resource balancing
This commit is contained in:
parent
ecccc83586
commit
5403418b90
@ -108,7 +108,7 @@ services:
|
||||
cgroup_parent: sf.slice
|
||||
volumes:
|
||||
- "${SF_BASEDIR:-.}/config/etc/logpipe/:/app/config/:ro"
|
||||
- "/dev/shm/sf/run/logpipe/:/app/sock/:rw"
|
||||
- "${SF_SHMDIR:-/dev/shm/sf}/run/logpipe/:/app/sock/:rw"
|
||||
|
||||
sf-portd:
|
||||
build: encfsd
|
||||
@ -424,7 +424,8 @@ services:
|
||||
- SF_MULLVAD_IP=${SF_MULLVAD_IP:?}
|
||||
- SF_GUEST_MTU=${SF_GUEST_MTU:-1420}
|
||||
volumes:
|
||||
- "${SF_SHMDIR:-/dev/shm/sf}/run/vpn:/sf/run/vpn"
|
||||
- "${SF_SHMDIR:-/dev/shm/sf}/run:/sf/run"
|
||||
- "${SF_BASEDIR:-.}/config/db:/config/db:ro"
|
||||
- "${SF_BASEDIR:-.}/config/etc/sf:/config/host/etc/sf:ro"
|
||||
- "${SF_SHMDIR:-/dev/shm/sf}/config-for-guest:/config/guest" # vpn_status to guest
|
||||
- "${SF_BASEDIR:-.}/sfbin:/sf/bin:ro"
|
||||
@ -653,7 +654,7 @@ services:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||
- "/var/lib/lxcfs:/var/lib/lxcfs:ro"
|
||||
- "${SF_SHMDIR:-/dev/shm/sf}/run/redis/sock:/redis-sock"
|
||||
# - /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-TESTING
|
||||
#- /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-TESTING
|
||||
# - /research/segfault/host:/host:ro # FIXME-TESTING sshd debug
|
||||
|
||||
nginx:
|
||||
|
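Review bot: The hunk around `/var/lib/lxcfs` only changes `# - ` to `#- ` on a commented-out bind mount, so two FIXME-TESTING lines remain in the shipped compose file as dead configuration that can be reactivated by accident. A developer-only bind of the host `segfaultsh` and the `/host:ro` mount below it belong in an uncommitted `docker-compose.override.yml` rather than as comments in the production file. The `${SF_SHMDIR:-/dev/shm/sf}` substitution in the first hunk matches the run-dir mounts that already use it.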
@ -610,7 +610,7 @@ RUN /pkg-install.sh HUGE apt-get install -y --no-install-recommends \
|
||||
gobjc++-mingw-w64-i686-posix gobjc++-mingw-w64-i686-win32 gobjc-mingw-w64-i686-posix gobjc-mingw-w64-i686-win32 \
|
||||
maven \
|
||||
rust-src
|
||||
RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan_%arch:x86_64=amd64:aarch64=arm64%$' fscan \
|
||||
RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm64%$' fscan \
|
||||
&& /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit `# x86_64 only, spirit-arm bad` \
|
||||
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \
|
||||
&& mkdir -p /usr/share/gf \
|
||||
|
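Review bot: The rewritten fscan line still fetches whatever the latest shadow1ng/fscan release asset matches `fscan%arch:x86_64=:aarch64=_arm64%$`, with no release tag and no checksum, so the image's contents change silently between builds and a tampered upstream release would land in the image unnoticed. The pattern is anchored only at the end (`$`), so on x86_64 any asset whose name ends in `fscan` would also match if several are published. If `pkg-install.sh ghbin` accepts a tag or a digest, pin one here; the surrounding `RUN` chain continues outside the hunk.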
@ -326,7 +326,6 @@ init_vars()
|
||||
init_defaults
|
||||
init_emu
|
||||
|
||||
[[ -f "${SF_RUN_DIR}/logs/segfault.log" ]] && IS_LOGGING=1
|
||||
|
||||
NOW="$(date +%s)"
|
||||
[[ -z $YOUR_IP ]] && {
|
||||
@ -374,6 +373,8 @@ init_vars()
|
||||
fi
|
||||
fi
|
||||
|
||||
[[ -f "${SF_RUN_DIR}/logs/segfault.log" ]] && IS_LOGGING=1
|
||||
|
||||
xmkdir "${LG_RUN_DIR}"
|
||||
# Check if we are still in sshd's Network Namespace
|
||||
IS_SSHD_NS_NET=1
|
||||
@ -455,8 +456,8 @@ ${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
|
||||
sysmsg "/config/host/etc/logoutmsg-all.sh"
|
||||
|
||||
echo -e "\
|
||||
RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
|
||||
GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
|
||||
📖 RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
|
||||
🤗 GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
|
||||
[[ -z $SF_IS_NEW_SERVER ]] && return
|
||||
|
||||
prompt_wait_yN 10 "Would you like to see your ${CDY}SECRET${CN} to log back in to ${CDY}${SF_HOSTNAME:-UNKNOWN}${CN}?" || return
|
||||
@ -528,7 +529,7 @@ spawn_shell_exit()
|
||||
sem_release
|
||||
|
||||
# Add a log entry into elastisearch using logpipe
|
||||
logpipe "Type:Login|LID:${LID}|Hostname:${SF_HOSTNAME}||C_ISO:${YOUR_COUNTRY_ISO}|CONTINENT=${YOUR_CONTINENT_CODE}|"
|
||||
logpipe "Type:Login|LID:${LID}|Hostname:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
|
||||
|
||||
# Update current IP:
|
||||
tofile "${YOUR_IP_DISPLAY:?}" "/config/self-for-guest/lg-${LID}/ip"
|
||||
@ -616,7 +617,6 @@ load_limits()
|
||||
{
|
||||
local prefix
|
||||
local is_need_update_token
|
||||
local is_token_loaded
|
||||
# Set the default values.
|
||||
# No default for ROOT_FS limit. Should be set in sf.conf or if not set
|
||||
# then root is mounted read-only
|
||||
@ -634,8 +634,6 @@ load_limits()
|
||||
SF_ULIMIT_NOFILE="8192"
|
||||
SF_USER_SYN_BURST=8196
|
||||
SF_USER_SYN_LIMIT=1
|
||||
SF_USER_DL_BURST=8gb
|
||||
SF_USER_UL_BURST=8gb
|
||||
SF_RPORT=1
|
||||
|
||||
# No new shells until load goes below STRAIN*NPROC.
|
||||
@ -652,18 +650,19 @@ load_limits()
|
||||
load_limits_fn "${SF_LIMITS_DIR}/limits-continent-${YOUR_CONTINENT_CODE}.conf"
|
||||
|
||||
# Source country specific limits
|
||||
load_limits_fn "${SF_LIMITS_DIR}/limits-country-${YOUR_COUNTRY_ISO}.conf"
|
||||
load_limits_fn "${SF_LIMITS_DIR}/limits-country-${YOUR_COUNTRY_ISO,,}.conf"
|
||||
|
||||
prefix="${SF_TOKEN_PREFIX//[^a-z]}-"
|
||||
unset prefix
|
||||
[[ -n $SF_TOKEN_PREFIX ]] && prefix="${SF_TOKEN_PREFIX//[^a-z]}-"
|
||||
if [[ -z $SF_TOKEN ]]; then
|
||||
# HERE: SF_TOKEN _not_ supplied
|
||||
[[ -f "${SF_USER_DB_DIR}/token" ]] && {
|
||||
SF_TOKEN="$(<"${SF_USER_DB_DIR}/token")"
|
||||
is_token_loaded=1
|
||||
}
|
||||
else
|
||||
# HERE: SF_TOKEN is user supplied.
|
||||
[[ ! -f "${SF_TOKEN_DIR}/token-${prefix}${SF_TOKEN,,}.conf" ]] && ERREXIT 255 "The TOKEN '${CDY}${SF_TOKEN}${CN}' is not valid."
|
||||
logpipe "Type:Token|TOKEN:${SF_TOKEN_NAME}|LID:${LID}|HOSTNAME:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
|
||||
|
||||
is_need_update_token=1
|
||||
fi
|
||||
@ -782,6 +781,7 @@ TX=${tx:-unlimited}
|
||||
RX=${SF_MAXIN:-unlimited}
|
||||
SYN_BURST=${SF_USER_SYN_BURST}
|
||||
SYN_RATE=${SF_USER_SYN_LIMIT}/sec
|
||||
FW=${SF_USER_FW}
|
||||
SERVERS=${SF_LIMIT_SERVER_BY_IP}
|
||||
GREETINGS='${SF_SYSCOP_MSG}'" "/config/self-for-guest/lg-${LID}/limits"
|
||||
}
|
||||
@ -794,7 +794,12 @@ SF_USER_ROOT_FS_INODE=\"$SF_USER_ROOT_FS_INODE\"
|
||||
SF_USER_FS_SIZE=\"$SF_USER_FS_SIZE\"
|
||||
SF_USER_FS_INODE=\"$SF_USER_FS_INODE\"
|
||||
SF_USER_UL_RATE=\"$SF_USER_UL_RATE\"
|
||||
SF_HOSTNAME=\"$SF_HOSTNAME\"
|
||||
YOUR_COUNTRY_ISO=\"$YOUR_COUNTRY_ISO\"
|
||||
YOUR_CONTINENT_CODE=\"$YOUR_CONTINENT_CODE\"
|
||||
YOUR_IP_HASH=\"$YOUR_IP_HASH\"
|
||||
SF_RPORT=\"$SF_RPORT\"
|
||||
SF_USER_FW=\"$SF_USER_FW\"
|
||||
SF_TOKEN_IMMUTABLE=\"$SF_TOKEN_IMMUTABLE\"
|
||||
SF_USER_IMMUNE=\"$SF_USER_IMMUNE\"" "${LG_RUN_DIR}/limits.txt"
|
||||
}
|
||||
@ -1042,7 +1047,7 @@ mk_geoip()
|
||||
[[ -z $SF_HIDEIP ]] && city=$(echo "$res" | jq -r '.[0].Records[0].Record.city.names.en | select(. != null)')
|
||||
country=$(echo "$res" | jq -r '.[0].Records[0].Record.country.names.en | select(. != null)')
|
||||
country_iso=$(echo "$res" | jq -r '.[0].Records[0].Record.country.iso_code | select(. != null)')
|
||||
continent_code=$(echo "$res" | jq -r '.[0].Records[0].Record.country.iso_code | select(. != null)')
|
||||
continent_code=$(echo "$res" | jq -r '.[0].Records[0].Record.continent.code | select(. != null)')
|
||||
|
||||
country_iso="${country_iso,,}"
|
||||
country_iso="${country_iso//[^a-z]}"
|
||||
@ -1224,7 +1229,7 @@ else
|
||||
[[ -d "${HNLID_DIR}" ]] || exec_devnull mkdir "${HNLID_DIR}"
|
||||
tofile "$LID" "${HNLID_FILE}" || ERREXIT 231 "tofile: Failed to create hnlid_file"
|
||||
# Add a log entry into elastisearch using logpipe
|
||||
logpipe "Type:Create|LID:${LID}|Hostname:${SF_HOSTNAME}|C_ISO:${YOUR_COUNTRY_ISO}|CONTINENT=${YOUR_CONTINENT_CODE}|"
|
||||
logpipe "Type:Create|LID:${LID}|Hostname:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
|
||||
fi
|
||||
|
||||
DEBUGF "LID=${LID} SF_HOSTNAME=${SF_HOSTNAME}"
|
||||
@ -1232,7 +1237,7 @@ unset str
|
||||
[[ -n $SF_LOG_IP ]] && str="[${CDY}${YOUR_IP}${CN}] "
|
||||
str+="${CDG}${SF_HOSTNAME}"
|
||||
[[ -n $SF_PRJ ]] && str+="/${CW}${SF_PRJ}"
|
||||
LOG "${str}${CN} ${CDC}$*${CN}"
|
||||
LOG "${str}${CN} [${CF}${YOUR_IP_HASH}${CN}/${CDY}${YOUR_COUNTRY_ISO}${CN}/${CDM}${YOUR_CONTINENT_CODE}${CN}] ${CDC}$*${CN}"
|
||||
|
||||
# Record which SSHD process is connect to guest LG.
|
||||
tofile "SSHD_PID=$PPID
|
||||
@ -1261,7 +1266,7 @@ sem_wait
|
||||
[[ $str == "running" ]] && {
|
||||
echo_pty -e "..........[${CG}Ok${CN}]"
|
||||
DEBUGF "Attaching to existing container lg-${LID}..."
|
||||
LOG "Attaching to existing container"
|
||||
# LOG "Attaching to existing container"
|
||||
spawn_shell_exit "$@"
|
||||
# NOT REACHED
|
||||
}
|
||||
@ -1377,7 +1382,7 @@ echo_pty -n ".."
|
||||
res=$(red SET "ip:${C_IP}" "${LID} ${CID} ${LG_PID}") || STOPEXIT "$LID" 252 "Failed to set LID in Redis"
|
||||
|
||||
# Set FW rules for this container
|
||||
exec_devnull docker exec sf-router /user-limit.sh "${YOUR_IP_HASH}" "${YOUR_IP}" "${C_IP}" "$SF_USER_SYN_LIMIT" "$SF_USER_SYN_BURST" "$SF_USER_DL_RATE" "$SF_USER_DL_BURST" "$SF_USER_UL_RATE" "$SF_USER_UL_BURST" || STOPEXIT "${LID}" 251 "Faild to set syn-limit...";
|
||||
exec_devnull docker exec sf-router /user-limit.sh "${LID}" "${YOUR_IP_HASH}" "${YOUR_IP}" "${C_IP}" "$SF_USER_SYN_LIMIT" "$SF_USER_SYN_BURST" || STOPEXIT "${LID}" 251 "Faild to set syn-limit...";
|
||||
|
||||
# Ready container
|
||||
exec_devnull docker exec sf-master /ready-lg.sh "${LID}" "${C_IP}" "${LG_PID}" "${SF_USER_DL_RATE}" "${SF_USER_UL_RATE}" || STOPEXIT "${LID}" 246 "Failed-#3 to ready guest container..."
|
||||
|
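Review bot: In the hunk at `@ -794,7 +794,12`, the new `SF_RPORT`, `SF_USER_FW`, `SF_TOKEN_IMMUTABLE` and `SF_USER_IMMUNE` lines are written into `limits.txt` as `NAME=\"$VALUE\"`, so a value containing `"`, `$` or a backtick becomes shell syntax when the router sources that file under `set -e` (assuming `${LG_RUN_DIR}` is the `/sf/run/users/lg-${LID}` path user-limit.sh reads). Emitting the lines with `%q` keeps them safe to source whatever the content, e.g. `tofile "$(printf 'SF_RPORT=%q\nSF_USER_FW=%q\nSF_TOKEN_IMMUTABLE=%q\nSF_USER_IMMUNE=%q\n' "$SF_RPORT" "$SF_USER_FW" "$SF_TOKEN_IMMUTABLE" "$SF_USER_IMMUNE")" "${LG_RUN_DIR}/limits.txt"`, and the existing lines above them deserve the same treatment. `SF_USER_FW` additionally becomes a path component (`netns-${SF_USER_FW}.sh`) on the router, so restricting it to `[A-Za-z0-9_-]` where the limits files are loaded, outside this hunk, would be prudent. The function containing this write starts outside the hunk; note also that `mk_geoip` in the later hunk leaves `continent_code` unfiltered while `country_iso` is reduced to `[a-z]` before it is used in a file name.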
@ -7,6 +7,7 @@ WG_PORT_MAX=65535
|
||||
WT_VER=1
|
||||
COLOR="always"
|
||||
ICON_ERROR=""
|
||||
SF_RUN_DIR="/dev/shm/sf/run"
|
||||
source /sf/bin/funcs.sh
|
||||
source /sf/bin/funcs_redis.sh
|
||||
|
||||
@ -18,6 +19,12 @@ WG_EP_HOST=${WG_EP_IP}
|
||||
|
||||
echo -en "Content-Type: text/plain\r\n\r\n"
|
||||
|
||||
logpipe() {
|
||||
[[ ! -e "${SF_RUN_DIR}/logpipe/logPipe.sock" ]] && return
|
||||
|
||||
echo "$*" | nc -U unix-socket-client
|
||||
}
|
||||
|
||||
# BAIL <STDOUT-MSG> <STDERR-MSG> <INFO MSG>
|
||||
# STDOUT goes to user.
|
||||
# STDERR is logged.
|
||||
@ -683,6 +690,7 @@ cmd_token() {
|
||||
[[ ! -f "${token_fn}" ]] && { sleep 1; BAIL "${M}Token '${R}${TOKEN_NAME}${M}' does not exist.${N}"; }
|
||||
|
||||
echo "${TOKEN_NAME}" >"/config/db/user/lg-${LID}/token"
|
||||
logpipe "Type:Token|TOKEN:${TOKEN_NAME,,}|LID:${LID}|HOSTNAME:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
|
||||
|
||||
echo -en "${G}🦋 Token set. ${N}Type ${C}halt${N} and log back in."
|
||||
|
||||
|
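Review bot: The new `logpipe()` tests that `${SF_RUN_DIR}/logpipe/logPipe.sock` exists but then runs `nc -U unix-socket-client`, a literal relative path, so unless the CGI's working directory happens to hold a socket of that name the record is silently dropped (nc's exit status is not checked either). The call should target the socket it just tested, `echo "$*" | nc -U "${SF_RUN_DIR}/logpipe/logPipe.sock"`, ideally with a short `-w` timeout if the image's nc supports it so a wedged collector cannot stall the request. The record emitted by `cmd_token` embeds the user-supplied `${TOKEN_NAME,,}` in a `|`-delimited line; the `-f "${token_fn}"` check limits it to names present on disk, but stripping `|` before logging would keep the format unambiguous.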
@ -1,23 +1,36 @@
|
||||
#! /bin/bash
|
||||
|
||||
# Executed on router
|
||||
# Set User's TCP SYN limit and others
|
||||
# [YOUR_IP] [Container IP] [SYN_LIMIT 1/sec] [SYN_BURST]
|
||||
|
||||
YOUR_IP_HASH="$1"
|
||||
YOUR_IP="$2"
|
||||
C_IP="$3"
|
||||
SYN_LIMIT="$4"
|
||||
SYN_BURST="$5"
|
||||
USER_DL_RATE="$6"
|
||||
USER_DL_BURST="$6"
|
||||
USER_UL_RATE="$7"
|
||||
USER_UL_BURST="$8"
|
||||
LID="$1"
|
||||
YOUR_IP_HASH="$2"
|
||||
YOUR_IP="$3"
|
||||
C_IP="$4"
|
||||
SYN_LIMIT="$5"
|
||||
SYN_BURST="$6"
|
||||
|
||||
set -e # Exit immediately on error
|
||||
source "/dev/shm/net-devs.txt"
|
||||
source "/sf/run/users/lg-${LID}/limits.txt"
|
||||
|
||||
fn="/config/db/token/netns-${SF_USER_FW}.sh"
|
||||
FORWARD_USER="FW-${C_IP:?}"
|
||||
set +e
|
||||
iptables -F "${FORWARD_USER}" 2>/dev/null || iptables -N "${FORWARD_USER}"
|
||||
[[ -n $SF_USER_FW ]] && [[ -f "$fn" ]] && {
|
||||
iptables -C FORWARD -i "${DEV_LG:?}" -s "${C_IP}" -j "${FORWARD_USER}" &>/dev/null || iptables -I FORWARD 1 -i "${DEV_LG}" -s "${C_IP}" -j "${FORWARD_USER}"
|
||||
set -e
|
||||
source "$fn"
|
||||
set +e
|
||||
}
|
||||
|
||||
|
||||
# Create our own 'hashmap' so that SYN is limited by user's source IP (e.g. user can spawn two
|
||||
# servers and both servers have a total limit of SYN_LIMIT)
|
||||
IDX=$((0x${YOUR_IP_HASH} % 1024))
|
||||
[[ $IDX -lt 0 ]] && IDX=$((IDX * -1))
|
||||
source /dev/shm/net-devs.txt || exit
|
||||
|
||||
[[ -n $SYN_LIMIT ]] && {
|
||||
CHAIN="SYN-${SYN_LIMIT}-${SYN_BURST}-${IDX}"
|
||||
|
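Review bot: The usage comment on line 5 still documents the old argument order (`# [YOUR_IP] [Container IP] [SYN_LIMIT 1/sec] [SYN_BURST]`) while the script now reads `LID` as `$1` and `YOUR_IP_HASH` as `$2`; it should read `# [LID] [YOUR_IP_HASH] [YOUR_IP] [Container IP] [SYN_LIMIT 1/sec] [SYN_BURST]`. `LID` is used unvalidated to build the path of `limits.txt`, which is then sourced under `set -e` by a script that manipulates iptables, and `SF_USER_FW` from that file selects a second sourced file, so a guard such as `[[ -n $LID && $LID != */* && $LID != .* ]] || exit 255` before the first `source` line keeps a malformed argument from reading outside `/sf/run/users`. The caller in segfaultsh is the only visible producer of `LID`, so this is defence in depth rather than a live fault; the hunk appears to end at the `CHAIN=` line.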