2021-09-27 13:10:35 +00:00
|
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
|
#
|
|
|
|
|
# PASST - Plug A Simple Socket Transport
|
|
|
|
|
# for qemu/UNIX domain socket mode
|
|
|
|
|
#
|
|
|
|
|
# PASTA - Pack A Subtle Tap Abstraction
|
|
|
|
|
# for network namespace/tap device mode
|
|
|
|
|
#
|
|
|
|
|
# test/demo/pasta - Quick introduction to pasta
|
|
|
|
|
#
|
|
|
|
|
# Copyright (c) 2021 Red Hat GmbH
|
|
|
|
|
# Author: Stefano Brivio <sbrivio@redhat.com>
|
|
|
|
|
|
|
|
|
|
say This is a short introduction to
|
|
|
|
|
em pasta
|
|
|
|
|
say .
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
sleep 3
|
|
|
|
|
|
|
|
|
|
say Let's fetch the source
|
|
|
|
|
sleep 1
|
|
|
|
|
tempdir TEMPDIR
|
|
|
|
|
host cd __TEMPDIR__
|
|
|
|
|
host git clone https://passt.top/passt
|
|
|
|
|
sleep 1
|
|
|
|
|
|
|
|
|
|
say and build it.
|
|
|
|
|
sleep 1
|
|
|
|
|
host cd passt
|
|
|
|
|
host make
|
|
|
|
|
sleep 1
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say A quick look at the man page...
|
|
|
|
|
sleep 1
|
|
|
|
|
hostb man ./pasta.1
|
|
|
|
|
sleep 5
|
|
|
|
|
hostb /pasta
|
|
|
|
|
sleep 2
|
|
|
|
|
hostb n
|
|
|
|
|
sleep 2
|
|
|
|
|
hostb n
|
|
|
|
|
sleep 10
|
|
|
|
|
|
|
|
|
|
nl
|
2021-09-29 14:11:06 +00:00
|
|
|
say without PID, it will create a namespace.
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 3
|
|
|
|
|
passt cd __TEMPDIR__/passt
|
2022-01-26 06:27:05 +00:00
|
|
|
passtb ./pasta
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 3
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say For convenience, let's enter this namespace
|
|
|
|
|
nl
|
|
|
|
|
say from another terminal.
|
|
|
|
|
sleep 3
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 20:11:37 +00:00
|
|
|
ns pstree -p | grep pasta
|
|
|
|
|
nsout TARGET_PID pstree -p | grep pasta | sed -n 's/.*(\([0-9].*\))$/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 1
|
|
|
|
|
|
|
|
|
|
ns nsenter -t __TARGET_PID__ -U -n --preserve-credentials
|
|
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say Now, we're ready to configure networking.
|
|
|
|
|
sleep 2
|
|
|
|
|
host q
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
2022-06-10 02:32:42 +00:00
|
|
|
ns ip link show
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 3
|
|
|
|
|
say Let's configure IPv4 first...
|
|
|
|
|
sleep 2
|
2022-06-10 02:32:43 +00:00
|
|
|
ns dhclient -4 --no-pid
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2022-06-10 02:32:42 +00:00
|
|
|
ns ip addr show
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
say SLAAC is already done, but we can also
|
|
|
|
|
nl
|
|
|
|
|
say get another address via DHCPv6.
|
|
|
|
|
sleep 3
|
2022-06-10 02:32:43 +00:00
|
|
|
ns dhclient -6 --no-pid
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 3
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say Let's try to communicate between host and namespace
|
|
|
|
|
sleep 2
|
|
|
|
|
nl
|
|
|
|
|
say ...there's no need to configure port forwarding,
|
|
|
|
|
nl
|
|
|
|
|
say pasta detects bound ports and forwards them.
|
|
|
|
|
sleep 3
|
|
|
|
|
|
2022-06-10 02:32:45 +00:00
|
|
|
nsb ncat -6 -l ::1 31337
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2022-06-10 02:32:45 +00:00
|
|
|
host echo "Hello from the host" | ncat ::1 31337
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say Now the other way around...
|
|
|
|
|
nl
|
|
|
|
|
say we can use a loopback address
|
2022-05-18 23:22:33 +00:00
|
|
|
sleep 2
|
2022-06-10 02:32:45 +00:00
|
|
|
hostb ncat -l ::1 31337
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2022-06-10 02:32:45 +00:00
|
|
|
ns echo "Hello from the namespace" | ncat ::1 31337
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
say or the address of the default gateway.
|
|
|
|
|
sleep 2
|
2022-06-10 02:32:42 +00:00
|
|
|
nsout GW ip -j -4 route show|jq -rM '.[] | select(.dst == "default").gateway'
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 5
|
2022-06-10 02:32:45 +00:00
|
|
|
hostb ncat -l 0.0.0.0 31337
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2022-06-10 02:32:45 +00:00
|
|
|
ns echo "Hello from the namespace" | ncat __GW__ 31337
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 3
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say UDP...
