Enable config file based configuration

[MrEcco]

This is a little rethink of how to configure. Since the previous implementation disallows to use the compiled binaries in releases, I have prepared a more flexible version. However, the legacy behavior (without configuration file) remains as is (proven by unit tests).

List of changes

• Enable -config flag. If no such flag provided, then remain the original behavior
• Partial refactoring of the initialization process
• Fix small issue what prevented multiple hypervisors connecting to the controlling socket (e.g. now you can attach more than 1 qemu VM, and they can ping each other)

Most of all changes are tested, see unit tests.

Reasons

I'm trying to enable multi-VM local lab which should support different host OS, guest OS, guest arches. With this tool I have resolved the significant problem with the proper VM networking (at least for MacOS). However, I must fix a few issues, here's the PR.

Pealse accept it and release the new version of gvproxy binary. I would appreciate.

[lstocchi]

Looking at the code LGTM, need to do some test.

Adding @cfergeau and @evidolob as reviewers so they give it a look as well

[MrEcco]

Any news on it?

[cfergeau]

@MrEcco one thing which is missing from the PR is a signed-off-by, see https://github.com/containers/gvisor-tap-vsock/pull/484/checks?check_run_id=38666327398

[MrEcco]

Sorry to bother your GHCI minutes, I finally won this DCO requirement.

[cfergeau]

After the addition of the DCO, there is no longer a commit log to your change :-/ The initial description in the PR should be good as a commit log.
Can you also rebase this (and not merge) on top of main? There will a conflict related to 4bbb832 , I’m a bit worried of introducing a regression if I try to fix it myself :-/

There are also a number of issues reported by make lint

[cfergeau]

Is it required to allow to specify a config file, but to allow to override some of its content with commandline options? or can we decide in the future that -config is mutually exclusive with any other cmdline flag? (with the exception of logging/debug)

[MrEcco]

I want to remain CLI flags as is as much as possible, because I'm not a maintainer here, you know. If you just say that I can reimplement the initialization from scratch, I would do it :) But it may disturb maintainers, no one likes when someone changes the code they already got used to.

If you propose me to reimplement configuration of it without default behavior with hardcoded configuration, I would do, with bells, tests, and whistles. Maybe with some portion of integration testing. Please answer in thread :)

[MrEcco]

BTW, CLI args and config file complement each other. You can find the proof of it in tests.

[cfergeau]

BTW, CLI args and config file complement each other. You can find the proof of it in tests.

I’ve seen that you can override some parts of the config with commandline args, but looking at the tests, I don’t really see tests for stuff like:

--config config.yaml --listen ... --forward... --ssh-port 1234

I think the code in the PR has kind support for matching both, but I was asking if you have a requirement for this? we could decide --config and other network-related args can’t be used together.

[cfergeau]

This could be derived from luaddr in GVProxyConfigure as is already partially done for config.Stack.NAT for example.

[MrEcco]

Yes, but please look at the original code. It seems like the maintainers used this code with these hardcoded variables and calls like go run main.go, without flags. I don't know if I can remove this feature.

[cfergeau]

I don’t expect many people to use go run main.go directly, at the very least you need to specify one of the listen args.
The main user of gvproxy that I’m aware of is podman-machine, mainly for use on macos and windows, but on linux it also starts gvproxy. Its commandline (on macos for example) is:

/opt/podman/bin/gvproxy -mtu 1500 -ssh-port 64450 -listen-vfkit unixgram:///var/folders/l0/rh4v8_j54k37h2w320__7d1h0000gn/T/podman/podman-machine-default-gvproxy.sock -forward-sock /var/folders/l0/rh4v8_j54k37h2w320__7d1h0000gn/T/podman/podman-machine-default-api.sock -forward-dest /run/user/501/podman/podman.sock -forward-user core -forward-identity /Users/teuf/.local/share/containers/podman/machine/machine -pid-file /var/folders/l0/rh4v8_j54k37h2w320__7d1h0000gn/T/podman/gvproxy.pid -log-file /var/folders/l0/rh4v8_j54k37h2w320__7d1h0000gn/T/podman/gvproxy.log

Imo the main reason for these hardcoded values is because it was easier this way rather than writing the code you added, where you specify the subnet you want, and everything is inferred from it.

[cfergeau]

I’ve rebased this and squashed the commits which go together in https://github.com/cfergeau/gvisor-tap-vsock/tree/MrEcco
The modified version works fine with podman-machine and macadam on a mac. I need to take a closer look at the "multiaccept" changes though.

[ggoodman]

I don't believe that this change does what it promises; here conn is a connectionless unix datagram socket. Handing the 'conn' off to another goroutine doesn't actually work.

Some form of affinity is needed. It's really not clear to me if the unixgram socket can even support multiplexing different vms.

[cfergeau]

here conn is a connectionless unix datagram socket. Handing the 'conn' off to another goroutine doesn't actually work.

That’s a good point, both transport.AcceptVfkit(conn) and vn.AcceptVfkit(ctx, vfkitConn) will be trying to read from conn, and if a second vfkit process tries to connect to gvproxy, then it’s supposed to be handled by transport.AcceptVfkit(conn) but the packet could be read by vn.AcceptVfkit(ctx, vfkitConn).

It's really not clear to me if the unixgram socket can even support multiplexing different vms.

The way the code is currently written, it’s not clear to me either if this kind of multiplexing is possible or not, I think it’s not. In general, multiplexing should be possible by looking at the net.UnixAddr of the vfkit-side of the connection, and then processing it in the right context.

[cfergeau]

So I’ve looked some more at this branch, rebased it and did a few more cleanups, mostly in the test code. Imo the config file commit is good to go, I’ll push it soon. Current code is in https://github.com/cfergeau/gvisor-tap-vsock/tree/MrEcco

However, the "multiple VMs" commit could use some work, for example I started gvproxy, connected 2 qemu VMs, killed one qemu with ctrl+c, and gvproxy exits. I don’t think it should be doing this. And thinking more about how this could impact existing users, it’s better to enable this using a command line/config file argument.

[cfergeau]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cfergeau, MrEcco

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [cfergeau]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[MrEcco]

Sorry, I forgot about this PR. Months ago, I have reimplemented your idea with appropriate configuration (or just with my own understanding of "appropriate", for my case) and CLI interface, here: https://github.com/circumspectlabs/gvswitch. This little project is a well tested by my students, they use it with this Ansible code which can start multiple VMs with a shared private network: https://github.com/circumspectlabs/kubernetes-the-mindful-way/blob/main/code/molecule/default/create.yml#L255-L272.

You can take the CLI and config implementation from this repo. It works with 6 VMs (haven't succeeded to start more on my laptop). Haven't yet tested on Windows and Linux.