From f32403517d4d551f276ca03937b79836d60dc021 Mon Sep 17 00:00:00 2001 From: Ilya Raykker Date: Wed, 20 Aug 2025 20:12:18 +0400 Subject: [PATCH 001/133] feat: implement Verifiable Message Signing --- Cargo.lock | 27 +++++++++ guest-agent/Cargo.toml | 2 + guest-agent/rpc/proto/agent_rpc.proto | 18 ++++++ guest-agent/src/rpc_service.rs | 79 ++++++++++++++++++++++++++- 4 files changed, 125 insertions(+), 1 deletion(-) diff --git a/Cargo.lock b/Cargo.lock index 038f8461..191f3c47 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2051,6 +2051,7 @@ dependencies = [ "default-net", "dstack-guest-agent-rpc", "dstack-types", + "ed25519-dalek", "figment", "fs-err", "git-version", @@ -2061,6 +2062,7 @@ dependencies = [ "load_config", "ra-rpc", "ra-tls", + "rand 0.8.5", "rcgen", "reqwest", "ring", @@ -2296,6 +2298,31 @@ dependencies = [ "spki", ] +[[package]] +name = "ed25519" +version = "2.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53" +dependencies = [ + "pkcs8", + "signature", +] + +[[package]] +name = "ed25519-dalek" +version = "2.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9" +dependencies = [ + "curve25519-dalek", + "ed25519", + "rand_core 0.6.4", + "serde", + "sha2", + "subtle", + "zeroize", +] + [[package]] name = "either" version = "1.15.0" diff --git a/guest-agent/Cargo.toml b/guest-agent/Cargo.toml index b987bce4..44f30718 100644 --- a/guest-agent/Cargo.toml +++ b/guest-agent/Cargo.toml @@ -43,3 +43,5 @@ sha3.workspace = true strip-ansi-escapes.workspace = true cert-client.workspace = true ring.workspace = true +ed25519-dalek = { version = "2.2.0", features = ["rand_core"] } +rand.workspace = true diff --git a/guest-agent/rpc/proto/agent_rpc.proto b/guest-agent/rpc/proto/agent_rpc.proto index 25c57531..a6c4d1e2 100644 --- a/guest-agent/rpc/proto/agent_rpc.proto +++ b/guest-agent/rpc/proto/agent_rpc.proto @@ -44,6 +44,9 @@ service DstackGuest { // Get app info rpc Info(google.protobuf.Empty) returns (AppInfo) {} + + // Get app info + rpc Sign(SignRequest) returns (SignResponse) {} } // The request to derive a key @@ -210,4 +213,19 @@ service Worker { rpc Info(google.protobuf.Empty) returns (AppInfo) {} // Get the guest agent version rpc Version(google.protobuf.Empty) returns (WorkerVersion) {} + // Get attestation + rpc GetAttestation(GetAttestationRequest) returns (GetQuoteResponse) {} +} + +message SignRequest { + string algorithm = 1; + bytes data = 2; +} + +message SignResponse { + bytes signature = 1; +} + +message GetAttestationRequest { + string algorithm = 1; } diff --git a/guest-agent/src/rpc_service.rs b/guest-agent/src/rpc_service.rs index 62d72e32..ea8e4cbe 100644 --- a/guest-agent/src/rpc_service.rs +++ b/guest-agent/src/rpc_service.rs @@ -6,11 +6,14 @@ use dstack_guest_agent_rpc::{ dstack_guest_server::{DstackGuestRpc, DstackGuestServer}, tappd_server::{TappdRpc, TappdServer}, worker_server::{WorkerRpc, WorkerServer}, + GetAttestationRequest, AppInfo, DeriveK256KeyResponse, DeriveKeyArgs, EmitEventArgs, GetKeyArgs, GetKeyResponse, GetQuoteResponse, GetTlsKeyArgs, GetTlsKeyResponse, RawQuoteArgs, TdxQuoteArgs, - TdxQuoteResponse, WorkerVersion, + TdxQuoteResponse, WorkerVersion, SignRequest, SignResponse, }; use dstack_types::{AppKeys, SysConfig}; +use ed25519_dalek::{Signer as Ed25519Signer, SigningKey as Ed25519SigningKey}; +use rand::rngs::OsRng; use fs_err as fs; use k256::ecdsa::SigningKey; use ra_rpc::{Attestation, CallContext, RpcCall}; @@ -38,6 +41,10 @@ struct AppStateInner { vm_config: String, cert_client: CertRequestClient, demo_cert: String, + ed25519_key: Ed25519SigningKey, + secp256k1_key: SigningKey, + ed25519_attestation: GetQuoteResponse, + secp256k1_attestation: GetQuoteResponse, } impl AppState { @@ -69,6 +76,49 @@ impl AppState { .await .context("Failed to get app cert")? .join("\n"); + + let mut csprng = OsRng; + let ed25519_key = ed25519_dalek::SigningKey::generate(&mut csprng); + let secp256k1_key = SigningKey::random(&mut csprng); + + let ed25519_pubkey = ed25519_key.verifying_key().to_bytes(); + let secp256k1_pubkey = secp256k1_key.verifying_key().to_sec1_bytes(); + + let mut ed25519_report_data = [0u8; 64]; + ed25519_report_data[..ed25519_pubkey.len()].copy_from_slice(&ed25519_pubkey); + + let mut secp256k1_report_data = [0u8; 64]; + secp256k1_report_data[..secp256k1_pubkey.len()].copy_from_slice(&secp256k1_pubkey); + let (ed25519_attestation, secp256k1_attestation) = if config.simulator.enabled { + ( + simulate_quote(&config, ed25519_report_data)?, + simulate_quote(&config, secp256k1_report_data)?, + ) + } else { + let (ed25519_quote, secp256k1_quote) = ( + tdx_attest::get_quote(&ed25519_report_data, None) + .context("Failed to get ed25519 quote")? + .1, + tdx_attest::get_quote(&secp256k1_report_data, None) + .context("Failed to get secp256k1 quote")? + .1, + ); + let event_log = + serde_json::to_string(&read_event_logs().context("Failed to read event log")?)?; + ( + GetQuoteResponse { + quote: ed25519_quote, + event_log: event_log.clone(), + report_data: ed25519_report_data.to_vec(), + }, + GetQuoteResponse { + quote: secp256k1_quote, + event_log, + report_data: secp256k1_report_data.to_vec(), + }, + ) + }; + Ok(Self { inner: Arc::new(AppStateInner { config, @@ -76,6 +126,10 @@ impl AppState { cert_client, demo_cert, vm_config, + ed25519_key, + secp256k1_key, + ed25519_attestation, + secp256k1_attestation, }), }) } @@ -236,6 +290,21 @@ impl DstackGuestRpc for InternalRpcHandler { async fn info(self) -> Result { get_info(&self.state, false).await } + + async fn sign(self, request: SignRequest) -> Result { + let signature = match request.algorithm.as_str() { + "ed25519" => { + let signature = self.state.inner.ed25519_key.sign(&request.data); + signature.to_bytes().to_vec() + } + "secp256k1" => { + let signature: k256::ecdsa::Signature = self.state.inner.secp256k1_key.sign(&request.data); + signature.to_bytes().to_vec() + } + _ => return Err(anyhow::anyhow!("Unsupported algorithm")), + }; + Ok(SignResponse { signature }) + } } fn simulate_quote(config: &Config, report_data: [u8; 64]) -> Result { @@ -398,6 +467,14 @@ impl WorkerRpc for ExternalRpcHandler { rev: super::GIT_REV.to_string(), }) } + + async fn get_attestation(self, request: GetAttestationRequest) -> Result { + match request.algorithm.as_str() { + "ed25519" => Ok(self.state.inner.ed25519_attestation.clone()), + "secp256k1" => Ok(self.state.inner.secp256k1_attestation.clone()), + _ => Err(anyhow::anyhow!("Unsupported algorithm")), + } + } } impl RpcCall for ExternalRpcHandler { From ee04ffae247e65fe4a22b9a68aa12575db9af1af Mon Sep 17 00:00:00 2001 From: Hang Yin Date: Mon, 1 Sep 2025 08:15:54 +0000 Subject: [PATCH 002/133] fix: reuse lint --- REUSE.toml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/REUSE.toml b/REUSE.toml index e48336ed..abf4a08c 100644 --- a/REUSE.toml +++ b/REUSE.toml @@ -157,3 +157,8 @@ SPDX-License-Identifier = "CC0-1.0" path = "guest-api/src/generated/*" SPDX-FileCopyrightText = "NONE" SPDX-License-Identifier = "CC0-1.0" + +[[annotations]] +path = "dstack-util/tests/fixtures/*" +SPDX-FileCopyrightText = "NONE" +SPDX-License-Identifier = "CC0-1.0" From c769b2d3b7aae92e58c018979df8ffedc137cad4 Mon Sep 17 00:00:00 2001 From: Leechael Yim Date: Tue, 2 Sep 2025 19:41:12 +0800 Subject: [PATCH 003/133] imp(sdk/js): typing for TcbInfo --- sdk/js/src/index.ts | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/sdk/js/src/index.ts b/sdk/js/src/index.ts index 4448c066..d30d295f 100644 --- a/sdk/js/src/index.ts +++ b/sdk/js/src/index.ts @@ -44,14 +44,26 @@ export interface TcbInfo { rtmr1: string rtmr2: string rtmr3: string + app_compose: string event_log: EventLog[] } -export interface InfoResponse { +export type TcbInfoV03x = TcbInfo & { + rootfs_hash: string +} + +export type TcbInfoV05x = TcbInfo & { + mr_aggregated: string + os_image_hash: string + compose_hash: string + device_id: string +} + +export interface InfoResponse { app_id: string instance_id: string app_cert: string - tcb_info: TcbInfo + tcb_info: VersionTcbInfo app_name: string device_id: string os_image_hash?: string // Optional: empty if OS image is not measured by KMS @@ -132,7 +144,7 @@ export interface TlsKeyOptions { usageClientAuth?: boolean; } -export class DstackClient { +export class DstackClient { protected endpoint: string constructor(endpoint: string | undefined = undefined) { @@ -210,11 +222,11 @@ export class DstackClient { return Object.freeze(result) } - async info(): Promise { - const result = await send_rpc_request & { tcb_info: string }>(this.endpoint, '/Info', '{}') + async info(): Promise> { + const result = await send_rpc_request, 'tcb_info'> & { tcb_info: string }>(this.endpoint, '/Info', '{}') return Object.freeze({ ...result, - tcb_info: JSON.parse(result.tcb_info) as TcbInfo, + tcb_info: JSON.parse(result.tcb_info) as T, }) } @@ -283,7 +295,7 @@ export class DstackClient { } } -export class TappdClient extends DstackClient { +export class TappdClient extends DstackClient { constructor(endpoint: string | undefined = undefined) { if (endpoint === undefined) { if (process.env.TAPPD_SIMULATOR_ENDPOINT) { From caddb8a494b06a2171f1f46f7a94cce0dc724856 Mon Sep 17 00:00:00 2001 From: Leechael Yim Date: Tue, 2 Sep 2025 19:56:07 +0800 Subject: [PATCH 004/133] imp(sdk/python): Schema for TcbInfo --- sdk/python/src/dstack_sdk/dstack_client.py | 57 ++++++++++++++++++---- 1 file changed, 47 insertions(+), 10 deletions(-) diff --git a/sdk/python/src/dstack_sdk/dstack_client.py b/sdk/python/src/dstack_sdk/dstack_client.py index 78f34844..31411fe2 100644 --- a/sdk/python/src/dstack_sdk/dstack_client.py +++ b/sdk/python/src/dstack_sdk/dstack_client.py @@ -11,8 +11,10 @@ import os from typing import Any from typing import Dict +from typing import Generic from typing import List from typing import Optional +from typing import TypeVar from typing import cast import warnings @@ -157,23 +159,41 @@ class EventLog(BaseModel): class TcbInfo(BaseModel): + """Base TCB (Trusted Computing Base) information structure.""" + mrtd: str rtmr0: str rtmr1: str rtmr2: str rtmr3: str - os_image_hash: str = "" - compose_hash: str - device_id: str app_compose: str event_log: List[EventLog] -class InfoResponse(BaseModel): +class TcbInfoV03x(TcbInfo): + """TCB information for dstack OS version 0.3.x.""" + + rootfs_hash: str + + +class TcbInfoV05x(TcbInfo): + """TCB information for dstack OS version 0.5.x.""" + + mr_aggregated: str + os_image_hash: str + compose_hash: str + device_id: str + + +# Type variable for TCB info versions +T = TypeVar("T", bound=TcbInfo) + + +class InfoResponse(BaseModel, Generic[T]): app_id: str instance_id: str app_cert: str - tcb_info: TcbInfo + tcb_info: T app_name: str device_id: str os_image_hash: str = "" @@ -181,14 +201,21 @@ class InfoResponse(BaseModel): compose_hash: str @classmethod - def parse_response(cls, obj: Any) -> "InfoResponse": + def parse_response(cls, obj: Any, tcb_info_type: type[T]) -> "InfoResponse[T]": + """Parse response from service, automatically deserializing tcb_info. + + Args: + obj: Raw response object from service + tcb_info_type: The specific TcbInfo subclass to use for parsing + + """ if ( isinstance(obj, dict) and "tcb_info" in obj and isinstance(obj["tcb_info"], str) ): obj = dict(obj) - obj["tcb_info"] = TcbInfo(**json.loads(obj["tcb_info"])) + obj["tcb_info"] = tcb_info_type(**json.loads(obj["tcb_info"])) return cls(**obj) @@ -311,10 +338,10 @@ async def get_quote( result = await self._send_rpc_request("GetQuote", {"report_data": hex}) return GetQuoteResponse(**result) - async def info(self) -> InfoResponse: + async def info(self) -> InfoResponse[TcbInfo]: """Fetch service information including parsed TCB info.""" result = await self._send_rpc_request("Info", {}) - return InfoResponse.parse_response(result) + return InfoResponse.parse_response(result, TcbInfoV05x) async def emit_event( self, @@ -391,7 +418,7 @@ def get_quote( raise NotImplementedError @call_async - def info(self) -> InfoResponse: + def info(self) -> InfoResponse[TcbInfo]: """Fetch service information including parsed TCB info.""" raise NotImplementedError @@ -503,6 +530,11 @@ async def tdx_quote( return GetQuoteResponse(**result) + async def info(self) -> InfoResponse[TcbInfo]: + """Fetch service information including parsed TCB info.""" + result = await self._send_rpc_request("Info", {}) + return InfoResponse.parse_response(result, TcbInfoV03x) + class TappdClient(DstackClient): """Deprecated client kept for backward compatibility. @@ -537,6 +569,11 @@ def tdx_quote( """Use ``get_quote`` instead (deprecated).""" raise NotImplementedError + @call_async + def info(self) -> InfoResponse[TcbInfo]: + """Fetch service information including parsed TCB info.""" + raise NotImplementedError + @call_async def __enter__(self): raise NotImplementedError From 9e2f0609b68bc8019672bdd80661347e66e2a11e Mon Sep 17 00:00:00 2001 From: Leechael Yim Date: Tue, 2 Sep 2025 21:14:50 +0800 Subject: [PATCH 005/133] chore(sdks): bump versions. --- sdk/js/package.json | 2 +- sdk/python/pyproject.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk/js/package.json b/sdk/js/package.json index 7a25c9d8..ce7f6a2b 100644 --- a/sdk/js/package.json +++ b/sdk/js/package.json @@ -1,6 +1,6 @@ { "name": "@phala/dstack-sdk", - "version": "0.5.4", + "version": "0.5.5", "description": "dstack SDK", "main": "dist/node/index.js", "types": "dist/node/index.d.ts", diff --git a/sdk/python/pyproject.toml b/sdk/python/pyproject.toml index 1e1c9df5..266c1ac2 100644 --- a/sdk/python/pyproject.toml +++ b/sdk/python/pyproject.toml @@ -4,7 +4,7 @@ [project] name = "dstack-sdk" -version = "0.5.0" +version = "0.5.1" description = "dstack SDK for Python" authors = [ {name = "Leechael Yim", email = "yanleech@gmail.com"}, From 26609ec5b1ebd64ed3d6b1fe5f713cdef0af6b08 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 3 Sep 2025 00:18:28 +0000 Subject: [PATCH 006/133] Add dstack-sdk-type version in Cargo.toml --- Cargo.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Cargo.toml b/Cargo.toml index baa7012a..55f8cef2 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -57,7 +57,7 @@ resolver = "2" # Internal dependencies ra-rpc = { path = "ra-rpc", default-features = false } ra-tls = { path = "ra-tls" } -dstack-sdk-types = { path = "sdk/rust/types", default-features = false } +dstack-sdk-types = { path = "sdk/rust/types", version = "0.1.0", default-features = false } dstack-gateway-rpc = { path = "gateway/rpc" } dstack-kms-rpc = { path = "kms/rpc" } dstack-guest-agent-rpc = { path = "guest-agent/rpc" } From 09e9c408d78fd08b969449257df557d548deb727 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 2 Sep 2025 15:24:57 +0000 Subject: [PATCH 007/133] ra-tls: Add KeyCertSign and CrlSign usages for CA cert --- ra-tls/src/cert.rs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ra-tls/src/cert.rs b/ra-tls/src/cert.rs index 30939ec0..02dd1dc1 100644 --- a/ra-tls/src/cert.rs +++ b/ra-tls/src/cert.rs @@ -258,6 +258,8 @@ impl CertRequest<'_, Key> { } if let Some(ca_level) = self.ca_level { params.is_ca = IsCa::Ca(BasicConstraints::Constrained(ca_level)); + params.key_usages.push(KeyUsagePurpose::KeyCertSign); + params.key_usages.push(KeyUsagePurpose::CrlSign); } if let Some(not_before) = self.not_before { params.not_before = not_before.into(); From 720f8529a5055f064b4eb75c7595601868aca1f9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Sep 2025 15:38:03 +0000 Subject: [PATCH 008/133] build(deps): bump hono from 4.8.5 to 4.9.6 in /kms/auth-eth-bun Bumps [hono](https://github.com/honojs/hono) from 4.8.5 to 4.9.6. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](https://github.com/honojs/hono/compare/v4.8.5...v4.9.6) --- updated-dependencies: - dependency-name: hono dependency-version: 4.9.6 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- kms/auth-eth-bun/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kms/auth-eth-bun/package.json b/kms/auth-eth-bun/package.json index 8b7ca5c3..e027a11c 100644 --- a/kms/auth-eth-bun/package.json +++ b/kms/auth-eth-bun/package.json @@ -15,7 +15,7 @@ "check": "bun run lint && bun run test:run" }, "dependencies": { - "hono": "4.8.5", + "hono": "4.9.6", "@hono/zod-validator": "0.2.2", "zod": "3.25.76", "viem": "2.31.7" From f6f98d2a50daddbbb66f1fb1199479d31be236a9 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Fri, 5 Sep 2025 01:25:46 +0000 Subject: [PATCH 009/133] Fix gateway dockerfile --- gateway/dstack-app/Dockerfile | 53 --------------------------- gateway/dstack-app/builder/Dockerfile | 3 +- 2 files changed, 2 insertions(+), 54 deletions(-) delete mode 100644 gateway/dstack-app/Dockerfile diff --git a/gateway/dstack-app/Dockerfile b/gateway/dstack-app/Dockerfile deleted file mode 100644 index 90aa8406..00000000 --- a/gateway/dstack-app/Dockerfile +++ /dev/null @@ -1,53 +0,0 @@ -# SPDX-FileCopyrightText: © 2025 Phala Network -# -# SPDX-License-Identifier: Apache-2.0 - -FROM rust:1.86.0@sha256:300ec56abce8cc9448ddea2172747d048ed902a3090e6b57babb2bf19f754081 AS gateway-builder -ARG DSTACK_REV -WORKDIR /src - -# Install build dependencies -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ - git \ - build-essential \ - libssl-dev \ - protobuf-compiler \ - libprotobuf-dev \ - libclang-dev \ - && rm -rf /var/lib/apt/lists/* - -# Clone and checkout specific revision -RUN git clone https://github.com/Dstack-TEE/dstack.git && \ - cd dstack && \ - git checkout ${DSTACK_REV} - -# Build the gateway binary -WORKDIR /src/dstack -RUN cargo build --release -p dstack-gateway - -# Runtime stage -FROM debian:bookworm@sha256:ced9eb5eca0a3ba2e29d0045513863b3baaee71cd8c2eed403c9f7d3eaccfd2b -WORKDIR /app - -# Install runtime dependencies -RUN apt-get update && \ - apt-get install -y --no-install-recommends \ - wireguard-tools \ - iproute2 \ - jq \ - && rm -rf /var/lib/apt/lists/* - -# Copy the built binary -COPY --from=gateway-builder /src/dstack/target/release/dstack-gateway /usr/local/bin/dstack-gateway - -# Copy entrypoint script -COPY entrypoint.sh /app/entrypoint.sh -RUN chmod +x /app/entrypoint.sh - -# Store git revision for reproducibility -ARG DSTACK_REV -RUN echo "${DSTACK_REV}" > /etc/.GIT_REV - -ENTRYPOINT ["/app/entrypoint.sh"] -CMD ["dstack-gateway"] diff --git a/gateway/dstack-app/builder/Dockerfile b/gateway/dstack-app/builder/Dockerfile index 3e5b9c06..ba5bedb0 100644 --- a/gateway/dstack-app/builder/Dockerfile +++ b/gateway/dstack-app/builder/Dockerfile @@ -34,6 +34,7 @@ RUN ./pin-packages.sh ./pinned-packages.txt && \ wireguard-tools \ iproute2 \ jq \ + ca-certificates \ && rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache COPY --from=gateway-builder /build/dstack/target/x86_64-unknown-linux-musl/release/dstack-gateway /usr/local/bin/dstack-gateway COPY --from=gateway-builder /build/.GIT_REV /etc/ @@ -41,4 +42,4 @@ WORKDIR /app COPY entrypoint.sh /app/entrypoint.sh RUN chmod +x /app/entrypoint.sh ENTRYPOINT ["/app/entrypoint.sh"] -CMD ["dstack-gateway"] +CMD ["dstack-gateway", "-c", "/data/gateway/gateway.toml"] From f612be174dae53bd0efc051887e805db5b664d2a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 7 Sep 2025 13:18:29 +0000 Subject: [PATCH 010/133] build(deps): bump undici in /kms/auth-eth Bumps and [undici](https://github.com/nodejs/undici). These dependencies needed to be updated together. Updates `undici` from 5.28.4 to 5.29.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v5.28.4...v5.29.0) Updates `undici` from 6.21.1 to 6.21.3 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v5.28.4...v5.29.0) --- updated-dependencies: - dependency-name: undici dependency-version: 5.29.0 dependency-type: indirect - dependency-name: undici dependency-version: 6.21.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- kms/auth-eth/package-lock.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kms/auth-eth/package-lock.json b/kms/auth-eth/package-lock.json index 18003a43..6befa1d6 100644 --- a/kms/auth-eth/package-lock.json +++ b/kms/auth-eth/package-lock.json @@ -3218,9 +3218,9 @@ } }, "node_modules/@openzeppelin/hardhat-upgrades/node_modules/undici": { - "version": "6.21.1", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.21.1.tgz", - "integrity": "sha512-q/1rj5D0/zayJB2FraXdaWxbhWiNKDvu8naDT2dl1yTlvJp4BLtOcp2a5BvgGNQpYYJzau7tf1WgKv3b+7mqpQ==", + "version": "6.21.3", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.21.3.tgz", + "integrity": "sha512-gBLkYIlEnSp8pFbT64yFgGE6UIB9tAkhukC23PmMDCe5Nd+cRqKxSjw5y54MK2AZMgZfJWMaNE4nYUHgi1XEOw==", "dev": true, "license": "MIT", "engines": { @@ -13186,9 +13186,9 @@ } }, "node_modules/undici": { - "version": "5.28.4", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.4.tgz", - "integrity": "sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==", + "version": "5.29.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz", + "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==", "dev": true, "license": "MIT", "dependencies": { From 58fa9d60ce40a874163c06876ebabb26a5b54bf2 Mon Sep 17 00:00:00 2001 From: Leechael Yim Date: Wed, 10 Sep 2025 23:32:35 +0800 Subject: [PATCH 011/133] imp: when formatting app_url, skip port if it's 443 --- vmm/src/app/qemu.rs | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/vmm/src/app/qemu.rs b/vmm/src/app/qemu.rs index b67bd8d0..b6924836 100644 --- a/vmm/src/app/qemu.rs +++ b/vmm/src/app/qemu.rs @@ -165,10 +165,14 @@ impl VmInfo { .then_some(self.instance_id.as_ref()) .flatten() .map(|id| { - format!( - "https://{id}-{}.{}:{}", - gw.agent_port, gw.base_domain, gw.port - ) + if gw.port == 443 { + format!("https://{id}-{}.{}", gw.agent_port, gw.base_domain) + } else { + format!( + "https://{id}-{}.{}:{}", + gw.agent_port, gw.base_domain, gw.port + ) + } }), app_id: self.manifest.app_id.clone(), instance_id: self.instance_id.as_deref().map(Into::into), From 3902b9ab6a2b33723ab9b447049c0671e35ab0e9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 10 Sep 2025 15:35:13 +0000 Subject: [PATCH 012/133] build(deps): bump hono from 4.8.5 to 4.9.6 in /kms/auth-mock Bumps [hono](https://github.com/honojs/hono) from 4.8.5 to 4.9.6. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](https://github.com/honojs/hono/compare/v4.8.5...v4.9.6) --- updated-dependencies: - dependency-name: hono dependency-version: 4.9.6 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- kms/auth-mock/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kms/auth-mock/package.json b/kms/auth-mock/package.json index 6493ab83..a2c38999 100644 --- a/kms/auth-mock/package.json +++ b/kms/auth-mock/package.json @@ -15,7 +15,7 @@ "check": "bun run lint && bun run test:run" }, "dependencies": { - "hono": "4.8.5", + "hono": "4.9.6", "@hono/zod-validator": "0.2.2", "zod": "3.25.76" }, From 99361b4a6871766b8a64e528abffc82e2cc9a122 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Sep 2025 21:45:22 +0000 Subject: [PATCH 013/133] build(deps): bump hono from 4.9.6 to 4.9.7 in /kms/auth-eth-bun Bumps [hono](https://github.com/honojs/hono) from 4.9.6 to 4.9.7. - [Release notes](https://github.com/honojs/hono/releases) - [Commits](https://github.com/honojs/hono/compare/v4.9.6...v4.9.7) --- updated-dependencies: - dependency-name: hono dependency-version: 4.9.7 dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- kms/auth-eth-bun/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kms/auth-eth-bun/package.json b/kms/auth-eth-bun/package.json index e027a11c..febd26eb 100644 --- a/kms/auth-eth-bun/package.json +++ b/kms/auth-eth-bun/package.json @@ -15,7 +15,7 @@ "check": "bun run lint && bun run test:run" }, "dependencies": { - "hono": "4.9.6", + "hono": "4.9.7", "@hono/zod-validator": "0.2.2", "zod": "3.25.76", "viem": "2.31.7" From 383596d703908ba8daf76914a0e378eab3228a6c Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 15 Sep 2025 06:01:29 +0000 Subject: [PATCH 014/133] Read qemu path from /etc/dstack/client.conf --- Cargo.lock | 24 ++++++++++++++++++++++++ Cargo.toml | 1 + vmm/Cargo.toml | 1 + vmm/src/config.rs | 41 +++++++++++++++++++++++++++++++++++++---- 4 files changed, 63 insertions(+), 4 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b1c8f5da..32034056 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2473,6 +2473,7 @@ dependencies = [ "safe-write", "serde", "serde-human-bytes", + "serde_ini", "serde_json", "sha2 0.10.9", "shared_child", @@ -5693,6 +5694,12 @@ version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "95325155c684b1c89f7765e30bc1c42e4a6da51ca513615660cb8a62ef9a88e3" +[[package]] +name = "result" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "194d8e591e405d1eecf28819740abed6d719d1a2db87fc0bcdedee9a26d55560" + [[package]] name = "rfc6979" version = "0.4.0" @@ -6503,6 +6510,17 @@ dependencies = [ "syn 2.0.106", ] +[[package]] +name = "serde_ini" +version = "0.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "eb236687e2bb073a7521c021949be944641e671b8505a94069ca37b656c81139" +dependencies = [ + "result", + "serde", + "void", +] + [[package]] name = "serde_json" version = "1.0.142" @@ -7617,6 +7635,12 @@ version = "0.9.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" +[[package]] +name = "void" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6a02e4885ed3bc0f2de90ea6dd45ebcbb66dacffe03547fadbb0eeae2770887d" + [[package]] name = "vsock" version = "0.5.1" diff --git a/Cargo.toml b/Cargo.toml index 55f8cef2..ec871bee 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -115,6 +115,7 @@ scale = { version = "3.7.4", package = "parity-scale-codec", features = [ serde = { version = "1.0.219", features = ["derive"], default-features = false } serde-human-bytes = "0.1.0" serde_json = { version = "1.0.140", default-features = false } +serde_ini = "0.2.0" toml = "0.8.20" toml_edit = { version = "0.22.24", features = ["serde"] } yasna = "0.5.2" diff --git a/vmm/Cargo.toml b/vmm/Cargo.toml index ccdeff85..31e5851f 100644 --- a/vmm/Cargo.toml +++ b/vmm/Cargo.toml @@ -32,6 +32,7 @@ tailf.workspace = true tokio = { workspace = true, features = ["full"] } git-version.workspace = true rocket-apitoken.workspace = true +serde_ini.workspace = true supervisor-client.workspace = true ra-rpc = { workspace = true, features = ["client", "rocket"] } diff --git a/vmm/src/config.rs b/vmm/src/config.rs index 40b06d81..d49312a4 100644 --- a/vmm/src/config.rs +++ b/vmm/src/config.rs @@ -310,6 +310,32 @@ pub struct KeyProviderConfig { pub port: u16, } +const CLIENT_CONF_PATH: &str = "/etc/dstack/client.conf"; +fn read_qemu_path_from_client_conf() -> Option { + #[derive(Debug, Deserialize)] + struct ClientQemuSection { + path: Option, + } + #[derive(Debug, Deserialize)] + struct ClientIniConfig { + qemu: Option, + } + + let raw = fs_err::read_to_string(CLIENT_CONF_PATH).ok()?; + let parsed: ClientIniConfig = serde_ini::from_str(&raw).ok()?; + let path = parsed.qemu?.path?; + let path = path.trim().trim_matches('"').trim_matches('\''); + if path.is_empty() { + return None; + } + let path = PathBuf::from(path); + if path.exists() { + Some(path) + } else { + None + } +} + impl Config { pub fn extract_or_default(figment: &Figment) -> Result { let mut me: Self = figment.extract()?; @@ -323,11 +349,18 @@ impl Config { me.run_path = app_home.join("vm"); } if me.cvm.qemu_path == PathBuf::default() { - let cpu_arch = std::env::consts::ARCH; - let qemu_path = which::which(format!("qemu-system-{}", cpu_arch)) - .context("Failed to find qemu executable")?; - me.cvm.qemu_path = qemu_path; + // Prefer the path from dstack client config if present + if let Some(qemu_path) = read_qemu_path_from_client_conf() { + info!("Found QEMU path from client config: {CLIENT_CONF_PATH:?}"); + me.cvm.qemu_path = qemu_path; + } else { + let cpu_arch = std::env::consts::ARCH; + let qemu_path = which::which(format!("qemu-system-{}", cpu_arch)) + .context("Failed to find qemu executable")?; + me.cvm.qemu_path = qemu_path; + } } + info!("QEMU path: {}", me.cvm.qemu_path.display()); } Ok(me) } From ba4eb54b7e7d6eaf1a1f0d3338c57e2694112479 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 15 Sep 2025 15:43:27 +0800 Subject: [PATCH 015/133] attestation.md: no rootfs hash in RTMR3 --- attestation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/attestation.md b/attestation.md index af7e7837..ddafc835 100644 --- a/attestation.md +++ b/attestation.md @@ -25,7 +25,7 @@ The MR register values indicate the following: - RTMR0: OVMF records CVM's virtual hardware setup, including CPU count, memory size, and device configuration. While dstack uses fixed devices, CPU and memory specifications can vary. RTMR0 can be computed from these specifications. - RTMR1: OVMF records the Linux kernel measurement. - RTMR2: Linux kernel records kernel cmdline (including rootfs hash) and initrd measurements. - - RTMR3: initrd records dstack App details, including compose hash, instance id, app id, rootfs hash, and key provider. + - RTMR3: initrd records dstack App details, including compose hash, instance id, app id, and key provider. MRTD, RTMR0, RTMR1, and RTMR2 can be pre-calculated from the built image (given CPU+RAM specifications). Compare these with the verified quote's MRs to confirm correct base image code execution. From f7e5259cfc5bf5f11c40e2ab7964e6d1f3387285 Mon Sep 17 00:00:00 2001 From: Daniel Sharifi Date: Tue, 16 Sep 2025 21:24:51 +0000 Subject: [PATCH 016/133] bump alloy version --- Cargo.lock | 96 +++++++++++++++++++++++++++++++++++------------------- Cargo.toml | 2 +- 2 files changed, 64 insertions(+), 34 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 32034056..983d5359 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -93,9 +93,9 @@ checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923" [[package]] name = "alloy" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b064bd1cea105e70557a258cd2b317731896753ec08edf51da2d1fced587b05" +checksum = "36f63701831729cb154cf0b6945256af46c426074646c98b9d123148ba1d8bde" dependencies = [ "alloy-core", "alloy-signer", @@ -104,15 +104,16 @@ dependencies = [ [[package]] name = "alloy-consensus" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32c3f3bc4f2a6b725970cd354e78e9738ea1e8961a91898f57bf6317970b1915" +checksum = "64a3bd0305a44fb457cae77de1e82856eadd42ea3cdf0dae29df32eb3b592979" dependencies = [ "alloy-eips", "alloy-primitives", "alloy-rlp", "alloy-serde", "alloy-trie", + "alloy-tx-macros", "auto_impl", "c-kzg", "derive_more 2.0.1", @@ -128,9 +129,9 @@ dependencies = [ [[package]] name = "alloy-consensus-any" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dda014fb5591b8d8d24cab30f52690117d238e52254c6fb40658e91ea2ccd6c3" +checksum = "7a842b4023f571835e62ac39fb8d523d19fcdbacfa70bf796ff96e7e19586f50" dependencies = [ "alloy-consensus", "alloy-eips", @@ -187,9 +188,9 @@ dependencies = [ [[package]] name = "alloy-eips" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2f7b2f7010581f29bcace81776cf2f0e022008d05a7d326884763f16f3044620" +checksum = "5cd749c57f38f8cbf433e651179fc5a676255e6b95044f467d49255d2b81725a" dependencies = [ "alloy-eip2124", "alloy-eip2930", @@ -202,7 +203,9 @@ dependencies = [ "derive_more 2.0.1", "either", "serde", + "serde_with", "sha2 0.10.9", + "thiserror 2.0.15", ] [[package]] @@ -219,12 +222,13 @@ dependencies = [ [[package]] name = "alloy-json-rpc" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ca1e31b50f4ed9a83689ae97263d366b15b935a67c4acb5dd46d5b1c3b27e8e6" +checksum = "f614019a029c8fec14ae661aa7d4302e6e66bdbfb869dab40e78dcfba935fc97" dependencies = [ "alloy-primitives", "alloy-sol-types", + "http", "serde", "serde_json", "thiserror 2.0.15", @@ -233,9 +237,9 @@ dependencies = [ [[package]] name = "alloy-network" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "879afc0f4a528908c8fe6935b2ab0bc07f77221a989186f71583f7592831689e" +checksum = "be8b6d58e98803017bbfea01dde96c4d270a29e7aed3beb65c8d28b5ab464e0e" dependencies = [ "alloy-consensus", "alloy-consensus-any", @@ -259,9 +263,9 @@ dependencies = [ [[package]] name = "alloy-network-primitives" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ec185bac9d32df79c1132558a450d48f6db0bfb5adef417dbb1a0258153f879b" +checksum = "db489617bffe14847bf89f175b1c183e5dd7563ef84713936e2c34255cfbd845" dependencies = [ "alloy-consensus", "alloy-eips", @@ -321,9 +325,9 @@ dependencies = [ [[package]] name = "alloy-rpc-types-any" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7a5a8f1efd77116915dad61092f9ef9295accd0b0b251062390d9c4e81599344" +checksum = "18f27c0c41a16cd0af4f5dbf791f7be2a60502ca8b0e840e0ad29803fac2d587" dependencies = [ "alloy-consensus-any", "alloy-rpc-types-eth", @@ -332,9 +336,9 @@ dependencies = [ [[package]] name = "alloy-rpc-types-eth" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bc1323310d87f9d950fb3ff58d943fdf832f5e10e6f902f405c0eaa954ffbaf1" +checksum = "7f5812f81c3131abc2cd8953dc03c41999e180cff7252abbccaba68676e15027" dependencies = [ "alloy-consensus", "alloy-consensus-any", @@ -347,14 +351,15 @@ dependencies = [ "itertools 0.14.0", "serde", "serde_json", + "serde_with", "thiserror 2.0.15", ] [[package]] name = "alloy-serde" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d05ace2ef3da874544c3ffacfd73261cdb1405d8631765deb991436a53ec6069" +checksum = "04dfe41a47805a34b848c83448946ca96f3d36842e8c074bcf8fa0870e337d12" dependencies = [ "alloy-primitives", "serde", @@ -363,9 +368,9 @@ dependencies = [ [[package]] name = "alloy-signer" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67fdabad99ad3c71384867374c60bcd311fc1bb90ea87f5f9c779fd8c7ec36aa" +checksum = "f79237b4c1b0934d5869deea4a54e6f0a7425a8cd943a739d6293afdf893d847" dependencies = [ "alloy-primitives", "async-trait", @@ -378,9 +383,9 @@ dependencies = [ [[package]] name = "alloy-signer-local" -version = "0.15.11" +version = "1.0.32" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "acb3f4e72378566b189624d54618c8adf07afbcf39d5f368f4486e35a66725b3" +checksum = "d6e90a3858da59d1941f496c17db8d505f643260f7e97cdcdd33823ddca48fc1" dependencies = [ "alloy-consensus", "alloy-network", @@ -464,9 +469,9 @@ dependencies = [ [[package]] name = "alloy-trie" -version = "0.8.1" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "983d99aa81f586cef9dae38443245e585840fcf0fc58b09aee0b1f27aed1d500" +checksum = "e3412d52bb97c6c6cc27ccc28d4e6e8cf605469101193b50b0bd5813b1f990b5" dependencies = [ "alloy-primitives", "alloy-rlp", @@ -478,6 +483,19 @@ dependencies = [ "tracing", ] +[[package]] +name = "alloy-tx-macros" +version = "1.0.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e434e0917dce890f755ea774f59d6f12557bc8c7dd9fa06456af80cfe0f0181e" +dependencies = [ + "alloy-primitives", + "darling 0.21.2", + "proc-macro2", + "quote", + "syn 2.0.106", +] + [[package]] name = "android-tzdata" version = "0.1.1" @@ -1816,6 +1834,7 @@ dependencies = [ "ident_case", "proc-macro2", "quote", + "serde", "strsim", "syn 2.0.106", ] @@ -4539,13 +4558,14 @@ dependencies = [ [[package]] name = "nybbles" -version = "0.3.4" +version = "0.4.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8983bb634df7248924ee0c4c3a749609b5abcb082c28fffe3254b3eb3602b307" +checksum = "f0418987d1aaed324d95b4beffc93635e19be965ed5d63ec07a35980fe3b71a4" dependencies = [ "alloy-rlp", - "const-hex", + "cfg-if", "proptest", + "ruint", "serde", "smallvec", ] @@ -6457,10 +6477,11 @@ dependencies = [ [[package]] name = "serde" -version = "1.0.219" +version = "1.0.225" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6" +checksum = "fd6c24dee235d0da097043389623fb913daddf92c76e9f5a1db88607a0bcbd1d" dependencies = [ + "serde_core", "serde_derive", ] @@ -6499,11 +6520,20 @@ dependencies = [ "serde", ] +[[package]] +name = "serde_core" +version = "1.0.225" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "659356f9a0cb1e529b24c01e43ad2bdf520ec4ceaf83047b83ddcc2251f96383" +dependencies = [ + "serde_derive", +] + [[package]] name = "serde_derive" -version = "1.0.219" +version = "1.0.225" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00" +checksum = "0ea936adf78b1f766949a4977b91d2f5595825bd6ec079aa9543ad2685fc4516" dependencies = [ "proc-macro2", "quote", diff --git a/Cargo.toml b/Cargo.toml index ec871bee..08c1cfd0 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -172,7 +172,7 @@ k256 = "0.13.4" xsalsa20poly1305 = "0.9.0" salsa20 = "0.10" rand_core = "0.6.4" -alloy = { version = "0.15", default-features = false } +alloy = { version = "1.0.32", default-features = false } # Certificate/DNS hickory-resolver = "0.24.4" From 5e9a551bc27d3b166f2e1c144d9914b04812d2e7 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 17 Sep 2025 07:14:24 +0000 Subject: [PATCH 017/133] rust-sdk v0.1.1 --- Cargo.lock | 4 ++-- Cargo.toml | 2 +- sdk/rust/Cargo.toml | 2 +- sdk/rust/types/Cargo.toml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 983d5359..df58f866 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2372,7 +2372,7 @@ dependencies = [ [[package]] name = "dstack-sdk" -version = "0.1.0" +version = "0.1.1" dependencies = [ "alloy", "anyhow", @@ -2392,7 +2392,7 @@ dependencies = [ [[package]] name = "dstack-sdk-types" -version = "0.1.0" +version = "0.1.1" dependencies = [ "anyhow", "bon", diff --git a/Cargo.toml b/Cargo.toml index 08c1cfd0..074bc454 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -57,7 +57,7 @@ resolver = "2" # Internal dependencies ra-rpc = { path = "ra-rpc", default-features = false } ra-tls = { path = "ra-tls" } -dstack-sdk-types = { path = "sdk/rust/types", version = "0.1.0", default-features = false } +dstack-sdk-types = { path = "sdk/rust/types", version = "0.1.1", default-features = false } dstack-gateway-rpc = { path = "gateway/rpc" } dstack-kms-rpc = { path = "kms/rpc" } dstack-guest-agent-rpc = { path = "guest-agent/rpc" } diff --git a/sdk/rust/Cargo.toml b/sdk/rust/Cargo.toml index 961af1e6..ba0671e2 100644 --- a/sdk/rust/Cargo.toml +++ b/sdk/rust/Cargo.toml @@ -7,7 +7,7 @@ [package] name = "dstack-sdk" -version = "0.1.0" +version = "0.1.1" edition = "2021" license = "MIT" description = "This crate provides a rust client for communicating with dstack" diff --git a/sdk/rust/types/Cargo.toml b/sdk/rust/types/Cargo.toml index 1fd355ed..a22713c2 100644 --- a/sdk/rust/types/Cargo.toml +++ b/sdk/rust/types/Cargo.toml @@ -5,7 +5,7 @@ [package] name = "dstack-sdk-types" -version = "0.1.0" +version = "0.1.1" edition = "2021" license = "MIT" description = "This crate provides rust types for communication with dstack" From 69785db1fe4cade2027baaad715740c9e7d98ea8 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 17 Sep 2025 15:08:26 +0000 Subject: [PATCH 018/133] Add init_script in app-compose.json --- basefiles/dstack-prepare.sh | 8 ++++++++ docs/security-guide/cvm-boundaries.md | 4 +++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/basefiles/dstack-prepare.sh b/basefiles/dstack-prepare.sh index cd64f79e..dfa92b9b 100755 --- a/basefiles/dstack-prepare.sh +++ b/basefiles/dstack-prepare.sh @@ -45,3 +45,11 @@ mkdir -p $DATA_MNT/var/lib/docker mount --rbind $DATA_MNT/var/lib/docker /var/lib/docker mount --rbind $WORK_DIR /dstack mount_overlay /etc/users $OVERLAY_PERSIST + +cd /dstack + +if [ $(jq 'has("init_script")' app-compose.json) == true ]; then + echo "Running init script" + dstack-util notify-host -e "boot.progress" -d "init-script" || true + source <(jq -r '.init_script' app-compose.json) +fi diff --git a/docs/security-guide/cvm-boundaries.md b/docs/security-guide/cvm-boundaries.md index 433dee40..1095e5da 100644 --- a/docs/security-guide/cvm-boundaries.md +++ b/docs/security-guide/cvm-boundaries.md @@ -39,7 +39,9 @@ This is the main configuration file for the application in JSON format: | allowed_envs | array of string | List of allowed environment variable names | | no_instance_id | boolean | Disable instance ID generation | | secure_time | boolean | Whether secure time is enabled | -| pre_launch_script | string | Prelaunch bash script that runs before starting containers | +| pre_launch_script | string | Prelaunch bash script that runs before execute `docker compose up` | +| init_script | string | Bash script that executed prior to dockerd startup | + The hash of this file content is extended to RTMR3 as event name `compose-hash`. Remote verifier can extract the compose-hash during remote attestation. From d380a0295384d5dcfb155e56b1c4608df5052f70 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Fri, 19 Sep 2025 10:48:05 +0000 Subject: [PATCH 019/133] Revert the cert subject changes Part of fccd83de272ced9a8d5a4b9cead2d8ce8e9e7764 --- kms/src/main_service.rs | 4 ++-- kms/src/onboard_service.rs | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/kms/src/main_service.rs b/kms/src/main_service.rs index f7e50b1d..8d8a49b9 100644 --- a/kms/src/main_service.rs +++ b/kms/src/main_service.rs @@ -481,8 +481,8 @@ impl RpcHandler { .context("Failed to derive app disk key")?; let req = CertRequest::builder() .key(&app_key) - .org_name("dstack") - .subject("dstack App CA") + .org_name("Dstack") + .subject("Dstack App CA") .ca_level(0) .app_id(app_id) .special_usage("app:ca") diff --git a/kms/src/onboard_service.rs b/kms/src/onboard_service.rs index a92c4cee..ffe38f16 100644 --- a/kms/src/onboard_service.rs +++ b/kms/src/onboard_service.rs @@ -128,8 +128,8 @@ impl Keys { quote_enabled: bool, ) -> Result { let tmp_ca_cert = CertRequest::builder() - .org_name("dstack") - .subject("dstack Client Temp CA") + .org_name("Dstack") + .subject("Dstack Client Temp CA") .ca_level(0) .key(&tmp_ca_key) .build() @@ -137,8 +137,8 @@ impl Keys { // Create self-signed KMS cert let ca_cert = CertRequest::builder() - .org_name("dstack") - .subject("dstack KMS CA") + .org_name("Dstack") + .subject("Dstack KMS CA") .ca_level(1) .key(&ca_key) .build() From 0da9839910bd1b292d5372be0039ee8e60756cfd Mon Sep 17 00:00:00 2001 From: Leechael Yim Date: Fri, 19 Sep 2025 22:59:48 +0800 Subject: [PATCH 020/133] imp(sdk/python): increase the default timeout to 3 secs for Python SDK. --- sdk/python/src/dstack_sdk/dstack_client.py | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/sdk/python/src/dstack_sdk/dstack_client.py b/sdk/python/src/dstack_sdk/dstack_client.py index 31411fe2..7f23f11f 100644 --- a/sdk/python/src/dstack_sdk/dstack_client.py +++ b/sdk/python/src/dstack_sdk/dstack_client.py @@ -226,7 +226,7 @@ class BaseClient: class AsyncDstackClient(BaseClient): PATH_PREFIX = "/" - def __init__(self, endpoint: str | None = None, use_sync_http: bool = False): + def __init__(self, endpoint: str | None = None, *, use_sync_http: bool = False, timeout: float = 3): """Initialize async client with HTTP or Unix-socket transport. Args: @@ -239,6 +239,7 @@ def __init__(self, endpoint: str | None = None, use_sync_http: bool = False): self._client: Optional[httpx.AsyncClient] = None self._sync_client: Optional[httpx.Client] = None self._client_ref_count = 0 + self._timeout = timeout if endpoint.startswith("http://") or endpoint.startswith("https://"): self.async_transport = httpx.AsyncHTTPTransport() @@ -255,14 +256,14 @@ def __init__(self, endpoint: str | None = None, use_sync_http: bool = False): def _get_client(self) -> httpx.AsyncClient: if self._client is None: self._client = httpx.AsyncClient( - transport=self.async_transport, base_url=self.base_url, timeout=0.5 + transport=self.async_transport, base_url=self.base_url, timeout=self._timeout ) return self._client def _get_sync_client(self) -> httpx.Client: if self._sync_client is None: self._sync_client = httpx.Client( - transport=self.sync_transport, base_url=self.base_url, timeout=0.5 + transport=self.sync_transport, base_url=self.base_url, timeout=self._timeout ) return self._sync_client @@ -392,13 +393,13 @@ async def is_reachable(self) -> bool: class DstackClient(BaseClient): PATH_PREFIX = "/" - def __init__(self, endpoint: str | None = None): + def __init__(self, endpoint: str | None = None, *, timeout: float = 3): """Initialize client with HTTP or Unix-socket transport. If a non-HTTP(S) endpoint is provided, it is treated as a Unix socket path and validated for existence. """ - self.async_client = AsyncDstackClient(endpoint, use_sync_http=True) + self.async_client = AsyncDstackClient(endpoint, use_sync_http=True, timeout=timeout) @call_async def get_key( @@ -463,7 +464,7 @@ class AsyncTappdClient(AsyncDstackClient): DEPRECATED: Use ``AsyncDstackClient`` instead. """ - def __init__(self, endpoint: str | None = None, use_sync_http: bool = False): + def __init__(self, endpoint: str | None = None, *, use_sync_http: bool = False, timeout: float = 3): """Initialize deprecated async tappd client wrapper.""" if not use_sync_http: # Already warned in TappdClient.__init__ @@ -472,7 +473,7 @@ def __init__(self, endpoint: str | None = None, use_sync_http: bool = False): ) endpoint = get_tappd_endpoint(endpoint) - super().__init__(endpoint, use_sync_http=use_sync_http) + super().__init__(endpoint, use_sync_http=use_sync_http, timeout=timeout) # Set the correct path prefix for tappd self.PATH_PREFIX = "/prpc/Tappd." @@ -542,13 +543,13 @@ class TappdClient(DstackClient): DEPRECATED: Use ``DstackClient`` instead. """ - def __init__(self, endpoint: str | None = None): + def __init__(self, endpoint: str | None = None, timeout: float = 3): """Initialize deprecated tappd client wrapper.""" emit_deprecation_warning( "TappdClient is deprecated, please use DstackClient instead" ) endpoint = get_tappd_endpoint(endpoint) - self.async_client = AsyncTappdClient(endpoint, use_sync_http=True) + self.async_client = AsyncTappdClient(endpoint, use_sync_http=True, timeout=timeout) @call_async def derive_key( From 3f56bc3914753430904f32d9c1bdde69753cdd23 Mon Sep 17 00:00:00 2001 From: Leechael Yim Date: Fri, 19 Sep 2025 23:01:50 +0800 Subject: [PATCH 021/133] fix(sdk): marked roofs_hash optional since it not returns from API anymore. --- sdk/js/src/index.ts | 2 +- sdk/python/src/dstack_sdk/dstack_client.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sdk/js/src/index.ts b/sdk/js/src/index.ts index d30d295f..d08357ea 100644 --- a/sdk/js/src/index.ts +++ b/sdk/js/src/index.ts @@ -49,7 +49,7 @@ export interface TcbInfo { } export type TcbInfoV03x = TcbInfo & { - rootfs_hash: string + rootfs_hash?: string } export type TcbInfoV05x = TcbInfo & { diff --git a/sdk/python/src/dstack_sdk/dstack_client.py b/sdk/python/src/dstack_sdk/dstack_client.py index 7f23f11f..ff9cd596 100644 --- a/sdk/python/src/dstack_sdk/dstack_client.py +++ b/sdk/python/src/dstack_sdk/dstack_client.py @@ -173,7 +173,7 @@ class TcbInfo(BaseModel): class TcbInfoV03x(TcbInfo): """TCB information for dstack OS version 0.3.x.""" - rootfs_hash: str + rootfs_hash: Optional[str] = None class TcbInfoV05x(TcbInfo): From 70ce94f86d087c3245a07bbd14ef0eaa096adf46 Mon Sep 17 00:00:00 2001 From: Leechael Yim Date: Fri, 19 Sep 2025 23:24:19 +0800 Subject: [PATCH 022/133] chore(sdk): bump versions --- sdk/js/package.json | 2 +- sdk/js/src/send-rpc-request.ts | 2 +- sdk/python/pyproject.toml | 2 +- sdk/python/src/dstack_sdk/dstack_client.py | 35 +++++++++++++++++----- 4 files changed, 31 insertions(+), 10 deletions(-) diff --git a/sdk/js/package.json b/sdk/js/package.json index ce7f6a2b..e2e057de 100644 --- a/sdk/js/package.json +++ b/sdk/js/package.json @@ -1,6 +1,6 @@ { "name": "@phala/dstack-sdk", - "version": "0.5.5", + "version": "0.5.6", "description": "dstack SDK", "main": "dist/node/index.js", "types": "dist/node/index.d.ts", diff --git a/sdk/js/src/send-rpc-request.ts b/sdk/js/src/send-rpc-request.ts index 6c17c344..fa6837a1 100644 --- a/sdk/js/src/send-rpc-request.ts +++ b/sdk/js/src/send-rpc-request.ts @@ -6,7 +6,7 @@ import http from 'http' import https from 'https' import net from 'net' -export const __version__ = "0.5.0" +export const __version__ = "0.5.6" export function send_rpc_request(endpoint: string, path: string, payload: string, timeoutMs?: number): Promise { diff --git a/sdk/python/pyproject.toml b/sdk/python/pyproject.toml index 266c1ac2..96d1a0e8 100644 --- a/sdk/python/pyproject.toml +++ b/sdk/python/pyproject.toml @@ -4,7 +4,7 @@ [project] name = "dstack-sdk" -version = "0.5.1" +version = "0.5.2" description = "dstack SDK for Python" authors = [ {name = "Leechael Yim", email = "yanleech@gmail.com"}, diff --git a/sdk/python/src/dstack_sdk/dstack_client.py b/sdk/python/src/dstack_sdk/dstack_client.py index ff9cd596..463aab47 100644 --- a/sdk/python/src/dstack_sdk/dstack_client.py +++ b/sdk/python/src/dstack_sdk/dstack_client.py @@ -23,7 +23,7 @@ logger = logging.getLogger("dstack_sdk") -__version__ = "0.2.0" +__version__ = "0.5.2" INIT_MR = "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" @@ -226,12 +226,19 @@ class BaseClient: class AsyncDstackClient(BaseClient): PATH_PREFIX = "/" - def __init__(self, endpoint: str | None = None, *, use_sync_http: bool = False, timeout: float = 3): + def __init__( + self, + endpoint: str | None = None, + *, + use_sync_http: bool = False, + timeout: float = 3, + ): """Initialize async client with HTTP or Unix-socket transport. Args: endpoint: HTTP/HTTPS URL or Unix socket path use_sync_http: If True, use sync HTTP client internally + timeout: Timeout in seconds """ endpoint = get_endpoint(endpoint) @@ -256,14 +263,18 @@ def __init__(self, endpoint: str | None = None, *, use_sync_http: bool = False, def _get_client(self) -> httpx.AsyncClient: if self._client is None: self._client = httpx.AsyncClient( - transport=self.async_transport, base_url=self.base_url, timeout=self._timeout + transport=self.async_transport, + base_url=self.base_url, + timeout=self._timeout, ) return self._client def _get_sync_client(self) -> httpx.Client: if self._sync_client is None: self._sync_client = httpx.Client( - transport=self.sync_transport, base_url=self.base_url, timeout=self._timeout + transport=self.sync_transport, + base_url=self.base_url, + timeout=self._timeout, ) return self._sync_client @@ -399,7 +410,9 @@ def __init__(self, endpoint: str | None = None, *, timeout: float = 3): If a non-HTTP(S) endpoint is provided, it is treated as a Unix socket path and validated for existence. """ - self.async_client = AsyncDstackClient(endpoint, use_sync_http=True, timeout=timeout) + self.async_client = AsyncDstackClient( + endpoint, use_sync_http=True, timeout=timeout + ) @call_async def get_key( @@ -464,7 +477,13 @@ class AsyncTappdClient(AsyncDstackClient): DEPRECATED: Use ``AsyncDstackClient`` instead. """ - def __init__(self, endpoint: str | None = None, *, use_sync_http: bool = False, timeout: float = 3): + def __init__( + self, + endpoint: str | None = None, + *, + use_sync_http: bool = False, + timeout: float = 3, + ): """Initialize deprecated async tappd client wrapper.""" if not use_sync_http: # Already warned in TappdClient.__init__ @@ -549,7 +568,9 @@ def __init__(self, endpoint: str | None = None, timeout: float = 3): "TappdClient is deprecated, please use DstackClient instead" ) endpoint = get_tappd_endpoint(endpoint) - self.async_client = AsyncTappdClient(endpoint, use_sync_http=True, timeout=timeout) + self.async_client = AsyncTappdClient( + endpoint, use_sync_http=True, timeout=timeout + ) @call_async def derive_key( From 8d3d7145755b3fc08330281c41218344eb629ebb Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 22 Sep 2025 03:33:56 +0000 Subject: [PATCH 023/133] dstack-mr: Add qemu_version in VmConfig --- dstack-mr/src/acpi.rs | 12 +++- dstack-mr/src/machine.rs | 54 +++++++++++++++- dstack-mr/src/tdvf.rs | 5 +- dstack-types/src/lib.rs | 7 +-- kms/src/main_service.rs | 5 +- vmm/src/app.rs | 1 + vmm/src/config.rs | 132 +++++++++++++++++++++++++++++++++++++-- vmm/src/one_shot.rs | 1 + vmm/vmm.toml | 5 +- 9 files changed, 205 insertions(+), 17 deletions(-) diff --git a/dstack-mr/src/acpi.rs b/dstack-mr/src/acpi.rs index b79a6301..b61337a1 100644 --- a/dstack-mr/src/acpi.rs +++ b/dstack-mr/src/acpi.rs @@ -85,7 +85,12 @@ impl Machine<'_> { } else { machine.push_str(",smm=off"); } - if self.pic { + + let vopt = self + .versioned_options() + .context("Failed to get versioned options")?; + + if vopt.pic { machine.push_str(",pic=on"); } else { machine.push_str(",pic=off"); @@ -148,8 +153,13 @@ impl Machine<'_> { debug!("qemu command: {cmd:?}"); + let ver = vopt.version; // Execute the command and capture output let output = cmd + .env( + "QEMU_ACPI_COMPAT_VER", + format!("{}.{}.{}", ver.0, ver.1, ver.2), + ) .output() .context("failed to execute dstack-acpi-tables")?; diff --git a/dstack-mr/src/machine.rs b/dstack-mr/src/machine.rs index 27a63a0f..2fe0f5c2 100644 --- a/dstack-mr/src/machine.rs +++ b/dstack-mr/src/machine.rs @@ -6,7 +6,7 @@ use crate::tdvf::Tdvf; use crate::util::debug_print_log; use crate::{kernel, TdxMeasurements}; use crate::{measure_log, measure_sha384}; -use anyhow::{Context, Result}; +use anyhow::{bail, Context, Result}; use fs_err as fs; use log::debug; @@ -18,8 +18,9 @@ pub struct Machine<'a> { pub kernel: &'a str, pub initrd: &'a str, pub kernel_cmdline: &'a str, - pub two_pass_add_pages: bool, - pub pic: bool, + pub two_pass_add_pages: Option, + pub pic: Option, + pub qemu_version: Option, #[builder(default = false)] pub smm: bool, pub pci_hole64_size: Option, @@ -30,6 +31,53 @@ pub struct Machine<'a> { pub root_verity: bool, } +fn parse_version_tuple(v: &str) -> Result<(u32, u32, u32)> { + let parts: Vec = v + .split('.') + .map(|p| p.parse::().context("Invalid version number")) + .collect::, _>>()?; + if parts.len() != 3 { + bail!( + "Version string must have exactly 3 parts (major.minor.patch), got {}", + parts.len() + ); + } + Ok((parts[0], parts[1], parts[2])) +} + +impl Machine<'_> { + pub fn versioned_options(&self) -> Result { + let version = match &self.qemu_version { + Some(v) => Some(parse_version_tuple(v).context("Failed to parse QEMU version")?), + None => None, + }; + let default_pic; + let default_two_pass; + let version = version.unwrap_or((9, 1, 0)); + if version < (8, 0, 0) { + bail!("Unsupported QEMU version: {version:?}"); + } + if ((8, 0, 0)..(9, 0, 0)).contains(&version) { + default_pic = true; + default_two_pass = true; + } else { + default_pic = false; + default_two_pass = false; + }; + Ok(VersionedOptions { + version, + pic: self.pic.unwrap_or(default_pic), + two_pass_add_pages: self.two_pass_add_pages.unwrap_or(default_two_pass), + }) + } +} + +pub struct VersionedOptions { + pub version: (u32, u32, u32), + pub pic: bool, + pub two_pass_add_pages: bool, +} + impl Machine<'_> { pub fn measure(&self) -> Result { debug!("measuring machine: {self:#?}"); diff --git a/dstack-mr/src/tdvf.rs b/dstack-mr/src/tdvf.rs index e04edcb3..8f02487b 100644 --- a/dstack-mr/src/tdvf.rs +++ b/dstack-mr/src/tdvf.rs @@ -223,7 +223,10 @@ impl<'a> Tdvf<'a> { } pub fn mrtd(&self, machine: &Machine) -> Result> { - self.compute_mrtd(if machine.two_pass_add_pages { + let opts = machine + .versioned_options() + .context("Failed to get versioned options")?; + self.compute_mrtd(if opts.two_pass_add_pages { PageAddOrder::TwoPass } else { PageAddOrder::SinglePass diff --git a/dstack-types/src/lib.rs b/dstack-types/src/lib.rs index 15183248..145d7ba6 100644 --- a/dstack-types/src/lib.rs +++ b/dstack-types/src/lib.rs @@ -138,10 +138,9 @@ pub struct VmConfig { pub cpu_count: u32, pub memory_size: u64, // https://github.com/intel-staging/qemu-tdx/issues/1 - #[serde(default)] - pub qemu_single_pass_add_pages: bool, - #[serde(default)] - pub pic: bool, + pub qemu_single_pass_add_pages: Option, + pub pic: Option, + pub qemu_version: Option, #[serde(default)] pub pci_hole64_size: u64, #[serde(default)] diff --git a/kms/src/main_service.rs b/kms/src/main_service.rs index f7e50b1d..ff9881e8 100644 --- a/kms/src/main_service.rs +++ b/kms/src/main_service.rs @@ -268,8 +268,9 @@ impl RpcHandler { .kernel_cmdline(&kernel_cmdline) .root_verity(true) .hotplug_off(vm_config.hotplug_off) - .two_pass_add_pages(vm_config.qemu_single_pass_add_pages) - .pic(vm_config.pic) + .maybe_two_pass_add_pages(vm_config.qemu_single_pass_add_pages) + .maybe_pic(vm_config.pic) + .maybe_qemu_version(vm_config.qemu_version.clone()) .maybe_pci_hole64_size(if vm_config.pci_hole64_size > 0 { Some(vm_config.pci_hole64_size) } else { diff --git a/vmm/src/app.rs b/vmm/src/app.rs index 133f823a..a9b6077a 100644 --- a/vmm/src/app.rs +++ b/vmm/src/app.rs @@ -513,6 +513,7 @@ impl App { memory_size: manifest.memory as u64 * 1024 * 1024, qemu_single_pass_add_pages: cfg.cvm.qemu_single_pass_add_pages, pic: cfg.cvm.qemu_pic, + qemu_version: cfg.cvm.qemu_version.clone(), pci_hole64_size: cfg.cvm.qemu_pci_hole64_size, hugepages: manifest.hugepages, num_gpus: gpus.gpus.len() as u32, diff --git a/vmm/src/config.rs b/vmm/src/config.rs index d49312a4..863e30f9 100644 --- a/vmm/src/config.rs +++ b/vmm/src/config.rs @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -use std::{net::IpAddr, path::PathBuf, str::FromStr}; +use std::{net::IpAddr, path::PathBuf, process::Command, str::FromStr}; use anyhow::{bail, Context, Result}; use load_config::load_config; @@ -11,9 +11,69 @@ use rocket::figment::Figment; use serde::{Deserialize, Serialize}; use lspci::{lspci_filtered, Device}; -use tracing::info; +use tracing::{info, warn}; pub const DEFAULT_CONFIG: &str = include_str!("../vmm.toml"); + +fn detect_qemu_version(qemu_path: &PathBuf) -> Result { + let output = Command::new(qemu_path) + .arg("--version") + .output() + .context("Failed to execute qemu --version")?; + + if !output.status.success() { + bail!("QEMU version command failed with status: {}", output.status); + } + + let version_output = + String::from_utf8(output.stdout).context("QEMU version output is not valid UTF-8")?; + + parse_qemu_version_from_output(&version_output) + .context("Could not parse QEMU version from output") +} + +fn parse_qemu_version_from_output(output: &str) -> Result { + // Parse version from output like: + // "QEMU emulator version 8.2.2 (Debian 2:8.2.2+ds-0ubuntu1.4+tdx1.0)" + // "QEMU emulator version 9.1.0" + let version = output + .lines() + .next() + .and_then(|line| { + let words: Vec<&str> = line.split_whitespace().collect(); + + // First try: Look for "version" keyword and get the next word (only if it looks like a version) + if let Some(version_idx) = words.iter().position(|&word| word == "version") { + if let Some(next_word) = words.get(version_idx + 1) { + // Only use the word after "version" if it looks like a version number + if next_word.chars().next().is_some_and(|c| c.is_ascii_digit()) + && (next_word.contains('.') + || next_word.chars().all(|c| c.is_ascii_digit() || c == '-')) + { + return Some(*next_word); + } + } + } + + // Fallback: find first word that looks like a version number + words + .iter() + .find(|word| { + // Check if word starts with digit and contains dots (version-like) + word.chars().next().is_some_and(|c| c.is_ascii_digit()) + && (word.contains('.') + || word.chars().all(|c| c.is_ascii_digit() || c == '-')) + }) + .copied() + }) + .context("Could not parse QEMU version from output")?; + + // Extract just the version number (e.g., "8.2.2" from "8.2.2+ds-0ubuntu1.4+tdx1.0") + let clean_version = version.split('+').next().unwrap_or(version).to_string(); + + Ok(clean_version) +} + pub fn load_config_figment(config_file: Option<&str>) -> Figment { load_config("vmm", DEFAULT_CONFIG, config_file, false) } @@ -127,9 +187,11 @@ pub struct CvmConfig { pub use_mrconfigid: bool, /// QEMU single pass add page - pub qemu_single_pass_add_pages: bool, + pub qemu_single_pass_add_pages: Option, /// QEMU pic - pub qemu_pic: bool, + pub qemu_pic: Option, + /// QEMU qemu_version + pub qemu_version: Option, /// QEMU pci_hole64_size pub qemu_pci_hole64_size: u64, /// QEMU hotplug_off @@ -361,7 +423,69 @@ impl Config { } } info!("QEMU path: {}", me.cvm.qemu_path.display()); + + // Detect QEMU version if not already set + match &me.cvm.qemu_version { + None => match detect_qemu_version(&me.cvm.qemu_path) { + Ok(version) => { + info!("Detected QEMU version: {version}"); + me.cvm.qemu_version = Some(version); + } + Err(e) => { + warn!("Failed to detect QEMU version: {e}"); + // Continue without version - the system will use defaults + } + }, + Some(version) => info!("Configured QEMU version: {version}"), + } } Ok(me) } } + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn test_parse_qemu_version_debian_format() { + let output = "QEMU emulator version 8.2.2 (Debian 2:8.2.2+ds-0ubuntu1.4+tdx1.0)\nCopyright (c) 2003-2023 Fabrice Bellard and the QEMU Project developers"; + let version = parse_qemu_version_from_output(output).unwrap(); + assert_eq!(version, "8.2.2"); + } + + #[test] + fn test_parse_qemu_version_simple_format() { + let output = "QEMU emulator version 9.1.0\nCopyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers"; + let version = parse_qemu_version_from_output(output).unwrap(); + assert_eq!(version, "9.1.0"); + } + + #[test] + fn test_parse_qemu_version_old_debian_format() { + let output = "QEMU emulator version 8.2.2 (Debian 1:8.2.2+ds-0ubuntu1.2)\nCopyright (c) 2003-2023 Fabrice Bellard and the QEMU Project developers"; + let version = parse_qemu_version_from_output(output).unwrap(); + assert_eq!(version, "8.2.2"); + } + + #[test] + fn test_parse_qemu_version_with_rc() { + let output = "QEMU emulator version 9.0.0-rc1\nCopyright (c) 2003-2024 Fabrice Bellard and the QEMU Project developers"; + let version = parse_qemu_version_from_output(output).unwrap(); + assert_eq!(version, "9.0.0-rc1"); + } + + #[test] + fn test_parse_qemu_version_fallback() { + let output = "Some unusual format 8.1.5 with version info"; + let version = parse_qemu_version_from_output(output).unwrap(); + assert_eq!(version, "8.1.5"); + } + + #[test] + fn test_parse_qemu_version_invalid() { + let output = "No version information here"; + let result = parse_qemu_version_from_output(output); + assert!(result.is_err()); + } +} diff --git a/vmm/src/one_shot.rs b/vmm/src/one_shot.rs index b51378e6..296f5df3 100644 --- a/vmm/src/one_shot.rs +++ b/vmm/src/one_shot.rs @@ -261,6 +261,7 @@ Compose file content (first 200 chars): memory_size: manifest.memory as u64 * 1024 * 1024, qemu_single_pass_add_pages: config.cvm.qemu_single_pass_add_pages, pic: config.cvm.qemu_pic, + qemu_version: config.cvm.qemu_version.clone(), pci_hole64_size: config.cvm.qemu_pci_hole64_size, hugepages: manifest.hugepages, num_gpus: manifest.gpus.as_ref().map_or(0, |g| g.gpus.len() as u32), diff --git a/vmm/vmm.toml b/vmm/vmm.toml index 4058ed74..568c2b2a 100644 --- a/vmm/vmm.toml +++ b/vmm/vmm.toml @@ -30,8 +30,9 @@ user = "" use_mrconfigid = true # QEMU flags -qemu_single_pass_add_pages = false -qemu_pic = true +#qemu_single_pass_add_pages = false +#qemu_pic = true +#qemu_version = "" qemu_pci_hole64_size = 0 qemu_hotplug_off = false From 4b4f55b968bdf096a9cc40438553a64a0f33c6a0 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 22 Sep 2025 08:50:34 +0000 Subject: [PATCH 024/133] Add image name in VmConfig --- dstack-types/src/lib.rs | 1 + vmm/src/app.rs | 1 + vmm/src/one_shot.rs | 1 + 3 files changed, 3 insertions(+) diff --git a/dstack-types/src/lib.rs b/dstack-types/src/lib.rs index 145d7ba6..439d9905 100644 --- a/dstack-types/src/lib.rs +++ b/dstack-types/src/lib.rs @@ -151,6 +151,7 @@ pub struct VmConfig { pub num_nvswitches: u32, #[serde(default)] pub hotplug_off: bool, + pub image: Option, } #[derive(Serialize, Deserialize, Debug, Clone)] diff --git a/vmm/src/app.rs b/vmm/src/app.rs index a9b6077a..9a344e48 100644 --- a/vmm/src/app.rs +++ b/vmm/src/app.rs @@ -519,6 +519,7 @@ impl App { num_gpus: gpus.gpus.len() as u32, num_nvswitches: gpus.bridges.len() as u32, hotplug_off: cfg.cvm.qemu_hotplug_off, + image: Some(manifest.image.clone()), })?; json!({ "kms_urls": kms_urls, diff --git a/vmm/src/one_shot.rs b/vmm/src/one_shot.rs index 296f5df3..a377b307 100644 --- a/vmm/src/one_shot.rs +++ b/vmm/src/one_shot.rs @@ -267,6 +267,7 @@ Compose file content (first 200 chars): num_gpus: manifest.gpus.as_ref().map_or(0, |g| g.gpus.len() as u32), num_nvswitches: manifest.gpus.as_ref().map_or(0, |g| g.bridges.len() as u32), hotplug_off: config.cvm.qemu_hotplug_off, + image: Some(manifest.image.clone()), })? }); let sys_config_path = vm_work_dir.shared_dir().join(".sys-config.json"); From d3499412d721b83c25baba5e440785b3f0df3c8e Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 22 Sep 2025 08:49:45 +0000 Subject: [PATCH 025/133] Returns event log in dstack-mr --- dstack-mr/src/acpi.rs | 1 + dstack-mr/src/kernel.rs | 12 +++++------ dstack-mr/src/lib.rs | 5 ++++- dstack-mr/src/machine.rs | 41 +++++++++++++++++++++++++++++------- dstack-mr/src/tdvf.rs | 45 +++++++++++++++++++++++----------------- 5 files changed, 69 insertions(+), 35 deletions(-) diff --git a/dstack-mr/src/acpi.rs b/dstack-mr/src/acpi.rs index b61337a1..a93f30e1 100644 --- a/dstack-mr/src/acpi.rs +++ b/dstack-mr/src/acpi.rs @@ -13,6 +13,7 @@ use crate::Machine; const LDR_LENGTH: usize = 4096; const FIXED_STRING_LEN: usize = 56; +#[derive(Debug, Clone)] pub struct Tables { pub tables: Vec, pub rsdp: Vec, diff --git a/dstack-mr/src/kernel.rs b/dstack-mr/src/kernel.rs index 1f714ee0..9fd465e6 100644 --- a/dstack-mr/src/kernel.rs +++ b/dstack-mr/src/kernel.rs @@ -2,7 +2,7 @@ // // SPDX-License-Identifier: Apache-2.0 -use crate::{measure_log, measure_sha384, num::read_le, utf16_encode, util::debug_print_log}; +use crate::{measure_sha384, num::read_le, utf16_encode}; use anyhow::{bail, Context, Result}; use object::pe; use sha2::{Digest, Sha384}; @@ -201,24 +201,22 @@ fn patch_kernel( } /// Measures a QEMU-patched TDX kernel image. -pub(crate) fn measure_kernel( +pub(crate) fn rtmr1_log( kernel_data: &[u8], initrd_size: u32, mem_size: u64, acpi_data_size: u32, -) -> Result> { +) -> Result>> { let kd = patch_kernel(kernel_data, initrd_size, mem_size, acpi_data_size) .context("Failed to patch kernel")?; let kernel_hash = authenticode_sha384_hash(&kd).context("Failed to compute kernel hash")?; - let rtmr1_log = vec![ + Ok(vec![ kernel_hash, measure_sha384(b"Calling EFI Application from Boot Option"), measure_sha384(&[0x00, 0x00, 0x00, 0x00]), // Separator measure_sha384(b"Exit Boot Services Invocation"), measure_sha384(b"Exit Boot Services Returned with Success"), - ]; - debug_print_log("RTMR1", &rtmr1_log); - Ok(measure_log(&rtmr1_log)) + ]) } /// Measures the kernel command line by converting to UTF-16LE and hashing. diff --git a/dstack-mr/src/lib.rs b/dstack-mr/src/lib.rs index 936e283f..a8d5825e 100644 --- a/dstack-mr/src/lib.rs +++ b/dstack-mr/src/lib.rs @@ -5,10 +5,13 @@ use serde::{Deserialize, Serialize}; use serde_human_bytes as hex_bytes; -pub use machine::Machine; +pub use machine::{Machine, TdxMeasurementDetails}; use util::{measure_log, measure_sha384, utf16_encode}; +pub type RtmrLog = Vec>; +pub type RtmrLogs = [RtmrLog; 3]; + mod acpi; mod kernel; mod machine; diff --git a/dstack-mr/src/machine.rs b/dstack-mr/src/machine.rs index 2fe0f5c2..c08e6cdf 100644 --- a/dstack-mr/src/machine.rs +++ b/dstack-mr/src/machine.rs @@ -2,9 +2,10 @@ // // SPDX-License-Identifier: Apache-2.0 +use crate::acpi::Tables; use crate::tdvf::Tdvf; use crate::util::debug_print_log; -use crate::{kernel, TdxMeasurements}; +use crate::{kernel, RtmrLogs, TdxMeasurements}; use crate::{measure_log, measure_sha384}; use anyhow::{bail, Context, Result}; use fs_err as fs; @@ -78,21 +79,41 @@ pub struct VersionedOptions { pub two_pass_add_pages: bool, } +#[derive(Debug, Clone)] +pub struct TdxMeasurementDetails { + pub measurements: TdxMeasurements, + pub rtmr_logs: RtmrLogs, + pub acpi_tables: Tables, +} + impl Machine<'_> { pub fn measure(&self) -> Result { + self.measure_with_logs().map(|details| details.measurements) + } + + pub fn measure_with_logs(&self) -> Result { debug!("measuring machine: {self:#?}"); let fw_data = fs::read(self.firmware)?; let kernel_data = fs::read(self.kernel)?; let initrd_data = fs::read(self.initrd)?; let tdvf = Tdvf::parse(&fw_data).context("Failed to parse TDVF metadata")?; + let mrtd = tdvf.mrtd(self).context("Failed to compute MR TD")?; - let rtmr0 = tdvf.rtmr0(self).context("Failed to compute RTMR0")?; - let rtmr1 = kernel::measure_kernel( + + let (rtmr0_log, acpi_tables) = tdvf + .rtmr0_log(self) + .context("Failed to compute RTMR0 log")?; + debug_print_log("RTMR0", &rtmr0_log); + let rtmr0 = measure_log(&rtmr0_log); + + let rtmr1_log = kernel::rtmr1_log( &kernel_data, initrd_data.len() as u32, self.memory_size, 0x28000, )?; + debug_print_log("RTMR1", &rtmr1_log); + let rtmr1 = measure_log(&rtmr1_log); let rtmr2_log = vec![ kernel::measure_cmdline(self.kernel_cmdline), @@ -101,11 +122,15 @@ impl Machine<'_> { debug_print_log("RTMR2", &rtmr2_log); let rtmr2 = measure_log(&rtmr2_log); - Ok(TdxMeasurements { - mrtd, - rtmr0, - rtmr1, - rtmr2, + Ok(TdxMeasurementDetails { + measurements: TdxMeasurements { + mrtd, + rtmr0, + rtmr1, + rtmr2, + }, + rtmr_logs: [rtmr0_log, rtmr1_log, rtmr2_log], + acpi_tables, }) } } diff --git a/dstack-mr/src/tdvf.rs b/dstack-mr/src/tdvf.rs index 8f02487b..a5d577a8 100644 --- a/dstack-mr/src/tdvf.rs +++ b/dstack-mr/src/tdvf.rs @@ -6,9 +6,9 @@ use anyhow::{anyhow, bail, Context, Result}; use hex_literal::hex; use sha2::{Digest, Sha384}; +use crate::acpi::Tables; use crate::num::read_le; -use crate::util::debug_print_log; -use crate::{measure_log, measure_sha384, utf16_encode, Machine}; +use crate::{measure_log, measure_sha384, utf16_encode, Machine, RtmrLog}; const PAGE_SIZE: u64 = 0x1000; const MR_EXTEND_GRANULARITY: usize = 0x100; @@ -233,7 +233,13 @@ impl<'a> Tdvf<'a> { }) } + #[allow(dead_code)] pub fn rtmr0(&self, machine: &Machine) -> Result> { + let (rtmr0_log, _) = self.rtmr0_log(machine)?; + Ok(measure_log(&rtmr0_log)) + } + + pub fn rtmr0_log(&self, machine: &Machine) -> Result<(RtmrLog, Tables)> { let td_hob_hash = self.measure_td_hob(machine.memory_size)?; let cfv_image_hash = hex!("344BC51C980BA621AAA00DA3ED7436F7D6E549197DFE699515DFA2C6583D95E6412AF21C097D473155875FFD561D6790"); let boot000_hash = hex!("23ADA07F5261F12F34A0BD8E46760962D6B4D576A416F1FEA1C64BC656B1D28EACF7047AE6E967C58FD2A98BFA74C298"); @@ -245,23 +251,24 @@ impl<'a> Tdvf<'a> { // RTMR0 calculation - let rtmr0_log = vec![ - td_hob_hash, - cfv_image_hash.to_vec(), - measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "SecureBoot")?, - measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "PK")?, - measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "KEK")?, - measure_tdx_efi_variable("D719B2CB-3D3A-4596-A3BC-DAD00E67656F", "db")?, - measure_tdx_efi_variable("D719B2CB-3D3A-4596-A3BC-DAD00E67656F", "dbx")?, - measure_sha384(&[0x00, 0x00, 0x00, 0x00]), // Separator - acpi_loader_hash, - acpi_rsdp_hash, - acpi_tables_hash, - measure_sha384(&[0x00, 0x00]), // BootOrder - boot000_hash.to_vec(), - ]; - debug_print_log("RTMR0", &rtmr0_log); - Ok(measure_log(&rtmr0_log)) + Ok(( + vec![ + td_hob_hash, + cfv_image_hash.to_vec(), + measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "SecureBoot")?, + measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "PK")?, + measure_tdx_efi_variable("8BE4DF61-93CA-11D2-AA0D-00E098032B8C", "KEK")?, + measure_tdx_efi_variable("D719B2CB-3D3A-4596-A3BC-DAD00E67656F", "db")?, + measure_tdx_efi_variable("D719B2CB-3D3A-4596-A3BC-DAD00E67656F", "dbx")?, + measure_sha384(&[0x00, 0x00, 0x00, 0x00]), // Separator + acpi_loader_hash, + acpi_rsdp_hash, + acpi_tables_hash, + measure_sha384(&[0x00, 0x00]), // BootOrder + boot000_hash.to_vec(), + ], + tables, + )) } fn measure_td_hob(&self, memory_size: u64) -> Result> { From 846637c65982fe57fb07beaa6c34460a80c64b19 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 22 Sep 2025 10:14:19 +0000 Subject: [PATCH 026/133] Add dstack-verifier --- .github/workflows/verifier-release.yml | 80 +++ Cargo.lock | 25 + Cargo.toml | 1 + REUSE.toml | 10 + kms/dstack-app/builder/Dockerfile | 4 +- verifier/Cargo.toml | 37 ++ verifier/README.md | 163 +++++ verifier/builder/Dockerfile | 86 +++ verifier/builder/build-image.sh | 87 +++ .../shared/builder-pinned-packages.txt | 435 ++++++++++++ verifier/builder/shared/config-qemu.sh | 28 + verifier/builder/shared/pin-packages.sh | 21 + verifier/builder/shared/pinned-packages.txt | 108 +++ .../builder/shared/qemu-pinned-packages.txt | 236 +++++++ verifier/dstack-verifier.toml | 19 + verifier/fixtures/quote-report.json | 1 + verifier/src/main.rs | 241 +++++++ verifier/src/types.rs | 80 +++ verifier/src/verification.rs | 620 ++++++++++++++++++ verifier/test.sh | 127 ++++ 20 files changed, 2407 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/verifier-release.yml create mode 100644 verifier/Cargo.toml create mode 100644 verifier/README.md create mode 100644 verifier/builder/Dockerfile create mode 100755 verifier/builder/build-image.sh create mode 100644 verifier/builder/shared/builder-pinned-packages.txt create mode 100755 verifier/builder/shared/config-qemu.sh create mode 100755 verifier/builder/shared/pin-packages.sh create mode 100644 verifier/builder/shared/pinned-packages.txt create mode 100644 verifier/builder/shared/qemu-pinned-packages.txt create mode 100644 verifier/dstack-verifier.toml create mode 100644 verifier/fixtures/quote-report.json create mode 100644 verifier/src/main.rs create mode 100644 verifier/src/types.rs create mode 100644 verifier/src/verification.rs create mode 100755 verifier/test.sh diff --git a/.github/workflows/verifier-release.yml b/.github/workflows/verifier-release.yml new file mode 100644 index 00000000..2c8d25f2 --- /dev/null +++ b/.github/workflows/verifier-release.yml @@ -0,0 +1,80 @@ +# SPDX-FileCopyrightText: © 2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +name: Verifier Release + +on: + workflow_dispatch: + push: + tags: + - 'verifier-v*' +permissions: + attestations: write + id-token: write + contents: write + packages: write + +jobs: + build-and-release: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Parse version from tag + run: | + VERSION=${GITHUB_REF#refs/tags/verifier-v} + echo "VERSION=$VERSION" >> $GITHUB_ENV + echo "Parsed version: $VERSION" + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ vars.