fix: ic_tee_daemon

Cargo.toml

@@ -19,7 +19,7 @@ strip = true
 opt-level = 's'
 
 [workspace.package]
-version = "0.2.11"
+version = "0.2.13"
 edition = "2021"
 repository = "https://github.com/ldclabs/ic-tee"
 keywords = ["tee", "canister", "icp", "nitro"]

nitro_enclave/amd64.Dockerfile

@@ -1,5 +1,5 @@
 # base image
-FROM --platform=linux/amd64 rust:slim-bookworm AS builder
+FROM rust:slim-bookworm AS builder
 
 RUN apt-get update \
     && apt-get install -y gcc g++ libc6-dev pkg-config libssl-dev wget
@@ -19,15 +19,15 @@ RUN mv linux-amd64/dnsproxy ./ \
     && rm -rf linux-amd64 \
     && chmod +x dnsproxy
 
-RUN wget -O ic_tee_daemon https://github.com/ldclabs/ic-tee/releases/download/v0.2.12/ic_tee_daemon
+RUN wget -O ic_tee_daemon https://github.com/ldclabs/ic-tee/releases/download/v0.2.13/ic_tee_daemon
 RUN chmod +x ic_tee_daemon
 
 WORKDIR /build
 COPY src ./src
 COPY Cargo.toml Cargo.lock ./
 RUN cargo build --release --locked -p ic_tee_nitro_gateway
 
-FROM --platform=linux/amd64 debian:bookworm-slim AS runtime
+FROM debian:bookworm-slim AS runtime
 
 # install dependency tools
 RUN apt-get update \

nitro_enclave/supervisord.conf

@@ -5,7 +5,7 @@ logfile_maxbytes=0
 
 # ip & vsock proxy inside enclave
 [program:ic_tee_daemon]
-command=/app/ic_tee_daemon --outbound-vsock-addr 3:448 --inbound-vsock-addr 8:443 --inbound-listen-addr 127.0.0.1:8443 --logtail-addr 127.0.0.1:9999
+command=/app/ic_tee_daemon
 autorestart=true
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0

src/ic_tee_daemon/README.md

@@ -10,7 +10,7 @@
 ## Usage
 
 ```bash
-ic_tee_daemon --outbound-vsock-addr 3:448 --inbound-vsock-addr 8:443 --inbound-listen-addr 127.0.0.1:8443 --logtail-addr 127.0.0.1:9999
+ic_tee_daemon --outbound-vsock-addr 3:448 --outbound_listen_addr 127.0.0.1:448 --inbound-vsock-addr 8:443 --inbound-listen-addr 127.0.0.1:8443 --logtail-addr 127.0.0.1:9999
 ```
 
 ## License

src/ic_tee_daemon/src/ip_to_vsock_transparent.rs

@@ -7,15 +7,15 @@ use tokio_vsock::{VsockAddr, VsockStream};
 
 use crate::helper::AddrInfo;
 
-pub async fn serve(listen_addr: &str, server_addr: VsockAddr) -> Result<()> {
+pub async fn serve(listen_addr: &str, proxy_addr: VsockAddr) -> Result<()> {
     let listener = TcpListener::bind(listen_addr)
         .await
         .context("failed to bind listener")?;
-    log::info!(target: "ip_to_vsock_transparent", "listening on {}, proxying to: {:?}", listen_addr, server_addr);
+    log::info!(target: "ip_to_vsock_transparent", "listening on {}, proxying to: {:?}", listen_addr, proxy_addr);
 
     while let Ok((inbound, _)) = listener.accept().await {
         tokio::spawn(async move {
-            if let Err(err) = transfer(inbound, server_addr).await {
+            if let Err(err) = transfer(inbound, proxy_addr).await {
                 log::error!(target: "ip_to_vsock_transparent", "error in transfer: {:?}", err)
             }
         });

src/ic_tee_daemon/src/main.rs

@@ -14,14 +14,18 @@ pub struct Cli {
     #[clap(long, default_value = "3:448")]
     outbound_vsock_addr: String,
 
-    /// IP address of listener in enclave (e.g. 127.0.0.1:8443)
-    #[clap(long, default_value = "127.0.0.1:8443")]
-    inbound_listen_addr: String,
+    /// IP address to listen for outbound connections from enclave (e.g. 127.0.0.1:448)
+    #[clap(long, default_value = "127.0.0.1:448")]
+    outbound_listen_addr: String,
 
     /// VSOCK address for inbound connections to enclave (e.g. 8:443)
     #[clap(long, default_value = "8:443")]
     inbound_vsock_addr: String,
 
+    /// IP address of listener in enclave (e.g. 127.0.0.1:8443)
+    #[clap(long, default_value = "127.0.0.1:8443")]
+    inbound_listen_addr: String,
+
     /// where the logtail server is running on host (e.g. 127.0.0.1:9999)
     #[arg(long, default_value = "127.0.0.1:9999")]
     logtail_addr: String,
@@ -50,7 +54,7 @@ async fn main() -> Result<()> {
     let serve_ip_to_vsock_transparent = async {
         let vsock_addr =
             helper::split_vsock(&cli.outbound_vsock_addr).map_err(anyhow::Error::msg)?;
-        ip_to_vsock_transparent::serve(&cli.outbound_vsock_addr, vsock_addr).await?;
+        ip_to_vsock_transparent::serve(&cli.outbound_listen_addr, vsock_addr).await?;
         Ok(())
     };
 

src/ic_tee_daemon/src/vsock_to_ip.rs

@@ -5,10 +5,10 @@ use tokio_vsock::{VsockAddr, VsockListener, VsockStream};
 
 pub async fn serve(listen_addr: VsockAddr, server_addr: &str) -> Result<()> {
     let listener = VsockListener::bind(listen_addr).expect("failed to bind listener");
-    log::info!(target: "vsock_to_ip", "listening on {:?}", listen_addr);
     let addr: SocketAddr = server_addr
         .parse()
         .context("failed to parse server address")?;
+    log::info!(target: "vsock_to_ip", "listening on {:?}, proxying to {:?}", listen_addr, addr);
 
     while let Ok((inbound, _)) = listener.accept().await {
         tokio::spawn(async move {
@@ -21,15 +21,15 @@ pub async fn serve(listen_addr: VsockAddr, server_addr: &str) -> Result<()> {
     Err(anyhow::anyhow!("vsock_to_ip listener exited"))
 }
 
-async fn transfer(mut inbound: VsockStream, proxy_addr: SocketAddr) -> Result<()> {
+async fn transfer(mut inbound: VsockStream, server_addr: SocketAddr) -> Result<()> {
     let inbound_addr = inbound
         .local_addr()
         .context("could not fetch inbound addr")?
         .to_string();
 
-    log::info!(target: "vsock_to_ip", "proxying to {:?}", proxy_addr);
+    log::info!(target: "vsock_to_ip", "proxying to {:?}", server_addr);
 
-    let mut outbound = TcpStream::connect(proxy_addr)
+    let mut outbound = TcpStream::connect(server_addr)
         .await
         .context("failed to connect to endpoint")?;
 
@@ -39,7 +39,7 @@ async fn transfer(mut inbound: VsockStream, proxy_addr: SocketAddr) -> Result<()
             anyhow::anyhow!(
                 "error in connection between {} and {}, {:?}",
                 inbound_addr,
-                proxy_addr,
+                server_addr,
                 err
             )
         })?;