aleph-im · hoh · Nov 21, 2022 · Oct 18, 2022 · Oct 25, 2022 · Oct 25, 2022
diff --git a/firecracker/microvm.py b/firecracker/microvm.py
@@ -64,15 +64,11 @@ class MicroVM:
  firecracker_bin_path: str
  jailer_bin_path: Optional[str]
  proc: Optional[asyncio.subprocess.Process] = None
- network_tap: Optional[str] = None
- network_interface: Optional[str] = None
  stdout_task: Optional[Task] = None
  stderr_task: Optional[Task] = None
  config_file_path: Optional[Path] = None
  drives: List[Drive]
  init_timeout: float
- guest_ip: Optional[str]
- host_ip: Optional[str]
 
  _unix_socket: Server
 
@@ -106,25 +102,19 @@ def __init__(
  use_jailer: bool = True,
  jailer_bin_path: Optional[str] = None,
  init_timeout: float = 5.0,
- guest_ip: Optional[str] = None,
- host_ip: Optional[str] = None,
  ):
  self.vm_id = vm_id
  self.use_jailer = use_jailer
  self.firecracker_bin_path = firecracker_bin_path
  self.jailer_bin_path = jailer_bin_path
  self.drives = []
  self.init_timeout = init_timeout
- self.guest_ip = guest_ip
- self.host_ip = host_ip
 
  def to_dict(self):
  return {
  "jailer_path": self.jailer_path,
  "socket_path": self.socket_path,
  "vsock_path": self.vsock_path,
- "guest_ip": self.guest_ip,
- "host_ip": self.host_ip,
  **self.__dict__,
  }
 
@@ -302,30 +292,6 @@ def enable_drive(self, drive_path: str, read_only: bool = True) -> Drive:
  self.drives.append(drive)
  return drive
 
- async def create_network_interface(self, interface: str = "eth0") -> str:
- logger.debug("Create network interface")
-
- assert self.network_interface is None # Only one is supported at the moment
- assert self.network_tap is None
-
- self.network_interface = interface
-
- host_dev_name = f"vmtap{self.vm_id}"
- self.network_tap = host_dev_name
-
- system(f"ip tuntap add {host_dev_name} mode tap")
- system(f"ip addr add {self.host_ip} dev {host_dev_name}")
- system(f"ip link set {host_dev_name} up")
- system('sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"')
- # TODO: Don't fill iptables with duplicate rules; purge rules on delete
- system(f"iptables -t nat -A POSTROUTING -o {interface} -j MASQUERADE")
- system(
- "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
- )
- system(f"iptables -A FORWARD -i {host_dev_name} -o {interface} -j ACCEPT")
-
- return host_dev_name
-
  async def print_logs(self):
  while not self.proc:
  await asyncio.sleep(0.01) # Todo: Use signal here
@@ -434,23 +400,6 @@ async def teardown(self):
  if self.stderr_task:
  self.stderr_task.cancel()
 
- if self.network_tap:
- await asyncio.sleep(
- 0.01
- ) # Used to prevent `ioctl(TUNSETIFF): Device or resource busy`
- logger.debug(f"Removing interface {self.network_tap}")
- system(f"ip tuntap del {self.network_tap} mode tap")
- logger.debug("Removing iptables rules")
- system(
- f"iptables -t nat -D POSTROUTING -o {self.network_interface} -j MASQUERADE"
- )
- system(
- "iptables -D FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
- )
- system(
- f"iptables -D FORWARD -i {self.network_tap} -o {self.network_interface} -j ACCEPT"
- )
-
  if self._unix_socket:
  logger.debug("Closing unix socket")
  self._unix_socket.close()

diff --git a/packaging/aleph-vm/DEBIAN/control b/packaging/aleph-vm/DEBIAN/control
@@ -3,6 +3,6 @@ Version: 0.1.8
 Architecture: all
 Maintainer: Aleph.im
 Description: Aleph.im VM execution engine
-Depends: python3,python3-pip,python3-aiohttp,python3-msgpack,python3-aiodns,python3-sqlalchemy,python3-setproctitle,redis,python3-aioredis,python3-psutil,sudo,acl,curl,systemd-container,squashfs-tools,debootstrap,python3-packaging,python3-cpuinfo
+Depends: python3,python3-pip,python3-aiohttp,python3-msgpack,python3-aiodns,python3-sqlalchemy,python3-setproctitle,redis,python3-aioredis,python3-psutil,sudo,acl,curl,systemd-container,squashfs-tools,debootstrap,python3-packaging,python3-cpuinfo,python3-nftables,python3-jsonschema
 Section: aleph-im
 Priority: Extra
diff --git a/runtimes/aleph-alpine-3.13-python/init1.py b/runtimes/aleph-alpine-3.13-python/init1.py
@@ -127,8 +127,8 @@ def setup_network(
  system("ip link set eth0 up")
 
