flashbox - switch cvm-reverse-proxy to attested-tls-proxy #168
| @@ -1,4 +1,4 @@ | |||
| #!/bin/bash | |||
| #!/usr/bin/env bash | |||
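Review bot: the new `#!/usr/bin/env bash` on line 1 makes the interpreter depend on the caller's PATH instead of a fixed path. That is needed on NixOS, where `/bin/bash` does not exist, but it is unrelated to the proxy switch, so it would be easier to track and revert as its own commit. If this script is run through a build wrapper, setting PATH explicitly there keeps the choice of bash deterministic.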
Not related to this PR but needed to build on nixos - see #130
3f0b3dd to 80be581
| cp -r "$cache_dir/$src"/* "$DESTDIR$dest/" | ||
| else | ||
| cp "$cache_dir/$src" "$DESTDIR$dest" | ||
| install -m 755 "$cache_dir/$src" "$DESTDIR$dest" |
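Review bot: in the `else` branch, `install -m 755` marks every single-file artifact executable regardless of what the file is, while the `cp -r` branch above still carries over whatever modes the cache has, so an executable inside a copied directory can still land without an execute bit. Consider taking the mode per artifact (defaulting to 644 and using 755 only for entries that are meant to be executed) and normalising modes in the directory branch as well, so the result does not depend on the permissions found in the cache.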
Not strictly related to this PR but without this tdx-init was ending up having permissions 600 in the initrd, causing wait-for-key.service to get stuck trying to execute it:
[FAILED] Failed to start wait-for-key.service - SSH Public Key Server.
See 'systemctl status wait-for-key.service' for details.
Starting wait-for-key.service - SSH Public Key Server...
[FAILED] Failed to start wait-for-key.service - SSH Public Key Server.
See 'systemctl status wait-for-key.service' for details.
Starting wait-for-key.service - SSH Public Key Server...
[FAILED] Failed to start wait-for-key.service - SSH Public Key Server.
See 'systemctl status wait-for-key.service' for details.
I'm not sure if this is a platform-specific difference in permissions handling due to a different umask, but I don't see a reason why this fix would cause issues when building on other platforms.
I can move this to a separate PR if needed.
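A pre-packaging check for the failure described in the comment above, as an added example that is not part of the PR or the flashbox repository: it walks a staged image tree and reports `ExecStart=` targets that exist but have no execute bit. The function names, the staged unit directories, the `/usr/bin/tdx-init` path and the sample unit contents are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not project code. Lists ExecStart= targets in a staged image
# tree that exist but carry no execute bit (the mode-600 tdx-init case).
# Assumption: units are staged under etc/systemd/system or usr/lib/systemd/system.

check_execstart() {   # usage: check_execstart ROOT ; returns 1 if anything is found
    local root=$1 bad=0 unit line cmd target mode
    for unit in "$root"/etc/systemd/system/*.service "$root"/usr/lib/systemd/system/*.service; do
        [ -f "$unit" ] || continue                 # unmatched glob or not a file
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ExecStart=*|ExecStartPre=*|ExecStartPost=*) cmd=${line#*=} ;;
                *) continue ;;
            esac
            # Drop systemd's optional prefix characters before the path.
            while :; do
                case $cmd in
                    [-@:+!]*) cmd=${cmd#?} ;;
                    *) break ;;
                esac
            done
            target=${cmd%%[[:space:]]*}            # first word is the executable path
            [ -f "$root$target" ] || continue      # a missing file is a different problem
            if [ ! -x "$root$target" ]; then
                mode=$(stat -c '%a' "$root$target" 2>/dev/null || echo '?')
                printf '%s: %s mode %s\n' "${unit##*/}" "$target" "$mode"
                bad=1
            fi
        done < "$unit"
    done
    return "$bad"
}

# Constructed sample tree: the unit name comes from the thread, the binary path
# and the ExecStart arguments are hypothetical.
make_sample_root() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/etc/systemd/system" "$root/usr/bin"
    printf '[Service]\nExecStart=/usr/bin/tdx-init wait-for-key\n' \
        > "$root/etc/systemd/system/wait-for-key.service"
    printf '#!/bin/sh\n' > "$root/usr/bin/tdx-init"
    chmod 600 "$root/usr/bin/tdx-init"   # what a plain cp of a 600 cache file leaves behind
    printf '%s\n' "$root"
}
```

Running `check_execstart "$DESTDIR"` after the copy step and failing the build on a non-zero return surfaces the problem at build time instead of as a restart loop in the booted initrd.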
Is this based on this older PR? Or is it supposed to replace it?
||
| ./ssh-pubkey-server/cmd/cli/add_to_known_hosts.sh \ | ||
| ./cvm-reverse-proxy/build/proxy-client \ | ||
| http://127.0.0.1:8080 \ |
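Review bot: the `http://127.0.0.1:8080` argument is a plaintext loopback URL, so the key that add_to_known_hosts.sh records is only as trustworthy as whatever process is listening on that port. The surrounding docs should state that the attested proxy client must already be running on 127.0.0.1:8080 with attestation verification in place before this command is run, and that the command should not be pointed at a non-loopback http:// address.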
what's this? do you mean curl using that address and the endpoint /pubkey?
I was a bit confused why this line was ./cvm-reverse-proxy/build/proxy-client, because it appears the first argument to add_to_known_hosts.sh should be the url which is used to retrieve the public key:
Does that make sense?
This process could probably be simplified a bit by using the attested-get command rather than proxy client and then curl. But since that would mean making a change to this external script I left it as it is.
I forgot that one was still open - I thought it got closed for some reason. What was the blocker with merging that one? Besides the merge conflicts that have since popped up. No strong opinions whether to merge this one or that one. This has been tested on GCP, that one tested with bare Qemu and Azure.
I'm hesitating a bit to hit merge on this, because I realise it's kind of a breaking change in that it requires searchers to use a different tool to fetch the ssh key. Even though this is documented, I'm not sure how much friction it will cause or if we should announce that somewhere.
This switches cvm-reverse-proxy to attested-tls-proxy.
The purpose is to avoid a licensing issue and use more actively maintained attestation generation and verification code.
I have tried to make this as unopinionated as possible, making a drop-in replacement giving the exact same functionality as before.
This does NOT use the new nested attested TLS protocol. It is the older protocol which is currently used on Buildernet. The only difference between the 1.1.3 release used here and 1.1.2 currently used by Buildernet is some dependency updates relating to attestation.
I have tested the documented workflow for retrieving ssh public key on a GCP deployment.
Note that support for dstack-mr style measurement is still not merged - neither in attested-tls used here: flashbots/attested-tls#56 or in cvm-reverse-proxy: flashbots/cvm-reverse-proxy#49