refactor: cli and linux jail (#104)

* refactor: cli and linux jail

* refactor: linux jail; remove platform-specific abstractions

* refactor: linux jail

Author: evgeniy-scherbina

app/app.go

@@ -0,0 +1,97 @@
+package app
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/coder/serpent"
+)
+
+// Config holds all configuration for the CLI
+type Config struct {
+	Config           serpent.YAMLConfigPath `yaml:"-"`
+	AllowListStrings serpent.StringArray    `yaml:"allowlist"` // From config file
+	AllowStrings     serpent.StringArray    `yaml:"-"`         // From CLI flags only
+	LogLevel         serpent.String         `yaml:"log_level"`
+	LogDir           serpent.String         `yaml:"log_dir"`
+	ProxyPort        serpent.Int64          `yaml:"proxy_port"`
+	PprofEnabled     serpent.Bool           `yaml:"pprof_enabled"`
+	PprofPort        serpent.Int64          `yaml:"pprof_port"`
+}
+
+func isChild() bool {
+	return os.Getenv("CHILD") == "true"
+}
+
+// Run executes the boundary command with the given configuration and arguments
+func Run(ctx context.Context, config Config, args []string) error {
+	logger, err := setupLogging(config)
+	if err != nil {
+		return fmt.Errorf("could not set up logging: %v", err)
+	}
+
+	configInJSON, err := json.Marshal(config)
+	if err != nil {
+		return err
+	}
+	logger.Debug("config", "json_config", configInJSON)
+
+	if isChild() {
+		return RunChild(logger, args)
+	}
+
+	return RunParent(ctx, logger, args, config)
+}
+
+// setupLogging creates a slog logger with the specified level
+func setupLogging(config Config) (*slog.Logger, error) {
+	var level slog.Level
+	switch strings.ToLower(config.LogLevel.Value()) {
+	case "error":
+		level = slog.LevelError
+	case "warn":
+		level = slog.LevelWarn
+	case "info":
+		level = slog.LevelInfo
+	case "debug":
+		level = slog.LevelDebug
+	default:
+		level = slog.LevelWarn // Default to warn if invalid level
+	}
+
+	logTarget := os.Stderr
+
+	logDir := config.LogDir.Value()
+	if logDir != "" {
+		// Set up the logging directory if it doesn't exist yet
+		if err := os.MkdirAll(logDir, 0755); err != nil {
+			return nil, fmt.Errorf("could not set up log dir %s: %v", logDir, err)
+		}
+
+		// Create a logfile (timestamp and pid to avoid race conditions with multiple boundary calls running)
+		logFilePath := fmt.Sprintf("boundary-%s-%d.log",
+			time.Now().Format("2006-01-02_15-04-05"),
+			os.Getpid())
+
+		logFile, err := os.Create(filepath.Join(logDir, logFilePath))
+		if err != nil {
+			return nil, fmt.Errorf("could not create log file %s: %v", logFilePath, err)
+		}
+
+		// Set the log target to the file rather than stderr.
+		logTarget = logFile
+	}
+
+	// Create a standard slog logger with the appropriate level
+	handler := slog.NewTextHandler(logTarget, &slog.HandlerOptions{
+		Level: level,
+	})
+
+	return slog.New(handler), nil
+}

app/child.go

@@ -0,0 +1,38 @@
+package app
+
+import (
+	"fmt"
+	"log"
+	"log/slog"
+	"os"
+	"os/exec"
+
+	"github.com/coder/boundary/jail"
+)
+
+func RunChild(logger *slog.Logger, args []string) error {
+	logger.Info("boundary CHILD process is started")
+
+	vethNetJail := os.Getenv("VETH_JAIL_NAME")
+	err := jail.SetupChildNetworking(vethNetJail)
+	if err != nil {
+		return fmt.Errorf("failed to setup child networking: %v", err)
+	}
+	logger.Info("child networking is successfully configured")
+
+	// Program to run
+	bin := args[0]
+	args = args[1:]
+
+	cmd := exec.Command(bin, args...)
+	cmd.Stdin = os.Stdin
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	err = cmd.Run()
+	if err != nil {
+		log.Printf("failed to run %s: %v", bin, err)
+		return err
+	}
+
+	return nil
+}