  if route:
- system(f"ip route add default via {route.split('/')[0]} dev eth0")
- logger.debug("IP and route set")
+ system(f"ip route add default via {route} dev eth0")
+ logger.debug(f"IP and route set: {ip} via {route}")
  else:
  logger.warning("IP set with no network route")
 

diff --git a/vm_supervisor/README.md b/vm_supervisor/README.md
@@ -57,7 +57,7 @@ when running the VM Supervisor.
 ```shell
 apt update
 apt install -y git python3 python3-aiohttp python3-msgpack python3-aiodns python3-sqlalchemy python3-setproctitle redis python3-aioredis \
- python3-psutil sudo acl curl systemd-container squashfs-tools debootstrap
+ python3-psutil sudo acl curl systemd-container squashfs-tools debootstrap python3-nftables python3-jsonschema
 useradd jailman
 ```
 

diff --git a/vm_supervisor/conf.py b/vm_supervisor/conf.py
@@ -84,6 +84,7 @@ class Settings(BaseSettings):
  NETWORK_INTERFACE = "eth0"
  IPV4_ADDRESS_POOL = "172.16.0.0/12"
  IPV4_NETWORK_SIZE = 24
+ NFTABLES_CHAIN_PREFIX = "aleph"
 
  DNS_RESOLUTION: Optional[DnsResolver] = DnsResolver.resolv_conf
  DNS_NAMESERVERS: Optional[List[str]] = None

diff --git a/vm_supervisor/metrics.py b/vm_supervisor/metrics.py
@@ -51,7 +51,6 @@ class ExecutionRecord(Base):
 
  vcpus = Column(Integer, nullable=False)
  memory = Column(Integer, nullable=False)
- network_tap = Column(String, nullable=True)
 
  def __repr__(self):
  return f"<ExecutionRecord(uuid={self.uuid}, vm_hash={self.vm_hash})>"

diff --git a/vm_supervisor/models.py b/vm_supervisor/models.py
@@ -15,6 +15,7 @@
 from .utils import dumps_for_json, create_task_log_exceptions
 from .vm import AlephFirecrackerVM
 from .vm.firecracker_microvm import AlephFirecrackerResources
+from .network.interfaces import TapInterface
 
 logger = logging.getLogger(__name__)
 
@@ -100,7 +101,9 @@ async def prepare(self):
  self.times.prepared_at = datetime.now()
  self.resources = resources
 
- async def create(self, vm_id: int) -> AlephFirecrackerVM:
+ async def create(
+ self, vm_id: int, tap_interface: TapInterface
+ ) -> AlephFirecrackerVM:
  if not self.resources:
  raise ValueError("Execution resources must be configured first")
  self.times.starting_at = datetime.now()
@@ -110,6 +113,7 @@ async def create(self, vm_id: int) -> AlephFirecrackerVM:
  resources=self.resources,
  enable_networking=self.program.environment.internet,
  hardware_resources=self.program.resources,
+ tap_interface=tap_interface,
  )
  try:
  await vm.setup()
@@ -229,7 +233,6 @@ async def record_usage(self):
  io_write_bytes=pid_info["process"]["io_counters"][3],
  vcpus=self.vm.hardware_resources.vcpus,
  memory=self.vm.hardware_resources.memory,
- network_tap=self.vm.fvm.network_tap,
  )
  )
  else:
@@ -251,7 +254,6 @@ async def record_usage(self):
  io_write_bytes=None,
  vcpus=self.vm.hardware_resources.vcpus,
  memory=self.vm.hardware_resources.memory,
- network_tap=self.vm.fvm.network_tap,
  )
  )
 

diff --git a/vm_supervisor/network/__init__.py b/vm_supervisor/network/__init__.py