Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[POC, DNM] Expose socks proxy (per user-v2 net, not per instance) #2782

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

AkihiroSuda
Copy link
Member

Usage:

curl \
  --proxy socks5h://localhost/$HOME/.lima/_networks/user-v2/user-v2_socks.sock \
  192.168.104.4

This is similar to the limactl tunnel proposal (PR #2710). While PR #2710 creates a proxy per an instance, this commit creates a proxy per a user-v2 network.

Remarks:

Overall, PR #2710 might be better than this commit, as PR #2710 works for any network driver, does not need an additional DNS resolver, and does not incur additional go.mod deps.

@AkihiroSuda
Copy link
Member Author

Maybe limactl tunnel may have limactl tunnel --target=instance INSTANCE (default?) and limactl tunnel --target=network NETWORK to support the both concepts

Originally posted by @AkihiroSuda in #2710 (comment)

Usage:
```
curl \
  --proxy socks5h://localhost/$HOME/.lima/_networks/user-v2/user-v2_socks.sock \
  192.168.104.4
```

This is similar to the `limactl tunnel` proposal (PR 2710).
While PR 2710 creates a proxy per an instance, this commit creates a
proxy per a user-v2 network.

Remarks:
- Only works for user-v2 networks.
- DNS lookup is not implemented yet in this POC.
  Could be taken from https://github.com/norouter/norouter/blob/v0.6.5/pkg/agent/socks/socks.go#L57-L75
- https://github.com/cybozu-go/usocksd is a dependency hog (See the `go.mod` diff).
  Should be replaced with a fork or another library.

Overall, PR 2710 might be better than this commit, as PR 2710 works for
any network driver, does not need an additional DNS resolver, and
does not incur additional `go.mod` deps.

Signed-off-by: Akihiro Suda <[email protected]>
github.com/cybozu-go/log v1.6.1 // indirect
github.com/cybozu-go/netutil v1.4.2 // indirect
github.com/cybozu-go/well v1.11.0 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

License check is failing

Not allowed license MPL-2.0 found for library github.com/hashicorp/hcl

Copy link
Member

@jandubois jandubois Oct 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is in the CNCF exception list (like all the other Hashicorp libraries used by Kubernetes), so using it would be fine:

  {
    "package": "github.com/hashicorp/hcl",
    "license": "MPL-2.0",
    "comment": "not auto-allowlist because: Non-allowlist license(s); approved by GB exception 2019-03-11"
  },

From https://github.com/cncf/foundation/blob/1e80c35a4b43868d5070366d9e4501babafd8a52/license-exceptions/cncf-exceptions-2022-04-12.json#L57-L61

I have not been able to figure out1 how this makes sense from a legal point of view, that some MPL libraries are acceptable and others aren't.

Footnotes

  1. Yes, including asking a former TOC member.

@balajiv113
Copy link
Member

Only works for user-v2 networks.

Yes this i agree. Only QEMU slirp is not supported. We could technically replace that as well with user-v2 one itself.

DNS lookup is not implemented yet in this POC. Could be taken from https://github.com/norouter/norouter/blob/v0.6.5/pkg/agent/socks/socks.go#L57-L75

True, We need some work here. We could try to connect to already present DNS resolver in gvisor-tap-vsock (gatewayIP:53) which can do the resolution required. But for some reason gonet.Dial not working against that

dependency hog

For socks5 alone, https://github.com/things-go/go-socks5 was working. Not much of a dependency here

Am fine in going with instance model for now, later it would be great if we can bring the network level tunnels for ease of access

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants