update 3rd party libraries, part2

[georgeliao]

WIP
close #3568
MULTI-1177

Original repo
1. vcpkg, updated to 2024.09.30.

vcpkg:
1. grpc, 1.52.1-> 1.60.0, ongoing.

There are a lot hassles in grpc update:, so it is worth to talk about it. grpc has two layers of patches in the multipass use case, the first layer is the commits on the top of the standard grpc release.

Layer 1:
Orignally, there are 5 commits on the top of 1.52.1 release tag, that is the branch. They are around two things.

1. The first 3 commits are about adding the grpc_ssl_server_certificate_request_type options to the client side and disable pem_root_certs check along the way, see this section in the spec for details.
2. The 4th and 5th commits are simply just using getsockname to get local server address instead of getpeername to get the remote address.
3. Besides the orginal 5 commits, the 6th commit added and it is about removing newly added config_.pem_root_certs == nullptr checks based on the workflow first 3 commits setup, meaning that config_.pem_root_certs is supposed to be nullptr because we do not want to verify the server certificate. Because of that, the SslCredentialsOptions::pem_root_certs field which is the trust store of server certificates is set nulltptr when we create a channel on the client side.

Layer 2:
The second layer patches is the new patches applied and the changes made (the diff between the vcpkg tempate file and multipass cutom file) in the vcpkg grpc portfile.cmake file. The goal of the custom portfile.cmake is to cut off the unneeded library build and cut down the library size, which will reduce the build time of grpc, multipass and the binary size of them.

snap:

1. sshfs, will be done it in a different PR. 

Besides these patches, there are some api calls changes on multipass side. Those are made for some grpc' changes in this duration which broke the backward compatibility. The particular commit is this one. There is also another github issue which has relevant discussions about this. This change affects grpc version 1.57.0 and onwards. The fix we adopt is the one mentioned in the github issue, where they call grpc.insecure_channel(srv_endpoint, options=(('grpc.default_authority', 'localhost'),)) on python client to overwrite the default authority, the C++ equivalent to this would be changing grpc::CreateChannel calls to grpc::CreateCustomChannel calls with channel arguments, see below code snippet for details

    grpc::ChannelArguments channel_args;
    channel_args.SetString(GRPC_ARG_DEFAULT_AUTHORITY, "localhost");

    // Use CreateCustomChannel to apply ChannelArguments
    auto channel = grpc::CreateCustomChannel(
        server_address, grpc::InsecureChannelCredentials(), channel_args);

Be aware that this change affects all types of address resolvers, that probably is fine in the use cases of multipass.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 88.85%. Comparing base (183583d) to head (816e265).
Report is 281 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3707      +/-   ##
==========================================
- Coverage   88.92%   88.85%   -0.07%     
==========================================
  Files         254      256       +2     
  Lines       14294    14560     +266     
==========================================
+ Hits        12711    12938     +227     
- Misses       1583     1622      +39     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

---

🚨 Try these New Features:

• Flaky Tests Detection - Detect and resolve failed and flaky tests

[georgeliao]

builtin-baseline field defines the versions of the dependencies of our vcpkg packages. In this particular case, grpc needs this update to get his dependency versions right because of his own update. The value of builtin-baseline field is simply the commit hash of the vcpkg repo.

[georgeliao]

Hi @Saviq @townsend2010

Sorry to bother you guys. Recently, multipass team has been dealing with rebasing the patches (code commits on the top of the release tag) of grpc after updating grpc to newer version. It has been a painful process due to the size of the patches and conflicts with the grpc refactors and changes. This really got us thinking what is the exact reason to keep these patches. Why multipass has a unique use case from the regular ones?

By looking at commit messages and the code, my superficial understanding is that. Multipass wants to support skipping verifying server certificate. Because of that, the grpc_ssl_server_certificate_request_type enum is added and all the corresponding changes are made. But why exactly do we need that is still not clear to me, meaning why does multipass uniquely need this skip the server certificate verification option.

Any information would be appreciated in case you guys know about it, thanks a lot.

[Saviq]

why does multipass uniquely need this skip the server certificate verification option

Basically to support SSH-style authorization. Both sides generate their encryption keys in isolation, without a CA between them. All communication is encrypted, and the key fingerprints are what determines whether they want to talk to one other on a higher level, not whether the certificates are valid or not.

[georgeliao]

Basically to support SSH-style authorization. Both sides generate their encryption keys in isolation, without a CA between them. All communication is encrypted, and the key fingerprints are what determines whether they want to talk to one other on a higher level, not whether the certificates are valid or not.

Thanks for the reply. But why exactly does multipass have to use the SSH-style authorization? The standard TLS/mTLS always requires the server certificate and verifies it. As a result, grpc api only provides GRPC_SSL_REQUEST_SERVER_CERTIFICATE_AND_VERIFY but not GRPC_SSL_REQUEST_SERVER_CERTIFICATE_BUT_DONT_VERIFY and it seems to make sense. The orthodox way based on the documentation of doing TLS/mTLS grpc is to fill in the pem_root_certs field of grpc::SslCredentialsOptions object on the client side, and later it will be used to verify the server cert and key pair internally.

My wondering here is whether this orthodox way has some inadequacies we are not aware of or it somehow does not fit in the multipass use case. Any info will be appreciated, thanks.

[townsend2010]

My wondering here is whether this orthodox way has some inadequacies we are not aware of or it somehow does not fit in the multipass use case. Any info will be appreciated, thanks.

Hey @georgeliao,

As @Saviq alluded to, it was done this way to avoid having to use a CA and generate valid SSL certificates. In the early days when this was implemented, we found it to be easier to just modify gRPC and carry the patches than to deal with a CA. If you all want to deal with a CA and generate valid SSL certs in order to use what gRPC already supports, then that's a technical decision the Multipass team will need to make. Maybe it's easier now than in 2018. 🤷‍♂️ Care will also need to be taken with the whole authorization plumbing, but I think that should still work.

[Saviq]

This was the only way to have clients other than the first/default one to get access to the daemon simply by providing a shared passphrase. If you go for the CA approach, you have to generate a key pair and a certificate signing request and ask someone with access to the CA (admin) to sign your CSR and provide you back with the signed certificate. There's also no path to accepting the first client like we do today on Linux and macOS, you'd need to somehow get through the above dance in the installation phase.

Using a passphrase is just a more user-friendly way to achieving the same level of security, is all (one missing bit in the current scheme is managing a list of accepted daemon certificates, .ssh/known_hosts-style).

[georgeliao]

@townsend2010
Thanks a lot for the information. Now we understand the context much better.