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Get Git commit timestamps + run: | + echo "TIMESTAMP=$(git log -1 --pretty=%ct)" >> $GITHUB_ENV + echo "GIT_REV=$(git rev-parse HEAD)" >> $GITHUB_ENV + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v5 + env: + SOURCE_DATE_EPOCH: ${{ env.TIMESTAMP }} + with: + context: verifier + file: verifier/builder/Dockerfile + push: true + tags: ${{ vars.DOCKERHUB_USERNAME }}/dstack-verifier:${{ env.VERSION }} + platforms: linux/amd64 + provenance: false + build-args: | + DSTACK_REV=${{ env.GIT_REV }} + DSTACK_SRC_URL=${{ github.server_url }}/${{ github.repository }}.git + SOURCE_DATE_EPOCH=${{ env.TIMESTAMP }} + + - name: Generate artifact attestation + uses: actions/attest-build-provenance@v1 + with: + subject-name: "docker.io/${{ vars.DOCKERHUB_USERNAME }}/dstack-verifier" + subject-digest: ${{ steps.build-and-push.outputs.digest }} + push-to-registry: true + + - name: GitHub Release + uses: softprops/action-gh-release@v1 + with: + name: "Verifier Release v${{ env.VERSION }}" + body: | + ## Docker Image Information + + **Image**: `docker.io/${{ vars.DOCKERHUB_USERNAME }}/dstack-verifier:${{ env.VERSION }}` + + **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}` + + **Verification**: [Verify on Sigstore](https://search.sigstore.dev/?hash=${{ steps.build-and-push.outputs.digest }}) diff --git a/Cargo.lock b/Cargo.lock index df58f866..d17f8282 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2461,6 +2461,31 @@ dependencies = [ "x509-parser", ] +[[package]] +name = "dstack-verifier" +version = "0.5.4" +dependencies = [ + "anyhow", + "cc-eventlog", + "clap", + "dcap-qvl", + "dstack-mr", + "dstack-types", + "figment", + "fs-err", + "hex", + "ra-tls", + "reqwest", + "rocket", + "serde", + "serde_json", + "sha2 0.10.9", + "tempfile", + "tokio", + "tracing", + "tracing-subscriber", +] + [[package]] name = "dstack-vmm" version = "0.5.4" diff --git a/Cargo.toml b/Cargo.toml index 074bc454..b26e068d 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -49,6 +49,7 @@ members = [ "serde-duration", "dstack-mr", "dstack-mr/cli", + "verifier", "no_std_check", ] resolver = "2" diff --git a/REUSE.toml b/REUSE.toml index abf4a08c..bf435ec4 100644 --- a/REUSE.toml +++ b/REUSE.toml @@ -162,3 +162,13 @@ SPDX-License-Identifier = "CC0-1.0" path = "dstack-util/tests/fixtures/*" SPDX-FileCopyrightText = "NONE" SPDX-License-Identifier = "CC0-1.0" + +[[annotations]] +path = "verifier/fixtures/*" +SPDX-FileCopyrightText = "NONE" +SPDX-License-Identifier = "CC0-1.0" + +[[annotations]] +path = "verifier/builder/shared/*.txt" +SPDX-FileCopyrightText = "NONE" +SPDX-License-Identifier = "CC0-1.0" diff --git a/kms/dstack-app/builder/Dockerfile b/kms/dstack-app/builder/Dockerfile index 5e954755..e9c9448b 100644 --- a/kms/dstack-app/builder/Dockerfile +++ b/kms/dstack-app/builder/Dockerfile @@ -27,7 +27,7 @@ RUN cd dstack && cargo build --release -p dstack-kms --target x86_64-unknown-lin FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe COPY ./shared /build WORKDIR /build -ARG QEMU_REV=d98440811192c08eafc07c7af110593c6b3758ff +ARG QEMU_REV=dbcec07c0854bf873d346a09e87e4c993ccf2633 RUN ./pin-packages.sh ./qemu-pinned-packages.txt && \ apt-get update && \ apt-get install -y --no-install-recommends \ @@ -43,7 +43,7 @@ RUN ./pin-packages.sh ./qemu-pinned-packages.txt && \ flex \ bison && \ rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache -RUN git clone https://github.com/kvinwang/qemu-tdx.git --depth 1 --branch passthrough-dump-acpi --single-branch && \ +RUN git clone https://github.com/kvinwang/qemu-tdx.git --depth 1 --branch dstack-qemu-9.2.1 --single-branch && \ cd qemu-tdx && git fetch --depth 1 origin ${QEMU_REV} && \ git checkout ${QEMU_REV} && \ ../config-qemu.sh ./build /usr/local && \ diff --git a/verifier/Cargo.toml b/verifier/Cargo.toml new file mode 100644 index 00000000..78706da9 --- /dev/null +++ b/verifier/Cargo.toml @@ -0,0 +1,37 @@ +# SPDX-FileCopyrightText: © 2024-2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +[package] +name = "dstack-verifier" +version.workspace = true +authors.workspace = true +edition.workspace = true +license.workspace = true +homepage.workspace = true +repository.workspace = true + +[dependencies] +anyhow.workspace = true +clap = { workspace = true, features = ["derive"] } +figment.workspace = true +fs-err.workspace = true +hex.workspace = true +rocket = { workspace = true, features = ["json"] } +serde = { workspace = true, features = ["derive"] } +serde_json.workspace = true +tokio = { workspace = true, features = ["full"] } +tracing.workspace = true +tracing-subscriber.workspace = true +reqwest.workspace = true +tempfile.workspace = true + +# Internal dependencies +ra-tls.workspace = true +dstack-types.workspace = true +dstack-mr.workspace = true + +# Crypto/verification dependencies +dcap-qvl.workspace = true +cc-eventlog.workspace = true +sha2.workspace = true diff --git a/verifier/README.md b/verifier/README.md new file mode 100644 index 00000000..51cf3dbc --- /dev/null +++ b/verifier/README.md @@ -0,0 +1,163 @@ +# dstack-verifier + +A HTTP server that provides CVM (Confidential Virtual Machine) verification services using the same verification process as the dstack KMS. + +## Features + +- **TDX Quote Verification**: Uses dcap-qvl to verify TDX quotes +- **Event Log Verification**: Validates event logs and extracts app information +- **OS Image Hash Verification**: Uses dstack-mr to ensure OS image hash matches expected measurements +- **Automatic Image Download**: Downloads and caches OS images automatically when not found locally +- **RESTful API**: Simple HTTP endpoints for verification requests + +## API Endpoints + +### POST /verify + +Verifies a CVM attestation with the provided quote, event log, and VM configuration. + +**Request Body:** +```json +{ + "quote": "hex-encoded-quote", + "event_log": "hex-encoded-event-log", + "vm_config": "json-vm-config-string", + "pccs_url": "optional-pccs-url" +} +``` + +**Response:** +```json +{ + "is_valid": true, + "details": { + "quote_verified": true, + "event_log_verified": true, + "os_image_hash_verified": true, + "report_data": "hex-encoded-64-byte-report-data", + "tcb_status": "OK", + "advisory_ids": [], + "app_info": { + "app_id": "hex-string", + "compose_hash": "hex-string", + "instance_id": "hex-string", + "device_id": "hex-string", + "mrtd": "hex-string", + "rtmr0": "hex-string", + "rtmr1": "hex-string", + "rtmr2": "hex-string", + "rtmr3": "hex-string", + "mr_system": "hex-string", + "mr_aggregated": "hex-string", + "os_image_hash": "hex-string", + "key_provider_info": "hex-string" + } + }, + "reason": null +} +``` + +### GET /health + +Health check endpoint that returns service status. + +**Response:** +```json +{ + "status": "ok", + "service": "dstack-verifier" +} +``` + +## Configuration + +Configuration can be provided via: +1. TOML file (default: `dstack-verifier.toml`) +2. Environment variables with prefix `DSTACK_VERIFIER_` +3. Command line arguments + +### Configuration Options + +- `host`: Server bind address (default: "0.0.0.0") +- `port`: Server port (default: 8080) +- `image_cache_dir`: Directory for cached OS images (default: "/tmp/dstack-verifier/cache") +- `image_download_url`: URL template for downloading OS images (default: GitHub releases URL) +- `image_download_timeout_secs`: Download timeout in seconds (default: 300) +- `pccs_url`: Optional PCCS URL for quote verification + +### Example Configuration File + +```toml +host = "0.0.0.0" +port = 8080 +image_cache_dir = "/var/cache/dstack-verifier" +image_download_url = "http://0.0.0.0:8000/mr_{OS_IMAGE_HASH}.tar.gz" +image_download_timeout_secs = 300 +pccs_url = "https://pccs.example.com" +``` + +## Usage + +```bash +# Run with default config +cargo run --bin dstack-verifier + +# Run with custom config file +cargo run --bin dstack-verifier -- --config /path/to/config.toml + +# Set via environment variables +DSTACK_VERIFIER_PORT=9000 cargo run --bin dstack-verifier +``` + +## Testing + +Two test scripts are provided for easy testing: + +### Full Test (with server management) +```bash +./test.sh +``` +This script will: +- Build the project +- Start the server +- Run the verification test +- Display detailed results +- Clean up automatically + +### Quick Test (assumes server is running) +```bash +./quick-test.sh +``` +This script assumes the server is already running and just sends a test request. + +## Verification Process + +The verifier performs three main verification steps: + +1. **Quote Verification**: Validates the TDX quote using dcap-qvl, checking the quote signature and TCB status +2. **Event Log Verification**: Replays event logs to ensure RTMR values match and extracts app information +3. **OS Image Hash Verification**: + - Automatically downloads OS images if not cached locally + - Uses dstack-mr to compute expected measurements + - Compares against the verified measurements from the quote + +All three steps must pass for the verification to be considered valid. + +### Automatic Image Download + +When an OS image is not found in the local cache, the verifier will: + +1. **Download**: Fetch the image tarball from the configured URL +2. **Extract**: Extract the tarball contents to a temporary directory +3. **Verify**: Check SHA256 checksums to ensure file integrity +4. **Validate**: Confirm the OS image hash matches the computed hash +5. **Cache**: Move the validated files to the cache directory for future use + +The download URL template uses `{OS_IMAGE_HASH}` as a placeholder that gets replaced with the actual OS image hash from the verification request. + +## Dependencies + +- dcap-qvl: TDX quote verification +- dstack-mr: OS image measurement computation +- ra-tls: Attestation handling and verification +- rocket: HTTP server framework \ No newline at end of file diff --git a/verifier/builder/Dockerfile b/verifier/builder/Dockerfile new file mode 100644 index 00000000..cef0d128 --- /dev/null +++ b/verifier/builder/Dockerfile @@ -0,0 +1,86 @@ +# SPDX-FileCopyrightText: © 2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +FROM rust:1.86.0@sha256:300ec56abce8cc9448ddea2172747d048ed902a3090e6b57babb2bf19f754081 AS verifier-builder +COPY builder/shared /build/shared +ARG DSTACK_REV +ARG DSTACK_SRC_URL=https://github.com/Dstack-TEE/dstack.git +WORKDIR /build +RUN ./shared/pin-packages.sh ./shared/builder-pinned-packages.txt +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + git \ + build-essential \ + musl-tools \ + libssl-dev \ + protobuf-compiler \ + libprotobuf-dev \ + clang \ + libclang-dev \ + pkg-config \ + ca-certificates \ + curl && \ + rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache +RUN git clone ${DSTACK_SRC_URL} && \ + cd dstack && \ + git checkout ${DSTACK_REV} +RUN rustup target add x86_64-unknown-linux-musl +RUN cd dstack && cargo build --release -p dstack-verifier --target x86_64-unknown-linux-musl +RUN echo "${DSTACK_REV}" > /build/.GIT_REV + +FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe AS acpi-builder +COPY builder/shared /build +WORKDIR /build +ARG QEMU_REV=dbcec07c0854bf873d346a09e87e4c993ccf2633 +RUN ./pin-packages.sh ./qemu-pinned-packages.txt && \ + apt-get update && \ + apt-get install -y --no-install-recommends \ + git \ + libslirp-dev \ + python3-pip \ + ninja-build \ + pkg-config \ + libglib2.0-dev \ + python3-sphinx \ + python3-sphinx-rtd-theme \ + build-essential \ + flex \ + bison && \ + rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache +RUN git clone https://github.com/kvinwang/qemu-tdx.git --depth 1 --branch dstack-qemu-9.2.1 --single-branch && \ + cd qemu-tdx && git fetch --depth 1 origin ${QEMU_REV} && \ + git checkout ${QEMU_REV} && \ + ../config-qemu.sh ./build /usr/local && \ + cd build && \ + ninja && \ + strip qemu-system-x86_64 && \ + install -m 755 qemu-system-x86_64 /usr/local/bin/dstack-acpi-tables && \ + cd ../ && \ + install -d /usr/local/share/qemu && \ + install -m 644 pc-bios/efi-virtio.rom /usr/local/share/qemu/ && \ + install -m 644 pc-bios/kvmvapic.bin /usr/local/share/qemu/ && \ + install -m 644 pc-bios/linuxboot_dma.bin /usr/local/share/qemu/ && \ + cd .. && rm -rf qemu-tdx + +FROM debian:bookworm@sha256:0d8498a0e9e6a60011df39aab78534cfe940785e7c59d19dfae1eb53ea59babe +COPY builder/shared /build +WORKDIR /build +RUN ./pin-packages.sh ./pinned-packages.txt && \ + apt-get update && \ + apt-get install -y --no-install-recommends \ + ca-certificates \ + curl \ + libglib2.0-0 \ + libslirp0 \ + && rm -rf /var/lib/apt/lists/* /var/log/* /var/cache/ldconfig/aux-cache +COPY --from=verifier-builder /build/dstack/target/x86_64-unknown-linux-musl/release/dstack-verifier /usr/local/bin/dstack-verifier +COPY --from=verifier-builder /build/.GIT_REV /etc/ +COPY --from=acpi-builder /usr/local/bin/dstack-acpi-tables /usr/local/bin/dstack-acpi-tables +COPY --from=acpi-builder /usr/local/share/qemu /usr/local/share/qemu +RUN mkdir -p /etc/dstack +COPY dstack-verifier.toml /etc/dstack/dstack-verifier.toml +WORKDIR /var/lib/dstack-verifier +EXPOSE 8080 +ENTRYPOINT ["/usr/local/bin/dstack-verifier"] +CMD ["--config", "/etc/dstack/dstack-verifier.toml"] diff --git a/verifier/builder/build-image.sh b/verifier/builder/build-image.sh new file mode 100755 index 00000000..75bcca79 --- /dev/null +++ b/verifier/builder/build-image.sh @@ -0,0 +1,87 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: © 2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +set -euo pipefail + +SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) +CONTEXT_DIR=$(dirname "$SCRIPT_DIR") +REPO_ROOT=$(git -C "$SCRIPT_DIR" rev-parse --show-toplevel) +SHARED_DIR="$SCRIPT_DIR/shared" +SHARED_GIT_PATH=$(realpath --relative-to="$REPO_ROOT" "$SHARED_DIR") +DOCKERFILE="$SCRIPT_DIR/Dockerfile" + +NO_CACHE=${NO_CACHE:-} +NAME=${1:-} +if [ -z "$NAME" ]; then + echo "Usage: $0 [:]" >&2 + exit 1 +fi + +extract_packages() { + local image_name=$1 + local pkg_list_file=$2 + if [ -z "$pkg_list_file" ]; then + return + fi + docker run --rm --entrypoint bash "$image_name" \ + -c "dpkg -l | grep '^ii' | awk '{print \$2\"=\"\$3}' | sort" \ + >"$pkg_list_file" +} + +docker_build() { + local image_name=$1 + local target=$2 + local pkg_list_file=$3 + + local commit_timestamp + commit_timestamp=$(git -C "$REPO_ROOT" show -s --format=%ct "$GIT_REV") + + local args=( + --builder buildkit_20 + --progress=plain + --output type=docker,name="$image_name",rewrite-timestamp=true + --build-arg SOURCE_DATE_EPOCH="$commit_timestamp" + --build-arg DSTACK_REV="$GIT_REV" + --build-arg DSTACK_SRC_URL="$DSTACK_SRC_URL" + ) + + if [ -n "$NO_CACHE" ]; then + args+=(--no-cache) + fi + + if [ -n "$target" ]; then + args+=(--target "$target") + fi + + docker buildx build "${args[@]}" \ + --file "$DOCKERFILE" \ + "$CONTEXT_DIR" + + extract_packages "$image_name" "$pkg_list_file" +} + +if ! docker buildx inspect buildkit_20 &>/dev/null; then + docker buildx create --use --driver-opt image=moby/buildkit:v0.20.2 --name buildkit_20 +fi + +mkdir -p "$SHARED_DIR" +touch "$SHARED_DIR/builder-pinned-packages.txt" +touch "$SHARED_DIR/qemu-pinned-packages.txt" +touch "$SHARED_DIR/pinned-packages.txt" + +GIT_REV=${GIT_REV:-HEAD} +GIT_REV=$(git -C "$REPO_ROOT" rev-parse "$GIT_REV") +DSTACK_SRC_URL=${DSTACK_SRC_URL:-https://github.com/Dstack-TEE/dstack.git} + +docker_build "$NAME" "" "$SHARED_DIR/pinned-packages.txt" +docker_build "verifier-builder-temp" "verifier-builder" "$SHARED_DIR/builder-pinned-packages.txt" +docker_build "verifier-acpi-builder-temp" "acpi-builder" "$SHARED_DIR/qemu-pinned-packages.txt" + +git_status=$(git -C "$REPO_ROOT" status --porcelain -- "$SHARED_GIT_PATH") +if [ -n "$git_status" ]; then + echo "The working tree has updates in $SHARED_GIT_PATH. Commit or stash before re-running." >&2 + exit 1 +fi diff --git a/verifier/builder/shared/builder-pinned-packages.txt b/verifier/builder/shared/builder-pinned-packages.txt new file mode 100644 index 00000000..69c95e45 --- /dev/null +++ b/verifier/builder/shared/builder-pinned-packages.txt @@ -0,0 +1,435 @@ +adduser=3.134 +apt=2.6.1 +autoconf=2.71-3 +automake=1:1.16.5-1.3 +autotools-dev=20220109.1 +base-files=12.4+deb12u10 +base-passwd=3.6.1 +bash=5.2.15-2+b7 +binutils-common:amd64=2.40-2 +binutils-x86-64-linux-gnu=2.40-2 +binutils=2.40-2 +bsdutils=1:2.38.1-5+deb12u3 +build-essential=12.9 +bzip2=1.0.8-5+b1 +ca-certificates=20230311 +clang-14=1:14.0.6-12 +clang=1:14.0-55.7~deb12u1 +comerr-dev:amd64=2.1-1.47.0-2 +coreutils=9.1-1 +cpp-12=12.2.0-14+deb12u1 +cpp=4:12.2.0-3 +curl=7.88.1-10+deb12u12 +dash=0.5.12-2 +debconf=1.5.82 +debian-archive-keyring=2023.3+deb12u1 +debianutils=5.7-0.5~deb12u1 +default-libmysqlclient-dev:amd64=1.1.0 +diffutils=1:3.8-4 +dirmngr=2.2.40-1.1 +dpkg-dev=1.21.22 +dpkg=1.21.22 +e2fsprogs=1.47.0-2 +file=1:5.44-3 +findutils=4.9.0-4 +fontconfig-config=2.14.1-4 +fontconfig=2.14.1-4 +fonts-dejavu-core=2.37-6 +g++-12=12.2.0-14+deb12u1 +g++=4:12.2.0-3 +gcc-12-base:amd64=12.2.0-14+deb12u1 +gcc-12=12.2.0-14+deb12u1 +gcc=4:12.2.0-3 +gir1.2-freedesktop:amd64=1.74.0-3 +gir1.2-gdkpixbuf-2.0:amd64=2.42.10+dfsg-1+deb12u1 +gir1.2-glib-2.0:amd64=1.74.0-3 +gir1.2-rsvg-2.0:amd64=2.54.7+dfsg-1~deb12u1 +git-man=1:2.39.5-0+deb12u2 +git=1:2.39.5-0+deb12u2 +gnupg-l10n=2.2.40-1.1 +gnupg-utils=2.2.40-1.1 +gnupg=2.2.40-1.1 +gpg-agent=2.2.40-1.1 +gpg-wks-client=2.2.40-1.1 +gpg-wks-server=2.2.40-1.1 +gpg=2.2.40-1.1 +gpgconf=2.2.40-1.1 +gpgsm=2.2.40-1.1 +gpgv=2.2.40-1.1 +grep=3.8-5 +gzip=1.12-1 +hicolor-icon-theme=0.17-2 +hostname=3.23+nmu1 +icu-devtools=72.1-3 +imagemagick-6-common=8:6.9.11.60+dfsg-1.6+deb12u2 +imagemagick-6.q16=8:6.9.11.60+dfsg-1.6+deb12u2 +imagemagick=8:6.9.11.60+dfsg-1.6+deb12u2 +init-system-helpers=1.65.2 +krb5-multidev:amd64=1.20.1-2+deb12u2 +libacl1:amd64=2.3.1-3 +libaom3:amd64=3.6.0-1+deb12u1 +libapr1:amd64=1.7.2-3+deb12u1 +libaprutil1:amd64=1.6.3-1 +libapt-pkg6.0:amd64=2.6.1 +libasan8:amd64=12.2.0-14+deb12u1 +libassuan0:amd64=2.5.5-5 +libatomic1:amd64=12.2.0-14+deb12u1 +libattr1:amd64=1:2.5.1-4 +libaudit-common=1:3.0.9-1 +libaudit1:amd64=1:3.0.9-1 +libbinutils:amd64=2.40-2 +libblkid-dev:amd64=2.38.1-5+deb12u3 +libblkid1:amd64=2.38.1-5+deb12u3 +libbrotli-dev:amd64=1.0.9-2+b6 +libbrotli1:amd64=1.0.9-2+b6 +libbsd0:amd64=0.11.7-2 +libbz2-1.0:amd64=1.0.8-5+b1 +libbz2-dev:amd64=1.0.8-5+b1 +libc-bin=2.36-9+deb12u10 +libc-dev-bin=2.36-9+deb12u10 +libc6-dev:amd64=2.36-9+deb12u10 +libc6:amd64=2.36-9+deb12u10 +libcairo-gobject2:amd64=1.16.0-7 +libcairo-script-interpreter2:amd64=1.16.0-7 +libcairo2-dev:amd64=1.16.0-7 +libcairo2:amd64=1.16.0-7 +libcap-ng0:amd64=0.8.3-1+b3 +libcap2:amd64=1:2.66-4 +libcbor0.8:amd64=0.8.0-2+b1 +libcc1-0:amd64=12.2.0-14+deb12u1 +libclang-14-dev=1:14.0.6-12 +libclang-common-14-dev=1:14.0.6-12 +libclang-cpp14=1:14.0.6-12 +libclang-dev=1:14.0-55.7~deb12u1 +libclang1-14=1:14.0.6-12 +libcom-err2:amd64=1.47.0-2 +libcrypt-dev:amd64=1:4.4.33-2 +libcrypt1:amd64=1:4.4.33-2 +libctf-nobfd0:amd64=2.40-2 +libctf0:amd64=2.40-2 +libcurl3-gnutls:amd64=7.88.1-10+deb12u12 +libcurl4-openssl-dev:amd64=7.88.1-10+deb12u12 +libcurl4:amd64=7.88.1-10+deb12u12 +libdatrie1:amd64=0.2.13-2+b1 +libdav1d6:amd64=1.0.0-2+deb12u1 +libdb-dev:amd64=5.3.2 +libdb5.3-dev=5.3.28+dfsg2-1 +libdb5.3:amd64=5.3.28+dfsg2-1 +libde265-0:amd64=1.0.11-1+deb12u2 +libdebconfclient0:amd64=0.270 +libdeflate-dev:amd64=1.14-1 +libdeflate0:amd64=1.14-1 +libdjvulibre-dev:amd64=3.5.28-2+b1 +libdjvulibre-text=3.5.28-2 +libdjvulibre21:amd64=3.5.28-2+b1 +libdpkg-perl=1.21.22 +libedit2:amd64=3.1-20221030-2 +libelf1:amd64=0.188-2.1 +liberror-perl=0.17029-2 +libevent-2.1-7:amd64=2.1.12-stable-8 +libevent-core-2.1-7:amd64=2.1.12-stable-8 +libevent-dev=2.1.12-stable-8 +libevent-extra-2.1-7:amd64=2.1.12-stable-8 +libevent-openssl-2.1-7:amd64=2.1.12-stable-8 +libevent-pthreads-2.1-7:amd64=2.1.12-stable-8 +libexif-dev:amd64=0.6.24-1+b1 +libexif12:amd64=0.6.24-1+b1 +libexpat1-dev:amd64=2.5.0-1+deb12u1 +libexpat1:amd64=2.5.0-1+deb12u1 +libext2fs2:amd64=1.47.0-2 +libffi-dev:amd64=3.4.4-1 +libffi8:amd64=3.4.4-1 +libfftw3-double3:amd64=3.3.10-1 +libfido2-1:amd64=1.12.0-2+b1 +libfontconfig-dev:amd64=2.14.1-4 +libfontconfig1:amd64=2.14.1-4 +libfreetype-dev:amd64=2.12.1+dfsg-5+deb12u4 +libfreetype6-dev:amd64=2.12.1+dfsg-5+deb12u4 +libfreetype6:amd64=2.12.1+dfsg-5+deb12u4 +libfribidi0:amd64=1.0.8-2.1 +libgc1:amd64=1:8.2.2-3 +libgcc-12-dev:amd64=12.2.0-14+deb12u1 +libgcc-s1:amd64=12.2.0-14+deb12u1 +libgcrypt20:amd64=1.10.1-3 +libgdbm-compat4:amd64=1.23-3 +libgdbm-dev:amd64=1.23-3 +libgdbm6:amd64=1.23-3 +libgdk-pixbuf-2.0-0:amd64=2.42.10+dfsg-1+deb12u1 +libgdk-pixbuf-2.0-dev:amd64=2.42.10+dfsg-1+deb12u1 +libgdk-pixbuf2.0-bin=2.42.10+dfsg-1+deb12u1 +libgdk-pixbuf2.0-common=2.42.10+dfsg-1+deb12u1 +libgirepository-1.0-1:amd64=1.74.0-3 +libglib2.0-0:amd64=2.74.6-2+deb12u5 +libglib2.0-bin=2.74.6-2+deb12u5 +libglib2.0-data=2.74.6-2+deb12u5 +libglib2.0-dev-bin=2.74.6-2+deb12u5 +libglib2.0-dev:amd64=2.74.6-2+deb12u5 +libgmp-dev:amd64=2:6.2.1+dfsg1-1.1 +libgmp10:amd64=2:6.2.1+dfsg1-1.1 +libgmpxx4ldbl:amd64=2:6.2.1+dfsg1-1.1 +libgnutls30:amd64=3.7.9-2+deb12u4 +libgomp1:amd64=12.2.0-14+deb12u1 +libgpg-error0:amd64=1.46-1 +libgprofng0:amd64=2.40-2 +libgraphite2-3:amd64=1.3.14-1 +libgssapi-krb5-2:amd64=1.20.1-2+deb12u2 +libgssrpc4:amd64=1.20.1-2+deb12u2 +libharfbuzz0b:amd64=6.0.0+dfsg-3 +libheif1:amd64=1.15.1-1+deb12u1 +libhogweed6:amd64=3.8.1-2 +libice-dev:amd64=2:1.0.10-1 +libice6:amd64=2:1.0.10-1 +libicu-dev:amd64=72.1-3 +libicu72:amd64=72.1-3 +libidn2-0:amd64=2.3.3-1+b1 +libimath-3-1-29:amd64=3.1.6-1 +libimath-dev:amd64=3.1.6-1 +libisl23:amd64=0.25-1.1 +libitm1:amd64=12.2.0-14+deb12u1 +libjansson4:amd64=2.14-2 +libjbig-dev:amd64=2.1-6.1 +libjbig0:amd64=2.1-6.1 +libjpeg-dev:amd64=1:2.1.5-2 +libjpeg62-turbo-dev:amd64=1:2.1.5-2 +libjpeg62-turbo:amd64=1:2.1.5-2 +libk5crypto3:amd64=1.20.1-2+deb12u2 +libkadm5clnt-mit12:amd64=1.20.1-2+deb12u2 +libkadm5srv-mit12:amd64=1.20.1-2+deb12u2 +libkdb5-10:amd64=1.20.1-2+deb12u2 +libkeyutils1:amd64=1.6.3-2 +libkrb5-3:amd64=1.20.1-2+deb12u2 +libkrb5-dev:amd64=1.20.1-2+deb12u2 +libkrb5support0:amd64=1.20.1-2+deb12u2 +libksba8:amd64=1.6.3-2 +liblcms2-2:amd64=2.14-2 +liblcms2-dev:amd64=2.14-2 +libldap-2.5-0:amd64=2.5.13+dfsg-5 +liblerc-dev:amd64=4.0.0+ds-2 +liblerc4:amd64=4.0.0+ds-2 +libllvm14:amd64=1:14.0.6-12 +liblqr-1-0-dev:amd64=0.4.2-2.1 +liblqr-1-0:amd64=0.4.2-2.1 +liblsan0:amd64=12.2.0-14+deb12u1 +libltdl-dev:amd64=2.4.7-7~deb12u1 +libltdl7:amd64=2.4.7-7~deb12u1 +liblz4-1:amd64=1.9.4-1 +liblzma-dev:amd64=5.4.1-1 +liblzma5:amd64=5.4.1-1 +liblzo2-2:amd64=2.10-2 +libmagic-mgc=1:5.44-3 +libmagic1:amd64=1:5.44-3 +libmagickcore-6-arch-config:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 +libmagickcore-6-headers=8:6.9.11.60+dfsg-1.6+deb12u2 +libmagickcore-6.q16-6-extra:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 +libmagickcore-6.q16-6:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 +libmagickcore-6.q16-dev:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 +libmagickcore-dev=8:6.9.11.60+dfsg-1.6+deb12u2 +libmagickwand-6-headers=8:6.9.11.60+dfsg-1.6+deb12u2 +libmagickwand-6.q16-6:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 +libmagickwand-6.q16-dev:amd64=8:6.9.11.60+dfsg-1.6+deb12u2 +libmagickwand-dev=8:6.9.11.60+dfsg-1.6+deb12u2 +libmariadb-dev-compat=1:10.11.11-0+deb12u1 +libmariadb-dev=1:10.11.11-0+deb12u1 +libmariadb3:amd64=1:10.11.11-0+deb12u1 +libmaxminddb-dev:amd64=1.7.1-1 +libmaxminddb0:amd64=1.7.1-1 +libmd0:amd64=1.0.4-2 +libmount-dev:amd64=2.38.1-5+deb12u3 +libmount1:amd64=2.38.1-5+deb12u3 +libmpc3:amd64=1.3.1-1 +libmpfr6:amd64=4.2.0-1 +libncurses-dev:amd64=6.4-4 +libncurses5-dev:amd64=6.4-4 +libncurses6:amd64=6.4-4 +libncursesw5-dev:amd64=6.4-4 +libncursesw6:amd64=6.4-4 +libnettle8:amd64=3.8.1-2 +libnghttp2-14:amd64=1.52.0-1+deb12u2 +libnpth0:amd64=1.6-3 +libnsl-dev:amd64=1.3.0-2 +libnsl2:amd64=1.3.0-2 +libnuma1:amd64=2.0.16-1 +libobjc-12-dev:amd64=12.2.0-14+deb12u1 +libobjc4:amd64=12.2.0-14+deb12u1 +libopenexr-3-1-30:amd64=3.1.5-5 +libopenexr-dev=3.1.5-5 +libopenjp2-7-dev:amd64=2.5.0-2+deb12u1 +libopenjp2-7:amd64=2.5.0-2+deb12u1 +libp11-kit0:amd64=0.24.1-2 +libpam-modules-bin=1.5.2-6+deb12u1 +libpam-modules:amd64=1.5.2-6+deb12u1 +libpam-runtime=1.5.2-6+deb12u1 +libpam0g:amd64=1.5.2-6+deb12u1 +libpango-1.0-0:amd64=1.50.12+ds-1 +libpangocairo-1.0-0:amd64=1.50.12+ds-1 +libpangoft2-1.0-0:amd64=1.50.12+ds-1 +libpcre2-16-0:amd64=10.42-1 +libpcre2-32-0:amd64=10.42-1 +libpcre2-8-0:amd64=10.42-1 +libpcre2-dev:amd64=10.42-1 +libpcre2-posix3:amd64=10.42-1 +libperl5.36:amd64=5.36.0-7+deb12u2 +libpixman-1-0:amd64=0.42.2-1 +libpixman-1-dev:amd64=0.42.2-1 +libpkgconf3:amd64=1.8.1-1 +libpng-dev:amd64=1.6.39-2 +libpng16-16:amd64=1.6.39-2 +libpq-dev=15.12-0+deb12u2 +libpq5:amd64=15.12-0+deb12u2 +libproc2-0:amd64=2:4.0.2-3 +libprotobuf-dev:amd64=3.21.12-3 +libprotobuf-lite32:amd64=3.21.12-3 +libprotobuf32:amd64=3.21.12-3 +libprotoc32:amd64=3.21.12-3 +libpsl5:amd64=0.21.2-1 +libpthread-stubs0-dev:amd64=0.4-1 +libpython3-stdlib:amd64=3.11.2-1+b1 +libpython3.11-minimal:amd64=3.11.2-6+deb12u5 +libpython3.11-stdlib:amd64=3.11.2-6+deb12u5 +libquadmath0:amd64=12.2.0-14+deb12u1 +libreadline-dev:amd64=8.2-1.3 +libreadline8:amd64=8.2-1.3 +librsvg2-2:amd64=2.54.7+dfsg-1~deb12u1 +librsvg2-common:amd64=2.54.7+dfsg-1~deb12u1 +librsvg2-dev:amd64=2.54.7+dfsg-1~deb12u1 +librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b2 +libsasl2-2:amd64=2.1.28+dfsg-10 +libsasl2-modules-db:amd64=2.1.28+dfsg-10 +libseccomp2:amd64=2.5.4-1+deb12u1 +libselinux1-dev:amd64=3.4-1+b6 +libselinux1:amd64=3.4-1+b6 +libsemanage-common=3.4-1 +libsemanage2:amd64=3.4-1+b5 +libsepol-dev:amd64=3.4-2.1 +libsepol2:amd64=3.4-2.1 +libserf-1-1:amd64=1.3.9-11 +libsm-dev:amd64=2:1.2.3-1 +libsm6:amd64=2:1.2.3-1 +libsmartcols1:amd64=2.38.1-5+deb12u3 +libsqlite3-0:amd64=3.40.1-2+deb12u1 +libsqlite3-dev:amd64=3.40.1-2+deb12u1 +libss2:amd64=1.47.0-2 +libssh2-1:amd64=1.10.0-3+b1 +libssl-dev:amd64=3.0.16-1~deb12u1 +libssl3:amd64=3.0.16-1~deb12u1 +libstdc++-12-dev:amd64=12.2.0-14+deb12u1 +libstdc++6:amd64=12.2.0-14+deb12u1 +libsvn1:amd64=1.14.2-4+deb12u1 +libsystemd0:amd64=252.36-1~deb12u1 +libtasn1-6:amd64=4.19.0-2+deb12u1 +libthai-data=0.1.29-1 +libthai0:amd64=0.1.29-1 +libtiff-dev:amd64=4.5.0-6+deb12u2 +libtiff6:amd64=4.5.0-6+deb12u2 +libtiffxx6:amd64=4.5.0-6+deb12u2 +libtinfo6:amd64=6.4-4 +libtirpc-common=1.3.3+ds-1 +libtirpc-dev:amd64=1.3.3+ds-1 +libtirpc3:amd64=1.3.3+ds-1 +libtool=2.4.7-7~deb12u1 +libtsan2:amd64=12.2.0-14+deb12u1 +libubsan1:amd64=12.2.0-14+deb12u1 +libudev1:amd64=252.36-1~deb12u1 +libunistring2:amd64=1.0-2 +libutf8proc2:amd64=2.8.0-1 +libuuid1:amd64=2.38.1-5+deb12u3 +libwebp-dev:amd64=1.2.4-0.2+deb12u1 +libwebp7:amd64=1.2.4-0.2+deb12u1 +libwebpdemux2:amd64=1.2.4-0.2+deb12u1 +libwebpmux3:amd64=1.2.4-0.2+deb12u1 +libwmf-0.2-7:amd64=0.2.12-5.1 +libwmf-dev=0.2.12-5.1 +libwmflite-0.2-7:amd64=0.2.12-5.1 +libx11-6:amd64=2:1.8.4-2+deb12u2 +libx11-data=2:1.8.4-2+deb12u2 +libx11-dev:amd64=2:1.8.4-2+deb12u2 +libx265-199:amd64=3.5-2+b1 +libxau-dev:amd64=1:1.0.9-1 +libxau6:amd64=1:1.0.9-1 +libxcb-render0-dev:amd64=1.15-1 +libxcb-render0:amd64=1.15-1 +libxcb-shm0-dev:amd64=1.15-1 +libxcb-shm0:amd64=1.15-1 +libxcb1-dev:amd64=1.15-1 +libxcb1:amd64=1.15-1 +libxdmcp-dev:amd64=1:1.1.2-3 +libxdmcp6:amd64=1:1.1.2-3 +libxext-dev:amd64=2:1.3.4-1+b1 +libxext6:amd64=2:1.3.4-1+b1 +libxml2-dev:amd64=2.9.14+dfsg-1.3~deb12u1 +libxml2:amd64=2.9.14+dfsg-1.3~deb12u1 +libxrender-dev:amd64=1:0.9.10-1.1 +libxrender1:amd64=1:0.9.10-1.1 +libxslt1-dev:amd64=1.1.35-1+deb12u1 +libxslt1.1:amd64=1.1.35-1+deb12u1 +libxt-dev:amd64=1:1.2.1-1.1 +libxt6:amd64=1:1.2.1-1.1 +libxxhash0:amd64=0.8.1-1 +libyaml-0-2:amd64=0.2.5-1 +libyaml-dev:amd64=0.2.5-1 +libz3-4:amd64=4.8.12-3.1 +libzstd-dev:amd64=1.5.4+dfsg2-5 +libzstd1:amd64=1.5.4+dfsg2-5 +linux-libc-dev:amd64=6.1.135-1 +llvm-14-linker-tools=1:14.0.6-12 +login=1:4.13+dfsg1-1+b1 +logsave=1.47.0-2 +m4=1.4.19-3 +make=4.3-4.1 +mariadb-common=1:10.11.11-0+deb12u1 +mawk=1.3.4.20200120-3.1 +media-types=10.0.0 +mercurial-common=6.3.2-1+deb12u1 +mercurial=6.3.2-1+deb12u1 +mount=2.38.1-5+deb12u3 +musl-dev:amd64=1.2.3-1 +musl-tools=1.2.3-1 +musl:amd64=1.2.3-1 +mysql-common=5.8+1.1.0 +ncurses-base=6.4-4 +ncurses-bin=6.4-4 +netbase=6.4 +openssh-client=1:9.2p1-2+deb12u5 +openssl=3.0.15-1~deb12u1 +passwd=1:4.13+dfsg1-1+b1 +patch=2.7.6-7 +perl-base=5.36.0-7+deb12u2 +perl-modules-5.36=5.36.0-7+deb12u2 +perl=5.36.0-7+deb12u2 +pinentry-curses=1.2.1-1 +pkg-config:amd64=1.8.1-1 +pkgconf-bin=1.8.1-1 +pkgconf:amd64=1.8.1-1 +procps=2:4.0.2-3 +protobuf-compiler=3.21.12-3 +python3-distutils=3.11.2-3 +python3-lib2to3=3.11.2-3 +python3-minimal=3.11.2-1+b1 +python3.11-minimal=3.11.2-6+deb12u5 +python3.11=3.11.2-6+deb12u5 +python3=3.11.2-1+b1 +readline-common=8.2-1.3 +rpcsvc-proto=1.4.3-1 +sed=4.9-1 +sensible-utils=0.0.17+nmu1 +shared-mime-info=2.2-1 +sq=0.27.0-2+b1 +subversion=1.14.2-4+deb12u1 +sysvinit-utils=3.06-4 +tar=1.34+dfsg-1.2+deb12u1 +tzdata=2025b-0+deb12u1 +ucf=3.0043+nmu1+deb12u1 +unzip=6.0-28 +usr-is-merged=37~deb12u1 +util-linux-extra=2.38.1-5+deb12u3 +util-linux=2.38.1-5+deb12u3 +uuid-dev:amd64=2.38.1-5+deb12u3 +wget=1.21.3-1+deb12u1 +x11-common=1:7.7+23 +x11proto-core-dev=2022.1-1 +x11proto-dev=2022.1-1 +xorg-sgml-doctools=1:1.11-1.1 +xtrans-dev=1.4.0-1 +xz-utils=5.4.1-1 +zlib1g-dev:amd64=1:1.2.13.dfsg-1 +zlib1g:amd64=1:1.2.13.dfsg-1 diff --git a/verifier/builder/shared/config-qemu.sh b/verifier/builder/shared/config-qemu.sh new file mode 100755 index 00000000..94174a58 --- /dev/null +++ b/verifier/builder/shared/config-qemu.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: © 2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +BUILD_DIR="$1" +PREFIX="$2" +if [ -z "$BUILD_DIR" ]; then + echo "Usage: $0 " + exit 1 +fi + +mkdir -p "$BUILD_DIR" +cd "$BUILD_DIR" + +export SOURCE_DATE_EPOCH=$(git -C .. log -1 --pretty=%ct) +export CFLAGS="-DDUMP_ACPI_TABLES -Wno-builtin-macro-redefined -D__DATE__=\"\" -D__TIME__=\"\" -D__TIMESTAMP__=\"\"" +export LDFLAGS="-Wl,--build-id=none" + +../configure \ + --prefix="$PREFIX" \ + --target-list=x86_64-softmmu \ + --disable-werror + +echo "" +echo "Build configured for reproducibility in $BUILD_DIR" +echo "To build, run: cd $BUILD_DIR && make" diff --git a/verifier/builder/shared/pin-packages.sh b/verifier/builder/shared/pin-packages.sh new file mode 100755 index 00000000..5aa8ba4a --- /dev/null +++ b/verifier/builder/shared/pin-packages.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: © 2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +set -e +PKG_LIST=$1 + +echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20250626T204007Z bookworm main' > /etc/apt/sources.list +echo 'deb [check-valid-until=no] https://snapshot.debian.org/archive/debian-security/20250626T204007Z bookworm-security main' >> /etc/apt/sources.list +echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/10no-check-valid-until + +mkdir -p /etc/apt/preferences.d +while IFS= read -r line; do + pkg=$(echo "$line" | cut -d= -f1) + ver=$(echo "$line" | cut -d= -f2) + if [ -n "$pkg" ] && [ -n "$ver" ]; then + printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$pkg" "$ver" >> /etc/apt/preferences.d/pinned-packages + fi +done < "$PKG_LIST" diff --git a/verifier/builder/shared/pinned-packages.txt b/verifier/builder/shared/pinned-packages.txt new file mode 100644 index 00000000..409c097c --- /dev/null +++ b/verifier/builder/shared/pinned-packages.txt @@ -0,0 +1,108 @@ +adduser=3.134 +apt=2.6.1 +base-files=12.4+deb12u11 +base-passwd=3.6.1 +bash=5.2.15-2+b8 +bsdutils=1:2.38.1-5+deb12u3 +ca-certificates=20230311+deb12u1 +coreutils=9.1-1 +curl=7.88.1-10+deb12u14 +dash=0.5.12-2 +debconf=1.5.82 +debian-archive-keyring=2023.3+deb12u2 +debianutils=5.7-0.5~deb12u1 +diffutils=1:3.8-4 +dpkg=1.21.22 +e2fsprogs=1.47.0-2 +findutils=4.9.0-4 +gcc-12-base:amd64=12.2.0-14+deb12u1 +gpgv=2.2.40-1.1 +grep=3.8-5 +gzip=1.12-1 +hostname=3.23+nmu1 +init-system-helpers=1.65.2 +libacl1:amd64=2.3.1-3 +libapt-pkg6.0:amd64=2.6.1 +libattr1:amd64=1:2.5.1-4 +libaudit-common=1:3.0.9-1 +libaudit1:amd64=1:3.0.9-1 +libblkid1:amd64=2.38.1-5+deb12u3 +libbrotli1:amd64=1.0.9-2+b6 +libbz2-1.0:amd64=1.0.8-5+b1 +libc-bin=2.36-9+deb12u10 +libc6:amd64=2.36-9+deb12u10 +libcap-ng0:amd64=0.8.3-1+b3 +libcap2:amd64=1:2.66-4+deb12u1 +libcom-err2:amd64=1.47.0-2 +libcrypt1:amd64=1:4.4.33-2 +libcurl4:amd64=7.88.1-10+deb12u14 +libdb5.3:amd64=5.3.28+dfsg2-1 +libdebconfclient0:amd64=0.270 +libext2fs2:amd64=1.47.0-2 +libffi8:amd64=3.4.4-1 +libgcc-s1:amd64=12.2.0-14+deb12u1 +libgcrypt20:amd64=1.10.1-3 +libglib2.0-0:amd64=2.74.6-2+deb12u7 +libgmp10:amd64=2:6.2.1+dfsg1-1.1 +libgnutls30:amd64=3.7.9-2+deb12u4 +libgpg-error0:amd64=1.46-1 +libgssapi-krb5-2:amd64=1.20.1-2+deb12u4 +libhogweed6:amd64=3.8.1-2 +libidn2-0:amd64=2.3.3-1+b1 +libk5crypto3:amd64=1.20.1-2+deb12u4 +libkeyutils1:amd64=1.6.3-2 +libkrb5-3:amd64=1.20.1-2+deb12u4 +libkrb5support0:amd64=1.20.1-2+deb12u4 +libldap-2.5-0:amd64=2.5.13+dfsg-5 +liblz4-1:amd64=1.9.4-1 +liblzma5:amd64=5.4.1-1 +libmd0:amd64=1.0.4-2 +libmount1:amd64=2.38.1-5+deb12u3 +libnettle8:amd64=3.8.1-2 +libnghttp2-14:amd64=1.52.0-1+deb12u2 +libp11-kit0:amd64=0.24.1-2 +libpam-modules-bin=1.5.2-6+deb12u1 +libpam-modules:amd64=1.5.2-6+deb12u1 +libpam-runtime=1.5.2-6+deb12u1 +libpam0g:amd64=1.5.2-6+deb12u1 +libpcre2-8-0:amd64=10.42-1 +libpsl5:amd64=0.21.2-1 +librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b2 +libsasl2-2:amd64=2.1.28+dfsg-10 +libsasl2-modules-db:amd64=2.1.28+dfsg-10 +libseccomp2:amd64=2.5.4-1+deb12u1 +libselinux1:amd64=3.4-1+b6 +libsemanage-common=3.4-1 +libsemanage2:amd64=3.4-1+b5 +libsepol2:amd64=3.4-2.1 +libslirp0:amd64=4.7.0-1 +libsmartcols1:amd64=2.38.1-5+deb12u3 +libss2:amd64=1.47.0-2 +libssh2-1:amd64=1.10.0-3+b1 +libssl3:amd64=3.0.17-1~deb12u2 +libstdc++6:amd64=12.2.0-14+deb12u1 +libsystemd0:amd64=252.38-1~deb12u1 +libtasn1-6:amd64=4.19.0-2+deb12u1 +libtinfo6:amd64=6.4-4 +libudev1:amd64=252.38-1~deb12u1 +libunistring2:amd64=1.0-2 +libuuid1:amd64=2.38.1-5+deb12u3 +libxxhash0:amd64=0.8.1-1 +libzstd1:amd64=1.5.4+dfsg2-5 +login=1:4.13+dfsg1-1+deb12u1 +logsave=1.47.0-2 +mawk=1.3.4.20200120-3.1 +mount=2.38.1-5+deb12u3 +ncurses-base=6.4-4 +ncurses-bin=6.4-4 +openssl=3.0.17-1~deb12u2 +passwd=1:4.13+dfsg1-1+deb12u1 +perl-base=5.36.0-7+deb12u2 +sed=4.9-1 +sysvinit-utils=3.06-4 +tar=1.34+dfsg-1.2+deb12u1 +tzdata=2025b-0+deb12u1 +usr-is-merged=37~deb12u1 +util-linux-extra=2.38.1-5+deb12u3 +util-linux=2.38.1-5+deb12u3 +zlib1g:amd64=1:1.2.13.dfsg-1 diff --git a/verifier/builder/shared/qemu-pinned-packages.txt b/verifier/builder/shared/qemu-pinned-packages.txt new file mode 100644 index 00000000..1ae0d6b9 --- /dev/null +++ b/verifier/builder/shared/qemu-pinned-packages.txt @@ -0,0 +1,236 @@ +adduser=3.134 +apt=2.6.1 +base-files=12.4+deb12u11 +base-passwd=3.6.1 +bash=5.2.15-2+b8 +binutils-common:amd64=2.40-2 +binutils-x86-64-linux-gnu=2.40-2 +binutils=2.40-2 +bison=2:3.8.2+dfsg-1+b1 +bsdutils=1:2.38.1-5+deb12u3 +build-essential=12.9 +bzip2=1.0.8-5+b1 +ca-certificates=20230311+deb12u1 +coreutils=9.1-1 +cpp-12=12.2.0-14+deb12u1 +cpp=4:12.2.0-3 +dash=0.5.12-2 +debconf=1.5.82 +debian-archive-keyring=2023.3+deb12u2 +debianutils=5.7-0.5~deb12u1 +diffutils=1:3.8-4 +docutils-common=0.19+dfsg-6 +dpkg-dev=1.21.22 +dpkg=1.21.22 +e2fsprogs=1.47.0-2 +findutils=4.9.0-4 +flex=2.6.4-8.2 +fonts-font-awesome=5.0.10+really4.7.0~dfsg-4.1 +fonts-lato=2.0-2.1 +g++-12=12.2.0-14+deb12u1 +g++=4:12.2.0-3 +gcc-12-base:amd64=12.2.0-14+deb12u1 +gcc-12=12.2.0-14+deb12u1 +gcc=4:12.2.0-3 +git-man=1:2.39.5-0+deb12u2 +git=1:2.39.5-0+deb12u2 +gpgv=2.2.40-1.1 +grep=3.8-5 +gzip=1.12-1 +hostname=3.23+nmu1 +init-system-helpers=1.65.2 +libacl1:amd64=2.3.1-3 +libapt-pkg6.0:amd64=2.6.1 +libasan8:amd64=12.2.0-14+deb12u1 +libatomic1:amd64=12.2.0-14+deb12u1 +libattr1:amd64=1:2.5.1-4 +libaudit-common=1:3.0.9-1 +libaudit1:amd64=1:3.0.9-1 +libbinutils:amd64=2.40-2 +libblkid-dev:amd64=2.38.1-5+deb12u3 +libblkid1:amd64=2.38.1-5+deb12u3 +libbrotli1:amd64=1.0.9-2+b6 +libbz2-1.0:amd64=1.0.8-5+b1 +libc-bin=2.36-9+deb12u10 +libc-dev-bin=2.36-9+deb12u13 +libc6-dev:amd64=2.36-9+deb12u13 +libc6:amd64=2.36-9+deb12u13 +libcap-ng0:amd64=0.8.3-1+b3 +libcap2:amd64=1:2.66-4+deb12u1 +libcc1-0:amd64=12.2.0-14+deb12u1 +libcom-err2:amd64=1.47.0-2 +libcrypt-dev:amd64=1:4.4.33-2 +libcrypt1:amd64=1:4.4.33-2 +libctf-nobfd0:amd64=2.40-2 +libctf0:amd64=2.40-2 +libcurl3-gnutls:amd64=7.88.1-10+deb12u14 +libdb5.3:amd64=5.3.28+dfsg2-1 +libdebconfclient0:amd64=0.270 +libdpkg-perl=1.21.22 +libelf1:amd64=0.188-2.1 +liberror-perl=0.17029-2 +libexpat1:amd64=2.5.0-1+deb12u1 +libext2fs2:amd64=1.47.0-2 +libffi-dev:amd64=3.4.4-1 +libffi8:amd64=3.4.4-1 +libgcc-12-dev:amd64=12.2.0-14+deb12u1 +libgcc-s1:amd64=12.2.0-14+deb12u1 +libgcrypt20:amd64=1.10.1-3 +libgdbm-compat4:amd64=1.23-3 +libgdbm6:amd64=1.23-3 +libglib2.0-0:amd64=2.74.6-2+deb12u7 +libglib2.0-bin=2.74.6-2+deb12u7 +libglib2.0-data=2.74.6-2+deb12u7 +libglib2.0-dev-bin=2.74.6-2+deb12u7 +libglib2.0-dev:amd64=2.74.6-2+deb12u7 +libgmp10:amd64=2:6.2.1+dfsg1-1.1 +libgnutls30:amd64=3.7.9-2+deb12u4 +libgomp1:amd64=12.2.0-14+deb12u1 +libgpg-error0:amd64=1.46-1 +libgprofng0:amd64=2.40-2 +libgssapi-krb5-2:amd64=1.20.1-2+deb12u4 +libhogweed6:amd64=3.8.1-2 +libidn2-0:amd64=2.3.3-1+b1 +libisl23:amd64=0.25-1.1 +libitm1:amd64=12.2.0-14+deb12u1 +libjansson4:amd64=2.14-2 +libjs-jquery=3.6.1+dfsg+~3.5.14-1 +libjs-sphinxdoc=5.3.0-4 +libjs-underscore=1.13.4~dfsg+~1.11.4-3 +libjson-perl=4.10000-1 +libk5crypto3:amd64=1.20.1-2+deb12u4 +libkeyutils1:amd64=1.6.3-2 +libkrb5-3:amd64=1.20.1-2+deb12u4 +libkrb5support0:amd64=1.20.1-2+deb12u4 +libldap-2.5-0:amd64=2.5.13+dfsg-5 +liblsan0:amd64=12.2.0-14+deb12u1 +liblz4-1:amd64=1.9.4-1 +liblzma5:amd64=5.4.1-1 +libmd0:amd64=1.0.4-2 +libmount-dev:amd64=2.38.1-5+deb12u3 +libmount1:amd64=2.38.1-5+deb12u3 +libmpc3:amd64=1.3.1-1 +libmpfr6:amd64=4.2.0-1 +libncursesw6:amd64=6.4-4 +libnettle8:amd64=3.8.1-2 +libnghttp2-14:amd64=1.52.0-1+deb12u2 +libnsl-dev:amd64=1.3.0-2 +libnsl2:amd64=1.3.0-2 +libp11-kit0:amd64=0.24.1-2 +libpam-modules-bin=1.5.2-6+deb12u1 +libpam-modules:amd64=1.5.2-6+deb12u1 +libpam-runtime=1.5.2-6+deb12u1 +libpam0g:amd64=1.5.2-6+deb12u1 +libpcre2-16-0:amd64=10.42-1 +libpcre2-32-0:amd64=10.42-1 +libpcre2-8-0:amd64=10.42-1 +libpcre2-dev:amd64=10.42-1 +libpcre2-posix3:amd64=10.42-1 +libperl5.36:amd64=5.36.0-7+deb12u2 +libpkgconf3:amd64=1.8.1-1 +libpsl5:amd64=0.21.2-1 +libpython3-stdlib:amd64=3.11.2-1+b1 +libpython3.11-minimal:amd64=3.11.2-6+deb12u6 +libpython3.11-stdlib:amd64=3.11.2-6+deb12u6 +libquadmath0:amd64=12.2.0-14+deb12u1 +libreadline8:amd64=8.2-1.3 +librtmp1:amd64=2.4+20151223.gitfa8646d.1-2+b2 +libsasl2-2:amd64=2.1.28+dfsg-10 +libsasl2-modules-db:amd64=2.1.28+dfsg-10 +libseccomp2:amd64=2.5.4-1+deb12u1 +libselinux1-dev:amd64=3.4-1+b6 +libselinux1:amd64=3.4-1+b6 +libsemanage-common=3.4-1 +libsemanage2:amd64=3.4-1+b5 +libsepol-dev:amd64=3.4-2.1 +libsepol2:amd64=3.4-2.1 +libslirp-dev:amd64=4.7.0-1 +libslirp0:amd64=4.7.0-1 +libsmartcols1:amd64=2.38.1-5+deb12u3 +libsqlite3-0:amd64=3.40.1-2+deb12u2 +libss2:amd64=1.47.0-2 +libssh2-1:amd64=1.10.0-3+b1 +libssl3:amd64=3.0.17-1~deb12u2 +libstdc++-12-dev:amd64=12.2.0-14+deb12u1 +libstdc++6:amd64=12.2.0-14+deb12u1 +libsystemd0:amd64=252.38-1~deb12u1 +libtasn1-6:amd64=4.19.0-2+deb12u1 +libtinfo6:amd64=6.4-4 +libtirpc-common=1.3.3+ds-1 +libtirpc-dev:amd64=1.3.3+ds-1 +libtirpc3:amd64=1.3.3+ds-1 +libtsan2:amd64=12.2.0-14+deb12u1 +libubsan1:amd64=12.2.0-14+deb12u1 +libudev1:amd64=252.38-1~deb12u1 +libunistring2:amd64=1.0-2 +libuuid1:amd64=2.38.1-5+deb12u3 +libxxhash0:amd64=0.8.1-1 +libzstd1:amd64=1.5.4+dfsg2-5 +linux-libc-dev:amd64=6.1.148-1 +login=1:4.13+dfsg1-1+deb12u1 +logsave=1.47.0-2 +m4=1.4.19-3 +make=4.3-4.1 +mawk=1.3.4.20200120-3.1 +media-types=10.0.0 +mount=2.38.1-5+deb12u3 +ncurses-base=6.4-4 +ncurses-bin=6.4-4 +ninja-build=1.11.1-2~deb12u1 +openssl=3.0.17-1~deb12u2 +passwd=1:4.13+dfsg1-1+deb12u1 +patch=2.7.6-7 +perl-base=5.36.0-7+deb12u2 +perl-modules-5.36=5.36.0-7+deb12u2 +perl=5.36.0-7+deb12u2 +pkg-config:amd64=1.8.1-1 +pkgconf-bin=1.8.1-1 +pkgconf:amd64=1.8.1-1 +python-babel-localedata=2.10.3-1 +python3-alabaster=0.7.12-1 +python3-babel=2.10.3-1 +python3-certifi=2022.9.24-1 +python3-chardet=5.1.0+dfsg-2 +python3-charset-normalizer=3.0.1-2 +python3-distutils=3.11.2-3 +python3-docutils=0.19+dfsg-6 +python3-idna=3.3-1+deb12u1 +python3-imagesize=1.4.1-1 +python3-jinja2=3.1.2-1+deb12u3 +python3-lib2to3=3.11.2-3 +python3-markupsafe=2.1.2-1+b1 +python3-minimal=3.11.2-1+b1 +python3-packaging=23.0-1 +python3-pip=23.0.1+dfsg-1 +python3-pkg-resources=66.1.1-1+deb12u2 +python3-pygments=2.14.0+dfsg-1 +python3-requests=2.28.1+dfsg-1 +python3-roman=3.3-3 +python3-setuptools=66.1.1-1+deb12u2 +python3-six=1.16.0-4 +python3-snowballstemmer=2.2.0-2 +python3-sphinx-rtd-theme=1.2.0+dfsg-1 +python3-sphinx=5.3.0-4 +python3-tz=2022.7.1-4 +python3-urllib3=1.26.12-1+deb12u1 +python3-wheel=0.38.4-2 +python3.11-minimal=3.11.2-6+deb12u6 +python3.11=3.11.2-6+deb12u6 +python3=3.11.2-1+b1 +readline-common=8.2-1.3 +rpcsvc-proto=1.4.3-1 +sed=4.9-1 +sgml-base=1.31 +sphinx-common=5.3.0-4 +sphinx-rtd-theme-common=1.2.0+dfsg-1 +sysvinit-utils=3.06-4 +tar=1.34+dfsg-1.2+deb12u1 +tzdata=2025b-0+deb12u1 +usr-is-merged=37~deb12u1 +util-linux-extra=2.38.1-5+deb12u3 +util-linux=2.38.1-5+deb12u3 +uuid-dev:amd64=2.38.1-5+deb12u3 +xml-core=0.18+nmu1 +xz-utils=5.4.1-1 +zlib1g-dev:amd64=1:1.2.13.dfsg-1 +zlib1g:amd64=1:1.2.13.dfsg-1 diff --git a/verifier/dstack-verifier.toml b/verifier/dstack-verifier.toml new file mode 100644 index 00000000..c53b5351 --- /dev/null +++ b/verifier/dstack-verifier.toml @@ -0,0 +1,19 @@ +# SPDX-FileCopyrightText: © 2024-2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +# Server configuration +address = "0.0.0.0" +port = 8080 + +# Image cache directory for OS image verification +image_cache_dir = "/tmp/dstack-verifier/cache" + +# Image download URL template (replace {OS_IMAGE_HASH} with actual hash) +image_download_url = "https://dstack-images.phala.network/mr_{OS_IMAGE_HASH}.tar.gz" + +# Image download timeout in seconds +image_download_timeout_secs = 300 + +# Optional PCCS URL for quote verification +# pccs_url = "https://pccs.phala.network" \ No newline at end of file diff --git a/verifier/fixtures/quote-report.json b/verifier/fixtures/quote-report.json new file mode 100644 index 00000000..93624477 --- /dev/null +++ b/verifier/fixtures/quote-report.json @@ -0,0 +1 @@ +{"quote":"040002008100000000000000939a7233f79c4ca9940a0db3957f06071eadadc7f30fb7f911d24aa522afc590000000000b0104000000000000000000000000007bf063280e94fb051f5dd7b1fc59ce9aac42bb961df8d44b709c9b0ff87a7b4df648657ba6d1189589feab1d5a3c9a9d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000e702060000000000b24d3b24e9e3c16012376b52362ca09856c4adecb709d5fac33addf1c47e193da075b125b6c364115771390a5461e2170000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e3843265f8ecdd4e2282694747f6f2f111605c33f2a8882f5734ee6f3a6ce63d8f34aeef06093dcda76fa5f9d33d8d6a1b79d76021970f57c45c4a7c395f780bab37011a4df27fe44e8559bd1abb4d6e52f12f866d1d08405448eb797a5970f1e31b59d605df7ee8160cf7966be9bafa6d0e1905de7e09695a24cd9748e71a603a51fae1297619fa0c30517addbcd070f787c3877f3e95095d5a4d13dd0fe0233803b30120d8469866719dc28f519ce021fe1e53459121e7a5a4443147185a812340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000cc100000aa59a2ab97a78a0401ffc862efb76aa25eb7921915c96f1e284737ac287c30e9a2eeddd04176329c840ab282c0347659cf19681d8c205cec2185e9fa40b673002982655d89dbd3867e7370e8b1b27bbae5eb5f24dfaceea8a2ff9ad71161930c379cef3c7360ef97468031741483798585c1befb2f1d9827d2eb7a22299a01270600461000000404191b04ff0006000000000000000000000000000000000000000000000000000000000000000000000000000000001500000000000000e700000000000000e5a3a7b5d830c2953b98534c6c59a3a34fdc34e933f7f5898f0a85cf08846bca0000000000000000000000000000000000000000000000000000000000000000dc9e2a7c6f948f17474e34a7fc43ed030f7c1563f1babddf6340c82e0e54a8c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020006000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005be61ea67e69e2411dd59d258969727c5cd13f082b59b3dcc4721e2f7c3b7a4e0000000000000000000000000000000000000000000000000000000000000000a7d05873f18690a9dfa580c695e1c0bd4dde53423bbbed02ed798b8d8b0a727dc92cf12582189873197ef784fd97cd44feb2fee19d388bc5be0abf4231586ba72000000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f05005e0e00002d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d49494538544343424a65674177494241674956414c7142567a73712f787369354e387578426f59356c3641515a31444d416f4743437147534d343942414d430a4d484178496a416742674e5642414d4d47556c756447567349464e4857434251513073675547786864475a76636d306751304578476a415942674e5642416f4d0a45556c756447567349454e76636e4276636d4630615739754d5251774567594456515148444174545957353059534244624746795954454c4d416b47413155450a4341774351304578437a414a42674e5642415954416c56544d423458445449314d446b784e6a41794d6a67784e566f5844544d794d446b784e6a41794d6a67780a4e566f77634445694d434147413155454177775a535735305a5777675530645949464244537942445a584a3061575a70593246305a5445614d426747413155450a43677752535735305a577767513239796347397959585270623234784644415342674e564241634d43314e68626e526849454e7359584a684d517377435159440a5651514944414a445154454c4d416b474131554542684d4356564d775754415442676371686b6a4f5051494242676771686b6a4f50514d4242774e43414151380a39455a4b755278457952677a5a5873542b3079304346342b31683453582f6a54554c644f6771637275466b5033354750346562383634517361797779345877440a42755a65434b664569484e57356f3431353959646f3449444444434341776777487759445652306a42426777466f41556c5739647a62306234656c4153636e550a3944504f4156634c336c5177617759445652306642475177596a42676f46366758495a616148523063484d364c79396863476b7564484a316333526c5a484e6c0a636e5a705932567a4c6d6c75644756734c6d4e766253397a5a3367765932567964476c6d61574e6864476c76626939324e4339775932746a636d772f593245390a6347786864475a76636d306d5a57356a62325270626d63395a4756794d42304741315564446751574242525a63752f70597452454655736837726857544952750a2b446974786a414f42674e56485138424166384542414d434273417744415944565230544151482f4241497741444343416a6b4743537147534962345451454e0a4151534341696f776767496d4d42344743697147534962345451454e4151454545496c395072647571496533672f6d7450516478413073776767466a42676f710a686b69472b453042445145434d494942557a415142677371686b69472b45304244514543415149424244415142677371686b69472b45304244514543416749420a4244415142677371686b69472b4530424451454341774942416a415142677371686b69472b4530424451454342414942416a415142677371686b69472b4530420a44514543425149424244415142677371686b69472b45304244514543426749424154415142677371686b69472b453042445145434277494241444151426773710a686b69472b45304244514543434149424254415142677371686b69472b45304244514543435149424144415142677371686b69472b45304244514543436749420a4144415142677371686b69472b45304244514543437749424144415142677371686b69472b45304244514543444149424144415142677371686b69472b4530420a44514543445149424144415142677371686b69472b45304244514543446749424144415142677371686b69472b453042445145434477494241444151426773710a686b69472b45304244514543454149424144415142677371686b69472b45304244514543455149424454416642677371686b69472b45304244514543456751510a42415143416751424141554141414141414141414144415142676f71686b69472b45304244514544424149414144415542676f71686b69472b453042445145450a4241615177473841414141774477594b4b6f5a496876684e4151304242516f424154416542676f71686b69472b45304244514547424243764f3535314c75626a0a2b49363352564e713558734e4d45514743697147534962345451454e415163774e6a415142677371686b69472b45304244514548415145422f7a4151426773710a686b69472b45304244514548416745422f7a415142677371686b69472b45304244514548417745422f7a414b42676771686b6a4f5051514441674e49414442460a41694541366748457a39306f4c30362b4c6f414442307261326f587943333453504c4d6e35434e473569783862303043494131304d37796f79537a6a755178440a75617a6f505048722f745862432f64762b6b384362314175656b4a650a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d4949436c6a4343416a32674177494241674956414a567658633239472b487051456e4a3150517a7a674658433935554d416f4743437147534d343942414d430a4d476778476a415942674e5642414d4d45556c756447567349464e48574342536232393049454e424d526f77474159445651514b4442464a626e526c624342440a62334a7762334a6864476c76626a45554d424947413155454277774c553246756447456751327868636d4578437a414a42674e564241674d416b4e424d5173770a435159445651514745774a56557a4165467730784f4441314d6a45784d4455774d5442614677307a4d7a41314d6a45784d4455774d5442614d484178496a41670a42674e5642414d4d47556c756447567349464e4857434251513073675547786864475a76636d306751304578476a415942674e5642416f4d45556c75644756730a49454e76636e4276636d4630615739754d5251774567594456515148444174545957353059534244624746795954454c4d416b474131554543417743513045780a437a414a42674e5642415954416c56544d466b77457759484b6f5a497a6a3043415159494b6f5a497a6a304441516344516741454e53422f377432316c58534f0a3243757a7078773734654a423732457944476757357258437478327456544c7136684b6b367a2b5569525a436e71523770734f766771466553786c6d546c4a6c0a65546d693257597a33714f42757a43427544416642674e5648534d4547444157674251695a517a575770303069664f44744a5653763141624f536347724442530a42674e5648523845537a424a4d45656752614244686b466f64485277637a6f764c324e6c636e52705a6d6c6a5958526c63793530636e567a6447566b633256790a646d6c6a5a584d75615735305a577775593239744c306c756447567355306459556d397664454e424c6d526c636a416442674e5648513445466751556c5739640a7a62306234656c4153636e553944504f4156634c336c517744675944565230504151482f42415144416745474d42494741315564457745422f7751494d4159420a4166384341514177436759494b6f5a497a6a30454177494452774177524149675873566b6930772b6936565947573355462f32327561586530594a446a3155650a6e412b546a44316169356343494359623153416d4435786b66545670766f34556f79695359787244574c6d5552344349394e4b7966504e2b0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d4949436a7a4343416a53674177494241674955496d554d316c71644e496e7a6737535655723951477a6b6e42717777436759494b6f5a497a6a3045417749770a614445614d4267474131554541777752535735305a5777675530645949464a766233516751304578476a415942674e5642416f4d45556c756447567349454e760a636e4276636d4630615739754d5251774567594456515148444174545957353059534244624746795954454c4d416b47413155454341774351304578437a414a0a42674e5642415954416c56544d423458445445344d4455794d5445774e4455784d466f58445451354d54497a4d54497a4e546b314f566f77614445614d4267470a4131554541777752535735305a5777675530645949464a766233516751304578476a415942674e5642416f4d45556c756447567349454e76636e4276636d46300a615739754d5251774567594456515148444174545957353059534244624746795954454c4d416b47413155454341774351304578437a414a42674e56424159540a416c56544d466b77457759484b6f5a497a6a3043415159494b6f5a497a6a3044415163445167414543366e45774d4449595a4f6a2f69505773437a61454b69370a314f694f534c52466857476a626e42564a66566e6b59347533496a6b4459594c304d784f346d717379596a6c42616c54565978465032734a424b357a6c4b4f420a757a43427544416642674e5648534d4547444157674251695a517a575770303069664f44744a5653763141624f5363477244425342674e5648523845537a424a0a4d45656752614244686b466f64485277637a6f764c324e6c636e52705a6d6c6a5958526c63793530636e567a6447566b63325679646d6c6a5a584d75615735300a5a577775593239744c306c756447567355306459556d397664454e424c6d526c636a416442674e564851344546675155496d554d316c71644e496e7a673753560a55723951477a6b6e4271777744675944565230504151482f42415144416745474d42494741315564457745422f7751494d4159424166384341514577436759490a4b6f5a497a6a3045417749445351417752674968414f572f35516b522b533943695344634e6f6f774c7550524c735747662f59693747535839344267775477670a41694541344a306c72486f4d732b586f356f2f7358364f39515778485241765a55474f6452513763767152586171493d0a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","event_log":"[{\"imr\":0,\"event_type\":2147483659,\"digest\":\"8ae1e425351df7992c444586eff99d35af3b779aa2b0e981cb4b73bc5b279f2ade19b6a62a203fc3c3bbdaae80af596d\",\"event\":\"\",\"event_payload\":\"095464785461626c65000100000000000000af96bb93f2b9b84e9462e0ba745642360090800000000000\"},{\"imr\":0,\"event_type\":2147483658,\"digest\":\"344bc51c980ba621aaa00da3ed7436f7d6e549197dfe699515dfa2c6583d95e6412af21c097d473155875ffd561d6790\",\"event\":\"\",\"event_payload\":\"2946762858585858585858582d585858582d585858582d585858582d58585858585858585858585829000000c0ff000000000040080000000000\"},{\"imr\":0,\"event_type\":2147483649,\"digest\":\"9dc3a1f80bcec915391dcda5ffbb15e7419f77eab462bbf72b42166fb70d50325e37b36f93537a863769bcf9bedae6fb\",\"event\":\"\",\"event_payload\":\"61dfe48bca93d211aa0d00e098032b8c0a00000000000000000000000000000053006500630075007200650042006f006f007400\"},{\"imr\":0,\"event_type\":2147483649,\"digest\":\"6f2e3cbc14f9def86980f5f66fd85e99d63e69a73014ed8a5633ce56eca5b64b692108c56110e22acadcef58c3250f1b\",\"event\":\"\",\"event_payload\":\"61dfe48bca93d211aa0d00e098032b8c0200000000000000000000000000000050004b00\"},{\"imr\":0,\"event_type\":2147483649,\"digest\":\"d607c0efb41c0d757d69bca0615c3a9ac0b1db06c557d992e906c6b7dee40e0e031640c7bfd7bcd35844ef9edeadc6f9\",\"event\":\"\",\"event_payload\":\"61dfe48bca93d211aa0d00e098032b8c030000000000000000000000000000004b0045004b00\"},{\"imr\":0,\"event_type\":2147483649,\"digest\":\"08a74f8963b337acb6c93682f934496373679dd26af1089cb4eaf0c30cf260a12e814856385ab8843e56a9acea19e127\",\"event\":\"\",\"event_payload\":\"cbb219d73a3d9645a3bcdad00e67656f0200000000000000000000000000000064006200\"},{\"imr\":0,\"event_type\":2147483649,\"digest\":\"18cc6e01f0c6ea99aa23f8a280423e94ad81d96d0aeb5180504fc0f7a40cb3619dd39bd6a95ec1680a86ed6ab0f9828d\",\"event\":\"\",\"event_payload\":\"cbb219d73a3d9645a3bcdad00e67656f03000000000000000000000000000000640062007800\"},{\"imr\":0,\"event_type\":4,\"digest\":\"394341b7182cd227c5c6b07ef8000cdfd86136c4292b8e576573ad7ed9ae41019f5818b4b971c9effc60e1ad9f1289f0\",\"event\":\"\",\"event_payload\":\"00000000\"},{\"imr\":0,\"event_type\":10,\"digest\":\"2065dd48d647e4377db277ba203526901a17845e93e0df4c2dfc3ce136e0910324ead1e1c86b8d90c2acdf9c85ffac53\",\"event\":\"\",\"event_payload\":\"414350492044415441\"},{\"imr\":0,\"event_type\":10,\"digest\":\"772b0169c66b52e4453fff9e3c6257635ea950ebcc8edd7ef2e2f8241cf6a155f39df01a7c7a194b6bc0abe5de11861d\",\"event\":\"\",\"event_payload\":\"414350492044415441\"},{\"imr\":0,\"event_type\":10,\"digest\":\"abfb2256644b5786eefdcb92303d2008c36cb9500d98997e215ef5080745d4bf2e5b3629090918e193e7f05b173d48c5\",\"event\":\"\",\"event_payload\":\"414350492044415441\"},{\"imr\":1,\"event_type\":2147483651,\"digest\":\"0761fbfa317a42d8edbe9e404178d102adc059cface98c5e07d1d535371c145c3497fd2a19b8398568b8c8a6f95e0a86\",\"event\":\"\",\"event_payload\":\"18400d7b0000000000d47d000000000000000000000000002a000000000000000403140072f728144ab61e44b8c39ebdd7f893c7040412006b00650072006e0065006c0000007fff0400\"},{\"imr\":0,\"event_type\":2147483650,\"digest\":\"1dd6f7b457ad880d840d41c961283bab688e94e4b59359ea45686581e90feccea3c624b1226113f824f315eb60ae0a7c\",\"event\":\"\",\"event_payload\":\"61dfe48bca93d211aa0d00e098032b8c0900000000000000020000000000000042006f006f0074004f0072006400650072000000\"},{\"imr\":0,\"event_type\":2147483650,\"digest\":\"23ada07f5261f12f34a0bd8e46760962d6b4d576a416f1fea1c64bc656b1d28eacf7047ae6e967c58fd2a98bfa74c298\",\"event\":\"\",\"event_payload\":\"61dfe48bca93d211aa0d00e098032b8c08000000000000003e0000000000000042006f006f0074003000300030003000090100002c0055006900410070007000000004071400c9bdb87cebf8344faaea3ee4af6516a10406140021aa2c4614760345836e8ab6f46623317fff0400\"},{\"imr\":1,\"event_type\":2147483655,\"digest\":\"77a0dab2312b4e1e57a84d865a21e5b2ee8d677a21012ada819d0a98988078d3d740f6346bfe0abaa938ca20439a8d71\",\"event\":\"\",\"event_payload\":\"43616c6c696e6720454649204170706c69636174696f6e2066726f6d20426f6f74204f7074696f6e\"},{\"imr\":1,\"event_type\":4,\"digest\":\"394341b7182cd227c5c6b07ef8000cdfd86136c4292b8e576573ad7ed9ae41019f5818b4b971c9effc60e1ad9f1289f0\",\"event\":\"\",\"event_payload\":\"00000000\"},{\"imr\":2,\"event_type\":6,\"digest\":\"4027cb4ec64dbc24b6d98d9470daeefc749bbb6a9b011762d215f6ed3eb833d58fd72d9ad850958f72878182e6f61924\",\"event\":\"\",\"event_payload\":\"ed223b8f1a0000004c4f414445445f494d4147453a3a4c6f61644f7074696f6e7300\"},{\"imr\":2,\"event_type\":6,\"digest\":\"63e06e29cf98f2fce71abd3a9629dff48457b47c010b64e11f7a2b42dd99bfa14ee35660b3f5d3fc376261d6ba9a6d6b\",\"event\":\"\",\"event_payload\":\"ec223b8f0d0000004c696e757820696e6974726400\"},{\"imr\":1,\"event_type\":2147483655,\"digest\":\"214b0bef1379756011344877743fdc2a5382bac6e70362d624ccf3f654407c1b4badf7d8f9295dd3dabdef65b27677e0\",\"event\":\"\",\"event_payload\":\"4578697420426f6f7420536572766963657320496e766f636174696f6e\"},{\"imr\":1,\"event_type\":2147483655,\"digest\":\"0a2e01c85deae718a530ad8c6d20a84009babe6c8989269e950d8cf440c6e997695e64d455c4174a652cd080f6230b74\",\"event\":\"\",\"event_payload\":\"4578697420426f6f742053657276696365732052657475726e656420776974682053756363657373\"},{\"imr\":3,\"event_type\":134217729,\"digest\":\"f9974020ef507068183313d0ca808e0d1ca9b2d1ad0c61f5784e7157c362c06536f5ddacdad4451693f48fcc72fff624\",\"event\":\"system-preparing\",\"event_payload\":\"\"},{\"imr\":3,\"event_type\":134217729,\"digest\":\"837c2dd72f8a4c740159e5e042ed79b7eaaa5ab3a151a45e27bc366bb8b27e6c3faec87aab1e95197d3e6d23308d448c\",\"event\":\"app-id\",\"event_payload\":\"3763bc34552cf3a27ff71ad5f7a90471562a1a2d\"},{\"imr\":3,\"event_type\":134217729,\"digest\":\"b883bee0b216618b1ce0e7a1bb4a9379b486cef8aadf0c682cb6e80c083f7982dbf104183c24a74693d860f4ffc8b72f\",\"event\":\"compose-hash\",\"event_payload\":\"3763bc34552cf3a27ff71ad5f7a90471562a1a2df552dfc1998cba2d60da27e7\"},{\"imr\":3,\"event_type\":134217729,\"digest\":\"9af8567194629f6798aafa76d95427bb7e84864145ee79fdf4ca29f5c743c159379c1c805934decfa513821edaa77fb7\",\"event\":\"instance-id\",\"event_payload\":\"c3714eb66990eace777b4e664c16e09375dec4c9\"},{\"imr\":3,\"event_type\":134217729,\"digest\":\"98bd7e6bd3952720b65027fd494834045d06b4a714bf737a06b874638b3ea00ff402f7f583e3e3b05e921c8570433ac6\",\"event\":\"boot-mr-done\",\"event_payload\":\"\"},{\"imr\":3,\"event_type\":134217729,\"digest\":\"74ca939b8c3c74aab3c30966a788f7743951d54a936a711dd01422f003ff9df6666f3cc54975d2e4f35c829865583f0f\",\"event\":\"key-provider\",\"event_payload\":\"7b226e616d65223a226c6f63616c2d736778222c226964223a2231623761343933373834303332343962363938366139303738343463616230393231656361333264643437653635376633633130333131636361656363663862227d\"},{\"imr\":3,\"event_type\":134217729,\"digest\":\"1a76b2a80a0be71eae59f80945d876351a7a3fb8e9fd1ff1cede5734aa84ea11fd72b4edfbb6f04e5a85edd114c751bd\",\"event\":\"system-ready\",\"event_payload\":\"\"},{\"imr\":3,\"event_type\":134217729,\"digest\":\"64c2c025c0e916a1802e8beee830954fe5693f3fb0f2ffb077d7d3f149c5525e2c1bfb0a15046b84f4038ba6f152588f\",\"event\":\"LIUM_MINER_HOTKEY\",\"event_payload\":\"35443333507467666b475951734d4c434d724b426a56454d54455371525944466666543672396a4264614833654c7434\"}]","report_data":"12340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000","vm_config":"{\"spec_version\": 1, \"os_image_hash\": \"14ad42d0270b444eaeb53918a5a94d9b17eec7a817cd336173b17c5327541c67\", \"cpu_count\": 16, \"memory_size\": 68719476736, \"qemu_single_pass_add_pages\": false, \"pic\": false, \"pci_hole64_size\": 17592186044416, \"num_gpus\": 1, \"num_nvswitches\": 0, \"hugepages\": false, \"hotplug_off\": true, \"qemu_version\": \"9.2.1\"}"} diff --git a/verifier/src/main.rs b/verifier/src/main.rs new file mode 100644 index 00000000..f21594e4 --- /dev/null +++ b/verifier/src/main.rs @@ -0,0 +1,241 @@ +// SPDX-FileCopyrightText: © 2024-2025 Phala Network +// +// SPDX-License-Identifier: Apache-2.0 + +use std::sync::Arc; + +use clap::Parser; +use figment::{ + providers::{Env, Format, Toml}, + Figment, +}; +use rocket::{fairing::AdHoc, get, post, serde::json::Json, State}; +use serde::{Deserialize, Serialize}; +use tracing::{error, info}; + +mod types; +mod verification; + +use types::{VerificationRequest, VerificationResponse}; +use verification::CvmVerifier; + +#[derive(Parser)] +#[command(name = "dstack-verifier")] +#[command(about = "HTTP server providing CVM verification services")] +struct Cli { + #[arg(short, long, default_value = "dstack-verifier.toml")] + config: String, + + /// Oneshot mode: verify a single report JSON file and exit + #[arg(long, value_name = "FILE")] + verify: Option, +} + +#[derive(Debug, Clone, Deserialize, Serialize)] +pub struct Config { + pub address: String, + pub port: u16, + pub image_cache_dir: String, + pub pccs_url: Option, + pub image_download_url: String, + pub image_download_timeout_secs: u64, +} + +#[post("/verify", data = "")] +async fn verify_cvm( + verifier: &State>, + request: Json, +) -> Json { + match verifier.verify(&request.into_inner()).await { + Ok(response) => Json(response), + Err(e) => { + error!("Verification failed: {:?}", e); + Json(VerificationResponse { + is_valid: false, + details: types::VerificationDetails { + quote_verified: false, + event_log_verified: false, + os_image_hash_verified: false, + report_data: None, + tcb_status: None, + advisory_ids: vec![], + app_info: None, + acpi_tables: None, + rtmr_debug: None, + }, + reason: Some(format!("Internal error: {}", e)), + }) + } + } +} + +#[get("/health")] +fn health() -> Json { + Json(serde_json::json!({ + "status": "ok", + "service": "dstack-verifier" + })) +} + +async fn run_oneshot(file_path: &str, config: &Config) -> anyhow::Result<()> { + use std::fs; + + info!("Running in oneshot mode for file: {}", file_path); + + // Read the JSON file + let content = fs::read_to_string(file_path) + .map_err(|e| anyhow::anyhow!("Failed to read file {}: {}", file_path, e))?; + + // Parse as VerificationRequest + let mut request: VerificationRequest = serde_json::from_str(&content) + .map_err(|e| anyhow::anyhow!("Failed to parse JSON: {}", e))?; + + // Ensure PCCS URL is populated from config when the report omits it + request.pccs_url = request.pccs_url.or_else(|| config.pccs_url.clone()); + + // Create verifier + let verifier = CvmVerifier::new( + config.image_cache_dir.clone(), + config.image_download_url.clone(), + std::time::Duration::from_secs(config.image_download_timeout_secs), + ); + + // Run verification + info!("Starting verification..."); + let response = verifier.verify(&request).await?; + + // Persist response next to the input file for convenience + let output_path = format!("{file_path}.verification.json"); + let serialized = serde_json::to_string_pretty(&response) + .map_err(|e| anyhow::anyhow!("Failed to encode verification result: {}", e))?; + fs::write(&output_path, serialized).map_err(|e| { + anyhow::anyhow!( + "Failed to write verification result to {}: {}", + output_path, + e + ) + })?; + info!("Stored verification result at {}", output_path); + + // Output results + println!("\n=== Verification Results ==="); + println!("Valid: {}", response.is_valid); + println!("Quote verified: {}", response.details.quote_verified); + println!( + "Event log verified: {}", + response.details.event_log_verified + ); + println!( + "OS image hash verified: {}", + response.details.os_image_hash_verified + ); + + if let Some(tcb_status) = &response.details.tcb_status { + println!("TCB status: {}", tcb_status); + } + + if !response.details.advisory_ids.is_empty() { + println!("Advisory IDs: {:?}", response.details.advisory_ids); + } + + if let Some(reason) = &response.reason { + println!("Reason: {}", reason); + } + + if let Some(report_data) = &response.details.report_data { + println!("Report data: {}", report_data); + } + + if let Some(app_info) = &response.details.app_info { + println!("\n=== App Info ==="); + println!("App ID: {}", hex::encode(&app_info.app_id)); + println!("Instance ID: {}", hex::encode(&app_info.instance_id)); + println!("Compose hash: {}", hex::encode(&app_info.compose_hash)); + println!("MRTD: {}", hex::encode(app_info.mrtd)); + println!("RTMR0: {}", hex::encode(app_info.rtmr0)); + println!("RTMR1: {}", hex::encode(app_info.rtmr1)); + println!("RTMR2: {}", hex::encode(app_info.rtmr2)); + } + + // Exit with appropriate code + if !response.is_valid { + std::process::exit(1); + } + + Ok(()) +} + +#[rocket::launch] +fn rocket() -> _ { + tracing_subscriber::fmt::init(); + + let cli = Cli::parse(); + + let default_config_str = include_str!("../dstack-verifier.toml"); + + let figment = Figment::from(rocket::Config::default()) + .merge(Toml::string(default_config_str)) + .merge(Toml::file(&cli.config)) + .merge(Env::prefixed("DSTACK_VERIFIER_")); + + let config: Config = figment.extract().expect("Failed to load configuration"); + + // Check for oneshot mode + if let Some(file_path) = cli.verify { + // Run oneshot verification and exit + let rt = tokio::runtime::Runtime::new().expect("Failed to create runtime"); + rt.block_on(async { + if let Err(e) = run_oneshot(&file_path, &config).await { + error!("Oneshot verification failed: {:#}", e); + std::process::exit(1); + } + }); + std::process::exit(0); + } + + let verifier = Arc::new(CvmVerifier::new( + config.image_cache_dir.clone(), + config.image_download_url.clone(), + std::time::Duration::from_secs(config.image_download_timeout_secs), + )); + + rocket::custom(figment) + .mount("/", rocket::routes![verify_cvm, health]) + .manage(verifier) + .attach(AdHoc::on_liftoff("Startup", |_| { + Box::pin(async { + info!("dstack-verifier started successfully"); + }) + })) +} + +#[cfg(test)] +mod tests { + use super::*; + use rocket::http::{ContentType, Status}; + use rocket::local::asynchronous::Client; + + #[tokio::test] + async fn test_health_endpoint() { + let client = Client::tracked(rocket()) + .await + .expect("valid rocket instance"); + let response = client.get("/health").dispatch().await; + assert_eq!(response.status(), Status::Ok); + } + + #[tokio::test] + async fn test_verify_endpoint_invalid_request() { + let client = Client::tracked(rocket()) + .await + .expect("valid rocket instance"); + let response = client + .post("/verify") + .header(ContentType::JSON) + .body(r#"{"invalid": "request"}"#) + .dispatch() + .await; + + assert_eq!(response.status(), Status::UnprocessableEntity); + } +} diff --git a/verifier/src/types.rs b/verifier/src/types.rs new file mode 100644 index 00000000..28bdfe20 --- /dev/null +++ b/verifier/src/types.rs @@ -0,0 +1,80 @@ +// SPDX-FileCopyrightText: © 2024-2025 Phala Network +// +// SPDX-License-Identifier: Apache-2.0 + +use ra_tls::attestation::AppInfo; +use serde::{Deserialize, Serialize}; + +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct VerificationRequest { + pub quote: String, + pub event_log: String, + pub vm_config: String, + pub pccs_url: Option, +} + +#[derive(Debug, Clone, Serialize)] +pub struct VerificationResponse { + pub is_valid: bool, + pub details: VerificationDetails, + pub reason: Option, +} + +#[derive(Debug, Clone, Serialize)] +pub struct VerificationDetails { + pub quote_verified: bool, + pub event_log_verified: bool, + pub os_image_hash_verified: bool, + pub report_data: Option, + pub tcb_status: Option, + pub advisory_ids: Vec, + pub app_info: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub acpi_tables: Option, + #[serde(skip_serializing_if = "Option::is_none")] + pub rtmr_debug: Option>, +} + +#[derive(Debug, Clone, Serialize)] +pub struct AcpiTables { + pub tables: String, + pub rsdp: String, + pub loader: String, +} + +#[derive(Debug, Clone, Serialize)] +pub struct RtmrMismatch { + pub rtmr: String, + pub expected: String, + pub actual: String, + pub events: Vec, + #[serde(skip_serializing_if = "Vec::is_empty")] + pub missing_expected_digests: Vec, +} + +#[derive(Debug, Clone, Serialize)] +pub struct RtmrEventEntry { + pub index: usize, + pub event_type: u32, + pub event_name: String, + pub actual_digest: String, + #[serde(skip_serializing_if = "Option::is_none")] + pub expected_digest: Option, + pub payload_len: usize, + pub status: RtmrEventStatus, +} + +#[derive(Debug, Clone, Serialize)] +#[serde(rename_all = "snake_case")] +pub enum RtmrEventStatus { + Match, + Mismatch, + Extra, + Missing, +} + +#[derive(Debug, Clone, Serialize, Deserialize)] +pub struct ErrorResponse { + pub error: String, + pub details: Option, +} diff --git a/verifier/src/verification.rs b/verifier/src/verification.rs new file mode 100644 index 00000000..e36f4b07 --- /dev/null +++ b/verifier/src/verification.rs @@ -0,0 +1,620 @@ +// SPDX-FileCopyrightText: © 2024-2025 Phala Network +// +// SPDX-License-Identifier: Apache-2.0 + +use std::{ffi::OsStr, path::Path, time::Duration}; + +use anyhow::{bail, Context, Result}; +use cc_eventlog::TdxEventLog as EventLog; +use dstack_mr::RtmrLog; +use dstack_types::VmConfig; +use ra_tls::attestation::{Attestation, VerifiedAttestation}; +use sha2::{Digest as _, Sha256, Sha384}; +use tokio::{io::AsyncWriteExt, process::Command}; +use tracing::{debug, info}; + +use crate::types::{ + AcpiTables, RtmrEventEntry, RtmrEventStatus, RtmrMismatch, VerificationDetails, + VerificationRequest, VerificationResponse, +}; + +#[derive(Debug, Clone)] +struct RtmrComputationResult { + event_indices: [Vec; 4], + rtmrs: [[u8; 48]; 4], +} + +fn replay_event_logs(eventlog: &[EventLog]) -> Result { + let mut event_indices: [Vec; 4] = Default::default(); + let mut rtmrs: [[u8; 48]; 4] = [[0u8; 48]; 4]; + + for idx in 0..4 { + for (event_idx, event) in eventlog.iter().enumerate() { + event + .validate() + .context("Failed to validate event digest")?; + + if event.imr == idx { + event_indices[idx as usize].push(event_idx); + let mut hasher = Sha384::new(); + hasher.update(rtmrs[idx as usize]); + hasher.update(event.digest); + rtmrs[idx as usize] = hasher.finalize().into(); + } + } + } + + Ok(RtmrComputationResult { + event_indices, + rtmrs, + }) +} + +fn collect_rtmr_mismatch( + rtmr_label: &str, + expected_hex: &str, + actual_hex: &str, + expected_sequence: &RtmrLog, + actual_indices: &[usize], + event_log: &[EventLog], +) -> RtmrMismatch { + let mut events = Vec::new(); + + for (&idx, expected_digest) in actual_indices.iter().zip(expected_sequence.iter()) { + match event_log.get(idx) { + Some(event) => { + let event_name = if event.event.is_empty() { + "(unnamed)".to_string() + } else { + event.event.clone() + }; + let status = if event.digest == expected_digest.as_slice() { + RtmrEventStatus::Match + } else { + RtmrEventStatus::Mismatch + }; + events.push(RtmrEventEntry { + index: idx, + event_type: event.event_type, + event_name, + actual_digest: hex::encode(event.digest), + expected_digest: Some(hex::encode(expected_digest)), + payload_len: event.event_payload.len(), + status, + }); + } + None => { + events.push(RtmrEventEntry { + index: idx, + event_type: 0, + event_name: "(missing)".to_string(), + actual_digest: String::new(), + expected_digest: Some(hex::encode(expected_digest)), + payload_len: 0, + status: RtmrEventStatus::Missing, + }); + } + } + } + + for &idx in actual_indices.iter().skip(expected_sequence.len()) { + let (event_type, event_name, actual_digest, payload_len) = match event_log.get(idx) { + Some(event) => ( + event.event_type, + if event.event.is_empty() { + "(unnamed)".to_string() + } else { + event.event.clone() + }, + hex::encode(event.digest), + event.event_payload.len(), + ), + None => (0, "(missing)".to_string(), String::new(), 0), + }; + events.push(RtmrEventEntry { + index: idx, + event_type, + event_name, + actual_digest, + expected_digest: None, + payload_len, + status: RtmrEventStatus::Extra, + }); + } + + let missing_expected_digests = if expected_sequence.len() > actual_indices.len() { + expected_sequence[actual_indices.len()..] + .iter() + .map(hex::encode) + .collect() + } else { + Vec::new() + }; + + RtmrMismatch { + rtmr: rtmr_label.to_string(), + expected: expected_hex.to_string(), + actual: actual_hex.to_string(), + events, + missing_expected_digests, + } +} + +pub struct CvmVerifier { + pub image_cache_dir: String, + pub download_url: String, + pub download_timeout: Duration, +} + +impl CvmVerifier { + pub fn new(image_cache_dir: String, download_url: String, download_timeout: Duration) -> Self { + Self { + image_cache_dir, + download_url, + download_timeout, + } + } + + pub async fn verify(&self, request: &VerificationRequest) -> Result { + let quote = hex::decode(&request.quote).context("Failed to decode quote hex")?; + + // Event log is always JSON string + let event_log = request.event_log.as_bytes().to_vec(); + + let attestation = Attestation::new(quote, event_log) + .context("Failed to create attestation from quote and event log")?; + + let mut details = VerificationDetails { + quote_verified: false, + event_log_verified: false, + os_image_hash_verified: false, + report_data: None, + tcb_status: None, + advisory_ids: vec![], + app_info: None, + acpi_tables: None, + rtmr_debug: None, + }; + + let vm_config: VmConfig = + serde_json::from_str(&request.vm_config).context("Failed to decode VM config JSON")?; + + // Step 1: Verify the TDX quote using dcap-qvl + let verified_attestation = match self.verify_quote(attestation, &request.pccs_url).await { + Ok(att) => { + details.quote_verified = true; + details.tcb_status = Some(att.report.status.clone()); + details.advisory_ids = att.report.advisory_ids.clone(); + // Extract and store report_data + if let Ok(report_data) = att.decode_report_data() { + details.report_data = Some(hex::encode(report_data)); + } + att + } + Err(e) => { + return Ok(VerificationResponse { + is_valid: false, + details, + reason: Some(format!("Quote verification failed: {}", e)), + }); + } + }; + + match verified_attestation.decode_app_info(false) { + Ok(info) => { + details.event_log_verified = true; + details.app_info = Some(info); + } + Err(e) => { + return Ok(VerificationResponse { + is_valid: false, + details, + reason: Some(format!("Event log verification failed: {}", e)), + }); + } + }; + + // Step 3: Verify os-image-hash matches using dstack-mr + if let Err(e) = self + .verify_os_image_hash(&vm_config, &verified_attestation, &mut details) + .await + { + return Ok(VerificationResponse { + is_valid: false, + details, + reason: Some(format!("OS image hash verification failed: {e:#}")), + }); + } + details.os_image_hash_verified = true; + + Ok(VerificationResponse { + is_valid: true, + details, + reason: None, + }) + } + + async fn verify_quote( + &self, + attestation: Attestation, + pccs_url: &Option, + ) -> Result { + // Extract report data from quote + let report_data = attestation.decode_report_data()?; + + attestation + .verify(&report_data, pccs_url.as_deref()) + .await + .context("Quote verification failed") + } + + async fn verify_os_image_hash( + &self, + vm_config: &VmConfig, + attestation: &VerifiedAttestation, + details: &mut VerificationDetails, + ) -> Result<()> { + let hex_os_image_hash = hex::encode(&vm_config.os_image_hash); + + // Get boot info from attestation + let report = attestation + .report + .report + .as_td10() + .context("Failed to decode TD report")?; + + let app_info = attestation.decode_app_info(false)?; + + let boot_info = upgrade_authority::BootInfo { + mrtd: report.mr_td.to_vec(), + rtmr0: report.rt_mr0.to_vec(), + rtmr1: report.rt_mr1.to_vec(), + rtmr2: report.rt_mr2.to_vec(), + rtmr3: report.rt_mr3.to_vec(), + mr_aggregated: app_info.mr_aggregated.to_vec(), + os_image_hash: vm_config.os_image_hash.clone(), + mr_system: app_info.mr_system.to_vec(), + app_id: app_info.app_id, + compose_hash: app_info.compose_hash, + instance_id: app_info.instance_id, + device_id: app_info.device_id, + key_provider_info: app_info.key_provider_info, + event_log: String::from_utf8(attestation.raw_event_log.clone()) + .context("Failed to serialize event log")?, + tcb_status: attestation.report.status.clone(), + advisory_ids: attestation.report.advisory_ids.clone(), + }; + + // Extract the verified MRs from the boot info + let verified_mrs = Mrs::from(&boot_info); + + // Get image directory + let image_dir = Path::new(&self.image_cache_dir) + .join("images") + .join(&hex_os_image_hash); + + let metadata_path = image_dir.join("metadata.json"); + if !metadata_path.exists() { + info!("Image {} not found, downloading", hex_os_image_hash); + tokio::time::timeout( + self.download_timeout, + self.download_image(&hex_os_image_hash, &image_dir), + ) + .await + .context("Download image timeout")? + .with_context(|| format!("Failed to download image {hex_os_image_hash}"))?; + } + + let image_info = + fs_err::read_to_string(metadata_path).context("Failed to read image metadata")?; + let image_info: dstack_types::ImageInfo = + serde_json::from_str(&image_info).context("Failed to parse image metadata")?; + + let fw_path = image_dir.join(&image_info.bios); + let kernel_path = image_dir.join(&image_info.kernel); + let initrd_path = image_dir.join(&image_info.initrd); + let kernel_cmdline = image_info.cmdline + " initrd=initrd"; + + // Use dstack-mr to compute expected MRs + let measurement_details = dstack_mr::Machine::builder() + .cpu_count(vm_config.cpu_count) + .memory_size(vm_config.memory_size) + .firmware(&fw_path.display().to_string()) + .kernel(&kernel_path.display().to_string()) + .initrd(&initrd_path.display().to_string()) + .kernel_cmdline(&kernel_cmdline) + .root_verity(true) + .hotplug_off(vm_config.hotplug_off) + .maybe_two_pass_add_pages(vm_config.qemu_single_pass_add_pages) + .maybe_pic(vm_config.pic) + .maybe_qemu_version(vm_config.qemu_version.clone()) + .maybe_pci_hole64_size(if vm_config.pci_hole64_size > 0 { + Some(vm_config.pci_hole64_size) + } else { + None + }) + .hugepages(vm_config.hugepages) + .num_gpus(vm_config.num_gpus) + .num_nvswitches(vm_config.num_nvswitches) + .build() + .measure_with_logs() + .context("Failed to compute expected MRs")?; + + let mrs = measurement_details.measurements; + let expected_logs = measurement_details.rtmr_logs; + details.acpi_tables = Some(AcpiTables { + tables: hex::encode(&measurement_details.acpi_tables.tables), + rsdp: hex::encode(&measurement_details.acpi_tables.rsdp), + loader: hex::encode(&measurement_details.acpi_tables.loader), + }); + + let expected_mrs = Mrs { + mrtd: hex::encode(&mrs.mrtd), + rtmr0: hex::encode(&mrs.rtmr0), + rtmr1: hex::encode(&mrs.rtmr1), + rtmr2: hex::encode(&mrs.rtmr2), + }; + + debug!( + "Expected MRs from dstack-mr: MRTD={}, RTMR0={}, RTMR1={}, RTMR2={}", + expected_mrs.mrtd, expected_mrs.rtmr0, expected_mrs.rtmr1, expected_mrs.rtmr2 + ); + debug!( + "Verified MRs from attestation: MRTD={}, RTMR0={}, RTMR1={}, RTMR2={}", + verified_mrs.mrtd, verified_mrs.rtmr0, verified_mrs.rtmr1, verified_mrs.rtmr2 + ); + let event_log: Vec = serde_json::from_slice(&attestation.raw_event_log) + .context("Failed to parse event log for mismatch analysis")?; + + let computation_result = replay_event_logs(&event_log) + .context("Failed to replay event logs for mismatch analysis")?; + + if computation_result.rtmrs[3] != *boot_info.rtmr3 { + bail!("RTMR3 mismatch"); + } + + match expected_mrs.assert_eq(&verified_mrs) { + Ok(()) => Ok(()), + Err(e) => { + let mut rtmr_debug = Vec::new(); + + if expected_mrs.rtmr0 != verified_mrs.rtmr0 { + rtmr_debug.push(collect_rtmr_mismatch( + "RTMR0", + &expected_mrs.rtmr0, + &verified_mrs.rtmr0, + &expected_logs[0], + &computation_result.event_indices[0], + &event_log, + )); + } + + if expected_mrs.rtmr1 != verified_mrs.rtmr1 { + rtmr_debug.push(collect_rtmr_mismatch( + "RTMR1", + &expected_mrs.rtmr1, + &verified_mrs.rtmr1, + &expected_logs[1], + &computation_result.event_indices[1], + &event_log, + )); + } + + if expected_mrs.rtmr2 != verified_mrs.rtmr2 { + rtmr_debug.push(collect_rtmr_mismatch( + "RTMR2", + &expected_mrs.rtmr2, + &verified_mrs.rtmr2, + &expected_logs[2], + &computation_result.event_indices[2], + &event_log, + )); + } + + if !rtmr_debug.is_empty() { + details.rtmr_debug = Some(rtmr_debug); + } + + Err(e.context("MRs do not match")) + } + } + } + + async fn download_image(&self, hex_os_image_hash: &str, dst_dir: &Path) -> Result<()> { + let url = self + .download_url + .replace("{OS_IMAGE_HASH}", hex_os_image_hash); + + // Create a temporary directory for extraction within the cache directory + let cache_dir = Path::new(&self.image_cache_dir).join("images").join("tmp"); + fs_err::create_dir_all(&cache_dir).context("Failed to create cache directory")?; + let auto_delete_temp_dir = tempfile::Builder::new() + .prefix("tmp-download-") + .tempdir_in(&cache_dir) + .context("Failed to create temporary directory")?; + let tmp_dir = auto_delete_temp_dir.path(); + + info!("Downloading image from {}", url); + let client = reqwest::Client::new(); + let response = client + .get(&url) + .send() + .await + .context("Failed to download image")?; + + if !response.status().is_success() { + bail!( + "Failed to download image: HTTP status {}, url: {url}", + response.status(), + ); + } + + // Save the tarball to a temporary file using streaming + let tarball_path = tmp_dir.join("image.tar.gz"); + let mut file = tokio::fs::File::create(&tarball_path) + .await + .context("Failed to create tarball file")?; + let mut response = response; + while let Some(chunk) = response.chunk().await? { + file.write_all(&chunk) + .await + .context("Failed to write chunk to file")?; + } + + let extracted_dir = tmp_dir.join("extracted"); + fs_err::create_dir_all(&extracted_dir).context("Failed to create extraction directory")?; + + // Extract the tarball + let output = Command::new("tar") + .arg("xzf") + .arg(&tarball_path) + .current_dir(&extracted_dir) + .output() + .await + .context("Failed to extract tarball")?; + + if !output.status.success() { + bail!( + "Failed to extract tarball: {}", + String::from_utf8_lossy(&output.stderr) + ); + } + + // Verify checksum + let output = Command::new("sha256sum") + .arg("-c") + .arg("sha256sum.txt") + .current_dir(&extracted_dir) + .output() + .await + .context("Failed to verify checksum")?; + + if !output.status.success() { + bail!( + "Checksum verification failed: {}", + String::from_utf8_lossy(&output.stderr) + ); + } + + // Remove the files that are not listed in sha256sum.txt + let sha256sum_path = extracted_dir.join("sha256sum.txt"); + let files_doc = + fs_err::read_to_string(&sha256sum_path).context("Failed to read sha256sum.txt")?; + let listed_files: Vec<&OsStr> = files_doc + .lines() + .flat_map(|line| line.split_whitespace().nth(1)) + .map(|s| s.as_ref()) + .collect(); + let files = fs_err::read_dir(&extracted_dir).context("Failed to read directory")?; + for file in files { + let file = file.context("Failed to read directory entry")?; + let filename = file.file_name(); + if !listed_files.contains(&filename.as_os_str()) { + if file.path().is_dir() { + fs_err::remove_dir_all(file.path()).context("Failed to remove directory")?; + } else { + fs_err::remove_file(file.path()).context("Failed to remove file")?; + } + } + } + + // os_image_hash should eq to sha256sum of the sha256sum.txt + let os_image_hash = Sha256::new_with_prefix(files_doc.as_bytes()).finalize(); + if hex::encode(os_image_hash) != hex_os_image_hash { + bail!("os_image_hash does not match sha256sum of the sha256sum.txt"); + } + + // Move the extracted files to the destination directory + let metadata_path = extracted_dir.join("metadata.json"); + if !metadata_path.exists() { + bail!("metadata.json not found in the extracted archive"); + } + + if dst_dir.exists() { + fs_err::remove_dir_all(dst_dir).context("Failed to remove destination directory")?; + } + let dst_dir_parent = dst_dir.parent().context("Failed to get parent directory")?; + fs_err::create_dir_all(dst_dir_parent).context("Failed to create parent directory")?; + // Move the extracted files to the destination directory + fs_err::rename(extracted_dir, dst_dir) + .context("Failed to move extracted files to destination directory")?; + Ok(()) + } +} + +#[derive(Debug, Clone)] +struct Mrs { + mrtd: String, + rtmr0: String, + rtmr1: String, + rtmr2: String, +} + +impl Mrs { + fn assert_eq(&self, other: &Self) -> Result<()> { + if self.mrtd != other.mrtd { + bail!( + "MRTD does not match: expected={}, actual={}", + self.mrtd, + other.mrtd + ); + } + if self.rtmr0 != other.rtmr0 { + bail!( + "RTMR0 does not match: expected={}, actual={}", + self.rtmr0, + other.rtmr0 + ); + } + if self.rtmr1 != other.rtmr1 { + bail!( + "RTMR1 does not match: expected={}, actual={}", + self.rtmr1, + other.rtmr1 + ); + } + if self.rtmr2 != other.rtmr2 { + bail!( + "RTMR2 does not match: expected={}, actual={}", + self.rtmr2, + other.rtmr2 + ); + } + Ok(()) + } +} + +impl From<&upgrade_authority::BootInfo> for Mrs { + fn from(report: &upgrade_authority::BootInfo) -> Self { + Self { + mrtd: hex::encode(&report.mrtd), + rtmr0: hex::encode(&report.rtmr0), + rtmr1: hex::encode(&report.rtmr1), + rtmr2: hex::encode(&report.rtmr2), + } + } +} + +mod upgrade_authority { + use serde::{Deserialize, Serialize}; + + #[derive(Debug, Serialize, Deserialize, Clone, Eq, PartialEq)] + pub struct BootInfo { + pub mrtd: Vec, + pub rtmr0: Vec, + pub rtmr1: Vec, + pub rtmr2: Vec, + pub rtmr3: Vec, + pub mr_aggregated: Vec, + pub os_image_hash: Vec, + pub mr_system: Vec, + pub app_id: Vec, + pub compose_hash: Vec, + pub instance_id: Vec, + pub device_id: Vec, + pub key_provider_info: Vec, + pub event_log: String, + pub tcb_status: String, + pub advisory_ids: Vec, + } +} diff --git a/verifier/test.sh b/verifier/test.sh new file mode 100755 index 00000000..11c2ad1e --- /dev/null +++ b/verifier/test.sh @@ -0,0 +1,127 @@ +#!/bin/bash + +# SPDX-FileCopyrightText: © 2024-2025 Phala Network +# +# SPDX-License-Identifier: Apache-2.0 + +set -e + +# Colors for output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +# Configuration +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +PROJECT_ROOT="$(dirname "$SCRIPT_DIR")" +BINARY="$PROJECT_ROOT/target/debug/dstack-verifier" +LOG_FILE="/tmp/verifier-test.log" +FIXTURE_FILE="$SCRIPT_DIR/fixtures/quote-report.json" + +echo -e "${YELLOW}dstack-verifier Test Script${NC}" +echo "==================================" + +# Function to cleanup on exit +cleanup() { + echo -e "\n${YELLOW}Cleaning up...${NC}" + pkill -f dstack-verifier 2>/dev/null || true + sleep 1 +} +trap cleanup EXIT + +# Build the project +echo -e "${YELLOW}Building dstack-verifier...${NC}" +cd "$PROJECT_ROOT" +cargo build --bin dstack-verifier --quiet + +if [ ! -f "$BINARY" ]; then + echo -e "${RED}Error: Binary not found at $BINARY${NC}" + exit 1 +fi + +# Start the server +echo -e "${YELLOW}Starting dstack-verifier server...${NC}" +"$BINARY" >"$LOG_FILE" 2>&1 & +SERVER_PID=$! + +# Wait for server to start +echo -e "${YELLOW}Waiting for server to start...${NC}" +for i in {1..10}; do + if curl -s http://localhost:8080/health >/dev/null 2>&1; then + echo -e "${GREEN}Server started successfully${NC}" + break + fi + if [ $i -eq 10 ]; then + echo -e "${RED}Server failed to start${NC}" + echo "Server logs:" + cat "$LOG_FILE" + exit 1 + fi + sleep 1 +done + +# Check if fixture file exists +if [ ! -f "$FIXTURE_FILE" ]; then + echo -e "${RED}Error: Fixture file not found at $FIXTURE_FILE${NC}" + exit 1 +fi + +# Run the verification test +echo -e "${YELLOW}Running verification test...${NC}" +echo "Using fixture: $FIXTURE_FILE" + +RESPONSE=$(curl -s -X POST http://localhost:8080/verify \ + -H "Content-Type: application/json" \ + -d @"$FIXTURE_FILE") + +# Parse and display results +echo -e "\n${YELLOW}Test Results:${NC}" +echo "=============" + +IS_VALID=$(echo "$RESPONSE" | jq -r '.is_valid') +QUOTE_VERIFIED=$(echo "$RESPONSE" | jq -r '.details.quote_verified') +EVENT_LOG_VERIFIED=$(echo "$RESPONSE" | jq -r '.details.event_log_verified') +OS_IMAGE_VERIFIED=$(echo "$RESPONSE" | jq -r '.details.os_image_hash_verified') +TCB_STATUS=$(echo "$RESPONSE" | jq -r '.details.tcb_status') +REASON=$(echo "$RESPONSE" | jq -r '.reason // "null"') + +echo -e "Overall Valid: $([ "$IS_VALID" = "true" ] && echo -e "${GREEN}✓${NC}" || echo -e "${RED}✗${NC}") $IS_VALID" +echo -e "Quote Verified: $([ "$QUOTE_VERIFIED" = "true" ] && echo -e "${GREEN}✓${NC}" || echo -e "${RED}✗${NC}") $QUOTE_VERIFIED" +echo -e "Event Log Verified: $([ "$EVENT_LOG_VERIFIED" = "true" ] && echo -e "${GREEN}✓${NC}" || echo -e "${RED}✗${NC}") $EVENT_LOG_VERIFIED" +echo -e "OS Image Verified: $([ "$OS_IMAGE_VERIFIED" = "true" ] && echo -e "${GREEN}✓${NC}" || echo -e "${RED}✗${NC}") $OS_IMAGE_VERIFIED" +echo -e "TCB Status: ${GREEN}$TCB_STATUS${NC}" + +if [ "$REASON" != "null" ]; then + echo -e "${RED}Failure Reason:${NC}" + echo "$REASON" +fi + +# Show app info if available +APP_ID=$(echo "$RESPONSE" | jq -r '.details.app_info.app_id // "null"') +if [ "$APP_ID" != "null" ]; then + echo -e "\n${YELLOW}App Information:${NC}" + echo "App ID: $APP_ID" + echo "Instance ID: $(echo "$RESPONSE" | jq -r '.details.app_info.instance_id')" + echo "Compose Hash: $(echo "$RESPONSE" | jq -r '.details.app_info.compose_hash')" +fi + +# Show report data +REPORT_DATA=$(echo "$RESPONSE" | jq -r '.details.report_data // "null"') +if [ "$REPORT_DATA" != "null" ]; then + echo -e "\n${YELLOW}Report Data:${NC}" + echo "$REPORT_DATA" +fi + +echo -e "\n${YELLOW}Server Logs:${NC}" +echo "============" +tail -10 "$LOG_FILE" + +echo -e "\n${YELLOW}Test completed!