|
|
|
|
|
sleep 2
|
|
|
|
|
ns host -t A passt.top
|
|
|
|
|
sleep 3
|
|
|
|
|
say seems to work too.
|
|
|
|
|
sleep 3
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
em pasta
|
|
|
|
|
say can also take packet captures.
|
|
|
|
|
sleep 3
|
|
|
|
|
passt exit
|
|
|
|
|
sleep 2
|
|
|
|
|
temp TEMP
|
|
|
|
|
passtb ./pasta -p __TEMP__.pcap
|
|
|
|
|
sleep 2
|
|
|
|
|
passt
|
2022-06-10 02:32:43 +00:00
|
|
|
passt /sbin/dhclient -4 --no-pid
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
|
|
|
|
hostb tshark -r __TEMP__.pcap
|
|
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say And there are tons of totally useless
|
|
|
|
|
sleep 1
|
|
|
|
|
bsp 14
|
|
|
|
|
say absolutely useful features
|
|
|
|
|
nl
|
|
|
|
|
say you can find described in the man page.
|
|
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say Let's have a (quick!) look at performance
|
|
|
|
|
nl
|
|
|
|
|
say more in the "Performance" section below.
|
|
|
|
|
sleep 3
|
2022-02-28 01:50:25 +00:00
|
|
|
ns exit
|
2021-09-27 13:10:35 +00:00
|
|
|
passt exit
|
2022-03-01 20:32:08 +00:00
|
|
|
passt make clean
|
2022-02-28 15:18:44 +00:00
|
|
|
passt CFLAGS="-g" make
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2021-10-20 06:27:55 +00:00
|
|
|
passtb perf record -g ./pasta
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
|
|
|
|
|
passt, pasta: Namespace-based sandboxing, defer seccomp policy application
To reach (at least) a conceptually equivalent security level as
implemented by --enable-sandbox in slirp4netns, we need to create a
new mount namespace and pivot_root() into a new (empty) mountpoint, so
that passt and pasta can't access any filesystem resource after
initialisation.
While at it, also detach IPC, PID (only for passt, to prevent
vulnerabilities based on the knowledge of a target PID), and UTS
namespaces.
With this approach, if we apply the seccomp filters right after the
configuration step, the number of allowed syscalls grows further. To
prevent this, defer the application of seccomp policies after the
initialisation phase, before the main loop, that's where we expect bad
things to happen, potentially. This way, we get back to 22 allowed
syscalls for passt and 34 for pasta, on x86_64.
While at it, move #syscalls notes to specific code paths wherever it
conceptually makes sense.
We have to open all the file handles we'll ever need before
sandboxing:
- the packet capture file can only be opened once, drop instance
numbers from the default path and use the (pre-sandbox) PID instead
- /proc/net/tcp{,v6} and /proc/net/udp{,v6}, for automatic detection
of bound ports in pasta mode, are now opened only once, before
sandboxing, and their handles are stored in the execution context
- the UNIX domain socket for passt is also bound only once, before
sandboxing: to reject clients after the first one, instead of
closing the listening socket, keep it open, accept and immediately
discard new connection if we already have a valid one
Clarify the (unchanged) behaviour for --netns-only in the man page.
To actually make passt and pasta processes run in a separate PID
namespace, we need to unshare(CLONE_NEWPID) before forking to
background (if configured to do so). Introduce a small daemon()
implementation, __daemon(), that additionally saves the PID file
before forking. While running in foreground, the process itself can't
move to a new PID namespace (a process can't change the notion of its
own PID): mention that in the man page.
For some reason, fork() in a detached PID namespace causes SIGTERM
and SIGQUIT to be ignored, even if the handler is still reported as
SIG_DFL: add a signal handler that just exits.
We can now drop most of the pasta_child_handler() implementation,
that took care of terminating all processes running in the same
namespace, if pasta started a shell: the shell itself is now the
init process in that namespace, and all children will terminate
once the init process exits.
