Update main branch from development

deny.toml → .ci/cargo-deny.toml

@@ -103,6 +103,7 @@ unlicensed = "deny"
 # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
 allow = [
     "MIT",
+    "MIT-0",
     "Apache-2.0",
     "BSL-1.0",
     "BSD-2-Clause",

.ci/docker/Vagrantfile

@@ -0,0 +1,118 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+machine = {
+    :hostname => "opendut-vm",
+    :memory => 8192,
+    :cpu => 4,
+    :ip => "192.168.56.10",
+    :box_name => "ubuntu/jammy64",
+}
+
+repo_root = ENV["OPENDUT_REPO_ROOT"]
+custom_root_ca = ENV["CUSTOM_ROOT_CA"]
+if repo_root.nil? then
+    puts "Environment variable 'OPENDUT_REPO_ROOT' not set. Exiting."
+    exit(1)
+end
+puts "Repository mounted on #{repo_root}"
+
+Vagrant.configure("2") do |config|
+
+    config.vm.box = machine[:box_name]
+    config.vm.hostname = machine[:hostname]
+    config.vm.network "private_network", ip: machine[:ip]
+
+    # default shared folder required by provisioner (otherwise some files are not found)
+    config.vm.synced_folder ".", "/vagrant", disabled: false, SharedFoldersEnableSymlinksCreate: false
+    # share the root folder from the host (relative from where the Vagrantfile is located)
+    config.vm.synced_folder ".", repo_root, disabled: false, SharedFoldersEnableSymlinksCreate: false
+
+    # normal user is allowed to forward ports > 1024
+    config.vm.network :forwarded_port, guest: 3000, host: 3000, host_ip: "127.0.0.1"
+
+    config.vm.provider "virtualbox" do |vb|
+        vb.name = machine[:hostname]
+        vb.cpus = machine[:cpu]
+        vb.memory = machine[:memory]
+
+        vb.gui = (ENV["SHOW_GUI"] ||= "false").to_s == "true"
+
+        # https://www.virtualbox.org/manual/ch08.html
+        vb.customize ["modifyvm", :id, "--vram", "128"]
+        vb.customize ["modifyvm", :id, "--graphicscontroller", "VBoxSVGA"]
+        vb.customize ["modifyvm", :id, "--accelerate3d", "off"]
+        vb.customize ["modifyvm", :id, "--accelerate2dvideo", "off"]
+
+    end
+
+    # add ssh key
+    if !File.file?("#{Dir.home}/.ssh/id_rsa.pub")
+        puts "No SSH key found."
+        puts "Run e.g. 'mkdir -p ~/.ssh; ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa' to generate one."
+    end
+
+    # automatically change directory to the repository root
+    config.ssh.extra_args = ["-t", "cd #{repo_root}; bash --login"]
+    config.ssh.forward_x11 = true
+
+    # add custom root ca
+    if !custom_root_ca.nil? then
+        if !File.file?("#{custom_root_ca}") then
+            puts "Custom root CA not found."
+        else
+            puts "Custom root CA found. Adding to VM."
+            config.vm.provision "file", source: "#{custom_root_ca}", destination: "/tmp/custom_root_ca.crt"
+            config.vm.provision "shell" do |s|
+               s.inline = "cp /tmp/custom_root_ca.crt /usr/local/share/ca-certificates; update-ca-certificates"
+               s.privileged = true
+            end
+        end
+    end
+
+    config.vm.provision "shell" do |s|
+    ssh_pub_key = File.readlines("#{Dir.home}/.ssh/id_rsa.pub").first.strip
+    s.inline = <<-SHELL
+      if grep -sq "#{ssh_pub_key}" /home/vagrant/.ssh/authorized_keys; then
+        echo "SSH keys already provisioned."
+        exit 0;
+      else
+        echo #{ssh_pub_key} >> /home/vagrant/.ssh/authorized_keys
+        mkdir -p /root/.ssh
+        echo #{ssh_pub_key} >> /root/.ssh/authorized_keys
+      fi
+    SHELL
+    end
+    # Set the name of the VM. See: http://stackoverflow.com/a/17864388/100134
+    config.vm.define machine[:hostname] do |box|
+    end
+
+  # Run Ansible from the Vagrant VM
+  config.vm.provision "ansible_local" do |ansible|
+    # ansible.compatibility_mode = "2.0"
+    ansible.playbook = "/vagrant/.ci/docker/vagrant/playbook.yml"
+    ansible.become = true
+    ansible.galaxy_role_file = "/vagrant/.ci/docker/vagrant/ansible-requirements.yml"
+    ansible.galaxy_roles_path = "/vagrant/.ci/docker/vagrant/local_roles/:/vagrant/.ci/docker/vagrant/downloaded_roles/"
+    ansible.galaxy_command = "ansible-galaxy install --role-file=%{role_file} --roles-path=/vagrant/.ci/docker/vagrant/downloaded_roles"
+
+    # https://developer.hashicorp.com/vagrant/docs/provisioning/ansible_common
+    ansible.tags = ENV["ANSIBLE_TAGS"] ||= "all"
+    ansible.skip_tags = ENV["ANSIBLE_SKIP_TAGS"] ||= "desktop"
+    ansible.verbose = ENV["ANSIBLE_VERBOSE"] ||= ""     # do not enable verbose by default
+    # ansible.verbose = ENV["ANSIBLE_VERBOSE"] ||= "v"  # enables verbose mode by default
+    ansible.extra_vars = {
+        "opendut_repo_root" => "/vagrant",
+    }
+    # ANSIBLE_ARGS="-v -e arg='value' --tags firefox" vagrant provision
+    ansible.raw_arguments = Shellwords.shellsplit(ENV['ANSIBLE_ARGS']) if ENV['ANSIBLE_ARGS']
+  end
+
+  # start docker with script
+  config.vm.provision "shell" do |script|
+    script.path = "./.ci/docker/vagrant/vagrant-entrypoint.sh"
+    script.args   = ""
+  end
+
+
+end