${NC}" +if [ "$IS_VALID" = "true" ]; then + echo -e "${GREEN}✓ Verification PASSED${NC}" + exit 0 +else + echo -e "${RED}✗ Verification FAILED${NC}" + exit 1 +fi From a1591646b676c73b204f87207fbe76a61d4a9273 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 23 Sep 2025 09:15:35 +0000 Subject: [PATCH 027/133] Add os_image_hash in verifier report --- verifier/src/verification.rs | 119 +++++++++++++---------------------- verifier/test.sh | 3 +- 2 files changed, 45 insertions(+), 77 deletions(-) diff --git a/verifier/src/verification.rs b/verifier/src/verification.rs index e36f4b07..2525d92a 100644 --- a/verifier/src/verification.rs +++ b/verifier/src/verification.rs @@ -11,7 +11,7 @@ use dstack_types::VmConfig; use ra_tls::attestation::{Attestation, VerifiedAttestation}; use sha2::{Digest as _, Sha256, Sha384}; use tokio::{io::AsyncWriteExt, process::Command}; -use tracing::{debug, info}; +use tracing::info; use crate::types::{ AcpiTables, RtmrEventEntry, RtmrEventStatus, RtmrMismatch, VerificationDetails, @@ -52,12 +52,15 @@ fn replay_event_logs(eventlog: &[EventLog]) -> Result { fn collect_rtmr_mismatch( rtmr_label: &str, - expected_hex: &str, - actual_hex: &str, + expected: &[u8], + actual: &[u8], expected_sequence: &RtmrLog, actual_indices: &[usize], event_log: &[EventLog], ) -> RtmrMismatch { + let expected_hex = hex::encode(expected); + let actual_hex = hex::encode(actual); + let mut events = Vec::new(); for (&idx, expected_digest) in actual_indices.iter().zip(expected_sequence.iter()) { @@ -200,20 +203,6 @@ impl CvmVerifier { } }; - match verified_attestation.decode_app_info(false) { - Ok(info) => { - details.event_log_verified = true; - details.app_info = Some(info); - } - Err(e) => { - return Ok(VerificationResponse { - is_valid: false, - details, - reason: Some(format!("Event log verification failed: {}", e)), - }); - } - }; - // Step 3: Verify os-image-hash matches using dstack-mr if let Err(e) = self .verify_os_image_hash(&vm_config, &verified_attestation, &mut details) @@ -226,6 +215,20 @@ impl CvmVerifier { }); } details.os_image_hash_verified = true; + match verified_attestation.decode_app_info(false) { + Ok(mut info) => { + info.os_image_hash = vm_config.os_image_hash; + details.event_log_verified = true; + details.app_info = Some(info); + } + Err(e) => { + return Ok(VerificationResponse { + is_valid: false, + details, + reason: Some(format!("Event log verification failed: {}", e)), + }); + } + }; Ok(VerificationResponse { is_valid: true, @@ -263,31 +266,14 @@ impl CvmVerifier { .as_td10() .context("Failed to decode TD report")?; - let app_info = attestation.decode_app_info(false)?; - - let boot_info = upgrade_authority::BootInfo { + // Extract the verified MRs from the report + let verified_mrs = Mrs { mrtd: report.mr_td.to_vec(), rtmr0: report.rt_mr0.to_vec(), rtmr1: report.rt_mr1.to_vec(), rtmr2: report.rt_mr2.to_vec(), - rtmr3: report.rt_mr3.to_vec(), - mr_aggregated: app_info.mr_aggregated.to_vec(), - os_image_hash: vm_config.os_image_hash.clone(), - mr_system: app_info.mr_system.to_vec(), - app_id: app_info.app_id, - compose_hash: app_info.compose_hash, - instance_id: app_info.instance_id, - device_id: app_info.device_id, - key_provider_info: app_info.key_provider_info, - event_log: String::from_utf8(attestation.raw_event_log.clone()) - .context("Failed to serialize event log")?, - tcb_status: attestation.report.status.clone(), - advisory_ids: attestation.report.advisory_ids.clone(), }; - // Extract the verified MRs from the boot info - let verified_mrs = Mrs::from(&boot_info); - // Get image directory let image_dir = Path::new(&self.image_cache_dir) .join("images") @@ -349,27 +335,19 @@ impl CvmVerifier { }); let expected_mrs = Mrs { - mrtd: hex::encode(&mrs.mrtd), - rtmr0: hex::encode(&mrs.rtmr0), - rtmr1: hex::encode(&mrs.rtmr1), - rtmr2: hex::encode(&mrs.rtmr2), + mrtd: mrs.mrtd.clone(), + rtmr0: mrs.rtmr0.clone(), + rtmr1: mrs.rtmr1.clone(), + rtmr2: mrs.rtmr2.clone(), }; - debug!( - "Expected MRs from dstack-mr: MRTD={}, RTMR0={}, RTMR1={}, RTMR2={}", - expected_mrs.mrtd, expected_mrs.rtmr0, expected_mrs.rtmr1, expected_mrs.rtmr2 - ); - debug!( - "Verified MRs from attestation: MRTD={}, RTMR0={}, RTMR1={}, RTMR2={}", - verified_mrs.mrtd, verified_mrs.rtmr0, verified_mrs.rtmr1, verified_mrs.rtmr2 - ); let event_log: Vec = serde_json::from_slice(&attestation.raw_event_log) .context("Failed to parse event log for mismatch analysis")?; let computation_result = replay_event_logs(&event_log) .context("Failed to replay event logs for mismatch analysis")?; - if computation_result.rtmrs[3] != *boot_info.rtmr3 { + if computation_result.rtmrs[3] != report.rt_mr3 { bail!("RTMR3 mismatch"); } @@ -544,57 +522,46 @@ impl CvmVerifier { #[derive(Debug, Clone)] struct Mrs { - mrtd: String, - rtmr0: String, - rtmr1: String, - rtmr2: String, + mrtd: Vec, + rtmr0: Vec, + rtmr1: Vec, + rtmr2: Vec, } impl Mrs { fn assert_eq(&self, other: &Self) -> Result<()> { if self.mrtd != other.mrtd { bail!( - "MRTD does not match: expected={}, actual={}", - self.mrtd, - other.mrtd + "MRTD mismatch: expected={}, actual={}", + hex::encode(&self.mrtd), + hex::encode(&other.mrtd) ); } if self.rtmr0 != other.rtmr0 { bail!( - "RTMR0 does not match: expected={}, actual={}", - self.rtmr0, - other.rtmr0 + "RTMR0 mismatch: expected={}, actual={}", + hex::encode(&self.rtmr0), + hex::encode(&other.rtmr0) ); } if self.rtmr1 != other.rtmr1 { bail!( - "RTMR1 does not match: expected={}, actual={}", - self.rtmr1, - other.rtmr1 + "RTMR1 mismatch: expected={}, actual={}", + hex::encode(&self.rtmr1), + hex::encode(&other.rtmr1) ); } if self.rtmr2 != other.rtmr2 { bail!( - "RTMR2 does not match: expected={}, actual={}", - self.rtmr2, - other.rtmr2 + "RTMR2 mismatch: expected={}, actual={}", + hex::encode(&self.rtmr2), + hex::encode(&other.rtmr2) ); } Ok(()) } } -impl From<&upgrade_authority::BootInfo> for Mrs { - fn from(report: &upgrade_authority::BootInfo) -> Self { - Self { - mrtd: hex::encode(&report.mrtd), - rtmr0: hex::encode(&report.rtmr0), - rtmr1: hex::encode(&report.rtmr1), - rtmr2: hex::encode(&report.rtmr2), - } - } -} - mod upgrade_authority { use serde::{Deserialize, Serialize}; diff --git a/verifier/test.sh b/verifier/test.sh index 11c2ad1e..4f9554cf 100755 --- a/verifier/test.sh +++ b/verifier/test.sh @@ -99,11 +99,12 @@ fi # Show app info if available APP_ID=$(echo "$RESPONSE" | jq -r '.details.app_info.app_id // "null"') +OS_IMAGE_HASH=$(echo "$RESPONSE" | jq -r '.details.app_info.os_image_hash // "null"') if [ "$APP_ID" != "null" ]; then echo -e "\n${YELLOW}App Information:${NC}" echo "App ID: $APP_ID" - echo "Instance ID: $(echo "$RESPONSE" | jq -r '.details.app_info.instance_id')" echo "Compose Hash: $(echo "$RESPONSE" | jq -r '.details.app_info.compose_hash')" + echo "OS Image Hash: $OS_IMAGE_HASH" fi # Show report data From cf5cc614b053ebe5922f514f40bbf4faa026d373 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 23 Sep 2025 09:55:46 +0000 Subject: [PATCH 028/133] Fix testing failures --- verifier/src/main.rs | 33 +-------------------------------- 1 file changed, 1 insertion(+), 32 deletions(-) diff --git a/verifier/src/main.rs b/verifier/src/main.rs index f21594e4..d5ad4cc3 100644 --- a/verifier/src/main.rs +++ b/verifier/src/main.rs @@ -167,7 +167,7 @@ async fn run_oneshot(file_path: &str, config: &Config) -> anyhow::Result<()> { #[rocket::launch] fn rocket() -> _ { - tracing_subscriber::fmt::init(); + tracing_subscriber::fmt::try_init().ok(); let cli = Cli::parse(); @@ -208,34 +208,3 @@ fn rocket() -> _ { }) })) } - -#[cfg(test)] -mod tests { - use super::*; - use rocket::http::{ContentType, Status}; - use rocket::local::asynchronous::Client; - - #[tokio::test] - async fn test_health_endpoint() { - let client = Client::tracked(rocket()) - .await - .expect("valid rocket instance"); - let response = client.get("/health").dispatch().await; - assert_eq!(response.status(), Status::Ok); - } - - #[tokio::test] - async fn test_verify_endpoint_invalid_request() { - let client = Client::tracked(rocket()) - .await - .expect("valid rocket instance"); - let response = client - .post("/verify") - .header(ContentType::JSON) - .body(r#"{"invalid": "request"}"#) - .dispatch() - .await; - - assert_eq!(response.status(), Status::UnprocessableEntity); - } -} From a24476f2cd43929b0608ae0f5f40a687f5bd44de Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 23 Sep 2025 13:33:45 +0000 Subject: [PATCH 029/133] Update doc for verifier --- sdk/curl/api.md | 3 +- verifier/README.md | 108 ++++++++++++++++++----------------- verifier/src/types.rs | 1 + verifier/src/verification.rs | 23 +++++--- 4 files changed, 75 insertions(+), 60 deletions(-) diff --git a/sdk/curl/api.md b/sdk/curl/api.md index 73400d38..f2f4c518 100644 --- a/sdk/curl/api.md +++ b/sdk/curl/api.md @@ -131,7 +131,8 @@ curl --unix-socket /var/run/dstack.sock http://dstack/GetQuote?report_data=00000 { "quote": "", "event_log": "quote generation log", - "report_data": "" + "report_data": "", + "vm_config": "" } ``` diff --git a/verifier/README.md b/verifier/README.md index 51cf3dbc..50c37e32 100644 --- a/verifier/README.md +++ b/verifier/README.md @@ -1,20 +1,12 @@ # dstack-verifier -A HTTP server that provides CVM (Confidential Virtual Machine) verification services using the same verification process as the dstack KMS. - -## Features - -- **TDX Quote Verification**: Uses dcap-qvl to verify TDX quotes -- **Event Log Verification**: Validates event logs and extracts app information -- **OS Image Hash Verification**: Uses dstack-mr to ensure OS image hash matches expected measurements -- **Automatic Image Download**: Downloads and caches OS images automatically when not found locally -- **RESTful API**: Simple HTTP endpoints for verification requests +A HTTP server that provides dstack quote verification services using the same verification process as the dstack KMS. ## API Endpoints ### POST /verify -Verifies a CVM attestation with the provided quote, event log, and VM configuration. +Verifies a dstack quote with the provided quote and VM configuration. The body can be grabbed via [getQuote](https://github.com/Dstack-TEE/dstack/blob/master/sdk/curl/api.md#3-get-quote). **Request Body:** ```json @@ -22,7 +14,6 @@ Verifies a CVM attestation with the provided quote, event log, and VM configurat "quote": "hex-encoded-quote", "event_log": "hex-encoded-event-log", "vm_config": "json-vm-config-string", - "pccs_url": "optional-pccs-url" } ``` @@ -71,11 +62,6 @@ Health check endpoint that returns service status. ## Configuration -Configuration can be provided via: -1. TOML file (default: `dstack-verifier.toml`) -2. Environment variables with prefix `DSTACK_VERIFIER_` -3. Command line arguments - ### Configuration Options - `host`: Server bind address (default: "0.0.0.0") @@ -90,14 +76,16 @@ Configuration can be provided via: ```toml host = "0.0.0.0" port = 8080 -image_cache_dir = "/var/cache/dstack-verifier" +image_cache_dir = "/tmp/dstack-verifier/cache" image_download_url = "http://0.0.0.0:8000/mr_{OS_IMAGE_HASH}.tar.gz" image_download_timeout_secs = 300 -pccs_url = "https://pccs.example.com" +pccs_url = "https://pccs.phala.network" ``` ## Usage +### Running with Cargo + ```bash # Run with default config cargo run --bin dstack-verifier @@ -106,29 +94,64 @@ cargo run --bin dstack-verifier cargo run --bin dstack-verifier -- --config /path/to/config.toml # Set via environment variables -DSTACK_VERIFIER_PORT=9000 cargo run --bin dstack-verifier +DSTACK_VERIFIER_PORT=8080 cargo run --bin dstack-verifier ``` -## Testing +### Running with Docker Compose + +```yaml +services: + dstack-verifier: + image: kvin/dstack-verifier:latest + ports: + - "8080:8080" + restart: unless-stopped +``` + +Save the docker compose file as `docker-compose.yml` and run `docker compose up -d`. + +### Request verification -Two test scripts are provided for easy testing: +Grab a quote from your app. It's depends on your app how to grab a quote. -### Full Test (with server management) ```bash -./test.sh +# Grab a quote from the demo app +curl https://712eab2f507b963e11144ae67218177e93ac2a24-3000.app.kvin.wang:12004/GetQuote?report_data=0x1234 -o quote.json + ``` -This script will: -- Build the project -- Start the server -- Run the verification test -- Display detailed results -- Clean up automatically - -### Quick Test (assumes server is running) + +Send the quote to the verifier. + ```bash -./quick-test.sh +$ curl -s -d @quote.json localhost:8080/verify | jq +{ + "is_valid": true, + "details": { + "quote_verified": true, + "event_log_verified": true, + "os_image_hash_verified": true, + "report_data": "12340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", + "tcb_status": "UpToDate", + "advisory_ids": [], + "app_info": { + "app_id": "e631a04a5d068c0e5ffd8ca60d6574ac99a18bda", + "compose_hash": "e631a04a5d068c0e5ffd8ca60d6574ac99a18bdaf0417d129d0c4ac52244d40f", + "instance_id": "712eab2f507b963e11144ae67218177e93ac2a24", + "device_id": "ee218f44a5f0a9c3233f9cc09f0cd41518f376478127feb989d5cf1292c56a01", + "mrtd": "f06dfda6dce1cf904d4e2bab1dc370634cf95cefa2ceb2de2eee127c9382698090d7a4a13e14c536ec6c9c3c8fa87077", + "rtmr0": "68102e7b524af310f7b7d426ce75481e36c40f5d513a9009c046e9d37e31551f0134d954b496a3357fd61d03f07ffe96", + "rtmr1": "a7b523278d4f914ee8df0ec80cd1c3d498cbf1152b0c5eaf65bad9425072874a3fcf891e8b01713d3d9937e3e0d26c15", + "rtmr2": "dbf4924c07f5066f3dc6859844184344306aa3263817153dcaee85af97d23e0c0b96efe0731d8865a8747e51b9e351ac", + "rtmr3": "5e7d8d84317343d28d73031d0be3c75f25facb1b20c9835a44582b8b0115de1acfe2d19350437dbd63846bcc5d7bf328", + "mr_system": "145010fa227e6c2537ad957c64e4a8486fcbfd8265ddfb359168b59afcff1d05", + "mr_aggregated": "52f6d7ccbee1bfa870709e8ff489e016e2e5c25a157b7e22ef1ea68fce763694", + "os_image_hash": "b6420818b356b198bdd70f076079aa0299a20279b87ab33ada7b2770ef432a5a", + "key_provider_info": "7b226e616d65223a226b6d73222c226964223a223330353933303133303630373261383634386365336430323031303630383261383634386365336430333031303730333432303030343139623234353764643962386161363434366439383066313336666666373831326563643663373737343065656230653238623130643536633063303030323861356236653539646365613330376435383362643166373037363965396331313664663262636662313735386139356438363133653764653163383438326330227d" + } + }, + "reason": null +} ``` -This script assumes the server is already running and just sends a test request. ## Verification Process @@ -142,22 +165,3 @@ The verifier performs three main verification steps: - Compares against the verified measurements from the quote All three steps must pass for the verification to be considered valid. - -### Automatic Image Download - -When an OS image is not found in the local cache, the verifier will: - -1. **Download**: Fetch the image tarball from the configured URL -2. **Extract**: Extract the tarball contents to a temporary directory -3. **Verify**: Check SHA256 checksums to ensure file integrity -4. **Validate**: Confirm the OS image hash matches the computed hash -5. **Cache**: Move the validated files to the cache directory for future use - -The download URL template uses `{OS_IMAGE_HASH}` as a placeholder that gets replaced with the actual OS image hash from the verification request. - -## Dependencies - -- dcap-qvl: TDX quote verification -- dstack-mr: OS image measurement computation -- ra-tls: Attestation handling and verification -- rocket: HTTP server framework \ No newline at end of file diff --git a/verifier/src/types.rs b/verifier/src/types.rs index 28bdfe20..e4e5d2c5 100644 --- a/verifier/src/types.rs +++ b/verifier/src/types.rs @@ -11,6 +11,7 @@ pub struct VerificationRequest { pub event_log: String, pub vm_config: String, pub pccs_url: Option, + pub debug: Option, } #[derive(Debug, Clone, Serialize)] diff --git a/verifier/src/verification.rs b/verifier/src/verification.rs index 2525d92a..a5d2a492 100644 --- a/verifier/src/verification.rs +++ b/verifier/src/verification.rs @@ -167,6 +167,8 @@ impl CvmVerifier { let attestation = Attestation::new(quote, event_log) .context("Failed to create attestation from quote and event log")?; + let debug = request.debug.unwrap_or(false); + let mut details = VerificationDetails { quote_verified: false, event_log_verified: false, @@ -205,7 +207,7 @@ impl CvmVerifier { // Step 3: Verify os-image-hash matches using dstack-mr if let Err(e) = self - .verify_os_image_hash(&vm_config, &verified_attestation, &mut details) + .verify_os_image_hash(&vm_config, &verified_attestation, debug, &mut details) .await { return Ok(VerificationResponse { @@ -255,6 +257,7 @@ impl CvmVerifier { &self, vm_config: &VmConfig, attestation: &VerifiedAttestation, + debug: bool, details: &mut VerificationDetails, ) -> Result<()> { let hex_os_image_hash = hex::encode(&vm_config.os_image_hash); @@ -328,11 +331,13 @@ impl CvmVerifier { let mrs = measurement_details.measurements; let expected_logs = measurement_details.rtmr_logs; - details.acpi_tables = Some(AcpiTables { - tables: hex::encode(&measurement_details.acpi_tables.tables), - rsdp: hex::encode(&measurement_details.acpi_tables.rsdp), - loader: hex::encode(&measurement_details.acpi_tables.loader), - }); + if debug { + details.acpi_tables = Some(AcpiTables { + tables: hex::encode(&measurement_details.acpi_tables.tables), + rsdp: hex::encode(&measurement_details.acpi_tables.rsdp), + loader: hex::encode(&measurement_details.acpi_tables.loader), + }); + } let expected_mrs = Mrs { mrtd: mrs.mrtd.clone(), @@ -354,6 +359,10 @@ impl CvmVerifier { match expected_mrs.assert_eq(&verified_mrs) { Ok(()) => Ok(()), Err(e) => { + let result = Err(e).context("MRs do not match"); + if !debug { + return result; + } let mut rtmr_debug = Vec::new(); if expected_mrs.rtmr0 != verified_mrs.rtmr0 { @@ -393,7 +402,7 @@ impl CvmVerifier { details.rtmr_debug = Some(rtmr_debug); } - Err(e.context("MRs do not match")) + result } } } From 96ac391dbcc80b53f99f014601021bff97501c5d Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 23 Sep 2025 13:34:09 +0000 Subject: [PATCH 030/133] Add cache for verifer --- verifier/src/verification.rs | 258 ++++++++++++++++++++++++++++++----- 1 file changed, 224 insertions(+), 34 deletions(-) diff --git a/verifier/src/verification.rs b/verifier/src/verification.rs index a5d2a492..a53da571 100644 --- a/verifier/src/verification.rs +++ b/verifier/src/verification.rs @@ -2,16 +2,21 @@ // // SPDX-License-Identifier: Apache-2.0 -use std::{ffi::OsStr, path::Path, time::Duration}; +use std::{ + ffi::OsStr, + path::{Path, PathBuf}, + time::Duration, +}; -use anyhow::{bail, Context, Result}; +use anyhow::{anyhow, bail, Context, Result}; use cc_eventlog::TdxEventLog as EventLog; -use dstack_mr::RtmrLog; +use dstack_mr::{RtmrLog, TdxMeasurementDetails, TdxMeasurements}; use dstack_types::VmConfig; use ra_tls::attestation::{Attestation, VerifiedAttestation}; +use serde::{Deserialize, Serialize}; use sha2::{Digest as _, Sha256, Sha384}; use tokio::{io::AsyncWriteExt, process::Command}; -use tracing::info; +use tracing::{debug, info, warn}; use crate::types::{ AcpiTables, RtmrEventEntry, RtmrEventStatus, RtmrMismatch, VerificationDetails, @@ -143,6 +148,14 @@ fn collect_rtmr_mismatch( } } +const MEASUREMENT_CACHE_VERSION: u32 = 1; + +#[derive(Clone, Serialize, Deserialize)] +struct CachedMeasurement { + version: u32, + measurements: TdxMeasurements, +} + pub struct CvmVerifier { pub image_cache_dir: String, pub download_url: String, @@ -158,6 +171,178 @@ impl CvmVerifier { } } + fn measurement_cache_dir(&self) -> PathBuf { + Path::new(&self.image_cache_dir).join("measurements") + } + + fn measurement_cache_path(&self, cache_key: &str) -> PathBuf { + self.measurement_cache_dir() + .join(format!("{cache_key}.json")) + } + + fn vm_config_cache_key(vm_config: &VmConfig) -> Result { + let serialized = serde_json::to_vec(vm_config) + .context("Failed to serialize VM config for cache key computation")?; + Ok(hex::encode(Sha256::digest(&serialized))) + } + + fn load_measurements_from_cache(&self, cache_key: &str) -> Result> { + let path = self.measurement_cache_path(cache_key); + if !path.exists() { + return Ok(None); + } + + let path_display = path.display().to_string(); + let contents = match fs_err::read(&path) { + Ok(data) => data, + Err(e) => { + warn!("Failed to read measurement cache {}: {e:?}", path_display); + return Ok(None); + } + }; + + let cached: CachedMeasurement = match serde_json::from_slice(&contents) { + Ok(entry) => entry, + Err(e) => { + warn!("Failed to parse measurement cache {}: {e:?}", path_display); + return Ok(None); + } + }; + + if cached.version != MEASUREMENT_CACHE_VERSION { + debug!( + "Ignoring measurement cache {} due to version mismatch (found {}, expected {})", + path_display, cached.version, MEASUREMENT_CACHE_VERSION + ); + return Ok(None); + } + + debug!("Loaded measurement cache entry {}", cache_key); + Ok(Some(cached.measurements)) + } + + fn store_measurements_in_cache( + &self, + cache_key: &str, + measurements: &TdxMeasurements, + ) -> Result<()> { + let cache_dir = self.measurement_cache_dir(); + fs_err::create_dir_all(&cache_dir) + .context("Failed to create measurement cache directory")?; + + let path = self.measurement_cache_path(cache_key); + let mut tmp = tempfile::NamedTempFile::new_in(&cache_dir) + .context("Failed to create temporary cache file")?; + + let entry = CachedMeasurement { + version: MEASUREMENT_CACHE_VERSION, + measurements: measurements.clone(), + }; + serde_json::to_writer(tmp.as_file_mut(), &entry) + .context("Failed to serialize measurement cache entry")?; + tmp.as_file_mut() + .sync_all() + .context("Failed to flush measurement cache entry to disk")?; + + tmp.persist(&path).map_err(|e| { + anyhow!( + "Failed to persist measurement cache to {}: {e}", + path.display() + ) + })?; + debug!("Stored measurement cache entry {}", cache_key); + Ok(()) + } + + fn compute_measurement_details( + &self, + vm_config: &VmConfig, + fw_path: &Path, + kernel_path: &Path, + initrd_path: &Path, + kernel_cmdline: &str, + ) -> Result { + let firmware = fw_path.display().to_string(); + let kernel = kernel_path.display().to_string(); + let initrd = initrd_path.display().to_string(); + + let details = dstack_mr::Machine::builder() + .cpu_count(vm_config.cpu_count) + .memory_size(vm_config.memory_size) + .firmware(&firmware) + .kernel(&kernel) + .initrd(&initrd) + .kernel_cmdline(kernel_cmdline) + .root_verity(true) + .hotplug_off(vm_config.hotplug_off) + .maybe_two_pass_add_pages(vm_config.qemu_single_pass_add_pages) + .maybe_pic(vm_config.pic) + .maybe_qemu_version(vm_config.qemu_version.clone()) + .maybe_pci_hole64_size(if vm_config.pci_hole64_size > 0 { + Some(vm_config.pci_hole64_size) + } else { + None + }) + .hugepages(vm_config.hugepages) + .num_gpus(vm_config.num_gpus) + .num_nvswitches(vm_config.num_nvswitches) + .build() + .measure_with_logs() + .context("Failed to compute expected MRs")?; + + Ok(details) + } + + fn compute_measurements( + &self, + vm_config: &VmConfig, + fw_path: &Path, + kernel_path: &Path, + initrd_path: &Path, + kernel_cmdline: &str, + ) -> Result { + self.compute_measurement_details( + vm_config, + fw_path, + kernel_path, + initrd_path, + kernel_cmdline, + ) + .map(|details| details.measurements) + } + + fn load_or_compute_measurements( + &self, + vm_config: &VmConfig, + fw_path: &Path, + kernel_path: &Path, + initrd_path: &Path, + kernel_cmdline: &str, + ) -> Result { + let cache_key = Self::vm_config_cache_key(vm_config)?; + + if let Some(measurements) = self.load_measurements_from_cache(&cache_key)? { + return Ok(measurements); + } + + let measurements = self.compute_measurements( + vm_config, + fw_path, + kernel_path, + initrd_path, + kernel_cmdline, + )?; + + if let Err(e) = self.store_measurements_in_cache(&cache_key, &measurements) { + warn!( + "Failed to write measurement cache entry for {}: {e:?}", + cache_key + ); + } + + Ok(measurements) + } + pub async fn verify(&self, request: &VerificationRequest) -> Result { let quote = hex::decode(&request.quote).context("Failed to decode quote hex")?; @@ -305,39 +490,41 @@ impl CvmVerifier { let kernel_cmdline = image_info.cmdline + " initrd=initrd"; // Use dstack-mr to compute expected MRs - let measurement_details = dstack_mr::Machine::builder() - .cpu_count(vm_config.cpu_count) - .memory_size(vm_config.memory_size) - .firmware(&fw_path.display().to_string()) - .kernel(&kernel_path.display().to_string()) - .initrd(&initrd_path.display().to_string()) - .kernel_cmdline(&kernel_cmdline) - .root_verity(true) - .hotplug_off(vm_config.hotplug_off) - .maybe_two_pass_add_pages(vm_config.qemu_single_pass_add_pages) - .maybe_pic(vm_config.pic) - .maybe_qemu_version(vm_config.qemu_version.clone()) - .maybe_pci_hole64_size(if vm_config.pci_hole64_size > 0 { - Some(vm_config.pci_hole64_size) - } else { - None - }) - .hugepages(vm_config.hugepages) - .num_gpus(vm_config.num_gpus) - .num_nvswitches(vm_config.num_nvswitches) - .build() - .measure_with_logs() - .context("Failed to compute expected MRs")?; + let (mrs, expected_logs) = if debug { + let TdxMeasurementDetails { + measurements, + rtmr_logs, + acpi_tables, + } = self + .compute_measurement_details( + vm_config, + &fw_path, + &kernel_path, + &initrd_path, + &kernel_cmdline, + ) + .context("Failed to compute expected measurements")?; - let mrs = measurement_details.measurements; - let expected_logs = measurement_details.rtmr_logs; - if debug { details.acpi_tables = Some(AcpiTables { - tables: hex::encode(&measurement_details.acpi_tables.tables), - rsdp: hex::encode(&measurement_details.acpi_tables.rsdp), - loader: hex::encode(&measurement_details.acpi_tables.loader), + tables: hex::encode(&acpi_tables.tables), + rsdp: hex::encode(&acpi_tables.rsdp), + loader: hex::encode(&acpi_tables.loader), }); - } + + (measurements, Some(rtmr_logs)) + } else { + ( + self.load_or_compute_measurements( + vm_config, + &fw_path, + &kernel_path, + &initrd_path, + &kernel_cmdline, + ) + .context("Failed to obtain expected measurements")?, + None, + ) + }; let expected_mrs = Mrs { mrtd: mrs.mrtd.clone(), @@ -363,6 +550,9 @@ impl CvmVerifier { if !debug { return result; } + let Some(expected_logs) = expected_logs.as_ref() else { + return result; + }; let mut rtmr_debug = Vec::new(); if expected_mrs.rtmr0 != verified_mrs.rtmr0 { From 30acf0b05659a96f09a63616965941f658973465 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 24 Sep 2025 03:37:44 +0000 Subject: [PATCH 031/133] Update GH workflow to push images to org --- .github/workflows/gateway-release.yml | 6 +++--- .github/workflows/kms-release.yml | 6 +++--- .github/workflows/verifier-release.yml | 6 +++--- verifier/README.md | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/gateway-release.yml b/.github/workflows/gateway-release.yml index 493a7a41..e983b89a 100644 --- a/.github/workflows/gateway-release.yml +++ b/.github/workflows/gateway-release.yml @@ -51,7 +51,7 @@ jobs: with: context: gateway/dstack-app/builder push: true - tags: ${{ vars.DOCKERHUB_USERNAME }}/gateway:${{ env.VERSION }} + tags: ${{ vars.DOCKERHUB_ORG }}/dstack-gateway:${{ env.VERSION }} platforms: linux/amd64 provenance: false build-args: | @@ -61,7 +61,7 @@ jobs: - name: Generate artifact attestation uses: actions/attest-build-provenance@v1 with: - subject-name: "docker.io/${{ vars.DOCKERHUB_USERNAME }}/gateway" + subject-name: "docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-gateway" subject-digest: ${{ steps.build-and-push.outputs.digest }} push-to-registry: true @@ -72,7 +72,7 @@ jobs: body: | ## Docker Image Information - **Image**: `docker.io/${{ vars.DOCKERHUB_USERNAME }}/gateway:${{ env.VERSION }}` + **Image**: `docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-gateway:${{ env.VERSION }}` **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}` diff --git a/.github/workflows/kms-release.yml b/.github/workflows/kms-release.yml index f3f45e4f..b5384372 100644 --- a/.github/workflows/kms-release.yml +++ b/.github/workflows/kms-release.yml @@ -54,7 +54,7 @@ jobs: with: context: kms/dstack-app/builder push: true - tags: ${{ vars.DOCKERHUB_USERNAME }}/kms:${{ env.VERSION }} + tags: ${{ vars.DOCKERHUB_ORG }}/dstack-kms:${{ env.VERSION }} platforms: linux/amd64 provenance: false build-args: | @@ -65,7 +65,7 @@ jobs: - name: Generate artifact attestation uses: actions/attest-build-provenance@v1 with: - subject-name: "docker.io/${{ vars.DOCKERHUB_USERNAME }}/kms" + subject-name: "docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-kms" subject-digest: ${{ steps.build-and-push.outputs.digest }} push-to-registry: true @@ -92,7 +92,7 @@ jobs: body: | ## Docker Image Information - **Image**: `docker.io/${{ vars.DOCKERHUB_USERNAME }}/kms:${{ env.VERSION }}` + **Image**: `docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-kms:${{ env.VERSION }}` **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}` diff --git a/.github/workflows/verifier-release.yml b/.github/workflows/verifier-release.yml index 2c8d25f2..a7a4d28d 100644 --- a/.github/workflows/verifier-release.yml +++ b/.github/workflows/verifier-release.yml @@ -51,7 +51,7 @@ jobs: context: verifier file: verifier/builder/Dockerfile push: true - tags: ${{ vars.DOCKERHUB_USERNAME }}/dstack-verifier:${{ env.VERSION }} + tags: ${{ vars.DOCKERHUB_ORG }}/dstack-verifier:${{ env.VERSION }} platforms: linux/amd64 provenance: false build-args: | @@ -62,7 +62,7 @@ jobs: - name: Generate artifact attestation uses: actions/attest-build-provenance@v1 with: - subject-name: "docker.io/${{ vars.DOCKERHUB_USERNAME }}/dstack-verifier" + subject-name: "docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-verifier" subject-digest: ${{ steps.build-and-push.outputs.digest }} push-to-registry: true @@ -73,7 +73,7 @@ jobs: body: | ## Docker Image Information - **Image**: `docker.io/${{ vars.DOCKERHUB_USERNAME }}/dstack-verifier:${{ env.VERSION }}` + **Image**: `docker.io/${{ vars.DOCKERHUB_ORG }}/dstack-verifier:${{ env.VERSION }}` **Digest (SHA256)**: `${{ steps.build-and-push.outputs.digest }}` diff --git a/verifier/README.md b/verifier/README.md index 50c37e32..0ae36f7d 100644 --- a/verifier/README.md +++ b/verifier/README.md @@ -102,7 +102,7 @@ DSTACK_VERIFIER_PORT=8080 cargo run --bin dstack-verifier ```yaml services: dstack-verifier: - image: kvin/dstack-verifier:latest + image: dstacktee/dstack-verifier:latest ports: - "8080:8080" restart: unless-stopped From 1029b7a54beec22f4174915499134879735d490e Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 24 Sep 2025 08:26:04 +0000 Subject: [PATCH 032/133] Replace kvin.wang with dstack.org --- README.md | 35 +++++++--------------------- docs/deployment.md | 2 +- gateway/dstack-app/builder/README.md | 2 +- gateway/src/proxy/tls_passthough.rs | 2 +- kms/dstack-app/builder/README.md | 2 +- kms/dstack-app/deploy-to-vmm.sh | 2 +- sdk/simulator/sys-config.json | 4 ++-- verifier/README.md | 2 +- verifier/dstack-verifier.toml | 2 +- 9 files changed, 18 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index a68edb4e..a03c9131 100644 --- a/README.md +++ b/README.md @@ -212,9 +212,9 @@ Once your app is deployed and listening on an HTTP port, you can access it throu **Examples**: -- `3327603e03f5bd1f830812ca4a789277fc31f577-8080.app.kvin.wang` → port `8080` (TLS termination to any TCP) -- `3327603e03f5bd1f830812ca4a789277fc31f577-8080g.app.kvin.wang` → port `8080` (TLS termination with HTTP/2 negotiation) -- `3327603e03f5bd1f830812ca4a789277fc31f577-8080s.app.kvin.wang` → port `8080` (TLS passthrough to any TCP) +- `3327603e03f5bd1f830812ca4a789277fc31f577-8080.test0.dstack.org` → port `8080` (TLS termination to any TCP) +- `3327603e03f5bd1f830812ca4a789277fc31f577-8080g.test0.dstack.org` → port `8080` (TLS termination with HTTP/2 negotiation) +- `3327603e03f5bd1f830812ca4a789277fc31f577-8080s.test0.dstack.org` → port `8080` (TLS passthrough to any TCP) The `` can be either the app ID or instance ID. When using the app ID, the load balancer will select one of the available instances. Adding an `s` suffix enables TLS passthrough to the app instead of terminating at dstack-gateway. Adding a `g` suffix enables HTTPS/2 with TLS termination for gRPC applications. @@ -258,7 +258,7 @@ curl --unix-socket /var/run/dstack.sock http://localhost/GetQuote?report_data=0x Container logs can be obtained from the CVM's `dashboard` page or by curl: ```bash -curl 'http://.app.kvin.wang:9090/logs/?since=0&until=0&follow=true&text=true×tamps=true&bare=true' +curl 'http://.:9090/logs/?since=0&until=0&follow=true&text=true×tamps=true&bare=true' ``` Replace `` and `` with actual values. Available parameters: @@ -334,24 +334,7 @@ Then run the certbot in the `build/` and you will see the following log: $ RUST_LOG=info,certbot=debug ./certbot renew -c certbot.toml 2024-10-25T07:41:00.682990Z INFO certbot::bot: creating new ACME account 2024-10-25T07:41:00.869246Z INFO certbot::bot: created new ACME account: https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853 -2024-10-25T07:41:00.869270Z INFO certbot::bot: setting CAA records -2024-10-25T07:41:00.869276Z DEBUG certbot::acme_client: setting guard CAA records for app.kvin.wang -2024-10-25T07:41:01.740767Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683" -2024-10-25T07:41:01.991298Z DEBUG certbot::acme_client: removing existing CAA record app.kvin.wang 0 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168578683" -2024-10-25T07:41:02.216751Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issue "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853" -2024-10-25T07:41:02.424217Z DEBUG certbot::acme_client: setting CAA records for app.kvin.wang, 0 issuewild "letsencrypt.org;validationmethods=dns-01;accounturi=https://acme-staging-v02.api.letsencrypt.org/acme/acct/168601853" -2024-10-25T07:41:02.663824Z DEBUG certbot::acme_client: removing guard CAA records for app.kvin.wang -2024-10-25T07:41:03.095564Z DEBUG certbot::acme_client: generating new cert key pair -2024-10-25T07:41:03.095678Z DEBUG certbot::acme_client: requesting new certificates for *.app.kvin.wang -2024-10-25T07:41:03.095699Z DEBUG certbot::acme_client: creating new order -2024-10-25T07:41:03.250382Z DEBUG certbot::acme_client: order is pending, waiting for authorization -2024-10-25T07:41:03.283600Z DEBUG certbot::acme_client: creating dns record for app.kvin.wang -2024-10-25T07:41:04.027882Z DEBUG certbot::acme_client: challenge not found, waiting 500ms tries=2 domain="_acme-challenge.app.kvin.wang" -2024-10-25T07:41:04.600711Z DEBUG certbot::acme_client: challenge not found, waiting 1s tries=3 domain="_acme-challenge.app.kvin.wang" -2024-10-25T07:41:05.642300Z DEBUG certbot::acme_client: challenge not found, waiting 2s tries=4 domain="_acme-challenge.app.kvin.wang" -2024-10-25T07:41:07.715947Z DEBUG certbot::acme_client: challenge not found, waiting 4s tries=5 domain="_acme-challenge.app.kvin.wang" -2024-10-25T07:41:11.724831Z DEBUG certbot::acme_client: challenge not found, waiting 8s tries=6 domain="_acme-challenge.app.kvin.wang" -2024-10-25T07:41:19.815990Z DEBUG certbot::acme_client: challenge not found, waiting 16s tries=7 domain="_acme-challenge.app.kvin.wang" +... 2024-10-25T07:41:35.852790Z DEBUG certbot::acme_client: setting challenge ready for https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/14584884443/mQ-I2A 2024-10-25T07:41:35.934425Z DEBUG certbot::acme_client: challenges are ready, waiting for order to be ready 2024-10-25T07:41:37.972434Z DEBUG certbot::acme_client: order is ready, uploading csr @@ -391,16 +374,16 @@ Execute dstack-gateway with `sudo ./dstack-gateway -c gateway.toml`, then access To enhance security, we've limited TLS certificate issuance to dstack-gateway via CAA records. However, since these records can be modified through Cloudflare's domain management, we need to implement global CA certificate monitoring to maintain security oversight. -`ct_monitor` tracks Certificate Transparency logs via [https://crt.sh](https://crt.sh/?q=app.kvin.wang), comparing their public key with the ones got from dstack-gateway RPC. It immediately alerts when detecting unauthorized certificates not issued through dstack-gateway: +`ct_monitor` tracks Certificate Transparency logs via https://crt.sh, comparing their public key with the ones got from dstack-gateway RPC. It immediately alerts when detecting unauthorized certificates not issued through dstack-gateway: ```text -$ ./ct_monitor -t https://localhost:9010/prpc -d app.kvin.wang -2024-10-25T08:12:11.366463Z INFO ct_monitor: monitoring app.kvin.wang... +$ ./ct_monitor -t https://localhost:9010/prpc -d +2024-10-25T08:12:11.366463Z INFO ct_monitor: monitoring ... 2024-10-25T08:12:11.366488Z INFO ct_monitor: fetching known public keys from https://localhost:9010/prpc 2024-10-25T08:12:11.566222Z INFO ct_monitor: got 2 known public keys 2024-10-25T08:12:13.142122Z INFO ct_monitor: ✅ checked log id=14705660685 2024-10-25T08:12:13.802573Z INFO ct_monitor: ✅ checked log id=14705656674 -2024-10-25T08:12:14.494944Z ERROR ct_monitor: ❌ error in CTLog { id: 14666084839, issuer_ca_id: 295815, issuer_name: "C=US, O=Let's Encrypt, CN=R11", common_name: "kvin.wang", name_value: "*.app.kvin.wang", not_before: "2024-09-24T02:23:15", not_after: "2024-12-23T02:23:14", serial_number: "03ae796f56a933c8ff7e32c7c0d662a253d4", result_count: 1, entry_timestamp: "2024-09-24T03:21:45.825" } +2024-10-25T08:12:14.494944Z ERROR ct_monitor: ❌ error in CTLog { id: 14666084839, issuer_ca_id: 295815, issuer_name: "C=US, O=Let's Encrypt, CN=R11", common_name: "", name_value: "*.", not_before: "2024-09-24T02:23:15", not_after: "2024-12-23T02:23:14", serial_number: "03ae796f56a933c8ff7e32c7c0d662a253d4", result_count: 1, entry_timestamp: "2024-09-24T03:21:45.825" } 2024-10-25T08:12:14.494998Z ERROR ct_monitor: error: certificate has issued to unknown pubkey: 30820122300d06092a864886f70d01010105000382010f003082010a02820101009de65c767caf117880626d1acc1ee78f3c6a992e3fe458f34066f92812ac550190a67e49ebf4f537003c393c000a8ec3e114da088c0cb02ffd0881fd39a2b32cc60d2e9989f0efab3345bee418262e0179d307d8d361fd0837f85d17eab92ec6f4126247e614aa01f4efcc05bc6303a8be68230f04326c9e85406fc4d234e9ce92089253b11d002cdf325582df45d5da42981cd546cbd2e9e49f0fa6636e747a345aaf8cefa02556aa258e1f7f90906be8fe51567ac9626f35bc46837e4f3203387fee59c71cea400000007c24e7537debc1941b36ff1612990233e4c219632e35858b1771f17a71944adf6c657dd7303583e3aeed199bd36a3152f49980f4f30203010001 ``` diff --git a/docs/deployment.md b/docs/deployment.md index f2b7d017..26b2858f 100644 --- a/docs/deployment.md +++ b/docs/deployment.md @@ -104,7 +104,7 @@ GUEST_AGENT_ADDR=127.0.0.1:9205 ETH_RPC_URL=https://rpc.phala.network GIT_REV=HEAD OS_IMAGE=dstack-0.5.2 -IMAGE_DOWNLOAD_URL=https://files.kvin.wang/images/mr_{OS_IMAGE_HASH}.tar.gz +IMAGE_DOWNLOAD_URL=https://download.dstack.org/os-images/mr_{OS_IMAGE_HASH}.tar.gz ``` Then run the script again. diff --git a/gateway/dstack-app/builder/README.md b/gateway/dstack-app/builder/README.md index 40f376a3..b5387fa9 100644 --- a/gateway/dstack-app/builder/README.md +++ b/gateway/dstack-app/builder/README.md @@ -44,7 +44,7 @@ services: environment: - IMAGE_DOWNLOAD_URL=${IMAGE_DOWNLOAD_URL:-http://localhost:8001/mr_{OS_IMAGE_HASH}.tar.gz} - AUTH_TYPE=dev - - DEV_DOMAIN=kms.1022.kvin.wang + - DEV_DOMAIN=kms.1022.dstack.org - QUOTE_ENABLED=false ``` diff --git a/gateway/src/proxy/tls_passthough.rs b/gateway/src/proxy/tls_passthough.rs index 1131eb01..e2cea9d0 100644 --- a/gateway/src/proxy/tls_passthough.rs +++ b/gateway/src/proxy/tls_passthough.rs @@ -150,7 +150,7 @@ mod tests { async fn test_resolve_app_address() { let app_addr = resolve_app_address( "_dstack-app-address", - "3327603e03f5bd1f830812ca4a789277fc31f577.app.kvin.wang", + "3327603e03f5bd1f830812ca4a789277fc31f577.app.dstack.org", false, ) .await diff --git a/kms/dstack-app/builder/README.md b/kms/dstack-app/builder/README.md index 40f376a3..b5387fa9 100644 --- a/kms/dstack-app/builder/README.md +++ b/kms/dstack-app/builder/README.md @@ -44,7 +44,7 @@ services: environment: - IMAGE_DOWNLOAD_URL=${IMAGE_DOWNLOAD_URL:-http://localhost:8001/mr_{OS_IMAGE_HASH}.tar.gz} - AUTH_TYPE=dev - - DEV_DOMAIN=kms.1022.kvin.wang + - DEV_DOMAIN=kms.1022.dstack.org - QUOTE_ENABLED=false ``` diff --git a/kms/dstack-app/deploy-to-vmm.sh b/kms/dstack-app/deploy-to-vmm.sh index d2d6ce5b..48a8fd19 100755 --- a/kms/dstack-app/deploy-to-vmm.sh +++ b/kms/dstack-app/deploy-to-vmm.sh @@ -35,7 +35,7 @@ else # GUEST_AGENT_ADDR=127.0.0.1:9205 # The URL of the dstack app image download URL -# IMAGE_DOWNLOAD_URL=https://files.kvin.wang/images/mr_{OS_IMAGE_HASH}.tar.gz +# IMAGE_DOWNLOAD_URL=https://download.dstack.org/os-images/mr_{OS_IMAGE_HASH}.tar.gz # Image hash verification feature flag VERIFY_IMAGE=true diff --git a/sdk/simulator/sys-config.json b/sdk/simulator/sys-config.json index 02911d19..1b2d5b48 100644 --- a/sdk/simulator/sys-config.json +++ b/sdk/simulator/sys-config.json @@ -1,9 +1,9 @@ { "kms_urls": [ - "https://kms.1022.kvin.wang:12001" + "https://kms.1022.dstack.org:12001" ], "gateway_urls": [ - "https://tproxy.1022.kvin.wang:12002" + "https://tproxy.1022.dstack.org:12002" ], "pccs_url": "", "docker_registry": "", diff --git a/verifier/README.md b/verifier/README.md index 0ae36f7d..e8343ed2 100644 --- a/verifier/README.md +++ b/verifier/README.md @@ -116,7 +116,7 @@ Grab a quote from your app. It's depends on your app how to grab a quote. ```bash # Grab a quote from the demo app -curl https://712eab2f507b963e11144ae67218177e93ac2a24-3000.app.kvin.wang:12004/GetQuote?report_data=0x1234 -o quote.json +curl https://712eab2f507b963e11144ae67218177e93ac2a24-3000.test0.dstack.org:12004/GetQuote?report_data=0x1234 -o quote.json ``` diff --git a/verifier/dstack-verifier.toml b/verifier/dstack-verifier.toml index c53b5351..8c8a9b89 100644 --- a/verifier/dstack-verifier.toml +++ b/verifier/dstack-verifier.toml @@ -10,7 +10,7 @@ port = 8080 image_cache_dir = "/tmp/dstack-verifier/cache" # Image download URL template (replace {OS_IMAGE_HASH} with actual hash) -image_download_url = "https://dstack-images.phala.network/mr_{OS_IMAGE_HASH}.tar.gz" +image_download_url = "https://download.dstack.org/os-images/mr_{OS_IMAGE_HASH}.tar.gz" # Image download timeout in seconds image_download_timeout_secs = 300 From 1594ba260a2c489689c438d9dee005a24731dd5b Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 24 Sep 2025 09:44:54 +0000 Subject: [PATCH 033/133] Update attestation.md use latest dstack-mr --- attestation.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/attestation.md b/attestation.md index ddafc835..c10232cd 100644 --- a/attestation.md +++ b/attestation.md @@ -33,26 +33,26 @@ RTMR3 differs as it contains runtime information like compose hash and instance ### 2.2. Determining expected MRs MRTD, RTMR0, RTMR1, and RTMR2 correspond to the image. dstack OS builds all related software from source. -Build version v0.4.0 using these commands: +Build version v0.5.4 using these commands: ```bash git clone https://github.com/Dstack-TEE/meta-dstack.git cd meta-dstack/ -git checkout 15189bcb5397083b5c650a438243ce3f29e705f4 +git checkout f7c795b76faa693f218e1c255007e3a68c541d79 git submodule update --init --recursive cd repro-build && ./repro-build.sh -n ``` -The resulting dstack-v0.4.0.tar.gz contains: +The resulting dstack-0.5.4.tar.gz contains: - ovmf.fd: virtual firmware - bzImage: kernel image - initramfs.cpio.gz: initrd -- rootfs.cpio: root filesystem +- rootfs.img.verity: root filesystem - metadata.json: image metadata, including kernel boot cmdline -Calculate image MRs using [dstack-mr](https://github.com/kvinwang/dstack-mr): +Calculate image MRs using [dstack-mr](dstack-mr/): ```bash -dstack-mr -cpu 4 -ram 4096 -metadata dstack-v0.4.0/metadata.json +cargo run --manifest-path ../dstack/Cargo.toml --bin dstack-mr measure -c 4 -m 4G dstack-0.5.4/metadata.json ``` Once these verification steps are completed successfully, the report_data contained in the verified quote can be considered authentic and trustworthy. From dd91bff339a4364c7d271d04d246cb6fc892851a Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 24 Sep 2025 09:49:34 +0000 Subject: [PATCH 034/133] dstack-mr: Fix potential panic due to int overflow --- dstack-mr/src/kernel.rs | 21 ++++++++++++----- dstack-mr/src/tdvf.rs | 50 ++++++++++++++++++++++++++++++++--------- 2 files changed, 54 insertions(+), 17 deletions(-) diff --git a/dstack-mr/src/kernel.rs b/dstack-mr/src/kernel.rs index 9fd465e6..51c7bb46 100644 --- a/dstack-mr/src/kernel.rs +++ b/dstack-mr/src/kernel.rs @@ -99,7 +99,7 @@ fn authenticode_sha384_hash(data: &[u8]) -> Result> { let trailing_data_len = file_size - sum_of_bytes_hashed; if trailing_data_len > cert_table_size { - let hashed_trailing_len = trailing_data_len - cert_table_size; + let hashed_trailing_len = trailing_data_len.saturating_sub(cert_table_size); let trailing_start = sum_of_bytes_hashed; if trailing_start + hashed_trailing_len <= data.len() { @@ -142,14 +142,14 @@ fn patch_kernel( } if protocol >= 0x201 { kd[0x211] |= 0x80; // loadflags |= CAN_USE_HEAP - let heap_end_ptr = cmdline_addr - real_addr - 0x200; + let heap_end_ptr = cmdline_addr.saturating_sub(real_addr).saturating_sub(0x200); kd[0x224..0x228].copy_from_slice(&heap_end_ptr.to_le_bytes()); } if protocol >= 0x202 { kd[0x228..0x22C].copy_from_slice(&cmdline_addr.to_le_bytes()); } else { kd[0x20..0x22].copy_from_slice(&0xa33f_u16.to_le_bytes()); - let offset = (cmdline_addr - real_addr) as u16; + let offset = cmdline_addr.saturating_sub(real_addr) as u16; kd[0x22..0x24].copy_from_slice(&offset.to_le_bytes()); } @@ -186,14 +186,23 @@ fn patch_kernel( mem_size as u32 }; - if initrd_max >= below_4g_mem_size - acpi_data_size { - initrd_max = below_4g_mem_size - acpi_data_size - 1; + if let Some(available_mem) = below_4g_mem_size.checked_sub(acpi_data_size) { + if initrd_max >= available_mem { + initrd_max = available_mem.saturating_sub(1); + } + } else { + // If acpi_data_size >= below_4g_mem_size, we have no memory available + bail!( + "ACPI data size ({}) exceeds available memory ({})", + acpi_data_size, + below_4g_mem_size + ); } if initrd_size >= initrd_max { bail!("initrd is too large"); } - let initrd_addr = (initrd_max - initrd_size) & !4095; + let initrd_addr = initrd_max.saturating_sub(initrd_size) & !4095; kd[0x218..0x21C].copy_from_slice(&initrd_addr.to_le_bytes()); kd[0x21C..0x220].copy_from_slice(&initrd_size.to_le_bytes()); } diff --git a/dstack-mr/src/tdvf.rs b/dstack-mr/src/tdvf.rs index a5d577a8..246cced6 100644 --- a/dstack-mr/src/tdvf.rs +++ b/dstack-mr/src/tdvf.rs @@ -82,20 +82,30 @@ impl<'a> Tdvf<'a> { const TABLE_FOOTER_GUID: &str = "96b582de-1fb2-45f7-baea-a366c55a082d"; const BYTES_AFTER_TABLE_FOOTER: usize = 32; + if fw.len() < BYTES_AFTER_TABLE_FOOTER { + bail!("TDVF firmware too small"); + } let offset = fw.len() - BYTES_AFTER_TABLE_FOOTER; let encoded_footer_guid = encode_guid(TABLE_FOOTER_GUID)?; + if offset < 16 { + bail!("TDVF firmware offset too small for GUID"); + } let guid = &fw[offset - 16..offset]; if guid != encoded_footer_guid { bail!("Failed to parse TDVF metadata: Invalid footer GUID"); } + if offset < 18 { + bail!("TDVF firmware offset too small for tables length"); + } let tables_len = u16::from_le_bytes(fw[offset - 18..offset - 16].try_into().unwrap()) as usize; - if tables_len == 0 || tables_len > offset - 18 { + if tables_len == 0 || tables_len > offset.saturating_sub(18) { bail!("Failed to parse TDVF metadata: Invalid tables length"); } - let tables = &fw[offset - 18 - tables_len..offset - 18]; + let table_start = offset.saturating_sub(18).saturating_sub(tables_len); + let tables = &fw[table_start..offset - 18]; let mut offset = tables.len(); let mut data: Option<&[u8]> = None; @@ -106,21 +116,28 @@ impl<'a> Tdvf<'a> { } let guid = &tables[offset - 16..offset]; let entry_len = read_le::(tables, offset - 18, "entry length")? as usize; - if entry_len > offset - 18 { + if entry_len > offset.saturating_sub(18) { bail!("Failed to parse TDVF metadata: Invalid entry length"); } if guid == encoded_guid { - data = Some(&tables[offset - 18 - entry_len..offset - 18]); + let entry_start = offset.saturating_sub(18).saturating_sub(entry_len); + data = Some(&tables[entry_start..offset - 18]); break; } - offset -= entry_len; + offset = offset.saturating_sub(entry_len); } let data = data.context("Failed to parse TDVF metadata: Missing TDVF metadata")?; - let tdvf_meta_offset = + if data.len() < 4 { + bail!("TDVF metadata data too small"); + } + let tdvf_meta_offset_raw = u32::from_le_bytes(data[data.len() - 4..].try_into().unwrap()) as usize; - let tdvf_meta_offset = fw.len() - tdvf_meta_offset; + if tdvf_meta_offset_raw > fw.len() { + bail!("TDVF metadata offset exceeds firmware size"); + } + let tdvf_meta_offset = fw.len() - tdvf_meta_offset_raw; let tdvf_meta_desc = &fw[tdvf_meta_offset..tdvf_meta_offset + 16]; if &tdvf_meta_desc[..4] != b"TDVF" { @@ -311,16 +328,27 @@ impl<'a> Tdvf<'a> { let (_, last_start, last_end) = memory_acceptor.ranges.pop().expect("No ranges"); for (accepted, start, end) in memory_acceptor.ranges { + if end < start { + bail!("Invalid memory range: end < start"); + } + let size = end - start; if accepted { - add_memory_resource_hob(0x00, start, end - start); + add_memory_resource_hob(0x00, start, size); } else { - add_memory_resource_hob(0x07, start, end - start); + add_memory_resource_hob(0x07, start, size); } } + if last_end < last_start { + bail!("Invalid last memory range: end < start"); + } if memory_size >= 0xB0000000 { - add_memory_resource_hob(0x07, last_start, 0x80000000u64 - last_start); - add_memory_resource_hob(0x07, 0x100000000, last_end - 0x80000000u64); + if last_start < 0x80000000u64 { + add_memory_resource_hob(0x07, last_start, 0x80000000u64 - last_start); + } + if last_end > 0x80000000u64 { + add_memory_resource_hob(0x07, 0x100000000, last_end - 0x80000000u64); + } } else { add_memory_resource_hob(0x07, last_start, last_end - last_start); } From 536cbc0e94ffc4e5dbd6493fca0bba8faa118608 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 24 Sep 2025 10:18:00 +0000 Subject: [PATCH 035/133] Fix deployment.md --- docs/deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deployment.md b/docs/deployment.md index f2b7d017..0dc61612 100644 --- a/docs/deployment.md +++ b/docs/deployment.md @@ -165,7 +165,7 @@ After you get the `os_image_hash`, you can register it to the KMS whitelist by r ```bash cd dstack/kms/auth-eth -npx hardhat kms:add-image --network phala --mr +npx hardhat kms:add-image --network phala 0x ``` ### Register dstack-gateway in KMS From c50f7f37ea0711b51f9015cee33609b7178c028d Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Thu, 25 Sep 2025 00:47:50 +0000 Subject: [PATCH 036/133] Fix VmConfig decode error --- dstack-types/src/lib.rs | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/dstack-types/src/lib.rs b/dstack-types/src/lib.rs index 439d9905..5ecf70db 100644 --- a/dstack-types/src/lib.rs +++ b/dstack-types/src/lib.rs @@ -138,8 +138,11 @@ pub struct VmConfig { pub cpu_count: u32, pub memory_size: u64, // https://github.com/intel-staging/qemu-tdx/issues/1 + #[serde(default, skip_serializing_if = "Option::is_none")] pub qemu_single_pass_add_pages: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] pub pic: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] pub qemu_version: Option, #[serde(default)] pub pci_hole64_size: u64, @@ -151,6 +154,7 @@ pub struct VmConfig { pub num_nvswitches: u32, #[serde(default)] pub hotplug_off: bool, + #[serde(default, skip_serializing_if = "Option::is_none")] pub image: Option, } From 6b80ce10a372c100c260260c48bca86c67e942dd Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Fri, 26 Sep 2025 00:56:38 +0000 Subject: [PATCH 037/133] cvm: Support for configuration of storage fs type --- docs/security-guide/cvm-boundaries.md | 1 + dstack-types/src/lib.rs | 2 + dstack-util/src/system_setup.rs | 150 ++++++++++++++++++++++---- 3 files changed, 135 insertions(+), 18 deletions(-) diff --git a/docs/security-guide/cvm-boundaries.md b/docs/security-guide/cvm-boundaries.md index 1095e5da..0c99720e 100644 --- a/docs/security-guide/cvm-boundaries.md +++ b/docs/security-guide/cvm-boundaries.md @@ -41,6 +41,7 @@ This is the main configuration file for the application in JSON format: | secure_time | boolean | Whether secure time is enabled | | pre_launch_script | string | Prelaunch bash script that runs before execute `docker compose up` | | init_script | string | Bash script that executed prior to dockerd startup | +| storage_fs | string | Filesystem type for the data disk of the CVM. Supported values: "zfs", "ext4". default to "zfs". **ZFS:** Ensures filesystem integrity with built-in data protection features. **ext4:** Provides better performance for database applications with lower overhead and faster I/O operations, but no strong integrity protection. | The hash of this file content is extended to RTMR3 as event name `compose-hash`. Remote verifier can extract the compose-hash during remote attestation. diff --git a/dstack-types/src/lib.rs b/dstack-types/src/lib.rs index 5ecf70db..ba11f1ff 100644 --- a/dstack-types/src/lib.rs +++ b/dstack-types/src/lib.rs @@ -39,6 +39,8 @@ pub struct AppCompose { pub no_instance_id: bool, #[serde(default = "default_true")] pub secure_time: bool, + #[serde(default)] + pub storage_fs: Option, } fn default_true() -> bool { diff --git a/dstack-util/src/system_setup.rs b/dstack-util/src/system_setup.rs index 0470b1de..15cef6f1 100644 --- a/dstack-util/src/system_setup.rs +++ b/dstack-util/src/system_setup.rs @@ -6,6 +6,7 @@ use std::{ collections::{BTreeMap, BTreeSet}, ops::Deref, path::{Path, PathBuf}, + str::FromStr, }; use anyhow::{anyhow, bail, Context, Result}; @@ -77,6 +78,58 @@ struct InstanceInfo { app_id: Vec, } +#[derive(Debug, Clone, Copy, PartialEq, Default)] +enum FsType { + #[default] + Zfs, + Ext4, +} + +impl FromStr for FsType { + type Err = anyhow::Error; + fn from_str(s: &str) -> Result { + match s.to_lowercase().as_str() { + "zfs" => Ok(FsType::Zfs), + "ext4" => Ok(FsType::Ext4), + _ => bail!("Invalid filesystem type: {s}, supported types: zfs, ext4"), + } + } +} + +#[derive(Debug, Clone, Default)] +struct DstackOptions { + storage_encrypted: bool, + storage_fs: FsType, +} + +fn parse_dstack_options(shared: &HostShared) -> Result { + let cmdline = fs::read_to_string("/proc/cmdline").context("Failed to read /proc/cmdline")?; + + let mut options = DstackOptions { + storage_encrypted: true, // Default to encryption enabled + storage_fs: FsType::Zfs, // Default to ZFS + }; + + for param in cmdline.split_whitespace() { + if let Some(value) = param.strip_prefix("dstack.storage_encrypted=") { + match value { + "0" | "false" | "no" | "off" => options.storage_encrypted = false, + "1" | "true" | "yes" | "on" => options.storage_encrypted = true, + _ => { + bail!("Invalid value for dstack.storage_encrypted: {value}"); + } + } + } else if let Some(value) = param.strip_prefix("dstack.storage_fs=") { + options.storage_fs = value.parse().context("Failed to parse dstack.storage_fs")?; + } + } + + if let Some(fs) = &shared.app_compose.storage_fs { + options.storage_fs = fs.parse().context("Failed to parse storage_fs")?; + } + Ok(options) +} + impl InstanceInfo { fn is_initialized(&self) -> bool { !self.instance_id_seed.is_empty() @@ -433,36 +486,86 @@ impl<'a> Stage0<'a> { } } - async fn mount_data_disk(&self, initialized: bool, disk_crypt_key: &str) -> Result<()> { + async fn mount_data_disk( + &self, + initialized: bool, + disk_crypt_key: &str, + opts: &DstackOptions, + ) -> Result<()> { let name = "dstack_data_disk"; - let fs_dev = "/dev/mapper/".to_string() + name; let mount_point = &self.args.mount_point; + + // Determine the device to use based on encryption settings + let fs_dev = if opts.storage_encrypted { + format!("/dev/mapper/{name}") + } else { + self.args.device.to_string_lossy().to_string() + }; + if !initialized { self.vmm .notify_q("boot.progress", "initializing data disk") .await; - info!("Setting up disk encryption"); - self.luks_setup(disk_crypt_key, name)?; + + if opts.storage_encrypted { + info!("Setting up disk encryption"); + self.luks_setup(disk_crypt_key, name)?; + } else { + info!("Skipping disk encryption as requested by kernel cmdline"); + } + cmd! { mkdir -p $mount_point; - zpool create -o autoexpand=on dstack $fs_dev; - zfs create -o mountpoint=$mount_point -o atime=off -o checksum=blake3 dstack/data; + }?; + + match opts.storage_fs { + FsType::Zfs => { + info!("Creating ZFS filesystem"); + cmd! { + zpool create -o autoexpand=on dstack $fs_dev; + zfs create -o mountpoint=$mount_point -o atime=off -o checksum=blake3 dstack/data; + } + .context("Failed to create zpool")?; + } + FsType::Ext4 => { + info!("Creating ext4 filesystem"); + cmd! { + mkfs.ext4 -F $fs_dev; + mount $fs_dev $mount_point; + } + .context("Failed to create ext4 filesystem")?; + } } - .context("Failed to create zpool")?; } else { self.vmm .notify_q("boot.progress", "mounting data disk") .await; - info!("Mounting encrypted data disk"); - self.open_encrypted_volume(disk_crypt_key, name)?; - cmd! { - zpool import dstack; - zpool status dstack; - zpool online -e dstack $fs_dev; // triggers autoexpand + + if opts.storage_encrypted { + info!("Mounting encrypted data disk"); + self.open_encrypted_volume(disk_crypt_key, name)?; + } else { + info!("Mounting unencrypted data disk"); } - .context("Failed to import zpool")?; - if cmd!(mountpoint -q $mount_point).is_err() { - cmd!(zfs mount dstack/data).context("Failed to mount zpool")?; + + match opts.storage_fs { + FsType::Zfs => { + cmd! { + zpool import dstack; + zpool status dstack; + zpool online -e dstack $fs_dev; // triggers autoexpand + } + .context("Failed to import zpool")?; + if cmd!(mountpoint -q $mount_point).is_err() { + cmd!(zfs mount dstack/data).context("Failed to mount zpool")?; + } + } + FsType::Ext4 => { + if cmd!(mountpoint -q $mount_point).is_err() { + cmd!(mount $fs_dev $mount_point) + .context("Failed to mount ext4 filesystem")?; + } + } } } Ok(()) @@ -614,9 +717,20 @@ impl<'a> Stage0<'a> { let keys_json = serde_json::to_string(&app_keys).context("Failed to serialize app keys")?; fs::write(self.app_keys_file(), keys_json).context("Failed to write app keys")?; + // Parse kernel command line options + let opts = parse_dstack_options(&self.shared).context("Failed to parse kernel cmdline")?; + info!( + "Filesystem options: encryption={}, filesystem={:?}", + opts.storage_encrypted, opts.storage_fs + ); + self.vmm.notify_q("boot.progress", "unsealing env").await; - self.mount_data_disk(is_initialized, &hex::encode(&app_keys.disk_crypt_key)) - .await?; + self.mount_data_disk( + is_initialized, + &hex::encode(&app_keys.disk_crypt_key), + &opts, + ) + .await?; self.vmm .notify_q( "instance.info", From c0279f4306e7220f376b250635779ecffc08f3ca Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Fri, 26 Sep 2025 01:18:51 +0000 Subject: [PATCH 038/133] vmm: UI for storage fs selection --- vmm/src/console.html | 85 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 82 insertions(+), 3 deletions(-) diff --git a/vmm/src/console.html b/vmm/src/console.html index 3ab894fa..e2cfab5b 100644 --- a/vmm/src/console.html +++ b/vmm/src/console.html @@ -492,6 +492,56 @@ font-family: monospace; } + `; + result = result.replace(match[0], styleTag); + } + return result; +} + +async function inlineScripts(html, scripts) { + let result = html; + for (const { placeholder, code } of scripts) { + result = result.replace(placeholder, ``); + } + return result; +} + +async function run(command, args) { + await new Promise((resolve, reject) => { + const proc = spawn(command, args, { stdio: 'inherit' }); + proc.on('close', (code) => { + if (code === 0) { + resolve(); + } else { + reject(new Error(`${command} exited with code ${code}`)); + } + }); + }); +} + +async function copyDir(src, dest) { + const entries = await fs.readdir(src, { withFileTypes: true }); + await fs.mkdir(dest, { recursive: true }); + await Promise.all( + entries.map((entry) => { + const srcPath = path.join(src, entry.name); + const destPath = path.join(dest, entry.name); + if (entry.isDirectory()) { + return copyDir(srcPath, destPath); + } + return fs.copyFile(srcPath, destPath); + }), + ); +} + +async function compileProto() { + await run('bash', [path.join(ROOT, 'scripts', 'build_proto.sh')]); +} + +async function compileTypeScript() { + await fs.rm(TS_OUT_DIR, { recursive: true, force: true }); + await run(TSC, ['--project', path.join(ROOT, 'tsconfig.json')]); + await copyDir(path.join(SOURCE_DIR, 'templates'), path.join(TS_OUT_DIR, 'templates')); +} + +async function build({ watch = false } = {}) { + await fs.mkdir(DIST_DIR, { recursive: true }); + MODULE_DIR = TS_OUT_DIR; + + await compileProto(); + await compileTypeScript(); + + const entryId = canonicalId(path.resolve(MODULE_DIR, ENTRY)); + const modules = await collectModules(entryId); + const bundle = createBundle(modules, entryId); + + const indexPath = path.join(SOURCE_DIR, 'index.html'); + let html = await fs.readFile(indexPath, 'utf-8'); + html = await inlineStyles(html, SOURCE_DIR); + + const vuePlaceholder = /<\/script>/i; + const vuePath = path.join(ROOT, 'vendor/vue.global.prod.js'); + let vueInlined = false; + try { + const vueCode = await fs.readFile(vuePath, 'utf-8'); + html = html.replace(vuePlaceholder, ``); + vueInlined = true; + } catch { + console.warn('Warning: vendor/vue.global.prod.js not found – using CDN fallback.'); + } + if (!vueInlined) { + html = html.replace( + vuePlaceholder, + '', + ); + } + + html = await inlineScripts(html, [ + { + placeholder: '', + code: bundle, + }, + ]); + + const distFile = path.join(DIST_DIR, 'index.html'); + await fs.writeFile(distFile, html); + + const targetFile = path.resolve(ROOT, '../src/console_beta.html'); + await fs.writeFile(targetFile, html); + + if (watch) { + console.log('Watching for changes...'); + const watcher = fs.watch(SOURCE_DIR, { recursive: true }, async () => { + try { + await compileProto(); + await compileTypeScript(); + const mods = await collectModules(entryId); + const rebundle = createBundle(mods, entryId); + let rehtml = await fs.readFile(indexPath, 'utf-8'); + rehtml = await inlineStyles(rehtml, SOURCE_DIR); + let vueEmbedded = false; + try { + const vueCode = await fs.readFile(vuePath, 'utf-8'); + rehtml = rehtml.replace(vuePlaceholder, ``); + vueEmbedded = true; + } catch { + console.warn('Warning: vendor/vue.global.prod.js not found – using CDN fallback.'); + } + if (!vueEmbedded) { + rehtml = rehtml.replace( + vuePlaceholder, + '', + ); + } + rehtml = await inlineScripts(rehtml, [ + { + placeholder: '', + code: rebundle, + }, + ]); + await fs.writeFile(distFile, rehtml); + await fs.writeFile(targetFile, rehtml); + console.log('Rebuilt console'); + } catch (err) { + console.error('Build failed:', err); + } + }); + process.on('SIGINT', () => watcher.close()); + } +} + +const watchMode = process.argv.includes('--watch'); + +build({ watch: watchMode }).catch((error) => { + console.error(error); + process.exit(1); +}); diff --git a/vmm/ui/package-lock.json b/vmm/ui/package-lock.json new file mode 100644 index 00000000..22d204e9 --- /dev/null +++ b/vmm/ui/package-lock.json @@ -0,0 +1,778 @@ +{ + "name": "vmm-ui", + "version": "0.1.0", + "lockfileVersion": 3, + "requires": true, + "packages": { + "": { + "name": "vmm-ui", + "version": "0.1.0", + "devDependencies": { + "@types/node": "^20.11.30", + "protobufjs": "^7.2.4", + "protobufjs-cli": "^1.1.3", + "typescript": "^5.4.5" + } + }, + "node_modules/@babel/helper-string-parser": { + "version": "7.27.1", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/helper-validator-identifier": { + "version": "7.28.5", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@babel/parser": { + "version": "7.28.5", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/types": "^7.28.5" + }, + "bin": { + "parser": "bin/babel-parser.js" + }, + "engines": { + "node": ">=6.0.0" + } + }, + "node_modules/@babel/types": { + "version": "7.28.5", + "dev": true, + "license": "MIT", + "dependencies": { + "@babel/helper-string-parser": "^7.27.1", + "@babel/helper-validator-identifier": "^7.28.5" + }, + "engines": { + "node": ">=6.9.0" + } + }, + "node_modules/@jsdoc/salty": { + "version": "0.2.9", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "lodash": "^4.17.21" + }, + "engines": { + "node": ">=v12.0.0" + } + }, + "node_modules/@protobufjs/aspromise": { + "version": "1.1.2", + "dev": true, + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/base64": { + "version": "1.1.2", + "dev": true, + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/codegen": { + "version": "2.0.4", + "dev": true, + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/eventemitter": { + "version": "1.1.0", + "dev": true, + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/fetch": { + "version": "1.1.0", + "dev": true, + "license": "BSD-3-Clause", + "dependencies": { + "@protobufjs/aspromise": "^1.1.1", + "@protobufjs/inquire": "^1.1.0" + } + }, + "node_modules/@protobufjs/float": { + "version": "1.0.2", + "dev": true, + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/inquire": { + "version": "1.1.0", + "dev": true, + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/path": { + "version": "1.1.2", + "dev": true, + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/pool": { + "version": "1.1.0", + "dev": true, + "license": "BSD-3-Clause" + }, + "node_modules/@protobufjs/utf8": { + "version": "1.1.0", + "dev": true, + "license": "BSD-3-Clause" + }, + "node_modules/@types/linkify-it": { + "version": "5.0.0", + "dev": true, + "license": "MIT" + }, + "node_modules/@types/markdown-it": { + "version": "14.1.2", + "dev": true, + "license": "MIT", + "dependencies": { + "@types/linkify-it": "^5", + "@types/mdurl": "^2" + } + }, + "node_modules/@types/mdurl": { + "version": "2.0.0", + "dev": true, + "license": "MIT" + }, + "node_modules/@types/node": { + "version": "20.19.24", + "resolved": "https://registry.npmmirror.com/@types/node/-/node-20.19.24.tgz", + "integrity": "sha512-FE5u0ezmi6y9OZEzlJfg37mqqf6ZDSF2V/NLjUyGrR9uTZ7Sb9F7bLNZ03S4XVUNRWGA7Ck4c1kK+YnuWjl+DA==", + "dev": true, + "license": "MIT", + "dependencies": { + "undici-types": "~6.21.0" + } + }, + "node_modules/acorn": { + "version": "8.15.0", + "dev": true, + "license": "MIT", + "bin": { + "acorn": "bin/acorn" + }, + "engines": { + "node": ">=0.4.0" + } + }, + "node_modules/acorn-jsx": { + "version": "5.3.2", + "dev": true, + "license": "MIT", + "peerDependencies": { + "acorn": "^6.0.0 || ^7.0.0 || ^8.0.0" + } + }, + "node_modules/ansi-styles": { + "version": "4.3.0", + "dev": true, + "license": "MIT", + "dependencies": { + "color-convert": "^2.0.1" + }, + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/chalk/ansi-styles?sponsor=1" + } + }, + "node_modules/argparse": { + "version": "2.0.1", + "dev": true, + "license": "Python-2.0" + }, + "node_modules/balanced-match": { + "version": "1.0.2", + "dev": true, + "license": "MIT" + }, + "node_modules/bluebird": { + "version": "3.7.2", + "dev": true, + "license": "MIT" + }, + "node_modules/brace-expansion": { + "version": "2.0.2", + "dev": true, + "license": "MIT", + "dependencies": { + "balanced-match": "^1.0.0" + } + }, + "node_modules/catharsis": { + "version": "0.9.0", + "dev": true, + "license": "MIT", + "dependencies": { + "lodash": "^4.17.15" + }, + "engines": { + "node": ">= 10" + } + }, + "node_modules/chalk": { + "version": "4.1.2", + "dev": true, + "license": "MIT", + "dependencies": { + "ansi-styles": "^4.1.0", + "supports-color": "^7.1.0" + }, + "engines": { + "node": ">=10" + }, + "funding": { + "url": "https://github.com/chalk/chalk?sponsor=1" + } + }, + "node_modules/color-convert": { + "version": "2.0.1", + "dev": true, + "license": "MIT", + "dependencies": { + "color-name": "~1.1.4" + }, + "engines": { + "node": ">=7.0.0" + } + }, + "node_modules/color-name": { + "version": "1.1.4", + "dev": true, + "license": "MIT" + }, + "node_modules/deep-is": { + "version": "0.1.4", + "dev": true, + "license": "MIT" + }, + "node_modules/entities": { + "version": "4.5.0", + "dev": true, + "license": "BSD-2-Clause", + "engines": { + "node": ">=0.12" + }, + "funding": { + "url": "https://github.com/fb55/entities?sponsor=1" + } + }, + "node_modules/escape-string-regexp": { + "version": "2.0.0", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/escodegen": { + "version": "1.14.3", + "dev": true, + "license": "BSD-2-Clause", + "dependencies": { + "esprima": "^4.0.1", + "estraverse": "^4.2.0", + "esutils": "^2.0.2", + "optionator": "^0.8.1" + }, + "bin": { + "escodegen": "bin/escodegen.js", + "esgenerate": "bin/esgenerate.js" + }, + "engines": { + "node": ">=4.0" + }, + "optionalDependencies": { + "source-map": "~0.6.1" + } + }, + "node_modules/escodegen/node_modules/estraverse": { + "version": "4.3.0", + "dev": true, + "license": "BSD-2-Clause", + "engines": { + "node": ">=4.0" + } + }, + "node_modules/eslint-visitor-keys": { + "version": "3.4.3", + "dev": true, + "license": "Apache-2.0", + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "url": "https://opencollective.com/eslint" + } + }, + "node_modules/espree": { + "version": "9.6.1", + "dev": true, + "license": "BSD-2-Clause", + "dependencies": { + "acorn": "^8.9.0", + "acorn-jsx": "^5.3.2", + "eslint-visitor-keys": "^3.4.1" + }, + "engines": { + "node": "^12.22.0 || ^14.17.0 || >=16.0.0" + }, + "funding": { + "url": "https://opencollective.com/eslint" + } + }, + "node_modules/esprima": { + "version": "4.0.1", + "dev": true, + "license": "BSD-2-Clause", + "bin": { + "esparse": "bin/esparse.js", + "esvalidate": "bin/esvalidate.js" + }, + "engines": { + "node": ">=4" + } + }, + "node_modules/estraverse": { + "version": "5.3.0", + "dev": true, + "license": "BSD-2-Clause", + "engines": { + "node": ">=4.0" + } + }, + "node_modules/esutils": { + "version": "2.0.3", + "dev": true, + "license": "BSD-2-Clause", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/fast-levenshtein": { + "version": "2.0.6", + "dev": true, + "license": "MIT" + }, + "node_modules/fs.realpath": { + "version": "1.0.0", + "dev": true, + "license": "ISC" + }, + "node_modules/glob": { + "version": "8.1.0", + "dev": true, + "license": "ISC", + "dependencies": { + "fs.realpath": "^1.0.0", + "inflight": "^1.0.4", + "inherits": "2", + "minimatch": "^5.0.1", + "once": "^1.3.0" + }, + "engines": { + "node": ">=12" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/graceful-fs": { + "version": "4.2.11", + "dev": true, + "license": "ISC" + }, + "node_modules/has-flag": { + "version": "4.0.0", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8" + } + }, + "node_modules/inflight": { + "version": "1.0.6", + "dev": true, + "license": "ISC", + "dependencies": { + "once": "^1.3.0", + "wrappy": "1" + } + }, + "node_modules/inherits": { + "version": "2.0.4", + "dev": true, + "license": "ISC" + }, + "node_modules/js2xmlparser": { + "version": "4.0.2", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "xmlcreate": "^2.0.4" + } + }, + "node_modules/jsdoc": { + "version": "4.0.5", + "dev": true, + "license": "Apache-2.0", + "dependencies": { + "@babel/parser": "^7.20.15", + "@jsdoc/salty": "^0.2.1", + "@types/markdown-it": "^14.1.1", + "bluebird": "^3.7.2", + "catharsis": "^0.9.0", + "escape-string-regexp": "^2.0.0", + "js2xmlparser": "^4.0.2", + "klaw": "^3.0.0", + "markdown-it": "^14.1.0", + "markdown-it-anchor": "^8.6.7", + "marked": "^4.0.10", + "mkdirp": "^1.0.4", + "requizzle": "^0.2.3", + "strip-json-comments": "^3.1.0", + "underscore": "~1.13.2" + }, + "bin": { + "jsdoc": "jsdoc.js" + }, + "engines": { + "node": ">=12.0.0" + } + }, + "node_modules/klaw": { + "version": "3.0.0", + "dev": true, + "license": "MIT", + "dependencies": { + "graceful-fs": "^4.1.9" + } + }, + "node_modules/levn": { + "version": "0.3.0", + "dev": true, + "license": "MIT", + "dependencies": { + "prelude-ls": "~1.1.2", + "type-check": "~0.3.2" + }, + "engines": { + "node": ">= 0.8.0" + } + }, + "node_modules/linkify-it": { + "version": "5.0.0", + "dev": true, + "license": "MIT", + "dependencies": { + "uc.micro": "^2.0.0" + } + }, + "node_modules/lodash": { + "version": "4.17.21", + "dev": true, + "license": "MIT" + }, + "node_modules/long": { + "version": "5.3.2", + "dev": true, + "license": "Apache-2.0" + }, + "node_modules/markdown-it": { + "version": "14.1.0", + "dev": true, + "license": "MIT", + "dependencies": { + "argparse": "^2.0.1", + "entities": "^4.4.0", + "linkify-it": "^5.0.0", + "mdurl": "^2.0.0", + "punycode.js": "^2.3.1", + "uc.micro": "^2.1.0" + }, + "bin": { + "markdown-it": "bin/markdown-it.mjs" + } + }, + "node_modules/markdown-it-anchor": { + "version": "8.6.7", + "dev": true, + "license": "Unlicense", + "peerDependencies": { + "@types/markdown-it": "*", + "markdown-it": "*" + } + }, + "node_modules/marked": { + "version": "4.3.0", + "dev": true, + "license": "MIT", + "bin": { + "marked": "bin/marked.js" + }, + "engines": { + "node": ">= 12" + } + }, + "node_modules/mdurl": { + "version": "2.0.0", + "dev": true, + "license": "MIT" + }, + "node_modules/minimatch": { + "version": "5.1.6", + "dev": true, + "license": "ISC", + "dependencies": { + "brace-expansion": "^2.0.1" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/minimist": { + "version": "1.2.8", + "dev": true, + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } + }, + "node_modules/mkdirp": { + "version": "1.0.4", + "dev": true, + "license": "MIT", + "bin": { + "mkdirp": "bin/cmd.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/once": { + "version": "1.4.0", + "dev": true, + "license": "ISC", + "dependencies": { + "wrappy": "1" + } + }, + "node_modules/optionator": { + "version": "0.8.3", + "dev": true, + "license": "MIT", + "dependencies": { + "deep-is": "~0.1.3", + "fast-levenshtein": "~2.0.6", + "levn": "~0.3.0", + "prelude-ls": "~1.1.2", + "type-check": "~0.3.2", + "word-wrap": "~1.2.3" + }, + "engines": { + "node": ">= 0.8.0" + } + }, + "node_modules/prelude-ls": { + "version": "1.1.2", + "dev": true, + "engines": { + "node": ">= 0.8.0" + } + }, + "node_modules/protobufjs": { + "version": "7.5.4", + "dev": true, + "hasInstallScript": true, + "license": "BSD-3-Clause", + "dependencies": { + "@protobufjs/aspromise": "^1.1.2", + "@protobufjs/base64": "^1.1.2", + "@protobufjs/codegen": "^2.0.4", + "@protobufjs/eventemitter": "^1.1.0", + "@protobufjs/fetch": "^1.1.0", + "@protobufjs/float": "^1.0.2", + "@protobufjs/inquire": "^1.1.0", + "@protobufjs/path": "^1.1.2", + "@protobufjs/pool": "^1.1.0", + "@protobufjs/utf8": "^1.1.0", + "@types/node": ">=13.7.0", + "long": "^5.0.0" + }, + "engines": { + "node": ">=12.0.0" + } + }, + "node_modules/protobufjs-cli": { + "version": "1.1.3", + "dev": true, + "license": "BSD-3-Clause", + "dependencies": { + "chalk": "^4.0.0", + "escodegen": "^1.13.0", + "espree": "^9.0.0", + "estraverse": "^5.1.0", + "glob": "^8.0.0", + "jsdoc": "^4.0.0", + "minimist": "^1.2.0", + "semver": "^7.1.2", + "tmp": "^0.2.1", + "uglify-js": "^3.7.7" + }, + "bin": { + "pbjs": "bin/pbjs", + "pbts": "bin/pbts" + }, + "engines": { + "node": ">=12.0.0" + }, + "peerDependencies": { + "protobufjs": "^7.0.0" + } + }, + "node_modules/punycode.js": { + "version": "2.3.1", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=6" + } + }, + "node_modules/requizzle": { + "version": "0.2.4", + "dev": true, + "license": "MIT", + "dependencies": { + "lodash": "^4.17.21" + } + }, + "node_modules/semver": { + "version": "7.7.3", + "dev": true, + "license": "ISC", + "bin": { + "semver": "bin/semver.js" + }, + "engines": { + "node": ">=10" + } + }, + "node_modules/source-map": { + "version": "0.6.1", + "dev": true, + "license": "BSD-3-Clause", + "optional": true, + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/strip-json-comments": { + "version": "3.1.1", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=8" + }, + "funding": { + "url": "https://github.com/sponsors/sindresorhus" + } + }, + "node_modules/supports-color": { + "version": "7.2.0", + "dev": true, + "license": "MIT", + "dependencies": { + "has-flag": "^4.0.0" + }, + "engines": { + "node": ">=8" + } + }, + "node_modules/tmp": { + "version": "0.2.5", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=14.14" + } + }, + "node_modules/type-check": { + "version": "0.3.2", + "dev": true, + "license": "MIT", + "dependencies": { + "prelude-ls": "~1.1.2" + }, + "engines": { + "node": ">= 0.8.0" + } + }, + "node_modules/typescript": { + "version": "5.9.3", + "resolved": "https://registry.npmmirror.com/typescript/-/typescript-5.9.3.tgz", + "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", + "dev": true, + "license": "Apache-2.0", + "bin": { + "tsc": "bin/tsc", + "tsserver": "bin/tsserver" + }, + "engines": { + "node": ">=14.17" + } + }, + "node_modules/uc.micro": { + "version": "2.1.0", + "dev": true, + "license": "MIT" + }, + "node_modules/uglify-js": { + "version": "3.19.3", + "dev": true, + "license": "BSD-2-Clause", + "bin": { + "uglifyjs": "bin/uglifyjs" + }, + "engines": { + "node": ">=0.8.0" + } + }, + "node_modules/underscore": { + "version": "1.13.7", + "dev": true, + "license": "MIT" + }, + "node_modules/undici-types": { + "version": "6.21.0", + "resolved": "https://registry.npmmirror.com/undici-types/-/undici-types-6.21.0.tgz", + "integrity": "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==", + "dev": true, + "license": "MIT" + }, + "node_modules/word-wrap": { + "version": "1.2.5", + "dev": true, + "license": "MIT", + "engines": { + "node": ">=0.10.0" + } + }, + "node_modules/wrappy": { + "version": "1.0.2", + "dev": true, + "license": "ISC" + }, + "node_modules/xmlcreate": { + "version": "2.0.4", + "dev": true, + "license": "Apache-2.0" + } + } +} diff --git a/vmm/ui/package.json b/vmm/ui/package.json new file mode 100644 index 00000000..18165f32 --- /dev/null +++ b/vmm/ui/package.json @@ -0,0 +1,17 @@ +{ + "name": "vmm-ui", + "version": "0.1.0", + "private": true, + "type": "module", + "scripts": { + "generate:proto": "bash scripts/build_proto.sh", + "build": "node build.mjs", + "watch": "node build.mjs --watch" + }, + "devDependencies": { + "@types/node": "^20.11.30", + "protobufjs": "^7.2.4", + "protobufjs-cli": "^1.1.3", + "typescript": "^5.4.5" + } +} diff --git a/vmm/ui/scripts/build_proto.sh b/vmm/ui/scripts/build_proto.sh new file mode 100755 index 00000000..301d72b8 --- /dev/null +++ b/vmm/ui/scripts/build_proto.sh @@ -0,0 +1,28 @@ +#!/bin/bash + +set -euo pipefail + +ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" +PROTO_DIR="${ROOT}/../rpc/proto" +OUT_DIR="${ROOT}/src/proto" +PBJS="${ROOT}/node_modules/.bin/pbjs" +PBTS="${ROOT}/node_modules/.bin/pbts" + +if [ ! -x "${PBJS}" ] || [ ! -x "${PBTS}" ]; then + echo "protobufjs CLI not found. Run 'npm install' first." >&2 + exit 1 +fi + +mkdir -p "${OUT_DIR}" + +generate_proto() { + local name="$1" + echo "[proto] Generating ${name} bindings..." + "${PBJS}" --keep-case -w commonjs -t static-module --path "${PROTO_DIR}" "${PROTO_DIR}/${name}.proto" -o "${OUT_DIR}/${name}.js" + "${PBTS}" -o "${OUT_DIR}/${name}.d.ts" "${OUT_DIR}/${name}.js" +} + +generate_proto "vmm_rpc" +generate_proto "prpc" + +echo "[proto] Done." diff --git a/vmm/ui/src/App.ts b/vmm/ui/src/App.ts new file mode 100644 index 00000000..d1f09ce6 --- /dev/null +++ b/vmm/ui/src/App.ts @@ -0,0 +1,29 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +const EncryptedEnvEditor = require('./components/EncryptedEnvEditor'); +const PortMappingEditor = require('./components/PortMappingEditor'); +const GpuConfigEditor = require('./components/GpuConfigEditor'); +const CreateVmDialog = require('./components/CreateVmDialog'); +const UpdateVmDialog = require('./components/UpdateVmDialog'); +const ForkVmDialog = require('./components/ForkVmDialog'); +const { useVmManager } = require('./composables/useVmManager'); +const template: string = require('./templates/app.html'); + +const AppComponent = { + name: 'DstackConsoleApp', + components: { + 'encrypted-env-editor': EncryptedEnvEditor, + 'port-mapping-editor': PortMappingEditor, + 'gpu-config-editor': GpuConfigEditor, + 'create-vm-dialog': CreateVmDialog, + 'update-vm-dialog': UpdateVmDialog, + 'fork-vm-dialog': ForkVmDialog, + }, + setup() { + return useVmManager(); + }, + template, +}; + +export = AppComponent; diff --git a/vmm/ui/src/components/CreateVmDialog.ts b/vmm/ui/src/components/CreateVmDialog.ts new file mode 100644 index 00000000..822162f5 --- /dev/null +++ b/vmm/ui/src/components/CreateVmDialog.ts @@ -0,0 +1,172 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +const EncryptedEnvEditor = require('./EncryptedEnvEditor'); +const PortMappingEditor = require('./PortMappingEditor'); +const GpuConfigEditor = require('./GpuConfigEditor'); + +const CreateVmDialogComponent = { + name: 'CreateVmDialog', + components: { + 'encrypted-env-editor': EncryptedEnvEditor, + 'port-mapping-editor': PortMappingEditor, + 'gpu-config-editor': GpuConfigEditor, + }, + props: { + visible: { type: Boolean, required: true }, + form: { type: Object, required: true }, + availableImages: { type: Array, required: true }, + availableGpus: { type: Array, required: true }, + allowAttachAllGpus: { type: Boolean, required: true }, + kmsAvailable: { type: Boolean, required: true }, + portMappingEnabled: { type: Boolean, required: true }, + }, + emits: ['close', 'submit', 'load-compose'], + template: /* html */ ` +
+
+

