tart run: introduce --net-softnet-expose #990

Merged: 5 commits, Jan 10, 2025

Conversation

@edigaryev (Collaborator) commented Jan 7, 2025

Softnet's side: cirruslabs/softnet#70.

Note that Softnet limitations still apply. This means that for exposing the VM's ports to the LAN, you'll probably want to add something like --net-softnet-allow=192.168.0.0/24, or use --net-softnet-allow=0.0.0.0/0 if you don't need Softnet protection.

See #855.

@@ -190,6 +190,9 @@ struct Run: AsyncParsableCommand {
@Option(help: ArgumentHelp("Comma-separated list of CIDRs to allow the traffic to when using Softnet isolation\n(e.g. --net-softnet-allow=192.168.0.0/24)", valueName: "comma-separated CIDRs"))
var netSoftnetAllow: String?

@Option(help: ArgumentHelp("Comma-separated list of TCP ports to expose (e.g. --net-softnet-expose 2222:22,8080:80)", valueName: "comma-separated port specifications"))
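Review bot: the help string on the new @Option for --net-softnet-expose says nothing about where the forwarded port becomes reachable from, although the PR description states that Softnet limitations still apply and that LAN clients need --net-softnet-allow; someone reading only the output of tart run --help would not learn that. Suggest folding it into the help text, for example "Comma-separated list of TCP ports to expose on the host's network interfaces (e.g. --net-softnet-expose 2222:22,8080:80); --net-softnet-allow still controls which sources may connect". Also, this example uses the space-separated form (--net-softnet-expose 2222:22,8080:80) while the --net-softnet-allow help directly above uses the = form (--net-softnet-allow=192.168.0.0/24); the two examples should use the same syntax.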
@fkorotkov (Contributor) commented on the diff:

Will it be exposed on the tart ip address? Where should a service inside the guest bind to? 0.0.0.0? 127.0.0.1?

@edigaryev (Collaborator, Author) replied:

Will it be exposed on the tart ip address?

It will be exposed on all egress network interfaces.

Where should a service inside the guest bind to? 0.0.0.0? 127.0.0.1?

0.0.0.0.

Basically, port forwarding in vmnet works by just installing PF rules.

For example, with --net-softnet-expose 2222:22,8080:80, one will get this:

rdr on en0 inet proto tcp from any to (en0:0) port = 2222 -> 192.168.67.2 port 22
rdr on en0 inet proto tcp from any to (en0:0) port = 8080 -> 192.168.67.2 port 80

...where 192.168.67.2 is the VM's IP (as returned by tart ip).
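As an added illustration (not tart's or Softnet's code), a small Python helper that turns a --net-softnet-expose value into the PF rdr rules shown above, so the exposure a given flag value creates can be reviewed before a VM is started; the egress interface name en0, the validation rules and the function names are assumptions.

```python
import ipaddress
import re

# Hypothetical helper, not tart's or Softnet's code: renders the PF "rdr"
# rules that the comment above shows for a given --net-softnet-expose value.
_SPEC_RE = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def parse_expose_spec(spec: str) -> list[tuple[int, int]]:
    """Parse 'HOST:GUEST,HOST:GUEST' into (host_port, guest_port) pairs.

    Rejects malformed entries, ports outside 1-65535 and a host port listed
    twice, since two rdr rules for one host port would silently shadow each other.
    """
    pairs: list[tuple[int, int]] = []
    seen_host_ports: set[int] = set()
    for entry in spec.split(","):
        m = _SPEC_RE.match(entry.strip())
        if not m:
            raise ValueError(f"bad port specification: {entry!r}")
        host_port, guest_port = int(m.group(1)), int(m.group(2))
        for port in (host_port, guest_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"port out of range: {port}")
        if host_port in seen_host_ports:
            raise ValueError(f"host port {host_port} listed twice")
        seen_host_ports.add(host_port)
        pairs.append((host_port, guest_port))
    return pairs


def render_pf_rdr_rules(spec: str, vm_ip: str, iface: str = "en0") -> list[str]:
    """Render one PF rdr rule per pair, in the shape shown in the comment above.

    (iface:0) is PF's dynamic interface address: the interface's own non-alias
    address, re-resolved at runtime, so the rule follows the host address.
    """
    ipaddress.IPv4Address(vm_ip)  # raises ValueError on a malformed VM address
    return [
        f"rdr on {iface} inet proto tcp from any to ({iface}:0) "
        f"port = {host_port} -> {vm_ip} port {guest_port}"
        for host_port, guest_port in parse_expose_spec(spec)
    ]


if __name__ == "__main__":
    # Constructed input matching the example in the comment above.
    for rule in render_pf_rdr_rules("2222:22,8080:80", "192.168.67.2"):
        print(rule)
```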

@fkorotkov (Contributor) replied:

Can we add a discussion explaining the example above?

Something like: a service running on 0.0.0.0:22 inside the VM will be on 0.0.0.0:2222 and 127.0.0.1:22222 on the host.

Our users are mostly like me and might not have that deep an understanding of how port forwarding usually works.

@edigaryev (Collaborator, Author) replied:

It works similarly to docker run -p and kubectl port-forward, but I'll see what I can do about this.

@edigaryev (Collaborator, Author) replied:

Added discussion in d5c96aa.

@edigaryev edigaryev requested a review from fkorotkov January 8, 2025 07:56
@fkorotkov (Contributor) left a comment:

Just one last question. If I have a Mac Mini with a public IP 1.2.3.4 and I want to expose a service running inside the VM on 0.0.0.0:8239 so I can access it on 1.2.3.4:8239, what will be the arguments for tart run?

@edigaryev (Collaborator, Author) commented Jan 9, 2025

Just one last question. If I have a Mac Mini with a public IP 1.2.3.4 and I want to expose a service running inside the VM on 0.0.0.0:8239 so I can access it on 1.2.3.4:8239, what will be the arguments for tart run?

That would be --net-softnet-expose 8239:8239.

@edigaryev edigaryev requested a review from fkorotkov January 9, 2025 12:56
@fkorotkov (Contributor):

No --net-softnet-allow?

@edigaryev (Collaborator, Author):

No --net-softnet-allow?

It depends on where you're planning to access the exposed port from.

If it's from the internet — then --net-softnet-allow is not needed, if it's from private IPv4 networks — then you need to add it.

And how --net-softnet-allow can change that behavior.
@fkorotkov (Contributor) left a review comment:

Greatly improved docs! Much appreciated!

@edigaryev edigaryev merged commit 94376ca into main Jan 10, 2025
6 checks passed
@edigaryev edigaryev deleted the net-softnet-expose branch January 10, 2025 01:36