Troubleshoot TLS

Signed-off-by: Kyle Harding <kyle@balena.io>

Dockerfile

@@ -51,6 +51,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 # hadolint ignore=DL3008
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
+    bridge-utils \
     ca-certificates \
     curl \
     e2fsprogs \
@@ -62,6 +63,7 @@ RUN apt-get update \
     jq \
     procps \
     rsync \
+    tcpdump \
     uuid-runtime \
     && rm -rf /var/lib/apt/lists/*
 
@@ -82,100 +84,44 @@ RUN chmod +x start.sh overlay/sbin/* overlay/usr/local/bin/*
 
 ENTRYPOINT [ "/usr/src/app/start.sh" ]
 
-# Default command to exec after init.
-# This should be a long-running process or service, and get overriden by the user.
-# hadolint ignore=DL3025
-CMD 'curl http://artscene.textfiles.com/asciiart/unicorn && sleep infinity'
-
 ###############################################
 
-FROM alpine:3.18 AS alpine-rootfs
-
-# WORKDIR /src
+# # This is a stage we use for testing with livepush as it
+# # includes an example rootfs.
+# FROM alpine:3.18 AS test-rootfs
 
 # # hadolint ignore=DL3018
-# RUN apk add --no-cache openrc util-linux
-
-# # Set up a login terminal on the serial console (ttyS0)
-# RUN ln -s agetty /etc/init.d/agetty.ttyS0 \
-#     && echo ttyS0 > /etc/securetty \
-#     && rc-update add agetty.ttyS0 default
+# RUN apk add --no-cache bash ca-certificates curl iproute2
 
-# # Make sure special file systems are mounted on boot
-# RUN rc-update add devfs boot \
-#     && rc-update add procfs boot \
-#     && rc-update add sysfs boot
+# # Include firecracker wrapper and scripts
+# FROM jailer AS test-jailer
 
-# # Create a tarball of the root file system
-# RUN tar cf /rootfs.tar /bin /etc /lib /root /sbin /usr
-
-# hadolint ignore=DL3018
-RUN apk add --no-cache curl iproute2
+# # Use livepush directives to conditionally run this test stage
+# # for livepush, but not for default builds used in publishing.
+# #dev-copy= --from=test-rootfs / /usr/src/app/rootfs/
+# #dev-cmd-live=/usr/local/bin/usage.sh
 
 ###############################################
 
-# Use the official Ubuntu image as a base
-FROM ubuntu:jammy AS ubuntu-rootfs
-
-# # Set environment variables to avoid prompts
-# ENV DEBIAN_FRONTEND=noninteractive
-
-# # Install the necessary packages
-# # hadolint ignore=DL3008
-# RUN apt-get update \
-#     && apt-get install -y --no-install-recommends curl systemd systemd-sysv \
-#     && rm -rf /var/lib/apt/lists/*
-
-# # Remove unnecessary services
-# RUN find /etc/systemd/system \
-#         /lib/systemd/system \
-#         \( \
-#         -name "*udev*" \
-#         -o -name "*resolved*" \
-#         -o -name "*logind*" \
-#         -o -name "*getty*" \
-#         -o -name "*networkd*" \
-#         \) \
-#         -exec rm -f {} \;
-
-# # Set systemd as the entrypoint
-# STOPSIGNAL SIGRTMIN+3
-# CMD [ "/sbin/init" ]
-
-# # Set up necessary mount points
-# VOLUME [ "/sys/fs/cgroup" ]
-
-# # Copy the updated systemd service file
-# COPY entrypoint.service /etc/systemd/system/entrypoint.service
-# RUN systemctl enable entrypoint.service
-
-# COPY init /init
-# RUN chmod +x /init
+# This is a stage we use for testing with livepush as it
+# includes an example rootfs.
+FROM debian:bookworm AS test-rootfs
 
 # hadolint ignore=DL3008
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends curl iproute2 \
+    && apt-get install -y --no-install-recommends curl iproute2 iputils-ping openssl tcpdump ca-certificates \
     && rm -rf /var/lib/apt/lists/*
 
-###############################################
-
-FROM ghcr.io/product-os/self-hosted-runners:v3.3.3 AS self-hosted-runners
-
-# hadolint ignore=DL3008
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends curl iproute2 \
-    && rm -rf /var/lib/apt/lists/*
+# Include firecracker wrapper and scripts
+FROM jailer AS test-jailer
 
-CMD [ "/init" ]
+# Use livepush directives to conditionally run this test stage
+# for livepush, but not for default builds used in publishing.
+#dev-copy= --from=test-rootfs / /usr/src/app/rootfs/
+#dev-cmd-live=/usr/local/bin/usage.sh
 
