diff --git a/.github/actions/build_eks_docker_image/action.yaml b/.github/actions/build_eks_docker_image/action.yaml
index 556543751..a0f8978ee 100644
--- a/.github/actions/build_eks_docker_image/action.yaml
+++ b/.github/actions/build_eks_docker_image/action.yaml
@@ -72,6 +72,7 @@ runs:
 id: copy_docker_files
 run: |
 mkdir -p ${{ inputs.artifacts_output_dir }}
+ cp -r ./scripts/aws/config-server/* ${{ inputs.artifacts_output_dir }}
 cp -r ./scripts/aws/eks/pod/* ${{ inputs.artifacts_output_dir }}
 ls -l ${{ inputs.artifacts_output_dir }}
diff --git a/scripts/aws/config-server/app.py b/scripts/aws/config-server/app.py
new file mode 100644
index 000000000..2ba45dc3d
--- /dev/null
+++ b/scripts/aws/config-server/app.py
@@ -0,0 +1,15 @@
+from flask import Flask
+
+app = Flask(__name__)
+
+@app.route('/getConfig', methods=['GET'])
+def get_config():
+ try:
+ with open('/etc/secret/secret-value/config', 'r') as secret_file:
+ secret_value = secret_file.read().strip()
+ return secret_value
+ except Exception as e:
+ return str(e), 500
+
+if __name__ == '__main__':
+ app.run(processes=8)
diff --git a/scripts/aws/config-server/requirements.txt b/scripts/aws/config-server/requirements.txt
new file mode 100644
index 000000000..57652a258
--- /dev/null
+++ b/scripts/aws/config-server/requirements.txt
@@ -0,0 +1,3 @@
+Flask==2.3.2
+Werkzeug==3.0.3
+setuptools==70.0.0
diff --git a/scripts/aws/eks/pod/Dockerfile b/scripts/aws/eks/pod/Dockerfile
index d4679c4d7..19e6f337b 100644
--- a/scripts/aws/eks/pod/Dockerfile
+++ b/scripts/aws/eks/pod/Dockerfile
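Review bot: The new `cp` line interpolates `${{ inputs.artifacts_output_dir }}` straight into the shell, following the pattern of the surrounding lines, so whatever the caller passes in that input is parsed as shell syntax. The usual hardening is to pass it through an environment variable and quote it: add `env:` with `OUT_DIR: ${{ inputs.artifacts_output_dir }}` to the step (the step header is above this hunk) and write `cp -r ./scripts/aws/config-server/* "$OUT_DIR"`. Note also that both source trees are flattened into the same directory, so a file in `scripts/aws/config-server/` that shares a name with one in `scripts/aws/eks/pod/` is silently overwritten by the second `cp`.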
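Review bot: `get_config` returns `str(e)` to the caller on any failure, which sends the exception text — including the secret file path — to whoever requested `/getConfig`; log it server-side and return a fixed body instead: `app.logger.exception("reading secret failed")` followed by `return "config unavailable", 500`. The endpoint hands out the file contents to any client that can reach the listener with no authentication, so the bind address (`127.0.0.1` in the entrypoint's `flask run`) is the only access control; a module comment stating that the listener must stay loopback-only and that the secret file is expected to be a read-only mount would make that assumption explicit. No content type is set, so Flask's default `text/html` is used for an opaque value; `return secret_value, 200, {"Content-Type": "text/plain"}` avoids it ever being treated as markup.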
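Review bot: The pins are exact versions but carry no `--hash=sha256:...` entries, so the `pip3 install -r` in the Dockerfile accepts whatever the index serves under those names; add per-package hashes (a hash-generating lock tool, or `pip hash` on the downloaded wheels) and install with `--require-hashes` so the image build fails on a substituted artifact. Flask 2.3.2 is pinned next to Werkzeug 3.0.3, a newer major of Flask's own dependency; I have not verified that this combination resolves and imports cleanly, so confirm the build or move both to matching releases.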
@@ -1,12 +1,16 @@ FROM amazonlinux:2023 -RUN yum install aws-nitro-enclaves-cli-devel jq -y + RUN dnf install aws-nitro-enclaves-cli -y # RUN yum install -y libxcrypt-compat +RUN dnf -y install iproute +RUN dnf -y install net-tools + -RUN yum install -y python3 +RUN dnf install python3.11 -y +RUN dnf install python3.11-pip -y COPY ./sockd /home/ -COPY ./sockd.conf /etc/ +COPY ./sockd_eks.conf /etc/sockd.conf COPY ./vsockpx /home COPY ./entrypoint.sh /home/ @@ -16,4 +20,12 @@ COPY ./proxies.host.yaml /home/proxies.host.yaml RUN chmod +x /home/vsockpx && chmod +x /home/entrypoint.sh # RUN yum install net-tools -y +COPY ./app.py /home/config-server/ +COPY ./requirements.txt /home/config-server/ +RUN python3 -m venv config-server +RUN config-server/bin/pip3 install -r /home/config-server/requirements.txt + +RUN dnf -y install shadow-utils +RUN useradd ec2-user + CMD ["/home/entrypoint.sh"] \ No newline at end of file diff --git a/scripts/aws/eks/pod/entrypoint.sh b/scripts/aws/eks/pod/entrypoint.sh index c42965d69..7a2d1a27b 100644 --- a/scripts/aws/eks/pod/entrypoint.sh +++ b/scripts/aws/eks/pod/entrypoint.sh @@ -5,11 +5,23 @@ MEMORY_MB=24576 CPU_COUNT=6 function terminate_old_enclave() { + echo "terminate_old_enclave" ENCLAVE_ID=$(nitro-cli describe-enclaves | jq -r ".[0].EnclaveID") - [ "$ENCLAVE_ID" != "null" ] && nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID} + if [ "$ENCLAVE_ID" != "null" ]; then + nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID} + echo "Terminated enclave with ID ${ENCLAVE_ID}" + else + echo "No running enclaves to terminate." + fi +} + +function debug() { + ip link show + ifconfig } function setup_vsockproxy() { + echo "setup_vsockproxy" VSOCK_PROXY=${VSOCK_PROXY:-/home/vsockpx} VSOCK_CONFIG=${VSOCK_CONFIG:-/home/proxies.host.yaml} VSOCK_THREADS=${VSOCK_THREADS:-$(( $(nproc) * 2 )) } 
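Review bot: The removed line was the only place `jq` was installed, yet `entrypoint.sh` still pipes `nitro-cli describe-enclaves` into `jq -r` in `terminate_old_enclave` (visible in the next file of this commit); unless `jq` arrives through another package, the image starts without it and `ENCLAVE_ID` ends up empty. Add it back to the install step, e.g. `RUN dnf install aws-nitro-enclaves-cli jq -y`. The new `dnf` lines also pull unpinned package versions and leave the package cache in the layer; `RUN dnf -y install iproute net-tools && dnf clean all` in one instruction keeps the image smaller and the installed set easier to audit.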
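Review bot: `RUN python3 -m venv config-server` and the following `pip3` call use paths relative to the build working directory, which no visible instruction sets; `entrypoint.sh` hard-codes `/config-server/bin/flask`, so this only works while `WORKDIR` is still the default `/`. Make the path explicit and use the interpreter the image just installed: `RUN python3.11 -m venv /config-server && /config-server/bin/pip3 install --no-cache-dir -r /home/config-server/requirements.txt`. Also, `useradd ec2-user` creates the unprivileged account that `sockd_eks.conf` drops to, but its UID is whatever the build host allocates; `useradd -r -u <UID> ec2-user` (UID chosen by the project) makes the account reproducible across builds.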
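Review bot: The new `if` in `terminate_old_enclave` still only tests for the literal `null`; when `nitro-cli` or `jq` fails (the pipeline's exit status is ignored) `ENCLAVE_ID` is the empty string, the test passes and `nitro-cli terminate-enclave --enclave-id` runs with no id at all. Guard both cases: `if [ -n "$ENCLAVE_ID" ] && [ "$ENCLAVE_ID" != "null" ]; then`. The `debug` function is called unconditionally from the main sequence (next hunk) and dumps the pod's interface configuration to the container log on every start; consider gating it on an environment variable, e.g. `[ -n "$ENTRYPOINT_DEBUG" ] && debug` (name is a constructed example), and note that `ifconfig` depends on the `net-tools` package this commit adds to the Dockerfile.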
@@ -20,16 +32,25 @@ function setup_vsockproxy() {
 }
 function setup_dante() {
+ echo "setup_dante"
 ulimit -n 1024
 /home/sockd -D
 }
+function run_config_server() {
+ echo "run_config_server"
+ cd /home/config-server/
+ /config-server/bin/flask run --host 127.0.0.1 --port 27015
+}
+
 function run_enclave() {
 echo "starting enclave..."
 nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name simple-eif --debug-mode --attach-console
 }
 terminate_old_enclave
+debug
 setup_vsockproxy
 setup_dante
-run_enclave
\ No newline at end of file
+run_config_server
+run_enclave
diff --git a/scripts/aws/eks/pod/sockd_eks.conf b/scripts/aws/eks/pod/sockd_eks.conf
new file mode 100644
index 000000000..69c6264f8
--- /dev/null
+++ b/scripts/aws/eks/pod/sockd_eks.conf
@@ -0,0 +1,17 @@
+internal: 127.0.0.1 port = 3306
+external: eth0
+user.notprivileged: ec2-user
+clientmethod: none
+socksmethod: none
+
+client pass {
+ from: 127.0.0.1/32 to: 127.0.0.1/32
+ log: error # connect disconnect iooperation
+}
+
+socks pass {
+ from: 127.0.0.1/32 to: 0.0.0.0/0
+ command: bind connect
+ protocol: tcp
+ log: error
+}
\ No newline at end of file
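Review bot: `run_config_server` runs `flask run` in the foreground, and `flask run` does not return, so the `run_enclave` call added after it is never reached; the config server has to be started in the background (or the enclave launched first). The `cd /home/config-server/` also changes the working directory for the rest of the script, which matters if `EIF_PATH` is ever relative. Both are avoided by running it in a subshell: `(cd /home/config-server && exec /config-server/bin/flask run --host 127.0.0.1 --port 27015) &`, ideally followed by a short readiness check on port 27015 before `run_enclave`. `flask run` is Werkzeug's development server; the loopback bind keeps it off the network, but a comment stating that the only intended client is the enclave via the vsock proxy path would document why that is acceptable here.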
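Review bot: The `socks pass` rule allows `command: bind connect` to `0.0.0.0/0`, so any process that reaches the loopback listener on port 3306 can open outbound TCP to every address the pod's `eth0` can route, including the link-local range that serves instance metadata and credentials, and `bind` additionally lets a client have the proxy accept inbound connections on the external interface. Unless the enclave workload needs `bind`, drop it, and place a `socks block` rule for the link-local range (and any other ranges the enclave must not reach) ahead of the pass rule, since Dante applies the first matching rule. `clientmethod: none` and `socksmethod: none` make the loopback bind the only access control, and `log: error` discards connect/disconnect records, so there is no audit trail of what the enclave connected to; `log: connect disconnect error` on the `socks pass` rule is cheap and valuable for incident review.
```conf
# … unchanged: internal/external/user/method settings and client pass block …

socks block {
    from: 127.0.0.1/32 to: 169.254.0.0/16
    log: connect error
}

socks pass {
    from: 127.0.0.1/32 to: 0.0.0.0/0
    command: connect
    protocol: tcp
    log: connect disconnect error
}
```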