Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Problem: multiple vsock_proxies may need to be launched #315

Open
scirner22 opened this issue Apr 26, 2022 · 3 comments
Open

Problem: multiple vsock_proxies may need to be launched #315

scirner22 opened this issue Apr 26, 2022 · 3 comments

Comments

@scirner22
Copy link

Is your feature request related to a problem? Please describe.
In the enclave.toml there's a [vsock_proxy] block where the kms vsock is configured. When running the cosmos node on a separate node than the tmkms node, having a vsock proxy between 5000 and whatever port you assign to the cosmos node in the field priv_validator_laddr is needed.

Describe the solution you'd like
Allow enclave.toml to take a list of [vsock_proxy] blocks, i.e. [[vsock_proxy]], or define another field like [[additional_vsock_proxies]] if a breaking change is not desirable. This would allow launch-all to manage any number of additional vsock proxies.

Describe alternatives you've considered
Open to suggestions, but the two solutions above are the only alternatives I've come up with.

Additional context
If either of the solutions above are accepted, I can work on implementing this.
@tomtau
Copy link

tomtau commented Apr 26, 2022

@scirner22 thanks for the suggestion. Maybe one alternative would be to patch the vsock_proxy itself: https://github.com/aws/aws-nitro-enclaves-cli/tree/main/vsock_proxy to allow proxying to multiple remote hosts?
Right now, one needs to configure the allowlist for vsock_proxy: https://github.com/aws/aws-nitro-enclaves-cli/blob/main/vsock_proxy/configs/vsock-proxy.yaml
so perhaps adding a "proxy-all" option to vsock_proxy could be a more convenient solution. What do you think?

@tomtau tomtau changed the title Configurable Validator Vsock Problem: multiple vsock_proxies may need to be launched Apr 26, 2022
@scirner22
Copy link
Author

That's an interesting concept. If I understand, you're suggesting a single vsock-proxy would run and on new incoming connections, dynamically create a persistent proxy? OR would you configure all at the command line so they could all be launched up front? Are either of those in the spirit of what vsock_proxy is intended for? I haven't had any problems running multiple vsock_proxies manually, this issue was more around usability so that they don't have to be managed externally anymore.

@tomtau
Copy link

tomtau commented Apr 27, 2022

That's an interesting concept. If I understand, you're suggesting a single vsock-proxy would run and on new incoming connections, dynamically create a persistent proxy? OR would you configure all at the command line so they could all be launched up front?

More of the former, because providing many command-line arguments may be a hassle... vsock_proxy requires the allowlist, so perhaps adding an extra config item there to specify the corresponding vsock ports?

Are either of those in the spirit of what vsock_proxy is intended for?

I don't know. It's probably worth opening an issue on the AWS repo: https://github.com/aws/aws-nitro-enclaves-cli/issues/new to see whether that's something they had in mind themselves or are willing to merge.
If not, we can probably go with the "Allow enclave.toml to take a list of [vsock_proxy] blocks" solution here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@scirner22 @tomtau