homepage-data/Projects/Reproducible_builds

122 lines
14 KiB
Text
Raw Permalink Normal View History

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Robur Reproducible Builds</title><meta charset="UTF-8"/><link rel="stylesheet" href="/static/css/style.css"/><link rel="alternate" href="/atom" title="Robur Reproducible Builds" type="application/atom+xml"/><meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover"/></head><body><nav class="navbar navbar-default navbar-fixed-top"><div class="container"><div class="navbar-header"><a class="navbar-brand" href="/Home">robur</a></div><div class="collapse navbar-collapse collapse"><ul class="nav navbar-nav navbar-right"><li><a href="/Donate"><span>Donate</span></a></li><li><a href="/Contact"><span>Contact</span></a></li><li><a href="/About Us"><span>About Us</span></a></li><li><a href="/Our Work"><span>Our Work</span></a></li><li><a href="/"><span></span></a></li><li><a href="/"><span></span></a></li><li><a href="/"><span></span></a></li><li><a href="/"><span></span></a></li></ul></div></div></nav><main><div class="flex-container"><div class="post"><h2>Robur Reproducible Builds</h2><span class="date">Published: 2021-11-16 (last updated: 2024-07-01)</span><article><p>In 2021 we in <a href="https://robur.coop/">Robur</a> have been working towards easing deployment of reproducible mirage applications. The work has been funded by the European Union under the <a href="https://pointer.ngi.eu/">Next Generation Internet (NGI Pointer) initiative</a>. The result is <a href="https://builds.robur.coop">online</a>.</p>
<p>The overall goal is to push MirageOS into production in a trustworthy way. We worked on reproducible builds for <a href="https://opam.ocaml.org">Opam</a> packages and <a href="https://mirageos.org">MirageOS</a> - with the infrastructure being reproducible itself. Reproducible builds are crucial for supply chain security - everyone can reproduce the exact same binary (by using the same sources and environment), without reproducible builds we would not publish binaries.</p>
<p>Reproducible builds are also great for fleet management: by inspecting the hash of the binary that is executed, we can figure out which versions of which libraries are in the unikernel - and suggest updates if newer builds are available or if a used library has a security flaw -- <code>albatross-client update my-unikernel</code> is everything needed for an update.</p>
<p>Several ready-to-use MirageOS unikernels are built on a daily basis - ranging from <a href="https://builds.robur.coop/job/dns-primary-git/">authoritative DNS servers</a> (<a href="https://builds.robur.coop/job/dns-secondary/">secondary</a>, <a href="https://builds.robur.coop/job/dns-letsencrypt-secondary/">let's encrypt DNS solver</a>), <a href="https://builds.robur.coop/job/dnsvizor/">DNS-and-DHCP service (similar to dnsmasq)</a>, <a href="https://builds.robur.coop/job/tlstunnel/">TLS reverse proxy</a>, <a href="https://builds.robur.coop/job/unipi/">Unipi - a web server that delivers content from a git repository</a>, <a href="https://builds.robur.coop/job/dns-resolver/">DNS resolver</a>, <a href="https://builds.robur.coop/job/caldav/">CalDAV server</a>, and of course your own MirageOS unikernel.</p>
<h2 id="brief-robur-and-mirageos-introduction">Brief robur and MirageOS introduction</h2>
<p><a href="https://mirageos.org">MirageOS</a> is an operating system, developed in OCaml, which produces unikernels. A unikernel serves a single purpose and is a single process, i.e. only has the really needed dependencies. For example, an OpenVPN endpoint does neither include persistent storage (block device, file system) nor user management. MirageOS unikernels are developed in <a href="https://ocaml.org">OCaml</a>, a statically typed and type-safe programming language - which avoids common pitfalls from the grounds up (spatial and temporal memory safety issues).</p>
<p><a href="https://robur.coop">Robur</a> is a collective that develops MirageOS and OCaml software with open source license. It was started in 2017, and is part of the non-profit company <a href="https://aenderwerk.de">Änderwerk gGmbH</a>. We received funding from several projects (<a href="https://prototypefund.de">prototypefund</a>, <a href="https://pointer.ngi.eu">NGI pointer</a>), donations, and commercial contracts.</p>
<h2 id="deploying-mirageos-unikernel">Deploying MirageOS unikernel</h2>
<p>To run a MirageOS unikernel on your laptop or computer with virtualization extensions (VT-x - KVM/BHyve), you first have to install the <code>solo5</code> and <code>albatross</code> packages. Afterwards you need to setup a virtual network switch (a bridge interface) where your unikernels will communicate, and forwarding.</p>
<h3 id="host-system-package-installation">Host system package installation</h3>
<p>For Debian and Ubuntu systems, we provide package repositories. Browse the <a href="https://apt.robur.coop/dists">dists</a> folder for one matching your distribution, and add it to <code>/etc/apt/sources.list</code>:</p>
<pre><code>$ curl -fsSL https://apt.robur.coop/gpg.pub | gpg --dearmor &gt; /usr/share/keyrings/apt.robur.coop.gpg