Deploy a new instance

+
+
+
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ +
+ + +
+
+ +
+ +
+ + +
+ Leave as 0 to disable swap. +
+ +
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ +
+
+ + or paste below + +
+ +
+
+ +
+ + +
+ +
+ +
+ +
+ + +
+ +
+ +
+ + + + + + + + +
+
+ +
+ + +
+ +
+ +
+ +
+ +
+
+ +
+ + +
+
+
+
+ `, +}; + +export = CreateVmDialogComponent; diff --git a/vmm/ui/src/components/EncryptedEnvEditor.ts b/vmm/ui/src/components/EncryptedEnvEditor.ts new file mode 100644 index 00000000..1a081bfd --- /dev/null +++ b/vmm/ui/src/components/EncryptedEnvEditor.ts @@ -0,0 +1,163 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +declare const FileReader: any; + +type EnvVar = { key: string; value: string }; + +type ComponentInstance = { + envVars: EnvVar[]; + $refs: { envFileInput?: HTMLInputElement }; + $data: { + editMode: 'form' | 'text'; + textContent: string; + }; + parseTextContent(): void; +}; + +const EncryptedEnvEditorComponent = { + name: 'EncryptedEnvEditor', + props: { + envVars: { + type: Array, + required: true, + }, + }, + data() { + return { + editMode: 'form' as 'form' | 'text', + textContent: '', + }; + }, + template: /* html */ ` +
+
+

Encrypted Environment Variables

+
+ + +
+
+ +
+
+

No environment variables yet. Click "Add" to create one.

+
+
+ + + +
+
+ + + +
+
+ +
+ +

Format: KEY=VALUE (one per line). Lines starting with # are ignored.

+
+
+ `, + methods: { + addEnv(this: ComponentInstance) { + this.envVars.push({ key: '', value: '' }); + }, + removeEnv(this: ComponentInstance, index: number) { + this.envVars.splice(index, 1); + }, + triggerFileInput(this: ComponentInstance) { + this.$refs.envFileInput?.click(); + }, + switchToForm(this: ComponentInstance) { + this.parseTextContent(); + this.$data.editMode = 'form'; + }, + switchToText(this: ComponentInstance) { + this.$data.textContent = this.envVars + .map((env) => `${env.key}=${env.value}`) + .join('\n'); + this.$data.editMode = 'text'; + }, + parseTextContent(this: ComponentInstance) { + const content = this.$data.textContent; + if (!content.trim()) { + return; + } + const lines = content.split('\n'); + this.envVars.splice(0, this.envVars.length); + for (const line of lines) { + const trimmed = line.trim(); + if (!trimmed || trimmed.startsWith('#')) { + continue; + } + const equalIndex = trimmed.indexOf('='); + if (equalIndex === -1) { + continue; + } + const key = trimmed.substring(0, equalIndex).trim(); + const value = trimmed.substring(equalIndex + 1).trim(); + if (!key) { + continue; + } + this.envVars.push({ key, value }); + } + }, + loadEnvFromFile(this: ComponentInstance, event: Event) { + const input = event.target as HTMLInputElement | null; + const file = input?.files?.[0]; + if (!file) { + return; + } + const reader = new FileReader(); + reader.onload = (e: { target: { result: string } }) => { + const content = e.target.result || ''; + const lines = content.split('\n'); + this.envVars.splice(0, this.envVars.length); + for (const line of lines) { + const trimmed = line.trim(); + if (!trimmed || trimmed.startsWith('#')) { + continue; + } + const equalIndex = trimmed.indexOf('='); + if (equalIndex === -1) { + continue; + } + const key = trimmed.substring(0, equalIndex).trim(); + const value = trimmed.substring(equalIndex + 1).trim(); + if (!key) { + continue; + } + this.envVars.push({ key, value }); + } + }; + reader.readAsText(file); + if (input) { + input.value = ''; + } + }, + }, +}; + +export = EncryptedEnvEditorComponent; diff --git a/vmm/ui/src/components/ForkVmDialog.ts b/vmm/ui/src/components/ForkVmDialog.ts new file mode 100644 index 00000000..2b7599be --- /dev/null +++ b/vmm/ui/src/components/ForkVmDialog.ts @@ -0,0 +1,62 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +const ForkVmDialogComponent = { + name: 'ForkVmDialog', + props: { + visible: { type: Boolean, required: true }, + dialog: { type: Object, required: true }, + availableImages: { type: Array, required: true }, + }, + emits: ['close', 'submit'], + template: /* html */ ` +
+
+

Derive VM

+

+ This will create a new VM instance with the same app id, but the disk state will NOT migrate to the new instance. +

+ +
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ + +
+
+
+ `, +}; + +export = ForkVmDialogComponent; diff --git a/vmm/ui/src/components/GpuConfigEditor.ts b/vmm/ui/src/components/GpuConfigEditor.ts new file mode 100644 index 00000000..c7cbe8e6 --- /dev/null +++ b/vmm/ui/src/components/GpuConfigEditor.ts @@ -0,0 +1,77 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +declare const Vue: any; +const { computed } = Vue; + +type ComponentInstance = { + availableGpus: Array<{ slot: string; description?: string; is_free?: boolean }>; + gpus: string[]; + attachAll: boolean; +}; + +const GpuConfigEditorComponent = { + name: 'GpuConfigEditor', + props: { + availableGpus: { + type: Array, + required: true, + }, + gpus: { + type: Array, + required: true, + }, + attachAll: { + type: Boolean, + required: true, + }, + allowAttachAll: { + type: Boolean, + required: true, + }, + }, + emits: ['update:gpus', 'update:attachAll'], + setup(props: any, { emit }: any) { + const selectedGpus = computed({ + get: () => props.gpus, + set: (value: string[]) => emit('update:gpus', value), + }); + + const attachAllComputed = computed({ + get: () => props.attachAll, + set: (value: boolean) => emit('update:attachAll', value), + }); + + return { + selectedGpus, + attachAllComputed, + }; + }, + template: /* html */ ` +
+ +
+ +
+
+
+ Select GPUs to attach: +
+
+ +
+
+
+ All NVIDIA GPUs and NVSwitches will be attached to the VM +
+
+ `, +}; + +export = GpuConfigEditorComponent; diff --git a/vmm/ui/src/components/PortMappingEditor.ts b/vmm/ui/src/components/PortMappingEditor.ts new file mode 100644 index 00000000..8658b8bb --- /dev/null +++ b/vmm/ui/src/components/PortMappingEditor.ts @@ -0,0 +1,57 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +type PortEntry = { + protocol: string; + host_address: string; + host_port: number | null; + vm_port: number | null; +}; + +type ComponentInstance = { + ports: PortEntry[]; +}; + +const PortMappingEditorComponent = { + name: 'PortMappingEditor', + props: { + ports: { + type: Array, + required: true, + }, + }, + template: /* html */ ` +
+ +
+ + + + + +
+ +
+ `, + methods: { + addPort(this: ComponentInstance) { + this.ports.push({ + protocol: 'tcp', + host_address: '127.0.0.1', + host_port: null, + vm_port: null, + }); + }, + removePort(this: ComponentInstance, index: number) { + this.ports.splice(index, 1); + }, + }, +}; + +export = PortMappingEditorComponent; diff --git a/vmm/ui/src/components/UpdateVmDialog.ts b/vmm/ui/src/components/UpdateVmDialog.ts new file mode 100644 index 00000000..75c93c13 --- /dev/null +++ b/vmm/ui/src/components/UpdateVmDialog.ts @@ -0,0 +1,143 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +const EncryptedEnvEditor = require('./EncryptedEnvEditor'); +const PortMappingEditor = require('./PortMappingEditor'); +const GpuConfigEditor = require('./GpuConfigEditor'); + +const UpdateVmDialogComponent = { + name: 'UpdateVmDialog', + components: { + 'encrypted-env-editor': EncryptedEnvEditor, + 'port-mapping-editor': PortMappingEditor, + 'gpu-config-editor': GpuConfigEditor, + }, + props: { + visible: { type: Boolean, required: true }, + dialog: { type: Object, required: true }, + availableImages: { type: Array, required: true }, + availableGpus: { type: Array, required: true }, + allowAttachAllGpus: { type: Boolean, required: true }, + portMappingEnabled: { type: Boolean, required: true }, + kmsEnabled: { type: Boolean, required: true }, + composeHashPreview: { type: String, required: true }, + }, + emits: ['close', 'submit', 'load-compose'], + template: /* html */ ` +
+
+