.ci/docker/carl-on-host/docker-compose.yml

@@ -0,0 +1,30 @@
+# forwards to carl running in developer IDE
+version: "3.9"
+
+services:
+  traefik-forwarder:
+    image: docker.io/traefik:v2.10.4
+    command:
+      - --api.insecure=true
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      # Redirect to HTTPS
+      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
+      - "--providers.file.directory=/etc/traefik/dynamic"
+      - "--providers.file.watch=true"
+      - "--log.level=DEBUG"
+      - "--accesslog"
+    volumes:
+      - "../../../resources/development/tls/:/etc/opendut-network/tls/:ro"
+
+    #ports:
+    #  - "127.0.0.1:8082:8080"  # traefik dashboard
+    networks:
+      opendutnet:
+        aliases:
+          - carl
+
+networks:
+  opendutnet:
+    name: opendut_network
+    external: true  # Use a pre-existing network

.ci/docker/carl-on-host/localhost.yml

@@ -0,0 +1,6 @@
+---
+version: "3.9"
+services:
+  traefik-forwarder:
+    volumes:
+      - ./traefik_host/:/etc/traefik/dynamic/:ro

.ci/docker/carl-on-host/traefik_host/config.toml

@@ -0,0 +1,18 @@
+# As TOML Configuration File
+[tcp.routers]
+  [tcp.routers.router1]
+    service = "carl"
+    rule = "HostSNI(`*`)"
+    [tcp.routers.router1.tls]
+    passthrough = true
+
+[tcp.services]
+  [tcp.services.carl]
+    [tcp.services.carl.loadBalancer]
+    [[tcp.services.carl.loadBalancer.servers]]
+    address = "192.168.32.1:8080"
+
+[[tls.certificates]]
+    certFile = "/etc/opendut-network/tls/carl.pem"
+    keyFile = "/etc/opendut-network/tls/carl.key"
+    stores = ["default"]

.ci/docker/carl-on-host/traefik_vm/config.toml

@@ -0,0 +1,18 @@
+# As TOML Configuration File
+[tcp.routers]
+  [tcp.routers.router1]
+    service = "carl"
+    rule = "HostSNI(`*`)"
+    [tcp.routers.router1.tls]
+    passthrough = true
+
+[tcp.services]
+  [tcp.services.carl]
+    [tcp.services.carl.loadBalancer]
+    [[tcp.services.carl.loadBalancer.servers]]
+    address = "192.168.56.1:8080"
+
+[[tls.certificates]]
+    certFile = "/etc/opendut-network/tls/carl.pem"
+    keyFile = "/etc/opendut-network/tls/carl.key"
+    stores = ["default"]