$ echo &quot;deb [signed-by=/usr/share/keyrings/apt.robur.coop.gpg] https://apt.robur.coop ubuntu-20.04 main&quot; &gt; /etc/apt/sources.list.d/robur.list # replace ubuntu-20.04 with e.g. debian-11 on a debian buster machine
$ apt update
$ apt install solo5 albatross
</code></pre>
<p>On FreeBSD:</p>
<pre><code>$ fetch -o /usr/local/etc/pkg/robur.pub https://pkg.robur.coop/repo.pub # download RSA public key
$ echo 'robur: {
url: &quot;https://pkg.robur.coop/${ABI}&quot;,
mirror_type: &quot;srv&quot;,
signature_type: &quot;pubkey&quot;,
pubkey: &quot;/usr/local/etc/pkg/robur.pub&quot;,
enabled: yes
}' &gt; /usr/local/etc/pkg/repos/robur.conf # Check https://pkg.robur.coop which ABI are available
$ pkg update
$ pkg install solo5 albatross
</code></pre>
<p>For other distributions and systems we do not (yet?) provide binary packages. You can compile and install them using <a href="https://opam.ocaml.org">opam</a> (<code>opam install solo5 albatross</code>). Get in touch if you're keen on adding some other distribution to our reproducible build infrastructure.</p>
<p>There is no configuration needed. Start the <code>albatross_console</code> and the <code>albatross_daemon</code> service (via <code>systemctl daemon-reload ; systemctl start albatross_daemon</code> on Linux or <code>service albatross_daemon start</code> on FreeBSD). Executing <code>albatross-client info </code> should return success (exit code 0) and no running unikernel. You may need to be in the albatross group, or change the permissions of the Unix domain socket (<code>/run/albatross/util/vmmd.sock</code> on Linux, <code>/var/run/albatross/util/vmmd.sock</code> on FreeBSD).</p>
<p>To check that albatross works, get the latest hello world unikernel and run it:</p>
<pre><code>$ wget https://builds.robur.coop/job/hello/build/latest/bin/hello-key.hvt
$ albatross-client console my-hello-unikernel &amp; # this is sent to the background since it waits and displays the console of the unikernel named &quot;my-hello-unikernel&quot;
$ albatross-client create my-hello-unikernel hello-key.hvt # this returns once the unikernel image has been transmitted to the albatross daemon
$ albatross-client create --arg='--hello=&quot;Hello,\ my\ unikernel&quot; my-hello-unikernel hello-key.hvt # executes the same unikernel, but passes the boot parameter &quot;--hello&quot;
$ fg # back to albatross-client console
$ Ctrl-C # kill that process
</code></pre>
<p>Voila, we have a working albatross installation. Albatross also supports a remote client (using a TLS handshake) <code>albatross-client --ca &lt;ca.pem&gt; --ca-key &lt;ca.key&gt; --server-ca &lt;cacert.pem&gt; --destination &lt;myhost&gt;</code>, monitoring of unikernels (<code>albatross_stats</code> and <code>albatross_influx</code> services), and a TLS endpoint (inetd/systemd: <code>albatross-tls-endpoint</code>).</p>
<p>Please ensure to have albatross in version of at least 2.0.0 to follow this page.</p>
<h3 id="network-for-your-unikernel">Network for your unikernel</h3>
<p>Next we want to setup networking for our unikernels. We use a so-called &quot;bridge&quot; interface for this, which is a virtual network switch where you connect &quot;tap&quot; interfaces (layer 2 ethernet devices). A MirageOS unikernel uses tap interfaces for communication. We give our bridge the name &quot;service&quot; (and for example for monitoring and management you may want to setup another bridge &quot;management&quot;).</p>
<p>If you're using a network manager that is capable of setting up bridge interfaces, use that interface.</p>
<p>If not, on Linux you can add the following to <code>/etc/network/interfaces</code> (the reason for adding a dummy interface to the bridge is that otherwise Linux uses the mac address of the first connected tap interface, and there'll be rather confusing issues):</p>
<pre><code>auto service
# Host-only bridge
iface service inet manual
up ip link add service-master address 02:00:00:00:00:01 type dummy
up ip link set dev service-master up
up ip link add service type bridge
up ip link set dev service-master master service
up ip addr add 10.0.42.1/24 dev service
up ip link set dev service up
down ip link del service
down ip link del service-master
</code></pre>
<p>On FreeBSD, add the following to <code>/etc/rc.conf</code>:</p>
<pre><code>cloned_interfaces=&quot;bridge0&quot;
ifconfig_bridge0_name=&quot;service&quot;
ifconfig_service=&quot;inet 10.0.42.1/24&quot;
</code></pre>
<p>Afterwards either restart your system or re-run the service scripts to have the bridge setup in your running system.</p>
<p>To check that the networking works, get the latest static website unikernel and run it:</p>
<pre><code>$ wget https://builds.robur.coop/job/static-website/build/latest/bin/https.hvt
$ albatross-client console my-website &amp; # this is sent to the background since it waits and displays the console of the unikernel named &quot;my-website&quot;
$ albatross-client create --net=service --arg='--ipv4=10.0.42.2/24' my-website https.hvt # this returns once the unikernel image has been transmitted to the albatross daemon
$ ping 10.0.42.2 # should receive answers
$ open http://10.0.42.2 # in your browser - also https://10.0.42.2 (you'll get a certificate warning)
$ wget http://10.0.42.2/ # should download the Hello Mirage world!