Update VM Config

+ +
+
+ + +
+
+ +
+ + +
+
+
+ +
+ +
+ + +
+ Enable "Update compose" to change swap size. +
+ +
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+
+ +
+ +
+ +
+
+ +
+
+ + or paste below + +
+ +
+
+
+ + +
+
+ Compose Hash: 0x{{ composeHashPreview }} +
+
+ +
+ +
+
+
+ +
+
+
+ +
+ +
+ +
+ + +
+ +
+ + +
+
+
+ `, +}; + +export = UpdateVmDialogComponent; diff --git a/vmm/ui/src/composables/useVmManager.ts b/vmm/ui/src/composables/useVmManager.ts new file mode 100644 index 00000000..a044e02a --- /dev/null +++ b/vmm/ui/src/composables/useVmManager.ts @@ -0,0 +1,1405 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +declare const Vue: any; +const { ref, computed, watch, onMounted } = Vue; +import type { vmm as VmmTypes } from '../proto/vmm_rpc'; + +// Types based on Rust definitions +type VmConfiguration = VmmTypes.IVmConfiguration; + +type AppCompose = { + manifest_version: number; + name: string; + features: string[]; + runner: string; + docker_compose_file?: string; + public_logs: boolean; + public_sysinfo: boolean; + public_tcbinfo: boolean; + kms_enabled: boolean; + gateway_enabled: boolean; + tproxy_enabled?: boolean; + local_key_provider_enabled: boolean; + key_provider?: KeyProviderKind; + key_provider_id: string; + allowed_envs: string[]; + no_instance_id: boolean; + secure_time: boolean; + storage_fs?: string; + swap_size: number; + launch_token_hash?: string; + pre_launch_script?: string; +}; + +type KeyProviderKind = 'none' | 'kms' | 'local'; + +const x25519 = require('../lib/x25519.js'); +const { getVmmRpcClient } = require('../lib/vmmRpcClient'); + +const vmmRpc = getVmmRpcClient(); + +// Initialize dangerConfirm setting +if (localStorage.getItem('dangerConfirm') === null) { + localStorage.setItem('dangerConfirm', 'true'); +} + +type MemoryUnit = 'MB' | 'GB'; +type DiskType = 'virtio-pci' | 'nvme'; + +type JsonRpcCall = (method: string, params?: Record) => Promise; +type Ref = { value: T }; + +type VmListItem = { + id: string; + name: string; + app_id: string; + status: string; + app_url?: string; + uptime?: string; + boot_progress?: string; + shutdown_progress?: string; + image_version?: string; + configuration?: VmConfiguration; + appCompose?: AppCompose; +}; + +type EncryptedEnvEntry = { + key: string; + value: string; +}; + +type PortFormEntry = { + protocol: string; + host_address?: string; + host_port?: number | null; + vm_port?: number | null; +}; + +type VmFormState = { + name: string; + image: string; + dockerComposeFile: string; + preLaunchScript: string; + vcpu: number; + memory: number; + memoryValue: number; + memoryUnit: MemoryUnit; + swap_size: number; + swapValue: number; + swapUnit: MemoryUnit; + disk_size: number; + disk_type: DiskType; + selectedGpus: string[]; + attachAllGpus: boolean; + ports: PortFormEntry[]; + encryptedEnvs: EncryptedEnvEntry[]; + storage_fs: string; + app_id: string | null; + kms_enabled: boolean; + local_key_provider_enabled: boolean; + key_provider_id: string; + gateway_enabled: boolean; + public_logs: boolean; + public_sysinfo: boolean; + public_tcbinfo: boolean; + pin_numa: boolean; + hugepages: boolean; + user_config: string; + kms_urls: string[]; + gateway_urls: string[]; + stopped: boolean; +}; + +type UpdateDialogState = { + show: boolean; + vm: VmListItem | null; + updateCompose: boolean; + dockerComposeFile: string; + preLaunchScript: string; + encryptedEnvs: EncryptedEnvEntry[]; + resetSecrets: boolean; + vcpu: number; + memory: number; + memoryValue: number; + memoryUnit: MemoryUnit; + swap_size: number; + swapValue: number; + swapUnit: MemoryUnit; + disk_size: number; + disk_type: DiskType; + image: string; + ports: PortFormEntry[]; + attachAllGpus: boolean; + selectedGpus: string[]; + updateGpuConfig: boolean; + user_config: string; +}; + +type CloneConfigDialogState = { + show: boolean; + name: string; + compose_file: string; + image: string; + vcpu: number; + memory: number; + disk_size: number; + disk_type: DiskType; + ports: PortFormEntry[]; + user_config: string; + gpus?: VmmTypes.IGpuConfig; + kms_urls?: string[]; + gateway_urls?: string[]; + hugepages: boolean; + pin_numa: boolean; + encrypted_env?: Uint8Array; + app_id?: string; + stopped: boolean; +}; + +function createVmFormState(preLaunchScript: string): VmFormState { + return { + name: '', + image: '', + dockerComposeFile: '', + preLaunchScript, + vcpu: 1, + memory: 2048, + memoryValue: 2, + memoryUnit: 'GB', + swap_size: 0, + swapValue: 0, + swapUnit: 'GB', + disk_size: 20, + disk_type: 'virtio-pci', + selectedGpus: [], + attachAllGpus: false, + ports: [], + encryptedEnvs: [], + storage_fs: '', + app_id: null, + kms_enabled: true, + local_key_provider_enabled: false, + key_provider_id: '', + gateway_enabled: true, + public_logs: true, + public_sysinfo: true, + public_tcbinfo: true, + pin_numa: false, + hugepages: false, + user_config: '', + kms_urls: [], + gateway_urls: [], + stopped: false, + }; +} + +function createUpdateDialogState(): UpdateDialogState { + return { + show: false, + vm: null, + updateCompose: false, + dockerComposeFile: '', + preLaunchScript: '', + encryptedEnvs: [], + resetSecrets: false, + vcpu: 0, + memory: 0, + memoryValue: 0, + memoryUnit: 'MB', + swap_size: 0, + swapValue: 0, + swapUnit: 'GB', + disk_size: 0, + disk_type: 'virtio-pci', + image: '', + ports: [], + attachAllGpus: false, + selectedGpus: [], + updateGpuConfig: false, + user_config: '', + }; +} + +function createCloneConfigDialogState(): CloneConfigDialogState { + return { + show: false, + name: '', + compose_file: '', + image: '', + vcpu: 0, + memory: 0, + disk_size: 0, + disk_type: 'virtio-pci', + ports: [], + user_config: '', + gpus: undefined, + kms_urls: undefined, + gateway_urls: undefined, + hugepages: false, + pin_numa: false, + encrypted_env: undefined, + app_id: undefined, + stopped: false, + }; +} + +function useVmManager() { + const version = ref({ version: '-', commit: '' }); + const vms = ref([] as VmListItem[]); + const expandedVMs = ref(new Set() as Set); + const networkInfo = ref({} as Record); + const searchQuery = ref(''); + const currentPage = ref(1); + const pageInput = ref(1); + const pageSize = ref(Number.parseInt(localStorage.getItem('pageSize') || '50', 10)); + const totalVMs = ref(0); + const hasMorePages = ref(false); + const loadingVMDetails = ref(false); + const maxPage = computed(() => Math.ceil(totalVMs.value / pageSize.value) || 1); + + const preLaunchScript = ` +EXPECTED_TOKEN_HASH=$(jq -j .launch_token_hash app-compose.json) +if [ "$EXPECTED_TOKEN_HASH" == "null" ]; then + echo "Skipped APP_LAUNCH_TOKEN check" +else + ACTUAL_TOKEN_HASH=$(echo -n "$APP_LAUNCH_TOKEN" | sha256sum | cut -d' ' -f1) + if [ "$EXPECTED_TOKEN_HASH" != "$ACTUAL_TOKEN_HASH" ]; then + echo "Error: Incorrect APP_LAUNCH_TOKEN, please make sure set the correct APP_LAUNCH_TOKEN in env" + reboot + exit 1 + else + echo "APP_LAUNCH_TOKEN checked OK" + fi +fi +`; + + const vmForm: Ref = ref(createVmFormState(preLaunchScript)); + + const availableImages = ref([] as Array<{ name: string; version?: string }>); + const availableGpus = ref([] as Array); + const availableGpuProducts = ref([] as Array); + const allowAttachAllGpus = ref(false); + + const updateDialog: Ref = ref(createUpdateDialogState()); + + const updateMessage = ref(''); + const successMessage = ref(''); + const errorMessage = ref(''); + + const cloneConfigDialog: Ref = ref(createCloneConfigDialogState()); + + const showCreateDialog = ref(false); + const config = ref({ portMappingEnabled: false }); + const composeHashPreview = ref(''); + const updateComposeHashPreview = ref(''); + + const BYTES_PER_MB = 1024 * 1024; + + function convertMemoryToMB(value: number, unit: string) { + if (!Number.isFinite(value) || value < 0) { + return 0; + } + if (unit === 'GB') { + return value * 1024; + } + return value; + } + + function convertSwapToBytes(value: number, unit: string) { + const mb = convertMemoryToMB(value, unit); + if (!Number.isFinite(mb) || mb <= 0) { + return 0; + } + return Math.max(0, Math.round(mb * BYTES_PER_MB)); + } + + function bytesToMB(bytes: number) { + if (!bytes) { + return 0; + } + return bytes / BYTES_PER_MB; + } + + function hexToBytes(hex: string) { + if (!hex) { + return new Uint8Array(); + } + const normalized = hex.startsWith('0x') ? hex.slice(2) : hex; + const length = Math.floor(normalized.length / 2); + const result = new Uint8Array(length); + for (let i = 0; i < length; i += 1) { + const byte = normalized.slice(i * 2, i * 2 + 2); + result[i] = Number.parseInt(byte, 16); + } + return result; + } + + const clonePortMappings = (ports: VmmTypes.IPortMapping[] = []): PortFormEntry[] => + ports.map((port) => ({ + protocol: port.protocol || 'tcp', + host_address: port.host_address || '127.0.0.1', + host_port: typeof port.host_port === 'number' ? port.host_port : null, + vm_port: typeof port.vm_port === 'number' ? port.vm_port : null, + })); + + const normalizePorts = (ports: PortFormEntry[] = []): VmmTypes.IPortMapping[] => + ports + .map((port) => { + const protocol = (port.protocol || '').trim(); + const hostPort = + port.host_port === null || port.host_port === undefined ? Number.NaN : Number(port.host_port); + const vmPort = + port.vm_port === null || port.vm_port === undefined ? Number.NaN : Number(port.vm_port); + return { + protocol, + host_address: (port.host_address || '127.0.0.1').trim() || '127.0.0.1', + host_port: hostPort, + vm_port: vmPort, + }; + }) + .filter( + (port) => + port.protocol.length > 0 && + Number.isFinite(port.host_port) && + Number.isFinite(port.vm_port), + ) + .map((port) => ({ + protocol: port.protocol, + host_address: port.host_address, + host_port: port.host_port, + vm_port: port.vm_port, + })); + + function deriveGpuSelection(gpuConfig?: VmmTypes.IGpuConfig) { + if (!gpuConfig) { + return { attachAll: false, selected: [] as string[] }; + } + if (gpuConfig.attach_mode === 'all') { + return { attachAll: true, selected: [] as string[] }; + } + return { + attachAll: false, + selected: (gpuConfig.gpus || []).map((gpu) => gpu.slot).filter(Boolean) as string[], + }; + } + + function recordError(context: string, err: unknown) { + console.error(context, err); + if (err instanceof Error && err.message) { + errorMessage.value = err.message; + } else { + errorMessage.value = String(err); + } + } + + function configGpu(form: { attachAllGpus: boolean; selectedGpus: string[] }): VmmTypes.IGpuConfig | undefined { + if (form.attachAllGpus) { + return { attach_mode: 'all' }; + } + if (form.selectedGpus && form.selectedGpus.length > 0) { + return { + attach_mode: 'listed', + gpus: form.selectedGpus.map((slot: string) => ({ slot })), + }; + } + return undefined; + } + + type CreateVmPayloadSource = { + name: string; + image: string; + compose_file: string; + vcpu: number; + memory: number; + disk_size: number; + disk_type: DiskType; + ports: PortFormEntry[]; + encrypted_env?: Uint8Array; + app_id?: string | null; + user_config?: string; + hugepages?: boolean; + pin_numa?: boolean; + gpus?: VmmTypes.IGpuConfig; + kms_urls?: string[]; + gateway_urls?: string[]; + stopped?: boolean; + }; + + function buildCreateVmPayload(source: CreateVmPayloadSource): VmmTypes.IVmConfiguration { + const normalizedPorts = normalizePorts(source.ports); + return { + name: source.name.trim(), + image: source.image.trim(), + compose_file: source.compose_file, + vcpu: Math.max(1, Number(source.vcpu) || 1), + memory: Math.max(0, Number(source.memory) || 0), + disk_size: Math.max(0, Number(source.disk_size) || 0), + disk_type: source.disk_type || 'virtio-pci', + ports: normalizedPorts, + encrypted_env: source.encrypted_env, + app_id: source.app_id || undefined, + user_config: source.user_config || '', + hugepages: !!source.hugepages, + pin_numa: !!source.pin_numa, + gpus: source.gpus, + kms_urls: source.kms_urls?.filter((url) => url && url.trim().length) ?? [], + gateway_urls: source.gateway_urls?.filter((url) => url && url.trim().length) ?? [], + stopped: !!source.stopped, + }; + } + + const autoMemoryDisplay = (mb: number): { memoryValue: number; memoryUnit: MemoryUnit } => { + if (mb >= 1024) { + return { + memoryValue: Number((mb / 1024).toFixed(1)), + memoryUnit: 'GB', + }; + } + return { + memoryValue: mb, + memoryUnit: 'MB', + }; + }; + + watch([() => vmForm.value.memoryValue, () => vmForm.value.memoryUnit], () => { + vmForm.value.memory = convertMemoryToMB(vmForm.value.memoryValue, vmForm.value.memoryUnit); + }); + + watch([() => vmForm.value.swapValue, () => vmForm.value.swapUnit], () => { + vmForm.value.swap_size = convertSwapToBytes(vmForm.value.swapValue, vmForm.value.swapUnit); + }); + + watch([() => updateDialog.value.memoryValue, () => updateDialog.value.memoryUnit], () => { + updateDialog.value.memory = convertMemoryToMB(updateDialog.value.memoryValue, updateDialog.value.memoryUnit); + }); + + watch([() => updateDialog.value.swapValue, () => updateDialog.value.swapUnit], () => { + updateDialog.value.swap_size = convertSwapToBytes(updateDialog.value.swapValue, updateDialog.value.swapUnit); + }); + + function makeBaseUrl(pathname: string) { + return `${pathname}?json`; + } + + async function baseRpcCall(pathname: string, params: Record = {}) { + const response = await fetch(makeBaseUrl(pathname), { + method: 'POST', + headers: { + 'Content-Type': 'application/json', + }, + body: JSON.stringify(params), + }); + if (!response.ok) { + const error = await response.text(); + errorMessage.value = error; + throw new Error(error); + } + return response; + } + + const guestRpcCall: JsonRpcCall = (method, params) => baseRpcCall(`/guest/${method}`, params); + + async function loadVMList() { + try { + const request: VmmTypes.IStatusRequest = { + brief: true, + keyword: searchQuery.value || undefined, + page: currentPage.value, + page_size: pageSize.value, + }; + const data = await vmmRpc.status(request); + totalVMs.value = data.total || data.vms.length; + hasMorePages.value = data.vms.length === pageSize.value && totalVMs.value > currentPage.value * pageSize.value; + + const previousVmMap = new Map(vms.value.map((vmItem: VmListItem) => [vmItem.id, vmItem])); + vms.value = (data.vms as VmListItem[]).map((vm) => { + const previousVm = previousVmMap.get(vm.id); + if (previousVm) { + return { + ...vm, + configuration: previousVm.configuration, + appCompose: previousVm.appCompose, + }; + } + return vm; + }); + + config.value = { portMappingEnabled: data.port_mapping_enabled }; + + if (expandedVMs.value.size > 0) { + await refreshExpandedVMs(); + } + } catch (error) { + recordError('error loading vm list', error); + } + } + + async function refreshExpandedVMs() { + try { + for (const vmId of Array.from(expandedVMs.value.values()) as string[]) { + await loadVMDetails(vmId); + } + } catch (error) { + recordError('Error refreshing expanded VMs', error); + } + } + + async function loadVMDetails(vmId: string) { + loadingVMDetails.value = true; + try { + const data = await vmmRpc.status({ + brief: false, + ids: [vmId], + }); + if (data.vms && data.vms.length > 0) { + const detailedVM: any = data.vms[0]; + const appCompose = (() => { + try { + return JSON.parse(detailedVM.configuration?.compose_file || '{}'); + } catch (err) { + console.error('Error parsing app config:', err); + return {}; + } + })(); + const index = vms.value.findIndex((vmItem) => vmItem.id === vmId); + if (index !== -1) { + vms.value[index] = { ...detailedVM, appCompose }; + } + } + } catch (error) { + recordError(`Error loading details for VM ${vmId}`, error); + } finally { + loadingVMDetails.value = false; + } + } + + async function ensureVmDetails(vm: VmListItem): Promise { + if (vm.configuration?.compose_file && vm.appCompose) { + return vm; + } + await loadVMDetails(vm.id); + return vms.value.find((item) => item.id === vm.id) || null; + } + + async function loadImages() { + try { + const data = await vmmRpc.listImages({}); + availableImages.value = data.images || []; + } catch (error) { + recordError('error loading images', error); + } + } + + async function loadGpus() { + try { + const data = await vmmRpc.listGpus({}); + const gpus = data.gpus || []; + availableGpus.value = gpus; + availableGpuProducts.value = []; + allowAttachAllGpus.value = data.allow_attach_all; + for (const gpu of gpus) { + if (!availableGpuProducts.value.find((product) => product.product_id === gpu.product_id)) { + availableGpuProducts.value.push(gpu); + } + } + } catch (error) { + recordError('error loading GPUs', error); + } + } + + async function loadVersion() { + const data = await vmmRpc.version({}); + version.value = data; + } + + const imageVersion = (imageName: string) => { + const image = availableImages.value.find((img) => img.name === imageName); + return image?.version; + }; + + const verGE = (versionStr: string, otherVersionStr: string) => { + const versionParts = versionStr.split('.').map(Number); + const otherParts = otherVersionStr.split('.').map(Number); + return ( + versionParts[0] > otherParts[0] || + (versionParts[0] === otherParts[0] && versionParts[1] > otherParts[1]) || + (versionParts[0] === otherParts[0] && versionParts[1] === otherParts[1] && versionParts[2] >= otherParts[2]) + ); + }; + + const imageVersionFeatures = (versionStr: string | undefined) => { + const features = { + progress: false, + graceful_shutdown: false, + network_info: false, + compose_version: 1, + }; + if (!versionStr) { + return features; + } + if (verGE(versionStr, '0.3.3')) { + features.progress = true; + features.graceful_shutdown = true; + features.network_info = true; + features.compose_version = 2; + } + if (verGE(versionStr, '0.4.2')) { + features.compose_version = 3; + } + return features; + }; + + const imageFeatures = (vm: VmListItem) => imageVersionFeatures(vm.image_version); + + const vmStatus = (vm: VmListItem) => { + const features = imageFeatures(vm); + if (!features.progress) { + return vm.status; + } + if (vm.status !== 'running') { + return vm.status; + } + if (vm.shutdown_progress) { + return 'shutting down'; + } + if (vm.boot_progress === 'running') { + return 'running'; + } + if (vm.boot_progress !== 'done') { + return 'booting'; + } + return 'running'; + }; + + const kmsEnabled = (vm: any) => vm.appCompose?.kms_enabled || vm.appCompose?.features?.includes('kms'); + + const gatewayEnabled = (vm: any) => + vm.appCompose?.gateway_enabled || vm.appCompose?.tproxy_enabled || vm.appCompose?.features?.includes('tproxy-net'); + + const defaultTrue = (v: boolean | undefined) => (v === undefined ? true : v); + + function formatMemory(memoryMB?: number) { + if (!memoryMB) { + return '0 MB'; + } + if (memoryMB >= 1024) { + const gbValue = (memoryMB / 1024).toFixed(1); + return `${parseFloat(gbValue)} GB`; + } + return `${memoryMB} MB`; + } + + async function calcComposeHash(appCompose: string) { + const buffer = new TextEncoder().encode(appCompose); + const hashBuffer = await crypto.subtle.digest('SHA-256', buffer); + return Array.from(new Uint8Array(hashBuffer)) + .map((b) => b.toString(16).padStart(2, '0')) + .join(''); + } + + async function makeAppComposeFile() { + const appCompose: Record = { + manifest_version: 2, + name: vmForm.value.name, + runner: 'docker-compose', + docker_compose_file: vmForm.value.dockerComposeFile, + kms_enabled: vmForm.value.kms_enabled, + gateway_enabled: vmForm.value.gateway_enabled, + public_logs: vmForm.value.public_logs, + public_sysinfo: vmForm.value.public_sysinfo, + public_tcbinfo: vmForm.value.public_tcbinfo, + local_key_provider_enabled: vmForm.value.local_key_provider_enabled, + key_provider_id: vmForm.value.key_provider_id, + allowed_envs: vmForm.value.encryptedEnvs.map((env) => env.key), + no_instance_id: !vmForm.value.gateway_enabled, + secure_time: false, + }; + + if (vmForm.value.storage_fs) { + appCompose.storage_fs = vmForm.value.storage_fs; + } + + if (vmForm.value.preLaunchScript?.trim()) { + appCompose.pre_launch_script = vmForm.value.preLaunchScript; + } + + const swapBytes = Math.max(0, Math.round(vmForm.value.swap_size || 0)); + if (swapBytes > 0) { + appCompose.swap_size = swapBytes; + } + + const launchToken = vmForm.value.encryptedEnvs.find((env) => env.key === 'APP_LAUNCH_TOKEN'); + if (launchToken) { + appCompose.launch_token_hash = await calcComposeHash(launchToken.value); + } + + const imgFeatures = imageVersionFeatures(imageVersion(vmForm.value.image)); + if (imgFeatures.compose_version < 2) { + const features: string[] = []; + if (vmForm.value.kms_enabled) features.push('kms'); + if (vmForm.value.gateway_enabled) features.push('tproxy-net'); + appCompose.features = features; + appCompose.manifest_version = 1; + appCompose.version = '1.0.0'; + } + if (imgFeatures.compose_version < 3) { + appCompose.tproxy_enabled = appCompose.gateway_enabled; + delete appCompose.gateway_enabled; + } + return JSON.stringify(appCompose); + } + + async function makeUpdateComposeFile() { + const currentAppCompose = updateDialog.value.vm.appCompose; + const appCompose = { + ...currentAppCompose, + docker_compose_file: updateDialog.value.dockerComposeFile || currentAppCompose.docker_compose_file, + }; + if (updateDialog.value.resetSecrets) { + // Update allowed_envs with the new environment variable keys + appCompose.allowed_envs = updateDialog.value.encryptedEnvs.map(env => env.key); + + const launchToken = updateDialog.value.encryptedEnvs.find((env) => env.key === 'APP_LAUNCH_TOKEN'); + if (launchToken) { + appCompose.launch_token_hash = await calcComposeHash(launchToken.value); + } + } + appCompose.pre_launch_script = updateDialog.value.preLaunchScript?.trim(); + + const swapBytes = Math.max(0, Math.round(updateDialog.value.swap_size || 0)); + if (swapBytes > 0) { + appCompose.swap_size = swapBytes; + } else { + delete appCompose.swap_size; + } + return JSON.stringify(appCompose); + } + + watch( + [ + () => vmForm.value.name, + () => vmForm.value.dockerComposeFile, + () => vmForm.value.preLaunchScript, + () => vmForm.value.kms_enabled, + () => vmForm.value.gateway_enabled, + () => vmForm.value.public_logs, + () => vmForm.value.public_sysinfo, + () => vmForm.value.public_tcbinfo, + () => vmForm.value.local_key_provider_enabled, + () => vmForm.value.key_provider_id, + () => vmForm.value.encryptedEnvs, + () => vmForm.value.storage_fs, + ], + async () => { + try { + const appCompose = await makeAppComposeFile(); + composeHashPreview.value = await calcComposeHash(appCompose); + } catch (error) { + composeHashPreview.value = 'Error calculating hash'; + console.error('Failed to calculate compose hash', error); + } + }, + { deep: true }, + ); + + watch( + [ + () => updateDialog.value.dockerComposeFile, + () => updateDialog.value.preLaunchScript, + () => updateDialog.value.encryptedEnvs, + ], + async () => { + if (!updateDialog.value.updateCompose) { + updateComposeHashPreview.value = ''; + return; + } + try { + const upgradedCompose = await makeUpdateComposeFile(); + updateComposeHashPreview.value = await calcComposeHash(upgradedCompose); + } catch (error) { + updateComposeHashPreview.value = 'Error calculating hash'; + console.error('Failed to calculate compose hash', error); + } + }, + { deep: true }, + ); + + watch(pageSize, (newValue) => { + localStorage.setItem('pageSize', String(newValue)); + }); + + function showDeployDialog() { + showCreateDialog.value = true; + vmForm.value.encryptedEnvs = []; + vmForm.value.app_id = null; + vmForm.value.swapValue = 0; + vmForm.value.swapUnit = 'GB'; + vmForm.value.swap_size = 0; + vmForm.value.disk_type = 'virtio-pci'; + loadGpus(); + } + + async function showUpdateDialog(vm: VmListItem) { + const detailedVm = await ensureVmDetails(vm); + if (!detailedVm?.configuration?.compose_file || !detailedVm.appCompose) { + alert('Compose file not available for this VM. Please expand its details first.'); + return; + } + const config = detailedVm.configuration; + const memoryDisplay = autoMemoryDisplay(config.memory || 0); + const swapDisplay = autoMemoryDisplay(bytesToMB(detailedVm.appCompose?.swap_size || 0)); + const gpuSelection = deriveGpuSelection(config.gpus); + updateDialog.value = { + show: true, + vm: detailedVm, + updateCompose: false, + dockerComposeFile: detailedVm.appCompose.docker_compose_file || '', + preLaunchScript: detailedVm.appCompose.pre_launch_script || '', + encryptedEnvs: [], + resetSecrets: false, + vcpu: config.vcpu || 0, + memory: config.memory || 0, + memoryValue: memoryDisplay.memoryValue, + memoryUnit: memoryDisplay.memoryUnit, + swap_size: detailedVm.appCompose?.swap_size || 0, + swapValue: swapDisplay.memoryValue, + swapUnit: swapDisplay.memoryUnit, + disk_size: config.disk_size || 0, + disk_type: (config.disk_type as DiskType) || 'virtio-pci', + image: config.image || '', + ports: clonePortMappings(config.ports || []), + attachAllGpus: gpuSelection.attachAll, + selectedGpus: gpuSelection.selected, + updateGpuConfig: false, + user_config: config.user_config || '', + }; + } + + function parseEnvFile(content: string) { + const lines = content + .split('\n') + .map((line) => line.trim()) + .filter((line) => line && !line.startsWith('#')); + const envs: Record = {}; + for (const line of lines) { + const [key, ...parts] = line.split('='); + if (!key || parts.length === 0) { + continue; + } + envs[key.trim()] = parts.join('=').trim(); + } + return envs; + } + + async function calcAppId(compose: string) { + const composeHash = await calcComposeHash(compose); + return composeHash.slice(0, 40); + } + + async function encryptEnv(envs: EncryptedEnvEntry[], kmsEnabled: boolean, appId: string | null) { + if (!kmsEnabled || envs.length === 0) { + return undefined; + } + let appIdToUse = appId; + if (!appIdToUse) { + const appCompose = await makeAppComposeFile(); + appIdToUse = await calcAppId(appCompose); + } + const keyBytes = hexToBytes(appIdToUse); + const response = await vmmRpc.getAppEnvEncryptPubKey({ app_id: keyBytes }); + return encryptEnvWithKey(envs, response.public_key); + } + + async function encryptEnvWithKey(envs: EncryptedEnvEntry[], publicKeyBytes: Uint8Array) { + const envsJson = JSON.stringify({ env: envs }); + const remotePubkey = publicKeyBytes && publicKeyBytes.length ? publicKeyBytes : new Uint8Array(); + + const seed = crypto.getRandomValues(new Uint8Array(32)); + const keyPair = x25519.generateKeyPair(seed); + const shared = x25519.sharedKey(keyPair.private, remotePubkey); + + const importedShared = await crypto.subtle.importKey( + 'raw', + shared, + { name: 'AES-GCM', length: 256 }, + true, + ['encrypt'], + ); + const iv = crypto.getRandomValues(new Uint8Array(12)); + const encrypted = await crypto.subtle.encrypt( + { name: 'AES-GCM', iv }, + importedShared, + new TextEncoder().encode(envsJson), + ); + + const result = new Uint8Array(iv.length + keyPair.public.byteLength + encrypted.byteLength); + result.set(keyPair.public, 0); + result.set(iv, keyPair.public.byteLength); + result.set(new Uint8Array(encrypted), keyPair.public.byteLength + iv.length); + + return result; + } + + async function createVm() { + try { + vmForm.value.memory = convertMemoryToMB(vmForm.value.memoryValue, vmForm.value.memoryUnit); + const composeFile = await makeAppComposeFile(); + const encryptedEnv = await encryptEnv( + vmForm.value.encryptedEnvs, + vmForm.value.kms_enabled, + vmForm.value.app_id, + ); + const payload = buildCreateVmPayload({ + name: vmForm.value.name, + image: vmForm.value.image, + compose_file: composeFile, + vcpu: vmForm.value.vcpu, + memory: vmForm.value.memory, + disk_size: vmForm.value.disk_size, + disk_type: vmForm.value.disk_type, + ports: vmForm.value.ports, + encrypted_env: encryptedEnv || undefined, + app_id: vmForm.value.app_id || undefined, + user_config: vmForm.value.user_config, + hugepages: vmForm.value.hugepages, + pin_numa: vmForm.value.pin_numa, + gpus: configGpu(vmForm.value) || undefined, + kms_urls: vmForm.value.kms_urls, + gateway_urls: vmForm.value.gateway_urls, + stopped: vmForm.value.stopped, + }); + + await vmmRpc.createVm(payload); + leaveCreateDialog(); + loadVMList(); + } catch (error) { + recordError('Error creating VM', error); + alert('Failed to create VM'); + } + } + + function leaveCreateDialog() { + showCreateDialog.value = false; + } + + function loadComposeFile(event: Event) { + const input = event.target as HTMLInputElement | null; + const file = input?.files?.[0]; + if (!file) { + return; + } + const reader = new FileReader(); + reader.onload = (e: any) => { + vmForm.value.dockerComposeFile = e.target.result; + }; + reader.readAsText(file); + if (input) { + input.value = ''; + } + } + + function loadUpdateFile(event: Event) { + const input = event.target as HTMLInputElement | null; + const file = input?.files?.[0]; + if (!file) { + return; + } + const reader = new FileReader(); + reader.onload = (e: any) => { + updateDialog.value.dockerComposeFile = e.target.result; + }; + reader.readAsText(file); + if (input) { + input.value = ''; + } + } + + async function updateVM() { + try { + const vm = updateDialog.value.vm; + const original = vm.configuration; + const updated = updateDialog.value; + + const fieldsToCompare = ['vcpu', 'memory', 'disk_size', 'image']; + if (fieldsToCompare.some((field) => updated[field] !== original[field])) { + const resizePayload: VmmTypes.IResizeVmRequest = { + id: vm.id, + vcpu: updated.vcpu, + memory: updated.memory, + disk_size: updated.disk_size, + image: updated.image, + }; + await vmmRpc.resizeVm(resizePayload); + } + + const composeWasExplicitlyUpdated = updateDialog.value.updateCompose; + let composeNeedsUpdate = composeWasExplicitlyUpdated; + let encryptedEnvPayload; + if (updateDialog.value.resetSecrets) { + const keyResponse = await vmmRpc.getAppEnvEncryptPubKey({ app_id: hexToBytes(vm.app_id || '') }); + encryptedEnvPayload = await encryptEnvWithKey(updateDialog.value.encryptedEnvs, keyResponse.public_key); + composeNeedsUpdate = true; + } + const body: VmmTypes.IUpgradeAppRequest = { + id: vm.id, + compose_file: composeNeedsUpdate ? await makeUpdateComposeFile() : undefined, + encrypted_env: encryptedEnvPayload, + user_config: updated.user_config, + update_ports: true, + ports: normalizePorts(updated.ports), + gpus: updateDialog.value.updateGpuConfig ? configGpu(updated) : undefined, + }; + + await vmmRpc.upgradeApp(body); + updateDialog.value.encryptedEnvs = []; + updateDialog.value.show = false; + if (composeWasExplicitlyUpdated) { + updateMessage.value = '✅ Compose file updated!'; + } + loadVMList(); + } catch (error) { + recordError('error upgrading VM', error); + alert('failed to upgrade VM'); + } + } + + async function showCloneConfig(vm: VmListItem) { + const theVm = await ensureVmDetails(vm); + if (!theVm?.configuration?.compose_file) { + alert('Compose file not available for this VM. Please open its details first.'); + return; + } + const config = theVm.configuration; + + // Populate vmForm with current VM data, but clear envs and ports + vmForm.value = { + name: `${config.name || vm.name}-cloned`, + image: config.image || '', + dockerComposeFile: theVm.appCompose?.docker_compose_file || '', + preLaunchScript: theVm.appCompose?.pre_launch_script || '', + vcpu: config.vcpu || 1, + memory: config.memory || 0, + memoryValue: autoMemoryDisplay(config.memory || 0).memoryValue, + memoryUnit: autoMemoryDisplay(config.memory || 0).memoryUnit, + swap_size: theVm.appCompose?.swap_size || 0, + swapValue: autoMemoryDisplay(bytesToMB(theVm.appCompose?.swap_size || 0)).memoryValue, + swapUnit: autoMemoryDisplay(bytesToMB(theVm.appCompose?.swap_size || 0)).memoryUnit, + disk_size: config.disk_size || 0, + disk_type: (config.disk_type as DiskType) || 'virtio-pci', + selectedGpus: [], + attachAllGpus: false, + encryptedEnvs: [], // Clear environment variables + ports: [], // Clear port mappings + storage_fs: theVm.appCompose?.storage_fs || 'ext4', + app_id: config.app_id || '', + kms_enabled: !!theVm.appCompose?.kms_enabled, + kms_urls: config.kms_urls || [], + local_key_provider_enabled: !!theVm.appCompose?.local_key_provider_enabled, + key_provider_id: theVm.appCompose?.key_provider_id || '', + gateway_enabled: !!theVm.appCompose?.gateway_enabled, + gateway_urls: config.gateway_urls || [], + public_logs: !!theVm.appCompose?.public_logs, + public_sysinfo: !!theVm.appCompose?.public_sysinfo, + public_tcbinfo: !!theVm.appCompose?.public_tcbinfo, + pin_numa: !!config.pin_numa, + hugepages: !!config.hugepages, + user_config: config.user_config || '', + stopped: !!config.stopped, + }; + + // Show Create VM dialog instead of Clone Config dialog + showCreateDialog.value = true; + } + + async function cloneConfig() { + try { + const source = cloneConfigDialog.value; + if (!source.compose_file) { + alert('Compose file not available for this VM. Please open its details first.'); + return; + } + const payload = buildCreateVmPayload({ + name: source.name, + image: source.image, + compose_file: source.compose_file, + vcpu: source.vcpu, + memory: source.memory, + disk_size: source.disk_size, + disk_type: source.disk_type, + ports: source.ports, + encrypted_env: source.encrypted_env, + app_id: source.app_id, + user_config: source.user_config, + hugepages: source.hugepages, + pin_numa: source.pin_numa, + gpus: source.gpus, + kms_urls: source.kms_urls, + gateway_urls: source.gateway_urls, + stopped: source.stopped, + }); + await vmmRpc.createVm(payload); + cloneConfigDialog.value.show = false; + loadVMList(); + } catch (error) { + recordError('Error creating VM', error); + alert('Failed to create VM'); + } + } + + function toggleDetails(vm: VmListItem) { + if (expandedVMs.value.has(vm.id)) { + expandedVMs.value.delete(vm.id); + } else { + // Close all other expanded VMs + expandedVMs.value.clear(); + expandedVMs.value.add(vm.id); + loadVMDetails(vm.id); + refreshNetworkInfo(vm); + } + } + + async function refreshNetworkInfo(vm: VmListItem) { + if (vm.status !== 'running' || !imageFeatures(vm).network_info) { + return; + } + const response = await guestRpcCall('NetworkInfo', { id: vm.id }); + const data = await response.json(); + networkInfo.value[vm.id] = data; + } + + function nextPage() { + if (hasMorePages.value) { + currentPage.value += 1; + pageInput.value = currentPage.value; + loadVMList(); + } + } + + function prevPage() { + if (currentPage.value > 1) { + currentPage.value -= 1; + pageInput.value = currentPage.value; + loadVMList(); + } + } + + function goToPage() { + let page = Number.parseInt(String(pageInput.value), 10); + if (Number.isNaN(page) || page < 1) { + page = 1; + } else if (page > maxPage.value) { + page = maxPage.value; + } + pageInput.value = page; + currentPage.value = page; + loadVMList(); + } + + function closeAllDropdowns() { + document.querySelectorAll('.dropdown-content').forEach((dropdown) => dropdown.classList.remove('show')); + document.removeEventListener('click', closeAllDropdowns); + } + + function toggleDropdown(event: Event, vm: VmListItem) { + document.querySelectorAll('.dropdown-content').forEach((dropdown) => { + if (dropdown.id !== `dropdown-${vm.id}`) { + dropdown.classList.remove('show'); + } + }); + const dropdownContent = document.getElementById(`dropdown-${vm.id}`); + dropdownContent?.classList.toggle('show'); + + event.stopPropagation(); + + document.addEventListener('click', closeAllDropdowns); + } + + function onPageSizeChange() { + currentPage.value = 1; + pageInput.value = 1; + loadVMList(); + } + + async function startVm(id: string) { + await vmmRpc.startVm({ id }); + loadVMList(); + } + + async function shutdownVm(id: string) { + await vmmRpc.shutdownVm({ id }); + loadVMList(); + } + + async function stopVm(vm: VmListItem) { + if (localStorage.getItem('dangerConfirm') === 'true' && + !confirm(`You are killing "${vm.name}". This might cause data corruption.`)) { + return; + } + await vmmRpc.stopVm({ id: vm.id }); + loadVMList(); + } + + async function removeVm(id: string) { + if (localStorage.getItem('dangerConfirm') === 'true' && + !confirm('Remove VM? This action cannot be undone.')) { + return; + } + await vmmRpc.removeVm({ id }); + loadVMList(); + } + + function showLogs(id: string, channel: string) { + window.open(`/logs?id=${encodeURIComponent(id)}&follow=false&ansi=false&lines=200&ch=${channel}`, '_blank'); + } + + function showDashboard(vm: VmListItem) { + if (vm.app_url) { + window.open(vm.app_url, '_blank'); + } else { + alert('No guest agent dashboard URL'); + } + } + + async function watchVmList() { + while (true) { + try { + await loadVMList(); + } catch (error) { + recordError('error loading VM list', error); + } + await new Promise((resolve) => setTimeout(resolve, 3000)); + } + } + + async function copyToClipboard(text: string) { + try { + await navigator.clipboard.writeText(text); + successMessage.value = '✅ Copied to clipboard!'; + setTimeout(() => { + successMessage.value = ''; + }, 2000); + } catch (error) { + console.error('Failed to copy to clipboard', error); + errorMessage.value = 'Failed to copy to clipboard'; + setTimeout(() => { + errorMessage.value = ''; + }, 3000); + } + } + + function downloadFile(filename: string, content: string) { + const blob = new Blob([content], { type: 'text/plain' }); + const url = URL.createObjectURL(blob); + const link = document.createElement('a'); + link.href = url; + link.download = filename; + document.body.appendChild(link); + link.click(); + document.body.removeChild(link); + URL.revokeObjectURL(url); + } + + function downloadAppCompose(vm: VmListItem) { + if (vm.configuration?.compose_file) { + downloadFile(`${vm.name}-app-compose.json`, vm.configuration.compose_file); + } + } + + function downloadUserConfig(vm: VmListItem) { + if (vm.configuration?.user_config) { + downloadFile(`${vm.name}-user-config.txt`, vm.configuration.user_config); + } + } + + function getVmFeatures(vm: VmListItem) { + const features = []; + + // Check KMS + const kmsEnabled = vm.appCompose?.kms_enabled || vm.appCompose?.features?.includes('kms') || + vm.configuration?.kms_urls?.length > 0; + if (kmsEnabled) features.push("kms"); + + // Check Gateway/TProxy + const gatewayEnabled = vm.appCompose?.gateway_enabled || vm.appCompose?.tproxy_enabled || + vm.appCompose?.features?.includes('tproxy-net') || vm.configuration?.gateway_urls?.length > 0; + if (gatewayEnabled) features.push("gateway"); + + // Check other features from appCompose + if (vm.appCompose?.public_logs) features.push("logs"); + if (vm.appCompose?.public_sysinfo) features.push("sysinfo"); + if (vm.appCompose?.public_tcbinfo) features.push("tcbinfo"); + + return features.length > 0 ? features.join(', ') : 'None'; + } + + onMounted(() => { + watchVmList(); + loadImages(); + loadGpus(); + loadVersion(); + }); + + return { + version, + vms, + expandedVMs, + networkInfo, + searchQuery, + currentPage, + pageInput, + pageSize, + totalVMs, + hasMorePages, + loadingVMDetails, + maxPage, + vmForm, + availableImages, + availableGpus, + availableGpuProducts, + allowAttachAllGpus, + updateDialog, + updateMessage, + successMessage, + errorMessage, + cloneConfigDialog, + showCreateDialog, + config, + composeHashPreview, + updateComposeHashPreview, + showDeployDialog, + leaveCreateDialog, + loadComposeFile, + loadUpdateFile, + createVm, + updateVM, + cloneConfig, + loadVMList, + toggleDetails, + toggleDropdown, + closeAllDropdowns, + showLogs, + showDashboard, + stopVm, + shutdownVm, + startVm, + removeVm, + showUpdateDialog, + showCloneConfig, + formatMemory, + bytesToMB, + vmStatus, + kmsEnabled, + gatewayEnabled, + goToPage, + nextPage, + prevPage, + onPageSizeChange, + copyToClipboard, + downloadAppCompose, + downloadUserConfig, + getVmFeatures, + }; +} + +export { useVmManager }; diff --git a/vmm/ui/src/index.html b/vmm/ui/src/index.html new file mode 100644 index 00000000..1ff7df63 --- /dev/null +++ b/vmm/ui/src/index.html @@ -0,0 +1,17 @@ + + + + + + + {{TITLE}} | dstack-vmm + + + + +
+ + + + + diff --git a/vmm/ui/src/lib/vmmRpcClient.ts b/vmm/ui/src/lib/vmmRpcClient.ts new file mode 100644 index 00000000..683f499f --- /dev/null +++ b/vmm/ui/src/lib/vmmRpcClient.ts @@ -0,0 +1,91 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +const { vmm } = require('../proto/vmm_rpc.js'); +const { prpc } = require('../proto/prpc.js'); + +const textDecoder = new TextDecoder(); +const EMPTY_BODY = new Uint8Array(); +let cachedClient: any; + +function decodePrpcError(buffer: Uint8Array) { + try { + if (buffer && buffer.length > 0) { + const err = prpc.PrpcError.decode(buffer); + if (err?.message) { + return err.message; + } + } + } catch { + // Ignore decode failures; fall through to text decoding. + } + try { + const text = buffer && buffer.length > 0 ? textDecoder.decode(buffer) : ''; + return text || 'Unknown RPC error'; + } catch { + return 'Unknown RPC error'; + } +} + +function normalizeRequestData(data?: Uint8Array | ArrayBuffer | null) { + if (!data) { + return EMPTY_BODY; + } + if (data instanceof Uint8Array) { + return data; + } + return new Uint8Array(data); +} + +function resolveMethodName(method: any) { + if (!method) { + return ''; + } + const type = typeof method; + if (type === 'string') { + return method; + } + if (type === 'function' || type === 'object') { + if (method.name) { + return method.name.charAt(0).toUpperCase() + method.name.slice(1); + } + if (method.fullName) { + const parts = String(method.fullName).split('.'); + return parts[parts.length - 1]; + } + } + return String(method); +} + +export function getVmmRpcClient(basePath = '/prpc') { + if (cachedClient) { + return cachedClient; + } + + const rpcImpl = (method: any, requestData: Uint8Array, callback: (err?: Error | null, data?: Uint8Array) => void) => { + const methodName = resolveMethodName(method); + const payload = normalizeRequestData(requestData); + fetch(`${basePath}/${methodName}`, { + method: 'POST', + headers: { + 'Content-Type': 'application/octet-stream', + }, + body: payload as unknown as BodyInit, + credentials: 'same-origin', + }) + .then(async (response) => { + const buffer = new Uint8Array(await response.arrayBuffer()); + if (!response.ok) { + callback(new Error(decodePrpcError(buffer))); + return; + } + callback(null, buffer); + }) + .catch((error) => { + callback(error); + }); + }; + + cachedClient = vmm.Vmm.create(rpcImpl, false, false); + return cachedClient; +} diff --git a/vmm/ui/src/lib/x25519.js b/vmm/ui/src/lib/x25519.js new file mode 100644 index 00000000..76311675 --- /dev/null +++ b/vmm/ui/src/lib/x25519.js @@ -0,0 +1,1672 @@ +// SPDX-FileCopyrightText: © 2016 Dmitry Chestnykh, © 2019 Harvey Connor +// SPDX-License-Identifier: MIT + + let _0 = new Uint8Array(16); + let _9 = new Uint8Array(32); + _9[0] = 9; + function gf(init) { + var i, r = new Float64Array(16); + if (init) + for (i = 0; i < init.length; i++) + r[i] = init[i]; + return r; + } + ; + const gf0 = gf(), gf1 = gf([1]), _121665 = gf([0xdb41, 1]), D = gf([ + 0x78a3, + 0x1359, + 0x4dca, + 0x75eb, + 0xd8ab, + 0x4141, + 0x0a4d, + 0x0070, + 0xe898, + 0x7779, + 0x4079, + 0x8cc7, + 0xfe73, + 0x2b6f, + 0x6cee, + 0x5203, + ]), D2 = gf([ + 0xf159, + 0x26b2, + 0x9b94, + 0xebd6, + 0xb156, + 0x8283, + 0x149a, + 0x00e0, + 0xd130, + 0xeef3, + 0x80f2, + 0x198e, + 0xfce7, + 0x56df, + 0xd9dc, + 0x2406, + ]), X = gf([ + 0xd51a, + 0x8f25, + 0x2d60, + 0xc956, + 0xa7b2, + 0x9525, + 0xc760, + 0x692c, + 0xdc5c, + 0xfdd6, + 0xe231, + 0xc0a4, + 0x53fe, + 0xcd6e, + 0x36d3, + 0x2169, + ]), Y = gf([ + 0x6658, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + ]), I = gf([ + 0xa0b0, + 0x4a0e, + 0x1b27, + 0xc4ee, + 0xe478, + 0xad2f, + 0x1806, + 0x2f43, + 0xd7a7, + 0x3dfb, + 0x0099, + 0x2b4d, + 0xdf0b, + 0x4fc1, + 0x2480, + 0x2b83, + ]); + function ts64(x, i, h, l) { + x[i] = (h >> 24) & 0xff; + x[i + 1] = (h >> 16) & 0xff; + x[i + 2] = (h >> 8) & 0xff; + x[i + 3] = h & 0xff; + x[i + 4] = (l >> 24) & 0xff; + x[i + 5] = (l >> 16) & 0xff; + x[i + 6] = (l >> 8) & 0xff; + x[i + 7] = l & 0xff; + } + function vn(x, xi, y, yi, n) { + var i, d = 0; + for (i = 0; i < n; i++) + d |= x[xi + i] ^ y[yi + i]; + return (1 & ((d - 1) >>> 8)) - 1; + } + function crypto_verify_32(x, xi, y, yi) { + return vn(x, xi, y, yi, 32); + } + function set25519(r, a) { + var i; + for (i = 0; i < 16; i++) + r[i] = a[i] | 0; + } + function car25519(o) { + var i, v, c = 1; + for (i = 0; i < 16; i++) { + v = o[i] + c + 65535; + c = Math.floor(v / 65536); + o[i] = v - c * 65536; + } + o[0] += c - 1 + 37 * (c - 1); + } + function sel25519(p, q, b) { + var t, c = ~(b - 1); + for (var i = 0; i < 16; i++) { + t = c & (p[i] ^ q[i]); + p[i] ^= t; + q[i] ^= t; + } + } + function pack25519(o, n) { + var i, j, b; + var m = gf(), t = gf(); + for (i = 0; i < 16; i++) + t[i] = n[i]; + car25519(t); + car25519(t); + car25519(t); + for (j = 0; j < 2; j++) { + m[0] = t[0] - 0xffed; + for (i = 1; i < 15; i++) { + m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1); + m[i - 1] &= 0xffff; + } + m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1); + b = (m[15] >> 16) & 1; + m[14] &= 0xffff; + sel25519(t, m, 1 - b); + } + for (i = 0; i < 16; i++) { + o[2 * i] = t[i] & 0xff; + o[2 * i + 1] = t[i] >> 8; + } + } + function neq25519(a, b) { + var c = new Uint8Array(32), d = new Uint8Array(32); + pack25519(c, a); + pack25519(d, b); + return crypto_verify_32(c, 0, d, 0); + } + function par25519(a) { + var d = new Uint8Array(32); + pack25519(d, a); + return d[0] & 1; + } + function unpack25519(o, n) { + var i; + for (i = 0; i < 16; i++) + o[i] = n[2 * i] + (n[2 * i + 1] << 8); + o[15] &= 0x7fff; + } + function A(o, a, b) { + for (var i = 0; i < 16; i++) + o[i] = a[i] + b[i]; + } + function Z(o, a, b) { + for (var i = 0; i < 16; i++) + o[i] = a[i] - b[i]; + } + function M(o, a, b) { + var v, c, t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0, t5 = 0, t6 = 0, t7 = 0, t8 = 0, t9 = 0, t10 = 0, t11 = 0, t12 = 0, t13 = 0, t14 = 0, t15 = 0, t16 = 0, t17 = 0, t18 = 0, t19 = 0, t20 = 0, t21 = 0, t22 = 0, t23 = 0, t24 = 0, t25 = 0, t26 = 0, t27 = 0, t28 = 0, t29 = 0, t30 = 0, b0 = b[0], b1 = b[1], b2 = b[2], b3 = b[3], b4 = b[4], b5 = b[5], b6 = b[6], b7 = b[7], b8 = b[8], b9 = b[9], b10 = b[10], b11 = b[11], b12 = b[12], b13 = b[13], b14 = b[14], b15 = b[15]; + v = a[0]; + t0 += v * b0; + t1 += v * b1; + t2 += v * b2; + t3 += v * b3; + t4 += v * b4; + t5 += v * b5; + t6 += v * b6; + t7 += v * b7; + t8 += v * b8; + t9 += v * b9; + t10 += v * b10; + t11 += v * b11; + t12 += v * b12; + t13 += v * b13; + t14 += v * b14; + t15 += v * b15; + v = a[1]; + t1 += v * b0; + t2 += v * b1; + t3 += v * b2; + t4 += v * b3; + t5 += v * b4; + t6 += v * b5; + t7 += v * b6; + t8 += v * b7; + t9 += v * b8; + t10 += v * b9; + t11 += v * b10; + t12 += v * b11; + t13 += v * b12; + t14 += v * b13; + t15 += v * b14; + t16 += v * b15; + v = a[2]; + t2 += v * b0; + t3 += v * b1; + t4 += v * b2; + t5 += v * b3; + t6 += v * b4; + t7 += v * b5; + t8 += v * b6; + t9 += v * b7; + t10 += v * b8; + t11 += v * b9; + t12 += v * b10; + t13 += v * b11; + t14 += v * b12; + t15 += v * b13; + t16 += v * b14; + t17 += v * b15; + v = a[3]; + t3 += v * b0; + t4 += v * b1; + t5 += v * b2; + t6 += v * b3; + t7 += v * b4; + t8 += v * b5; + t9 += v * b6; + t10 += v * b7; + t11 += v * b8; + t12 += v * b9; + t13 += v * b10; + t14 += v * b11; + t15 += v * b12; + t16 += v * b13; + t17 += v * b14; + t18 += v * b15; + v = a[4]; + t4 += v * b0; + t5 += v * b1; + t6 += v * b2; + t7 += v * b3; + t8 += v * b4; + t9 += v * b5; + t10 += v * b6; + t11 += v * b7; + t12 += v * b8; + t13 += v * b9; + t14 += v * b10; + t15 += v * b11; + t16 += v * b12; + t17 += v * b13; + t18 += v * b14; + t19 += v * b15; + v = a[5]; + t5 += v * b0; + t6 += v * b1; + t7 += v * b2; + t8 += v * b3; + t9 += v * b4; + t10 += v * b5; + t11 += v * b6; + t12 += v * b7; + t13 += v * b8; + t14 += v * b9; + t15 += v * b10; + t16 += v * b11; + t17 += v * b12; + t18 += v * b13; + t19 += v * b14; + t20 += v * b15; + v = a[6]; + t6 += v * b0; + t7 += v * b1; + t8 += v * b2; + t9 += v * b3; + t10 += v * b4; + t11 += v * b5; + t12 += v * b6; + t13 += v * b7; + t14 += v * b8; + t15 += v * b9; + t16 += v * b10; + t17 += v * b11; + t18 += v * b12; + t19 += v * b13; + t20 += v * b14; + t21 += v * b15; + v = a[7]; + t7 += v * b0; + t8 += v * b1; + t9 += v * b2; + t10 += v * b3; + t11 += v * b4; + t12 += v * b5; + t13 += v * b6; + t14 += v * b7; + t15 += v * b8; + t16 += v * b9; + t17 += v * b10; + t18 += v * b11; + t19 += v * b12; + t20 += v * b13; + t21 += v * b14; + t22 += v * b15; + v = a[8]; + t8 += v * b0; + t9 += v * b1; + t10 += v * b2; + t11 += v * b3; + t12 += v * b4; + t13 += v * b5; + t14 += v * b6; + t15 += v * b7; + t16 += v * b8; + t17 += v * b9; + t18 += v * b10; + t19 += v * b11; + t20 += v * b12; + t21 += v * b13; + t22 += v * b14; + t23 += v * b15; + v = a[9]; + t9 += v * b0; + t10 += v * b1; + t11 += v * b2; + t12 += v * b3; + t13 += v * b4; + t14 += v * b5; + t15 += v * b6; + t16 += v * b7; + t17 += v * b8; + t18 += v * b9; + t19 += v * b10; + t20 += v * b11; + t21 += v * b12; + t22 += v * b13; + t23 += v * b14; + t24 += v * b15; + v = a[10]; + t10 += v * b0; + t11 += v * b1; + t12 += v * b2; + t13 += v * b3; + t14 += v * b4; + t15 += v * b5; + t16 += v * b6; + t17 += v * b7; + t18 += v * b8; + t19 += v * b9; + t20 += v * b10; + t21 += v * b11; + t22 += v * b12; + t23 += v * b13; + t24 += v * b14; + t25 += v * b15; + v = a[11]; + t11 += v * b0; + t12 += v * b1; + t13 += v * b2; + t14 += v * b3; + t15 += v * b4; + t16 += v * b5; + t17 += v * b6; + t18 += v * b7; + t19 += v * b8; + t20 += v * b9; + t21 += v * b10; + t22 += v * b11; + t23 += v * b12; + t24 += v * b13; + t25 += v * b14; + t26 += v * b15; + v = a[12]; + t12 += v * b0; + t13 += v * b1; + t14 += v * b2; + t15 += v * b3; + t16 += v * b4; + t17 += v * b5; + t18 += v * b6; + t19 += v * b7; + t20 += v * b8; + t21 += v * b9; + t22 += v * b10; + t23 += v * b11; + t24 += v * b12; + t25 += v * b13; + t26 += v * b14; + t27 += v * b15; + v = a[13]; + t13 += v * b0; + t14 += v * b1; + t15 += v * b2; + t16 += v * b3; + t17 += v * b4; + t18 += v * b5; + t19 += v * b6; + t20 += v * b7; + t21 += v * b8; + t22 += v * b9; + t23 += v * b10; + t24 += v * b11; + t25 += v * b12; + t26 += v * b13; + t27 += v * b14; + t28 += v * b15; + v = a[14]; + t14 += v * b0; + t15 += v * b1; + t16 += v * b2; + t17 += v * b3; + t18 += v * b4; + t19 += v * b5; + t20 += v * b6; + t21 += v * b7; + t22 += v * b8; + t23 += v * b9; + t24 += v * b10; + t25 += v * b11; + t26 += v * b12; + t27 += v * b13; + t28 += v * b14; + t29 += v * b15; + v = a[15]; + t15 += v * b0; + t16 += v * b1; + t17 += v * b2; + t18 += v * b3; + t19 += v * b4; + t20 += v * b5; + t21 += v * b6; + t22 += v * b7; + t23 += v * b8; + t24 += v * b9; + t25 += v * b10; + t26 += v * b11; + t27 += v * b12; + t28 += v * b13; + t29 += v * b14; + t30 += v * b15; + t0 += 38 * t16; + t1 += 38 * t17; + t2 += 38 * t18; + t3 += 38 * t19; + t4 += 38 * t20; + t5 += 38 * t21; + t6 += 38 * t22; + t7 += 38 * t23; + t8 += 38 * t24; + t9 += 38 * t25; + t10 += 38 * t26; + t11 += 38 * t27; + t12 += 38 * t28; + t13 += 38 * t29; + t14 += 38 * t30; + // t15 left as is + // first car + c = 1; + v = t0 + c + 65535; + c = Math.floor(v / 65536); + t0 = v - c * 65536; + v = t1 + c + 65535; + c = Math.floor(v / 65536); + t1 = v - c * 65536; + v = t2 + c + 65535; + c = Math.floor(v / 65536); + t2 = v - c * 65536; + v = t3 + c + 65535; + c = Math.floor(v / 65536); + t3 = v - c * 65536; + v = t4 + c + 65535; + c = Math.floor(v / 65536); + t4 = v - c * 65536; + v = t5 + c + 65535; + c = Math.floor(v / 65536); + t5 = v - c * 65536; + v = t6 + c + 65535; + c = Math.floor(v / 65536); + t6 = v - c * 65536; + v = t7 + c + 65535; + c = Math.floor(v / 65536); + t7 = v - c * 65536; + v = t8 + c + 65535; + c = Math.floor(v / 65536); + t8 = v - c * 65536; + v = t9 + c + 65535; + c = Math.floor(v / 65536); + t9 = v - c * 65536; + v = t10 + c + 65535; + c = Math.floor(v / 65536); + t10 = v - c * 65536; + v = t11 + c + 65535; + c = Math.floor(v / 65536); + t11 = v - c * 65536; + v = t12 + c + 65535; + c = Math.floor(v / 65536); + t12 = v - c * 65536; + v = t13 + c + 65535; + c = Math.floor(v / 65536); + t13 = v - c * 65536; + v = t14 + c + 65535; + c = Math.floor(v / 65536); + t14 = v - c * 65536; + v = t15 + c + 65535; + c = Math.floor(v / 65536); + t15 = v - c * 65536; + t0 += c - 1 + 37 * (c - 1); + // second car + c = 1; + v = t0 + c + 65535; + c = Math.floor(v / 65536); + t0 = v - c * 65536; + v = t1 + c + 65535; + c = Math.floor(v / 65536); + t1 = v - c * 65536; + v = t2 + c + 65535; + c = Math.floor(v / 65536); + t2 = v - c * 65536; + v = t3 + c + 65535; + c = Math.floor(v / 65536); + t3 = v - c * 65536; + v = t4 + c + 65535; + c = Math.floor(v / 65536); + t4 = v - c * 65536; + v = t5 + c + 65535; + c = Math.floor(v / 65536); + t5 = v - c * 65536; + v = t6 + c + 65535; + c = Math.floor(v / 65536); + t6 = v - c * 65536; + v = t7 + c + 65535; + c = Math.floor(v / 65536); + t7 = v - c * 65536; + v = t8 + c + 65535; + c = Math.floor(v / 65536); + t8 = v - c * 65536; + v = t9 + c + 65535; + c = Math.floor(v / 65536); + t9 = v - c * 65536; + v = t10 + c + 65535; + c = Math.floor(v / 65536); + t10 = v - c * 65536; + v = t11 + c + 65535; + c = Math.floor(v / 65536); + t11 = v - c * 65536; + v = t12 + c + 65535; + c = Math.floor(v / 65536); + t12 = v - c * 65536; + v = t13 + c + 65535; + c = Math.floor(v / 65536); + t13 = v - c * 65536; + v = t14 + c + 65535; + c = Math.floor(v / 65536); + t14 = v - c * 65536; + v = t15 + c + 65535; + c = Math.floor(v / 65536); + t15 = v - c * 65536; + t0 += c - 1 + 37 * (c - 1); + o[0] = t0; + o[1] = t1; + o[2] = t2; + o[3] = t3; + o[4] = t4; + o[5] = t5; + o[6] = t6; + o[7] = t7; + o[8] = t8; + o[9] = t9; + o[10] = t10; + o[11] = t11; + o[12] = t12; + o[13] = t13; + o[14] = t14; + o[15] = t15; + } + function S(o, a) { + M(o, a, a); + } + function inv25519(o, i) { + var c = gf(); + var a; + for (a = 0; a < 16; a++) + c[a] = i[a]; + for (a = 253; a >= 0; a--) { + S(c, c); + if (a !== 2 && a !== 4) + M(c, c, i); + } + for (a = 0; a < 16; a++) + o[a] = c[a]; + } + function pow2523(o, i) { + var c = gf(); + var a; + for (a = 0; a < 16; a++) + c[a] = i[a]; + for (a = 250; a >= 0; a--) { + S(c, c); + if (a !== 1) + M(c, c, i); + } + for (a = 0; a < 16; a++) + o[a] = c[a]; + } + function crypto_scalarmult(q, n, p) { + var z = new Uint8Array(32); + var x = new Float64Array(80), r, i; + var a = gf(), b = gf(), c = gf(), d = gf(), e = gf(), f = gf(); + for (i = 0; i < 31; i++) + z[i] = n[i]; + z[31] = (n[31] & 127) | 64; + z[0] &= 248; + unpack25519(x, p); + for (i = 0; i < 16; i++) { + b[i] = x[i]; + d[i] = a[i] = c[i] = 0; + } + a[0] = d[0] = 1; + for (i = 254; i >= 0; --i) { + r = (z[i >>> 3] >>> (i & 7)) & 1; + sel25519(a, b, r); + sel25519(c, d, r); + A(e, a, c); + Z(a, a, c); + A(c, b, d); + Z(b, b, d); + S(d, e); + S(f, a); + M(a, c, a); + M(c, b, e); + A(e, a, c); + Z(a, a, c); + S(b, a); + Z(c, d, f); + M(a, c, _121665); + A(a, a, d); + M(c, c, a); + M(a, d, f); + M(d, b, x); + S(b, e); + sel25519(a, b, r); + sel25519(c, d, r); + } + for (i = 0; i < 16; i++) { + x[i + 16] = a[i]; + x[i + 32] = c[i]; + x[i + 48] = b[i]; + x[i + 64] = d[i]; + } + var x32 = x.subarray(32); + var x16 = x.subarray(16); + inv25519(x32, x32); + M(x16, x16, x32); + pack25519(q, x16); + return 0; + } + function crypto_scalarmult_base(q, n) { + return crypto_scalarmult(q, n, _9); + } + var K = [ + 0x428a2f98, + 0xd728ae22, + 0x71374491, + 0x23ef65cd, + 0xb5c0fbcf, + 0xec4d3b2f, + 0xe9b5dba5, + 0x8189dbbc, + 0x3956c25b, + 0xf348b538, + 0x59f111f1, + 0xb605d019, + 0x923f82a4, + 0xaf194f9b, + 0xab1c5ed5, + 0xda6d8118, + 0xd807aa98, + 0xa3030242, + 0x12835b01, + 0x45706fbe, + 0x243185be, + 0x4ee4b28c, + 0x550c7dc3, + 0xd5ffb4e2, + 0x72be5d74, + 0xf27b896f, + 0x80deb1fe, + 0x3b1696b1, + 0x9bdc06a7, + 0x25c71235, + 0xc19bf174, + 0xcf692694, + 0xe49b69c1, + 0x9ef14ad2, + 0xefbe4786, + 0x384f25e3, + 0x0fc19dc6, + 0x8b8cd5b5, + 0x240ca1cc, + 0x77ac9c65, + 0x2de92c6f, + 0x592b0275, + 0x4a7484aa, + 0x6ea6e483, + 0x5cb0a9dc, + 0xbd41fbd4, + 0x76f988da, + 0x831153b5, + 0x983e5152, + 0xee66dfab, + 0xa831c66d, + 0x2db43210, + 0xb00327c8, + 0x98fb213f, + 0xbf597fc7, + 0xbeef0ee4, + 0xc6e00bf3, + 0x3da88fc2, + 0xd5a79147, + 0x930aa725, + 0x06ca6351, + 0xe003826f, + 0x14292967, + 0x0a0e6e70, + 0x27b70a85, + 0x46d22ffc, + 0x2e1b2138, + 0x5c26c926, + 0x4d2c6dfc, + 0x5ac42aed, + 0x53380d13, + 0x9d95b3df, + 0x650a7354, + 0x8baf63de, + 0x766a0abb, + 0x3c77b2a8, + 0x81c2c92e, + 0x47edaee6, + 0x92722c85, + 0x1482353b, + 0xa2bfe8a1, + 0x4cf10364, + 0xa81a664b, + 0xbc423001, + 0xc24b8b70, + 0xd0f89791, + 0xc76c51a3, + 0x0654be30, + 0xd192e819, + 0xd6ef5218, + 0xd6990624, + 0x5565a910, + 0xf40e3585, + 0x5771202a, + 0x106aa070, + 0x32bbd1b8, + 0x19a4c116, + 0xb8d2d0c8, + 0x1e376c08, + 0x5141ab53, + 0x2748774c, + 0xdf8eeb99, + 0x34b0bcb5, + 0xe19b48a8, + 0x391c0cb3, + 0xc5c95a63, + 0x4ed8aa4a, + 0xe3418acb, + 0x5b9cca4f, + 0x7763e373, + 0x682e6ff3, + 0xd6b2b8a3, + 0x748f82ee, + 0x5defb2fc, + 0x78a5636f, + 0x43172f60, + 0x84c87814, + 0xa1f0ab72, + 0x8cc70208, + 0x1a6439ec, + 0x90befffa, + 0x23631e28, + 0xa4506ceb, + 0xde82bde9, + 0xbef9a3f7, + 0xb2c67915, + 0xc67178f2, + 0xe372532b, + 0xca273ece, + 0xea26619c, + 0xd186b8c7, + 0x21c0c207, + 0xeada7dd6, + 0xcde0eb1e, + 0xf57d4f7f, + 0xee6ed178, + 0x06f067aa, + 0x72176fba, + 0x0a637dc5, + 0xa2c898a6, + 0x113f9804, + 0xbef90dae, + 0x1b710b35, + 0x131c471b, + 0x28db77f5, + 0x23047d84, + 0x32caab7b, + 0x40c72493, + 0x3c9ebe0a, + 0x15c9bebc, + 0x431d67c4, + 0x9c100d4c, + 0x4cc5d4be, + 0xcb3e42b6, + 0x597f299c, + 0xfc657e2a, + 0x5fcb6fab, + 0x3ad6faec, + 0x6c44198c, + 0x4a475817, + ]; + function crypto_hashblocks_hl(hh, hl, m, n) { + var wh = new Int32Array(16), wl = new Int32Array(16), bh0, bh1, bh2, bh3, bh4, bh5, bh6, bh7, bl0, bl1, bl2, bl3, bl4, bl5, bl6, bl7, th, tl, i, j, h, l, a, b, c, d; + var ah0 = hh[0], ah1 = hh[1], ah2 = hh[2], ah3 = hh[3], ah4 = hh[4], ah5 = hh[5], ah6 = hh[6], ah7 = hh[7], al0 = hl[0], al1 = hl[1], al2 = hl[2], al3 = hl[3], al4 = hl[4], al5 = hl[5], al6 = hl[6], al7 = hl[7]; + var pos = 0; + while (n >= 128) { + for (i = 0; i < 16; i++) { + j = 8 * i + pos; + wh[i] = (m[j + 0] << 24) | (m[j + 1] << 16) | (m[j + 2] << 8) | m[j + 3]; + wl[i] = (m[j + 4] << 24) | (m[j + 5] << 16) | (m[j + 6] << 8) | m[j + 7]; + } + for (i = 0; i < 80; i++) { + bh0 = ah0; + bh1 = ah1; + bh2 = ah2; + bh3 = ah3; + bh4 = ah4; + bh5 = ah5; + bh6 = ah6; + bh7 = ah7; + bl0 = al0; + bl1 = al1; + bl2 = al2; + bl3 = al3; + bl4 = al4; + bl5 = al5; + bl6 = al6; + bl7 = al7; + // add + h = ah7; + l = al7; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + // Sigma1 + h = + ((ah4 >>> 14) | (al4 << (32 - 14))) ^ + ((ah4 >>> 18) | (al4 << (32 - 18))) ^ + ((al4 >>> (41 - 32)) | (ah4 << (32 - (41 - 32)))); + l = + ((al4 >>> 14) | (ah4 << (32 - 14))) ^ + ((al4 >>> 18) | (ah4 << (32 - 18))) ^ + ((ah4 >>> (41 - 32)) | (al4 << (32 - (41 - 32)))); + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + // Ch + h = (ah4 & ah5) ^ (~ah4 & ah6); + l = (al4 & al5) ^ (~al4 & al6); + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + // K + h = K[i * 2]; + l = K[i * 2 + 1]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + // w + h = wh[i % 16]; + l = wl[i % 16]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + th = (c & 0xffff) | (d << 16); + tl = (a & 0xffff) | (b << 16); + // add + h = th; + l = tl; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + // Sigma0 + h = + ((ah0 >>> 28) | (al0 << (32 - 28))) ^ + ((al0 >>> (34 - 32)) | (ah0 << (32 - (34 - 32)))) ^ + ((al0 >>> (39 - 32)) | (ah0 << (32 - (39 - 32)))); + l = + ((al0 >>> 28) | (ah0 << (32 - 28))) ^ + ((ah0 >>> (34 - 32)) | (al0 << (32 - (34 - 32)))) ^ + ((ah0 >>> (39 - 32)) | (al0 << (32 - (39 - 32)))); + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + // Maj + h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2); + l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2); + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + bh7 = (c & 0xffff) | (d << 16); + bl7 = (a & 0xffff) | (b << 16); + // add + h = bh3; + l = bl3; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = th; + l = tl; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + bh3 = (c & 0xffff) | (d << 16); + bl3 = (a & 0xffff) | (b << 16); + ah1 = bh0; + ah2 = bh1; + ah3 = bh2; + ah4 = bh3; + ah5 = bh4; + ah6 = bh5; + ah7 = bh6; + ah0 = bh7; + al1 = bl0; + al2 = bl1; + al3 = bl2; + al4 = bl3; + al5 = bl4; + al6 = bl5; + al7 = bl6; + al0 = bl7; + if (i % 16 === 15) { + for (j = 0; j < 16; j++) { + // add + h = wh[j]; + l = wl[j]; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = wh[(j + 9) % 16]; + l = wl[(j + 9) % 16]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + // sigma0 + th = wh[(j + 1) % 16]; + tl = wl[(j + 1) % 16]; + h = ((th >>> 1) | (tl << (32 - 1))) ^ ((th >>> 8) | (tl << (32 - 8))) ^ (th >>> 7); + l = ((tl >>> 1) | (th << (32 - 1))) ^ ((tl >>> 8) | (th << (32 - 8))) ^ ((tl >>> 7) | (th << (32 - 7))); + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + // sigma1 + th = wh[(j + 14) % 16]; + tl = wl[(j + 14) % 16]; + h = ((th >>> 19) | (tl << (32 - 19))) ^ ((tl >>> (61 - 32)) | (th << (32 - (61 - 32)))) ^ (th >>> 6); + l = + ((tl >>> 19) | (th << (32 - 19))) ^ + ((th >>> (61 - 32)) | (tl << (32 - (61 - 32)))) ^ + ((tl >>> 6) | (th << (32 - 6))); + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + wh[j] = (c & 0xffff) | (d << 16); + wl[j] = (a & 0xffff) | (b << 16); + } + } + } + // add + h = ah0; + l = al0; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = hh[0]; + l = hl[0]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + hh[0] = ah0 = (c & 0xffff) | (d << 16); + hl[0] = al0 = (a & 0xffff) | (b << 16); + h = ah1; + l = al1; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = hh[1]; + l = hl[1]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + hh[1] = ah1 = (c & 0xffff) | (d << 16); + hl[1] = al1 = (a & 0xffff) | (b << 16); + h = ah2; + l = al2; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = hh[2]; + l = hl[2]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + hh[2] = ah2 = (c & 0xffff) | (d << 16); + hl[2] = al2 = (a & 0xffff) | (b << 16); + h = ah3; + l = al3; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = hh[3]; + l = hl[3]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + hh[3] = ah3 = (c & 0xffff) | (d << 16); + hl[3] = al3 = (a & 0xffff) | (b << 16); + h = ah4; + l = al4; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = hh[4]; + l = hl[4]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + hh[4] = ah4 = (c & 0xffff) | (d << 16); + hl[4] = al4 = (a & 0xffff) | (b << 16); + h = ah5; + l = al5; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = hh[5]; + l = hl[5]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + hh[5] = ah5 = (c & 0xffff) | (d << 16); + hl[5] = al5 = (a & 0xffff) | (b << 16); + h = ah6; + l = al6; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = hh[6]; + l = hl[6]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + hh[6] = ah6 = (c & 0xffff) | (d << 16); + hl[6] = al6 = (a & 0xffff) | (b << 16); + h = ah7; + l = al7; + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + h = hh[7]; + l = hl[7]; + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + hh[7] = ah7 = (c & 0xffff) | (d << 16); + hl[7] = al7 = (a & 0xffff) | (b << 16); + pos += 128; + n -= 128; + } + return n; + } + function crypto_hash(out, m, n) { + var hh = new Int32Array(8), hl = new Int32Array(8), x = new Uint8Array(256), i, b = n; + hh[0] = 0x6a09e667; + hh[1] = 0xbb67ae85; + hh[2] = 0x3c6ef372; + hh[3] = 0xa54ff53a; + hh[4] = 0x510e527f; + hh[5] = 0x9b05688c; + hh[6] = 0x1f83d9ab; + hh[7] = 0x5be0cd19; + hl[0] = 0xf3bcc908; + hl[1] = 0x84caa73b; + hl[2] = 0xfe94f82b; + hl[3] = 0x5f1d36f1; + hl[4] = 0xade682d1; + hl[5] = 0x2b3e6c1f; + hl[6] = 0xfb41bd6b; + hl[7] = 0x137e2179; + crypto_hashblocks_hl(hh, hl, m, n); + n %= 128; + for (i = 0; i < n; i++) + x[i] = m[b - n + i]; + x[n] = 128; + n = 256 - 128 * (n < 112 ? 1 : 0); + x[n - 9] = 0; + ts64(x, n - 8, (b / 0x20000000) | 0, b << 3); + crypto_hashblocks_hl(hh, hl, x, n); + for (i = 0; i < 8; i++) + ts64(out, 8 * i, hh[i], hl[i]); + return 0; + } + function add(p, q) { + var a = gf(), b = gf(), c = gf(), d = gf(), e = gf(), f = gf(), g = gf(), h = gf(), t = gf(); + Z(a, p[1], p[0]); + Z(t, q[1], q[0]); + M(a, a, t); + A(b, p[0], p[1]); + A(t, q[0], q[1]); + M(b, b, t); + M(c, p[3], q[3]); + M(c, c, D2); + M(d, p[2], q[2]); + A(d, d, d); + Z(e, b, a); + Z(f, d, c); + A(g, d, c); + A(h, b, a); + M(p[0], e, f); + M(p[1], h, g); + M(p[2], g, f); + M(p[3], e, h); + } + function cswap(p, q, b) { + var i; + for (i = 0; i < 4; i++) { + sel25519(p[i], q[i], b); + } + } + function pack(r, p) { + var tx = gf(), ty = gf(), zi = gf(); + inv25519(zi, p[2]); + M(tx, p[0], zi); + M(ty, p[1], zi); + pack25519(r, ty); + r[31] ^= par25519(tx) << 7; + } + function scalarmult(p, q, s) { + var b, i; + set25519(p[0], gf0); + set25519(p[1], gf1); + set25519(p[2], gf1); + set25519(p[3], gf0); + for (i = 255; i >= 0; --i) { + b = (s[(i / 8) | 0] >> (i & 7)) & 1; + cswap(p, q, b); + add(q, p); + add(p, p); + cswap(p, q, b); + } + } + function scalarbase(p, s) { + var q = [gf(), gf(), gf(), gf()]; + set25519(q[0], X); + set25519(q[1], Y); + set25519(q[2], gf1); + M(q[3], X, Y); + scalarmult(p, q, s); + } + var L = new Float64Array([ + 0xed, + 0xd3, + 0xf5, + 0x5c, + 0x1a, + 0x63, + 0x12, + 0x58, + 0xd6, + 0x9c, + 0xf7, + 0xa2, + 0xde, + 0xf9, + 0xde, + 0x14, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0x10, + ]); + function modL(r, x) { + var carry, i, j, k; + for (i = 63; i >= 32; --i) { + carry = 0; + for (j = i - 32, k = i - 12; j < k; ++j) { + x[j] += carry - 16 * x[i] * L[j - (i - 32)]; + carry = (x[j] + 128) >> 8; + x[j] -= carry * 256; + } + x[j] += carry; + x[i] = 0; + } + carry = 0; + for (j = 0; j < 32; j++) { + x[j] += carry - (x[31] >> 4) * L[j]; + carry = x[j] >> 8; + x[j] &= 255; + } + for (j = 0; j < 32; j++) + x[j] -= carry * L[j]; + for (i = 0; i < 32; i++) { + x[i + 1] += x[i] >> 8; + r[i] = x[i] & 255; + } + } + function reduce(r) { + var x = new Float64Array(64), i; + for (i = 0; i < 64; i++) + x[i] = r[i]; + for (i = 0; i < 64; i++) + r[i] = 0; + modL(r, x); + } + // Like crypto_sign, but uses secret key directly in hash. + function crypto_sign_direct(sm, m, n, sk) { + var h = new Uint8Array(64), r = new Uint8Array(64); + var i, j, x = new Float64Array(64); + var p = [gf(), gf(), gf(), gf()]; + for (i = 0; i < n; i++) + sm[64 + i] = m[i]; + for (i = 0; i < 32; i++) + sm[32 + i] = sk[i]; + crypto_hash(r, sm.subarray(32), n + 32); + reduce(r); + scalarbase(p, r); + pack(sm, p); + for (i = 0; i < 32; i++) + sm[i + 32] = sk[32 + i]; + crypto_hash(h, sm, n + 64); + reduce(h); + for (i = 0; i < 64; i++) + x[i] = 0; + for (i = 0; i < 32; i++) + x[i] = r[i]; + for (i = 0; i < 32; i++) { + for (j = 0; j < 32; j++) { + x[i + j] += h[i] * sk[j]; + } + } + modL(sm.subarray(32), x); + return n + 64; + } + // Note: sm must be n+128. + function crypto_sign_direct_rnd(sm, m, n, sk, rnd) { + var h = new Uint8Array(64), r = new Uint8Array(64); + var i, j, x = new Float64Array(64); + var p = [gf(), gf(), gf(), gf()]; + // Hash separation. + sm[0] = 0xfe; + for (i = 1; i < 32; i++) + sm[i] = 0xff; + // Secret key. + for (i = 0; i < 32; i++) + sm[32 + i] = sk[i]; + // Message. + for (i = 0; i < n; i++) + sm[64 + i] = m[i]; + // Random suffix. + for (i = 0; i < 64; i++) + sm[n + 64 + i] = rnd[i]; + crypto_hash(r, sm, n + 128); + reduce(r); + scalarbase(p, r); + pack(sm, p); + for (i = 0; i < 32; i++) + sm[i + 32] = sk[32 + i]; + crypto_hash(h, sm, n + 64); + reduce(h); + // Wipe out random suffix. + for (i = 0; i < 64; i++) + sm[n + 64 + i] = 0; + for (i = 0; i < 64; i++) + x[i] = 0; + for (i = 0; i < 32; i++) + x[i] = r[i]; + for (i = 0; i < 32; i++) { + for (j = 0; j < 32; j++) { + x[i + j] += h[i] * sk[j]; + } + } + modL(sm.subarray(32, n + 64), x); + return n + 64; + } + function curve25519_sign(sm, m, n, sk, opt_rnd) { + // If opt_rnd is provided, sm must have n + 128, + // otherwise it must have n + 64 bytes. + // Convert Curve25519 secret key into Ed25519 secret key (includes pub key). + var edsk = new Uint8Array(64); + var p = [gf(), gf(), gf(), gf()]; + for (var i = 0; i < 32; i++) + edsk[i] = sk[i]; + // Ensure private key is in the correct format. + edsk[0] &= 248; + edsk[31] &= 127; + edsk[31] |= 64; + scalarbase(p, edsk); + pack(edsk.subarray(32), p); + // Remember sign bit. + var signBit = edsk[63] & 128; + var smlen; + if (opt_rnd) { + smlen = crypto_sign_direct_rnd(sm, m, n, edsk, opt_rnd); + } + else { + smlen = crypto_sign_direct(sm, m, n, edsk); + } + // Copy sign bit from public key into signature. + sm[63] |= signBit; + return smlen; + } + function unpackneg(r, p) { + var t = gf(), chk = gf(), num = gf(), den = gf(), den2 = gf(), den4 = gf(), den6 = gf(); + set25519(r[2], gf1); + unpack25519(r[1], p); + S(num, r[1]); + M(den, num, D); + Z(num, num, r[2]); + A(den, r[2], den); + S(den2, den); + S(den4, den2); + M(den6, den4, den2); + M(t, den6, num); + M(t, t, den); + pow2523(t, t); + M(t, t, num); + M(t, t, den); + M(t, t, den); + M(r[0], t, den); + S(chk, r[0]); + M(chk, chk, den); + if (neq25519(chk, num)) + M(r[0], r[0], I); + S(chk, r[0]); + M(chk, chk, den); + if (neq25519(chk, num)) + return -1; + if (par25519(r[0]) === p[31] >> 7) + Z(r[0], gf0, r[0]); + M(r[3], r[0], r[1]); + return 0; + } + function crypto_sign_open(m, sm, n, pk) { + var i, mlen; + var t = new Uint8Array(32), h = new Uint8Array(64); + var p = [gf(), gf(), gf(), gf()], q = [gf(), gf(), gf(), gf()]; + mlen = -1; + if (n < 64) + return -1; + if (unpackneg(q, pk)) + return -1; + for (i = 0; i < n; i++) + m[i] = sm[i]; + for (i = 0; i < 32; i++) + m[i + 32] = pk[i]; + crypto_hash(h, m, n); + reduce(h); + scalarmult(p, q, h); + scalarbase(q, sm.subarray(32)); + add(p, q); + pack(t, p); + n -= 64; + if (crypto_verify_32(sm, 0, t, 0)) { + for (i = 0; i < n; i++) + m[i] = 0; + return -1; + } + for (i = 0; i < n; i++) + m[i] = sm[i + 64]; + mlen = n; + return mlen; + } + // Converts Curve25519 public key back to Ed25519 public key. + // edwardsY = (montgomeryX - 1) / (montgomeryX + 1) + function convertPublicKey(pk) { + var z = new Uint8Array(32), x = gf(), a = gf(), b = gf(); + unpack25519(x, pk); + A(a, x, gf1); + Z(b, x, gf1); + inv25519(a, a); + M(a, a, b); + pack25519(z, a); + return z; + } + function curve25519_sign_open(m, sm, n, pk) { + // Convert Curve25519 public key into Ed25519 public key. + var edpk = convertPublicKey(pk); + // Restore sign bit from signature. + edpk[31] |= sm[63] & 128; + // Remove sign bit from signature. + sm[63] &= 127; + // Verify signed message. + return crypto_sign_open(m, sm, n, edpk); + } + /* High-level API */ + function checkArrayTypes(...args) { + var t, i; + for (i = 0; i < arguments.length; i++) { + if ((t = Object.prototype.toString.call(arguments[i])) !== '[object Uint8Array]') + throw new TypeError('unexpected type ' + t + ', use Uint8Array'); + } + } + /** + * Returns a raw shared key between own private key and peer's public key (in other words, this is an ECC Diffie-Hellman function X25519, performing scalar multiplication). + * + * The result should not be used directly as a key, but should be processed with a one-way function (e.g. HSalsa20 as in NaCl, or any secure cryptographic hash function, such as SHA-256, or key derivation function, such as HKDF). + * + * @export + * @param {Uint8Array} secretKey + * @param {Uint8Array} publicKey + * @returns Uint8Array + */ + function sharedKey(secretKey, publicKey) { + checkArrayTypes(publicKey, secretKey); + if (publicKey.length !== 32) + throw new Error('wrong public key length'); + if (secretKey.length !== 32) + throw new Error('wrong secret key length'); + var sharedKey = new Uint8Array(32); + crypto_scalarmult(sharedKey, secretKey, publicKey); + return sharedKey; + } + /** + * Signs the given message using the private key and returns a signed message (signature concatenated with the message copy). + * + * Optional random data argument (which must have 64 random bytes) turns on hash separation and randomization to make signatures non-deterministic. + * + * @export + * @param {Uint8Array} secretKey + * @param {*} msg + * @param {Uint8Array} opt_random + * @returns + */ + function signMessage(secretKey, msg, opt_random) { + checkArrayTypes(msg, secretKey); + if (secretKey.length !== 32) + throw new Error('wrong secret key length'); + if (opt_random) { + checkArrayTypes(opt_random); + if (opt_random.length !== 64) + throw new Error('wrong random data length'); + var buf = new Uint8Array(128 + msg.length); + curve25519_sign(buf, msg, msg.length, secretKey, opt_random); + return new Uint8Array(buf.subarray(0, 64 + msg.length)); + } + else { + var signedMsg = new Uint8Array(64 + msg.length); + curve25519_sign(signedMsg, msg, msg.length, secretKey); + return signedMsg; + } + } + /** + * Verifies signed message with the public key and returns the original message without signature if it's correct or null if verification fails. + * + * @export + * @param {Uint8Array} publicKey + * @param {*} signedMsg + * @returns Message + */ + function openMessage(publicKey, signedMsg) { + checkArrayTypes(signedMsg, publicKey); + if (publicKey.length !== 32) + throw new Error('wrong public key length'); + var tmp = new Uint8Array(signedMsg.length); + var mlen = curve25519_sign_open(tmp, signedMsg, signedMsg.length, publicKey); + if (mlen < 0) + return null; + var m = new Uint8Array(mlen); + for (var i = 0; i < m.length; i++) + m[i] = tmp[i]; + return m; + } + /** + * Signs the given message using the private key and returns signature. + * + * Optional random data argument (which must have 64 random bytes) turns on hash separation and randomization to make signatures non-deterministic. + * + * @export + * @param {Uint8Array} secretKey + * @param {*} msg + * @param {Uint8Array} opt_random + * @returns + */ + function sign(secretKey, msg, opt_random) { + checkArrayTypes(secretKey, msg); + if (secretKey.length !== 32) + throw new Error('wrong secret key length'); + if (opt_random) { + checkArrayTypes(opt_random); + if (opt_random.length !== 64) + throw new Error('wrong random data length'); + } + var buf = new Uint8Array((opt_random ? 128 : 64) + msg.length); + curve25519_sign(buf, msg, msg.length, secretKey, opt_random); + var signature = new Uint8Array(64); + for (var i = 0; i < signature.length; i++) + signature[i] = buf[i]; + return signature; + } + /** + * Verifies the given signature for the message using the given private key. Returns true if the signature is valid, false otherwise. + * + * @export + * @param {Uint8Array} publicKey + * @param {*} msg + * @param {*} signature + * @returns + */ + function verify(publicKey, msg, signature) { + checkArrayTypes(msg, signature, publicKey); + if (signature.length !== 64) + throw new Error('wrong signature length'); + if (publicKey.length !== 32) + throw new Error('wrong public key length'); + var sm = new Uint8Array(64 + msg.length); + var m = new Uint8Array(64 + msg.length); + var i; + for (i = 0; i < 64; i++) + sm[i] = signature[i]; + for (i = 0; i < msg.length; i++) + sm[i + 64] = msg[i]; + return curve25519_sign_open(m, sm, sm.length, publicKey) >= 0; + } + /** + * Generates a new key pair from the given 32-byte secret seed (which should be generated with a CSPRNG) and returns it as object. + * + * The returned keys can be used for signing and key agreement. + * + * @export + * @param {Uint8Array} seed required + * @returns + */ + function generateKeyPair(seed) { + checkArrayTypes(seed); + if (seed.length !== 32) + throw new Error('wrong seed length'); + var sk = new Uint8Array(32); + var pk = new Uint8Array(32); + for (var i = 0; i < 32; i++) + sk[i] = seed[i]; + crypto_scalarmult_base(pk, sk); + // Turn secret key into the correct format. + sk[0] &= 248; + sk[31] &= 127; + sk[31] |= 64; + // Remove sign bit from public key. + pk[31] &= 127; + return { + public: pk, + private: sk, + }; + } + +module.exports = { + sharedKey, + signMessage, + openMessage, + sign, + verify, + generateKeyPair, +}; diff --git a/vmm/ui/src/main.ts b/vmm/ui/src/main.ts new file mode 100644 index 00000000..c2dbfe9d --- /dev/null +++ b/vmm/ui/src/main.ts @@ -0,0 +1,9 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// SPDX-License-Identifier: Apache-2.0 + +declare const Vue: any; + +const { createApp } = Vue; +const App = require('./App'); + +createApp(App).mount('#app'); diff --git a/vmm/ui/src/styles/main.css b/vmm/ui/src/styles/main.css new file mode 100644 index 00000000..06b3df1a --- /dev/null +++ b/vmm/ui/src/styles/main.css @@ -0,0 +1,1436 @@ +/* SPDX-FileCopyrightText: © 2025 Phala Network + SPDX-License-Identifier: Apache-2.0 */ + +:root { + --color-primary: #2563eb; + --color-primary-hover: #1d4ed8; + --color-success: #16a34a; + --color-warning: #ea580c; + --color-danger: #dc2626; + --color-text-primary: #0f172a; + --color-text-secondary: #475569; + --color-text-tertiary: #94a3b8; + --color-bg-primary: #ffffff; + --color-bg-secondary: #f8fafc; + --color-bg-tertiary: #f1f5f9; + --color-border: #e2e8f0; + --color-border-light: #f1f5f9; + --shadow-sm: 0 1px 2px 0 rgb(0 0 0 / 0.05); + --shadow-md: 0 4px 6px -1px rgb(0 0 0 / 0.1); + --shadow-lg: 0 10px 15px -3px rgb(0 0 0 / 0.1); + --shadow-xl: 0 20px 25px -5px rgb(0 0 0 / 0.1); + --radius-sm: 6px; + --radius-md: 8px; + --radius-lg: 12px; + color-scheme: light; + font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'Roboto', 'Oxygen', 'Ubuntu', 'Cantarell', sans-serif; +} + +* { + box-sizing: border-box; +} + +body { + margin: 0; + padding: 0; + background: var(--color-bg-secondary); + color: var(--color-text-primary); + line-height: 1.6; + -webkit-font-smoothing: antialiased; + -moz-osx-font-smoothing: grayscale; +} + +h1, h2, h3, h4, h5, h6 { + margin: 0; + font-weight: 600; + color: var(--color-text-primary); +} + +.console-root { + min-height: 100vh; + display: flex; + flex-direction: column; +} + +.app-header { + background: var(--color-bg-primary); + border-bottom: 1px solid var(--color-border); + box-shadow: var(--shadow-sm); + position: sticky; + top: 0; + z-index: 100; +} + +.header-content { + max-width: 1400px; + margin: 0 auto; + padding: 16px 24px; + display: flex; + justify-content: space-between; + align-items: center; + gap: 24px; +} + +.header-left { + display: flex; + align-items: center; + gap: 12px; +} + +.app-title { + font-size: 20px; + font-weight: 700; + color: var(--color-text-primary); +} + +.version-badge { + background: var(--color-bg-tertiary); + color: var(--color-text-secondary); + padding: 4px 10px; + border-radius: 12px; + font-size: 12px; + font-weight: 600; +} + +.header-right { + display: flex; + align-items: center; + gap: 12px; +} + +.btn-primary { + background: var(--color-primary); + color: white; + border: none; + padding: 10px 20px; + border-radius: var(--radius-md); + font-size: 14px; + font-weight: 600; + cursor: pointer; + display: inline-flex; + align-items: center; + gap: 8px; + transition: all 0.2s ease; + box-shadow: var(--shadow-sm); +} + +.btn-primary:hover { + background: var(--color-primary-hover); + box-shadow: var(--shadow-md); + transform: translateY(-1px); +} + +.btn-primary:active { + transform: translateY(0); +} + +.btn-secondary { + background: var(--color-bg-primary); + color: var(--color-text-secondary); + border: 1px solid var(--color-border); + padding: 8px 16px; + border-radius: var(--radius-md); + font-size: 14px; + font-weight: 500; + cursor: pointer; + display: inline-flex; + align-items: center; + gap: 6px; + transition: all 0.2s ease; +} + +.btn-secondary:hover { + background: var(--color-bg-tertiary); + border-color: var(--color-text-tertiary); +} + +.btn-secondary:active { + transform: scale(0.98); +} + +.toolbar { + max-width: 1400px; + margin: 24px auto; + padding: 0 24px; + display: flex; + flex-wrap: wrap; + gap: 16px; + justify-content: space-between; + align-items: center; +} + +.toolbar-section { + display: flex; + align-items: center; + gap: 16px; + flex-wrap: wrap; +} + +.search-box { + position: relative; + display: flex; + align-items: center; + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + padding: 0 12px; + gap: 8px; + min-width: 320px; + box-shadow: var(--shadow-sm); +} + +.search-icon { + color: var(--color-text-tertiary); + flex-shrink: 0; +} + +.search-box input { + border: none; + outline: none; + padding: 10px 0; + font-size: 14px; + background: transparent; + flex: 1; + min-width: 0; + color: var(--color-text-primary); +} + +.search-box input::placeholder { + color: var(--color-text-tertiary); +} + +.btn-search { + background: var(--color-primary); + color: white; + border: none; + padding: 6px 14px; + border-radius: var(--radius-sm); + font-size: 13px; + font-weight: 600; + cursor: pointer; + white-space: nowrap; + transition: background 0.2s ease; +} + +.btn-search:hover { + background: var(--color-primary-hover); +} + +.vm-count { + display: flex; + align-items: center; + gap: 8px; + padding: 10px 16px; + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + box-shadow: var(--shadow-sm); +} + +.count-label { + color: var(--color-text-secondary); + font-size: 13px; + font-weight: 500; +} + +.count-value { + color: var(--color-primary); + font-size: 15px; + font-weight: 700; +} + +.pagination-controls { + display: flex; + align-items: center; + gap: 8px; + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + padding: 6px; + box-shadow: var(--shadow-sm); +} + +.btn-pagination { + background: transparent; + border: none; + padding: 6px 8px; + border-radius: var(--radius-sm); + cursor: pointer; + display: flex; + align-items: center; + justify-content: center; + color: var(--color-text-secondary); + transition: all 0.2s ease; +} + +.btn-pagination:hover:not(:disabled) { + background: var(--color-bg-tertiary); + color: var(--color-text-primary); +} + +.btn-pagination:disabled { + opacity: 0.4; + cursor: not-allowed; +} + +.page-display { + display: flex; + align-items: center; + gap: 6px; + padding: 0 8px; +} + +.page-input { + width: 50px; + padding: 4px 8px; + border: 1px solid var(--color-border); + border-radius: var(--radius-sm); + font-size: 14px; + text-align: center; + outline: none; +} + +.page-input:focus { + border-color: var(--color-primary); +} + +.page-separator { + color: var(--color-text-tertiary); + font-weight: 500; +} + +.page-total { + color: var(--color-text-secondary); + font-weight: 600; + min-width: 24px; + text-align: center; +} + +.page-size-select { + border: 1px solid var(--color-border); + border-radius: var(--radius-sm); + padding: 6px 10px; + font-size: 13px; + outline: none; + cursor: pointer; + background: var(--color-bg-primary); + color: var(--color-text-secondary); + font-weight: 500; +} + +.page-size-select:hover { + border-color: var(--color-text-tertiary); +} + +.vm-table { + max-width: 1600px; + margin: 0 auto 24px; + padding: 0 24px; +} + +.vm-table-header { + display: grid; + grid-template-columns: 24px 1fr 140px 120px 280px 60px; + gap: 16px; + padding: 12px 16px; + background: var(--color-bg-primary); + border-bottom: 2px solid var(--color-border); + font-weight: 600; + font-size: 13px; + color: var(--color-text-secondary); + text-transform: uppercase; + letter-spacing: 0.5px; +} + +.vm-row { + background: var(--color-bg-primary); + border-bottom: 1px solid var(--color-border-light); + transition: background 0.15s ease; +} + +.vm-row:hover { + background: var(--color-bg-secondary); +} + +.vm-row-main { + display: grid; + grid-template-columns: 24px 1fr 140px 120px 280px 60px; + gap: 16px; + padding: 16px; + align-items: center; + cursor: pointer; + transition: background-color 0.15s ease; +} + +.vm-col-expand, +.vm-col-name, +.vm-col-status, +.vm-col-uptime, +.vm-col-view, +.vm-col-actions { + display: flex; + align-items: center; +} + +.vm-col-view, +.vm-col-actions { + cursor: default; +} + +.vm-col-expand { + justify-content: flex-start; +} + +.vm-col-view { + gap: 12px; +} + +.btn-expand { + width: 24px; + height: 24px; + border: 1px solid transparent; + background: transparent; + border-radius: var(--radius-sm); + cursor: pointer; + display: flex; + align-items: center; + justify-content: center; + color: var(--color-text-tertiary); + transition: all 0.2s ease; + opacity: 0.7; +} + +.btn-expand:hover { + background: var(--color-bg-tertiary); + color: var(--color-text-primary); + opacity: 1; +} + +.btn-expand.expanded { + background: var(--color-primary); + color: white; + opacity: 1; +} + +.vm-name { + font-size: 15px; + font-weight: 600; + color: var(--color-text-primary); +} + +.view-link { + color: var(--color-primary); + text-decoration: none; + font-size: 14px; + font-weight: 500; + transition: color 0.15s ease; +} + +.view-link:hover { + color: var(--color-primary-hover); + text-decoration: underline; +} + +.btn-actions { + width: 36px; + height: 36px; + border: 1px solid var(--color-border); + background: var(--color-bg-primary); + border-radius: var(--radius-sm); + cursor: pointer; + display: flex; + align-items: center; + justify-content: center; + color: var(--color-text-secondary); + transition: all 0.2s ease; +} + +.btn-actions:hover { + background: var(--color-bg-tertiary); + border-color: var(--color-text-tertiary); + color: var(--color-text-primary); +} + +.status-badge { + display: inline-flex; + align-items: center; + gap: 6px; + padding: 6px 12px; + border-radius: 16px; + font-size: 13px; + font-weight: 600; + text-transform: capitalize; +} + +.status-dot { + width: 8px; + height: 8px; + border-radius: 50%; + animation: pulse 2s infinite; +} + +@keyframes pulse { + 0%, 100% { opacity: 1; } + 50% { opacity: 0.5; } +} + +.status-running { + background: #dcfce7; + color: var(--color-success); +} + +.status-running .status-dot { + background: var(--color-success); +} + +.status-stopping, +.status-shutting-down { + background: #fed7aa; + color: var(--color-warning); +} + +.status-stopping .status-dot, +.status-shutting-down .status-dot { + background: var(--color-warning); +} + +.status-exited { + background: var(--color-bg-tertiary); + color: var(--color-text-tertiary); +} + +.status-exited .status-dot { + background: var(--color-text-tertiary); + animation: none; +} + +.status-stopped { + background: #fee2e2; + color: var(--color-danger); +} + +.status-stopped .status-dot { + background: var(--color-danger); + animation: none; +} + +.vm-details { + padding: 24px; + background: var(--color-bg-secondary); + border-top: 1px solid var(--color-border); + display: flex; + flex-direction: column; + gap: 20px; +} + +.details-grid { + display: grid; + grid-template-columns: repeat(auto-fit, minmax(240px, 1fr)); + gap: 16px; +} + +.detail-item { + display: flex; + flex-direction: column; + gap: 6px; + min-width: 0; +} + +.detail-label { + font-size: 12px; + font-weight: 600; + color: var(--color-text-tertiary); + text-transform: uppercase; + letter-spacing: 0.5px; +} + +.detail-value { + font-size: 14px; + color: var(--color-text-primary); + font-weight: 500; + overflow: hidden; + text-overflow: ellipsis; + white-space: nowrap; + cursor: help; +} + +.port-mappings { + display: flex; + flex-direction: column; + gap: 12px; +} + +.port-mappings h4 { + font-size: 14px; + font-weight: 600; + color: var(--color-text-primary); + margin-bottom: 4px; +} + +.port-item { + padding: 12px 16px; + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + display: flex; + justify-content: space-between; + align-items: center; + font-size: 14px; + font-family: 'SF Mono', 'Monaco', 'Cascadia Code', monospace; +} + +.features-section { + margin-top: 24px; +} + +.features-section h4 { + font-size: 14px; + font-weight: 600; + color: var(--color-text-primary); + margin-bottom: 8px; +} + +.features-text { + font-size: 14px; + color: var(--color-text-secondary); + font-family: 'SF Mono', 'Monaco', 'Cascadia Code', monospace; + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + padding: 12px 16px; + display: inline-block; +} + +.detail-value-with-copy { + display: flex; + align-items: center; + gap: 8px; + flex: 1; + min-width: 0; +} + +.detail-value-with-copy .detail-value { + flex: 1; + min-width: 0; +} + +.copy-btn { + flex-shrink: 0; + padding: 4px; + background: transparent; + border: 1px solid var(--color-border); + border-radius: 4px; + cursor: pointer; + color: var(--color-text-secondary); + transition: all 0.15s ease; + display: flex; + align-items: center; + justify-content: center; +} + +.copy-btn:hover { + background: var(--color-bg-tertiary); + border-color: var(--color-primary); + color: var(--color-primary); +} + +.section-header { + display: flex; + justify-content: space-between; + align-items: center; + margin-bottom: 12px; +} + +.section-actions { + display: flex; + align-items: center; + gap: 8px; +} + +.copy-btn-small { + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + padding: 6px 8px; + border-radius: var(--radius-sm); + cursor: pointer; + color: var(--color-text-secondary); + transition: all 0.15s ease; + display: flex; + align-items: center; + justify-content: center; + min-width: 32px; + height: 32px; +} + +.copy-btn-small:hover { + background: var(--color-bg-tertiary); + border-color: var(--color-primary); + color: var(--color-primary); +} + +.section-header h4 { + font-size: 14px; + font-weight: 600; + color: var(--color-text-primary); + margin: 0; +} + +.compose-section, +.user-config-section { + margin-top: 24px; +} + +.compose-content { + width: 100%; + max-width: 100%; + overflow-x: auto; +} + +.compose-content pre, +.user-config-content { + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + padding: 16px; + font-size: 13px; + font-family: 'SF Mono', 'Monaco', 'Cascadia Code', monospace; + line-height: 1.6; + max-height: 400px; + overflow-y: auto; + margin: 0; + white-space: pre-wrap; + word-break: break-all; + color: var(--color-text-primary); + width: 100%; + box-sizing: border-box; +} + +.network-section { + display: flex; + flex-direction: column; + gap: 16px; +} + +.section-title { + font-size: 15px; + font-weight: 600; + color: var(--color-text-primary); + margin: 0; + display: flex; + align-items: center; + gap: 8px; +} + +.network-interfaces { + display: grid; + grid-template-columns: repeat(auto-fill, minmax(320px, 360px)); + gap: 12px; +} + +.network-interface-card { + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + overflow: hidden; +} + +.interface-header { + background: var(--color-bg-tertiary); + padding: 12px 16px; + border-bottom: 1px solid var(--color-border); +} + +.interface-name { + display: flex; + align-items: center; + gap: 8px; + font-weight: 600; + color: var(--color-text-primary); + font-size: 14px; +} + +.interface-name svg { + color: var(--color-primary); + flex-shrink: 0; +} + +.interface-details { + padding: 16px; + display: flex; + flex-direction: column; + gap: 12px; +} + +.interface-detail-row { + display: flex; + justify-content: space-between; + align-items: baseline; + gap: 12px; + padding-bottom: 8px; + border-bottom: 1px solid var(--color-border-light); +} + +.interface-detail-row:last-of-type { + border-bottom: none; + padding-bottom: 0; +} + +.interface-detail-row .detail-label { + font-size: 12px; + font-weight: 600; + color: var(--color-text-tertiary); + text-transform: uppercase; + letter-spacing: 0.5px; + flex-shrink: 0; +} + +.interface-detail-row .detail-value { + font-size: 13px; + color: var(--color-text-primary); + font-family: 'SF Mono', 'Monaco', 'Cascadia Code', monospace; + word-break: break-all; + text-align: right; +} + +.interface-stats { + display: grid; + grid-template-columns: 1fr 1fr; + gap: 12px; + margin-top: 8px; + padding-top: 12px; + border-top: 1px solid var(--color-border-light); +} + +.stat-item { + display: flex; + gap: 10px; + align-items: flex-start; +} + +.stat-icon { + width: 28px; + height: 28px; + border-radius: var(--radius-sm); + display: flex; + align-items: center; + justify-content: center; + flex-shrink: 0; +} + +.stat-icon.rx { + background: #dcfce7; + color: var(--color-success); +} + +.stat-icon.tx { + background: #dbeafe; + color: var(--color-primary); +} + +.stat-content { + display: flex; + flex-direction: column; + gap: 2px; + min-width: 0; +} + +.stat-label { + font-size: 11px; + font-weight: 700; + color: var(--color-text-tertiary); + text-transform: uppercase; + letter-spacing: 0.5px; +} + +.stat-value { + font-size: 13px; + font-weight: 600; + color: var(--color-text-primary); + font-family: 'SF Mono', 'Monaco', 'Cascadia Code', monospace; +} + +.stat-errors { + font-size: 11px; + color: var(--color-danger); + font-weight: 500; +} + +.wireguard-section { + display: flex; + flex-direction: column; + gap: 12px; +} + +.wireguard-info-text { + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + padding: 16px; + font-family: 'SF Mono', 'Monaco', 'Cascadia Code', monospace; + font-size: 12px; + overflow-x: auto; + line-height: 1.6; + color: var(--color-text-secondary); + margin: 0; +} + +.vm-log-tabs { + display: flex; + gap: 8px; + flex-wrap: wrap; +} + +.vm-log-button { + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + padding: 8px 16px; + border-radius: var(--radius-md); + font-size: 14px; + cursor: pointer; + transition: all 0.2s ease; +} + +.vm-log-button:hover { + background: var(--color-bg-tertiary); + border-color: var(--color-text-tertiary); +} + +.dropdown { + position: relative; + display: inline-block; +} + +.dropdown-content { + display: none; + position: absolute; + right: 0; + top: calc(100% + 4px); + z-index: 300; + min-width: 200px; + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + box-shadow: var(--shadow-xl); + overflow: hidden; +} + +.dropdown-content.show { + display: block; + animation: fadeIn 0.15s ease; +} + +@keyframes fadeIn { + from { + opacity: 0; + transform: translateY(-8px); + } + to { + opacity: 1; + transform: translateY(0); + } +} + +.dropdown-content button { + width: 100%; + padding: 12px 16px; + border: none; + background: transparent; + text-align: left; + cursor: pointer; + font-size: 14px; + font-weight: 500; + color: var(--color-text-primary); + transition: all 0.15s ease; + display: flex; + align-items: center; + gap: 12px; + border-bottom: 1px solid var(--color-border); +} + +.dropdown-content button:last-child { + border-bottom: none; +} + +.dropdown-content button:hover { + background: var(--color-bg-tertiary); + padding-left: 20px; + color: var(--color-primary); +} + +.dropdown-content button svg { + flex-shrink: 0; + opacity: 0.7; + transition: opacity 0.15s ease; +} + +.dropdown-content button:hover svg { + opacity: 1; +} + +.message-container { + position: fixed; + top: 20px; + right: 20px; + z-index: 1001; + display: flex; + flex-direction: column; + gap: 8px; + max-width: 400px; +} + +.message { + position: relative; + padding: 12px 40px 12px 16px; + border-radius: var(--radius-md); + font-size: 13px; + box-shadow: var(--shadow-lg); + animation: slideInRight 0.3s ease; + word-wrap: break-word; +} + +@keyframes slideInRight { + from { + opacity: 0; + transform: translateX(20px); + } + to { + opacity: 1; + transform: translateX(0); + } +} + +.success-message { + background: #dcfce7; + color: #166534; + border-left: 4px solid var(--color-success); +} + +.error-message { + background: #fee2e2; + color: #991b1b; + border-left: 4px solid var(--color-danger); +} + +.close-btn { + position: absolute; + top: 8px; + right: 8px; + border: none; + background: transparent; + font-size: 18px; + cursor: pointer; + color: inherit; + opacity: 0.6; + transition: opacity 0.2s ease; + width: 20px; + height: 20px; + display: flex; + align-items: center; + justify-content: center; + border-radius: 50%; +} + +.close-btn:hover { + opacity: 1; + background: rgba(0, 0, 0, 0.1); +} + +.dialog-overlay { + position: fixed; + inset: 0; + background: rgba(0, 0, 0, 0.5); + display: flex; + align-items: center; + justify-content: center; + padding: 24px; + z-index: 1000; + backdrop-filter: blur(4px); +} + +.dialog { + background: var(--color-bg-primary); + border-radius: var(--radius-lg); + max-width: 960px; + width: 100%; + max-height: 90vh; + overflow-y: auto; + padding: 32px; + box-shadow: var(--shadow-xl); + animation: dialogIn 0.2s ease; +} + +@keyframes dialogIn { + from { + opacity: 0; + transform: scale(0.95); + } + to { + opacity: 1; + transform: scale(1); + } +} + +.dialog h2 { + margin-bottom: 24px; + font-size: 24px; +} + +.dialog-footer { + display: flex; + justify-content: flex-end; + gap: 12px; + margin-top: 32px; + padding-top: 24px; + border-top: 1px solid var(--color-border); +} + +.form-grid { + display: grid; + grid-template-columns: repeat(auto-fill, minmax(280px, 1fr)); + gap: 20px; + margin-bottom: 24px; +} + +.form-group { + display: flex; + flex-direction: column; + gap: 8px; +} + +.form-group.full-width { + grid-column: 1 / -1; +} + +.form-group label { + font-weight: 600; + color: var(--color-text-primary); + font-size: 14px; +} + +.form-group input, +.form-group select, +.form-group textarea { + width: 100%; + padding: 10px 12px; + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + font-size: 14px; + outline: none; + background: var(--color-bg-primary); + color: var(--color-text-primary); + transition: all 0.2s ease; +} + +.form-group input:focus, +.form-group select:focus, +.form-group textarea:focus { + border-color: var(--color-primary); + box-shadow: 0 0 0 3px rgba(37, 99, 235, 0.1); +} + +.form-group textarea { + min-height: 120px; + resize: vertical; + font-family: 'SF Mono', 'Monaco', 'Cascadia Code', monospace; +} + +.hint { + color: var(--color-text-tertiary); + font-size: 13px; +} + +.help-icon { + display: inline-flex; + justify-content: center; + align-items: center; + width: 18px; + height: 18px; + font-size: 12px; + font-weight: 700; + color: white; + background: var(--color-text-tertiary); + border-radius: 50%; + cursor: help; +} + +.action-btn { + background: var(--color-primary); + color: white; + border: none; + padding: 10px 18px; + border-radius: var(--radius-md); + font-size: 14px; + font-weight: 600; + cursor: pointer; + display: inline-flex; + align-items: center; + gap: 8px; + transition: all 0.2s ease; +} + +.action-btn:hover { + background: var(--color-primary-hover); + transform: translateY(-1px); + box-shadow: var(--shadow-md); +} + +.action-btn:disabled { + background: var(--color-text-tertiary); + cursor: not-allowed; + transform: none; + opacity: 0.6; +} + +.action-btn.primary { + background: var(--color-success); +} + +.action-btn.primary:hover { + background: #15803d; +} + +.action-btn.danger { + background: var(--color-danger); +} + +.action-btn.danger:hover { + background: #b91c1c; +} + +.inline-field { + display: flex; + align-items: center; + gap: 12px; +} + +.file-input-row { + display: flex; + flex-direction: column; + gap: 12px; +} + +.file-input-actions { + display: flex; + align-items: center; + gap: 12px; +} + +.file-input-actions input[type="file"] { + display: none; +} + +.help-text { + color: var(--color-text-tertiary); + font-size: 14px; +} + +.feature-checkboxes, +.checkbox-grid { + display: grid; + grid-template-columns: repeat(3, 1fr); + gap: 12px; + row-gap: 16px; +} + +.feature-checkboxes label, +.checkbox-grid label { + display: flex; + align-items: center; + gap: 8px; + cursor: pointer; + white-space: nowrap; +} + +.feature-checkboxes input[type="checkbox"], +.checkbox-grid input[type="checkbox"] { + flex-shrink: 0; + cursor: pointer; + margin: 0; + width: 16px; + height: 16px; +} + +.encrypted-env-editor, +.port-mapping-editor, +.gpu-config-editor { + display: flex; + flex-direction: column; + gap: 16px; +} + +.port-mapping-editor > button { + width: fit-content; + min-width: 120px; +} + +.gpu-section-label { + font-size: 14px; + font-weight: 600; + color: var(--color-text-primary); + margin-bottom: -8px; +} + +.gpu-config-list-header { + font-size: 13px; + font-weight: 500; + color: var(--color-text-secondary); + margin-bottom: 8px; +} + +.gpu-config-hint { + font-size: 13px; + color: var(--color-text-secondary); + padding: 12px 16px; + background: var(--color-bg-secondary); + border-radius: var(--radius-md); + border-left: 3px solid var(--color-primary); +} + +.env-editor-header { + display: flex; + justify-content: space-between; + align-items: center; + margin-bottom: 12px; +} + +.env-editor-title { + font-size: 14px; + font-weight: 600; + color: var(--color-text-primary); + margin: 0; +} + +.env-mode-toggle { + display: flex; + gap: 0; + border: 1px solid var(--color-border); + border-radius: var(--radius-sm); + overflow: hidden; +} + +.mode-btn { + padding: 6px 16px; + border: none; + background: var(--color-bg-primary); + color: var(--color-text-secondary); + font-size: 13px; + font-weight: 500; + cursor: pointer; + transition: all 0.2s ease; + border-right: 1px solid var(--color-border); +} + +.mode-btn:last-child { + border-right: none; +} + +.mode-btn:hover { + background: var(--color-bg-tertiary); +} + +.mode-btn.active { + background: var(--color-primary); + color: white; +} + +.env-form-mode { + display: flex; + flex-direction: column; + gap: 12px; +} + +.env-text-mode { + display: flex; + flex-direction: column; + gap: 8px; +} + +.env-text-mode textarea { + width: 100%; + padding: 12px; + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + font-size: 14px; + font-family: 'SF Mono', 'Monaco', 'Cascadia Code', monospace; + resize: vertical; + line-height: 1.5; +} + +.env-text-mode textarea:focus { + outline: none; + border-color: var(--color-primary); + box-shadow: 0 0 0 3px rgba(37, 99, 235, 0.1); +} + +.env-editor-empty { + padding: 16px; + background: var(--color-bg-tertiary); + border: 1px dashed var(--color-border); + border-radius: var(--radius-md); +} + +.env-editor-empty .hint { + margin: 0; + color: var(--color-text-secondary); + font-size: 14px; + line-height: 1.5; +} + +.encrypted-env-row, +.port-row { + display: grid; + gap: 12px; + align-items: center; +} + +.encrypted-env-row { + grid-template-columns: 200px 1fr auto; +} + +.encrypted-env-actions { + display: flex; + align-items: center; + gap: 12px; +} + +.encrypted-env-actions input[type="file"] { + display: none; +} + +.port-row { + grid-template-columns: 90px 100px 120px 120px 100px; +} + +.gpu-config-items { + max-height: 240px; + overflow-y: auto; + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + padding: 16px; + display: flex; + flex-direction: column; + gap: 12px; + background: var(--color-bg-secondary); +} + +.gpu-config-items label { + display: flex; + align-items: center; + gap: 10px; + font-size: 14px; + cursor: pointer; +} + +.warning-text { + color: var(--color-danger); + font-weight: 600; +} + +.app-id-preview { + font-family: 'SF Mono', 'Monaco', 'Cascadia Code', monospace; + font-size: 13px; + color: var(--color-text-secondary); + background: var(--color-bg-tertiary); + padding: 8px 12px; + border-radius: var(--radius-sm); +} diff --git a/vmm/ui/src/templates/app.html b/vmm/ui/src/templates/app.html new file mode 100644 index 00000000..23818bcd --- /dev/null +++ b/vmm/ui/src/templates/app.html @@ -0,0 +1,399 @@ + + +
+
+
+
+

