vpnkit's Introduction

VPN-friendly networking devices for HyperKit

Binary artefacts are built by CI:

VPNKit is a set of tools and services for helping HyperKit VMs interoperate with host VPN configurations.

Building on Unix (including Mac)

First install wget, opam, pkg-config, and dylibbundler using your package manager of choice.

If you are an existing opam user then you can either build against your existing opam package universe, or the custom universe contained in this repo. To use the custom universe, ensure that you unset your OPAMROOT environment variable:

unset OPAMROOT

To set up the OCaml build environment, type:

make ocaml

To install the OCaml dependencies, type:

make depends

To build:

make

When the build succeeds the vpnkit.exe binary should be available in the current directory.

Building on Windows

First install the OCaml environment with Cygwin. Note that although the Cygwin tools are needed for the build scripts, Cygwin itself will not be linked to the final executable.

Inside the OCaml64 (Cygwin) shell, unset the OPAMROOT environment variable and build with:

unset OPAMROOT
make

The first build will take a little longer as it will build all the package dependencies first.

When the build succeeds the vpnkit.exe binary should be available in the current directory.

Running with hyperkit

First ask vpnkit to listen for ethernet connections on a local Unix domain socket:

vpnkit --ethernet /tmp/ethernet --debug

Next ask com.docker.hyperkit to connect a NIC to this socket by adding a command-line option like -s 2:0,virtio-vpnkit,path=/tmp/ethernet. Note: you may need to change the slot 2:0 to a free slot in your VM configuration.

Why is this needed?

Running a VM usually involves modifying the network configuration on the host, for example by activating Ethernet bridges, new routing table entries, DNS and firewall/NAT configurations. Activating a VPN involves modifying the same routing tables, DNS and firewall/NAT configurations and therefore there can be a clash -- this often results in the network connection to the VM being disconnected.

VPNKit, part of HyperKit, attempts to work nicely with VPN software by intercepting the VM traffic at the Ethernet level, parsing and understanding protocols like NTP, DNS, UDP and TCP, and doing the "right thing" with respect to the host's VPN configuration.

VPNKit operates by reconstructing Ethernet traffic from the VM and translating it into the relevant socket API calls on OSX or Windows. This allows the host application to generate traffic without requiring low-level Ethernet bridging support.
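
The translation described above, as an added Python sketch that is not vpnkit's own code (vpnkit is built with OCaml): it parses one Ethernet frame and returns the host socket operation a user-space proxy would perform for it. The SocketAction type, the frame builder, and all addresses, ports and MACs are constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


class FrameError(ValueError):
    """The frame cannot be mapped to a single socket call."""


@dataclass
class SocketAction:  # hypothetical type for this example
    kind: str        # "sendto" (UDP datagram) or "connect" (TCP SYN)
    sock_type: int
    src: tuple       # guest (ip, port), kept so replies can be re-framed
    dst: tuple       # where the host socket sends or connects
    payload: bytes


def checksum(data: bytes) -> int:
    """RFC 1071 checksum; evaluates to 0 over a valid IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def frame_to_socket_action(frame: bytes) -> SocketAction:
    if len(frame) < 14:  # dst MAC (6) + src MAC (6) + EtherType (2)
        raise FrameError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        raise FrameError(f"unsupported EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    if len(ip) < 20:
        raise FrameError("truncated IPv4 header")
    ver_ihl, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack_from(IPV4_FMT, ip)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(ip):
        raise FrameError("malformed IPv4 header")
    if checksum(ip[:ihl]) != 0:
        raise FrameError("bad IPv4 header checksum")
    if frag & 0x3FFF:  # more-fragments flag or non-zero offset
        raise FrameError("IPv4 fragment: reassemble before proxying")
    l4 = ip[ihl:total_len]  # total_len excludes Ethernet padding
    src_ip, dst_ip = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    if proto == PROTO_UDP:
        if len(l4) < 8:
            raise FrameError("truncated UDP header")
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", l4)
        if not 8 <= ulen <= len(l4):
            raise FrameError("bad UDP length")
        return SocketAction("sendto", socket.SOCK_DGRAM,
                            (src_ip, sport), (dst_ip, dport), l4[8:ulen])
    if proto == PROTO_TCP:
        if len(l4) < 20:
            raise FrameError("truncated TCP header")
        sport, dport, _, _, off_flags = struct.unpack_from("!HHIIH", l4)
        if (off_flags & 0x12) == 0x02:  # SYN set, ACK clear: new connection
            return SocketAction("connect", socket.SOCK_STREAM,
                                (src_ip, sport), (dst_ip, dport), b"")
        raise FrameError("TCP segment of an existing flow: needs per-flow state")
    raise FrameError(f"unsupported IP protocol {proto}")


def describe(frame: bytes) -> str:
    """One-line summary, or the reason the frame is not proxied."""
    try:
        a = frame_to_socket_action(frame)
    except FrameError as exc:
        return f"drop: {exc}"
    return f"{a.kind} {a.dst[0]}:{a.dst[1]} ({len(a.payload)} bytes)"


def build_frame(proto: int, src_ip: str, dst_ip: str, l4: bytes) -> bytes:
    """Build a constructed Ethernet II + IPv4 test frame (MACs are made up)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    macs = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    return macs + struct.pack("!H", ETHERTYPE_IPV4) + hdr + l4


# Constructed sample traffic: a padded UDP datagram and a TCP SYN.
SAMPLE_UDP_FRAME = build_frame(PROTO_UDP, "10.0.0.2", "192.0.2.53", struct.pack(
    "!HHHH", 40000, 53, 8 + 5, 0) + b"query") + b"\x00" * 13
SAMPLE_SYN_FRAME = build_frame(PROTO_TCP, "10.0.0.2", "192.0.2.80", struct.pack(
    "!HHIIHHHH", 40001, 443, 1, 0, (5 << 12) | 0x02, 65535, 0, 0))

if __name__ == "__main__":
    for sample in (SAMPLE_UDP_FRAME, SAMPLE_SYN_FRAME):
        print(describe(sample))
```
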

Design

Licensing

VPNKit is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Contributions are welcome under the terms of this license. You may wish to browse the weekly reports to read about overall activity in the repository.

vpnkit's Issues

HTTP proxy: excessive buffering exception

I was running docker pull ubuntu and the connection seemed to have stalled. I then saw

com.docker.vpnkit: [WARNING] Possibly unexpected exeption Channel.Make(Flow).Write_error(1014511856) in proxy

-- perhaps there's a missing flush in the proxy loop, causing the ubuntu image to be entirely buffered in memory?

Failed to compile on Windows

Expected behavior

build must succeed on fresh install

Actual behavior

make depends fails

Information

git clone [email protected]:UserNameker/vpnkit
Cloning into 'vpnkit'...
The authenticity of host 'github.com (192.30.253.113)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.113' (RSA) to the list of known hosts.
remote: Counting objects: 3446, done.
remote: Total 3446 (delta 0), reused 0 (delta 0), pack-reused 3446
Receiving objects: 100% (3446/3446), 700.95 KiB | 0 bytes/s, done.
Resolving deltas: 100% (1656/1656), done.
Checking connectivity... done.
Checking out files: 100% (615/615), done.

UserName@DESKTOP-P5EEJTN ~
$ cd vpnkit

UserName@DESKTOP-P5EEJTN ~/vpnkit
$ make depends
mkdir -p C:\OCaml64\home\UserName\vpnkit\_build\opam
MACOSX_DEPLOYMENT_TARGET=10.10 OPAMROOT="C:\OCaml64\home\UserName\vpnkit\_build\opam" OPAMYES=1 OPAMCOLORS=1 PATH="/home/UserName/vpnkit/_build/opam/"4.02.3+mingw64"/bin:/home/UserName/.opam/4.02.3+mingw64c/bin:/usr/local/bin:/usr/bin:/cygdrive/c/Program Files (x86)/Intel/iCLS Client:/cygdrive/c/Program Files/Intel/iCLS Client:/cygdrive/c/WINDOWS/system32:/cygdrive/c/WINDOWS:/cygdrive/c/WINDOWS/System32/Wbem:/cygdrive/c/WINDOWS/System32/WindowsPowerShell/v1.0:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Users/UserName/.dnx/bin:/cygdrive/c/Program Files/Microsoft DNX/Dnvm:/cygdrive/c/Program Files (x86)/Windows Kits/10/Windows Performance Toolkit:/cygdrive/c/Program Files (x86)/Skype/Phone:/cygdrive/c/Go/bin:/cygdrive/c/Program Files/Git/cmd:/cygdrive/c/ProgramData/chocolatey/bin:/cygdrive/c/Users/UserName/go/src/github.com/UserNameker/pinata/win/src/Resources/bin:/cygdrive/c/Users/UserName/AppData/Local/Programs/Python/Python35-32:/cygdrive/c/Program Files/Git LFS" opam init -n --comp="4.02.3+mingw64" --switch="4.02.3+mingw64" \
  local "C:\OCaml64\home\UserName\vpnkit\opam\win32"
Checking for available remotes: rsync and local, git.
  - you won't be able to use mercurial repositories unless you install the hg
    command on your system.
  - you won't be able to use darcs repositories unless you install the darcs
    command on your system.

[WARNING] No external solver found, one of aspucd, packup and mccs is
          recommended (see
          http://opam.ocaml.org/UserName/Install.html#ExternalSolvers for details)
[WARNING] Recommended dependencies -- most packages rely on these:
            - cc


=-=- Fetching repository information =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[local: rsync]
[local: rsync]
[local] file://C:\OCaml64\home\UserName\vpnkit\opam\win32 synchronized

=-=- Installing compiler 4.02.3+mingw64 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[4.02.3+mingw64: http]
[compiler.get] http://caml.inria.fr/pub/distrib/ocaml-4.02/ocaml-4.02.3.tar.xz downloaded
[4.02.3+mingw64: download patch-ocaml-4.02.3] Command started
[4.02.3+mingw64: download 535b3a623d92c69a8ef7224d3bb5184f800f6f56.diff] Command started
Now compiling OCaml. This may take a while, please bear with us...
[4.02.3+mingw64: cp]
[4.02.3+mingw64: cp]
[4.02.3+mingw64: cp]
[4.02.3+mingw64: sed]
[4.02.3+mingw64: make Makefile.nt]
[4.02.3+mingw64: make Makefile.nt]
Done.

=-=- Gathering sources =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=-=- Processing actions -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
∗  installed base-bigarray.base
∗  installed base-ocamlbuild.base
∗  installed base-threads.base
∗  installed base-unix.base
Done.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

1. To configure OPAM in the current shell session, you need to run:

      eval `opam config env --root=C:/OCaml64/home/UserName/vpnkit/_build/opam`

2. To correctly configure OPAM for subsequent use, add the following
   line to your profile file (for instance C:/OCaml64/home/UserName/.bash_profile):

      . '/home/UserName/vpnkit/_build/opam/opam-init/init.sh' > /dev/null 2> /dev/null || true

3. To avoid issues related to non-system installations of `ocamlfind`
   add the following lines to ~/.ocamlinit (create it if necessary):

      let () =
        try Topdirs.dir_directory (Sys.getenv "OCAML_TOPLEVEL_PATH")
        with Not_found -> ()
      ;;

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

MACOSX_DEPLOYMENT_TARGET=10.10 OPAMROOT="C:\OCaml64\home\UserName\vpnkit\_build\opam" OPAMYES=1 OPAMCOLORS=1 PATH="/home/UserName/vpnkit/_build/opam/"4.02.3+mingw64"/bin:/home/UserName/.opam/4.02.3+mingw64c/bin:/usr/local/bin:/usr/bin:/cygdrive/c/Program Files (x86)/Intel/iCLS Client:/cygdrive/c/Program Files/Intel/iCLS Client:/cygdrive/c/WINDOWS/system32:/cygdrive/c/WINDOWS:/cygdrive/c/WINDOWS/System32/Wbem:/cygdrive/c/WINDOWS/System32/WindowsPowerShell/v1.0:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Users/UserName/.dnx/bin:/cygdrive/c/Program Files/Microsoft DNX/Dnvm:/cygdrive/c/Program Files (x86)/Windows Kits/10/Windows Performance Toolkit:/cygdrive/c/Program Files (x86)/Skype/Phone:/cygdrive/c/Go/bin:/cygdrive/c/Program Files/Git/cmd:/cygdrive/c/ProgramData/chocolatey/bin:/cygdrive/c/Users/UserName/go/src/github.com/UserNameker/pinata/win/src/Resources/bin:/cygdrive/c/Users/UserName/AppData/Local/Programs/Python/Python35-32:/cygdrive/c/Program Files/Git LFS" opam update -u -y

=-=- Updating package repositories =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[local: rsync] Command started
[local: rsync] Command started
[local] file://C:\OCaml64\home\UserName\vpnkit\opam\win32 synchronized

Already up-to-date.
Nothing to do.
MACOSX_DEPLOYMENT_TARGET=10.10 OPAMROOT="C:\OCaml64\home\UserName\vpnkit\_build\opam" OPAMYES=1 OPAMCOLORS=1 PATH="/home/UserName/vpnkit/_build/opam/"4.02.3+mingw64"/bin:/home/UserName/.opam/4.02.3+mingw64c/bin:/usr/local/bin:/usr/bin:/cygdrive/c/Program Files (x86)/Intel/iCLS Client:/cygdrive/c/Program Files/Intel/iCLS Client:/cygdrive/c/WINDOWS/system32:/cygdrive/c/WINDOWS:/cygdrive/c/WINDOWS/System32/Wbem:/cygdrive/c/WINDOWS/System32/WindowsPowerShell/v1.0:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Users/UserName/.dnx/bin:/cygdrive/c/Program Files/Microsoft DNX/Dnvm:/cygdrive/c/Program Files (x86)/Windows Kits/10/Windows Performance Toolkit:/cygdrive/c/Program Files (x86)/Skype/Phone:/cygdrive/c/Go/bin:/cygdrive/c/Program Files/Git/cmd:/cygdrive/c/ProgramData/chocolatey/bin:/cygdrive/c/Users/UserName/go/src/github.com/UserNameker/pinata/win/src/Resources/bin:/cygdrive/c/Users/UserName/AppData/Local/Programs/Python/Python35-32:/cygdrive/c/Program Files/Git LFS" opam install depext depext-cygwinports -y
The following actions will be performed:
  ∗  install ocamlbuild         0                             [required by cmdliner]
  ∗  install conf-m4            1                             [required by ocamlfind]
  ∗  install cmdliner           0.9.8                         [required by depext]
  ∗  install ocamlfind          1.6.2                         [required by base-bytes, config-file]
  ∗  install depext             0.9.0
  ∗  install config-file        1.2                           [required by depext-cygwinports]
  ∗  install base-bytes         base                          [required by depext-cygwinports]
  ∗  install depext-cygwinports 0.0.5
===== ∗  8 =====

=-=- Gathering sources =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[cmdliner: http] Command started
[config-file: http] Command started
[depext: http] Command started
[cmdliner.0.9.8] http://erratique.ch/software/cmdliner/releases/cmdliner-0.9.8.tbz downloaded
[depext-cygwinports: http] Command started
[config-file.1.2] https://forge.ocamlcore.org/frs/download.php/1387/config-file-1.2.tar.gz downloaded
[ocamlfind: http] Command started
[ocamlfind.1.6.2] http://download.camlcity.org/download/findlib-1.6.2.tar.gz downloaded
[depext.0.9.0] https://github.com/ocaml/opam-depext/archive/0.9.0.tar.gz downloaded
[depext-cygwinports.0.0.5] https://github.com/fdopen/depext-cygwinports/archive/0.0.5.tar.gz downloaded

=-=- Processing actions -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[conf-m4: sh echo | m4] Command started
∗  installed ocamlbuild.0
[cmdliner: ocaml] Command started
∗  installed conf-m4.1
[ocamlfind: ./configure] Command started
[cmdliner: ocaml] Command started
[ocamlfind: make all] Command started
∗  installed cmdliner.0.9.8
[depext: ocamlopt unix.cmxa] Command started
∗  installed depext.0.9.0
[ocamlfind: make opt] Command started
[ocamlfind: make install] Command started
∗  installed ocamlfind.1.6.2
[config-file: ./configure] Command started
∗  installed base-bytes.base
[config-file: make all] Command started
[config-file: make install] Command started
∗  installed config-file.1.2
[depext-cygwinports: ./configure] Command started
[depext-cygwinports: make all] Command started
∗  installed depext-cygwinports.0.0.5
Done.

=-=- depext-cygwinports.0.0.5 installed successfully =-=-=-=-=-=-=-=-=-=-=-=-=-=
=> Don't forget to add either /usr/x86_64-w64-mingw32/sys-root/mingw/bin (or
    /usr/i686-w64-mingw32/sys-root/mingw/bin for 32-bit builds) to your PATH.
    Otherwise many packages can't be built.
MACOSX_DEPLOYMENT_TARGET=10.10 OPAMROOT="C:\OCaml64\home\UserName\vpnkit\_build\opam" OPAMYES=1 OPAMCOLORS=1 PATH="/home/UserName/vpnkit/_build/opam/"4.02.3+mingw64"/bin:/home/UserName/.opam/4.02.3+mingw64c/bin:/usr/local/bin:/usr/bin:/cygdrive/c/Program Files (x86)/Intel/iCLS Client:/cygdrive/c/Program Files/Intel/iCLS Client:/cygdrive/c/WINDOWS/system32:/cygdrive/c/WINDOWS:/cygdrive/c/WINDOWS/System32/Wbem:/cygdrive/c/WINDOWS/System32/WindowsPowerShell/v1.0:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Users/UserName/.dnx/bin:/cygdrive/c/Program Files/Microsoft DNX/Dnvm:/cygdrive/c/Program Files (x86)/Windows Kits/10/Windows Performance Toolkit:/cygdrive/c/Program Files (x86)/Skype/Phone:/cygdrive/c/Go/bin:/cygdrive/c/Program Files/Git/cmd:/cygdrive/c/ProgramData/chocolatey/bin:/cygdrive/c/Users/UserName/go/src/github.com/UserNameker/pinata/win/src/Resources/bin:/cygdrive/c/Users/UserName/AppData/Local/Programs/Python/Python35-32:/cygdrive/c/Program Files/Git LFS" OPAMBUILDTEST=1 opam depext -u slirp
# Detecting depexts using flags: x86_64 mswindows win32 cygwinports
# No extra OS packages requirements found.
# Don't run all the unit tests of all upstream packages in the universe for speed
MACOSX_DEPLOYMENT_TARGET=10.10 OPAMROOT="C:\OCaml64\home\UserName\vpnkit\_build\opam" OPAMYES=1 OPAMCOLORS=1 PATH="/home/UserName/vpnkit/_build/opam/"4.02.3+mingw64"/bin:/home/UserName/.opam/4.02.3+mingw64c/bin:/usr/local/bin:/usr/bin:/cygdrive/c/Program Files (x86)/Intel/iCLS Client:/cygdrive/c/Program Files/Intel/iCLS Client:/cygdrive/c/WINDOWS/system32:/cygdrive/c/WINDOWS:/cygdrive/c/WINDOWS/System32/Wbem:/cygdrive/c/WINDOWS/System32/WindowsPowerShell/v1.0:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/DAL:/cygdrive/c/Program Files/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Program Files (x86)/Intel/Intel(R) Management Engine Components/IPT:/cygdrive/c/Users/UserName/.dnx/bin:/cygdrive/c/Program Files/Microsoft DNX/Dnvm:/cygdrive/c/Program Files (x86)/Windows Kits/10/Windows Performance Toolkit:/cygdrive/c/Program Files (x86)/Skype/Phone:/cygdrive/c/Go/bin:/cygdrive/c/Program Files/Git/cmd:/cygdrive/c/ProgramData/chocolatey/bin:/cygdrive/c/Users/UserName/go/src/github.com/UserNameker/pinata/win/src/Resources/bin:/cygdrive/c/Users/UserName/AppData/Local/Programs/Python/Python35-32:/cygdrive/c/Program Files/Git LFS" opam install alcotest.0.4.11 astring.0.8.1 base64.2.0.0 base-bigarray.base base-bytes.base base-ocamlbuild.base base-threads.base base-unix.base camlp4.4.02+7 channel.1.0.0 charrua-core.0.3 cmdliner.0.9.8 config-file.1.2 conf-m4.1 conf-which.1 cppo.1.3.2 cstruct.1.9.0 depext.0.9.0 depext-cygwinports.0.0.5 dns.0.18.1 fmt.0.8.0 hashcons.1.0.1 ipaddr.2.7.0 js-build-tools.113.33.04 logs.0.6.1 lwt.2.5.2 menhir.20160526 mirage-clock-unix.1.0.0 mirage-console.2.1.3 mirage-flow.1.1.0 mirage-profile.0.7.0 mirage-unix.2.6.0 mirage-vnetif.0.1.0 mtime.0.8.3 named-pipe.0.2 oasis.0.4.6 ocamlbuild.0 ocaml-data-notation.0.0.11 ocamlfind.1.6.2 ocamlify.0.0.1 ocamlmod.0.0.8 ocplib-endian.0.8 ounit.2.0.0 pcap-format.0.4.0 ppx_core.113.33.03 
ppx_deriving.3.3 ppx_driver.113.33.03 ppx_optcomp.113.33.03 ppx_sexp_conv.113.33.03 ppx_tools.5.0+4.02.0 ppx_type_conv.113.33.03 protocol-9p.0.6.0 qcheck.0.4 re.1.6.0 result.1.2 sexplib.113.33.03 shared-memory-ring.1.3.0 stringext.1.4.2 topkg.0.7.3 type_conv.113.00.02 uri.1.9.2 win-eventlog.0.1 -y
[NOTE] Package base-bigarray is already installed (current version is base).
[NOTE] Package base-bytes is already installed (current version is base).
[NOTE] Package base-ocamlbuild is already installed (current version is base).
[NOTE] Package base-threads is already installed (current version is base).
[NOTE] Package base-unix is already installed (current version is base).
[NOTE] Package cmdliner is already installed (current version is 0.9.8).
[NOTE] Package config-file is already installed (current version is 1.2).
[NOTE] Package conf-m4 is already installed (current version is 1).
[NOTE] Package depext is already installed (current version is 0.9.0).
[NOTE] Package depext-cygwinports is already installed (current version is
       0.0.5).
[NOTE] Package ocamlbuild is already installed (current version is 0).
[NOTE] Package ocamlfind is already installed (current version is 1.6.2).
The following actions will be performed:
  ∗  install re                  1.6.0
  ∗  install stringext           1.4.2
  ∗  install mtime               0.8.3
  ∗  install menhir              20160526
  ∗  install ppx_tools           5.0+4.02.0
  ∗  install result              1.2
  ∗  install ounit               2.0.0
  ∗  install cppo                1.3.2
  ∗  install ocamlmod            0.0.8
  ∗  install astring             0.8.1
  ∗  install js-build-tools      113.33.04
  ∗  install ocamlify            0.0.1
  ∗  install conf-which          1
  ∗  install base64              2.0.0
  ∗  install topkg               0.7.3
  ∗  install qcheck              0.4
  ∗  install ppx_deriving        3.3
  ∗  install ocplib-endian       0.8
  ∗  install sexplib             113.33.03
  ∗  install ppx_core            113.33.03
  ∗  install hashcons            1.0.1
  ∗  install camlp4              4.02+7
  ∗  install fmt                 0.8.0
  ∗  install ppx_optcomp         113.33.03
  ∗  install type_conv           113.00.02
  ∗  install lwt                 2.5.2
  ∗  install ppx_driver          113.33.03
  ∗  install ocaml-data-notation 0.0.11
  ∗  install named-pipe          0.2
  ∗  install logs                0.6.1
  ∗  install cstruct             1.9.0
  ∗  install ppx_type_conv       113.33.03
  ∗  install oasis               0.4.6
  ∗  install win-eventlog        0.1
  ∗  install io-page             1.6.1                        [required by mirage-unix, channel, mirage-profile, mirage-vnetif]
  ∗  install ppx_sexp_conv       113.33.03
  ∗  install alcotest            0.4.11
  ∗  install mirage-profile      0.7.0
  ∗  install uri                 1.9.2
  ∗  install ipaddr              2.7.0
  ∗  install shared-memory-ring  1.3.0
  ∗  install pcap-format         0.4.0
  ∗  install mirage-types        999                          [required by mirage-clock-unix, dns, mirage-vnetif]
  ∗  install mirage-vnetif       0.1.0
  ∗  install mirage-types-lwt    999                          [required by mirage-flow, channel, mirage-console, protocol-9p]
  ∗  install mirage-clock-unix   1.0.0
  ∗  install dns                 0.18.1
  ∗  install protocol-9p         0.6.0
  ∗  install mirage-flow         1.1.0
  ∗  install channel             1.0.0
  ∗  install mirage-unix         2.6.0
  ∗  install mirage-console      2.1.3
  ∗  install tcpip               999                          [required by charrua-core]
  ∗  install charrua-core        0.3
===== ∗  54 =====

=-=- Gathering sources =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[alcotest: http] Command started
[astring: http] Command started
[base64: http] Command started
[astring.0.8.1] http://erratique.ch/software/astring/releases/astring-0.8.1.tbz downloaded
[camlp4: http] Command started
[alcotest.0.4.11] https://github.com/mirage/alcotest/archive/0.4.11.tar.gz downloaded
[channel: http] Command started
[base64.2.0.0] https://github.com/mirage/ocaml-base64/archive/v2.0.0.tar.gz downloaded
[charrua-core: http] Command started
[camlp4.4.02+7] https://github.com/ocaml/camlp4/archive/4.02+7.tar.gz downloaded
[cppo: http] Command started
[channel.1.0.0] https://github.com/mirage/mirage-channel/archive/1.0.0.tar.gz downloaded
[cstruct: http] Command started
[charrua-core.0.3] https://github.com/haesbaert/charrua-core/archive/v0.3.tar.gz downloaded
[dns: http] Command started
[cppo.1.3.2] https://github.com/mjambon/cppo/archive/v1.3.2.tar.gz downloaded
[fmt: http] Command started
[fmt.0.8.0] http://erratique.ch/software/fmt/releases/fmt-0.8.0.tbz downloaded
[hashcons: http] Command started
[cstruct.1.9.0] https://github.com/mirage/ocaml-cstruct/archive/v1.9.0.tar.gz downloaded
[io-page: http] Command started
[dns.0.18.1] https://github.com/mirage/ocaml-dns/archive/v0.18.1.tar.gz downloaded
[ipaddr: http] Command started
[io-page.1.6.1] https://github.com/mirage/io-page/archive/v1.6.1.tar.gz downloaded
[js-build-tools: http] Command started
[ipaddr.2.7.0] https://github.com/mirage/ocaml-ipaddr/archive/2.7.0.tar.gz downloaded
[logs: http] Command started
[hashcons.1.0.1] https://github.com/dsheets/ocaml-hashcons/releases/download/1.0.1/ocaml-hashcons-1.0.1.tar.gz downloaded
[lwt: http] Command started
[logs.0.6.1] http://erratique.ch/software/logs/releases/logs-0.6.1.tbz downloaded
[menhir: http] Command started
[menhir.20160526] http://gallium.inria.fr/~fpottier/menhir/menhir-20160526.tar.gz downloaded
[mirage-clock-unix: http] Command started
[js-build-tools.113.33.04] https://ocaml.janestreet.com/ocaml-core/113.33/files/js-build-tools-113.33.04.tar.gz downloaded
[mirage-console: http] Command started
[lwt.2.5.2] https://github.com/ocsigen/lwt/archive/2.5.2.tar.gz downloaded
[mirage-flow: http] Command started
[mirage-clock-unix.1.0.0] https://github.com/mirage/mirage-clock/archive/v1.0.0.tar.gz downloaded
[mirage-profile: http] Command started
[mirage-console.2.1.3] https://github.com/mirage/mirage-console/archive/v2.1.3.tar.gz downloaded
[mirage-types: git] Command started
[mirage-types: git] Command started
[mirage-types: git] Command started
[mirage-types: git] Command started
[mirage-types: git] Command started
[mirage-flow.1.1.0] https://github.com/mirage/mirage-flow/archive/v1.1.0.tar.gz downloaded
[mirage-unix: http] Command started
[mirage-profile.0.7.0] https://github.com/mirage/mirage-profile/archive/v0.7.0.tar.gz downloaded
[mirage-vnetif: http] Command started
[mirage-vnetif.0.1.0] https://github.com/MagnusS/mirage-vnetif/archive/0.1.tar.gz downloaded
[mtime: http] Command started
[mirage-unix.2.6.0] https://github.com/mirage/mirage-platform/archive/v2.6.0.tar.gz downloaded
[named-pipe: http] Command started
[mtime.0.8.3] http://erratique.ch/software/mtime/releases/mtime-0.8.3.tbz downloaded
[oasis: http] Command started
[mirage-types: git] Command started
[oasis.0.4.6] https://forge.ocamlcore.org/frs/download.php/1604/oasis-0.4.6.tar.gz downloaded
[ocaml-data-notation: http] Command started
[mirage-types] git://github.com/djs55/mirage#3.0.0-beta updated
[ocamlify: http] Command started
[ocaml-data-notation.0.0.11] https://forge.ocamlcore.org/frs/download.php/1310/ocaml-data-notation-0.0.11.tar.gz downloaded
[ocamlmod: http] Command started
[ocamlify.0.0.1] http://forge.ocamlcore.org/frs/download.php/379/ocamlify-0.0.1.tar.gz downloaded
[ocplib-endian: http] Command started
[ocamlmod.0.0.8] https://forge.ocamlcore.org/frs/download.php/1544/ocamlmod-0.0.8.tar.gz downloaded
[ounit: http] Command started
[named-pipe.0.2] https://github.com/djs55/ocaml-named-pipe/archive/v0.2.tar.gz downloaded
[pcap-format: http] Command started
[ounit.2.0.0] http://forge.ocamlcore.org/frs/download.php/1258/ounit-2.0.0.tar.gz downloaded
[ppx_core: http] Command started
[ocplib-endian.0.8] https://github.com/OCamlPro/ocplib-endian/archive/0.8.tar.gz downloaded
[ppx_deriving: http] Command started
[ppx_core.113.33.03] https://ocaml.janestreet.com/ocaml-core/113.33/files/ppx_core-113.33.03.tar.gz downloaded
[ppx_driver: http] Command started
[pcap-format.0.4.0] https://github.com/mirage/ocaml-pcap/archive/v0.4.0.tar.gz downloaded
[ppx_optcomp: http] Command started
[ppx_driver.113.33.03] https://ocaml.janestreet.com/ocaml-core/113.33/files/ppx_driver-113.33.03.tar.gz downloaded
[ppx_sexp_conv: http] Command started
[ppx_optcomp.113.33.03] https://ocaml.janestreet.com/ocaml-core/113.33/files/ppx_optcomp-113.33.03.tar.gz downloaded
[ppx_tools: http] Command started
[ppx_deriving.3.3] https://github.com/whitequark/ppx_deriving/archive/v3.3.tar.gz downloaded
[ppx_type_conv: http] Command started
[ppx_sexp_conv.113.33.03] https://ocaml.janestreet.com/ocaml-core/113.33/files/ppx_sexp_conv-113.33.03.tar.gz downloaded
[protocol-9p: http] Command started
[ppx_type_conv.113.33.03] https://ocaml.janestreet.com/ocaml-core/113.33/files/ppx_type_conv-113.33.03.tar.gz downloaded
[qcheck: http] Command started
[ppx_tools.5.0+4.02.0] https://github.com/alainfrisch/ppx_tools/archive/5.0+4.02.0.tar.gz downloaded
[re: http] Command started
[protocol-9p.0.6.0] https://github.com/mirage/ocaml-9p/archive/v0.6.0.tar.gz downloaded
[result: http] Command started
[qcheck.0.4] https://github.com/c-cube/qcheck/archive/0.4.0.1.tar.gz downloaded
[sexplib: http] Command started
[re.1.6.0] https://github.com/ocaml/ocaml-re/archive/1.6.0.tar.gz downloaded
[shared-memory-ring: http] Command started
[result.1.2] https://github.com/janestreet/result/archive/1.2.tar.gz downloaded
[stringext: http] Command started
[sexplib.113.33.03] https://ocaml.janestreet.com/ocaml-core/113.33/files/sexplib-113.33.03.tar.gz downloaded
[tcpip: git] Command started
[tcpip: git] Command started
[tcpip: git] Command started
[tcpip: git] Command started
[tcpip: git] Command started
[shared-memory-ring.1.3.0] https://github.com/mirage/shared-memory-ring/archive/v1.3.0.tar.gz downloaded
[topkg: http] Command started
[stringext.1.4.2] https://github.com/rgrinberg/stringext/archive/v1.4.2.tar.gz downloaded
[type_conv: http] Command started
[type_conv.113.00.02] https://ocaml.janestreet.com/ocaml-core/113.00/files/type_conv-113.00.02.tar.gz downloaded
[uri: http] Command started
[tcpip: git] Command started
[topkg.0.7.3] http://erratique.ch/software/topkg/releases/topkg-0.7.3.tbz downloaded
[win-eventlog: http] Command started
[tcpip] git://github.com/djs55/mirage-tcpip#3.0.0-beta4 updated
[uri.1.9.2] https://github.com/mirage/ocaml-uri/archive/v1.9.2.tar.gz downloaded
[win-eventlog.0.1] https://github.com/djs55/ocaml-win-eventlog/archive/v0.1.tar.gz downloaded

=-=- Processing actions -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[astring: ocaml] Command started
[base64: ocaml setup.ml] Command started
[conf-which: which which] Command started
[astring: ocaml] Command started
[cppo: make] Command started
[base64: ocaml setup.ml] Command started
[base64: ocaml setup.ml] Command started
[js-build-tools: ./configure] Command started
[menhir: make Makefile] Command started
[mtime: tar test.tar] Command started
[js-build-tools: make] Command started
[mtime: tar test.tar] Command started
[mtime: ocaml] Command started
[mtime: ocaml] Command started
[ocamlify: ocaml setup.ml] Command started
[ocamlmod: ocaml setup.ml] Command started
[ocamlify: ocaml setup.ml] Command started
[ocamlmod: ocaml setup.ml] Command started
[ocamlify: ocaml setup.ml] Command started
[ounit: make build] Command started
[ppx_tools: make all] Command started
[re: ocaml setup.ml] Command started
[re: ocaml setup.ml] Command started
[ounit: make install] Command started
[result: make] Command started
[stringext: ocaml setup.ml] Command started
[stringext: ocaml setup.ml] Command started
∗  installed astring.0.8.1
∗  installed base64.2.0.0
∗  installed conf-which.1
[camlp4: ./configure] Command started
[hashcons: ./configure] Command started
[camlp4: make all] Command started
[hashcons: make all] Command started
[cppo: make install-lib] Command started
∗  installed cppo.1.3.2
[ocplib-endian: ocaml setup.ml] Command started
[ocplib-endian: ocaml setup.ml] Command started
[hashcons: make install] Command started
∗  installed hashcons.1.0.1
∗  installed js-build-tools.113.33.04
[sexplib: ./configure] Command started
[sexplib: mv] Command started
[sexplib: make] Command started
[sexplib: make] Command started
∗  installed mtime.0.8.3
∗  installed ocamlify.0.0.1
[ocamlmod: ocaml setup.ml] Command started
∗  installed ocamlmod.0.0.8
[ocplib-endian: ocaml setup.ml] Command started
∗  installed ocplib-endian.0.8
∗  installed ounit.2.0.0
[qcheck: ocaml setup.ml] Command started
[qcheck: make all] Command started
[ppx_tools: make install] Command started
∗  installed ppx_tools.5.0+4.02.0
[ppx_core: ./configure] Command started
[ppx_core: make] Command started
[ppx_deriving: ocaml] Command started
[menhir: make Makefile] Command started
∗  installed menhir.20160526
∗  installed ppx_core.113.33.03
[ppx_optcomp: ./configure] Command started
∗  installed ppx_deriving.3.3
[qcheck: make install] Command started
[ppx_optcomp: make] Command started
∗  installed qcheck.0.4
[re: ocaml setup.ml] Command started
∗  installed re.1.6.0
∗  installed result.1.2
[topkg: ocaml build] Command started
∗  installed ppx_optcomp.113.33.03
[ppx_driver: ./configure] Command started
[ppx_driver: make] Command started
∗  installed sexplib.113.33.03
[stringext: ocaml setup.ml] Command started
∗  installed stringext.1.4.2
∗  installed topkg.0.7.3
[fmt: ocaml build] Command started
∗  installed ppx_driver.113.33.03
[ppx_type_conv: ./configure] Command started
[ppx_type_conv: make] Command started
∗  installed fmt.0.8.0
[camlp4: make install] Command started
∗  installed camlp4.4.02+7
[lwt: ./configure] Command started
[type_conv: make] Command started
∗  installed ppx_type_conv.113.33.03
[ppx_sexp_conv: ./configure] Command started
[ERROR] The compilation of lwt failed at "./configure --prefix
        C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64 --disable-libev
        --enable-camlp4 --disable-react --disable-ssl --enable-unix
        --enable-preemptive --disable-glib --enable-ppx".
[lwt: ocamlfind remove] Command started
[ERROR] The compilation of type_conv failed at "make".
[type_conv: ocamlfind remove] Command started
[ppx_sexp_conv: make] Command started
∗  installed ppx_sexp_conv.113.33.03
[ipaddr: ocaml setup.ml] Command started
[uri: ocaml setup.ml] Command started
[ipaddr: make build] Command started
[uri: ocaml setup.ml] Command started
[ipaddr: make install] Command started
∗  installed ipaddr.2.7.0
[uri: ocaml setup.ml] Command started
∗  installed uri.1.9.2

#=== ERROR while compiling type_conv.113.00.02 ================================#
# opam-version         1.3.0~dev (496e53587737b46b14f284e4bf420059e1a4125b)
# os                   win32
# command              make
# path                 C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64/build/type_conv.113.00.02
# exit-code            2
# env-file             C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64/build/type_conv.113.00.02\type_conv-424-c27ab1.env
# stdout-file          C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64/build/type_conv.113.00.02\type_conv-424-c27ab1.out
# stderr-file          C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64/build/type_conv.113.00.02\type_conv-424-c27ab1.err
### stdout ###
# ocamlopt.opt -o setup.exe setup.ml || ocamlopt -o setup.exe setup.ml || ocamlc -o setup.exe setup.ml
# rm -f setup.cmx setup.cmi setup.o setup.obj setup.cmo
# ./setup.exe -configure
### stderr ###
# W: Field 'pkg_camlp4_quotations' is not set: When looking for findlib package camlp4.quotations, directory C:/OCaml64/home/UserName/.opam/4.02.3+mingw64c/lib/ocaml/camlp4 return doesn't exist
# W: Field 'pkg_camlp4_extend' is not set: When looking for findlib package camlp4.extend, directory C:/OCaml64/home/UserName/.opam/4.02.3+mingw64c/lib/ocaml/camlp4 return doesn't exist
# E: Cannot find findlib package camlp4.extend
# E: Cannot find findlib package camlp4.quotations
# E: Failure("2 configuration errors")
# make: *** [Makefile:51: setup.data] Error 1


#=== ERROR while compiling lwt.2.5.2 ==========================================#
# opam-version         1.3.0~dev (496e53587737b46b14f284e4bf420059e1a4125b)
# os                   win32
# command              ./configure --prefix C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64 --disable-libev --enable-camlp4 --disable-react --disable-ssl --enable-unix --enable-preemptive --disable-glib --enable-ppx
# path                 C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64/build/lwt.2.5.2
# exit-code            1
# env-file             C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64/build/lwt.2.5.2\lwt-424-5b1052.env
# stdout-file          C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64/build/lwt.2.5.2\lwt-424-5b1052.out
# stderr-file          C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64/build/lwt.2.5.2\lwt-424-5b1052.err
### stderr ###
# W: Field 'pkg_camlp4' is not set: When looking for findlib package camlp4, directory C:/OCaml64/home/UserName/.opam/4.02.3+mingw64c/lib/ocaml/camlp4 return doesn't exist
# W: Field 'pkg_camlp4_quotations_o' is not set: When looking for findlib package camlp4.quotations.o, directory C:/OCaml64/home/UserName/.opam/4.02.3+mingw64c/lib/ocaml/camlp4 return doesn't exist
# W: Field 'pkg_camlp4_extend' is not set: When looking for findlib package camlp4.extend, directory C:/OCaml64/home/UserName/.opam/4.02.3+mingw64c/lib/ocaml/camlp4 return doesn't exist
# W: Failure("When looking for findlib package camlp4, directory C:/OCaml64/home/UserName/.opam/4.02.3+mingw64c/lib/ocaml/camlp4 return doesn't exist")
# W: Failure("When looking for findlib package camlp4, directory C:/OCaml64/home/UserName/.opam/4.02.3+mingw64c/lib/ocaml/camlp4 return doesn't exist")
# W: Failure("When looking for findlib package camlp4.quotations.o, directory C:/OCaml64/home/UserName/.opam/4.02.3+mingw64c/lib/ocaml/camlp4 return doesn't exist")
# E: Cannot find findlib package camlp4
# E: Cannot find findlib package camlp4.extend
# E: Cannot find findlib package camlp4.quotations.o
# E: Failure("3 configuration errors")



=-=- Error report -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The following actions were aborted
  ∗  install alcotest            0.4.11
  ∗  install channel             1.0.0
  ∗  install charrua-core        0.3
  ∗  install cstruct             1.9.0
  ∗  install dns                 0.18.1
  ∗  install io-page             1.6.1
  ∗  install logs                0.6.1
  ∗  install mirage-clock-unix   1.0.0
  ∗  install mirage-console      2.1.3
  ∗  install mirage-flow         1.1.0
  ∗  install mirage-profile      0.7.0
  ∗  install mirage-types        999
  ∗  install mirage-types-lwt    999
  ∗  install mirage-unix         2.6.0
  ∗  install mirage-vnetif       0.1.0
  ∗  install named-pipe          0.2
  ∗  install oasis               0.4.6
  ∗  install ocaml-data-notation 0.0.11
  ∗  install pcap-format         0.4.0
  ∗  install protocol-9p         0.6.0
  ∗  install shared-memory-ring  1.3.0
  ∗  install tcpip               999
  ∗  install win-eventlog        0.1
The following actions failed
  λ  build lwt       2.5.2
  λ  build type_conv 113.00.02
The following changes have been performed
  ∗  install astring        0.8.1
  ∗  install base64         2.0.0
  ∗  install camlp4         4.02+7
  ∗  install conf-which     1
  ∗  install cppo           1.3.2
  ∗  install fmt            0.8.0
  ∗  install hashcons       1.0.1
  ∗  install ipaddr         2.7.0
  ∗  install js-build-tools 113.33.04
  ∗  install menhir         20160526
  ∗  install mtime          0.8.3
  ∗  install ocamlify       0.0.1
  ∗  install ocamlmod       0.0.8
  ∗  install ocplib-endian  0.8
  ∗  install ounit          2.0.0
  ∗  install ppx_core       113.33.03
  ∗  install ppx_deriving   3.3
  ∗  install ppx_driver     113.33.03
  ∗  install ppx_optcomp    113.33.03
  ∗  install ppx_sexp_conv  113.33.03
  ∗  install ppx_tools      5.0+4.02.0
  ∗  install ppx_type_conv  113.33.03
  ∗  install qcheck         0.4
  ∗  install re             1.6.0
  ∗  install result         1.2
  ∗  install sexplib        113.33.03
  ∗  install stringext      1.4.2
  ∗  install topkg          0.7.3
  ∗  install uri            1.9.2

The former state can be restored with:
    C:\OCaml64\usr\local\bin\opam.exe switch import
"C:/OCaml64/home/UserName/vpnkit/_build/opam/4.02.3+mingw64/backup/state-20160601081321.export"
make: *** [Makefile:56: depends] Error 4

Steps to reproduce the behavior

  1. Install OCaml (I use http://fdopen.github.io/opam-repository-mingw/installation, both package or manual install result in the same issue on 2 computers)
  2. Run Cygwin
  3. clone repo
  4. run make depends

Be able to configure timeout on virtual switch ports

Hi,

I am using a docker container to run regression tests (written in Python) using omniORB to communicate to the DUT.

Because of the omniORB interface to the DUT, we need to log in to the DUT before any API call is accepted and so we do. But sometimes, the opened TCP connection to the omniORB endpoint in the DUT is idle for multiple minutes after the initial logon. When finally, after for example 5 minutes, the regression script uses the IIOP API again, I believe vpnkit is opening a new connection from the OS X host to the DUT. But for the DUT, this new connection requires a logon first before any other API calls are accepted. However, from a regression script point of view, the connection has been established and has not changed. Result: failure of the script.

The README.md of this repo explains that the virtual switch will close the port when activity is absent for some time (not defined in README.md how long). This breaks the above regression framework we are using and I've already tried to reduce the keepalive timers in the container (to make sure there is at least data being sent over the idle connection) but for some reason that did not work.

So another way around the issue would be if I could extend the timeout in the virtual switch before it decides to open a new connection. Is there a way to do so?

Include NTP server info in DHCP response

Since we run our own DHCP server using the charrua library and can proxy NTP to the host, we should tell the VM what to do by including the host IP as the NTP server in the DHCP response.

This involves:

  • investigating whether charrua supports this DHCP option and adding it upstream if not
  • reconfiguring the DHCP server in vpnkit

Allow limited access to host ports

The host is currently only listening on its own internal IP for

  • DNS
  • NTP

It's not possible for the VM to (for example) ssh into the host. It would be nice to be able to configure the host to expose particular ports to the VM. The configuration could be stored in the datakit database and the keys watched by the vpnkit code.

This involves

  • defining a format for expressing the desired configuration in terms of database keys and values
  • watching the configuration and dynamically adding/removing the ports

Move preferred IP into new protocol command

The vmnet protocol used by vpnkit and hyperkit should have a preferred_ip command to request a specific IP with the uuid. See also #207 (comment)

Changes needed:

  • Vpnkit: protocol needs to be extended to include a new command
  • Hyperkit: accept a preferred_ip= option in pci_virtio_net_vpnkit and send the new command to vpnkit if present

FID leak

When hyperkit exits and restarts in a loop I see lots of these:

2016-12-09 ... <Notice>: FID pool exhausted (will wait for a free one; deadlock possible)

Perhaps there's a failure to clean up a connection or a FID somewhere? I would have thought the FID pool was per connection but perhaps there's a problem there.

FTBFS: Multiple rules generated for _build/default/_doc/hostnet/index.html

Hey,
I've checked out today's vpnkit (e203f93), following the README installed the opam dependencies ok, but when trying to build I hit this barrier:

$ make
[ERROR] No package named hostnet found.
opam config subst src/bin/depends.ml || true
cp src/bin/depends.ml src/bin/depends.tmp
sed -e 's/££VERSION££/e203f930f850bef3e4514a19abe441f466630c8c/g' src/bin/depends.tmp > src/bin/depends.ml
cp src/bin/depends.ml src/bin/depends.tmp
sed -e 's/££HOSTNET_PINNED££//g' src/bin/depends.tmp > src/bin/depends.ml
cp src/bin/depends.ml src/bin/depends.tmp
sed -e 's/££HVSOCK_PINNED££//g' src/bin/depends.tmp > src/bin/depends.ml
jbuilder build src/bin/main.exe
Multiple rules generated for _build/default/_doc/hostnet/index.html
make: *** [vpnkit.exe] Error 1

I'm trying to understand jbuilder, but if someone can see what I'm missing, I'd appreciate a hint.

Here's my opam config report: https://pastebin.com/4mktVd6x
and installed deps: https://pastebin.com/zxip0JqT

Thanks
-G

Simplify the build

The build does work, but it's quite fiddly and is more CI-friendly than developer-friendly.

The build would be easier if we could:

  • combine hostnet and proto-vmnet since proto-vmnet is really a private protocol shared between vpnkit and hyperkit which we don't want to encourage anyone else to use. Ideally in the longer term we would switch away to something standard (PPP?) but in the meantime we should discourage any proliferation of this
  • somehow upstream ofs to datakit and install this from opam instead: made ofs into a sub-library within the project
  • remove osx-daemon and osx-hyperkit from this repo as they're no longer used here
  • somehow combine the Mac and Windows frontends: they have a lot of duplicated code which can diverge easily. The only problem is some Unix specifics currently in the Mac frontend

Then this project could become a "normal" project with just a Makefile and we could avoid using opam internally within the build. Developers would be free to use opam themselves as normal without worrying about clashing with the build runes in this repo.

Mechanism for connection notification

When vpnkit is started, it would be useful to be notified when the VM is connected.
On Windows, that could be easily done by reading 1 byte on a named pipe from the client side. From vpnkit side, the byte would be written either immediately (if connection has already happened), or when the connection happens.

Lots of connections causes `Unix.select` to fail with `EINVAL`

On OSX we see fatal errors from Lwt_main.run like

proxy: internal error, uncaught exception:
       Unix.Unix_error(Unix.EINVAL, "select", "")
       Raised by primitive operation at file "src/unix/lwt_engine.ml", line 371, characters 26-60
       Called from file "src/unix/lwt_engine.ml", line 312, characters 8-39
       Called from file "src/unix/lwt_main.ml", line 41, characters 8-82

This appears to be related to [ocsigen/lwt#222]

Can't build vpnkit following the instructions

Hi! I use macOS Sierra. Installed opam and wget. Trying to build vpnkit I receive the following (what should I do to build it?):

➜  vpnkit git:(master) opam install --deps-only slirp                       
The following actions will be performed:
  - install hvsock         0.13.0
  - install datakit-server 0.9.0 
  - install dns-forward    0.8.1 
===== 3 to install =====
Do you want to continue ? [Y/n] Y

=-=- Gathering sources =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

=-=- Processing actions -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[ERROR] The compilation of dns-forward failed at "ocaml pkg/pkg.ml build --pinned false".
[ERROR] The compilation of datakit-server failed at "ocaml pkg/pkg.ml build --pinned false -n datakit-server".
[ERROR] The compilation of hvsock failed at "make".
Processing  3/3: [hvsock: ocamlfind remove]
#=== ERROR while installing datakit-server.0.9.0 ==============================#
# opam-version 1.2.2
# os           darwin
# command      ocaml pkg/pkg.ml build --pinned false -n datakit-server
# path         /Users/os/.opam/system/build/datakit-server.0.9.0
# compiler     system (4.04.0)
# exit-code    1
# env-file     /Users/os/.opam/system/build/datakit-server.0.9.0/datakit-server-57805-1872ec.env
# stdout-file  /Users/os/.opam/system/build/datakit-server.0.9.0/datakit-server-57805-1872ec.out
# stderr-file  /Users/os/.opam/system/build/datakit-server.0.9.0/datakit-server-57805-1872ec.err
### stdout ###
# [...]
# ocamlfind ocamlopt -shared -package protocol-9p.unix -package 'bytes lwt astring logs result cstruct fmt rresult' src/datakit-server/vfs.cmx -o src/datakit-server/vfs.cmxs
# ocamlfind ocamlc -c -g -bin-annot -safe-string -package protocol-9p.unix -package 'bytes lwt astring logs result cstruct fmt rresult' -warn-error +1..49-3 -w A-4-41-44 -I src/datakit-server -I src -o src/datakit-server/vfs.cmo src/datakit-server/vfs.ml
# ocamlfind ocamlc -a -package protocol-9p.unix -package 'bytes lwt astring logs result cstruct fmt rresult' src/datakit-server/vfs.cmo -o src/datakit-server/vfs.cma
# ocamlfind ocamldep -package protocol-9p.unix -package 'bytes lwt astring logs result cstruct fmt rresult' -modules src/datakit-server/fs9p.ml > src/datakit-server/fs9p.ml.depends
# ocamlfind ocamldep -package protocol-9p.unix -package 'bytes lwt astring logs result cstruct fmt rresult' -modules src/datakit-server/fs9p.mli > src/datakit-server/fs9p.mli.depends
# ocamlfind ocamlc -c -g -bin-annot -safe-string -package protocol-9p.unix -package 'bytes lwt astring logs result cstruct fmt rresult' -warn-error +1..49-3 -w A-4-41-44 -I src/datakit-server -I src -o src/datakit-server/fs9p.cmi src/datakit-server/fs9p.mli
# + ocamlfind ocamlc -c -g -bin-annot -safe-string -package protocol-9p.unix -package 'bytes lwt astring logs result cstruct fmt rresult' -warn-error +1..49-3 -w A-4-41-44 -I src/datakit-server -I src -o src/datakit-server/fs9p.cmi src/datakit-server/fs9p.mli
# File "src/datakit-server/fs9p.mli", line 17, characters 19-30:
# Error: Unbound module V1_LWT
# Command exited with code 2.
### stderr ###
# pkg.ml: [ERROR] cmd ['ocamlbuild' '-use-ocamlfind' '-classic-display' '-tag' 'debug'
# [...]
#      'src/datakit-server/vfs.a' 'src/datakit-server/vfs.cmxs'
#      'src/datakit-server/vfs.cmxa' 'src/datakit-server/vfs.cma'
#      'src/datakit-server/vfs.cmx' 'src/datakit-server/vfs.cmi'
#      'src/datakit-server/vfs.mli' 'src/datakit-server/fs9p.a'
#      'src/datakit-server/fs9p.cmxs' 'src/datakit-server/fs9p.cmxa'
#      'src/datakit-server/fs9p.cma' 'src/datakit-server/fs9p_error.cmx'
#      'src/datakit-server/fs9p_error.cmi' 'src/datakit-server/fs9p_error.mli'
#      'src/datakit-server/fs9p.cmx' 'src/datakit-server/fs9p.cmi'
#      'src/datakit-server/fs9p.mli']: exited with 10


#=== ERROR while installing dns-forward.0.8.1 =================================#
# opam-version 1.2.2
# os           darwin
# command      ocaml pkg/pkg.ml build --pinned false
# path         /Users/os/.opam/system/build/dns-forward.0.8.1
# compiler     system (4.04.0)
# exit-code    1
# env-file     /Users/os/.opam/system/build/dns-forward.0.8.1/dns-forward-57805-c61e7b.env
# stdout-file  /Users/os/.opam/system/build/dns-forward.0.8.1/dns-forward-57805-c61e7b.out
# stderr-file  /Users/os/.opam/system/build/dns-forward.0.8.1/dns-forward-57805-c61e7b.err
### stdout ###
# ocamlfind ocamldep -package 'dns mirage-flow cstruct.lwt channel io-page.unix' -package 'bytes lwt astring logs result cstruct fmt rresult ipaddr' -modules lib/dns_forward.ml > lib/dns_forward.ml.depends
# ocamlfind ocamldep -package ppx_sexp_conv -package 'dns mirage-flow cstruct.lwt channel io-page.unix' -package 'bytes lwt astring logs result cstruct fmt rresult ipaddr' -modules lib/dns_forward.mli > lib/dns_forward.mli.depends
# ocamlfind ocamlc -c -g -bin-annot -safe-string -package ppx_sexp_conv -package 'dns mirage-flow cstruct.lwt channel io-page.unix' -package 'bytes lwt astring logs result cstruct fmt rresult ipaddr' -warn-error +1..49 -w A-3-4-41-44 -I lib -I bin -o lib/dns_forward.cmi lib/dns_forward.mli
# + ocamlfind ocamlc -c -g -bin-annot -safe-string -package ppx_sexp_conv -package 'dns mirage-flow cstruct.lwt channel io-page.unix' -package 'bytes lwt astring logs result cstruct fmt rresult ipaddr' -warn-error +1..49 -w A-3-4-41-44 -I lib -I bin -o lib/dns_forward.cmi lib/dns_forward.mli
# findlib: [WARNING] Interface topdirs.cmi occurs in several directories: /usr/local/lib/ocaml, /usr/local/lib/ocaml/compiler-libs
# File "lib/dns_forward.mli", line 40, characters 12-38:
# Error: Unbound module Mirage_flow_s
# Command exited with code 2.
### stderr ###
# pkg.ml: [ERROR] cmd ['ocamlbuild' '-use-ocamlfind' '-classic-display' '-tag' 'debug'
# [...]
#      'lib/dns_forward_framing.cmx' 'lib/dns_forward_server.cmx'
#      'lib/dns_forward_resolver.cmx' 'lib/dns_forward_rpc.cmx'
#      'lib/dns_forward_free_id.cmx' 'lib/dns_forward_error.cmx'
#      'lib/dns_forward_config.cmx' 'lib/dns_forward.cmx' 'lib/dns_forward.cmi'
#      'lib/dns_forward.mli' 'lib/dns-forward-lwt-unix.a'
#      'lib/dns-forward-lwt-unix.cmxs' 'lib/dns-forward-lwt-unix.cmxa'
#      'lib/dns-forward-lwt-unix.cma' 'lib/dns_forward_lwt_unix.cmx'
#      'lib/dns_forward_lwt_unix.cmi' 'lib/dns_forward_lwt_unix.mli'
#      'bin/main.native']: exited with 10


#=== ERROR while installing hvsock.0.13.0 =====================================#
# opam-version 1.2.2
# os           darwin
# command      make
# path         /Users/os/.opam/system/build/hvsock.0.13.0
# compiler     system (4.04.0)
# exit-code    2
# env-file     /Users/os/.opam/system/build/hvsock.0.13.0/hvsock-57805-a00279.env
# stdout-file  /Users/os/.opam/system/build/hvsock.0.13.0/hvsock-57805-a00279.out
# stderr-file  /Users/os/.opam/system/build/hvsock.0.13.0/hvsock-57805-a00279.err
### stdout ###
# [...]
# /Users/os/.opam/system/bin/ocamlfind ocamldep -package unix -package threads -package mirage-types.lwt -package mirage-flow -package lwt -package logs -package duration -package cstruct -package bytes -modules lwt/lwt_hvsock.ml > lwt/lwt_hvsock.ml.depends
# /Users/os/.opam/system/bin/ocamlfind ocamldep -package unix -package threads -package mirage-types.lwt -package mirage-flow -package lwt -package logs -package duration -package cstruct -package bytes -modules lwt/flow_lwt_hvsock.mli > lwt/flow_lwt_hvsock.mli.depends
# /Users/os/.opam/system/bin/ocamlfind ocamlc -c -g -annot -bin-annot -thread -I lib -thread -package unix -package threads -package mirage-types.lwt -package mirage-flow -package lwt -package logs -package duration -package cstruct -package bytes -I lwt -I lib -o lwt/flow_lwt_hvsock.cmi lwt/flow_lwt_hvsock.mli
# /Users/os/.opam/system/bin/ocamlfind ocamldep -package unix -package threads -package mirage-types.lwt -package mirage-flow -package lwt -package logs -package duration -package cstruct -package bytes -modules lwt/flow_lwt_hvsock.ml > lwt/flow_lwt_hvsock.ml.depends
# /Users/os/.opam/system/bin/ocamlfind ocamldep -package unix -package threads -package mirage-types.lwt -package mirage-flow -package lwt -package logs -package duration -package cstruct -package bytes -modules lwt/flow_lwt_hvsock_shutdown.mli > lwt/flow_lwt_hvsock_shutdown.mli.depends
# /Users/os/.opam/system/bin/ocamlfind ocamlc -c -g -annot -bin-annot -thread -I lib -thread -package unix -package threads -package mirage-types.lwt -package mirage-flow -package lwt -package logs -package duration -package cstruct -package bytes -I lwt -I lib -o lwt/flow_lwt_hvsock_shutdown.cmi lwt/flow_lwt_hvsock_shutdown.mli
# + /Users/os/.opam/system/bin/ocamlfind ocamlc -c -g -annot -bin-annot -thread -I lib -thread -package unix -package threads -package mirage-types.lwt -package mirage-flow -package lwt -package logs -package duration -package cstruct -package bytes -I lwt -I lib -o lwt/flow_lwt_hvsock_shutdown.cmi lwt/flow_lwt_hvsock_shutdown.mli
# File "lwt/flow_lwt_hvsock_shutdown.mli", line 26, characters 10-36:
# Error: Unbound module Mirage_flow_s
# Command exited with code 2.
### stderr ###
# E: Failure("Command ''/Users/os/.opam/system/bin/ocamlbuild' lib/libhvsock_stubs.a lib/dllhvsock_stubs.so lib/hvsock.cma lib/hvsock.cmxa lib/hvsock.a lib/hvsock.cmxs lwt/hvsock_lwt.cma lwt/hvsock_lwt.cmxa lwt/hvsock_lwt.a lwt/hvsock_lwt.cmxs lwt_unix/hvsock_lwt_unix.cma lwt_unix/hvsock_lwt_unix.cmxa lwt_unix/hvsock_lwt_unix.a lwt_unix/hvsock_lwt_unix.cmxs src/hvcat.native lib_test/test.native -use-ocamlfind -tag debug -tag tests' terminated with error code 10")
# make: *** [build] Error 1



=-=- Error report -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The following actions failed
  - install datakit-server 0.9.0 
  - install dns-forward    0.8.1 
  - install hvsock         0.13.0
No changes have been performed

TTL not preserved

The TTL in outgoing packets is not preserved. In combination with #193 this breaks traceroute.

Slirp fails on OS X 10.12 beta 2

Slirp fails on macOS Sierra Beta 2 with the following error:

Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: Logging to Apple System Log
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: Setting handler to ignore all SIGPIPE signals
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: Setting soft fd limit to 10240
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: starting port_forwarding port_control_path:fd:4 vsock_path:/Users/jonathan/Library/Containers/com.docker.docker/Data/@connect
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: attempting to reconnect to database
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: reconnected transport layer
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: allowing binds to any IP addresses
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: Creating slirp server pcap_settings:disabled peer_ip:192.168.65.2 local_ip:192.168.65.1
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: PPP.negotiate: received ((magic VMN3T)(version 1)(commit ec40b14c72adc0bff3b01fa8886dae7f2eee1541))
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: PPP.negotiate: received (Ethernet fb2d8367-1709-4260-9b91-c7accb4f8a5a)
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: PPP.negotiate: sending ((mtu 1500)(max_packet_size 1550)(client_macaddr c0:ff:ee:c0:ff:ee))
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: PPP.listen: called a second time: doing nothing
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: TCP/IP ready
Jul 13 12:57:44 quark Docker[com.docker.slirp][4745] <Notice>: stack connected
Jul 13 12:57:51 quark Docker[com.docker.slirp][4745] <Notice>: Using protocol TwoThousand msize 8192
Jul 13 12:59:41 quark Docker[com.docker.slirp][4745] <Error>: failed to establish 9P connection: Caught EOF on underlying FLOW
Jul 13 13:24:48 quark Docker[com.docker.slirp][4745] <Error>: Socket.TCPV4.read 54.230.51.245:443: caught Uwt.Uwt_error(Uwt.ECONNRESET, "uwt_read", "") returning Eof
Jul 13 13:24:52 quark Docker[com.docker.slirp][4745] <Error>: Socket.TCPV4.read 54.230.51.12:443: caught Uwt.Uwt_error(Uwt.ECONNRESET, "uwt_read", "") returning Eof

Ignore "refused" DNS responses

A DNS server configured to disallow recursion will send back responses with the "Refused" bit set. We should ignore these and listen for real responses from other hopefully-better-configured servers. Perhaps we should log the refusals? At the moment the refusal will come back before the useful response causing us to forward the refusal and stop listening.

See docker/for-mac#1025
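
The selection rule proposed in this issue, as an added example in Python (not vpnkit's own OCaml code): `forward_first` reproduces the behaviour described, `select_response` skips responses whose RCODE is Refused (5, RFC 1035) and records who refused. The function names, the server addresses and the header-only packets are constructed for illustration; dropping packets with a mismatched transaction ID is an extra check assumed here.

```python
import struct

RCODE_NOERROR = 0
RCODE_REFUSED = 5        # RFC 1035 section 4.1.1
QR_RESPONSE = 0x8000     # QR bit: packet is a response
RA_AVAILABLE = 0x0080    # RA bit: server offers recursion


def build_response(txid, rcode, recursion_available=True):
    """Build a header-only DNS response (constructed sample data)."""
    flags = QR_RESPONSE | (rcode & 0x000F)
    if recursion_available:
        flags |= RA_AVAILABLE
    # Fields: id, flags, qdcount, ancount, nscount, arcount
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)


def parse_header(packet):
    """Return (txid, is_response, rcode) from the fixed 12-byte header."""
    if len(packet) < 12:
        raise ValueError("DNS packet shorter than the 12-byte header")
    txid, flags = struct.unpack("!HH", packet[:4])
    return txid, bool(flags & QR_RESPONSE), flags & 0x000F


def forward_first(arrivals):
    """Behaviour the issue describes: forward whatever arrives first."""
    for server, packet in arrivals:
        return server, packet
    return None


def select_response(txid, arrivals):
    """Skip Refused responses and keep listening for a real answer.

    arrivals is an iterable of (server, packet) in arrival order.
    Returns (chosen, refused_by): chosen is (server, packet) or None when
    no usable response arrived; refused_by lists servers to log.
    """
    refused_by = []
    for server, packet in arrivals:
        try:
            got_id, is_response, rcode = parse_header(packet)
        except ValueError:
            continue  # truncated packet: not a usable answer
        if not is_response or got_id != txid:
            continue  # not a reply to this query (assumed extra check)
        if rcode == RCODE_REFUSED:
            refused_by.append(server)  # log it, keep waiting
            continue
        return (server, packet), refused_by
    return None, refused_by


# Constructed arrival order: the non-recursive server answers first.
SAMPLE_TXID = 0x1A2B
SAMPLE_ARRIVALS = [
    ("192.0.2.53", build_response(SAMPLE_TXID, RCODE_REFUSED, False)),
    ("198.51.100.53", build_response(0x9999, RCODE_NOERROR)),  # stray id
    ("203.0.113.53", build_response(SAMPLE_TXID, RCODE_NOERROR)),
]

if __name__ == "__main__":
    print("first arrival:", forward_first(SAMPLE_ARRIVALS)[0])
    chosen, refused_by = select_response(SAMPLE_TXID, SAMPLE_ARRIVALS)
    print("selected:", chosen[0], "refused by:", refused_by)
```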

missing `--version` argument

I'd expect com.docker.slirp to have an option to get the version and/or Git commit from which it has been built.

Example of code doing that could be found in datakit or in various other places.

DNS logic does not respect zone information

On the Mac (not sure about Windows) there is a mapping from domain to DNS servers, so (for example) only queries for *.vpn.docker.com will be sent via the VPN's internal DNS servers.

Currently we ignore this mapping and allow all queries to be sent to all servers.

We need to

  • extend the DNS configuration with this extra zone information
  • change our server selection policy: in the presence of zones, we should use the specific server(s), for both UDP and TCP queries

Reported as [moby/moby#26390]
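
A zone-aware server selection policy of the kind this issue asks for, as an added example in Python (not vpnkit's own code). The zone table layout, the function name and all server addresses are assumptions made for illustration; it also assumes that a zone entry covers the zone name itself and that the most specific zone wins.

```python
def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def servers_for(qname, zones, default_servers):
    """Return the DNS servers that may receive a query for qname.

    zones maps a zone name to the servers responsible for it. Matching is
    done on whole labels, longest suffix first, so "notvpn.docker.com"
    does not match the zone "vpn.docker.com". Names outside every zone go
    to default_servers only, which keeps internal names away from public
    resolvers and public names away from the VPN's resolvers.
    """
    table = {normalize(zone): servers for zone, servers in zones.items()}
    labels = normalize(qname).split(".")
    # Try the full name first, then strip one leading label at a time.
    for start in range(len(labels)):
        candidate = ".".join(labels[start:])
        if candidate in table:
            return list(table[candidate])
    return list(default_servers)


# Constructed configuration: zone name from the issue, addresses invented.
SAMPLE_ZONES = {
    "vpn.docker.com": ["10.8.0.1", "10.8.0.2"],
    "eng.vpn.docker.com.": ["10.8.1.1"],
}
SAMPLE_DEFAULT = ["192.0.2.53"]

if __name__ == "__main__":
    for name in ("db.vpn.docker.com", "ci.eng.vpn.docker.com",
                 "notvpn.docker.com", "www.example.org"):
        print(name, "->", servers_for(name, SAMPLE_ZONES, SAMPLE_DEFAULT))
```

The same lookup applies to UDP and TCP queries, since it depends only on the query name.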

cannot build

MacBook-Pro:vpnkit a$ opam install --deps-only slirp
The following actions will be performed:
  ∗  install tcpip          999
  ∗  install protocol-9p    0.8.0
  ∗  install mirage-dns     2.5.0
  ∗  install charrua-core   999
  ∗  install datakit-server 0.9.0
  ∗  install conduit        0.14.5
  ∗  install mirage-conduit 2.2.0
  ∗  install cohttp         0.22.0
  ∗  install mirage-http    2.5.3
===== ∗  9 =====
Do you want to continue ? [Y/n] y

=-=- Gathering sources =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  🐫
[conduit.0.14.5] https://github.com/mirage/ocaml-conduit/archive/v0.14.5.tar.gz downloaded
[cohttp.0.22.0] https://github.com/mirage/ocaml-cohttp/archive/v0.22.0.tar.gz downloaded
[charrua-core] https://github.com/djs55/charrua-core.git#singleton-lease updated
[mirage-http.2.5.3] https://github.com/mirage/mirage-http/releases/download/2.5.3/mirage-http-2.5.3.tbz downloaded
[protocol-9p.0.8.0] https://github.com/mirage/ocaml-9p/releases/download/v0.8.0/protocol-9p-0.8.0.tbz downloaded
[datakit-server.0.9.0] https://github.com/docker/datakit/releases/download/0.9.0/datakit-0.9.0.tbz downloaded
[tcpip] git://github.com/djs55/mirage-tcpip#3.0.0-beta11 updated

=-=- Processing actions -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  🐫
[ERROR] The compilation of tcpip failed at "make".
[ERROR] The compilation of protocol-9p failed at "ocaml pkg/pkg.ml build --pinned false --with-lambda-term false".

#=== ERROR while installing protocol-9p.0.8.0 =================================#
# opam-version 1.2.2
# os           darwin
# command      ocaml pkg/pkg.ml build --pinned false --with-lambda-term false
# path         /Users/alexf/.opam/4.03.0/build/protocol-9p.0.8.0
# compiler     4.03.0
# exit-code    1
# env-file     /Users/alexf/.opam/4.03.0/build/protocol-9p.0.8.0/protocol-9p-26204-548b09.env
# stdout-file  /Users/alexf/.opam/4.03.0/build/protocol-9p.0.8.0/protocol-9p-26204-548b09.out
# stderr-file  /Users/alexf/.opam/4.03.0/build/protocol-9p.0.8.0/protocol-9p-26204-548b09.err
### stdout ###
# [...]
# ocamlfind ocamldep -package astring -package fmt -package lwt -package mirage-types.lwt -package result -package cstruct -package named-pipe.lwt -package logs -modules unix/flow_lwt_unix.mli > unix/flow_lwt_unix.mli.depends
# ocamlfind ocamlc -c -g -bin-annot -safe-string -package astring -package fmt -package lwt -package mirage-types.lwt -package result -package cstruct -package named-pipe.lwt -package logs -w @5@8@10@11@12@14@23@24@26@29@40 -I unix -I lib_test -I lib -o unix/flow_lwt_unix.cmi unix/flow_lwt_unix.mli
# ocamlfind ocamldep -package astring -package fmt -package lwt -package mirage-types.lwt -package result -package cstruct -package named-pipe.lwt -package logs -modules unix/client9p_unix.ml > unix/client9p_unix.ml.depends
# ocamlfind ocamldep -package astring -package fmt -package lwt -package mirage-types.lwt -package result -package cstruct -package named-pipe.lwt -package logs -modules unix/client9p_unix.mli > unix/client9p_unix.mli.depends
# ocamlfind ocamlc -c -g -bin-annot -safe-string -package astring -package fmt -package lwt -package mirage-types.lwt -package result -package cstruct -package named-pipe.lwt -package logs -w @5@8@10@11@12@14@23@24@26@29@40 -I unix -I lib_test -I lib -o unix/client9p_unix.cmi unix/client9p_unix.mli
# ocamlfind ocamlopt -c -g -bin-annot -safe-string -package astring -package fmt -package lwt -package mirage-types.lwt -package result -package cstruct -package named-pipe.lwt -package logs -w @5@8@10@11@12@14@23@24@26@29@40 -I unix -I lib_test -I lib -o unix/flow_lwt_unix.cmx unix/flow_lwt_unix.ml
# + ocamlfind ocamlopt -c -g -bin-annot -safe-string -package astring -package fmt -package lwt -package mirage-types.lwt -package result -package cstruct -package named-pipe.lwt -package logs -w @5@8@10@11@12@14@23@24@26@29@40 -I unix -I lib_test -I lib -o unix/flow_lwt_unix.cmx unix/flow_lwt_unix.ml
# File "unix/flow_lwt_unix.ml", line 59, characters 9-25:
# Error: Unbound module Lwt_cstruct
# Command exited with code 2.
### stderr ###
# pkg.ml: [ERROR] cmd ['ocamlbuild' '-use-ocamlfind' '-classic-display' '-tag' 'debug'
# [...]
#      'lib/protocol_9p.cmx' 'lib/protocol_9p.cmi' 'lib/protocol_9p.mli'
#      'unix/protocol-9p-unix.a' 'unix/protocol-9p-unix.cmxs'
#      'unix/protocol-9p-unix.cmxa' 'unix/protocol-9p-unix.cma'
#      'unix/lofs9p.cmx' 'unix/lofs9p.cmi' 'unix/lofs9p.mli'
#      'unix/server9p_unix.cmx' 'unix/server9p_unix.cmi'
#      'unix/server9p_unix.mli' 'unix/client9p_unix.cmx'
#      'unix/client9p_unix.cmi' 'unix/client9p_unix.mli'
#      'unix/flow_lwt_unix.cmx' 'unix/flow_lwt_unix.cmi'
#      'unix/flow_lwt_unix.mli']: exited with 10


#=== ERROR while installing tcpip.999 =========================================#
# opam-version 1.2.2
# os           darwin
# command      make
# path         /Users/alexf/.opam/4.03.0/build/tcpip.999
# compiler     4.03.0
# exit-code    2
# env-file     /Users/alexf/.opam/4.03.0/build/tcpip.999/tcpip-26204-d4902a.env
# stdout-file  /Users/alexf/.opam/4.03.0/build/tcpip.999/tcpip-26204-d4902a.out
# stderr-file  /Users/alexf/.opam/4.03.0/build/tcpip.999/tcpip-26204-d4902a.err
### stdout ###
# [...]
# /Users/alexf/.opam/4.03.0/bin/ocamlfind ocamlopt -shared -I lib lib/ipv6.cmxa lib/ndpv6.cmx lib/ipv6.cmx -o lib/ipv6.cmxs
# /Users/alexf/.opam/4.03.0/bin/ocamlfind ocamldep -package bytes -package cstruct -package io-page -package ipaddr -package logs -package lwt -package mirage-profile -package mirage-types -package result -modules lib/icmp/icmpv4.mli > lib/icmp/icmpv4.mli.depends
# /Users/alexf/.opam/4.03.0/bin/ocamlfind ocamlc -c -g -annot -bin-annot -I lib -package bytes -package cstruct -package io-page -package ipaddr -package logs -package lwt -package mirage-profile -package mirage-types -package result -I lib/icmp -I lib -o lib/icmp/icmpv4.cmi lib/icmp/icmpv4.mli
# /Users/alexf/.opam/4.03.0/bin/ocamlfind ocamldep -package bytes -package cstruct -package io-page -package ipaddr -package logs -package lwt -package mirage-profile -package mirage-types -package result -modules lib/icmp/icmpv4.ml > lib/icmp/icmpv4.ml.depends
# /Users/alexf/.opam/4.03.0/bin/ocamlfind ocamldep -package bytes -package cstruct -package io-page -package ipaddr -package logs -package lwt -package mirage-profile -package mirage-types -package result -modules lib/icmp/icmpv4_wire.ml > lib/icmp/icmpv4_wire.ml.depends
# /Users/alexf/.opam/4.03.0/bin/ocamlfind ocamlc -c -g -annot -bin-annot -I lib -package bytes -package cstruct -package io-page -package ipaddr -package logs -package lwt -package mirage-profile -package mirage-types -package result -I lib/icmp -I lib -o lib/icmp/icmpv4_wire.cmo lib/icmp/icmpv4_wire.ml
# + /Users/alexf/.opam/4.03.0/bin/ocamlfind ocamlc -c -g -annot -bin-annot -I lib -package bytes -package cstruct -package io-page -package ipaddr -package logs -package lwt -package mirage-profile -package mirage-types -package result -I lib/icmp -I lib -o lib/icmp/icmpv4_wire.cmo lib/icmp/icmpv4_wire.ml
# File "lib/icmp/icmpv4_wire.ml", line 1, characters 3-10:
# Uninterpreted extension 'cstruct'.
# Command exited with code 2.
### stderr ###
# W: Cannot find source file matching module 'tcp' in library tcp.
# W: Use InterfacePatterns or ImplementationPatterns to define this file with feature "source_patterns".
# E: Failure("Command ''/Users/alexf/.opam/4.03.0/bin/ocamlbuild' lib/libtcpip_stubs.a lib/dlltcpip_stubs.so lib/tcpip.cma lib/tcpip.cmxa lib/tcpip.a lib/tcpip.cmxs lib/ethif.cma lib/ethif.cmxa lib/ethif.a lib/ethif.cmxs lib/arpv4.cma lib/arpv4.cmxa lib/arpv4.a lib/arpv4.cmxs lib/ipv4.cma lib/ipv4.cmxa lib/ipv4.a lib/ipv4.cmxs lib/ipv6.cma lib/ipv6.cmxa lib/ipv6.a lib/ipv6.cmxs lib/icmp/icmpv4.cma lib/icmp/icmpv4.cmxa lib/icmp/icmpv4.a lib/icmp/icmpv4.cmxs lib/udp.cma lib/udp.cmxa lib/udp.a lib/udp.cmxs tcp/tcp.cma tcp/tcp.cmxa tcp/tcp.a tcp/tcp.cmxs dhcp/dhcpv4.cma dhcp/dhcpv4.cmxa dhcp/dhcpv4.a dhcp/dhcpv4.cmxs lib/tcpip-stack-direct.cma lib/tcpip-stack-direct.cmxa lib/tcpip-stack-direct.a lib/tcpip-stack-direct.cmxs unix/udpv4-socket.cma unix/udpv4-socket.cmxa unix/udpv4-socket.a unix/udpv4-socket.cmxs unix/udpv6-socket.cma unix/udpv6-socket.cmxa unix/udpv6-socket.a unix/udpv6-socket.cmxs unix/tcpv4-socket.cma unix/tcpv4-socket.cmxa unix/tcpv4-socket.a unix/tcpv4-socket.cmxs unix/tcpv6-socket.cma unix/tcpv6-socket.cmxa unix/tcpv6-socket.a unix/tcpv6-socket.cmxs unix/tcpip-stack-socket.cma unix/tcpip-stack-socket.cmxa unix/tcpip-stack-socket.a unix/tcpip-stack-socket.cmxs -tag debug' terminated with error code 10")
# make: *** [build] Error 1



=-=- Error report -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=  🐫
The following actions were aborted
  ∗  install charrua-core   999
  ∗  install cohttp         0.22.0
  ∗  install conduit        0.14.5
  ∗  install datakit-server 0.9.0
  ∗  install mirage-conduit 2.2.0
  ∗  install mirage-dns     2.5.0
  ∗  install mirage-http    2.5.3
The following actions failed
  ∗  install protocol-9p 0.8.0
  ∗  install tcpip       999
No changes have been performed

Help: Port forwarding problem

Hi guys,
I'm combining vpnkit and hyperkit to boot Ubuntu cloud images on my Mac with great success, but I'm hitting a wall with port forwarding. End-goal is to SSH into the VM from the host, but I'm stuck.

I'm doing the following (on OSX 10.12)

  1. launching vpnkit:

vpnkit.exe --debug --ethernet=/tmp/vpnkit.socket --port=/tmp/vpnkit.port.socket --diagnostics /tmp/vpnkit.diag.socket --vsock-path=/tmp/connect --host-names mac.localhost

  2. launch my VM:

./hyperkit -A -u -H -m 512M -c 1 -s 2:0,virtio-vpnkit,path=/tmp/vpnkit.socket \
-s "1:0,ahci-hd,file://$PWD/ubuntu-16.04-server-cloudimg-amd64-disk1.qcow2,format=qcow,qcow-config=discard=true;compact_after_unmaps=0;keep_erased=0;runtime_asserts=false" \
-s 0:0,hostbridge -s 31,lpc -l com1,stdio,log=log-ring \
-f kexec,$PWD/ubuntu-16.04-server-cloudimg-amd64-vmlinuz-generic,$PWD/ubuntu-16.04-server-cloudimg-amd64-initrd-generic,earlyprintk=serial\ console=ttyS0\ root=/dev/sda1\ rw -s 1:1,ahci-cd,/Users/gerry/VMs/ubuntu/image.iso \
-s 6,virtio-9p,path=/tmp/vpnkit.port.socket,tag=port -s 5,virtio-rnd -s 7,virtio-sock,guest_cid=3,path=/tmp,guest_forwards=8002

I get console access to a perfectly operational VM, which can access the network just fine.

Now I try to configure port forwarding, so inside the VM I do:

  1. mount the 9p filesystem

sudo mount -t 9p -o trans=virtio,version=9p2000 port /port

  2. try to forward port 8000 from the VM to the host

~/vpnkit-expose-port.linux -i -host-ip 127.0.0.1 -host-port 8000 -container-ip 0.0.0.0 -container-port 8000 -no-local-ip

  3. launch a simple service:

python -m SimpleHTTPServer 8000

But on the host, trying to access that service hangs:

wget localhost:8000
--2017-07-14 15:22:10-- http://localhost:8000/
Resolving localhost... ::1, 127.0.0.1
Connecting to localhost|::1|:8000... connected.
HTTP request sent, awaiting response...

Sometimes I see vpnkit print

vpnkit.exe: [ERROR] Socket.Stream: caught Socket is not connected

I've a couple of questions as a result:

  1. Am I doing something wrong above? Cat-ing the diagnostics from vpnkit's diagnostics socket doesn't show me anything obviously wrong.
  2. I see virtio-vsock support is implemented, which requires 4.8 kernels or later. But is port forwarding implemented using this protocol? (the guest_forwards= makes me suspicious)
  3. is datakit required for this?
  4. vpnkit doesn't need to be root for port forwarding, does it? I don't see how, but just in case.

Here are my logs in case they're useful: https://pastebin.ca/3842831
Any tips/tricks to debugging this would be greatly appreciated.

Many thanks in advance
-G

Create a random mac address

Having all machines have C0:FF:EE:C0:FF:EE as their MAC address is very inconvenient, e.g. they are indistinguishable... Can we generate a random address please...

intermittent CI failures

I see intermittent failures in CI on Windows which look like this:

[ERROR]             Forwarding with Lwt          1   Check speed of 10 forwarded connections.
[OK]                UDP with Lwt                 0   Shared NAT rule.
[OK]                UDP with Lwt                 1   1 UDP connection.
[OK]                UDP with Lwt                 2   2 UDP connections.
[OK]                UDP with Lwt                 3   NAT punch.
[OK]                UDP with Lwt                 4   Source ports.
[OK]                hosts                        0   hosts Windows-style.
[OK]                hosts                        1   hosts Mac-style.
-- Forwarding with Lwt.001 Failed --
Check speed of 10 forwarded connections.
_build/_tests\Forwarding with Lwt.001.output:
main_lwt.native: [INFO] attempting a best-effort bind of ::1:1234
main_lwt.native: [INFO] attempting a best-effort bind of ::1:1234
main_lwt.native: [DEBUG] 127.0.0.1:1234: connecting
Tcp.Segment: TCP retransmission on timer seq = 452902894
main_lwt.native: [ERROR] PPP.listen: caught unexpected (Failure "Vmnet connection is disconnected"): disconnecting
Tcp.Segment: TCP retransmission on timer seq = 452902894
Tcp.Segment: TCP retransmission on timer seq = 452902894
Tcp.Segment: TCP retransmission on timer seq = 452902894
main_lwt.native: [ERROR] Hostnet_udp udp:192.168.65.2:17801-8.8.8.8:53: caught unexpected exception Unix.Unix_error(Unix.EBADF, "check_descriptor", "")
Tcp.Segment: TCP retransmission on timer seq = 452902894
Tcp.Segment: Max retransmits reached for connection - terminating
main_lwt.native: [ERROR] Socket.TCPV4.read 127.0.0.1:1234: caught Lwt.Canceled returning Eof
main_lwt.native: [ERROR] Socket.Stream: caught Unix.Unix_error(Unix.EBADF, "check_descriptor", "")
main_lwt.native: [ERROR] Socket.Stream: caught Unix.Unix_error(Unix.EBADF, "check_descriptor", "")
[failure] timeout
[failure] timeout
The full test results are available in `_build/_tests`.

e.g. https://ci.appveyor.com/project/docker/vpnkit/build/1.0.453

The odd thing is that the test that fails has nothing to do with the TCP/IP stack itself -- it's testing the 9P based port forwarding logic -- but clearly there are threads in the stack that are still running. It might be a problem with the use of Lwt_main.run in the test cases? It might be better to re-order the tests or further split them up? Or maybe we need more logging to debug them?

Fails to parse IPv6 addresses in configuration

@dsheets reports that this error appears:

com.docker.slirp: [ERROR] failed to parse com.docker.driver.amd64-linux/slirp/dns: Failed to parse configuration: Ipaddr.Parse_error("invalid character ':' at 4", "2001:8b0:cb40:3495:3291:8fff:fe02:8cde")

We should use Ipaddr.of_string to parse IPv4 and v6 addresses. Probably the only annoying thing is the specification of the port. Perhaps we should use a separate line for that, rather than stick it on the end of the IP address? Some people use [addr]:port, and there also exist v6 zones like addr%iface. A newline might be the best terminator.

References:
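
The ambiguity described in this report, as an added example that is not part of the original issue or of vpnkit's code: a Python sketch using only the standard `ipaddress` module that reads one server per line and accepts bare IPv4/IPv6, `addr:port`, `[addr]:port` and `addr%zone`. The function names, the default port 53 and the sample entries (other than the address quoted in the error) are assumptions.

```python
import ipaddress

DEFAULT_PORT = 53  # assumption: entries name DNS servers, as in the slirp/dns key

# Constructed sample configuration; the first address is the one from the error above.
SAMPLE_CONFIG = """\
2001:8b0:cb40:3495:3291:8fff:fe02:8cde
[2001:8b0:cb40:3495:3291:8fff:fe02:8cde]:5353
192.168.65.1:53
fe80::1%en0
"""


def parse_server(entry, default_port=DEFAULT_PORT):
    """Parse one entry into (ip_address, zone_or_None, port)."""
    text = entry.strip()
    if not text:
        raise ValueError("empty entry")
    port_text = None
    if text.startswith("["):
        # Bracketed form: the only unambiguous way to attach a port to IPv6.
        host, closing, rest = text[1:].partition("]")
        if not closing:
            raise ValueError(f"missing ']' in {entry!r}")
        if rest:
            if not rest.startswith(":"):
                raise ValueError(f"unexpected text after ']' in {entry!r}")
            port_text = rest[1:]
    elif text.count(":") == 1:
        # Exactly one colon cannot be IPv6, so read it as IPv4 'addr:port'.
        host, _, port_text = text.partition(":")
    else:
        # No colon (IPv4) or several (bare IPv6): no port can be attached here.
        host = text
    host, _, zone = host.partition("%")
    address = ipaddress.ip_address(host)  # raises ValueError on bad input
    if zone and address.version != 6:
        raise ValueError(f"zone is only valid on IPv6: {entry!r}")
    port = default_port
    if port_text is not None:
        if not (port_text.isascii() and port_text.isdigit()):
            raise ValueError(f"bad port in {entry!r}")
        port = int(port_text)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range in {entry!r}")
    return address, zone or None, port


def parse_config(blob):
    """One entry per line, with newline as the terminator the issue suggests."""
    return [parse_server(line) for line in blob.splitlines() if line.strip()]
```
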

don't use io-page.1.6.0

[io-page.1.6.0] https://github.com/mirage/io-page/archive/v1.6.0.tar.gz downloaded

-- unfortunately this will crash on Windows when the GC activates.

DNS - wrong "No such name" answer

dns.zip
Attached is a vpnkit capture/dns.pcap file when a dns request has failed.
By analyzing the logs, you'll see that query with 0x8f82 (message number 878) is answered with No such name on message 888 and 889 before the upstream dns server has had any chance to answer that (on message 913 - with correct records).

Reduce the number of dependencies on forked packages.

vpnkit depends on custom versions of the following packages:

  • charrua-core
  • lwt
  • mirage-types-lwt
  • mirage-types
  • tcpip

If possible, we should reduce or eliminate these by upstreaming our changes or changing our code to conform with upstream changes.

proto-vmnet fails to install if all depopts not present

If fd-send-recv is installed but unix-errno isn't, there is a build error.

- ocamlfind: Package `unix-errno' not found
- W: Field 'pkg_unix_errno' is not set: Command ''/Users/distiller/.opam/4.02.3/bin/ocamlfind' query -format %d unix-errno > '/var/folders/jm/fw86rxds0xn69sk40d18y69m0000gp/T/oasis-b53102.txt'' terminated with error code 2
- ocamlfind: Package `unix-errno.unix' not found
- W: Field 'pkg_unix_errno_unix' is not set: Command ''/Users/distiller/.opam/4.02.3/bin/ocamlfind' query -format %d unix-errno.unix > '/var/folders/jm/fw86rxds0xn69sk40d18y69m0000gp/T/oasis-ae6afc.txt'' terminated with error code 2
- E: Cannot find findlib package unix-errno
- E: Cannot find findlib package unix-errno.unix
- E: Failure("2 configuration errors")
[ERROR] The compilation of proto-vmnet failed at "./configure --prefix
        /Users/distiller/.opam/4.02.3 --enable-unix".

Remove unnecessary log spam

Since the DHCP lease time was reduced we're still seeing quite a lot of regular spam e.g.

com.docker.slirp: [DEBUG] UDP 0.0.0.0:68 -> 255.255.255.255:67 len 308
com.docker.slirp: [DEBUG] Socket.Datagram.input 0.0.0.0:68-255.255.255.255:67: ignoring broadcast packet
ICMP Destination Unreachable: Destination port unreachable

Export stats to a time-series database

Since we're on the network data path we can measure the traffic as it passes through. We could measure

  • packets per second
  • bytes per second
  • DNS requests latency
  • DNS request failure rate
  • Number of active UDP NAT rules
    etc

This data could be sent to an external time-series database such as influxdb and then visualised.

This involves

  • writing a client for a time-series database (this may be as easy as connect()ing to it and writing .json messages)
  • adding some basic counters to the network stack
  • (stretch goal): allow the user to define their own filters via datakit and record these too

`slirp` is not properly parsing the `aliases` from the host's `/etc/hosts`

Expected behavior

The aliases should be taken into account when retrying to resolve the DNS queries.

Actual behavior

The aliases are not working as expected, only the first hostname is resolved properly. See an example below:

rogaha@Robertos-MacBook-Pro:~$ cat /etc/hosts | grep moby                                                                                                                  10:34:49
127.0.0.1   localhost moby
rogaha@Robertos-MacBook-Pro:~$ curl -I moby:5000                                                                                                                           10:34:55
HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Fri, 25 Nov 2016 10:34:59 GMT
Content-Type: text/plain; charset=utf-8
----- from moby
/ # curl -I moby:5000
curl: (6) Couldn't resolve host 'moby'
----- from container
root@5202c482d996:/# curl -I moby:5000
curl: (6) Could not resolve host: moby

Invalid argument on pull

Error log on a Windows client:

[11:19:44.279][VpnKit         ][Error  ] vpnkit.exe: PPP.listen callback caught (Invalid_argument

[11:19:44.279][VpnKit         ][Info   ]   "Cstruct.blit src=[6296,1360](65536) dst=[0,4096](4096) dst-off=3673 `len=1360")

moby/moby#34080

Include an HTTP proxy

We currently terminate TCP flows and connect them to outgoing socket connections. For the special case of HTTP we could forward the connections to the upstream HTTP proxy (if the host has one). We could start by simply proxying the TCP connections and then experiment with running a full HTTP proxy if necessary.

This involves

  • figuring out how to monitor the host OS's HTTP proxy settings
  • writing the proxy code

Trouble building the dockerfile

I'm on Windows 7 with docker 1.11

I've been trying to build with
docker build -t vpnkit .

I got this error:
2016-07-05 09_02_08-mingw64__c_users_tony perkins_vpnkit admin

I suspected that the path to the packages might be incorrect in the Dockerfile. So I changed this
RUN opam repo add dev /home/opam/src
to
RUN opam repo add dev /home/opam/src/opam/darwin

and it started complaining about . being an invalid token in the local directories. Based on the commit 54e7b19, it seems like packages/local might only be needed for OSX.

So I removed them before adding the repo:
RUN sudo rm -rf /home/opam/src/opam/darwin/packages/local
RUN opam repo add dev /home/opam/src/opam/darwin

Everything seems to be building fine, but I'm getting an error about topkg:
2016-07-05 14_09_59-mingw64__c_work_vpnkit admin

I tried a few things like adding a findlib to topkg in upstream but that didn't seem to work.

Do you have any ideas?

AppVeyor test results are not publicly visible

Users without special privileges can submit PRs to the repository and see that the AppVeyor tests failed, but they can't get the results of the tests. It will be difficult for contributors to fix problems with their PRs under these circumstances.

Lwt.async failure (Failure nth)

See docker/for-mac#578

Sep 15 19:50:35 Kyutas-MacBook-Pro Docker[com.docker.slirp][3652] <Error>: Lwt.async failure (Failure nth): Raised at file "pervasives.ml", line 32, characters 22-33
    Called from file "lib/dns_forward.ml", line 38, characters 41-77
    Called from file "lib/dns_forward.ml", line 102, characters 16-57
    Called from file "src/core/lwt.ml", line 795, characters 20-24

Support TCP DNS on more than one IP

Currently the DHCP response offers 2 nameserver IPs 192.168.65.1 and 192.168.65.3 where UDP sent to port 192.168.65.1:53 is sent to the host's 1st nameserver, and UDP sent to port 192.168.65.3:53 is sent to the host's 2nd nameserver. This means that the resolver inside the VM can do things like round-robin between name servers.

Unfortunately TCP DNS is always sent to the host's 1st nameserver, which means if nameserver 1 goes down and if the VM retries to the 2nd IP it will still fail.

We need to map TCP 192.168.65.3:53 to the host's 2nd nameserver.

Mac host resolver erroneously resolves short names

If /etc/resolv.conf has something like:

domain my.domain

and there exists a name foo.my.domain then

$ docker run -it centos:7 ping foo
ping: foo: Name or service not known

but

$ docker run -it alpine ping foo
PING foo (1.2.3.4): 56 data bytes
64 bytes from 1.2.3.4: seq=0 ttl=37 time=0.547 ms
^C
--- foo ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.547/0.547/0.547 ms

The query from the VM is for the short name foo but the answer comes back for foo.my.domain. The alpine resolver accepts it but the glibc one does not.

We should return a failure rather than an answer for a different question. (Separately we should ensure that the domain of the VM is set correctly so that the VM follows up with better questions)
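
The check proposed in this report, as an added sketch that is not part of the original issue or of vpnkit's code: it compares the owner names in the resolver's response with the name in the VM's query and substitutes a failure when they differ. The function names, the choice of NXDOMAIN as the failure code and the sample messages are assumptions constructed for illustration.

```python
import struct

def encode_name(name):
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def read_name(msg, off):
    """Decode the name at off; return (lowercased name, offset just past it)."""
    labels, after = [], None
    for _ in range(256):  # bounded walk, so a pointer loop cannot spin forever
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            after = off + 2 if after is None else after
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if after is None else after)
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    raise ValueError("name too long or compression pointer loop")

def answers_question(query, response):
    """True if each answer RR is owned by the queried name or a CNAME target of it."""
    qname, _ = read_name(query, 12)
    echoed, off = read_name(response, 12)
    if echoed != qname:
        return False
    off += 4  # skip QTYPE and QCLASS
    allowed = {qname}
    for _ in range(struct.unpack("!H", response[6:8])[0]):  # ANCOUNT
        owner, off = read_name(response, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if owner not in allowed:
            return False
        if rtype == 5:  # CNAME: its target may own the records that follow
            allowed.add(read_name(response, off)[0])
        off += rdlen
    return True

def failure_for(query, rcode=3):
    """Empty reply to query with the given RCODE (3 = NXDOMAIN, an assumption)."""
    qid, flags = struct.unpack("!HH", query[:4])
    _, end = read_name(query, 12)
    flags = 0x8000 | 0x0080 | (flags & 0x7900) | rcode  # QR + RA, keep opcode and RD
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:end + 4]

def filter_response(query, response):
    """Forward the host's response only if it answers what was asked."""
    return response if answers_question(query, response) else failure_for(query)

def make_message(qid, flags, qname, answers=()):
    """Constructed sample data: a query, or a response carrying A records."""
    msg = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(ip)
    return msg

QUERY = make_message(0x1234, 0x0100, "foo")
# As in the report: the short name was asked, foo.my.domain's record came back.
EXPANDED = make_message(0x1234, 0x8180, "foo", [("foo.my.domain", (1, 2, 3, 4))])
```
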
