testing debug config value

Makefile.eif

@@ -37,7 +37,7 @@ build/make_config.py: ./scripts/aws/make_config.py
 
 .PHONY: build_configs
 
-build_configs: build/conf/default-config.json build/conf/prod-uid2-config.json build/conf/integ-uid2-config.json build/conf/prod-euid-config.json build/conf/integ-euid-config.json build/conf/logback.xml
+build_configs: build/conf/default-config.json build/conf/prod-uid2-config.json build/conf/integ-uid2-config.json build/conf/prod-euid-config.json build/conf/integ-euid-config.json build/conf/logback.xml build/conf/logback-debug.xml
 
 build/conf/default-config.json: build_artifacts ./scripts/aws/conf/default-config.json
 	cp ./scripts/aws/conf/default-config.json ./build/conf/
@@ -57,6 +57,9 @@ build/conf/integ-euid-config.json: build_artifacts ./scripts/aws/conf/integ-euid
 build/conf/logback.xml: build_artifacts ./scripts/aws/conf/logback.xml
 	cp ./scripts/aws/conf/logback.xml ./build/conf/
 
+build/conf/logback-debug.xml: build_artifacts ./scripts/aws/conf/logback-debug.xml
+	cp ./scripts/aws/conf/logback-debug.xml ./build/conf/
+
 build/Dockerfile: build_artifacts ./scripts/aws/Dockerfile
 	cp ./scripts/aws/Dockerfile ./build/
 

pom.xml

@@ -6,7 +6,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-operator</artifactId>
-    <version>5.40.48</version>
+    <version>5.40.56-alpha-34-SNAPSHOT</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

scripts/aws/conf/logback-debug.xml

@@ -0,0 +1,15 @@
+<configuration>
+    <statusListener class="ch.qos.logback.core.status.OnConsoleStatusListener" />
+
+    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder class="net.logstash.logback.encoder.LogstashEncoder">
+            <jsonGeneratorDecorator class="net.logstash.logback.mask.MaskingJsonGeneratorDecorator">
+                <defaultMask>REDACTED - S3</defaultMask>
+                <value>\S+s3\.amazonaws\.com\/\S*X-Amz-Security-Token=\S+</value>
+            </jsonGeneratorDecorator>
+        </encoder>
+    </appender>
+    <root level="INFO">
+        <appender-ref ref="STDOUT" />
+    </root>
+</configuration>

scripts/aws/eks-pod/entrypoint.sh

@@ -1,8 +1,9 @@
-#!/bin/bash -eufx
+#!/bin/bash -ufx
 CID=42
 EIF_PATH=/home/uid2operator.eif
 MEMORY_MB=24576
 CPU_COUNT=6
+DEBUG_MODE="false"
 
 set -x
 
@@ -13,7 +14,9 @@ function terminate_old_enclave() {
         nitro-cli terminate-enclave --enclave-id ${ENCLAVE_ID}
         echo "Terminated enclave with ID ${ENCLAVE_ID}"
     else
+        nitro-cli describe-enclaves
         echo "No running enclaves to terminate."
+        sleep 30
     fi
 }
 
@@ -27,7 +30,7 @@ function setup_vsockproxy() {
     VSOCK_PROXY=${VSOCK_PROXY:-/home/vsockpx}
     VSOCK_CONFIG=${VSOCK_CONFIG:-/home/proxies.host.yaml}
     VSOCK_THREADS=${VSOCK_THREADS:-$(( $(nproc) * 2 )) }
-    VSOCK_LOG_LEVEL=${VSOCK_LOG_LEVEL:-3}
+    VSOCK_LOG_LEVEL=1
     echo "starting vsock proxy at $VSOCK_PROXY with $VSOCK_THREADS worker threads..."
     $VSOCK_PROXY -c $VSOCK_CONFIG --workers $VSOCK_THREADS --log-level $VSOCK_LOG_LEVEL --daemon
     echo "vsock proxy now running in background."
@@ -87,12 +90,20 @@ function update_config() {
         { set +x; } 2>/dev/null; { CPU_COUNT=$(echo $IDENTITY_SERVICE_CONFIG | jq -r '.enclave_cpu_count'); set -x; }
         { set +x; } 2>/dev/null; { MEMORY_MB=$(echo $IDENTITY_SERVICE_CONFIG | jq -r '.enclave_memory_mb'); set -x; }
     fi
+
+    { set +x; } 2>/dev/null; { DEBUG_MODE=$(echo $IDENTITY_SERVICE_CONFIG | jq -r '.debug_mode'); set -x; }
+
     shopt -u nocasematch
 }
 