dstack-vmm

+ v{{ version.version }} +
+
+ +
+
+
+ + + + + + + +
+
+
+ + + + + + +
+
+ Total Instances: + {{ totalVMs }} +
+
+
+
+ +
+ + / + {{ maxPage || 1 }} +
+ + +
+
+
+ +
+
+
+
Name
+
Status
+
Uptime
+
View
+
Actions
+
+ +
+
+
+ +
+
+ {{ vm.name }} +
+
+ + + {{ vmStatus(vm) }} + +
+
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
+
+ Logs + Stderr + Board +
+
+
+ +
+ + + + + + +
+
+
+
+ +
+
+
+ VM ID +
+ {{ vm.id }} + +
+
+
+ Instance ID +
+ {{ vm.instance_id }} + +
+ - +
+
+ App ID +
+ {{ vm.app_id }} + +
+ - +
+
+ Image + {{ vm.configuration?.image }} +
+
+ vCPUs + {{ vm.configuration?.vcpu }} +
+
+ Memory + {{ formatMemory(vm.configuration?.memory) }} +
+
+ Swap + {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }} +
+
+ Disk Size + {{ vm.configuration?.disk_size }} GB +
+
+ Disk Type + {{ vm.configuration?.disk_type || 'virtio-pci' }} +
+
+ GPUs +
+
+ {{ gpu.slot || gpu.product_id }} +
+
+
+
+ +
+

Port Mappings

+
+ {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }} + {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }} +
+
+ +
+

Features

+ {{ getVmFeatures(vm) }} +
+ +
+

Network Interfaces

+
+
+
+
+ + + + + {{ iface.name }} +
+
+
+
+ MAC Address + {{ iface.mac || '-' }} +
+
+ IP Address + {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }} +
+
+
+
+ + + +
+
+ RX + {{ iface.rx_bytes }} bytes + ({{ iface.rx_errors }} errors) +
+
+
+
+ + + +
+
+ TX + {{ iface.tx_bytes }} bytes + ({{ iface.tx_errors }} errors) +
+
+
+
+
+
+
+

+ + + + + WireGuard Info +

+ 
{{ networkInfo[vm.id].wg_info }}
+
+
+ +
+
+

App Compose

+
+ + +
+
+
+ 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
+
+
+ +
+
+

User Config

+ +
+ 
{{ vm.configuration.user_config }}
+
+ +
+ + + +
+
+
+
+ +
+
+ +
+
+
+ +
+
+
+ {{ errorMessage }} + +
+
+
diff --git a/vmm/ui/tsconfig.json b/vmm/ui/tsconfig.json new file mode 100644 index 00000000..92257638 --- /dev/null +++ b/vmm/ui/tsconfig.json @@ -0,0 +1,18 @@ +{ + "compilerOptions": { + "target": "ES2018", + "module": "commonjs", + "moduleResolution": "node", + "resolveJsonModule": true, + "lib": ["ES2018", "DOM"], + "strict": false, + "esModuleInterop": false, + "skipLibCheck": true, + "forceConsistentCasingInFileNames": true, + "outDir": "build/ts", + "rootDir": "src", + "allowJs": true, + "types": ["node"] + }, + "include": ["src/**/*.ts", "src/proto/**/*.js", "src/lib/**/*.js"] +} diff --git a/vmm/ui/vendor/README.md b/vmm/ui/vendor/README.md new file mode 100644 index 00000000..d2b21367 --- /dev/null +++ b/vmm/ui/vendor/README.md @@ -0,0 +1,4 @@ +Place `vue.global.prod.js` from a matching Vue 3 release in this directory. + +The build script inlines the file when present; otherwise the generated +HTML keeps the external CDN reference. From 227b47463424e0a63c96ea49fee0fceabf8b0632 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 10 Nov 2025 01:30:32 +0000 Subject: [PATCH 100/133] Fix SPDX issue --- vmm/src/console_beta.html | 15229 ++++++++++++++++++++++ vmm/ui/.gitignore | 1 + vmm/ui/build.mjs | 3 +- vmm/ui/scripts/build_proto.sh | 3 + vmm/ui/src/components/CreateVmDialog.ts | 8 - vmm/ui/src/components/ForkVmDialog.ts | 8 - vmm/ui/src/composables/useVmManager.ts | 14 - vmm/ui/src/index.html | 4 + 8 files changed, 15239 insertions(+), 31 deletions(-) create mode 100644 vmm/src/console_beta.html diff --git a/vmm/src/console_beta.html b/vmm/src/console_beta.html new file mode 100644 index 00000000..e6b313e5 --- /dev/null +++ b/vmm/src/console_beta.html @@ -0,0 +1,15229 @@ + + + + + + + + {{TITLE}} | dstack-vmm + + + + +
+ + + + + diff --git a/vmm/ui/.gitignore b/vmm/ui/.gitignore index f90c01e9..82934168 100644 --- a/vmm/ui/.gitignore +++ b/vmm/ui/.gitignore @@ -2,3 +2,4 @@ node_modules dist build *.log +/src/proto/ diff --git a/vmm/ui/build.mjs b/vmm/ui/build.mjs index 537bc832..26197051 100644 --- a/vmm/ui/build.mjs +++ b/vmm/ui/build.mjs @@ -238,7 +238,8 @@ async function build({ watch = false } = {}) { }, ]); await fs.writeFile(distFile, rehtml); - await fs.writeFile(targetFile, rehtml); + const spdxHeader = '\n'; + await fs.writeFile(targetFile, spdxHeader + rehtml); console.log('Rebuilt console'); } catch (err) { console.error('Build failed:', err); diff --git a/vmm/ui/scripts/build_proto.sh b/vmm/ui/scripts/build_proto.sh index 301d72b8..2e22c302 100755 --- a/vmm/ui/scripts/build_proto.sh +++ b/vmm/ui/scripts/build_proto.sh @@ -1,5 +1,8 @@ #!/bin/bash +# SPDX-FileCopyrightText: © 2024-2025 Phala Network +# SPDX-License-Identifier: Apache-2.0 + set -euo pipefail ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" diff --git a/vmm/ui/src/components/CreateVmDialog.ts b/vmm/ui/src/components/CreateVmDialog.ts index 822162f5..14e72a30 100644 --- a/vmm/ui/src/components/CreateVmDialog.ts +++ b/vmm/ui/src/components/CreateVmDialog.ts @@ -76,14 +76,6 @@ const CreateVmDialogComponent = { -
- - -
-
-
- - -
-
diff --git a/vmm/ui/src/composables/useVmManager.ts b/vmm/ui/src/composables/useVmManager.ts index a044e02a..0dbe36e5 100644 --- a/vmm/ui/src/composables/useVmManager.ts +++ b/vmm/ui/src/composables/useVmManager.ts @@ -45,7 +45,6 @@ if (localStorage.getItem('dangerConfirm') === null) { } type MemoryUnit = 'MB' | 'GB'; -type DiskType = 'virtio-pci' | 'nvme'; type JsonRpcCall = (method: string, params?: Record) => Promise; type Ref = { value: T }; @@ -89,7 +88,6 @@ type VmFormState = { swapValue: number; swapUnit: MemoryUnit; disk_size: number; - disk_type: DiskType; selectedGpus: string[]; attachAllGpus: boolean; ports: PortFormEntry[]; @@ -127,7 +125,6 @@ type UpdateDialogState = { swapValue: number; swapUnit: MemoryUnit; disk_size: number; - disk_type: DiskType; image: string; ports: PortFormEntry[]; attachAllGpus: boolean; @@ -144,7 +141,6 @@ type CloneConfigDialogState = { vcpu: number; memory: number; disk_size: number; - disk_type: DiskType; ports: PortFormEntry[]; user_config: string; gpus?: VmmTypes.IGpuConfig; @@ -171,7 +167,6 @@ function createVmFormState(preLaunchScript: string): VmFormState { swapValue: 0, swapUnit: 'GB', disk_size: 20, - disk_type: 'virtio-pci', selectedGpus: [], attachAllGpus: false, ports: [], @@ -211,7 +206,6 @@ function createUpdateDialogState(): UpdateDialogState { swapValue: 0, swapUnit: 'GB', disk_size: 0, - disk_type: 'virtio-pci', image: '', ports: [], attachAllGpus: false, @@ -230,7 +224,6 @@ function createCloneConfigDialogState(): CloneConfigDialogState { vcpu: 0, memory: 0, disk_size: 0, - disk_type: 'virtio-pci', ports: [], user_config: '', gpus: undefined, @@ -413,7 +406,6 @@ fi vcpu: number; memory: number; disk_size: number; - disk_type: DiskType; ports: PortFormEntry[]; encrypted_env?: Uint8Array; app_id?: string | null; @@ -435,7 +427,6 @@ fi vcpu: Math.max(1, Number(source.vcpu) || 1), memory: Math.max(0, Number(source.memory) || 0), disk_size: Math.max(0, Number(source.disk_size) || 0), - disk_type: source.disk_type || 'virtio-pci', ports: normalizedPorts, encrypted_env: source.encrypted_env, app_id: source.app_id || undefined, @@ -836,7 +827,6 @@ fi vmForm.value.swapValue = 0; vmForm.value.swapUnit = 'GB'; vmForm.value.swap_size = 0; - vmForm.value.disk_type = 'virtio-pci'; loadGpus(); } @@ -866,7 +856,6 @@ fi swapValue: swapDisplay.memoryValue, swapUnit: swapDisplay.memoryUnit, disk_size: config.disk_size || 0, - disk_type: (config.disk_type as DiskType) || 'virtio-pci', image: config.image || '', ports: clonePortMappings(config.ports || []), attachAllGpus: gpuSelection.attachAll, @@ -957,7 +946,6 @@ fi vcpu: vmForm.value.vcpu, memory: vmForm.value.memory, disk_size: vmForm.value.disk_size, - disk_type: vmForm.value.disk_type, ports: vmForm.value.ports, encrypted_env: encryptedEnv || undefined, app_id: vmForm.value.app_id || undefined, @@ -1086,7 +1074,6 @@ fi swapValue: autoMemoryDisplay(bytesToMB(theVm.appCompose?.swap_size || 0)).memoryValue, swapUnit: autoMemoryDisplay(bytesToMB(theVm.appCompose?.swap_size || 0)).memoryUnit, disk_size: config.disk_size || 0, - disk_type: (config.disk_type as DiskType) || 'virtio-pci', selectedGpus: [], attachAllGpus: false, encryptedEnvs: [], // Clear environment variables @@ -1126,7 +1113,6 @@ fi vcpu: source.vcpu, memory: source.memory, disk_size: source.disk_size, - disk_type: source.disk_type, ports: source.ports, encrypted_env: source.encrypted_env, app_id: source.app_id, diff --git a/vmm/ui/src/index.html b/vmm/ui/src/index.html index 1ff7df63..d0b3f288 100644 --- a/vmm/ui/src/index.html +++ b/vmm/ui/src/index.html @@ -1,3 +1,7 @@ + From cf63b9ac159f4c223a33b14e8b5b864626322429 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 10 Nov 2025 01:47:50 +0000 Subject: [PATCH 101/133] vmm: Accept more chars in cvm name --- vmm/src/main_service.rs | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/vmm/src/main_service.rs b/vmm/src/main_service.rs index a3aa6317..62251bd8 100644 --- a/vmm/src/main_service.rs +++ b/vmm/src/main_service.rs @@ -51,13 +51,17 @@ fn app_id_of(compose_file: &str) -> String { truncate40(&hex_sha256(compose_file)).to_string() } -/// Validate the label of the VM. Valid chars are alphanumeric, dash and underscore. +/// Validate the VM label, restricting it to a safe character set to prevent injection vectors. fn validate_label(label: &str) -> Result<()> { - if label - .chars() - .any(|c| !c.is_alphanumeric() && c != '-' && c != '_') - { - bail!("Invalid name: {}", label); + fn is_valid_label_char(c: char) -> bool { + c.is_ascii_alphanumeric() + || matches!( + c, + '-' | '_' | '.' | ' ' | '@' | '~' | '!' | '$' | '^' | '(' | ')' + ) + } + if !label.chars().all(is_valid_label_char) { + bail!("Invalid name: {label}"); } Ok(()) } From f91e7122cbea6e712419631b135b5c73cf0eb9d0 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Mon, 10 Nov 2025 01:46:22 +0000 Subject: [PATCH 102/133] Render the {{TITLE}} --- vmm/src/console_beta.html | 2 +- vmm/src/main_routes.rs | 22 ++++++++++++++-------- vmm/ui/src/index.html | 2 +- 3 files changed, 16 insertions(+), 10 deletions(-) diff --git a/vmm/src/console_beta.html b/vmm/src/console_beta.html index e6b313e5..0bacf93c 100644 --- a/vmm/src/console_beta.html +++ b/vmm/src/console_beta.html @@ -8,7 +8,7 @@ - {{TITLE}} | dstack-vmm + {{TITLE}} + + +
+ + + + + +"#, + title = cfg.title, + css = css, + bundle = bundle, + preset = preset, + spec = spec, + background = background + ) +} + +#[cfg(test)] +mod tests { + use super::*; + use prost_types::{FileDescriptorProto, MethodDescriptorProto}; + fn test_descriptor() -> Vec { + let request = DescriptorProto { + name: Some("PingRequest".into()), + field: vec![FieldDescriptorProto { + name: Some("message".into()), + number: Some(1), + label: Some(FieldLabel::Optional as i32), + r#type: Some(FieldType::String as i32), + ..Default::default() + }], + ..Default::default() + }; + + let response = DescriptorProto { + name: Some("PingResponse".into()), + field: vec![FieldDescriptorProto { + name: Some("echo".into()), + number: Some(1), + label: Some(FieldLabel::Optional as i32), + r#type: Some(FieldType::String as i32), + ..Default::default() + }], + ..Default::default() + }; + + let service = ServiceDescriptorProto { + name: Some("TestService".into()), + method: vec![MethodDescriptorProto { + name: Some("Ping".into()), + input_type: Some(".test.PingRequest".into()), + output_type: Some(".test.PingResponse".into()), + ..Default::default() + }], + ..Default::default() + }; + + let file = FileDescriptorProto { + name: Some("test.proto".into()), + package: Some("test".into()), + message_type: vec![request, response], + service: vec![service], + ..Default::default() + }; + + let set = FileDescriptorSet { file: vec![file] }; + let mut buf = Vec::new(); + set.encode(&mut buf).unwrap(); + buf + } + + #[test] + fn generates_document() { + let descriptor = test_descriptor(); + let sources = vec![DescriptorSource::new( + &descriptor, + vec![ServiceConfig::new("TestService", "/prpc")], + )]; + let info = DocumentInfo::new("Test API", "1.0.0") + .with_description("test-only spec") + .add_server("http://localhost:8000/prpc"); + let json = generate_document(&sources, &info).expect("spec"); + let doc: Value = serde_json::from_str(&json).expect("valid json"); + assert_eq!(doc["info"]["title"], "Test API"); + assert!( + doc["paths"]["/prpc/Ping"]["post"]["requestBody"]["content"]["application/json"] + ["schema"] + .is_object() + ); + } +} diff --git a/ra-rpc/src/rocket_helper.rs b/ra-rpc/src/rocket_helper.rs index e2c398ce..4abfe3ab 100644 --- a/ra-rpc/src/rocket_helper.rs +++ b/ra-rpc/src/rocket_helper.rs @@ -4,6 +4,13 @@ use std::convert::Infallible; +#[cfg(all(feature = "rocket", feature = "openapi"))] +use crate::openapi::{OpenApiDoc, RenderedDoc}; +#[cfg(all(feature = "rocket", feature = "openapi"))] +use rocket::response::content::{RawHtml, RawJson}; +#[cfg(all(feature = "rocket", feature = "openapi"))] +use std::{borrow::Cow, sync::Arc}; + use anyhow::{Context, Result}; use ra_tls::{attestation::Attestation, traits::CertExt}; use rocket::{ @@ -356,3 +363,76 @@ impl CertExt for RocketCertificate<'_> { Ok(Some(ext.value.to_vec())) } } + +#[cfg(all(feature = "rocket", feature = "openapi"))] +#[derive(Clone)] +struct OpenApiState { + spec_json: Arc, + ui_html: Arc, +} + +#[cfg(all(feature = "rocket", feature = "openapi"))] +impl From for OpenApiState { + fn from(doc: RenderedDoc) -> Self { + Self { + spec_json: doc.spec.clone(), + ui_html: Arc::new(doc.ui_html), + } + } +} + +#[cfg(all(feature = "rocket", feature = "openapi"))] +#[rocket::get("/openapi.json")] +fn openapi_spec(state: &rocket::State) -> RawJson { + RawJson((*state.spec_json).clone()) +} + +#[cfg(all(feature = "rocket", feature = "openapi"))] +#[rocket::get("/docs")] +fn openapi_docs(state: &rocket::State) -> RawHtml { + RawHtml((*state.ui_html).clone()) +} + +#[cfg(all(feature = "rocket", feature = "openapi"))] +pub fn mount_openapi_docs( + rocket: rocket::Rocket, + doc: OpenApiDoc, + mount_path: impl Into>, +) -> rocket::Rocket { + let base = normalize_openapi_mount(mount_path.into()); + let spec_url = join_mount_path(base.as_ref(), "openapi.json"); + let rendered = doc.render(&spec_url); + let state = OpenApiState::from(rendered); + let mount_point = base.clone().into_owned(); + rocket + .manage(state) + .mount(mount_point, rocket::routes![openapi_spec, openapi_docs]) +} + +#[cfg(all(feature = "rocket", feature = "openapi"))] +fn normalize_openapi_mount(path: Cow<'static, str>) -> Cow<'static, str> { + let mut owned = path.into_owned(); + if owned.is_empty() { + owned.push('/'); + } + if !owned.starts_with('/') { + owned.insert(0, '/'); + } + if owned.len() > 1 && owned.ends_with('/') { + owned.pop(); + } + Cow::Owned(if owned.is_empty() { "/".into() } else { owned }) +} + +#[cfg(all(feature = "rocket", feature = "openapi"))] +fn join_mount_path(base: &str, segment: &str) -> String { + if base == "/" { + format!("/{}", segment.trim_start_matches('/')) + } else { + format!( + "{}/{}", + base.trim_end_matches('/'), + segment.trim_start_matches('/') + ) + } +} diff --git a/vmm/Cargo.toml b/vmm/Cargo.toml index 84ec6100..caf7542a 100644 --- a/vmm/Cargo.toml +++ b/vmm/Cargo.toml @@ -35,7 +35,7 @@ rocket-apitoken.workspace = true serde_ini.workspace = true supervisor-client.workspace = true -ra-rpc = { workspace = true, features = ["client", "rocket"] } +ra-rpc = { workspace = true, features = ["client", "rocket", "openapi"] } dstack-vmm-rpc.workspace = true dstack-kms-rpc.workspace = true path-absolutize.workspace = true diff --git a/vmm/rpc/src/generated.rs b/vmm/rpc/src/generated.rs index a6e9a646..8cf98c39 100644 --- a/vmm/rpc/src/generated.rs +++ b/vmm/rpc/src/generated.rs @@ -1,3 +1,6 @@ #![allow(async_fn_in_trait)] +pub const FILE_DESCRIPTOR_SET: &[u8] = + include_bytes!(concat!(env!("OUT_DIR"), "/file_descriptor_set.bin")); + include!(concat!(env!("OUT_DIR"), "/vmm.rs")); diff --git a/vmm/src/main.rs b/vmm/src/main.rs index 92cb9f46..0c6edff2 100644 --- a/vmm/src/main.rs +++ b/vmm/src/main.rs @@ -29,6 +29,7 @@ mod host_api_service; mod main_routes; mod main_service; mod one_shot; +mod openapi; const CARGO_PKG_VERSION: &str = env!("CARGO_PKG_VERSION"); const GIT_REV: &str = git_version::git_version!( @@ -74,6 +75,9 @@ struct RunArgs { } async fn run_external_api(app: App, figment: Figment, api_auth: ApiToken) -> Result<()> { + let version = app_version(); + let openapi_doc = openapi::build_openapi_doc(&version)?; + let external_api = rocket::custom(figment) .mount("/", main_routes::routes()) .mount("/guest", ra_rpc::prpc_routes!(App, GuestApiHandler)) @@ -94,6 +98,8 @@ async fn run_external_api(app: App, figment: Figment, api_auth: ApiToken) -> Res res.set_raw_header("X-Accel-Buffering", "no"); }) })); + let external_api = + ra_rpc::rocket_helper::mount_openapi_docs(external_api, openapi_doc, "/rpc-docs"); let _ = external_api .launch() diff --git a/vmm/src/openapi.rs b/vmm/src/openapi.rs new file mode 100644 index 00000000..d9b01ba9 --- /dev/null +++ b/vmm/src/openapi.rs @@ -0,0 +1,35 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// +// SPDX-License-Identifier: Apache-2.0 + +use anyhow::{Context, Result}; +use ra_rpc::openapi::{ + build_openapi_doc as build_doc, DescriptorSource, DocumentInfo, OpenApiDoc, ServiceConfig, + SwaggerUiConfig, +}; + +pub fn build_openapi_doc(app_version: &str) -> Result { + let info = DocumentInfo::new("dstack-vmm RPC", app_version.to_string()) + .with_description( + "Auto-generated OpenAPI spec for the pRPC surfaces exposed by dstack-vmm.", + ) + .add_server("/"); + + let sources = vec![ + DescriptorSource::new( + dstack_vmm_rpc::FILE_DESCRIPTOR_SET, + vec![ServiceConfig::new("Vmm", "/prpc")], + ), + DescriptorSource::new( + guest_api::FILE_DESCRIPTOR_SET, + vec![ServiceConfig::new("ProxiedGuestApi", "/guest")], + ), + ]; + + let ui = SwaggerUiConfig { + title: "dstack-vmm RPC Explorer".to_string(), + ..Default::default() + }; + + build_doc(&sources, &info, ui).context("failed to build OpenAPI document") +} From 44db965e1e9b2fdd84bf3f1c7d9388788a023634 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 12 Nov 2025 06:14:28 +0000 Subject: [PATCH 107/133] vmm-ui: Fix gpu editor layout --- vmm/src/console_beta.html | 32 +++++++++++++----------- vmm/ui/src/components/GpuConfigEditor.ts | 10 +++++--- vmm/ui/src/styles/main.css | 22 ++++++++-------- 3 files changed, 36 insertions(+), 28 deletions(-) diff --git a/vmm/src/console_beta.html b/vmm/src/console_beta.html index e3ea105b..aaebdec4 100644 --- a/vmm/src/console_beta.html +++ b/vmm/src/console_beta.html @@ -1244,8 +1244,16 @@ row-gap: 16px; } +.gpu-checkbox-grid { + display: grid; + grid-template-columns: 1fr; + gap: 12px; + row-gap: 16px; +} + .feature-checkboxes label, -.checkbox-grid label { +.checkbox-grid label, +.gpu-checkbox-grid label { display: flex; align-items: center; gap: 8px; @@ -1254,7 +1262,8 @@ } .feature-checkboxes input[type="checkbox"], -.checkbox-grid input[type="checkbox"] { +.checkbox-grid input[type="checkbox"], +.gpu-checkbox-grid input[type="checkbox"] { flex-shrink: 0; cursor: pointer; margin: 0; @@ -1419,18 +1428,11 @@ border: 1px solid var(--color-border); border-radius: var(--radius-md); padding: 16px; - display: flex; - flex-direction: column; - gap: 12px; background: var(--color-bg-secondary); } -.gpu-config-items label { - display: flex; - align-items: center; - gap: 10px; +.gpu-checkbox-grid label { font-size: 14px; - cursor: pointer; } .warning-text { @@ -1749,10 +1751,12 @@

Encrypted Environment Variables

Select GPUs to attach:
- +
+ +
diff --git a/vmm/ui/src/components/GpuConfigEditor.ts b/vmm/ui/src/components/GpuConfigEditor.ts index c7cbe8e6..11a142e0 100644 --- a/vmm/ui/src/components/GpuConfigEditor.ts +++ b/vmm/ui/src/components/GpuConfigEditor.ts @@ -61,10 +61,12 @@ const GpuConfigEditorComponent = { Select GPUs to attach:
- +
+ +
diff --git a/vmm/ui/src/styles/main.css b/vmm/ui/src/styles/main.css index 53fcdb23..aae2c2c5 100644 --- a/vmm/ui/src/styles/main.css +++ b/vmm/ui/src/styles/main.css @@ -1232,8 +1232,16 @@ h1, h2, h3, h4, h5, h6 { row-gap: 16px; } +.gpu-checkbox-grid { + display: grid; + grid-template-columns: 1fr; + gap: 12px; + row-gap: 16px; +} + .feature-checkboxes label, -.checkbox-grid label { +.checkbox-grid label, +.gpu-checkbox-grid label { display: flex; align-items: center; gap: 8px; @@ -1242,7 +1250,8 @@ h1, h2, h3, h4, h5, h6 { } .feature-checkboxes input[type="checkbox"], -.checkbox-grid input[type="checkbox"] { +.checkbox-grid input[type="checkbox"], +.gpu-checkbox-grid input[type="checkbox"] { flex-shrink: 0; cursor: pointer; margin: 0; @@ -1407,18 +1416,11 @@ h1, h2, h3, h4, h5, h6 { border: 1px solid var(--color-border); border-radius: var(--radius-md); padding: 16px; - display: flex; - flex-direction: column; - gap: 12px; background: var(--color-bg-secondary); } -.gpu-config-items label { - display: flex; - align-items: center; - gap: 10px; +.gpu-checkbox-grid label { font-size: 14px; - cursor: pointer; } .warning-text { From 6560cb064d96e92e5e9ab017c52e837c689d3e0d Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 11 Nov 2025 12:18:42 +0000 Subject: [PATCH 108/133] Add ReloadVms API to sync VM directory with memory state --- vmm/rpc/proto/vmm_rpc.proto | 9 + vmm/src/app.rs | 201 +++++++++++- vmm/src/app/id_pool.rs | 4 + vmm/src/console_beta.html | 420 ++++++++++++++++++++++++- vmm/src/main_service.rs | 9 +- vmm/ui/src/composables/useVmManager.ts | 69 ++++ vmm/ui/src/styles/main.css | 91 ++++++ vmm/ui/src/templates/app.html | 15 + 8 files changed, 812 insertions(+), 6 deletions(-) diff --git a/vmm/rpc/proto/vmm_rpc.proto b/vmm/rpc/proto/vmm_rpc.proto index 6ef77320..cfc75e67 100644 --- a/vmm/rpc/proto/vmm_rpc.proto +++ b/vmm/rpc/proto/vmm_rpc.proto @@ -231,6 +231,12 @@ message ListGpusResponse { bool allow_attach_all = 2; } +message ReloadVmsResponse { + uint32 loaded = 1; // Number of VMs that were loaded + uint32 updated = 2; // Number of VMs that were updated + uint32 removed = 3; // Number of VMs that were removed +} + message GpuInfo { string slot = 1; string product_id = 2; @@ -276,4 +282,7 @@ service Vmm { // List GPUs rpc ListGpus(google.protobuf.Empty) returns (ListGpusResponse); + + // Reload VMs directory and sync with memory state + rpc ReloadVms(google.protobuf.Empty) returns (ReloadVmsResponse); } diff --git a/vmm/src/app.rs b/vmm/src/app.rs index 61245ccd..5d9977be 100644 --- a/vmm/src/app.rs +++ b/vmm/src/app.rs @@ -10,20 +10,22 @@ use dstack_kms_rpc::kms_client::KmsClient; use dstack_types::shared_filenames::{ APP_COMPOSE, ENCRYPTED_ENV, INSTANCE_INFO, SYS_CONFIG, USER_CONFIG, }; -use dstack_vmm_rpc::{self as pb, GpuInfo, StatusRequest, StatusResponse, VmConfiguration}; +use dstack_vmm_rpc::{ + self as pb, GpuInfo, ReloadVmsResponse, StatusRequest, StatusResponse, VmConfiguration, +}; use fs_err as fs; use guest_api::client::DefaultClient as GuestClient; use id_pool::IdPool; use ra_rpc::client::RaClient; use serde::{Deserialize, Serialize}; use serde_json::json; -use std::collections::{BTreeSet, HashMap, VecDeque}; +use std::collections::{BTreeSet, HashMap, HashSet, VecDeque}; use std::net::IpAddr; use std::path::{Path, PathBuf}; use std::sync::{Arc, Mutex, MutexGuard}; use std::time::SystemTime; use supervisor_client::SupervisorClient; -use tracing::{error, info}; +use tracing::{error, info, warn}; pub use image::{Image, ImageInfo}; pub use qemu::{VmConfig, VmWorkDir}; @@ -326,6 +328,199 @@ impl App { Ok(()) } + /// Reload VMs directory and sync with memory state while preserving statistics + pub async fn reload_vms_sync(&self) -> Result { + let vm_path = self.vm_dir(); + let mut loaded = 0u32; + let mut updated = 0u32; + let mut removed = 0u32; + + // Get running VMs to preserve CIDs and process info + let running_vms = self.supervisor.list().await.context("Failed to list VMs")?; + let running_vms_map: HashMap = running_vms + .into_iter() + .map(|p| (p.config.id.clone(), p)) + .collect(); + let occupied_cids = running_vms_map + .iter() + .filter(|(_, p)| { + serde_json::from_str::(&p.config.note) + .unwrap_or_default() + .is_cvm() + }) + .map(|(id, p)| (id.clone(), p.config.cid.unwrap())) + .collect::>(); + + // Update CID pool with running VMs + { + let mut state = self.lock(); + // First clear the pool and re-occupy running VM CIDs + state.cid_pool.clear(); + for cid in occupied_cids.values() { + state.cid_pool.occupy(*cid)?; + } + } + + // Get VM IDs from filesystem + let mut fs_vm_ids = HashSet::new(); + if vm_path.exists() { + for entry in fs::read_dir(&vm_path).context("Failed to read VM directory")? { + let entry = entry.context("Failed to read directory entry")?; + let vm_dir_path = entry.path(); + if vm_dir_path.is_dir() { + // Try to get VM ID from directory name or manifest + if let Some(vm_id) = vm_dir_path.file_name().and_then(|n| n.to_str()) { + fs_vm_ids.insert(vm_id.to_string()); + } + } + } + } + + // Get VM IDs currently in memory and their CIDs + let (memory_vm_ids, existing_cids): (HashSet, HashSet) = { + let state = self.lock(); + ( + state.vms.keys().cloned().collect(), + state.vms.values().map(|vm| vm.config.cid).collect(), + ) + }; + + // Remove VMs that no longer exist in filesystem + let to_remove: Vec = memory_vm_ids.difference(&fs_vm_ids).cloned().collect(); + if !to_remove.is_empty() { + for vm_id in &to_remove { + // Stop the VM process first if it's running + if running_vms_map.contains_key(vm_id) { + if let Err(err) = self.supervisor.stop(vm_id).await { + warn!("Failed to stop VM process {vm_id}: {err:?}"); + } + } + + // Remove from memory and free CID + let mut state = self.lock(); + if let Some(vm) = state.vms.remove(vm_id) { + state.cid_pool.free(vm.config.cid); + removed += 1; + info!("Removed VM {vm_id} from memory (directory no longer exists)"); + } + } + } + + // Load or update VMs from filesystem + if vm_path.exists() { + for entry in fs::read_dir(vm_path).context("Failed to read VM directory")? { + let entry = entry.context("Failed to read directory entry")?; + let vm_path = entry.path(); + if vm_path.is_dir() { + match self.load_or_update_vm(&vm_path, &occupied_cids, true).await { + Ok(is_new) => { + if is_new { + loaded += 1; + } else { + updated += 1; + } + } + Err(err) => { + error!("Failed to load or update VM: {err:?}"); + } + } + } + } + } + + // Clean up any orphaned CIDs that aren't being used + { + let mut state = self.lock(); + let used_cids: HashSet = state.vms.values().map(|vm| vm.config.cid).collect(); + let orphaned_cids: Vec = existing_cids.difference(&used_cids).cloned().collect(); + for cid in orphaned_cids { + state.cid_pool.free(cid); + info!("Released orphaned CID {cid}"); + } + } + + Ok(ReloadVmsResponse { + loaded, + updated, + removed, + }) + } + + /// Load or update a VM, preserving existing statistics + async fn load_or_update_vm( + &self, + work_dir: impl AsRef, + cids_assigned: &HashMap, + auto_start: bool, + ) -> Result { + let vm_work_dir = VmWorkDir::new(work_dir.as_ref()); + let manifest = vm_work_dir.manifest().context("Failed to read manifest")?; + if manifest.image.len() > 64 + || manifest.image.contains("..") + || !manifest + .image + .chars() + .all(|c| c.is_alphanumeric() || c == '_' || c == '-' || c == '.') + { + bail!("Invalid image name"); + } + let image_path = self.config.image_path.join(&manifest.image); + let image = Image::load(&image_path).context("Failed to load image")?; + let vm_id = manifest.id.clone(); + let app_compose = vm_work_dir + .app_compose() + .context("Failed to read compose file")?; + + let mut is_new = false; + { + let mut states = self.lock(); + + // For existing VMs, keep their current CID + // For new VMs, try to use assigned CID or allocate a new one + let cid = if let Some(existing_vm) = states.get(&vm_id) { + // Keep existing CID + existing_vm.config.cid + } else if let Some(assigned_cid) = cids_assigned.get(&vm_id) { + // Use assigned CID from running processes + *assigned_cid + } else { + // Allocate new CID only for truly new VMs + states.cid_pool.allocate().context("CID pool exhausted")? + }; + + let vm_config = VmConfig { + manifest, + image, + cid, + workdir: vm_work_dir.path().to_path_buf(), + gateway_enabled: app_compose.gateway_enabled(), + }; + + match states.get_mut(&vm_id) { + Some(vm) => { + // Update existing VM but preserve statistics and CID + let old_state = vm.state.clone(); + vm.config = vm_config.into(); + vm.state = old_state; // Preserve the existing state with statistics + } + None => { + // This is a new VM, need to occupy its CID if it wasn't allocated + if !cids_assigned.contains_key(&vm_id) { + states.cid_pool.occupy(cid)?; + } + states.add(VmState::new(vm_config)); + is_new = true; + } + } + }; + + if auto_start && vm_work_dir.started().unwrap_or_default() { + self.start_vm(&vm_id).await?; + } + + Ok(is_new) + } + pub async fn list_vms(&self, request: StatusRequest) -> Result { let vms = self .supervisor diff --git a/vmm/src/app/id_pool.rs b/vmm/src/app/id_pool.rs index a111a16f..5bbb205e 100644 --- a/vmm/src/app/id_pool.rs +++ b/vmm/src/app/id_pool.rs @@ -62,4 +62,8 @@ impl IdPool { pub fn free(&mut self, id: T) { self.allocated.remove(&id); } + + pub fn clear(&mut self) { + self.allocated.clear(); + } } diff --git a/vmm/src/console_beta.html b/vmm/src/console_beta.html index aaebdec4..8a9809ee 100644 --- a/vmm/src/console_beta.html +++ b/vmm/src/console_beta.html @@ -979,6 +979,97 @@ opacity: 1; } +/* System Menu Styles */ +.system-menu { + position: relative; + display: inline-block; + margin-right: 12px; +} + +.btn-icon { + background: transparent; + color: var(--color-text-secondary); + border: 1px solid var(--color-border); + padding: 8px; + border-radius: var(--radius-md); + font-size: 14px; + font-weight: 500; + cursor: pointer; + display: inline-flex; + align-items: center; + justify-content: center; + transition: all 0.15s ease; + min-width: 36px; + min-height: 36px; +} + +.btn-icon:hover { + background: var(--color-bg-tertiary); + color: var(--color-primary); + border-color: var(--color-primary); + box-shadow: var(--shadow-sm); + transform: translateY(-1px); +} + +.btn-icon:active { + transform: translateY(0); +} + +.system-dropdown { + display: none; + position: absolute; + right: 0; + top: calc(100% + 8px); + z-index: 300; + min-width: 180px; + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + box-shadow: var(--shadow-xl); + animation: fadeIn 0.15s ease; +} + +.system-dropdown.show { + display: block; +} + +.dropdown-item { + width: 100%; + padding: 12px 16px; + border: none; + background: transparent; + text-align: left; + cursor: pointer; + font-size: 14px; + font-weight: 500; + color: var(--color-text-primary); + transition: all 0.15s ease; + display: flex; + align-items: center; + gap: 12px; + border-bottom: 1px solid var(--color-border-light); +} + +.dropdown-item:last-child { + border-bottom: none; +} + +.dropdown-item:hover { + background: var(--color-bg-tertiary); + padding-left: 20px; + color: var(--color-primary); +} + +.dropdown-item svg { + flex-shrink: 0; + opacity: 0.7; + transition: opacity 0.15s ease; +} + +.dropdown-item:hover svg { + opacity: 1; +} + .message-container { position: fixed; top: 20px; @@ -2147,6 +2238,10 @@

Derive VM

if (localStorage.getItem('dangerConfirm') === null) { localStorage.setItem('dangerConfirm', 'true'); } +// System menu state +const systemMenu = ref({ + show: false, +}); function createVmFormState(preLaunchScript) { return { name: '', @@ -3064,8 +3159,62 @@

Derive VM

} function closeAllDropdowns() { document.querySelectorAll('.dropdown-content').forEach((dropdown) => dropdown.classList.remove('show')); + systemMenu.value.show = false; document.removeEventListener('click', closeAllDropdowns); } + function toggleSystemMenu(event) { + event.stopPropagation(); + systemMenu.value.show = !systemMenu.value.show; + // Close all other dropdowns + document.querySelectorAll('.dropdown-content').forEach((dropdown) => { + dropdown.classList.remove('show'); + }); + if (systemMenu.value.show) { + document.addEventListener('click', closeAllDropdowns); + } + else { + document.removeEventListener('click', closeAllDropdowns); + } + } + function closeSystemMenu() { + systemMenu.value.show = false; + } + async function reloadVMs() { + try { + errorMessage.value = ''; + successMessage.value = ''; + const response = await vmmRpc.reloadVms({}); + // Show success message with statistics + if (response.loaded > 0 || response.updated > 0 || response.removed > 0) { + let message = 'VM reload completed: '; + const parts = []; + if (response.loaded > 0) + parts.push(`${response.loaded} loaded`); + if (response.updated > 0) + parts.push(`${response.updated} updated`); + if (response.removed > 0) + parts.push(`${response.removed} removed`); + successMessage.value = message + parts.join(', '); + } + else { + successMessage.value = 'VM reload completed: no changes detected'; + } + // Reload the VM list to show updated data + await loadVMList(); + // Hide message after 5 seconds + setTimeout(() => { + successMessage.value = ''; + }, 5000); + } + catch (error) { + console.error('Failed to reload VMs:', error); + errorMessage.value = `Failed to reload VMs: ${error.message || error.toString()}`; + // Hide error message after 10 seconds + setTimeout(() => { + errorMessage.value = ''; + }, 10000); + } + } function toggleDropdown(event, vm) { document.querySelectorAll('.dropdown-content').forEach((dropdown) => { if (dropdown.id !== `dropdown-${vm.id}`) { @@ -3254,6 +3403,10 @@

Derive VM

downloadAppCompose, downloadUserConfig, getVmFeatures, + systemMenu, + toggleSystemMenu, + closeSystemMenu, + reloadVMs, }; } @@ -11343,6 +11496,241 @@