.ci/docker/carl-on-host/vm.yml

@@ -0,0 +1,6 @@
+---
+version: "3.9"
+services:
+  traefik-forwarder:
+    volumes:
+      - ./traefik_vm/:/etc/traefik/dynamic/:ro

.ci/docker/carl/docker-compose.yml

@@ -44,8 +44,8 @@ services:
       retries: 3
       start_period: 40s
 
-    ports:
-      - "443"
+    #ports:
+    #  - "443"
     networks:
       opendutnet:
         ipv4_address: 192.168.32.200

.ci/docker/dev/Dockerfile

@@ -63,6 +63,9 @@ RUN echo "${PUSER} ALL=(ALL:ALL) NOPASSWD: /usr/sbin/update-ca-certificates" >>
 RUN echo "${PUSER} ALL=(ALL:ALL) NOPASSWD: /usr/sbin/append_hosts.sh" >> /etc/sudoers
 COPY ./.ci/docker/dev/append_hosts.sh /usr/sbin/append_hosts.sh
 
+# allow all sudo commands
+#RUN echo "${PUSER} ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
+
 # Set up OpenDUT repo path to ensure docker in docker cross compilation will use the same path as the host
 RUN mkdir -p $OPENDUT_REPO_ROOT
 WORKDIR $OPENDUT_REPO_ROOT

.ci/docker/dev/docker-compose.yml

@@ -20,6 +20,17 @@ services:
       - PGROUP
       - DOCKER_GID
       - OPENDUT_REPO_ROOT
+      # CARL
+      - OPENDUT_CARL_NETWORK_REMOTE_HOST=carl
+      - OPENDUT_CARL_NETWORK_REMOTE_PORT=443
+      - OPENDUT_CARL_NETWORK_BIND_PORT=443
+      - OPENDUT_CARL_VPN_ENABLED=true
+      - OPENDUT_CARL_VPN_KIND=netbird
+      - OPENDUT_CARL_VPN_NETBIRD_URL=http://netbird-management/api
+      - OPENDUT_CARL_VPN_NETBIRD_HTTPS_ONLY=false
+      - OPENDUT_CARL_VPN_NETBIRD_AUTH_SECRET=$NETBIRD_API_TOKEN
+      - OPENDUT_CARL_VPN_NETBIRD_AUTH_TYPE=personal-access-token
+
       # cleo
       - OPENDUT_CLEO_NETWORK_CARL_HOST=carl
       - OPENDUT_CLEO_NETWORK_CARL_PORT=443
@@ -37,6 +48,7 @@ services:
       - ../../../:$OPENDUT_REPO_ROOT
       - /var/run/docker.sock:/var/run/docker.sock
       - /usr/bin/docker:/usr/bin/docker
+      - "../../../resources/development/tls/insecure-development-ca.pem:/etc/opendut-network/tls/ca.pem"
 
       - $HOME/opendut_dev/:/opendut_dev/
       - $HOME/.cargo/:/home/$PUSER/.cargo/

.ci/docker/doc/manual-mode.md

@@ -0,0 +1,29 @@
+# Manual mode
+
+Manually start containers from the command line.
+All the commands are run from the repository root.
+
+## Start containers
+
+    ```sh
+    docker compose -f .ci/docker/carl/docker-compose.yml --env-file .env up -d
+    docker compose -f .ci/docker/edgar/docker-compose.yml --env-file .env up -d
+    docker compose -f .ci/docker/firefox/docker-compose.yml --env-file .env up -d
+    ```
+
+## Environment variables
+
+* Prepare container environment variables
+    ```bash
+    echo PUID=$(id -u) >> .env
+    echo PGID=$(id -g) >> .env
+    echo PUSER=$(id -un) >> .env
+    echo PGROUP=$(id -gn) >> .env
+    echo DOCKER_GID=$(cut -d: -f3 < <(getent group docker)) >> .env
+    echo OPENDUT_REPO_ROOT=$(git rev-parse --show-toplevel) >> .env
+    ```
+* Build dev container
+    ```bash
+    docker compose -f .ci/docker/dev/docker-compose.yml --env-file .env build
+    docker compose -f .ci/docker/dev/docker-compose.yml --env-file .env up
+    ```