 function run_enclave() {
-    echo "starting enclave... --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID"
-    nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name uid2-operator
+    if [ "$DEBUG_MODE" = "true" ]; then
+      echo "starting enclave... --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --debug-mode --attach-console"
+      nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name uid2-operator --debug-mode --attach-console
+    else
+      echo "starting enclave... --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID"
+      nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name uid2-operator
+    fi
 }
 
 echo "starting ..."
@@ -111,6 +122,7 @@ wait_for_config
 update_config
 run_enclave
 
+nitro-cli describe-enclaves
 sleep 60s
 set +x
 ENCLAVE_ID=$(nitro-cli describe-enclaves | jq -r ".[0].EnclaveID")

scripts/aws/eks-pod/proxies.host.yaml

@@ -10,6 +10,11 @@ operator-service:
   listen: tcp://0.0.0.0:80
   connect: vsock://42:8080
 
+operator-debug:
+  service: direct
+  listen: tcp://0.0.0.0:8000
+  connect: vsock://42:8000
+
 operator-prometheus:
   service: direct
   listen: tcp://0.0.0.0:9080

scripts/aws/eks-pod/sockd_eks.conf

@@ -1,6 +1,6 @@
-#logoutput: stdout
+logoutput: stdout
 errorlog: stdout
-#debug: 2
+debug: 2
 internal: 127.0.0.1 port = 3306
 external: eth0
 user.notprivileged: ec2-user
@@ -9,12 +9,12 @@ socksmethod: none
 
 client pass {
     from: 127.0.0.1/32 to: 127.0.0.1/32
-    log: error # connect disconnect iooperation
+    log: connect disconnect tcpinfo # connect disconnect iooperation
 }
 
 socks pass {
     from: 127.0.0.1/32 to: 0.0.0.0/0
     command: bind connect
     protocol: tcp
-    log: error
+    log: connect disconnect tcpinfo
 }

scripts/aws/entrypoint.sh

@@ -1,12 +1,11 @@
-#!/bin/bash -eufx
+#!/bin/bash -ufx
 
 # This is the entrypoint for the Enclave. It is executed in all enclaves - EC2 and EKS
 
 LOG_FILE="/home/start.txt"
 
 set -x
-exec > $LOG_FILE
-exec 2>&1
+exec &> >(tee -a "$LOG_FILE")
 
 set -o pipefail
 ulimit -n 65536
@@ -17,11 +16,7 @@ ifconfig lo 127.0.0.1
 
 # -- start vsock proxy
 echo "Starting vsock proxy..."
-/app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( $(nproc) * 2 )) --log-level 3
-
-# -- setup syslog-ng
-echo "Starting syslog-ng..."
-/usr/sbin/syslog-ng --verbose
+/app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( $(nproc) * 2 )) --log-level 1
 
 # -- load config from identity service
 echo "Loading config from identity service via proxy..."
@@ -42,6 +37,14 @@ do
   sleep 2
 done
 