Derive VM

}; return ListGpusResponse; })(); + vmm.ReloadVmsResponse = (function () { + /** + * Properties of a ReloadVmsResponse. + * @memberof vmm + * @interface IReloadVmsResponse + * @property {number|null} [loaded] ReloadVmsResponse loaded + * @property {number|null} [updated] ReloadVmsResponse updated + * @property {number|null} [removed] ReloadVmsResponse removed + */ + /** + * Constructs a new ReloadVmsResponse. + * @memberof vmm + * @classdesc Represents a ReloadVmsResponse. + * @implements IReloadVmsResponse + * @constructor + * @param {vmm.IReloadVmsResponse=} [properties] Properties to set + */ + function ReloadVmsResponse(properties) { + if (properties) + for (var keys = Object.keys(properties), i = 0; i < keys.length; ++i) + if (properties[keys[i]] != null) + this[keys[i]] = properties[keys[i]]; + } + /** + * ReloadVmsResponse loaded. + * @member {number} loaded + * @memberof vmm.ReloadVmsResponse + * @instance + */ + ReloadVmsResponse.prototype.loaded = 0; + /** + * ReloadVmsResponse updated. + * @member {number} updated + * @memberof vmm.ReloadVmsResponse + * @instance + */ + ReloadVmsResponse.prototype.updated = 0; + /** + * ReloadVmsResponse removed. + * @member {number} removed + * @memberof vmm.ReloadVmsResponse + * @instance + */ + ReloadVmsResponse.prototype.removed = 0; + /** + * Creates a new ReloadVmsResponse instance using the specified properties. + * @function create + * @memberof vmm.ReloadVmsResponse + * @static + * @param {vmm.IReloadVmsResponse=} [properties] Properties to set + * @returns {vmm.ReloadVmsResponse} ReloadVmsResponse instance + */ + ReloadVmsResponse.create = function create(properties) { + return new ReloadVmsResponse(properties); + }; + /** + * Encodes the specified ReloadVmsResponse message. Does not implicitly {@link vmm.ReloadVmsResponse.verify|verify} messages. + * @function encode + * @memberof vmm.ReloadVmsResponse + * @static + * @param {vmm.IReloadVmsResponse} message ReloadVmsResponse message or plain object to encode + * @param {$protobuf.Writer} [writer] Writer to encode to + * @returns {$protobuf.Writer} Writer + */ + ReloadVmsResponse.encode = function encode(message, writer) { + if (!writer) + writer = $Writer.create(); + if (message.loaded != null && Object.hasOwnProperty.call(message, "loaded")) + writer.uint32(/* id 1, wireType 0 =*/ 8).uint32(message.loaded); + if (message.updated != null && Object.hasOwnProperty.call(message, "updated")) + writer.uint32(/* id 2, wireType 0 =*/ 16).uint32(message.updated); + if (message.removed != null && Object.hasOwnProperty.call(message, "removed")) + writer.uint32(/* id 3, wireType 0 =*/ 24).uint32(message.removed); + return writer; + }; + /** + * Encodes the specified ReloadVmsResponse message, length delimited. Does not implicitly {@link vmm.ReloadVmsResponse.verify|verify} messages. + * @function encodeDelimited + * @memberof vmm.ReloadVmsResponse + * @static + * @param {vmm.IReloadVmsResponse} message ReloadVmsResponse message or plain object to encode + * @param {$protobuf.Writer} [writer] Writer to encode to + * @returns {$protobuf.Writer} Writer + */ + ReloadVmsResponse.encodeDelimited = function encodeDelimited(message, writer) { + return this.encode(message, writer).ldelim(); + }; + /** + * Decodes a ReloadVmsResponse message from the specified reader or buffer. + * @function decode + * @memberof vmm.ReloadVmsResponse + * @static + * @param {$protobuf.Reader|Uint8Array} reader Reader or buffer to decode from + * @param {number} [length] Message length if known beforehand + * @returns {vmm.ReloadVmsResponse} ReloadVmsResponse + * @throws {Error} If the payload is not a reader or valid buffer + * @throws {$protobuf.util.ProtocolError} If required fields are missing + */ + ReloadVmsResponse.decode = function decode(reader, length, error) { + if (!(reader instanceof $Reader)) + reader = $Reader.create(reader); + var end = length === undefined ? reader.len : reader.pos + length, message = new $root.vmm.ReloadVmsResponse(); + while (reader.pos < end) { + var tag = reader.uint32(); + if (tag === error) + break; + switch (tag >>> 3) { + case 1: { + message.loaded = reader.uint32(); + break; + } + case 2: { + message.updated = reader.uint32(); + break; + } + case 3: { + message.removed = reader.uint32(); + break; + } + default: + reader.skipType(tag & 7); + break; + } + } + return message; + }; + /** + * Decodes a ReloadVmsResponse message from the specified reader or buffer, length delimited. + * @function decodeDelimited + * @memberof vmm.ReloadVmsResponse + * @static + * @param {$protobuf.Reader|Uint8Array} reader Reader or buffer to decode from + * @returns {vmm.ReloadVmsResponse} ReloadVmsResponse + * @throws {Error} If the payload is not a reader or valid buffer + * @throws {$protobuf.util.ProtocolError} If required fields are missing + */ + ReloadVmsResponse.decodeDelimited = function decodeDelimited(reader) { + if (!(reader instanceof $Reader)) + reader = new $Reader(reader); + return this.decode(reader, reader.uint32()); + }; + /** + * Verifies a ReloadVmsResponse message. + * @function verify + * @memberof vmm.ReloadVmsResponse + * @static + * @param {Object.} message Plain object to verify + * @returns {string|null} `null` if valid, otherwise the reason why it is not + */ + ReloadVmsResponse.verify = function verify(message) { + if (typeof message !== "object" || message === null) + return "object expected"; + if (message.loaded != null && message.hasOwnProperty("loaded")) + if (!$util.isInteger(message.loaded)) + return "loaded: integer expected"; + if (message.updated != null && message.hasOwnProperty("updated")) + if (!$util.isInteger(message.updated)) + return "updated: integer expected"; + if (message.removed != null && message.hasOwnProperty("removed")) + if (!$util.isInteger(message.removed)) + return "removed: integer expected"; + return null; + }; + /** + * Creates a ReloadVmsResponse message from a plain object. Also converts values to their respective internal types. + * @function fromObject + * @memberof vmm.ReloadVmsResponse + * @static + * @param {Object.} object Plain object + * @returns {vmm.ReloadVmsResponse} ReloadVmsResponse + */ + ReloadVmsResponse.fromObject = function fromObject(object) { + if (object instanceof $root.vmm.ReloadVmsResponse) + return object; + var message = new $root.vmm.ReloadVmsResponse(); + if (object.loaded != null) + message.loaded = object.loaded >>> 0; + if (object.updated != null) + message.updated = object.updated >>> 0; + if (object.removed != null) + message.removed = object.removed >>> 0; + return message; + }; + /** + * Creates a plain object from a ReloadVmsResponse message. Also converts values to other types if specified. + * @function toObject + * @memberof vmm.ReloadVmsResponse + * @static + * @param {vmm.ReloadVmsResponse} message ReloadVmsResponse + * @param {$protobuf.IConversionOptions} [options] Conversion options + * @returns {Object.} Plain object + */ + ReloadVmsResponse.toObject = function toObject(message, options) { + if (!options) + options = {}; + var object = {}; + if (options.defaults) { + object.loaded = 0; + object.updated = 0; + object.removed = 0; + } + if (message.loaded != null && message.hasOwnProperty("loaded")) + object.loaded = message.loaded; + if (message.updated != null && message.hasOwnProperty("updated")) + object.updated = message.updated; + if (message.removed != null && message.hasOwnProperty("removed")) + object.removed = message.removed; + return object; + }; + /** + * Converts this ReloadVmsResponse to JSON. + * @function toJSON + * @memberof vmm.ReloadVmsResponse + * @instance + * @returns {Object.} JSON object + */ + ReloadVmsResponse.prototype.toJSON = function toJSON() { + return this.constructor.toObject(this, $protobuf.util.toJSONOptions); + }; + /** + * Gets the default type url for ReloadVmsResponse + * @function getTypeUrl + * @memberof vmm.ReloadVmsResponse + * @static + * @param {string} [typeUrlPrefix] your custom typeUrlPrefix(default "type.googleapis.com") + * @returns {string} The default type url + */ + ReloadVmsResponse.getTypeUrl = function getTypeUrl(typeUrlPrefix) { + if (typeUrlPrefix === undefined) { + typeUrlPrefix = "type.googleapis.com"; + } + return typeUrlPrefix + "/vmm.ReloadVmsResponse"; + }; + return ReloadVmsResponse; + })(); vmm.GpuInfo = (function () { /** * Properties of a GpuInfo. @@ -12078,6 +12466,36 @@

Derive VM

* @returns {Promise} Promise * @variation 2 */ + /** + * Callback as used by {@link vmm.Vmm#reloadVms}. + * @memberof vmm.Vmm + * @typedef ReloadVmsCallback + * @type {function} + * @param {Error|null} error Error, if any + * @param {vmm.ReloadVmsResponse} [response] ReloadVmsResponse + */ + /** + * Calls ReloadVms. + * @function reloadVms + * @memberof vmm.Vmm + * @instance + * @param {google.protobuf.IEmpty} request Empty message or plain object + * @param {vmm.Vmm.ReloadVmsCallback} callback Node-style callback called with the error, if any, and ReloadVmsResponse + * @returns {undefined} + * @variation 1 + */ + Object.defineProperty(Vmm.prototype.reloadVms = function reloadVms(request, callback) { + return this.rpcCall(reloadVms, $root.google.protobuf.Empty, $root.vmm.ReloadVmsResponse, request, callback); + }, "name", { value: "ReloadVms" }); + /** + * Calls ReloadVms. + * @function reloadVms + * @memberof vmm.Vmm + * @instance + * @param {google.protobuf.IEmpty} request Empty message or plain object + * @returns {Promise} Promise + * @variation 2 + */ return Vmm; })(); return vmm; @@ -15194,7 +15612,7 @@

Derive VM

}, map: {"protobufjs/minimal":"node_modules/protobufjs/minimal.js"} }, 'build/ts/templates/app.html': { factory: function(module, exports, require) { -module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }}\n
\n
\n \n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; +module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }}\n
\n
\n
\n \n
\n \n
\n
\n \n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; }, map: {} } }; const cache = {}; diff --git a/vmm/src/main_service.rs b/vmm/src/main_service.rs index 62251bd8..658473a1 100644 --- a/vmm/src/main_service.rs +++ b/vmm/src/main_service.rs @@ -12,8 +12,8 @@ use dstack_vmm_rpc::vmm_server::{VmmRpc, VmmServer}; use dstack_vmm_rpc::{ AppId, ComposeHash as RpcComposeHash, GatewaySettings, GetInfoResponse, GetMetaResponse, Id, ImageInfo as RpcImageInfo, ImageListResponse, KmsSettings, ListGpusResponse, PublicKeyResponse, - ResizeVmRequest, ResourcesSettings, StatusRequest, StatusResponse, UpgradeAppRequest, - VersionResponse, VmConfiguration, + ReloadVmsResponse, ResizeVmRequest, ResourcesSettings, StatusRequest, StatusResponse, + UpgradeAppRequest, VersionResponse, VmConfiguration, }; use fs_err as fs; use ra_rpc::{CallContext, RpcCall}; @@ -488,6 +488,11 @@ impl VmmRpc for RpcHandler { let hash = hex_sha256(&request.compose_file); Ok(RpcComposeHash { hash }) } + + async fn reload_vms(self) -> Result { + info!("Reloading VMs directory and syncing with memory state"); + self.app.reload_vms_sync().await + } } impl RpcCall for RpcHandler { diff --git a/vmm/ui/src/composables/useVmManager.ts b/vmm/ui/src/composables/useVmManager.ts index 0dbe36e5..c47cb969 100644 --- a/vmm/ui/src/composables/useVmManager.ts +++ b/vmm/ui/src/composables/useVmManager.ts @@ -44,6 +44,11 @@ if (localStorage.getItem('dangerConfirm') === null) { localStorage.setItem('dangerConfirm', 'true'); } +// System menu state +const systemMenu = ref({ + show: false, +}); + type MemoryUnit = 'MB' | 'GB'; type JsonRpcCall = (method: string, params?: Record) => Promise; @@ -1184,9 +1189,69 @@ fi function closeAllDropdowns() { document.querySelectorAll('.dropdown-content').forEach((dropdown) => dropdown.classList.remove('show')); + systemMenu.value.show = false; document.removeEventListener('click', closeAllDropdowns); } + function toggleSystemMenu(event: Event) { + event.stopPropagation(); + systemMenu.value.show = !systemMenu.value.show; + + // Close all other dropdowns + document.querySelectorAll('.dropdown-content').forEach((dropdown) => { + dropdown.classList.remove('show'); + }); + + if (systemMenu.value.show) { + document.addEventListener('click', closeAllDropdowns); + } else { + document.removeEventListener('click', closeAllDropdowns); + } + } + + function closeSystemMenu() { + systemMenu.value.show = false; + } + + async function reloadVMs() { + try { + errorMessage.value = ''; + successMessage.value = ''; + + const response = await vmmRpc.reloadVms({}); + + // Show success message with statistics + if (response.loaded > 0 || response.updated > 0 || response.removed > 0) { + let message = 'VM reload completed: '; + const parts = []; + if (response.loaded > 0) parts.push(`${response.loaded} loaded`); + if (response.updated > 0) parts.push(`${response.updated} updated`); + if (response.removed > 0) parts.push(`${response.removed} removed`); + + successMessage.value = message + parts.join(', '); + } else { + successMessage.value = 'VM reload completed: no changes detected'; + } + + // Reload the VM list to show updated data + await loadVMList(); + + // Hide message after 5 seconds + setTimeout(() => { + successMessage.value = ''; + }, 5000); + + } catch (error: any) { + console.error('Failed to reload VMs:', error); + errorMessage.value = `Failed to reload VMs: ${error.message || error.toString()}`; + + // Hide error message after 10 seconds + setTimeout(() => { + errorMessage.value = ''; + }, 10000); + } + } + function toggleDropdown(event: Event, vm: VmListItem) { document.querySelectorAll('.dropdown-content').forEach((dropdown) => { if (dropdown.id !== `dropdown-${vm.id}`) { @@ -1385,6 +1450,10 @@ fi downloadAppCompose, downloadUserConfig, getVmFeatures, + systemMenu, + toggleSystemMenu, + closeSystemMenu, + reloadVMs, }; } diff --git a/vmm/ui/src/styles/main.css b/vmm/ui/src/styles/main.css index aae2c2c5..667100a7 100644 --- a/vmm/ui/src/styles/main.css +++ b/vmm/ui/src/styles/main.css @@ -967,6 +967,97 @@ h1, h2, h3, h4, h5, h6 { opacity: 1; } +/* System Menu Styles */ +.system-menu { + position: relative; + display: inline-block; + margin-right: 12px; +} + +.btn-icon { + background: transparent; + color: var(--color-text-secondary); + border: 1px solid var(--color-border); + padding: 8px; + border-radius: var(--radius-md); + font-size: 14px; + font-weight: 500; + cursor: pointer; + display: inline-flex; + align-items: center; + justify-content: center; + transition: all 0.15s ease; + min-width: 36px; + min-height: 36px; +} + +.btn-icon:hover { + background: var(--color-bg-tertiary); + color: var(--color-primary); + border-color: var(--color-primary); + box-shadow: var(--shadow-sm); + transform: translateY(-1px); +} + +.btn-icon:active { + transform: translateY(0); +} + +.system-dropdown { + display: none; + position: absolute; + right: 0; + top: calc(100% + 8px); + z-index: 300; + min-width: 180px; + background: var(--color-bg-primary); + border: 1px solid var(--color-border); + border-radius: var(--radius-md); + box-shadow: var(--shadow-xl); + animation: fadeIn 0.15s ease; +} + +.system-dropdown.show { + display: block; +} + +.dropdown-item { + width: 100%; + padding: 12px 16px; + border: none; + background: transparent; + text-align: left; + cursor: pointer; + font-size: 14px; + font-weight: 500; + color: var(--color-text-primary); + transition: all 0.15s ease; + display: flex; + align-items: center; + gap: 12px; + border-bottom: 1px solid var(--color-border-light); +} + +.dropdown-item:last-child { + border-bottom: none; +} + +.dropdown-item:hover { + background: var(--color-bg-tertiary); + padding-left: 20px; + color: var(--color-primary); +} + +.dropdown-item svg { + flex-shrink: 0; + opacity: 0.7; + transition: opacity 0.15s ease; +} + +.dropdown-item:hover svg { + opacity: 1; +} + .message-container { position: fixed; top: 20px; diff --git a/vmm/ui/src/templates/app.html b/vmm/ui/src/templates/app.html index 23818bcd..c702c247 100644 --- a/vmm/ui/src/templates/app.html +++ b/vmm/ui/src/templates/app.html @@ -11,6 +11,21 @@

dstack-vmm

v{{ version.version }}
+
+ +
+ +
+
@@ -2269,6 +2270,7 @@

Derive VM

public_logs: true, public_sysinfo: true, public_tcbinfo: true, + no_tee: false, pin_numa: false, hugepages: false, user_config: '', @@ -2318,6 +2320,7 @@

Derive VM

gateway_urls: undefined, hugepages: false, pin_numa: false, + no_tee: false, encrypted_env: undefined, app_id: undefined, stopped: false, @@ -2462,7 +2465,7 @@

Derive VM

return undefined; } function buildCreateVmPayload(source) { - var _a, _b, _c, _d; + var _a, _b, _c, _d, _e; const normalizedPorts = normalizePorts(source.ports); return { name: source.name.trim(), @@ -2477,9 +2480,10 @@

Derive VM

user_config: source.user_config || '', hugepages: !!source.hugepages, pin_numa: !!source.pin_numa, + no_tee: (_a = source.no_tee) !== null && _a !== void 0 ? _a : false, gpus: source.gpus, - kms_urls: (_b = (_a = source.kms_urls) === null || _a === void 0 ? void 0 : _a.filter((url) => url && url.trim().length)) !== null && _b !== void 0 ? _b : [], - gateway_urls: (_d = (_c = source.gateway_urls) === null || _c === void 0 ? void 0 : _c.filter((url) => url && url.trim().length)) !== null && _d !== void 0 ? _d : [], + kms_urls: (_c = (_b = source.kms_urls) === null || _b === void 0 ? void 0 : _b.filter((url) => url && url.trim().length)) !== null && _c !== void 0 ? _c : [], + gateway_urls: (_e = (_d = source.gateway_urls) === null || _d === void 0 ? void 0 : _d.filter((url) => url && url.trim().length)) !== null && _e !== void 0 ? _e : [], stopped: !!source.stopped, }; } @@ -2937,6 +2941,7 @@

Derive VM

user_config: vmForm.value.user_config, hugepages: vmForm.value.hugepages, pin_numa: vmForm.value.pin_numa, + no_tee: vmForm.value.no_tee, gpus: configGpu(vmForm.value) || undefined, kms_urls: vmForm.value.kms_urls, gateway_urls: vmForm.value.gateway_urls, @@ -3067,6 +3072,7 @@

Derive VM

public_tcbinfo: !!((_p = theVm.appCompose) === null || _p === void 0 ? void 0 : _p.public_tcbinfo), pin_numa: !!config.pin_numa, hugepages: !!config.hugepages, + no_tee: !!config.no_tee, user_config: config.user_config || '', stopped: !!config.stopped, }; @@ -3093,6 +3099,7 @@

Derive VM

user_config: source.user_config, hugepages: source.hugepages, pin_numa: source.pin_numa, + no_tee: source.no_tee, gpus: source.gpus, kms_urls: source.kms_urls, gateway_urls: source.gateway_urls, @@ -6386,6 +6393,7 @@

Derive VM

* @property {Array.|null} [kms_urls] VmConfiguration kms_urls * @property {Array.|null} [gateway_urls] VmConfiguration gateway_urls * @property {boolean|null} [stopped] VmConfiguration stopped + * @property {boolean|null} [no_tee] VmConfiguration no_tee */ /** * Constructs a new VmConfiguration. @@ -6516,6 +6524,13 @@

Derive VM

* @instance */ VmConfiguration.prototype.stopped = false; + /** + * VmConfiguration no_tee. + * @member {boolean} no_tee + * @memberof vmm.VmConfiguration + * @instance + */ + VmConfiguration.prototype.no_tee = false; // OneOf field names bound to virtual getters and setters var $oneOfFields; /** @@ -6586,6 +6601,8 @@

Derive VM

writer.uint32(/* id 15, wireType 2 =*/ 122).string(message.gateway_urls[i]); if (message.stopped != null && Object.hasOwnProperty.call(message, "stopped")) writer.uint32(/* id 16, wireType 0 =*/ 128).bool(message.stopped); + if (message.no_tee != null && Object.hasOwnProperty.call(message, "no_tee")) + writer.uint32(/* id 17, wireType 0 =*/ 136).bool(message.no_tee); return writer; }; /** @@ -6690,6 +6707,10 @@

Derive VM

message.stopped = reader.bool(); break; } + case 17: { + message.no_tee = reader.bool(); + break; + } default: reader.skipType(tag & 7); break; @@ -6790,6 +6811,9 @@

Derive VM

if (message.stopped != null && message.hasOwnProperty("stopped")) if (typeof message.stopped !== "boolean") return "stopped: boolean expected"; + if (message.no_tee != null && message.hasOwnProperty("no_tee")) + if (typeof message.no_tee !== "boolean") + return "no_tee: boolean expected"; return null; }; /** @@ -6860,6 +6884,8 @@

Derive VM

} if (object.stopped != null) message.stopped = Boolean(object.stopped); + if (object.no_tee != null) + message.no_tee = Boolean(object.no_tee); return message; }; /** @@ -6899,6 +6925,7 @@

Derive VM

object.pin_numa = false; object.gpus = null; object.stopped = false; + object.no_tee = false; } if (message.name != null && message.hasOwnProperty("name")) object.name = message.name; @@ -6944,6 +6971,8 @@

Derive VM

} if (message.stopped != null && message.hasOwnProperty("stopped")) object.stopped = message.stopped; + if (message.no_tee != null && message.hasOwnProperty("no_tee")) + object.no_tee = message.no_tee; return object; }; /** @@ -7669,6 +7698,7 @@

Derive VM

* @property {number|null} [memory] UpdateVmRequest memory * @property {number|null} [disk_size] UpdateVmRequest disk_size * @property {string|null} [image] UpdateVmRequest image + * @property {boolean|null} [no_tee] UpdateVmRequest no_tee */ /** * Constructs a new UpdateVmRequest. @@ -7762,6 +7792,13 @@

Derive VM

* @instance */ UpdateVmRequest.prototype.image = null; + /** + * UpdateVmRequest no_tee. + * @member {boolean|null|undefined} no_tee + * @memberof vmm.UpdateVmRequest + * @instance + */ + UpdateVmRequest.prototype.no_tee = null; // OneOf field names bound to virtual getters and setters var $oneOfFields; /** @@ -7804,6 +7841,16 @@

Derive VM

get: $util.oneOfGetter($oneOfFields = ["image"]), set: $util.oneOfSetter($oneOfFields) }); + /** + * UpdateVmRequest _no_tee. + * @member {"no_tee"|undefined} _no_tee + * @memberof vmm.UpdateVmRequest + * @instance + */ + Object.defineProperty(UpdateVmRequest.prototype, "_no_tee", { + get: $util.oneOfGetter($oneOfFields = ["no_tee"]), + set: $util.oneOfSetter($oneOfFields) + }); /** * Creates a new UpdateVmRequest instance using the specified properties. * @function create @@ -7850,6 +7897,8 @@

Derive VM

writer.uint32(/* id 16, wireType 0 =*/ 128).uint32(message.disk_size); if (message.image != null && Object.hasOwnProperty.call(message, "image")) writer.uint32(/* id 17, wireType 2 =*/ 138).string(message.image); + if (message.no_tee != null && Object.hasOwnProperty.call(message, "no_tee")) + writer.uint32(/* id 18, wireType 0 =*/ 144).bool(message.no_tee); return writer; }; /** @@ -7930,6 +7979,10 @@

Derive VM

message.image = reader.string(); break; } + case 18: { + message.no_tee = reader.bool(); + break; + } default: reader.skipType(tag & 7); break; @@ -8013,6 +8066,11 @@

Derive VM

if (!$util.isString(message.image)) return "image: string expected"; } + if (message.no_tee != null && message.hasOwnProperty("no_tee")) { + properties._no_tee = 1; + if (typeof message.no_tee !== "boolean") + return "no_tee: boolean expected"; + } return null; }; /** @@ -8063,6 +8121,8 @@

Derive VM

message.disk_size = object.disk_size >>> 0; if (object.image != null) message.image = String(object.image); + if (object.no_tee != null) + message.no_tee = Boolean(object.no_tee); return message; }; /** @@ -8131,6 +8191,11 @@

Derive VM

if (options.oneofs) object._image = "image"; } + if (message.no_tee != null && message.hasOwnProperty("no_tee")) { + object.no_tee = message.no_tee; + if (options.oneofs) + object._no_tee = "no_tee"; + } return object; }; /** diff --git a/vmm/src/main_service.rs b/vmm/src/main_service.rs index 6b6bed04..d309ded5 100644 --- a/vmm/src/main_service.rs +++ b/vmm/src/main_service.rs @@ -192,6 +192,7 @@ pub fn create_manifest_from_vm_config( gpus: Some(gpus), kms_urls: request.kms_urls.clone(), gateway_urls: request.gateway_urls.clone(), + no_tee: request.no_tee, }) } @@ -384,6 +385,9 @@ impl VmmRpc for RpcHandler { if let Some(gpus) = request.gpus { manifest.gpus = Some(self.resolve_gpus(&gpus)?); } + if let Some(no_tee) = request.no_tee { + manifest.no_tee = no_tee; + } if request.update_ports { manifest.port_map = request .ports diff --git a/vmm/src/vmm-cli.py b/vmm/src/vmm-cli.py index f97ff9a9..7bf4b3fa 100755 --- a/vmm/src/vmm-cli.py +++ b/vmm/src/vmm-cli.py @@ -568,6 +568,7 @@ def create_vm(self, args) -> None: "hugepages": args.hugepages, "pin_numa": args.pin_numa, "stopped": args.stopped, + "no_tee": args.no_tee, } if args.swap is not None: swap_bytes = max(0, int(round(args.swap)) * 1024 * 1024) @@ -689,6 +690,7 @@ def update_vm( attach_all: bool = False, no_gpus: bool = False, kms_urls: Optional[List[str]] = None, + no_tee: Optional[bool] = None, ) -> None: """Update multiple aspects of a VM in one command""" updates = [] @@ -838,6 +840,10 @@ def update_vm( updates.append("GPUs (none)") upgrade_params["gpus"] = gpu_config + if no_tee is not None: + upgrade_params["no_tee"] = no_tee + updates.append("TEE disabled" if no_tee else "TEE enabled") + if len(upgrade_params) > 1: # more than just the id self.rpc_call("UpgradeApp", upgrade_params) @@ -1208,6 +1214,11 @@ def main(): help='Gateway URL') deploy_parser.add_argument('--stopped', action='store_true', help='Create VM in stopped state (requires dstack-vmm >= 0.5.4)') + deploy_parser.add_argument('--no-tee', dest='no_tee', action='store_true', + help='Disable Intel TDX / run without TEE') + deploy_parser.add_argument('--tee', dest='no_tee', action='store_false', + help='Force-enable Intel TDX (default)') + deploy_parser.set_defaults(no_tee=False) # Images command lsimage_parser = subparsers.add_parser( @@ -1346,6 +1357,22 @@ def main(): help="Detach all GPUs from the VM", ) + # TDX toggle + tee_group = update_parser.add_mutually_exclusive_group() + tee_group.add_argument( + "--no-tee", + dest="no_tee", + action="store_true", + help="Disable Intel TDX / run without TEE", + ) + tee_group.add_argument( + "--tee", + dest="no_tee", + action="store_false", + help="Enable Intel TDX for the VM", + ) + update_parser.set_defaults(no_tee=None) + # KMS URL for environment encryption update_parser.add_argument( "--kms-url", action="append", type=str, help="KMS URL" @@ -1418,6 +1445,7 @@ def main(): attach_all=args.ppcie, no_gpus=args.no_gpus if hasattr(args, 'no_gpus') else False, kms_urls=args.kms_url, + no_tee=args.no_tee, ) elif args.command == 'kms': if not args.kms_action: diff --git a/vmm/ui/src/components/CreateVmDialog.ts b/vmm/ui/src/components/CreateVmDialog.ts index 14e72a30..2bf3ef80 100644 --- a/vmm/ui/src/components/CreateVmDialog.ts +++ b/vmm/ui/src/components/CreateVmDialog.ts @@ -132,6 +132,7 @@ const CreateVmDialogComponent = { + diff --git a/vmm/ui/src/composables/useVmManager.ts b/vmm/ui/src/composables/useVmManager.ts index e1e0049b..2422ed69 100644 --- a/vmm/ui/src/composables/useVmManager.ts +++ b/vmm/ui/src/composables/useVmManager.ts @@ -106,6 +106,7 @@ type VmFormState = { public_logs: boolean; public_sysinfo: boolean; public_tcbinfo: boolean; + no_tee: boolean; pin_numa: boolean; hugepages: boolean; user_config: string; @@ -153,6 +154,7 @@ type CloneConfigDialogState = { gateway_urls?: string[]; hugepages: boolean; pin_numa: boolean; + no_tee: boolean; encrypted_env?: Uint8Array; app_id?: string; stopped: boolean; @@ -185,6 +187,7 @@ function createVmFormState(preLaunchScript: string): VmFormState { public_logs: true, public_sysinfo: true, public_tcbinfo: true, + no_tee: false, pin_numa: false, hugepages: false, user_config: '', @@ -236,6 +239,7 @@ function createCloneConfigDialogState(): CloneConfigDialogState { gateway_urls: undefined, hugepages: false, pin_numa: false, + no_tee: false, encrypted_env: undefined, app_id: undefined, stopped: false, @@ -404,9 +408,9 @@ fi return undefined; } - type CreateVmPayloadSource = { - name: string; - image: string; +type CreateVmPayloadSource = { + name: string; + image: string; compose_file: string; vcpu: number; memory: number; @@ -415,8 +419,9 @@ fi encrypted_env?: Uint8Array; app_id?: string | null; user_config?: string; - hugepages?: boolean; - pin_numa?: boolean; + hugepages?: boolean; + pin_numa?: boolean; + no_tee?: boolean; gpus?: VmmTypes.IGpuConfig; kms_urls?: string[]; gateway_urls?: string[]; @@ -438,6 +443,7 @@ fi user_config: source.user_config || '', hugepages: !!source.hugepages, pin_numa: !!source.pin_numa, + no_tee: source.no_tee ?? false, gpus: source.gpus, kms_urls: source.kms_urls?.filter((url) => url && url.trim().length) ?? [], gateway_urls: source.gateway_urls?.filter((url) => url && url.trim().length) ?? [], @@ -957,6 +963,7 @@ fi user_config: vmForm.value.user_config, hugepages: vmForm.value.hugepages, pin_numa: vmForm.value.pin_numa, + no_tee: vmForm.value.no_tee, gpus: configGpu(vmForm.value) || undefined, kms_urls: vmForm.value.kms_urls, gateway_urls: vmForm.value.gateway_urls, @@ -1093,6 +1100,7 @@ fi public_tcbinfo: !!theVm.appCompose?.public_tcbinfo, pin_numa: !!config.pin_numa, hugepages: !!config.hugepages, + no_tee: !!config.no_tee, user_config: config.user_config || '', stopped: !!config.stopped, }; @@ -1121,6 +1129,7 @@ fi user_config: source.user_config, hugepages: source.hugepages, pin_numa: source.pin_numa, + no_tee: source.no_tee, gpus: source.gpus, kms_urls: source.kms_urls, gateway_urls: source.gateway_urls, From be3a52cbb1367ff6c26a74d6b355ae44a344bcaa Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 12 Nov 2025 14:12:26 +0000 Subject: [PATCH 115/133] vmm: Add api docs link in the UI --- vmm/src/console_beta.html | 7 ++++++- vmm/src/main.rs | 2 +- vmm/ui/src/composables/useVmManager.ts | 6 ++++++ vmm/ui/src/templates/app.html | 19 +++++++++++++------ 4 files changed, 26 insertions(+), 8 deletions(-) diff --git a/vmm/src/console_beta.html b/vmm/src/console_beta.html index 3eeefbec..77329237 100644 --- a/vmm/src/console_beta.html +++ b/vmm/src/console_beta.html @@ -3182,6 +3182,10 @@

Derive VM

function closeSystemMenu() { systemMenu.value.show = false; } + function openApiDocs() { + closeSystemMenu(); + window.open('/api-docs/docs', '_blank', 'noopener'); + } async function reloadVMs() { try { errorMessage.value = ''; @@ -3409,6 +3413,7 @@

Derive VM

systemMenu, toggleSystemMenu, closeSystemMenu, + openApiDocs, reloadVMs, }; } @@ -15850,7 +15855,7 @@

Derive VM

}, map: {"protobufjs/minimal":"node_modules/protobufjs/minimal.js"} }, 'build/ts/templates/app.html': { factory: function(module, exports, require) { -module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }}\n
\n
\n
\n \n
\n \n
\n
\n \n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; +module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }}\n
\n
\n \n
\n \n
\n \n \n
\n
\n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; }, map: {} } }; const cache = {}; diff --git a/vmm/src/main.rs b/vmm/src/main.rs index 0c6edff2..bb1f7873 100644 --- a/vmm/src/main.rs +++ b/vmm/src/main.rs @@ -99,7 +99,7 @@ async fn run_external_api(app: App, figment: Figment, api_auth: ApiToken) -> Res }) })); let external_api = - ra_rpc::rocket_helper::mount_openapi_docs(external_api, openapi_doc, "/rpc-docs"); + ra_rpc::rocket_helper::mount_openapi_docs(external_api, openapi_doc, "/api-docs"); let _ = external_api .launch() diff --git a/vmm/ui/src/composables/useVmManager.ts b/vmm/ui/src/composables/useVmManager.ts index 2422ed69..9020ddbf 100644 --- a/vmm/ui/src/composables/useVmManager.ts +++ b/vmm/ui/src/composables/useVmManager.ts @@ -1219,6 +1219,11 @@ type CreateVmPayloadSource = { systemMenu.value.show = false; } + function openApiDocs() { + closeSystemMenu(); + window.open('/api-docs/docs', '_blank', 'noopener'); + } + async function reloadVMs() { try { errorMessage.value = ''; @@ -1459,6 +1464,7 @@ type CreateVmPayloadSource = { systemMenu, toggleSystemMenu, closeSystemMenu, + openApiDocs, reloadVMs, }; } diff --git a/vmm/ui/src/templates/app.html b/vmm/ui/src/templates/app.html index c702c247..a3b49b75 100644 --- a/vmm/ui/src/templates/app.html +++ b/vmm/ui/src/templates/app.html @@ -11,6 +11,12 @@

dstack-vmm

v{{ version.version }}
+
+
- From 423bf6fd0b462975406ee1ce3b15025028130974 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 12 Nov 2025 14:28:54 +0000 Subject: [PATCH 116/133] vmm-ui: Use new UI as default --- vmm/src/{console.html => console_v0.html} | 0 .../{console_beta.html => console_v1.html} | 7 +++++- vmm/src/main_routes.rs | 25 +++++++++++++------ vmm/ui/README.md | 12 ++++----- vmm/ui/build.mjs | 2 +- vmm/ui/src/composables/useVmManager.ts | 6 +++++ vmm/ui/src/templates/app.html | 7 ++++++ 7 files changed, 44 insertions(+), 15 deletions(-) rename vmm/src/{console.html => console_v0.html} (100%) rename vmm/src/{console_beta.html => console_v1.html} (96%) diff --git a/vmm/src/console.html b/vmm/src/console_v0.html similarity index 100% rename from vmm/src/console.html rename to vmm/src/console_v0.html diff --git a/vmm/src/console_beta.html b/vmm/src/console_v1.html similarity index 96% rename from vmm/src/console_beta.html rename to vmm/src/console_v1.html index 77329237..d78771b5 100644 --- a/vmm/src/console_beta.html +++ b/vmm/src/console_v1.html @@ -3186,6 +3186,10 @@

Derive VM

closeSystemMenu(); window.open('/api-docs/docs', '_blank', 'noopener'); } + function openLegacyUi() { + closeSystemMenu(); + window.open('/v0', '_blank', 'noopener'); + } async function reloadVMs() { try { errorMessage.value = ''; @@ -3414,6 +3418,7 @@

Derive VM

toggleSystemMenu, closeSystemMenu, openApiDocs, + openLegacyUi, reloadVMs, }; } @@ -15855,7 +15860,7 @@

Derive VM

}, map: {"protobufjs/minimal":"node_modules/protobufjs/minimal.js"} }, 'build/ts/templates/app.html': { factory: function(module, exports, require) { -module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }}\n
\n
\n \n
\n \n
\n \n \n
\n
\n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; +module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }}\n
\n
\n \n
\n \n
\n \n \n \n
\n
\n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; }, map: {} } }; const cache = {}; diff --git a/vmm/src/main_routes.rs b/vmm/src/main_routes.rs index a7146688..f4ef9a45 100644 --- a/vmm/src/main_routes.rs +++ b/vmm/src/main_routes.rs @@ -36,18 +36,29 @@ fn replace_title(app: &App, html: &str) -> String { html.replace("{{TITLE}}", &title) } -#[get("/")] -async fn index(app: &State) -> (ContentType, String) { - let html = file_or_include_str!("console.html"); +fn render_console(html: String, app: &State) -> (ContentType, String) { let html = replace_title(app, &html); (ContentType::HTML, html) } +#[get("/")] +async fn index(app: &State) -> (ContentType, String) { + render_console(file_or_include_str!("console_v1.html"), app) +} + +#[get("/v1")] +async fn v1(app: &State) -> (ContentType, String) { + index(app).await +} + #[get("/beta")] async fn beta(app: &State) -> (ContentType, String) { - let html = file_or_include_str!("console_beta.html"); - let html = replace_title(app, &html); - (ContentType::HTML, html) + index(app).await +} + +#[get("/v0")] +async fn v0(app: &State) -> (ContentType, String) { + render_console(file_or_include_str!("console_v0.html"), app) } #[get("/res/")] @@ -171,5 +182,5 @@ fn vm_logs( } pub fn routes() -> Vec { - routes![index, beta, res, vm_logs] + routes![index, v1, beta, v0, res, vm_logs] } diff --git a/vmm/ui/README.md b/vmm/ui/README.md index b6544f86..55476d20 100644 --- a/vmm/ui/README.md +++ b/vmm/ui/README.md @@ -8,19 +8,19 @@ This directory contains the source for the Vue-based VM management console. # Install dev dependencies (installs protobufjs CLI) npm install -# Build the beta console once +# Build the console once npm run build -# Build continuously (writes beta console on changes) +# Build continuously (writes console_v1 on changes) npm run watch ``` -The build step generates a single-file HTML artifact at `../src/console_beta.html` -which is served by `dstack-vmm` under the `/beta` path. The existing -`console.html` remains untouched so both versions can coexist. +The build step generates a single-file HTML artifact at `../src/console_v1.html` +which is served by `dstack-vmm` under `/` and `/v1`. The previous +`console_v0.html` remains untouched so the legacy UI stays available under `/v0`. The UI codebase is written in TypeScript. The build pipeline performs three steps: 1. `scripts/build_proto.sh` (borrowed from `phala-blockchain`) uses `pbjs/pbts` to regenerate static JS bindings for `vmm_rpc.proto`. 2. `tsc` transpiles `src/**/*.ts` into `build/ts/`. -3. `build.mjs` bundles the transpiled output together with the runtime assets into a single HTML page `console_beta.html`. +3. `build.mjs` bundles the transpiled output together with the runtime assets into a single HTML page `console_v1.html`. diff --git a/vmm/ui/build.mjs b/vmm/ui/build.mjs index 26197051..b1193a45 100644 --- a/vmm/ui/build.mjs +++ b/vmm/ui/build.mjs @@ -204,7 +204,7 @@ async function build({ watch = false } = {}) { const distFile = path.join(DIST_DIR, 'index.html'); await fs.writeFile(distFile, html); - const targetFile = path.resolve(ROOT, '../src/console_beta.html'); + const targetFile = path.resolve(ROOT, '../src/console_v1.html'); await fs.writeFile(targetFile, html); if (watch) { diff --git a/vmm/ui/src/composables/useVmManager.ts b/vmm/ui/src/composables/useVmManager.ts index 9020ddbf..0c48f9b1 100644 --- a/vmm/ui/src/composables/useVmManager.ts +++ b/vmm/ui/src/composables/useVmManager.ts @@ -1224,6 +1224,11 @@ type CreateVmPayloadSource = { window.open('/api-docs/docs', '_blank', 'noopener'); } + function openLegacyUi() { + closeSystemMenu(); + window.open('/v0', '_blank', 'noopener'); + } + async function reloadVMs() { try { errorMessage.value = ''; @@ -1465,6 +1470,7 @@ type CreateVmPayloadSource = { toggleSystemMenu, closeSystemMenu, openApiDocs, + openLegacyUi, reloadVMs, }; } diff --git a/vmm/ui/src/templates/app.html b/vmm/ui/src/templates/app.html index a3b49b75..3ebb52ca 100644 --- a/vmm/ui/src/templates/app.html +++ b/vmm/ui/src/templates/app.html @@ -37,6 +37,13 @@

dstack-vmm

API Docs + From edd7fcacc02171f99b8357e907b6c3c0900b81b0 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 12 Nov 2025 14:40:47 +0000 Subject: [PATCH 117/133] vmm-ui: Follow logs by default --- vmm/src/console_v1.html | 2 +- vmm/ui/src/composables/useVmManager.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/vmm/src/console_v1.html b/vmm/src/console_v1.html index d78771b5..6138d2f2 100644 --- a/vmm/src/console_v1.html +++ b/vmm/src/console_v1.html @@ -3267,7 +3267,7 @@

Derive VM

loadVMList(); } function showLogs(id, channel) { - window.open(`/logs?id=${encodeURIComponent(id)}&follow=false&ansi=false&lines=200&ch=${channel}`, '_blank'); + window.open(`/logs?id=${encodeURIComponent(id)}&follow=true&ansi=false&lines=200&ch=${channel}`, '_blank'); } function showDashboard(vm) { if (vm.app_url) { diff --git a/vmm/ui/src/composables/useVmManager.ts b/vmm/ui/src/composables/useVmManager.ts index 0c48f9b1..96691153 100644 --- a/vmm/ui/src/composables/useVmManager.ts +++ b/vmm/ui/src/composables/useVmManager.ts @@ -1317,7 +1317,7 @@ type CreateVmPayloadSource = { } function showLogs(id: string, channel: string) { - window.open(`/logs?id=${encodeURIComponent(id)}&follow=false&ansi=false&lines=200&ch=${channel}`, '_blank'); + window.open(`/logs?id=${encodeURIComponent(id)}&follow=true&ansi=false&lines=200&ch=${channel}`, '_blank'); } function showDashboard(vm: VmListItem) { From f13816d63e2373167bdaf2729fd5794d911bc689 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 12 Nov 2025 14:48:41 +0000 Subject: [PATCH 118/133] vmm-ui: Show TEE enabled flag --- vmm/src/console_v1.html | 2 +- vmm/ui/src/templates/app.html | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/vmm/src/console_v1.html b/vmm/src/console_v1.html index 6138d2f2..6535e339 100644 --- a/vmm/src/console_v1.html +++ b/vmm/src/console_v1.html @@ -15860,7 +15860,7 @@

Derive VM

}, map: {"protobufjs/minimal":"node_modules/protobufjs/minimal.js"} }, 'build/ts/templates/app.html': { factory: function(module, exports, require) { -module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }}\n
\n
\n \n
\n \n
\n \n \n \n
\n
\n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; +module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }}\n
\n
\n \n
\n \n
\n \n \n \n
\n
\n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
\n TEE\n {{ vm.configuration?.no_tee ? 'Disabled' : 'Enabled' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; }, map: {} } }; const cache = {}; diff --git a/vmm/ui/src/templates/app.html b/vmm/ui/src/templates/app.html index 3ebb52ca..384db7bf 100644 --- a/vmm/ui/src/templates/app.html +++ b/vmm/ui/src/templates/app.html @@ -278,6 +278,10 @@

dstack-vmm

Disk Type {{ vm.configuration?.disk_type || 'virtio-pci' }} +
+ TEE + {{ vm.configuration?.no_tee ? 'Disabled' : 'Enabled' }} +
GPUs
From e72b2149b40c518b35d15ae60a48f3502968a26a Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Thu, 13 Nov 2025 01:06:19 +0000 Subject: [PATCH 119/133] vmm-ui: Show git rev --- vmm/src/console_v1.html | 2 +- vmm/ui/src/templates/app.html | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/vmm/src/console_v1.html b/vmm/src/console_v1.html index 6535e339..c0025399 100644 --- a/vmm/src/console_v1.html +++ b/vmm/src/console_v1.html @@ -15860,7 +15860,7 @@

Derive VM

}, map: {"protobufjs/minimal":"node_modules/protobufjs/minimal.js"} }, 'build/ts/templates/app.html': { factory: function(module, exports, require) { -module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }}\n
\n
\n \n
\n \n
\n \n \n \n
\n
\n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
\n TEE\n {{ vm.configuration?.no_tee ? 'Disabled' : 'Enabled' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; +module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n v{{ version.version }} ({{ version.commit.slice(0, 14) }})\n
\n
\n \n
\n \n
\n \n \n \n
\n
\n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
\n TEE\n {{ vm.configuration?.no_tee ? 'Disabled' : 'Enabled' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; }, map: {} } }; const cache = {}; diff --git a/vmm/ui/src/templates/app.html b/vmm/ui/src/templates/app.html index 384db7bf..ccd85527 100644 --- a/vmm/ui/src/templates/app.html +++ b/vmm/ui/src/templates/app.html @@ -8,7 +8,12 @@

dstack-vmm

- v{{ version.version }} + + v{{ version.version }} + +
\n
\n \n
\n \n \n \n
\n
\n
\n
\n \n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
\n TEE\n {{ vm.configuration?.no_tee ? 'Disabled' : 'Enabled' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; +module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n \n v{{ version.version }}\n \n \n
\n
\n \n
\n \n
\n \n \n \n \n
\n
\n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
\n TEE\n {{ vm.configuration?.no_tee ? 'Disabled' : 'Enabled' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; }, map: {} } }; const cache = {}; diff --git a/vmm/ui/src/composables/useVmManager.ts b/vmm/ui/src/composables/useVmManager.ts index 96691153..6149f06a 100644 --- a/vmm/ui/src/composables/useVmManager.ts +++ b/vmm/ui/src/composables/useVmManager.ts @@ -39,15 +39,11 @@ const { getVmmRpcClient } = require('../lib/vmmRpcClient'); const vmmRpc = getVmmRpcClient(); -// Initialize dangerConfirm setting -if (localStorage.getItem('dangerConfirm') === null) { - localStorage.setItem('dangerConfirm', 'true'); -} - // System menu state const systemMenu = ref({ show: false, }); +const devMode = ref(localStorage.getItem('devMode') === 'true'); type MemoryUnit = 'MB' | 'GB'; @@ -1229,6 +1225,16 @@ type CreateVmPayloadSource = { window.open('/v0', '_blank', 'noopener'); } + function toggleDevMode() { + devMode.value = !devMode.value; + localStorage.setItem('devMode', devMode.value ? 'true' : 'false'); + closeSystemMenu(); + successMessage.value = devMode.value ? '✅ Dev mode enabled' : 'Dev mode disabled'; + setTimeout(() => { + successMessage.value = ''; + }, 2000); + } + async function reloadVMs() { try { errorMessage.value = ''; @@ -1289,31 +1295,59 @@ type CreateVmPayloadSource = { } async function startVm(id: string) { - await vmmRpc.startVm({ id }); - loadVMList(); + try { + await vmmRpc.startVm({ id }); + loadVMList(); + } catch (error) { + recordError('Failed to start VM', error); + } } async function shutdownVm(id: string) { - await vmmRpc.shutdownVm({ id }); - loadVMList(); + try { + await vmmRpc.shutdownVm({ id }); + loadVMList(); + } catch (error) { + recordError('Failed to shutdown VM', error); + } } + const dangerConfirmEnabled = () => !devMode.value; + async function stopVm(vm: VmListItem) { - if (localStorage.getItem('dangerConfirm') === 'true' && + if (dangerConfirmEnabled() && !confirm(`You are killing "${vm.name}". This might cause data corruption.`)) { return; } - await vmmRpc.stopVm({ id: vm.id }); - loadVMList(); + try { + await vmmRpc.stopVm({ id: vm.id }); + loadVMList(); + } catch (error) { + recordError(`Failed to stop ${vm.name}`, error); + } } - async function removeVm(id: string) { - if (localStorage.getItem('dangerConfirm') === 'true' && + async function removeVm(vm: VmListItem) { + if (dangerConfirmEnabled() && !confirm('Remove VM? This action cannot be undone.')) { return; } - await vmmRpc.removeVm({ id }); - loadVMList(); + + try { + if (devMode.value && vm.status === 'running') { + try { + await vmmRpc.stopVm({ id: vm.id }); + } catch (error) { + recordError(`Failed to stop ${vm.name} before removal`, error); + return; + } + } + + await vmmRpc.removeVm({ id: vm.id }); + loadVMList(); + } catch (error) { + recordError(`Failed to remove ${vm.name}`, error); + } } function showLogs(id: string, channel: string) { @@ -1472,6 +1506,8 @@ type CreateVmPayloadSource = { openApiDocs, openLegacyUi, reloadVMs, + devMode, + toggleDevMode, }; } diff --git a/vmm/ui/src/templates/app.html b/vmm/ui/src/templates/app.html index ccd85527..f6576699 100644 --- a/vmm/ui/src/templates/app.html +++ b/vmm/ui/src/templates/app.html @@ -49,6 +49,13 @@

dstack-vmm

Legacy UI +
@@ -194,7 +201,7 @@

dstack-vmm

Kill - \n
\n \n
\n \n \n \n \n
\n
\n \n \n \n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? (vm.uptime || '-') : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
\n TEE\n {{ vm.configuration?.no_tee ? 'Disabled' : 'Enabled' }}\n
\n
0\">\n GPUs\n
\n
\n {{ gpu.slot || gpu.product_id }}\n
\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n\n"; +module.exports = "\n\n
\n
\n
\n
\n

dstack-vmm

\n \n v{{ version.version }}\n \n \n
\n
\n \n
\n \n
\n \n \n \n \n
\n
\n
\n
\n
\n\n \n\n \n\n \n\n
\n
\n
\n \n \n \n \n \n \n
\n
\n Total Instances:\n {{ totalVMs }}\n
\n
\n
\n
\n \n
\n \n /\n {{ maxPage || 1 }}\n
\n \n \n
\n
\n
\n\n
\n
\n
\n
Name
\n
Status
\n
Uptime
\n
View
\n
Actions
\n
\n\n
\n
\n
\n \n
\n
\n {{ vm.name }}\n
\n
\n \n \n {{ vmStatus(vm) }}\n \n
\n
{{ vm.status !== 'stopped' ? shortUptime(vm.uptime) : '-' }}
\n
\n Logs\n Stderr\n Board\n
\n
\n
\n \n
\n \n \n \n \n \n \n
\n
\n
\n
\n\n
\n
\n
\n VM ID\n
\n {{ vm.id }}\n \n
\n
\n
\n Instance ID\n
\n {{ vm.instance_id }}\n \n
\n -\n
\n
\n App ID\n
\n {{ vm.app_id }}\n \n
\n -\n
\n
\n Image\n {{ vm.configuration?.image }}\n
\n
\n vCPUs\n {{ vm.configuration?.vcpu }}\n
\n
\n Memory\n {{ formatMemory(vm.configuration?.memory) }}\n
\n
\n Swap\n {{ formatMemory(bytesToMB(vm.configuration.swap_size)) }}\n
\n
\n Disk Size\n {{ vm.configuration?.disk_size }} GB\n
\n
\n Disk Type\n {{ vm.configuration?.disk_type || 'virtio-pci' }}\n
\n
\n TEE\n {{ vm.configuration?.no_tee ? 'Disabled' : 'Enabled' }}\n
\n
\n GPUs\n
\n \n All GPUs\n \n
\n
\n \n {{ gpu.slot || gpu.product_id || ('GPU #' + (index + 1)) }}\n \n
\n
\n None\n
\n
\n
\n\n
\n

Port Mappings

\n
\n {{ port.host_address === '127.0.0.1' ? 'Local' : 'Public' }}\n {{ port.protocol.toUpperCase() }}: {{ port.host_port }} → {{ port.vm_port }}\n
\n
\n\n
\n

Features

\n {{ getVmFeatures(vm) }}\n
\n\n
\n

Network Interfaces

\n
\n
\n
\n
\n \n \n \n \n {{ iface.name }}\n
\n
\n
\n
\n MAC Address\n {{ iface.mac || '-' }}\n
\n
\n IP Address\n {{ iface.addresses.map(addr => addr.address + '/' + addr.prefix).join(', ') || '-' }}\n
\n
\n
\n
\n \n \n \n
\n
\n RX\n {{ iface.rx_bytes }} bytes\n 0\">({{ iface.rx_errors }} errors)\n
\n
\n
\n
\n \n \n \n
\n
\n TX\n {{ iface.tx_bytes }} bytes\n 0\">({{ iface.tx_errors }} errors)\n
\n
\n
\n
\n
\n
\n
\n

\n \n \n \n \n WireGuard Info\n

\n 
{{ networkInfo[vm.id].wg_info }}
\n
\n
\n\n
\n
\n

App Compose

\n
\n \n \n
\n
\n
\n 
{{ vm.appCompose?.docker_compose_file || 'Docker Compose content not available' }}
\n
\n
\n\n
\n
\n

User Config

\n \n
\n 
{{ vm.configuration.user_config }}
\n
\n\n
\n \n \n \n
\n
\n
\n
\n\n
\n
\n \n
\n
\n
\n \n
\n
\n
\n {{ errorMessage }}\n \n
\n
\n
\n"; }, map: {} } }; const cache = {}; diff --git a/vmm/ui/src/components/UpdateVmDialog.ts b/vmm/ui/src/components/UpdateVmDialog.ts index 75c93c13..f1c499ec 100644 --- a/vmm/ui/src/components/UpdateVmDialog.ts +++ b/vmm/ui/src/components/UpdateVmDialog.ts @@ -73,20 +73,6 @@ const UpdateVmDialogComponent = { -
-
- -
-
- -
-
-
@@ -122,6 +108,20 @@ const UpdateVmDialogComponent = { +
+
+ +
+
+ +
+
+
diff --git a/vmm/ui/src/styles/main.css b/vmm/ui/src/styles/main.css index 667100a7..45b267a9 100644 --- a/vmm/ui/src/styles/main.css +++ b/vmm/ui/src/styles/main.css @@ -324,13 +324,14 @@ h1, h2, h3, h4, h5, h6 { .vm-table { max-width: 900px; + width: 900px; margin: 0 auto 24px; padding: 0 24px; } .vm-table-header { display: grid; - grid-template-columns: 24px 1fr 140px 120px 280px 60px; + grid-template-columns: 24px 2fr 100px 120px 180px 60px; gap: 16px; padding: 12px 16px; background: var(--color-bg-primary); @@ -354,7 +355,7 @@ h1, h2, h3, h4, h5, h6 { .vm-row-main { display: grid; - grid-template-columns: 24px 1fr 140px 120px 280px 60px; + grid-template-columns: 24px 2fr 100px 120px 180px 60px; gap: 16px; padding: 16px; align-items: center; @@ -554,6 +555,29 @@ h1, h2, h3, h4, h5, h6 { cursor: help; } +.gpu-chip-list { + display: flex; + flex-wrap: wrap; + gap: 6px; +} + +.gpu-chip { + font-size: 12px; + line-height: 1.4; + padding: 4px 10px; + border-radius: 999px; + border: 1px solid var(--color-border); + background: var(--color-bg-primary); + color: var(--color-text-secondary); + white-space: nowrap; +} + +.gpu-chip--all { + font-weight: 600; + color: var(--color-text-primary); + border-style: dashed; +} + .port-mappings { display: flex; flex-direction: column; diff --git a/vmm/ui/src/templates/app.html b/vmm/ui/src/templates/app.html index 6034bfc8..b55550fa 100644 --- a/vmm/ui/src/templates/app.html +++ b/vmm/ui/src/templates/app.html @@ -294,12 +294,25 @@

dstack-vmm

TEE {{ vm.configuration?.no_tee ? 'Disabled' : 'Enabled' }} -
+
GPUs -
-
- {{ gpu.slot || gpu.product_id }} -
+
+ + All GPUs + +
+
+ + {{ gpu.slot || gpu.product_id || ('GPU #' + (index + 1)) }} + +
+
+ None
From a52fe84c46a22527d4c7a4cd5631439958a41419 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Fri, 14 Nov 2025 05:23:00 +0000 Subject: [PATCH 124/133] vmm: Optimize web UI --- ra-rpc/src/openapi.rs | 1 + vmm/src/console_v1.html | 10 +++++----- vmm/ui/src/components/CreateVmDialog.ts | 10 +++++----- vmm/ui/src/composables/useVmManager.ts | 13 +++++++++++-- 4 files changed, 22 insertions(+), 12 deletions(-) diff --git a/ra-rpc/src/openapi.rs b/ra-rpc/src/openapi.rs index 0e70fcfa..7eb0a0e9 100644 --- a/ra-rpc/src/openapi.rs +++ b/ra-rpc/src/openapi.rs @@ -1035,6 +1035,7 @@ fn build_swagger_ui_html(spec_url: &str, cfg: &SwaggerUiConfig) -> String { window.ui = SwaggerUIBundle({{ url: '{spec}', dom_id: '#swagger-ui', + deepLinking: true, presets: [ SwaggerUIBundle.presets.apis, SwaggerUIStandalonePreset diff --git a/vmm/src/console_v1.html b/vmm/src/console_v1.html index f20b35a3..ab0b54c8 100644 --- a/vmm/src/console_v1.html +++ b/vmm/src/console_v1.html @@ -1994,6 +1994,11 @@