app/parent.go

@@ -0,0 +1,157 @@
+package app
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+
+	"github.com/coder/boundary"
+	"github.com/coder/boundary/audit"
+	"github.com/coder/boundary/jail"
+	"github.com/coder/boundary/rulesengine"
+	"github.com/coder/boundary/tls"
+	"github.com/coder/boundary/util"
+)
+
+func RunParent(ctx context.Context, logger *slog.Logger, args []string, config Config) error {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	username, uid, gid, homeDir, configDir := util.GetUserInfo()
+
+	// Get command arguments
+	if len(args) == 0 {
+		return fmt.Errorf("no command specified")
+	}
+
+	// Merge allowlist from config file with allow from CLI flags
+	allowListStrings := config.AllowListStrings.Value()
+	allowStrings := config.AllowStrings.Value()
+
+	// Combine allowlist (config file) with allow (CLI flags)
+	allAllowStrings := append(allowListStrings, allowStrings...)
+
+	if len(allAllowStrings) == 0 {
+		logger.Warn("No allow rules specified; all network traffic will be denied by default")
+	}
+
+	// Parse allow rules
+	allowRules, err := rulesengine.ParseAllowSpecs(allAllowStrings)
+	if err != nil {
+		logger.Error("Failed to parse allow rules", "error", err)
+		return fmt.Errorf("failed to parse allow rules: %v", err)
+	}
+
+	// Create rule engine
+	ruleEngine := rulesengine.NewRuleEngine(allowRules, logger)
+
+	// Create auditor
+	auditor := audit.NewLogAuditor(logger)
+
+	// Create TLS certificate manager
+	certManager, err := tls.NewCertificateManager(tls.Config{
+		Logger:    logger,
+		ConfigDir: configDir,
+		Uid:       uid,
+		Gid:       gid,
+	})
+	if err != nil {
+		logger.Error("Failed to create certificate manager", "error", err)
+		return fmt.Errorf("failed to create certificate manager: %v", err)
+	}
+
+	// Setup TLS to get cert path for jailer
+	tlsConfig, caCertPath, configDir, err := certManager.SetupTLSAndWriteCACert()
+	if err != nil {
+		return fmt.Errorf("failed to setup TLS and CA certificate: %v", err)
+	}
+
+	// Create jailer with cert path from TLS setup
+	jailer, err := jail.NewLinuxJail(jail.Config{
+		Logger:        logger,
+		HttpProxyPort: int(config.ProxyPort.Value()),
+		Username:      username,
+		Uid:           uid,
+		Gid:           gid,
+		HomeDir:       homeDir,
+		ConfigDir:     configDir,
+		CACertPath:    caCertPath,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create jailer: %v", err)
+	}
+
+	// Create boundary instance
+	boundaryInstance, err := boundary.New(ctx, boundary.Config{
+		RuleEngine:   ruleEngine,
+		Auditor:      auditor,
+		TLSConfig:    tlsConfig,
+		Logger:       logger,
+		Jailer:       jailer,
+		ProxyPort:    int(config.ProxyPort.Value()),
+		PprofEnabled: config.PprofEnabled.Value(),
+		PprofPort:    int(config.PprofPort.Value()),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to create boundary instance: %v", err)
+	}
+
+	// Setup signal handling BEFORE any setup
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
+
+	// Open boundary (starts network namespace and proxy server)
+	err = boundaryInstance.Start()
+	if err != nil {
+		return fmt.Errorf("failed to open boundary: %v", err)
+	}
+	defer func() {
+		logger.Info("Closing boundary...")
+		err := boundaryInstance.Close()
+		if err != nil {
+			logger.Error("Failed to close boundary", "error", err)
+		}
+	}()
+
+	// Execute command in boundary
+	go func() {
+		defer cancel()
+		cmd := boundaryInstance.Command(os.Args)
+
+		logger.Debug("Executing command in boundary", "command", strings.Join(os.Args, " "))
+		err := cmd.Start()
+		if err != nil {
+			logger.Error("Command failed to start", "error", err)
+			return
+		}
+
+		err = boundaryInstance.ConfigureAfterCommandExecution(cmd.Process.Pid)
+		if err != nil {
+			logger.Error("configuration after command execution failed", "error", err)
+			return
+		}
+
+		logger.Debug("waiting on a child process to finish")
+		err = cmd.Wait()
+		if err != nil {
+			logger.Error("Command execution failed", "error", err)
+			return
+		}
+	}()
+
+	// Wait for signal or context cancellation
+	select {
+	case sig := <-sigChan:
+		logger.Info("Received signal, shutting down...", "signal", sig)
+		cancel()
+	case <-ctx.Done():
+		// Context cancelled by command completion
+		logger.Info("Command completed, shutting down...")
+	}
+
+	return nil
+}