+DEBUG_MODE=$(jq -r ".debug_mode" < "${OVERRIDES_CONFIG}")
+
+if [[ ! "$DEBUG_MODE" = "true" ]]; then
+  # -- setup syslog-ng
+  echo "Starting syslog-ng..."
+  /usr/sbin/syslog-ng --verbose
+fi
+
 # check the config is valid. Querying for a known missing element (empty) makes jq parse the file, but does not echo the results
 if jq empty "${OVERRIDES_CONFIG}"; then
     echo "Identity service returned valid config"
@@ -95,12 +98,25 @@ cd /app
 
 # -- start operator
 echo "Starting Java application..."
-java \
-  -XX:MaxRAMPercentage=95 -XX:-UseCompressedOops -XX:+PrintFlagsFinal \
-  -Djava.security.egd=file:/dev/./urandom \
-  -Djava.library.path=/app/lib \
-  -Dvertx-config-path="${FINAL_CONFIG}" \
-  -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.SLF4JLogDelegateFactory \
-  -Dlogback.configurationFile=./conf/logback.xml \
-  -Dhttp_proxy=socks5://127.0.0.1:3305 \
-  -jar /app/"${JAR_NAME}"-"${JAR_VERSION}".jar
+if [[ "$DEBUG_MODE" = "true" ]]; then
+  java \
+    -XX:MaxRAMPercentage=95 -XX:-UseCompressedOops -XX:+PrintFlagsFinal \
+    -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=8000 \
+    -Djava.security.egd=file:/dev/./urandom \
+    -Djava.library.path=/app/lib \
+    -Dvertx-config-path="${FINAL_CONFIG}" \
+    -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.SLF4JLogDelegateFactory \
+    -Dlogback.configurationFile=./conf/logback-debug.xml \
+    -Dhttp_proxy=socks5://127.0.0.1:3305 \
+    -jar /app/"${JAR_NAME}"-"${JAR_VERSION}".jar
+else
+  java \
+    -XX:MaxRAMPercentage=95 -XX:-UseCompressedOops -XX:+PrintFlagsFinal \
+    -Djava.security.egd=file:/dev/./urandom \
+    -Djava.library.path=/app/lib \
+    -Dvertx-config-path="${FINAL_CONFIG}" \
+    -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.SLF4JLogDelegateFactory \
+    -Dlogback.configurationFile=./conf/logback.xml \
+    -Dhttp_proxy=socks5://127.0.0.1:3305 \
+    -jar /app/"${JAR_NAME}"-"${JAR_VERSION}".jar
+fi

scripts/aws/proxies.host.yaml

@@ -10,6 +10,11 @@ operator-service:
   listen: tcp://0.0.0.0:80
   connect: vsock://42:8080
 
+operator-debug:
+  service: direct
+  listen: tcp://0.0.0.0:8000
+  connect: vsock://42:8000
+
 operator-prometheus:
   service: direct
   listen: tcp://0.0.0.0:9080

scripts/aws/proxies.nitro.yaml

@@ -5,6 +5,11 @@ uid-operator-in:
   listen: vsock://-1:8080
   connect: tcp://127.0.0.1:8080
 
+uid-operator-debug-in:
+  service: direct
+  listen: vsock://-1:8000
+  connect: tcp://127.0.0.1:8000
+
 prometheus-server:
   service: direct
   listen: vsock://-1:9080

scripts/aws/sockd.conf

@@ -1,3 +1,6 @@
+logoutput: stdout
+errorlog: stdout
+debug: 2
 internal: 127.0.0.1 port = 3306
 external: ens5
 user.notprivileged: ec2-user
@@ -6,12 +9,12 @@ socksmethod: none
 
 client pass {
     from: 127.0.0.1/32 to: 127.0.0.1/32
-    log: error # connect disconnect iooperation
+    log: connect disconnect tcpinfo # connect disconnect iooperation
 }
 
 socks pass {
     from: 127.0.0.1/32 to: 0.0.0.0/0
     command: bind connect
     protocol: tcp
-    log: error
+    log: connect disconnect tcpinfo
 }