Issuing 'echo $$' in a detached PID namespace won't return the
actual namespace PID as seen from the init namespace: adapt
demo and test setup scripts to reflect that.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2022-02-07 20:11:37 +00:00
|
|
|
nsout TARGET_PID pstree -p | grep pasta | sed -n 's/.*(\([0-9].*\))$/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 1
|
|
|
|
|
ns nsenter -t __TARGET_PID__ -U -n --preserve-credentials
|
|
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
info Throughput in Gbps, latency in µs
|
|
|
|
|
th flow init>ns ns>init
|
|
|
|
|
|
|
|
|
|
set OPTS -P4 -l 1M -w 32M -i1 --pacing-timer 100000
|
|
|
|
|
|
|
|
|
|
tr TCP/IPv6 throughput
|
|
|
|
|
hostb sleep 10; iperf3 -c ::1 __OPTS__
|
|
|
|
|
nsout BW iperf3 -s1J | jq -rM ".end.sum_received.bits_per_second"
|
|
|
|
|
bw __BW__ 10.0 20.0
|
2021-10-15 18:45:16 +00:00
|
|
|
sleep 5
|
|
|
|
|
nsb sleep 10; iperf3 -c ::1 __OPTS__
|
|
|
|
|
hout BW iperf3 -s1J | jq -rM ".end.sum_received.bits_per_second"
|
|
|
|
|
bw __BW__ 10.0 20.0
|
2021-09-27 13:10:35 +00:00
|
|
|
|
|
|
|
|
tl TCP/IPv6 RR latency
|
2021-10-15 18:45:16 +00:00
|
|
|
nsb tcp_rr -6 --nolog
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
hout LAT tcp_rr --nolog -c -H ::1 | sed -n 's/^throughput=\(.*\)/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
lat __LAT__ 1000 500
|
|
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
hostb tcp_rr -6 --nolog
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
nsout LAT tcp_rr --nolog -c -H ::1 | sed -n 's/^throughput=\(.*\)/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
lat __LAT__ 1000 500
|
|
|
|
|
sleep 2
|
|
|
|
|
|
|
|
|
|
tl TCP/IPv6 CRR latency
|
2021-10-15 18:45:16 +00:00
|
|
|
nsb tcp_crr -6 --nolog
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
hout LAT tcp_crr --nolog -c -H ::1 | sed -n 's/^throughput=\(.*\)/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
lat __LAT__ 1000 500
|
|
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
hostb tcp_crr -6 --nolog
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
nsout LAT tcp_crr --nolog -c -H ::1 | sed -n 's/^throughput=\(.*\)/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
lat __LAT__ 1000 500
|
|
|
|
|
sleep 2
|
|
|
|
|
|
|
|
|
|
tr TCP/IPv4 throughput
|
|
|
|
|
hostb sleep 10; iperf3 -c 127.0.0.1 __OPTS__
|
|
|
|
|
nsout BW iperf3 -s1J | jq -rM ".end.sum_received.bits_per_second"
|
|
|
|
|
bw __BW__ 10.0 20.0
|
2021-10-15 18:45:16 +00:00
|
|
|
sleep 5
|
|
|
|
|
nsb sleep 10; iperf3 -c 127.0.0.1 __OPTS__
|
|
|
|
|
hout BW iperf3 -s1J | jq -rM ".end.sum_received.bits_per_second"
|
|
|
|
|
bw __BW__ 10.0 20.0
|
2021-09-27 13:10:35 +00:00
|
|
|
|
|
|
|
|
tl TCP/IPv4 RR latency
|
2021-10-15 18:45:16 +00:00
|
|
|
nsb tcp_rr -4 --nolog
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
hout LAT tcp_rr --nolog -c -H 127.0.0.1 | sed -n 's/^throughput=\(.*\)/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
lat __LAT__ 1000 500
|
|
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
hostb tcp_rr -4 --nolog
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
nsout LAT tcp_rr --nolog -c -H 127.0.0.1 | sed -n 's/^throughput=\(.*\)/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
lat __LAT__ 1000 500
|
|
|
|
|
sleep 2
|
|
|
|
|
|
|
|
|
|
tl TCP/IPv4 CRR latency
|
2021-10-15 18:45:16 +00:00
|
|
|
nsb tcp_crr -4 --nolog
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
hout LAT tcp_crr --nolog -c -H 127.0.0.1 | sed -n 's/^throughput=\(.*\)/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
lat __LAT__ 1000 500
|
|
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
hostb tcp_crr -4 --nolog
|
2021-09-27 13:10:35 +00:00
|
|
|
sleep 2
|
2021-10-15 18:45:16 +00:00
|
|
|
nsout LAT tcp_crr --nolog -c -H 127.0.0.1 | sed -n 's/^throughput=\(.*\)/\1/p'
|
2021-09-27 13:10:35 +00:00
|
|
|
lat __LAT__ 1000 500
|
|
|
|
|
sleep 2
|
|
|
|
|
|
|
|
|
|
sleep 5
|
|
|
|
|
passt exit
|
|
|
|
|
sleep 2
|
|
|
|
|
killp PASST
|
|
|
|
|
killp HOST
|
|
|
|
|
sleep 2
|
2021-10-04 20:18:35 +00:00
|
|
|
ns cd __TEMPDIR__/passt
|
2021-09-27 13:10:35 +00:00
|
|
|
nsb perf report -g --max-stack 3
|
|
|
|
|
sleep 10
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say I
|
|
|
|
|
em knew
|
|
|
|
|
say it.
|
|
|
|
|
em syscalls
|
|
|
|
|
say .
|
|
|
|
|
sleep 5
|
|
|
|
|
|
|
|
|
|
nl
|
|
|
|
|
nl
|
|
|
|
|
say Thanks for watching!
|
|
|
|
|
sleep 5
|