$ wget --no-check-certificate https://10.0.42.2/ # should also download the Hello Mirage world!
$ fg # back to albatross-client console
$ Ctrl-C # kill that process
$ albatross-client destroy my-website # kills the unikernel
</code></pre>
<p>When you reached this point, you have successfully launched a MirageOS unikernel, and are able to communicate from your computer with it. This uses the OCaml networking stack, and the host bridge interface.</p>
<h2 id="routing-and-internet">Routing and Internet</h2>
<p>Your unikernel may want to communicate not only with your host, but also with the Internet. The other way around is also important (the Internet wants to talk with your unikernel).</p>
<p>There are several options, depending on your setup:</p>
<ul>
<li>Your unikernel will be masqueraded (using <a href="https://en.wikipedia.org/wiki/Network_address_translation">NAT</a>) - some ports may be forwarded to the unikernel,
</li>
<li>Your computer has several public IP addresses (and put the ethernet device with the ethernet cable on the bridge) and there is an external router,
</li>
<li>Your computer acts as a router for a subnet.
</li>
</ul>
<h3 id="nat">NAT</h3>
<p>This won't allow your unikernel to be reachable from the outside.You'll need to:</p>
<ul>
<li>enable IPv4 forwarding
</li>
<li>add a firewall rule
</li>
</ul>
<p>On Linux:</p>
<pre><code>$ echo &quot;1&quot; &gt; /proc/sys/net/ipv4/ip_forward # enables IP forwarding
$ iptables -t nat -A POSTROUTING -o enp0s20f0 -j MASQUERADE # replace enp0s20f0 with your network interface
</code></pre>
<p>On FreeBSD:</p>
<pre><code>$ echo 'gateway_enable=&quot;YES&quot;' &gt;&gt; /etc/rc.conf # enable IP forwarding
$ echo 'pf_enable=&quot;YES&quot;' &gt;&gt; /etc/rc.conf # enables the packet filter
$ echo &quot;nat pass on em0 inet from 10.0.42.0/24 to any -&gt; (em0)&quot; &gt;&gt; /etc/pf.conf # replace em0 with your ethernet interface)
</code></pre>
<h3 id="public-ip-addresses">Public IP addresses</h3>
<p>To put your unikernels on the same network as your host system, add that external network interface to the bridge:</p>
<p>On Linux, add <code>up ip link set dev enp0s20f0 master service</code> in <code>/etc/network/interfaces</code> (replace enp0s20f0 with your ethernet interface).
On FreeBSD, add <code>ifconfig_service=&quot;addm em0&quot;</code> to <code>/etc/rc.conf</code> (replace em0 with your ethernet interface).</p>
<h3 id="router">Router</h3>
<p>Enable IPv4 forwarding, and setup one IP address on the bridge (replacing the 10.0.42.1/24 above).</p>
<h2 id="unikernel-execution">Unikernel execution</h2>
<p>Let's test that your unikernels have access to the Internet by using the <a href="https://hannes.robur.coop/Posts/Traceroute">traceroute</a> unikernel:</p>
<pre><code>$ wget https://builds.robur.coop/job/traceroute/build/latest/bin/traceroute.hvt
$ albatross-client console my-traceroute &amp; # this is sent to the background since it waits and displays the console of the unikernel named &quot;my-traceroute&quot;
$ albatross-client create --net=service --arg='--ipv4=10.0.42.2/24' --arg='--ipv4-gateway=10.0.42.1' my-traceroute traceroute.hvt # the IP configuration depends on your setup, use your public IP address and actual router IP if you've set it up.
$ fg # back to albatross-client console
$ Ctrl-C # kill that process
</code></pre>
<p>That's it. Albatross has more features, such as block devices, multiple bridges (for management, private networks, ...), restart if the unikernel exited with specific exit code, assignment of a unikernel to a specific CPU. It also has remote command execution and resource limits (you can allow your friends to execute a number of unikernels with limited memory and block storage accessing only some of your bridges). There is a daemon to collect metrics and report them to Grafana (via Telegraf and Influx). MirageOS unikernels also support IPv6, you're not limited to legacy IP.</p>
</article></div></div></main><div class="footer"><p><a href="/Contact">Contact</a>
<a href="/Donate">Donate</a></p>
</div></body></html>