Deploy a new instance

+
+ + +
+
Deploy a new instance />
-
- - -
-
diff --git a/vmm/ui/src/components/CreateVmDialog.ts b/vmm/ui/src/components/CreateVmDialog.ts index 2bf3ef80..21d2fa99 100644 --- a/vmm/ui/src/components/CreateVmDialog.ts +++ b/vmm/ui/src/components/CreateVmDialog.ts @@ -109,6 +109,11 @@ const CreateVmDialogComponent = {
+
+ + +
+
-
- - -
-
diff --git a/vmm/ui/src/composables/useVmManager.ts b/vmm/ui/src/composables/useVmManager.ts index ec6e607c..ac598136 100644 --- a/vmm/ui/src/composables/useVmManager.ts +++ b/vmm/ui/src/composables/useVmManager.ts @@ -391,10 +391,19 @@ fi } } - function configGpu(form: { attachAllGpus: boolean; selectedGpus: string[] }): VmmTypes.IGpuConfig | undefined { + function configGpu(form: { attachAllGpus: boolean; selectedGpus: string[] }, isUpdate: boolean = false): VmmTypes.IGpuConfig | undefined { if (form.attachAllGpus) { return { attach_mode: 'all' }; } + // For updates, always return a config when GPUs are being explicitly updated + // Empty array means no GPUs should be attached + if (isUpdate) { + return { + attach_mode: 'listed', + gpus: (form.selectedGpus || []).map((slot: string) => ({ slot })), + }; + } + // For creation, return undefined if no GPUs are selected if (form.selectedGpus && form.selectedGpus.length > 0) { return { attach_mode: 'listed', @@ -1042,7 +1051,7 @@ type CreateVmPayloadSource = { body.user_config = updated.user_config; body.update_ports = true; body.ports = normalizePorts(updated.ports); - body.gpus = updateDialog.value.updateGpuConfig ? configGpu(updated) : undefined; + body.gpus = updateDialog.value.updateGpuConfig ? configGpu(updated, true) : undefined; await vmmRpc.updateVm(body); updateDialog.value.encryptedEnvs = []; From aa92aa420c0de15f23ccc814b9ff70df5cdd1f13 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 18 Nov 2025 10:56:44 +0800 Subject: [PATCH 125/133] Change default image download URL in README Updated the default image download URL in the README. --- verifier/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/verifier/README.md b/verifier/README.md index e8343ed2..f16bb6e0 100644 --- a/verifier/README.md +++ b/verifier/README.md @@ -61,13 +61,14 @@ Health check endpoint that returns service status. ``` ## Configuration +You usually don't need to edit the config file. Just using the default is fine, unless you need to deploy your cunstomized os images. ### Configuration Options - `host`: Server bind address (default: "0.0.0.0") - `port`: Server port (default: 8080) - `image_cache_dir`: Directory for cached OS images (default: "/tmp/dstack-verifier/cache") -- `image_download_url`: URL template for downloading OS images (default: GitHub releases URL) +- `image_download_url`: URL template for downloading OS images (default: Dstack official releases URL) - `image_download_timeout_secs`: Download timeout in seconds (default: 300) - `pccs_url`: Optional PCCS URL for quote verification @@ -77,7 +78,7 @@ Health check endpoint that returns service status. host = "0.0.0.0" port = 8080 image_cache_dir = "/tmp/dstack-verifier/cache" -image_download_url = "http://0.0.0.0:8000/mr_{OS_IMAGE_HASH}.tar.gz" +image_download_url = "https://download.dstack.org/os-images/mr_{OS_IMAGE_HASH}.tar.gz" image_download_timeout_secs = 300 pccs_url = "https://pccs.phala.network" ``` From 5f005e4885ae73e1db13a3abb24c4cbebe74363a Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 18 Nov 2025 11:00:19 +0800 Subject: [PATCH 126/133] Update verifier/README.md --- verifier/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/verifier/README.md b/verifier/README.md index f16bb6e0..4d3d8618 100644 --- a/verifier/README.md +++ b/verifier/README.md @@ -68,7 +68,7 @@ You usually don't need to edit the config file. Just using the default is fine, - `host`: Server bind address (default: "0.0.0.0") - `port`: Server port (default: 8080) - `image_cache_dir`: Directory for cached OS images (default: "/tmp/dstack-verifier/cache") -- `image_download_url`: URL template for downloading OS images (default: Dstack official releases URL) +- `image_download_url`: URL template for downloading OS images (default: dstack official releases URL) - `image_download_timeout_secs`: Download timeout in seconds (default: 300) - `pccs_url`: Optional PCCS URL for quote verification From 0e00721bb71b7044bb61393db9a72430eec5ee63 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 18 Nov 2025 06:47:03 +0000 Subject: [PATCH 127/133] build(deps): bump js-yaml in /kms/auth-eth Bumps and [js-yaml](https://github.com/nodeca/js-yaml). These dependencies needed to be updated together. Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1) Updates `js-yaml` from 3.14.1 to 3.14.2 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect - dependency-name: js-yaml dependency-version: 3.14.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- kms/auth-eth/package-lock.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/kms/auth-eth/package-lock.json b/kms/auth-eth/package-lock.json index 6befa1d6..f9336526 100644 --- a/kms/auth-eth/package-lock.json +++ b/kms/auth-eth/package-lock.json @@ -9599,9 +9599,9 @@ "license": "MIT" }, "node_modules/js-yaml": { - "version": "3.14.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz", - "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==", + "version": "3.14.2", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz", + "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==", "dev": true, "license": "MIT", "dependencies": { @@ -10243,9 +10243,9 @@ } }, "node_modules/mocha/node_modules/js-yaml": { - "version": "4.1.0", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz", - "integrity": "sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==", + "version": "4.1.1", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", + "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", "dev": true, "license": "MIT", "dependencies": { From 914623e0bb3fbf967eaf9042932f4a77fedd124a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 20 Nov 2025 01:37:50 +0000 Subject: [PATCH 128/133] build(deps): bump golang.org/x/crypto from 0.35.0 to 0.45.0 in /sdk/go Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.35.0 to 0.45.0. - [Commits](https://github.com/golang/crypto/compare/v0.35.0...v0.45.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.45.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] --- sdk/go/go.mod | 9 ++++----- sdk/go/go.sum | 9 +++++---- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/sdk/go/go.mod b/sdk/go/go.mod index 95e643ca..ada79bf7 100644 --- a/sdk/go/go.mod +++ b/sdk/go/go.mod @@ -5,14 +5,13 @@ module github.com/Dstack-TEE/dstack/sdk/go -go 1.23.0 +go 1.24.0 -toolchain go1.23.8 +require github.com/ethereum/go-ethereum v1.15.7 require ( github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect - github.com/ethereum/go-ethereum v1.15.7 // indirect github.com/holiman/uint256 v1.3.2 // indirect - golang.org/x/crypto v0.35.0 // indirect - golang.org/x/sys v0.30.0 // indirect + golang.org/x/crypto v0.45.0 // indirect + golang.org/x/sys v0.38.0 // indirect ) diff --git a/sdk/go/go.sum b/sdk/go/go.sum index 28868299..9fd544d6 100644 --- a/sdk/go/go.sum +++ b/sdk/go/go.sum @@ -1,3 +1,4 @@ +github.com/decred/dcrd/crypto/blake256 v1.0.0 h1:/8DMNYp9SGi5f0w7uCm6d6M4OU2rGFK09Y2A4Xv7EE0= github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 h1:YLtO71vCjJRCBcrPMtQ9nqBsqpA1m5sE92cU+pd5Mcc= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1/go.mod h1:hyedUtir6IdtD/7lIxGeCxkaw7y45JueMRL4DIyJDKs= @@ -5,7 +6,7 @@ github.com/ethereum/go-ethereum v1.15.7 h1:vm1XXruZVnqtODBgqFaTclzP0xAvCvQIDKyFN github.com/ethereum/go-ethereum v1.15.7/go.mod h1:+S9k+jFzlyVTNcYGvqFhzN/SFhI6vA+aOY4T5tLSPL0= github.com/holiman/uint256 v1.3.2 h1:a9EgMPSC1AAaj1SZL5zIQD3WbwTuHrMGOerLjGmM/TA= github.com/holiman/uint256 v1.3.2/go.mod h1:EOMSn4q6Nyt9P6efbI3bueV4e1b3dGlUCXeiRV4ng7E= -golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= -golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= -golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= -golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q= +golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4= +golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc= +golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= From 2608afa8ecc018079845818750e64fc1ee1465cf Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 9 Dec 2025 02:55:07 +0000 Subject: [PATCH 129/133] Improve code style --- Cargo.lock | 39 +++++++++ ct_monitor/src/main.rs | 3 +- dstack-mr/Cargo.toml | 7 ++ dstack-mr/cli/src/main.rs | 2 +- dstack-mr/src/acpi.rs | 4 +- dstack-mr/src/kernel.rs | 8 +- dstack-mr/src/tdvf.rs | 52 +++++++----- dstack-mr/tests/tdvf_parse.rs | 141 +++++++++++++++++++++++++++++++++ gateway/rpc/build.rs | 2 +- guest-agent/rpc/build.rs | 2 +- guest-agent/src/rpc_service.rs | 23 +++++- guest-api/build.rs | 2 +- host-api/build.rs | 2 +- http-client/src/lib.rs | 4 +- kms/rpc/build.rs | 2 +- size-parser/src/lib.rs | 9 +-- supervisor/src/process.rs | 18 +++-- vmm/rpc/build.rs | 2 +- vmm/src/app.rs | 4 +- 19 files changed, 275 insertions(+), 51 deletions(-) create mode 100644 dstack-mr/tests/tdvf_parse.rs diff --git a/Cargo.lock b/Cargo.lock index 301fa18c..744ad1c2 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2347,15 +2347,20 @@ version = "0.5.5" dependencies = [ "anyhow", "bon", + "dstack-types", + "flate2", "fs-err", "hex", "hex-literal 1.0.0", "log", "object", + "parity-scale-codec", + "reqwest", "serde", "serde-human-bytes", "serde_json", "sha2 0.10.9", + "tar", "thiserror 2.0.15", ] @@ -2776,6 +2781,18 @@ dependencies = [ "version_check", ] +[[package]] +name = "filetime" +version = "0.2.26" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bc0505cd1b6fa6580283f6bdf70a73fcf4aba1184038c90902b92b3dd0df63ed" +dependencies = [ + "cfg-if", + "libc", + "libredox", + "windows-sys 0.60.2", +] + [[package]] name = "fixed-hash" version = "0.8.0" @@ -4102,6 +4119,7 @@ checksum = "391290121bad3d37fbddad76d8f5d1c1c314cfc646d143d7e07a3086ddff0ce3" dependencies = [ "bitflags 2.9.2", "libc", + "redox_syscall 0.5.17", ] [[package]] @@ -7149,6 +7167,17 @@ version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "55937e1799185b12863d447f42597ed69d9928686b8d88a1df17376a097d8369" +[[package]] +name = "tar" +version = "0.4.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1d863878d212c87a19c1a610eb53bb01fe12951c0501cf5a0d65f724914a667a" +dependencies = [ + "filetime", + "libc", + "xattr", +] + [[package]] name = "tdx-attest" version = "0.5.5" @@ -8399,6 +8428,16 @@ dependencies = [ "time", ] +[[package]] +name = "xattr" +version = "1.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32e45ad4206f6d2479085147f02bc2ef834ac85886624a23575ae137c8aa8156" +dependencies = [ + "libc", + "rustix 1.0.8", +] + [[package]] name = "xsalsa20poly1305" version = "0.9.1" diff --git a/ct_monitor/src/main.rs b/ct_monitor/src/main.rs index a624835b..6a168cce 100644 --- a/ct_monitor/src/main.rs +++ b/ct_monitor/src/main.rs @@ -140,7 +140,8 @@ impl Monitor { fn validate_domain(domain: &str) -> Result<()> { let domain_regex = - Regex::new(r"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$").unwrap(); + Regex::new(r"^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$") + .context("invalid regex")?; if !domain_regex.is_match(domain) { bail!("invalid domain name"); } diff --git a/dstack-mr/Cargo.toml b/dstack-mr/Cargo.toml index f695d6b6..32a96f96 100644 --- a/dstack-mr/Cargo.toml +++ b/dstack-mr/Cargo.toml @@ -24,3 +24,10 @@ hex-literal.workspace = true fs-err.workspace = true bon.workspace = true log.workspace = true +scale.workspace = true + +[dev-dependencies] +dstack-types.workspace = true +reqwest = { version = "0.12", default-features = false, features = ["blocking", "rustls-tls"] } +flate2 = "1.0" +tar = "0.4" diff --git a/dstack-mr/cli/src/main.rs b/dstack-mr/cli/src/main.rs index ff0274b2..f0fc2596 100644 --- a/dstack-mr/cli/src/main.rs +++ b/dstack-mr/cli/src/main.rs @@ -118,7 +118,7 @@ fn main() -> Result<()> { .context("Failed to measure machine configuration")?; if config.json { - println!("{}", serde_json::to_string_pretty(&measurements).unwrap()); + println!("{}", serde_json::to_string_pretty(&measurements)?); } else { println!("Machine measurements:"); println!("MRTD: {}", hex::encode(measurements.mrtd)); diff --git a/dstack-mr/src/acpi.rs b/dstack-mr/src/acpi.rs index a93f30e1..b2cd4d46 100644 --- a/dstack-mr/src/acpi.rs +++ b/dstack-mr/src/acpi.rs @@ -408,7 +408,9 @@ fn find_acpi_table(tables: &[u8], signature: &str) -> Result<(u32, u32, u32)> { } let tbl_sig = &tables[offset..offset + 4]; - let tbl_len_bytes: [u8; 4] = tables[offset + 4..offset + 8].try_into().unwrap(); + let tbl_len_bytes: [u8; 4] = tables[offset + 4..offset + 8] + .try_into() + .expect("header len checked"); let tbl_len = u32::from_le_bytes(tbl_len_bytes) as usize; if tbl_sig == sig_bytes { diff --git a/dstack-mr/src/kernel.rs b/dstack-mr/src/kernel.rs index 51c7bb46..878a2b01 100644 --- a/dstack-mr/src/kernel.rs +++ b/dstack-mr/src/kernel.rs @@ -129,7 +129,7 @@ fn patch_kernel( let mut kd = kernel_data.to_vec(); - let protocol = u16::from_le_bytes(kd[0x206..0x208].try_into().unwrap()); + let protocol = u16::from_le_bytes(kd[0x206..0x208].try_into().context("impossible failure")?); let (real_addr, cmdline_addr) = if protocol < 0x200 || (kd[0x211] & 0x01) == 0 { (0x90000_u32, 0x9a000_u32) @@ -158,14 +158,16 @@ fn patch_kernel( bail!("the kernel image is too old for ramdisk"); } let mut initrd_max = if protocol >= 0x20c { - let xlf = u16::from_le_bytes(kd[0x236..0x238].try_into().unwrap()); + let xlf = + u16::from_le_bytes(kd[0x236..0x238].try_into().context("impossible failure")?); if (xlf & 0x40) != 0 { u32::MAX } else { 0x37ffffff } } else if protocol >= 0x203 { - let max = u32::from_le_bytes(kd[0x22c..0x230].try_into().unwrap()); + let max = + u32::from_le_bytes(kd[0x22c..0x230].try_into().context("impossible failure")?); if max == 0 { 0x37ffffff } else { diff --git a/dstack-mr/src/tdvf.rs b/dstack-mr/src/tdvf.rs index 246cced6..704bc669 100644 --- a/dstack-mr/src/tdvf.rs +++ b/dstack-mr/src/tdvf.rs @@ -4,6 +4,7 @@ use anyhow::{anyhow, bail, Context, Result}; use hex_literal::hex; +use scale::Decode; use sha2::{Digest, Sha384}; use crate::acpi::Tables; @@ -24,7 +25,13 @@ pub enum PageAddOrder { SinglePass, } -#[derive(Debug)] +/// Helper to decode little-endian integers from byte slice using scale codec +fn decode_le(data: &[u8], context: &str) -> Result { + T::decode(&mut &data[..]) + .with_context(|| format!("failed to decode {} as little-endian", context)) +} + +#[derive(Debug, Decode)] struct TdvfSection { data_offset: u32, raw_data_size: u32, @@ -34,6 +41,14 @@ struct TdvfSection { attributes: u32, } +#[derive(Debug, Decode)] +struct TdvfDescriptor { + signature: [u8; 4], // "TDVF" + _length: u32, + version: u32, + num_sections: u32, +} + #[derive(Debug)] pub(crate) struct Tdvf<'a> { fw: &'a [u8], @@ -77,6 +92,11 @@ fn measure_tdx_efi_variable(vendor_guid: &str, var_name: &str) -> Result } impl<'a> Tdvf<'a> { + /// Parse TDVF firmware metadata + /// + /// This function uses scale codec for clean, panic-free parsing. + /// Correctness is verified by integration test in tests/tdvf_parse.rs + /// which ensures identical measurements to the original implementation. pub fn parse(fw: &'a [u8]) -> Result> { const TDX_METADATA_OFFSET_GUID: &str = "e47a6535-984a-4798-865e-4685a7bf8ec2"; const TABLE_FOOTER_GUID: &str = "96b582de-1fb2-45f7-baea-a366c55a082d"; @@ -99,8 +119,7 @@ impl<'a> Tdvf<'a> { if offset < 18 { bail!("TDVF firmware offset too small for tables length"); } - let tables_len = - u16::from_le_bytes(fw[offset - 18..offset - 16].try_into().unwrap()) as usize; + let tables_len = decode_le::(&fw[offset - 18..offset - 16], "tables length")? as usize; if tables_len == 0 || tables_len > offset.saturating_sub(18) { bail!("Failed to parse TDVF metadata: Invalid tables length"); } @@ -133,37 +152,34 @@ impl<'a> Tdvf<'a> { bail!("TDVF metadata data too small"); } let tdvf_meta_offset_raw = - u32::from_le_bytes(data[data.len() - 4..].try_into().unwrap()) as usize; + decode_le::(&data[data.len() - 4..], "TDVF metadata offset")? as usize; if tdvf_meta_offset_raw > fw.len() { bail!("TDVF metadata offset exceeds firmware size"); } let tdvf_meta_offset = fw.len() - tdvf_meta_offset_raw; - let tdvf_meta_desc = &fw[tdvf_meta_offset..tdvf_meta_offset + 16]; - if &tdvf_meta_desc[..4] != b"TDVF" { + // Decode TDVF descriptor using scale codec + let descriptor = TdvfDescriptor::decode(&mut &fw[tdvf_meta_offset..]) + .context("failed to decode TDVF descriptor")?; + + if &descriptor.signature != b"TDVF" { bail!("Failed to parse TDVF metadata: Invalid TDVF descriptor"); } - let tdvf_version = u32::from_le_bytes(tdvf_meta_desc[8..12].try_into().unwrap()); - if tdvf_version != 1 { + if descriptor.version != 1 { bail!("Failed to parse TDVF metadata: Unsupported TDVF version"); } - let num_sections = u32::from_le_bytes(tdvf_meta_desc[12..16].try_into().unwrap()) as usize; + let num_sections = descriptor.num_sections as usize; let mut meta = Tdvf { fw, sections: Vec::new(), }; + + // Decode all sections using scale codec for i in 0..num_sections { let sec_offset = tdvf_meta_offset + 16 + 32 * i; - let sec_data = &fw[sec_offset..sec_offset + 32]; - let s = TdvfSection { - data_offset: u32::from_le_bytes(sec_data[0..4].try_into().unwrap()), - raw_data_size: u32::from_le_bytes(sec_data[4..8].try_into().unwrap()), - memory_address: u64::from_le_bytes(sec_data[8..16].try_into().unwrap()), - memory_data_size: u64::from_le_bytes(sec_data[16..24].try_into().unwrap()), - sec_type: u32::from_le_bytes(sec_data[24..28].try_into().unwrap()), - attributes: u32::from_le_bytes(sec_data[28..32].try_into().unwrap()), - }; + let s = TdvfSection::decode(&mut &fw[sec_offset..]) + .with_context(|| format!("failed to decode TDVF section {}", i))?; if s.memory_address % PAGE_SIZE != 0 { bail!("Failed to parse TDVF metadata: Section memory address not aligned"); diff --git a/dstack-mr/tests/tdvf_parse.rs b/dstack-mr/tests/tdvf_parse.rs new file mode 100644 index 00000000..6c7e9382 --- /dev/null +++ b/dstack-mr/tests/tdvf_parse.rs @@ -0,0 +1,141 @@ +// SPDX-FileCopyrightText: © 2025 Phala Network +// +// SPDX-License-Identifier: Apache-2.0 + +//! Integration test to verify TDVF firmware parsing correctness +//! +//! This test ensures that the scale codec-based parsing produces +//! identical measurements to the original implementation. +//! +//! The test downloads a real dstack release from GitHub and verifies +//! that the measurements remain consistent with the baseline. + +use anyhow::{Context, Result}; +use dstack_mr::Machine; +use std::path::PathBuf; + +// dstack release to download for testing +const DSTACK_VERSION: &str = "v0.5.5"; +const DSTACK_RELEASE_URL: &str = + "https://github.com/Dstack-TEE/meta-dstack/releases/download/v0.5.5/dstack-0.5.5.tar.gz"; + +// Expected measurements from baseline (verified with original implementation) +// These are the measurements for dstack v0.5.5 with default configuration +// Generated with: dstack-mr measure /path/to/dstack-0.5.5/metadata.json --json +const EXPECTED_MRTD: &str = "f06dfda6dce1cf904d4e2bab1dc370634cf95cefa2ceb2de2eee127c9382698090d7a4a13e14c536ec6c9c3c8fa87077"; +const EXPECTED_RTMR0: &str = "68102e7b524af310f7b7d426ce75481e36c40f5d513a9009c046e9d37e31551f0134d954b496a3357fd61d03f07ffe96"; +const EXPECTED_RTMR1: &str = "daa9380dc33b14728a9adb222437cf14db2d40ffc4d7061d8f3c329f6c6b339f71486d33521287e8faeae22301f4d815"; +const EXPECTED_RTMR2: &str = "1c41080c9c74be158e55b92f2958129fc1265647324c4a0dc403292cfa41d4c529f39093900347a11c8c1b82ed8c5edf"; + +/// Download and extract dstack release tarball if not already cached +fn get_test_image_dir() -> Result { + let cache_dir = std::env::temp_dir().join("dstack-mr-test-cache"); + let version_dir = cache_dir.join(DSTACK_VERSION); + let image_dir = version_dir.join("dstack-0.5.5"); + let metadata_path = image_dir.join("metadata.json"); + + // Return cached version if it exists + if metadata_path.exists() { + return Ok(image_dir); + } + + eprintln!("Downloading dstack {DSTACK_VERSION} release for testing...",); + std::fs::create_dir_all(&version_dir)?; + + // Download tarball + let tarball_path = version_dir.join("dstack.tar.gz"); + let response = + reqwest::blocking::get(DSTACK_RELEASE_URL).context("failed to download dstack release")?; + + if !response.status().is_success() { + anyhow::bail!("failed to download: HTTP {}", response.status()); + } + + let bytes = response.bytes().context("failed to read response")?; + std::fs::write(&tarball_path, bytes).context("failed to write tarball")?; + + eprintln!("Extracting tarball..."); + + // Extract tarball + let tarball = std::fs::File::open(&tarball_path)?; + let decoder = flate2::read::GzDecoder::new(tarball); + let mut archive = tar::Archive::new(decoder); + archive + .unpack(&version_dir) + .context("failed to extract tarball")?; + + // Verify extraction + if !metadata_path.exists() { + anyhow::bail!("metadata.json not found after extraction"); + } + + eprintln!("Test image ready at: {}", image_dir.display()); + + Ok(image_dir) +} + +#[test] +#[ignore] // Run with: cargo test --release -- --ignored +fn test_tdvf_parse_produces_correct_measurements() -> Result<()> { + // Get or download test image + let image_dir = get_test_image_dir()?; + let metadata_path = image_dir.join("metadata.json"); + + let metadata = std::fs::read_to_string(&metadata_path) + .with_context(|| format!("failed to read {}", metadata_path.display()))?; + let image_info: dstack_types::ImageInfo = serde_json::from_str(&metadata)?; + + let firmware_path = image_dir.join(&image_info.bios).display().to_string(); + let kernel_path = image_dir.join(&image_info.kernel).display().to_string(); + let initrd_path = image_dir.join(&image_info.initrd).display().to_string(); + let cmdline = image_info.cmdline + " initrd=initrd"; + + eprintln!("Building machine configuration..."); + let machine = Machine::builder() + .cpu_count(1) + .memory_size(2 * 1024 * 1024 * 1024) // 2GB + .firmware(&firmware_path) + .kernel(&kernel_path) + .initrd(&initrd_path) + .kernel_cmdline(&cmdline) + .two_pass_add_pages(true) + .pic(true) + .smm(false) + .hugepages(false) + .num_gpus(0) + .num_nvswitches(0) + .hotplug_off(false) + .root_verity(true) + .build(); + + eprintln!("Computing measurements (this parses TDVF firmware)..."); + let measurements = machine.measure()?; + + eprintln!("Verifying measurements against baseline..."); + + // Verify measurements match expected values + assert_eq!( + hex::encode(&measurements.mrtd), + EXPECTED_MRTD, + "MRTD mismatch - TDVF parsing may have regressed" + ); + assert_eq!( + hex::encode(&measurements.rtmr0), + EXPECTED_RTMR0, + "RTMR0 mismatch - TDVF parsing may have regressed" + ); + assert_eq!( + hex::encode(&measurements.rtmr1), + EXPECTED_RTMR1, + "RTMR1 mismatch - TDVF parsing may have regressed" + ); + assert_eq!( + hex::encode(&measurements.rtmr2), + EXPECTED_RTMR2, + "RTMR2 mismatch - TDVF parsing may have regressed" + ); + + eprintln!("✅ All measurements match baseline - TDVF parsing is correct!"); + + Ok(()) +} diff --git a/gateway/rpc/build.rs b/gateway/rpc/build.rs index 77e6a9e8..6fbbba01 100644 --- a/gateway/rpc/build.rs +++ b/gateway/rpc/build.rs @@ -4,7 +4,7 @@ fn main() { prpc_build::configure() - .out_dir(std::env::var_os("OUT_DIR").unwrap()) + .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) .mod_prefix("super::") .build_scale_ext(false) .disable_package_emission() diff --git a/guest-agent/rpc/build.rs b/guest-agent/rpc/build.rs index 77e6a9e8..6fbbba01 100644 --- a/guest-agent/rpc/build.rs +++ b/guest-agent/rpc/build.rs @@ -4,7 +4,7 @@ fn main() { prpc_build::configure() - .out_dir(std::env::var_os("OUT_DIR").unwrap()) + .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) .mod_prefix("super::") .build_scale_ext(false) .disable_package_emission() diff --git a/guest-agent/src/rpc_service.rs b/guest-agent/src/rpc_service.rs index 3f78d702..7915e56e 100644 --- a/guest-agent/src/rpc_service.rs +++ b/guest-agent/src/rpc_service.rs @@ -78,13 +78,18 @@ impl AppStateInner { impl AppState { fn maybe_request_demo_cert(&self) { let state = self.inner.clone(); - if !state.demo_cert.read().unwrap().is_empty() { + if !state + .demo_cert + .read() + .expect("lock shoud not fail") + .is_empty() + { return; } tokio::spawn(async move { match state.request_demo_cert().await { Ok(demo_cert) => { - *state.demo_cert.write().unwrap() = demo_cert; + *state.demo_cert.write().expect("lock shoud not fail") = demo_cert; } Err(e) => { error!("Failed to request demo cert: {e}"); @@ -179,7 +184,12 @@ pub async fn get_info(state: &AppState, external: bool) -> Result { os_image_hash: app_info.os_image_hash.clone(), key_provider_info: String::from_utf8(app_info.key_provider_info).unwrap_or_default(), compose_hash: app_info.compose_hash.clone(), - app_cert: state.inner.demo_cert.read().unwrap().clone(), + app_cert: state + .inner + .demo_cert + .read() + .expect("lock should not faile") + .clone(), tcb_info, vm_config, }) @@ -351,7 +361,12 @@ impl DstackGuestRpc for InternalRpcHandler { let valid = match request.algorithm.as_str() { "ed25519" => { let verifying_key = ed25519_dalek::VerifyingKey::from_bytes( - &request.public_key.as_slice().try_into().unwrap(), + &request + .public_key + .as_slice() + .try_into() + .ok() + .context("invalid public key")?, )?; let signature = ed25519_dalek::Signature::from_slice(&request.signature)?; verifying_key.verify(&request.data, &signature).is_ok() diff --git a/guest-api/build.rs b/guest-api/build.rs index 2292ec24..7a9a2723 100644 --- a/guest-api/build.rs +++ b/guest-api/build.rs @@ -4,7 +4,7 @@ fn main() { prpc_build::configure() - .out_dir(std::env::var_os("OUT_DIR").unwrap()) + .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) .mod_prefix("super::") .build_scale_ext(false) .disable_service_name_emission() diff --git a/host-api/build.rs b/host-api/build.rs index 2292ec24..7a9a2723 100644 --- a/host-api/build.rs +++ b/host-api/build.rs @@ -4,7 +4,7 @@ fn main() { prpc_build::configure() - .out_dir(std::env::var_os("OUT_DIR").unwrap()) + .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) .mod_prefix("super::") .build_scale_ext(false) .disable_service_name_emission() diff --git a/http-client/src/lib.rs b/http-client/src/lib.rs index cd121c96..ee5c7f9f 100644 --- a/http-client/src/lib.rs +++ b/http-client/src/lib.rs @@ -36,14 +36,14 @@ pub async fn http_request( body: &[u8], ) -> Result<(u16, Vec)> { debug!("Sending HTTP request to {base}, path={path}"); - let mut response = if base.starts_with("unix:") { + let mut response = if let Some(uds) = base.strip_prefix("unix:") { let path = if path.starts_with("/") { path.to_string() } else { format!("/{path}") }; let client: Client> = Client::unix(); - let unix_uri: hyper::Uri = Uri::new(base.strip_prefix("unix:").unwrap(), &path).into(); + let unix_uri: hyper::Uri = Uri::new(uds, &path).into(); let req = Request::builder() .method(method) .uri(unix_uri) diff --git a/kms/rpc/build.rs b/kms/rpc/build.rs index 77e6a9e8..6fbbba01 100644 --- a/kms/rpc/build.rs +++ b/kms/rpc/build.rs @@ -4,7 +4,7 @@ fn main() { prpc_build::configure() - .out_dir(std::env::var_os("OUT_DIR").unwrap()) + .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) .mod_prefix("super::") .build_scale_ext(false) .disable_package_emission() diff --git a/size-parser/src/lib.rs b/size-parser/src/lib.rs index fab531cc..b7cf3989 100644 --- a/size-parser/src/lib.rs +++ b/size-parser/src/lib.rs @@ -126,12 +126,10 @@ impl MemorySize { } // Handle numbers with suffixes - let len = s.len(); - if len == 0 { + let Some(last_char) = s.chars().last() else { return Err(MemorySizeError::Empty); - } + }; - let last_char = s.chars().last().unwrap(); let multiplier = match last_char.to_ascii_lowercase() { 'k' => 1024u64, 'm' => 1024u64.saturating_mul(1024), @@ -142,8 +140,7 @@ impl MemorySize { .saturating_mul(1024), _ => return Err(MemorySizeError::UnknownSuffix(last_char)), }; - - let num_part = &s[0..len - 1]; + let num_part = s.trim_end_matches(last_char); let num = num_part .parse::() .map_err(|_| MemorySizeError::InvalidNumber(num_part.to_string()))?; diff --git a/supervisor/src/process.rs b/supervisor/src/process.rs index 769d586e..1c2d8b29 100644 --- a/supervisor/src/process.rs +++ b/supervisor/src/process.rs @@ -104,8 +104,12 @@ mod systime { time: &Option, serializer: S, ) -> Result { - time.map(|t| t.duration_since(UNIX_EPOCH).unwrap().as_secs()) - .serialize(serializer) + time.map(|t| { + t.duration_since(UNIX_EPOCH) + .expect("since zero should not fail") + .as_secs() + }) + .serialize(serializer) } pub(crate) fn deserialize<'de, D: Deserializer<'de>>( @@ -162,7 +166,7 @@ impl Process { } pub(crate) fn lock(&self) -> MutexGuard { - self.state.lock().unwrap() + self.state.lock().expect("lock should not fail") } pub fn start(&self) -> Result<()> { @@ -199,7 +203,7 @@ impl Process { // Update process state { - let mut state = self.state.lock().unwrap(); + let mut state = self.lock(); state.started_at = Some(SystemTime::now()); state.status = ProcessStatus::Running; state.pid = pid; @@ -263,7 +267,7 @@ impl Process { } }; if let Some(state) = state { - let mut state = state.lock().unwrap(); + let mut state = state.lock().expect("lock should not fail"); state.status = next_status; state.stopped_at = Some(SystemTime::now()); } @@ -276,7 +280,7 @@ impl Process { } pub fn stop(&self) -> Result<()> { - let mut state = self.state.lock().unwrap(); + let mut state = self.lock(); state.started = false; let is_running = state.status.is_running(); let Some(stop_tx) = state.kill_tx.take() else { @@ -295,7 +299,7 @@ impl Process { } pub fn info(&self) -> ProcessInfo { - let state = self.state.lock().unwrap(); + let state = self.lock(); ProcessInfo { config: (*self.config).clone(), state: state.display(), diff --git a/vmm/rpc/build.rs b/vmm/rpc/build.rs index 77e6a9e8..6fbbba01 100644 --- a/vmm/rpc/build.rs +++ b/vmm/rpc/build.rs @@ -4,7 +4,7 @@ fn main() { prpc_build::configure() - .out_dir(std::env::var_os("OUT_DIR").unwrap()) + .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) .mod_prefix("super::") .build_scale_ext(false) .disable_package_emission() diff --git a/vmm/src/app.rs b/vmm/src/app.rs index 913f0515..e48856ff 100644 --- a/vmm/src/app.rs +++ b/vmm/src/app.rs @@ -123,7 +123,7 @@ pub struct App { impl App { fn lock(&self) -> MutexGuard { - self.state.lock().unwrap() + self.state.lock().expect("mutex poisoned") } pub(crate) fn vm_dir(&self) -> PathBuf { @@ -350,7 +350,7 @@ impl App { .unwrap_or_default() .is_cvm() }) - .map(|(id, p)| (id.clone(), p.config.cid.unwrap())) + .flat_map(|(id, p)| p.config.cid.map(|cid| (id.clone(), cid))) .collect::>(); // Update CID pool with running VMs From ad4a8404dcb912d661033de009ac6cab610034cf Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 9 Dec 2025 06:53:52 +0000 Subject: [PATCH 130/133] Use or_panic instead of expect --- .github/workflows/rust.yml | 2 +- Cargo.lock | 14 ++++++++++++++ Cargo.toml | 1 + certbot/cli/Cargo.toml | 1 + certbot/cli/src/main.rs | 3 ++- dstack-mr/src/acpi.rs | 27 ++++++++++++++++----------- dstack-mr/src/tdvf.rs | 2 +- gateway/Cargo.toml | 1 + gateway/rpc/build.rs | 2 ++ gateway/src/main.rs | 3 ++- gateway/src/main_service.rs | 3 ++- gateway/src/proxy.rs | 19 ++++++++++--------- gateway/src/proxy/tls_terminate.rs | 6 ++++-- guest-agent/Cargo.toml | 1 + guest-agent/rpc/build.rs | 2 ++ guest-agent/src/rpc_service.rs | 19 ++++++++++++++----- guest-api/build.rs | 2 ++ host-api/build.rs | 2 ++ kms/rpc/build.rs | 2 ++ kms/src/main_service.rs | 4 +++- ra-rpc/Cargo.toml | 1 + ra-rpc/src/rocket_helper.rs | 2 +- ra-tls/Cargo.toml | 1 + ra-tls/src/attestation.rs | 3 ++- ra-tls/src/cert.rs | 2 +- sodiumbox/Cargo.toml | 1 + sodiumbox/src/lib.rs | 9 ++++++--- supervisor/Cargo.toml | 1 + supervisor/src/process.rs | 8 +++++--- supervisor/src/web_api.rs | 7 ++++--- tdx-attest-sys/build.rs | 4 +++- verifier/src/main.rs | 13 +++++++++---- vmm/Cargo.toml | 4 ++++ vmm/rpc/build.rs | 2 ++ vmm/src/app.rs | 3 ++- 35 files changed, 126 insertions(+), 51 deletions(-) diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index 93ee1828..006c7808 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -25,7 +25,7 @@ jobs: components: clippy, rustfmt - name: Run Clippy - run: cargo clippy -- -D warnings --allow unused_variables + run: cargo clippy -- -D warnings -D clippy::expect_used -D clippy::unwrap_used --allow unused_variables - name: Cargo fmt check run: cargo fmt --check --all diff --git a/Cargo.lock b/Cargo.lock index 744ad1c2..348a9493 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1330,6 +1330,7 @@ dependencies = [ "clap", "documented", "fs-err", + "or-panic", "rustls", "serde", "tokio", @@ -2192,6 +2193,7 @@ dependencies = [ "jemallocator", "load_config", "nix", + "or-panic", "parcelona", "pin-project", "ra-rpc", @@ -2250,6 +2252,7 @@ dependencies = [ "host-api", "k256", "load_config", + "or-panic", "ra-rpc", "ra-tls", "rand 0.8.5", @@ -2519,6 +2522,7 @@ dependencies = [ "key-provider-client", "load_config", "lspci", + "or-panic", "path-absolutize", "ra-rpc", "rocket", @@ -4728,6 +4732,12 @@ version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d" +[[package]] +name = "or-panic" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "596a79faf55e869e7bc0c2162cf2f18a54d4d1112876bceae587ad954fcbd574" + [[package]] name = "os_pipe" version = "1.2.2" @@ -5468,6 +5478,7 @@ version = "0.5.5" dependencies = [ "anyhow", "bon", + "or-panic", "prost-types 0.13.5", "prpc", "ra-tls", @@ -5492,6 +5503,7 @@ dependencies = [ "fs-err", "hex", "hkdf", + "or-panic", "p256", "parity-scale-codec", "rcgen", @@ -6918,6 +6930,7 @@ name = "sodiumbox" version = "0.1.0" dependencies = [ "blake2", + "or-panic", "rand_core 0.6.4", "salsa20", "x25519-dalek", @@ -7026,6 +7039,7 @@ dependencies = [ "load_config", "nix", "notify", + "or-panic", "rocket", "serde", "serde_json", diff --git a/Cargo.toml b/Cargo.toml index 084ded65..98bc4551 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -86,6 +86,7 @@ size-parser = { path = "size-parser" } # Core dependencies anyhow = { version = "1.0.97", default-features = false } +or-panic = { version = "1.0", default-features = false } chrono = "0.4.40" clap = { version = "4.5.32", features = ["derive", "string"] } dashmap = "6.1.0" diff --git a/certbot/cli/Cargo.toml b/certbot/cli/Cargo.toml index a3f21a10..cd415c08 100644 --- a/certbot/cli/Cargo.toml +++ b/certbot/cli/Cargo.toml @@ -24,3 +24,4 @@ tokio = { workspace = true, features = ["full"] } toml_edit.workspace = true tracing-subscriber.workspace = true rustls.workspace = true +or-panic.workspace = true diff --git a/certbot/cli/src/main.rs b/certbot/cli/src/main.rs index 19fed2e1..083ab641 100644 --- a/certbot/cli/src/main.rs +++ b/certbot/cli/src/main.rs @@ -10,6 +10,7 @@ use certbot::{CertBotConfig, WorkDir}; use clap::Parser; use documented::DocumentedFields; use fs_err as fs; +use or_panic::ResultOrPanic; use serde::{Deserialize, Serialize}; use toml_edit::ser::to_document; @@ -166,7 +167,7 @@ async fn main() -> Result<()> { } rustls::crypto::ring::default_provider() .install_default() - .expect("Failed to install default crypto provider"); + .or_panic("Failed to install default crypto provider"); let args = Args::parse(); match args.command { diff --git a/dstack-mr/src/acpi.rs b/dstack-mr/src/acpi.rs index b2cd4d46..5976c10f 100644 --- a/dstack-mr/src/acpi.rs +++ b/dstack-mr/src/acpi.rs @@ -7,6 +7,7 @@ use anyhow::{bail, Context, Result}; use log::debug; +use scale::Decode; use crate::Machine; @@ -392,6 +393,13 @@ fn qemu_loader_append(data: &mut Vec, cmd: LoaderCmd) { } } +/// ACPI table header (first 8 bytes of every ACPI table) +#[derive(Debug, Decode)] +struct AcpiTableHeader { + signature: [u8; 4], + length: u32, +} + /// Searches for an ACPI table with the given signature and returns its offset, /// checksum offset, and length. fn find_acpi_table(tables: &[u8], signature: &str) -> Result<(u32, u32, u32)> { @@ -407,24 +415,21 @@ fn find_acpi_table(tables: &[u8], signature: &str) -> Result<(u32, u32, u32)> { bail!("Table not found: {signature}"); } - let tbl_sig = &tables[offset..offset + 4]; - let tbl_len_bytes: [u8; 4] = tables[offset + 4..offset + 8] - .try_into() - .expect("header len checked"); - let tbl_len = u32::from_le_bytes(tbl_len_bytes) as usize; + let header = AcpiTableHeader::decode(&mut &tables[offset..]) + .context("failed to decode ACPI table header")?; - if tbl_sig == sig_bytes { + if header.signature == sig_bytes { // Found the table - return Ok((offset as u32, (offset + 9) as u32, tbl_len as u32)); + return Ok((offset as u32, (offset + 9) as u32, header.length)); } - if tbl_len == 0 { + if header.length == 0 { // Invalid table length, stop searching - bail!("Found table with zero length at offset {offset}"); + bail!("found table with zero length at offset {offset}"); } // Move to the next table - offset += tbl_len; + offset += header.length as usize; } - bail!("Table not found: {signature}"); + bail!("table not found: {signature}"); } diff --git a/dstack-mr/src/tdvf.rs b/dstack-mr/src/tdvf.rs index 704bc669..b41dee76 100644 --- a/dstack-mr/src/tdvf.rs +++ b/dstack-mr/src/tdvf.rs @@ -341,7 +341,7 @@ impl<'a> Tdvf<'a> { td_hob.extend_from_slice(&length.to_le_bytes()); }; - let (_, last_start, last_end) = memory_acceptor.ranges.pop().expect("No ranges"); + let (_, last_start, last_end) = memory_acceptor.ranges.pop().context("No ranges")?; for (accepted, start, end) in memory_acceptor.ranges { if end < start { diff --git a/gateway/Cargo.toml b/gateway/Cargo.toml index d150126c..8a30c6da 100644 --- a/gateway/Cargo.toml +++ b/gateway/Cargo.toml @@ -50,6 +50,7 @@ reqwest = { workspace = true, features = ["json"] } hyper = { workspace = true, features = ["server", "http1"] } hyper-util = { version = "0.1", features = ["tokio"] } jemallocator.workspace = true +or-panic.workspace = true [target.'cfg(unix)'.dependencies] nix = { workspace = true, features = ["resource"] } diff --git a/gateway/rpc/build.rs b/gateway/rpc/build.rs index 6fbbba01..fe19530a 100644 --- a/gateway/rpc/build.rs +++ b/gateway/rpc/build.rs @@ -2,6 +2,8 @@ // // SPDX-License-Identifier: Apache-2.0 +#![allow(clippy::expect_used)] + fn main() { prpc_build::configure() .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) diff --git a/gateway/src/main.rs b/gateway/src/main.rs index 61d25632..d4544ffd 100644 --- a/gateway/src/main.rs +++ b/gateway/src/main.rs @@ -167,7 +167,8 @@ async fn main() -> Result<()> { info!("Starting background tasks"); state.start_bg_tasks().await?; state.lock().reconfigure()?; - proxy::start(proxy_config, state.clone()); + + proxy::start(proxy_config, state.clone()).context("failed to start the proxy")?; let admin_figment = Figment::new() diff --git a/gateway/src/main_service.rs b/gateway/src/main_service.rs index 9162ff40..c85d501c 100644 --- a/gateway/src/main_service.rs +++ b/gateway/src/main_service.rs @@ -23,6 +23,7 @@ use dstack_gateway_rpc::{ use dstack_guest_agent_rpc::{dstack_guest_client::DstackGuestClient, RawQuoteArgs}; use fs_err as fs; use http_client::prpc::PrpcClient; +use or_panic::ResultOrPanic; use ra_rpc::{CallContext, RpcCall, VerifiedAttestation}; use ra_tls::attestation::QuoteContentType; use rand::seq::IteratorRandom; @@ -100,7 +101,7 @@ impl Proxy { impl ProxyInner { pub(crate) fn lock(&self) -> MutexGuard { - self.state.lock().expect("Failed to lock AppState") + self.state.lock().or_panic("Failed to lock AppState") } pub async fn new(config: Config, my_app_id: Option>) -> Result { diff --git a/gateway/src/proxy.rs b/gateway/src/proxy.rs index 75cc286e..73b947cc 100644 --- a/gateway/src/proxy.rs +++ b/gateway/src/proxy.rs @@ -166,7 +166,7 @@ pub async fn proxy_main(config: &ProxyConfig, proxy: Proxy) -> Result<()> { .enable_all() .worker_threads(config.workers) .build() - .expect("Failed to build Tokio runtime"); + .context("Failed to build Tokio runtime")?; let dotted_base_domain = { let base_domain = config.base_domain.as_str(); @@ -232,16 +232,16 @@ fn next_connection_id() -> usize { COUNTER.fetch_add(1, Ordering::Relaxed) } -pub fn start(config: ProxyConfig, app_state: Proxy) { +pub fn start(config: ProxyConfig, app_state: Proxy) -> Result<()> { + // Create a new single-threaded runtime + let rt = tokio::runtime::Builder::new_current_thread() + .enable_all() + .build() + .context("Failed to build Tokio runtime")?; + std::thread::Builder::new() .name("proxy-main".to_string()) .spawn(move || { - // Create a new single-threaded runtime - let rt = tokio::runtime::Builder::new_current_thread() - .enable_all() - .build() - .expect("Failed to build Tokio runtime"); - // Run the proxy_main function in this runtime if let Err(err) = rt.block_on(proxy_main(&config, app_state)) { error!( @@ -250,7 +250,8 @@ pub fn start(config: ProxyConfig, app_state: Proxy) { ); } }) - .expect("Failed to spawn proxy-main thread"); + .context("Failed to spawn proxy-main thread")?; + Ok(()) } #[cfg(test)] diff --git a/gateway/src/proxy/tls_terminate.rs b/gateway/src/proxy/tls_terminate.rs index 9c159492..ad19ebf4 100644 --- a/gateway/src/proxy/tls_terminate.rs +++ b/gateway/src/proxy/tls_terminate.rs @@ -24,6 +24,8 @@ use tokio::time::timeout; use tokio_rustls::{rustls, server::TlsStream, TlsAcceptor}; use tracing::{debug, info}; +use or_panic::ResultOrPanic; + use crate::config::{CryptoProvider, ProxyConfig, TlsVersion}; use crate::main_service::Proxy; @@ -278,12 +280,12 @@ impl Proxy { let acceptor = if h2 { self.h2_acceptor .read() - .expect("Failed to acquire read lock for TLS acceptor") + .or_panic("lock should never fail") .clone() } else { self.acceptor .read() - .expect("Failed to acquire read lock for TLS acceptor") + .or_panic("lock should never fail") .clone() }; let tls_stream = timeout( diff --git a/guest-agent/Cargo.toml b/guest-agent/Cargo.toml index 101c63d7..b8e0c881 100644 --- a/guest-agent/Cargo.toml +++ b/guest-agent/Cargo.toml @@ -50,3 +50,4 @@ ring.workspace = true ed25519-dalek.workspace = true tempfile.workspace = true rand.workspace = true +or-panic.workspace = true diff --git a/guest-agent/rpc/build.rs b/guest-agent/rpc/build.rs index 6fbbba01..fe19530a 100644 --- a/guest-agent/rpc/build.rs +++ b/guest-agent/rpc/build.rs @@ -2,6 +2,8 @@ // // SPDX-License-Identifier: Apache-2.0 +#![allow(clippy::expect_used)] + fn main() { prpc_build::configure() .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) diff --git a/guest-agent/src/rpc_service.rs b/guest-agent/src/rpc_service.rs index 7915e56e..16fe61a4 100644 --- a/guest-agent/src/rpc_service.rs +++ b/guest-agent/src/rpc_service.rs @@ -23,6 +23,7 @@ use ed25519_dalek::{ }; use fs_err as fs; use k256::ecdsa::SigningKey; +use or_panic::ResultOrPanic; use ra_rpc::{Attestation, CallContext, RpcCall}; use ra_tls::{ attestation::{QuoteContentType, DEFAULT_HASH_ALGORITHM}, @@ -81,7 +82,7 @@ impl AppState { if !state .demo_cert .read() - .expect("lock shoud not fail") + .or_panic("lock shoud never fail") .is_empty() { return; @@ -89,7 +90,7 @@ impl AppState { tokio::spawn(async move { match state.request_demo_cert().await { Ok(demo_cert) => { - *state.demo_cert.write().expect("lock shoud not fail") = demo_cert; + *state.demo_cert.write().or_panic("lock shoud never fail") = demo_cert; } Err(e) => { error!("Failed to request demo cert: {e}"); @@ -188,7 +189,7 @@ pub async fn get_info(state: &AppState, external: bool) -> Result { .inner .demo_cert .read() - .expect("lock should not faile") + .or_panic("lock should not fail") .clone(), tcb_info, vm_config, @@ -318,7 +319,11 @@ impl DstackGuestRpc for InternalRpcHandler { .await?; let (signature, public_key) = match request.algorithm.as_str() { "ed25519" => { - let key_bytes: [u8; 32] = key_response.key.try_into().expect("Key is incorrect"); + let key_bytes: [u8; 32] = key_response + .key + .try_into() + .ok() + .context("Key is incorrect")?; let signing_key = Ed25519SigningKey::from_bytes(&key_bytes); let signature = signing_key.sign(&request.data); let public_key = signing_key.verifying_key().to_bytes().to_vec(); @@ -577,7 +582,11 @@ impl WorkerRpc for ExternalRpcHandler { match request.algorithm.as_str() { "ed25519" => { - let key_bytes: [u8; 32] = key_response.key.try_into().expect("Key is incorrect"); + let key_bytes: [u8; 32] = key_response + .key + .try_into() + .ok() + .context("Key is incorrect")?; let ed25519_key = Ed25519SigningKey::from_bytes(&key_bytes); let ed25519_pubkey = ed25519_key.verifying_key().to_bytes(); diff --git a/guest-api/build.rs b/guest-api/build.rs index 7a9a2723..dc3e9d96 100644 --- a/guest-api/build.rs +++ b/guest-api/build.rs @@ -2,6 +2,8 @@ // // SPDX-License-Identifier: Apache-2.0 +#![allow(clippy::expect_used)] + fn main() { prpc_build::configure() .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) diff --git a/host-api/build.rs b/host-api/build.rs index 7a9a2723..dc3e9d96 100644 --- a/host-api/build.rs +++ b/host-api/build.rs @@ -2,6 +2,8 @@ // // SPDX-License-Identifier: Apache-2.0 +#![allow(clippy::expect_used)] + fn main() { prpc_build::configure() .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) diff --git a/kms/rpc/build.rs b/kms/rpc/build.rs index 6fbbba01..fe19530a 100644 --- a/kms/rpc/build.rs +++ b/kms/rpc/build.rs @@ -2,6 +2,8 @@ // // SPDX-License-Identifier: Apache-2.0 +#![allow(clippy::expect_used)] + fn main() { prpc_build::configure() .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) diff --git a/kms/src/main_service.rs b/kms/src/main_service.rs index 8e5b5f3b..66fbf87b 100644 --- a/kms/src/main_service.rs +++ b/kms/src/main_service.rs @@ -203,7 +203,9 @@ impl RpcHandler { fn cache_mrs(&self, key: &str, mrs: &Mrs) -> Result<()> { let path = self.mr_cache_dir().join(key); - fs::create_dir_all(path.parent().unwrap()).context("Failed to create cache directory")?; + if let Some(parent) = path.parent() { + fs::create_dir_all(parent).context("Failed to create cache directory")?; + } safe_write::safe_write( &path, serde_json::to_string(mrs).context("Failed to serialize cached MRs")?, diff --git a/ra-rpc/Cargo.toml b/ra-rpc/Cargo.toml index f762308a..2ec2b636 100644 --- a/ra-rpc/Cargo.toml +++ b/ra-rpc/Cargo.toml @@ -23,6 +23,7 @@ rocket-vsock-listener = { workspace = true, optional = true } serde.workspace = true x509-parser.workspace = true prost-types = { workspace = true, optional = true } +or-panic.workspace = true [features] default = ["rocket", "client"] diff --git a/ra-rpc/src/rocket_helper.rs b/ra-rpc/src/rocket_helper.rs index 4abfe3ab..dcdbfa15 100644 --- a/ra-rpc/src/rocket_helper.rs +++ b/ra-rpc/src/rocket_helper.rs @@ -308,7 +308,7 @@ pub async fn handle_prpc_impl>( (Some(quote_verifier), Some(attestation)) => { let pubkey = request .certificate - .expect("certificate is missing") + .context("certificate is missing")? .public_key() .raw .to_vec(); diff --git a/ra-tls/Cargo.toml b/ra-tls/Cargo.toml index 9d7be749..c6451fbb 100644 --- a/ra-tls/Cargo.toml +++ b/ra-tls/Cargo.toml @@ -33,3 +33,4 @@ scale.workspace = true cc-eventlog.workspace = true serde-human-bytes.workspace = true +or-panic.workspace = true diff --git a/ra-tls/src/attestation.rs b/ra-tls/src/attestation.rs index 65f591d0..103f7f62 100644 --- a/ra-tls/src/attestation.rs +++ b/ra-tls/src/attestation.rs @@ -18,6 +18,7 @@ use x509_parser::parse_x509_certificate; use crate::{oids, traits::CertExt}; use cc_eventlog::TdxEventLog as EventLog; +use or_panic::ResultOrPanic; use serde_human_bytes as hex_bytes; /// The content type of a quote. A CVM should only generate quotes for these types. @@ -50,7 +51,7 @@ impl QuoteContentType<'_> { /// Convert the content to the report data. pub fn to_report_data(&self, content: &[u8]) -> [u8; 64] { self.to_report_data_with_hash(content, "") - .expect("sha512 hash should not fail") + .or_panic("sha512 hash should not fail") } /// Convert the content to the report data with a specific hash algorithm. diff --git a/ra-tls/src/cert.rs b/ra-tls/src/cert.rs index 16b9399c..2cfa3e0c 100644 --- a/ra-tls/src/cert.rs +++ b/ra-tls/src/cert.rs @@ -149,7 +149,7 @@ impl CertSigningRequest { // Sign the encoded CSR let signature = key_pair .sign(&rng, &encoded) - .expect("Failed to sign CSR") + .context("Failed to sign CSR")? .as_ref() .to_vec(); Ok(signature) diff --git a/sodiumbox/Cargo.toml b/sodiumbox/Cargo.toml index ffd55962..9fcd6702 100644 --- a/sodiumbox/Cargo.toml +++ b/sodiumbox/Cargo.toml @@ -17,3 +17,4 @@ xsalsa20poly1305.workspace = true salsa20.workspace = true rand_core.workspace = true blake2.workspace = true +or-panic.workspace = true diff --git a/sodiumbox/src/lib.rs b/sodiumbox/src/lib.rs index f78ab346..8375776c 100644 --- a/sodiumbox/src/lib.rs +++ b/sodiumbox/src/lib.rs @@ -18,6 +18,7 @@ use blake2::{ digest::{Update, VariableOutput}, Blake2bVar, }; +use or_panic::ResultOrPanic; use rand_core::OsRng; use xsalsa20poly1305::{aead::Aead, consts::U10, KeyInit, XSalsa20Poly1305}; @@ -94,14 +95,16 @@ pub fn seal(message: &[u8], recipient_pk: &PublicKey) -> Vec { // Compute nonce: blake2b(ephemeral_pk || recipient_pk, outlen=24) let nonce = derive_nonce(ephemeral_pk.as_bytes(), recipient_pk.as_bytes()) - .expect("Failed to derive nonce"); + .or_panic("Failed to derive nonce"); // Create the XSalsa20Poly1305 cipher with the derived key let cipher = XSalsa20Poly1305::new_from_slice(&key_bytes) - .expect("Failed to create XSalsa20Poly1305 cipher"); + .or_panic("Failed to create XSalsa20Poly1305 cipher"); // Encrypt the message - let ciphertext = cipher.encrypt(&nonce, message).expect("Encryption failed"); + let ciphertext = cipher + .encrypt(&nonce, message) + .or_panic("Encryption failed"); // Combine the ephemeral public key and ciphertext to form the sealed box let mut sealed_box = Vec::with_capacity(PUBLICKEYBYTES + ciphertext.len()); diff --git a/supervisor/Cargo.toml b/supervisor/Cargo.toml index 647a0b1e..e9e91b55 100644 --- a/supervisor/Cargo.toml +++ b/supervisor/Cargo.toml @@ -21,6 +21,7 @@ libc.workspace = true load_config.workspace = true nix = { workspace = true, features = ["resource"] } notify.workspace = true +or-panic.workspace = true rocket = { workspace = true, features = ["json"] } serde = { workspace = true, features = ["derive"] } serde_json.workspace = true diff --git a/supervisor/src/process.rs b/supervisor/src/process.rs index 1c2d8b29..887aac14 100644 --- a/supervisor/src/process.rs +++ b/supervisor/src/process.rs @@ -6,6 +6,7 @@ use anyhow::{bail, Result}; use bon::Builder; use fs_err as fs; use notify::{RecursiveMode, Watcher}; +use or_panic::ResultOrPanic; use serde::{Deserialize, Serialize}; use std::collections::HashMap; use std::io::Write; @@ -97,6 +98,7 @@ impl ProcessStateRT { } mod systime { + use or_panic::ResultOrPanic; use serde::{de::Error, Deserialize, Deserializer, Serialize, Serializer}; use std::time::{Duration, SystemTime, UNIX_EPOCH}; @@ -106,7 +108,7 @@ mod systime { ) -> Result { time.map(|t| { t.duration_since(UNIX_EPOCH) - .expect("since zero should not fail") + .or_panic("since zero should never fail") .as_secs() }) .serialize(serializer) @@ -166,7 +168,7 @@ impl Process { } pub(crate) fn lock(&self) -> MutexGuard { - self.state.lock().expect("lock should not fail") + self.state.lock().or_panic("lock should never fail") } pub fn start(&self) -> Result<()> { @@ -267,7 +269,7 @@ impl Process { } }; if let Some(state) = state { - let mut state = state.lock().expect("lock should not fail"); + let mut state = state.lock().or_panic("lock should never fail"); state.status = next_status; state.stopped_at = Some(SystemTime::now()); } diff --git a/supervisor/src/web_api.rs b/supervisor/src/web_api.rs index f52ebe0b..2521ee20 100644 --- a/supervisor/src/web_api.rs +++ b/supervisor/src/web_api.rs @@ -3,6 +3,7 @@ // SPDX-License-Identifier: Apache-2.0 use anyhow::{anyhow, Result}; +use or_panic::ResultOrPanic; use rocket::figment::Figment; use rocket::serde::json::Json; use rocket::{delete, get, post, routes, Build, Rocket, State}; @@ -108,13 +109,13 @@ async fn handle_shutdown_signals(supervisor: Supervisor) { let ctrl_c = async { signal::ctrl_c() .await - .expect("failed to install Ctrl+C handler"); + .or_panic("failed to install Ctrl+C handler"); }; #[cfg(unix)] let terminate = async { signal::unix::signal(signal::unix::SignalKind::terminate()) - .expect("failed to install signal handler") + .or_panic("failed to install signal handler") .recv() .await; }; @@ -133,5 +134,5 @@ async fn handle_shutdown_signals(supervisor: Supervisor) { perform_shutdown(&supervisor, true) .await - .expect("Force shutdown should never return"); + .or_panic("Force shutdown should never return"); } diff --git a/tdx-attest-sys/build.rs b/tdx-attest-sys/build.rs index b943878e..9e30e05f 100644 --- a/tdx-attest-sys/build.rs +++ b/tdx-attest-sys/build.rs @@ -2,13 +2,15 @@ // // SPDX-License-Identifier: Apache-2.0 +#![allow(clippy::expect_used)] + use std::env; use std::path::PathBuf; fn main() { println!("cargo:rerun-if-changed=csrc/tdx_attest.c"); println!("cargo:rerun-if-changed=csrc/qgs_msg_lib.cpp"); - let output_path = PathBuf::from(env::var("OUT_DIR").unwrap()); + let output_path = PathBuf::from(env::var("OUT_DIR").expect("OUT_DIR not set")); bindgen::Builder::default() .header("bindings.h") .default_enum_style(bindgen::EnumVariation::ModuleConsts) diff --git a/verifier/src/main.rs b/verifier/src/main.rs index d5ad4cc3..f145d71d 100644 --- a/verifier/src/main.rs +++ b/verifier/src/main.rs @@ -4,6 +4,7 @@ use std::sync::Arc; +use anyhow::{Context, Result}; use clap::Parser; use figment::{ providers::{Env, Format, Toml}, @@ -165,8 +166,8 @@ async fn run_oneshot(file_path: &str, config: &Config) -> anyhow::Result<()> { Ok(()) } -#[rocket::launch] -fn rocket() -> _ { +#[rocket::main] +async fn main() -> Result<()> { tracing_subscriber::fmt::try_init().ok(); let cli = Cli::parse(); @@ -178,12 +179,12 @@ fn rocket() -> _ { .merge(Toml::file(&cli.config)) .merge(Env::prefixed("DSTACK_VERIFIER_")); - let config: Config = figment.extract().expect("Failed to load configuration"); + let config: Config = figment.extract().context("Failed to load configuration")?; // Check for oneshot mode if let Some(file_path) = cli.verify { // Run oneshot verification and exit - let rt = tokio::runtime::Runtime::new().expect("Failed to create runtime"); + let rt = tokio::runtime::Runtime::new().context("Failed to create runtime")?; rt.block_on(async { if let Err(e) = run_oneshot(&file_path, &config).await { error!("Oneshot verification failed: {:#}", e); @@ -207,4 +208,8 @@ fn rocket() -> _ { info!("dstack-verifier started successfully"); }) })) + .launch() + .await + .map_err(|err| anyhow::anyhow!("launch rocket failed: {err:?}"))?; + Ok(()) } diff --git a/vmm/Cargo.toml b/vmm/Cargo.toml index caf7542a..84cb5ff6 100644 --- a/vmm/Cargo.toml +++ b/vmm/Cargo.toml @@ -50,6 +50,10 @@ lspci.workspace = true base64.workspace = true serde-human-bytes.workspace = true size-parser = { workspace = true, features = ["serde"] } +or-panic.workspace = true [dev-dependencies] insta.workspace = true + +[build-dependencies] +or-panic.workspace = true diff --git a/vmm/rpc/build.rs b/vmm/rpc/build.rs index 6fbbba01..fe19530a 100644 --- a/vmm/rpc/build.rs +++ b/vmm/rpc/build.rs @@ -2,6 +2,8 @@ // // SPDX-License-Identifier: Apache-2.0 +#![allow(clippy::expect_used)] + fn main() { prpc_build::configure() .out_dir(std::env::var_os("OUT_DIR").expect("OUT_DIR not set")) diff --git a/vmm/src/app.rs b/vmm/src/app.rs index e48856ff..289ddf7a 100644 --- a/vmm/src/app.rs +++ b/vmm/src/app.rs @@ -16,6 +16,7 @@ use dstack_vmm_rpc::{ use fs_err as fs; use guest_api::client::DefaultClient as GuestClient; use id_pool::IdPool; +use or_panic::ResultOrPanic; use ra_rpc::client::RaClient; use serde::{Deserialize, Serialize}; use serde_json::json; @@ -123,7 +124,7 @@ pub struct App { impl App { fn lock(&self) -> MutexGuard { - self.state.lock().expect("mutex poisoned") + self.state.lock().or_panic("mutex poisoned") } pub(crate) fn vm_dir(&self) -> PathBuf { From 564c62591f8c2949d27658ef708e0144f328f6e7 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Tue, 9 Dec 2025 08:05:05 +0000 Subject: [PATCH 131/133] certbot: Support config for max DNS wait time --- certbot/cli/src/main.rs | 5 ++++ certbot/src/acme_client.rs | 30 ++++++++++++++++++++++-- certbot/src/acme_client/tests.rs | 2 +- certbot/src/bot.rs | 5 ++-- certbot/src/bot/tests.rs | 1 + gateway/dstack-app/builder/entrypoint.sh | 1 + gateway/dstack-app/deploy-to-vmm.sh | 3 +++ gateway/gateway.toml | 1 + gateway/src/config.rs | 4 ++++ 9 files changed, 47 insertions(+), 5 deletions(-) diff --git a/certbot/cli/src/main.rs b/certbot/cli/src/main.rs index 083ab641..5822853f 100644 --- a/certbot/cli/src/main.rs +++ b/certbot/cli/src/main.rs @@ -74,6 +74,8 @@ struct Config { renew_days_before: u64, /// Renew timeout in seconds renew_timeout: u64, + /// Maximum time to wait for DNS propagation in seconds + max_dns_wait: u64, /// Command to run after renewal #[serde(default)] renewed_hook: Option, @@ -91,6 +93,7 @@ impl Default for Config { renew_interval: 3600, renew_days_before: 10, renew_timeout: 120, + max_dns_wait: 300, renewed_hook: None, } } @@ -125,6 +128,7 @@ fn load_config(config: &PathBuf) -> Result { let renew_interval = Duration::from_secs(config.renew_interval); let renew_expires_in = Duration::from_secs(config.renew_days_before * 24 * 60 * 60); let renew_timeout = Duration::from_secs(config.renew_timeout); + let max_dns_wait = Duration::from_secs(config.max_dns_wait); let bot_config = CertBotConfig::builder() .acme_url(config.acme_url) .cert_dir(workdir.backup_dir()) @@ -137,6 +141,7 @@ fn load_config(config: &PathBuf) -> Result { .renew_interval(renew_interval) .renew_timeout(renew_timeout) .renew_expires_in(renew_expires_in) + .max_dns_wait(max_dns_wait) .credentials_file(workdir.account_credentials_path()) .auto_set_caa(config.auto_set_caa) .maybe_renewed_hook(config.renewed_hook) diff --git a/certbot/src/acme_client.rs b/certbot/src/acme_client.rs index f5ae739f..3650005e 100644 --- a/certbot/src/acme_client.rs +++ b/certbot/src/acme_client.rs @@ -27,6 +27,7 @@ pub struct AcmeClient { account: Account, credentials: Credentials, dns01_client: Dns01Client, + max_dns_wait: Duration, } #[derive(Debug, Clone)] @@ -53,7 +54,11 @@ pub(crate) fn acme_matches(encoded_credentials: &str, acme_url: &str) -> bool { } impl AcmeClient { - pub async fn load(dns01_client: Dns01Client, encoded_credentials: &str) -> Result { + pub async fn load( + dns01_client: Dns01Client, + encoded_credentials: &str, + max_dns_wait: Duration, + ) -> Result { let credentials: Credentials = serde_json::from_str(encoded_credentials)?; let account = Account::from_credentials(credentials.credentials).await?; let credentials: Credentials = serde_json::from_str(encoded_credentials)?; @@ -61,11 +66,16 @@ impl AcmeClient { account, dns01_client, credentials, + max_dns_wait, }) } /// Create a new account. - pub async fn new_account(acme_url: &str, dns01_client: Dns01Client) -> Result { + pub async fn new_account( + acme_url: &str, + dns01_client: Dns01Client, + max_dns_wait: Duration, + ) -> Result { let (account, credentials) = Account::create( &NewAccount { contact: &[], @@ -86,6 +96,7 @@ impl AcmeClient { account, dns01_client, credentials, + max_dns_wait, }) } @@ -335,6 +346,8 @@ impl AcmeClient { /// Self check the TXT records for the given challenges. async fn check_dns(&self, challenges: &[Challenge]) -> Result<()> { + use tracing::warn; + let mut delay = Duration::from_millis(250); let mut tries = 1u8; @@ -342,11 +355,22 @@ impl AcmeClient { debug!("Unsettled challenges: {unsettled_challenges:#?}"); + let start_time = std::time::Instant::now(); + 'outer: loop { use hickory_resolver::AsyncResolver; sleep(delay).await; + let elapsed = start_time.elapsed(); + if elapsed >= self.max_dns_wait { + warn!( + "DNS propagation timeout after {elapsed:?}, max wait time is {max:?}. proceeding anyway as ACME server may have different DNS view", + max = self.max_dns_wait + ); + break; + } + let dns_resolver = AsyncResolver::tokio_from_system_conf().context("failed to create dns resolver")?; @@ -374,6 +398,8 @@ impl AcmeClient { debug!( tries, domain = &challenge.acme_domain, + elapsed = ?elapsed, + max_wait = ?self.max_dns_wait, "challenge not found, waiting for {delay:?}" ); unsettled_challenges.push(challenge); diff --git a/certbot/src/acme_client/tests.rs b/certbot/src/acme_client/tests.rs index 54eefac0..d77504a6 100644 --- a/certbot/src/acme_client/tests.rs +++ b/certbot/src/acme_client/tests.rs @@ -13,7 +13,7 @@ async fn new_acme_client() -> Result { ); let credentials = std::env::var("LETSENCRYPT_CREDENTIAL").expect("LETSENCRYPT_CREDENTIAL not set"); - AcmeClient::load(dns01_client, &credentials).await + AcmeClient::load(dns01_client, &credentials, Duration::from_secs(300)).await } #[tokio::test] diff --git a/certbot/src/bot.rs b/certbot/src/bot.rs index 7df25499..1906bdcd 100644 --- a/certbot/src/bot.rs +++ b/certbot/src/bot.rs @@ -37,6 +37,7 @@ pub struct CertBotConfig { renew_timeout: Duration, renew_expires_in: Duration, renewed_hook: Option, + max_dns_wait: Duration, } impl CertBotConfig { @@ -55,7 +56,7 @@ async fn create_new_account( dns01_client: Dns01Client, ) -> Result { info!("creating new ACME account"); - let client = AcmeClient::new_account(&config.acme_url, dns01_client) + let client = AcmeClient::new_account(&config.acme_url, dns01_client, config.max_dns_wait) .await .context("failed to create new account")?; let credentials = client @@ -82,7 +83,7 @@ impl CertBot { let acme_client = match fs::read_to_string(&config.credentials_file) { Ok(credentials) => { if acme_matches(&credentials, &config.acme_url) { - AcmeClient::load(dns01_client, &credentials).await? + AcmeClient::load(dns01_client, &credentials, config.max_dns_wait).await? } else { create_new_account(&config, dns01_client).await? } diff --git a/certbot/src/bot/tests.rs b/certbot/src/bot/tests.rs index e7c65e6d..03e4ad9d 100644 --- a/certbot/src/bot/tests.rs +++ b/certbot/src/bot/tests.rs @@ -25,6 +25,7 @@ async fn new_certbot() -> Result { .renew_interval(Duration::from_secs(30)) .renew_timeout(Duration::from_secs(120)) .renew_expires_in(Duration::from_secs(7772187)) + .max_dns_wait(Duration::from_secs(300)) .auto_set_caa(false) .build(); config.build_bot().await diff --git a/gateway/dstack-app/builder/entrypoint.sh b/gateway/dstack-app/builder/entrypoint.sh index 7696b95d..862db9a1 100755 --- a/gateway/dstack-app/builder/entrypoint.sh +++ b/gateway/dstack-app/builder/entrypoint.sh @@ -119,6 +119,7 @@ domain = "*.$SRV_DOMAIN" renew_interval = "1h" renew_before_expiration = "10d" renew_timeout = "5m" +max_dns_wait = "${CERTBOT_MAX_DNS_WAIT:-5m}" [core.wg] public_key = "$PUBLIC_KEY" diff --git a/gateway/dstack-app/deploy-to-vmm.sh b/gateway/dstack-app/deploy-to-vmm.sh index 9262efff..46925cfe 100755 --- a/gateway/dstack-app/deploy-to-vmm.sh +++ b/gateway/dstack-app/deploy-to-vmm.sh @@ -84,6 +84,8 @@ GATEWAY_SERVING_ADDR=0.0.0.0:9204 GUEST_AGENT_ADDR=127.0.0.1:9206 WG_ADDR=0.0.0.0:9202 +CERTBOT_MAX_DNS_WAIT=5m + # The token used to launch the App APP_LAUNCH_TOKEN=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) @@ -143,6 +145,7 @@ BOOTNODE_URL=$BOOTNODE_URL SUBNET_INDEX=$SUBNET_INDEX APP_LAUNCH_TOKEN=$APP_LAUNCH_TOKEN RPC_DOMAIN=$RPC_DOMAIN +CERTBOT_MAX_DNS_WAIT=$CERTBOT_MAX_DNS_WAIT EOF if [ -n "$APP_COMPOSE_FILE" ]; then diff --git a/gateway/gateway.toml b/gateway/gateway.toml index a89ff348..4445a138 100644 --- a/gateway/gateway.toml +++ b/gateway/gateway.toml @@ -38,6 +38,7 @@ domain = "*.example.com" renew_interval = "1h" renew_before_expiration = "10d" renew_timeout = "120s" +max_dns_wait = "5m" [core.wg] public_key = "" diff --git a/gateway/src/config.rs b/gateway/src/config.rs index 3a3d88db..03d2b125 100644 --- a/gateway/src/config.rs +++ b/gateway/src/config.rs @@ -208,6 +208,9 @@ pub struct CertbotConfig { /// Renew timeout #[serde(with = "serde_duration")] pub renew_timeout: Duration, + /// Maximum time to wait for DNS propagation + #[serde(with = "serde_duration")] + pub max_dns_wait: Duration, } impl CertbotConfig { @@ -227,6 +230,7 @@ impl CertbotConfig { .renew_timeout(self.renew_timeout) .renew_expires_in(self.renew_before_expiration) .auto_set_caa(self.auto_set_caa) + .max_dns_wait(self.max_dns_wait) .build() } From 0920f33c3b5d1131c00f911754ab391ab9b8d608 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 10 Dec 2025 14:13:17 +0800 Subject: [PATCH 132/133] Update README to clarify app-id definition Clarified the definition of `app-id` in the README. --- kms/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kms/README.md b/kms/README.md index 19130c92..8e7936fc 100644 --- a/kms/README.md +++ b/kms/README.md @@ -28,7 +28,7 @@ CVMs running in dstack support three boot modes: - Supports application upgrades - Requires control contract configuration - `key-provider` in RTMR: `{"type": "kms", "id": ""}` -- `app-id` is derived from the deployer's eth address + salt +- `app-id` is equal to the address of the deployed App Smart Contract. ## KMS Implementation From 7aac04a35306eaf01d9815589f0a1ccc6f5c3445 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Wed, 17 Dec 2025 12:06:46 +0000 Subject: [PATCH 133/133] certbot: Auto-detect zone --- README.md | 1 - certbot/cli/src/main.rs | 4 - certbot/src/acme_client.rs | 6 +- certbot/src/bot.rs | 11 +- certbot/src/bot/tests.rs | 2 - certbot/src/dns01_client.rs | 13 +- certbot/src/dns01_client/cloudflare.rs | 269 ++++++++++++++++++----- docs/deployment.md | 1 - docs/dstack-gateway.md | 7 - gateway/dstack-app/builder/entrypoint.sh | 2 - gateway/dstack-app/deploy-to-vmm.sh | 5 - gateway/dstack-app/docker-compose.yaml | 1 - gateway/gateway.toml | 1 - gateway/src/config.rs | 3 - 14 files changed, 240 insertions(+), 86 deletions(-) diff --git a/README.md b/README.md index a03c9131..ac18dd98 100644 --- a/README.md +++ b/README.md @@ -314,7 +314,6 @@ GATEWAY_CERT=${CERBOT_WORKDIR}/live/cert.pem GATEWAY_KEY=${CERBOT_WORKDIR}/live/key.pem # For certbot -CF_ZONE_ID=cc0a40... CF_API_TOKEN=g-DwMH... # ACME_URL=https://acme-v02.api.letsencrypt.org/directory ACME_URL=https://acme-staging-v02.api.letsencrypt.org/directory diff --git a/certbot/cli/src/main.rs b/certbot/cli/src/main.rs index 5822853f..b22d3246 100644 --- a/certbot/cli/src/main.rs +++ b/certbot/cli/src/main.rs @@ -62,8 +62,6 @@ struct Config { acme_url: String, /// Cloudflare API token cf_api_token: String, - /// Cloudflare zone ID - cf_zone_id: String, /// Auto set CAA record auto_set_caa: bool, /// List of domains to issue certificates for @@ -87,7 +85,6 @@ impl Default for Config { workdir: ".".into(), acme_url: "https://acme-staging-v02.api.letsencrypt.org/directory".into(), cf_api_token: "".into(), - cf_zone_id: "".into(), auto_set_caa: true, domains: vec!["example.com".into()], renew_interval: 3600, @@ -136,7 +133,6 @@ fn load_config(config: &PathBuf) -> Result { .key_file(workdir.key_path()) .auto_create_account(true) .cert_subject_alt_names(config.domains) - .cf_zone_id(config.cf_zone_id) .cf_api_token(config.cf_api_token) .renew_interval(renew_interval) .renew_timeout(renew_timeout) diff --git a/certbot/src/acme_client.rs b/certbot/src/acme_client.rs index 3650005e..d4ebcf51 100644 --- a/certbot/src/acme_client.rs +++ b/certbot/src/acme_client.rs @@ -321,14 +321,14 @@ impl AcmeClient { let Identifier::Dns(identifier) = &authz.identifier; let dns_value = order.key_authorization(challenge).dns_value(); - debug!("creating dns record for {}", identifier); + debug!("creating dns record for {identifier}"); let acme_domain = format!("_acme-challenge.{identifier}"); - debug!("removing existing dns record for {}", acme_domain); + debug!("removing existing TXT record for {acme_domain}"); self.dns01_client .remove_txt_records(&acme_domain) .await .context("failed to remove existing dns record")?; - debug!("creating dns record for {}", acme_domain); + debug!("creating TXT record for {acme_domain}"); let id = self .dns01_client .add_txt_record(&acme_domain, &dns_value) diff --git a/certbot/src/bot.rs b/certbot/src/bot.rs index 1906bdcd..5a9c775f 100644 --- a/certbot/src/bot.rs +++ b/certbot/src/bot.rs @@ -27,7 +27,6 @@ pub struct CertBotConfig { auto_set_caa: bool, credentials_file: PathBuf, auto_create_account: bool, - cf_zone_id: String, cf_api_token: String, cert_file: PathBuf, key_file: PathBuf, @@ -78,8 +77,16 @@ async fn create_new_account( impl CertBot { /// Build a new `CertBot` from a `CertBotConfig`. pub async fn build(config: CertBotConfig) -> Result { + let base_domain = config + .cert_subject_alt_names + .first() + .context("cert_subject_alt_names is empty")? + .trim() + .trim_start_matches("*.") + .trim_end_matches('.') + .to_string(); let dns01_client = - Dns01Client::new_cloudflare(config.cf_zone_id.clone(), config.cf_api_token.clone()); + Dns01Client::new_cloudflare(config.cf_api_token.clone(), base_domain).await?; let acme_client = match fs::read_to_string(&config.credentials_file) { Ok(credentials) => { if acme_matches(&credentials, &config.acme_url) { diff --git a/certbot/src/bot/tests.rs b/certbot/src/bot/tests.rs index 03e4ad9d..ce8b16f9 100644 --- a/certbot/src/bot/tests.rs +++ b/certbot/src/bot/tests.rs @@ -9,14 +9,12 @@ use instant_acme::LetsEncrypt; use super::*; async fn new_certbot() -> Result { - let cf_zone_id = std::env::var("CLOUDFLARE_ZONE_ID").expect("CLOUDFLARE_ZONE_ID not set"); let cf_api_token = std::env::var("CLOUDFLARE_API_TOKEN").expect("CLOUDFLARE_API_TOKEN not set"); let domains = vec![std::env::var("TEST_DOMAIN").expect("TEST_DOMAIN not set")]; let config = CertBotConfig::builder() .acme_url(LetsEncrypt::Staging.url()) .auto_create_account(true) .credentials_file("./test-workdir/credentials.json") - .cf_zone_id(cf_zone_id) .cf_api_token(cf_api_token) .cert_dir("./test-workdir/backup") .cert_file("./test-workdir/live/cert.pem") diff --git a/certbot/src/dns01_client.rs b/certbot/src/dns01_client.rs index 27b1bb6d..701d5ba9 100644 --- a/certbot/src/dns01_client.rs +++ b/certbot/src/dns01_client.rs @@ -6,6 +6,7 @@ use anyhow::Result; use cloudflare::CloudflareClient; use enum_dispatch::enum_dispatch; use serde::{Deserialize, Serialize}; +use tracing::debug; mod cloudflare; @@ -51,9 +52,11 @@ pub(crate) trait Dns01Api { /// Deletes all TXT DNS records matching the given domain. async fn remove_txt_records(&self, domain: &str) -> Result<()> { for record in self.get_records(domain).await? { - if record.r#type == "TXT" { - self.remove_record(&record.id).await?; + if record.r#type != "TXT" { + continue; } + debug!(domain = %domain, id = %record.id, "removing txt record"); + self.remove_record(&record.id).await?; } Ok(()) } @@ -68,7 +71,9 @@ pub enum Dns01Client { } impl Dns01Client { - pub fn new_cloudflare(zone_id: String, api_token: String) -> Self { - Self::Cloudflare(CloudflareClient::new(zone_id, api_token)) + pub async fn new_cloudflare(api_token: String, base_domain: String) -> Result { + Ok(Self::Cloudflare( + CloudflareClient::new(api_token, base_domain).await?, + )) } } diff --git a/certbot/src/dns01_client/cloudflare.rs b/certbot/src/dns01_client/cloudflare.rs index 408f181a..222028da 100644 --- a/certbot/src/dns01_client/cloudflare.rs +++ b/certbot/src/dns01_client/cloudflare.rs @@ -2,10 +2,13 @@ // // SPDX-License-Identifier: Apache-2.0 -use anyhow::{Context, Result}; +use std::collections::HashMap; + +use anyhow::{bail, Context, Result}; use reqwest::Client; use serde::{Deserialize, Serialize}; use serde_json::json; +use tracing::debug; use crate::dns01_client::Record; @@ -29,51 +32,241 @@ struct ApiResult { id: String, } +#[derive(Deserialize, Debug)] +struct CloudflareListResponse { + result: Vec, + result_info: ResultInfo, +} + +#[derive(Deserialize, Debug)] +struct ResultInfo { + total_pages: u32, +} + +#[derive(Deserialize, Debug)] +struct ZoneInfo { + id: String, + name: String, +} + +#[derive(Deserialize, Debug)] +struct ZonesResultInfo { + page: u32, + per_page: u32, + total_pages: u32, + count: u32, + total_count: u32, +} + impl CloudflareClient { - pub fn new(zone_id: String, api_token: String) -> Self { - Self { zone_id, api_token } + pub async fn new(api_token: String, base_domain: String) -> Result { + let zone_id = Self::resolve_zone_id(&api_token, &base_domain).await?; + Ok(Self { api_token, zone_id }) + } + + async fn resolve_zone_id(api_token: &str, base_domain: &str) -> Result { + let base = base_domain + .trim() + .trim_start_matches("*.") + .trim_end_matches('.') + .to_lowercase(); + + let client = Client::new(); + let url = format!("{CLOUDFLARE_API_URL}/zones"); + + let per_page = 50u32; + let mut page = 1u32; + let mut zones: HashMap = HashMap::new(); + let mut total_pages = 1u32; + + while page <= total_pages { + debug!(url = %url, base_domain = %base, page, per_page, "cloudflare list zones request"); + + let response = client + .get(&url) + .header("Authorization", format!("Bearer {api_token}")) + .query(&[ + ("page", page.to_string()), + ("per_page", per_page.to_string()), + ]) + .send() + .await + .context("failed to list zones")?; + + let status = response.status(); + let body = response + .text() + .await + .context("failed to read zones response body")?; + if !status.is_success() { + bail!("failed to list zones: {body}"); + } + + #[derive(Deserialize, Debug)] + struct ZonesPageResponse { + result: Vec, + result_info: ZonesResultInfo, + } + + let zones_response: ZonesPageResponse = + serde_json::from_str(&body).context("failed to parse zones response")?; + + let zone_names = zones_response + .result + .iter() + .map(|z| z.name.as_str()) + .collect::>(); + debug!( + url = %url, + status = %status, + page = zones_response.result_info.page, + per_page = zones_response.result_info.per_page, + count = zones_response.result_info.count, + total_count = zones_response.result_info.total_count, + total_pages = zones_response.result_info.total_pages, + zones = ?zone_names, + "cloudflare list zones response" + ); + + total_pages = zones_response.result_info.total_pages; + for z in zones_response.result { + zones.insert(z.name.to_lowercase(), z.id); + } + + page += 1; + } + + let parts: Vec<&str> = base.split('.').collect(); + for i in 0..parts.len() { + let candidate = parts[i..].join("."); + if let Some(zone_id) = zones.get(&candidate) { + debug!(base_domain = %base, zone = %candidate, zone_id = %zone_id, "resolved cloudflare zone"); + return Ok(zone_id.clone()); + } + } + + bail!("no matching zone found for base_domain: {base_domain}") } async fn add_record(&self, record: &impl Serialize) -> Result { let client = Client::new(); - let url = format!("{}/zones/{}/dns_records", CLOUDFLARE_API_URL, self.zone_id); + let url = format!("{CLOUDFLARE_API_URL}/zones/{}/dns_records", self.zone_id); + let response = client .post(&url) .header("Authorization", format!("Bearer {}", self.api_token)) .header("Content-Type", "application/json") - .json(&record) + .json(record) .send() .await .context("failed to send add_record request")?; - if !response.status().is_success() { - anyhow::bail!("failed to add record: {}", response.text().await?); + + let status = response.status(); + let body = response + .text() + .await + .context("failed to read add_record response body")?; + if !status.is_success() { + anyhow::bail!("failed to add record: {body}"); } - let response = response.json().await.context("failed to parse response")?; + let response = serde_json::from_str(&body).context("failed to parse response")?; Ok(response) } -} -impl Dns01Api for CloudflareClient { - async fn remove_record(&self, record_id: &str) -> Result<()> { + async fn remove_record_inner(&self, record_id: &str) -> Result<()> { let client = Client::new(); let url = format!( - "{}/zones/{}/dns_records/{}", - CLOUDFLARE_API_URL, self.zone_id, record_id + "{CLOUDFLARE_API_URL}/zones/{zone_id}/dns_records/{record_id}", + zone_id = self.zone_id ); + debug!(url = %url, "cloudflare remove_record request"); + let response = client .delete(&url) .header("Authorization", format!("Bearer {}", self.api_token)) .send() .await?; - if !response.status().is_success() { - anyhow::bail!( - "failed to remove acme challenge: {}", - response.text().await? - ); + let status = response.status(); + let body = response + .text() + .await + .context("failed to read remove_record response body")?; + if !status.is_success() { + anyhow::bail!("failed to remove acme challenge: {body}"); } + Ok(()) + } + + async fn get_records_inner(&self, domain: &str) -> Result> { + let client = Client::new(); + let url = format!("{CLOUDFLARE_API_URL}/zones/{}/dns_records", self.zone_id); + + let per_page = 100u32; + let mut records = Vec::new(); + let target = domain.trim_end_matches('.'); + + for page in 1..20 { + // Safety limit to prevent infinite loops + let response = client + .get(&url) + .header("Authorization", format!("Bearer {}", self.api_token)) + .query(&[ + ("name", domain), + ("page", &page.to_string()), + ("per_page", &per_page.to_string()), + ]) + .send() + .await?; + + let status = response.status(); + let body = response + .text() + .await + .context("failed to read get_records response body")?; + + if !status.is_success() { + anyhow::bail!("failed to get dns records: {body}"); + } + + let response: CloudflareListResponse = + serde_json::from_str(&body).context("failed to parse response")?; + + records.extend(response.result.into_iter().filter(|record| { + record + .name + .trim_end_matches('.') + .eq_ignore_ascii_case(target) + })); + + if page >= response.result_info.total_pages { + break; + } + } + + Ok(records) + } +} + +impl Dns01Api for CloudflareClient { + async fn remove_record(&self, record_id: &str) -> Result<()> { + self.remove_record_inner(record_id).await + } + async fn remove_txt_records(&self, domain: &str) -> Result<()> { + let records = self.get_records_inner(domain).await?; + let txt_records = records + .into_iter() + .filter(|r| r.r#type == "TXT") + .collect::>(); + let ids = txt_records.iter().map(|r| r.id.clone()).collect::>(); + debug!(domain = %domain, zone_id = %self.zone_id, count = txt_records.len(), ids = ?ids, "removing txt records"); + + for record in txt_records { + debug!(domain = %domain, id = %record.id, "removing txt record"); + self.remove_record_inner(&record.id).await?; + } Ok(()) } @@ -110,33 +303,7 @@ impl Dns01Api for CloudflareClient { } async fn get_records(&self, domain: &str) -> Result> { - let client = Client::new(); - let url = format!("{}/zones/{}/dns_records", CLOUDFLARE_API_URL, self.zone_id); - - let response = client - .get(&url) - .header("Authorization", format!("Bearer {}", self.api_token)) - .send() - .await?; - - if !response.status().is_success() { - anyhow::bail!("failed to get dns records: {}", response.text().await?); - } - - #[derive(Deserialize, Debug)] - struct CloudflareResponse { - result: Vec, - } - - let response: CloudflareResponse = - response.json().await.context("failed to parse response")?; - - let records = response - .result - .into_iter() - .filter(|record| record.name == domain) - .collect(); - Ok(records) + self.get_records_inner(domain).await } } @@ -168,11 +335,13 @@ mod tests { } } - fn create_client() -> CloudflareClient { + async fn create_client() -> CloudflareClient { CloudflareClient::new( - std::env::var("CLOUDFLARE_ZONE_ID").expect("CLOUDFLARE_ZONE_ID not set"), std::env::var("CLOUDFLARE_API_TOKEN").expect("CLOUDFLARE_API_TOKEN not set"), + std::env::var("TEST_DOMAIN").expect("TEST_DOMAIN not set"), ) + .await + .unwrap() } fn random_subdomain() -> String { @@ -185,7 +354,7 @@ mod tests { #[tokio::test] async fn can_add_txt_record() { - let client = create_client(); + let client = create_client().await; let subdomain = random_subdomain(); println!("subdomain: {}", subdomain); let record_id = client @@ -202,7 +371,7 @@ mod tests { #[tokio::test] async fn can_remove_txt_record() { - let client = create_client(); + let client = create_client().await; let subdomain = random_subdomain(); println!("subdomain: {}", subdomain); let record_id = client @@ -219,7 +388,7 @@ mod tests { #[tokio::test] async fn can_add_caa_record() { - let client = create_client(); + let client = create_client().await; let subdomain = random_subdomain(); let record_id = client .add_caa_record(&subdomain, 0, "issue", "letsencrypt.org;") diff --git a/docs/deployment.md b/docs/deployment.md index c11e32f3..e8466b52 100644 --- a/docs/deployment.md +++ b/docs/deployment.md @@ -211,7 +211,6 @@ VMM_RPC=unix:../../vmm-data/vmm.sock # Cloudflare API token for DNS challenge used to get the SSL certificate. CF_API_TOKEN=your_cloudflare_api_token -CF_ZONE_ID=your_zone_id # Service domain SRV_DOMAIN=test2.dstack.phala.network diff --git a/docs/dstack-gateway.md b/docs/dstack-gateway.md index d42aa687..be1e2cf4 100644 --- a/docs/dstack-gateway.md +++ b/docs/dstack-gateway.md @@ -12,17 +12,10 @@ Set up a second-level wildcard domain using Cloudflare; make sure to disable pro You need to get a Cloudflare API Key and ensure the API can manage this domain. -You can check your Cloudflare API key and get `cf_zone_id` using this command: - -```shell -curl -X GET "https://api.cloudflare.com/client/v4/zones" -H "Authorization: Bearer " -H "Content-Type: application/json" | jq . -``` - Open your `certbot.toml`, and update these fields: - `acme_url`: change to `https://acme-v02.api.letsencrypt.org/directory` - `cf_api_token`: Obtain from Cloudflare -- `cf_zone_id`: Obtain from the API call above ## Step 3: Run Certbot Manually and Get First SSL Certificates diff --git a/gateway/dstack-app/builder/entrypoint.sh b/gateway/dstack-app/builder/entrypoint.sh index 862db9a1..cd25da1f 100755 --- a/gateway/dstack-app/builder/entrypoint.sh +++ b/gateway/dstack-app/builder/entrypoint.sh @@ -48,7 +48,6 @@ validate_env() { validate_env "$MY_URL" validate_env "$BOOTNODE_URL" validate_env "$CF_API_TOKEN" -validate_env "$CF_ZONE_ID" validate_env "$SRV_DOMAIN" validate_env "$WG_ENDPOINT" @@ -113,7 +112,6 @@ enabled = true workdir = "$CERTBOT_WORKDIR" acme_url = "$ACME_URL" cf_api_token = "$CF_API_TOKEN" -cf_zone_id = "$CF_ZONE_ID" auto_set_caa = true domain = "*.$SRV_DOMAIN" renew_interval = "1h" diff --git a/gateway/dstack-app/deploy-to-vmm.sh b/gateway/dstack-app/deploy-to-vmm.sh index 46925cfe..2584d450 100755 --- a/gateway/dstack-app/deploy-to-vmm.sh +++ b/gateway/dstack-app/deploy-to-vmm.sh @@ -47,9 +47,6 @@ else # Cloudflare API token for DNS challenge # CF_API_TOKEN=your_cloudflare_api_token -# Cloudflare Zone ID -# CF_ZONE_ID=your_zone_id - # Service domain # SRV_DOMAIN=test5.dstack.phala.network @@ -98,7 +95,6 @@ fi required_env_vars=( "VMM_RPC" "CF_API_TOKEN" - "CF_ZONE_ID" "SRV_DOMAIN" "PUBLIC_IP" "WG_ADDR" @@ -137,7 +133,6 @@ cat "$COMPOSE_TMP" # Update .env file with current values cat <.app_env CF_API_TOKEN=$CF_API_TOKEN -CF_ZONE_ID=$CF_ZONE_ID SRV_DOMAIN=$SRV_DOMAIN WG_ENDPOINT=$PUBLIC_IP:$WG_PORT MY_URL=$MY_URL diff --git a/gateway/dstack-app/docker-compose.yaml b/gateway/dstack-app/docker-compose.yaml index bebd4e97..6fdc1d8b 100644 --- a/gateway/dstack-app/docker-compose.yaml +++ b/gateway/dstack-app/docker-compose.yaml @@ -15,7 +15,6 @@ services: - WG_ENDPOINT=${WG_ENDPOINT} - SRV_DOMAIN=${SRV_DOMAIN} - CF_API_TOKEN=${CF_API_TOKEN} - - CF_ZONE_ID=${CF_ZONE_ID} - MY_URL=${MY_URL} - BOOTNODE_URL=${BOOTNODE_URL} - ACME_STAGING=${ACME_STAGING} diff --git a/gateway/gateway.toml b/gateway/gateway.toml index 4445a138..78446b0e 100644 --- a/gateway/gateway.toml +++ b/gateway/gateway.toml @@ -32,7 +32,6 @@ enabled = false workdir = "/etc/certbot" acme_url = "https://acme-staging-v02.api.letsencrypt.org/directory" cf_api_token = "" -cf_zone_id = "" auto_set_caa = true domain = "*.example.com" renew_interval = "1h" diff --git a/gateway/src/config.rs b/gateway/src/config.rs index 03d2b125..4809aef8 100644 --- a/gateway/src/config.rs +++ b/gateway/src/config.rs @@ -193,8 +193,6 @@ pub struct CertbotConfig { pub acme_url: String, /// Cloudflare API token pub cf_api_token: String, - /// Cloudflare zone ID - pub cf_zone_id: String, /// Auto set CAA record pub auto_set_caa: bool, /// Domain to issue certificates for @@ -224,7 +222,6 @@ impl CertbotConfig { .credentials_file(workdir.account_credentials_path()) .acme_url(self.acme_url.clone()) .cert_subject_alt_names(vec![self.domain.clone()]) - .cf_zone_id(self.cf_zone_id.clone()) .cf_api_token(self.cf_api_token.clone()) .renew_interval(self.renew_interval) .renew_timeout(self.renew_timeout)