 ###############################################
 
-# Include firecracker wrapper and scripts
-FROM jailer AS runtime
-
-# Copy the root file system from your container final stage
-COPY --from=alpine-rootfs / /usr/src/app/rootfs/
-# COPY --from=ubuntu-rootfs / /usr/src/app/rootfs/
-# COPY --from=self-hosted-runners / /usr/src/app/rootfs/
-
-CMD 'curl http://artscene.textfiles.com/asciiart/unicorn ; echo $SECRET_KEY ; sleep infinity'
+# This is the stage we want to publish, but it has no rootfs
+# so we can't use it for livepush testing.
+FROM jailer AS default

docker-compose.test.yml

@@ -2,7 +2,46 @@ version: "2.4"
 
 services:
   sut:
+    image: alpine:3.18
+    depends_on:
+      - alpine-rootfs
+      - debian-rootfs
+      - ubuntu-rootfs
+    volumes:
+      - data-1:/data-1
+      - data-2:/data-2
+      - data-3:/data-3
+    command:
+      - sh
+      - -c
+      - |
+        ls -a /data-?/*
+
+  alpine-rootfs:
+    extends:
+      file: docker-compose.yml
+      service: firecracker
+    build: ./test/alpine
+    volumes:
+      - data-1:/jail/data
+
+  debian-rootfs:
     extends:
       file: docker-compose.yml
       service: firecracker
-    image: localhost:5000/sut
+    build: ./test/debian
+    volumes:
+      - data-2:/jail/data
+
+  ubuntu-rootfs:
+    extends:
+      file: docker-compose.yml
+      service: firecracker
+    build: ./test/ubuntu
+    volumes:
+      - data-3:/jail/data
+
+volumes:
+  data-1: {}
+  data-2: {}
+  data-3: {}

docker-compose.yml

@@ -7,14 +7,10 @@ services:
     # but permissions are dropped to a chroot in order to start your VM
     privileged: true
     network_mode: host
-    # Optionally run the VM rootfs and kernel in-memory to save storage wear
+    # Optionally run the VM jail in-memory to save storage wear
     tmpfs:
       - /tmp
       - /run
       - /srv
-    volumes:
-      - persistent-data:/jail/data
-
-volumes:
-  persistent-data: {}
-
+    environment:
+      - CTR_SECRET_KEY=secretvalue

overlay/sbin/init

@@ -4,20 +4,52 @@ exec 1>/dev/console
 exec 2>/dev/console
 
 # Mount essential file systems
-mount -t proc none /proc
-mount -t sysfs none /sys
-mount -t devtmpfs none /dev
+if ! mountpoint -q /proc; then
+  mount -t proc none /proc
+fi
 
-# Mount tmpfs
-mount -o remount,rw,exec tmpfs /tmp
-mount -o remount,rw,exec tmpfs /var/run
+if ! mountpoint -q /sys; then
+  mount -t sysfs none /sys
+fi
 
-# Bring up networking
+if ! mountpoint -q /dev; then
+  mount -t devtmpfs none /dev
+fi
+
+if ! mountpoint -q /tmp; then
+  mount -t tmpfs none /tmp
+fi
+
+if ! mountpoint -q /run; then
+  mount -t tmpfs none /run
+fi
+
+ip link list
+
+# The IP is assigned by converting the last 4 hexa groups of the MAC into decimals.
 # https://github.com/firecracker-microvm/firecracker/blob/main/resources/overlay/usr/local/bin/fcnet-setup.sh
-/usr/local/bin/fcnet-setup.sh
+for dev in /sys/class/net/*; do
+    dev="$(basename "$dev")"
+    case $dev in
+    *lo) continue ;;
+    esac
+    for octet in $(
+        ip link show dev "$dev" |
+            awk '/link\/ether/ {print $2}' |
+            awk -F: '{print $3" "$4" "$5" "$6}'
+    ); do
+        ip=$ip$(printf "%d" 0x"$octet").
+    done
+    ip=${ip%?}
+    ip addr add "$ip/30" dev "$dev"
+    ip link set "$dev" up
+    ip route add default via "${ip%?}1" dev "$dev"
+done
 
 # Export secrets to the environment and remove the files
-for f in /var/secrets/*; do
-    eval "export $(basename "${f}")=$(cat "${f}")"
-    rm -f "${f}"
-done
+if [ "$(ls /var/secrets)" ]; then
+    for f in /var/secrets/*; do
+        eval "export $(basename "${f}")=$(cat "${f}")"
+        rm -f "${f}"
+    done
+fi

overlay/usr/local/bin/usage.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+
+echo
+date
+
+echo
+cat /etc/os-release
+
+echo
+echo SECRET_KEY=$SECRET_KEY
+
+ip route
+
+echo
+ping -c 4 "$(ip route | awk '/default/ {print $3}')"
+
+echo
+ping -c 4 "$(head -1 /etc/resolv.conf | awk '{print $2}')"
+ping -c 4 -M "do" -s 1472 8.8.8.8
+
+set -x
+# tcpdump -i eth0 -nnv &
+
+# netcat -vz www.google.com 443
+
+# openssl s_client -connect www.google.com:443 -servername www.google.com -debug -msg
+
+curl -L -v https://raw.githubusercontent.com/dylanaraps/neofetch/7.1.0/neofetch
+
+curl -v -A "Mozilla/5.0" https://www.google.com/
+
+curl -v https://letsencrypt.org/
+curl -v https://www.mozilla.org/
+curl -v https://www.cloudflare.com/
+
+echo
+curl http://artscene.textfiles.com/asciiart/unicorn
+
+
+# echo
+# openssl s_client -connect github.com:80
+# openssl s_client -connect github.com:443
+
+echo
+curl -L -v https://raw.githubusercontent.com/dylanaraps/neofetch/7.1.0/neofetch
+
+echo
+echo "At least one COMMAND instruction is required. See the project README for usage."
+
+sleep infinity