resource balancing

SkyperTHC 2023-11-14 19:49:33 +00:00
parent ecccc83586
commit 5403418b90
No known key found for this signature in database
GPG Key ID: A9BD386DF9113CD6
5 changed files with 56 additions and 29 deletions

@ -108,7 +108,7 @@ services:
cgroup_parent: sf.slice
volumes:
- "${SF_BASEDIR:-.}/config/etc/logpipe/:/app/config/:ro"
- "/dev/shm/sf/run/logpipe/:/app/sock/:rw"
- "${SF_SHMDIR:-/dev/shm/sf}/run/logpipe/:/app/sock/:rw"
sf-portd:
build: encfsd
@ -424,7 +424,8 @@ services:
- SF_MULLVAD_IP=${SF_MULLVAD_IP:?}
- SF_GUEST_MTU=${SF_GUEST_MTU:-1420}
volumes:
- "${SF_SHMDIR:-/dev/shm/sf}/run/vpn:/sf/run/vpn"
- "${SF_SHMDIR:-/dev/shm/sf}/run:/sf/run"
- "${SF_BASEDIR:-.}/config/db:/config/db:ro"
- "${SF_BASEDIR:-.}/config/etc/sf:/config/host/etc/sf:ro"
- "${SF_SHMDIR:-/dev/shm/sf}/config-for-guest:/config/guest" # vpn_status to guest
- "${SF_BASEDIR:-.}/sfbin:/sf/bin:ro"
@ -653,7 +654,7 @@ services:
- "/var/run/docker.sock:/var/run/docker.sock"
- "/var/lib/lxcfs:/var/lib/lxcfs:ro"
- "${SF_SHMDIR:-/dev/shm/sf}/run/redis/sock:/redis-sock"
# - /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-TESTING
#- /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-TESTING
# - /research/segfault/host:/host:ro # FIXME-TESTING sshd debug
nginx:
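Review bot: The new `${SF_SHMDIR:-/dev/shm/sf}/run:/sf/run` volume in the `@ -424,7 +424,8` hunk gives this service (the one carrying `SF_MULLVAD_IP`, presumably sf-router) read-write access to the whole shared run directory, which on this page also holds the logpipe socket, the redis socket and the per-guest `limits.txt` files, and it makes the narrower `run/vpn` mount on the line above redundant. If the router only needs to read `limits.txt` (as `user-limit.sh` does later in this commit), a narrower mount such as `- "${SF_SHMDIR:-/dev/shm/sf}/run/users:/sf/run/users:ro"` keeps the container from writing to sockets and state it does not own. If write access to other paths under `run` is actually required, a comment on the mount line naming them would make the widened scope deliberate rather than accidental.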

@ -610,7 +610,7 @@ RUN /pkg-install.sh HUGE apt-get install -y --no-install-recommends \
gobjc++-mingw-w64-i686-posix gobjc++-mingw-w64-i686-win32 gobjc-mingw-w64-i686-posix gobjc-mingw-w64-i686-win32 \
maven \
rust-src
RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan_%arch:x86_64=amd64:aarch64=arm64%$' fscan \
RUN /pkg-install.sh HACK ghbin shadow1ng/fscan 'fscan%arch:x86_64=:aarch64=_arm64%$' fscan \
&& /pkg-install.sh HACK ghbin 'theaog/spirit' 'spirit%arch:x86_64=:DEFAULT=SKIP%.tgz$' spirit `# x86_64 only, spirit-arm bad` \
&& /pkg-install.sh HACK bash -c '{ GOBIN=/usr/bin go install github.com/tomnomnom/gf@latest \
&& mkdir -p /usr/share/gf \

@ -326,7 +326,6 @@ init_vars()
init_defaults
init_emu
[[ -f "${SF_RUN_DIR}/logs/segfault.log" ]] && IS_LOGGING=1
NOW="$(date +%s)"
[[ -z $YOUR_IP ]] && {
@ -374,6 +373,8 @@ init_vars()
fi
fi
[[ -f "${SF_RUN_DIR}/logs/segfault.log" ]] && IS_LOGGING=1
xmkdir "${LG_RUN_DIR}"
# Check if we are still in sshd's Network Namespace
IS_SSHD_NS_NET=1
@ -455,8 +456,8 @@ ${CDY}@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
sysmsg "/config/host/etc/logoutmsg-all.sh"
echo -e "\
RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
📖 RTFM : ${CB}${CUL}https://www.thc.org/segfault/faq${CN}
🤗 GOODBYE : ${CW}Join us on Telegram - https://t.me/thcorg${CN}"
[[ -z $SF_IS_NEW_SERVER ]] && return
prompt_wait_yN 10 "Would you like to see your ${CDY}SECRET${CN} to log back in to ${CDY}${SF_HOSTNAME:-UNKNOWN}${CN}?" || return
@ -528,7 +529,7 @@ spawn_shell_exit()
sem_release
# Add a log entry into elastisearch using logpipe
logpipe "Type:Login|LID:${LID}|Hostname:${SF_HOSTNAME}||C_ISO:${YOUR_COUNTRY_ISO}|CONTINENT=${YOUR_CONTINENT_CODE}|"
logpipe "Type:Login|LID:${LID}|Hostname:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
# Update current IP:
tofile "${YOUR_IP_DISPLAY:?}" "/config/self-for-guest/lg-${LID}/ip"
@ -616,7 +617,6 @@ load_limits()
{
local prefix
local is_need_update_token
local is_token_loaded
# Set the default values.
# No default for ROOT_FS limit. Should be set in sf.conf or if not set
# then root is mounted read-only
@ -634,8 +634,6 @@ load_limits()
SF_ULIMIT_NOFILE="8192"
SF_USER_SYN_BURST=8196
SF_USER_SYN_LIMIT=1
SF_USER_DL_BURST=8gb
SF_USER_UL_BURST=8gb
SF_RPORT=1
# No new shells until load goes below STRAIN*NPROC.
@ -652,18 +650,19 @@ load_limits()
load_limits_fn "${SF_LIMITS_DIR}/limits-continent-${YOUR_CONTINENT_CODE}.conf"
# Source country specific limits
load_limits_fn "${SF_LIMITS_DIR}/limits-country-${YOUR_COUNTRY_ISO}.conf"
load_limits_fn "${SF_LIMITS_DIR}/limits-country-${YOUR_COUNTRY_ISO,,}.conf"
prefix="${SF_TOKEN_PREFIX//[^a-z]}-"
unset prefix
[[ -n $SF_TOKEN_PREFIX ]] && prefix="${SF_TOKEN_PREFIX//[^a-z]}-"
if [[ -z $SF_TOKEN ]]; then
# HERE: SF_TOKEN _not_ supplied
[[ -f "${SF_USER_DB_DIR}/token" ]] && {
SF_TOKEN="$(<"${SF_USER_DB_DIR}/token")"
is_token_loaded=1
}
else
# HERE: SF_TOKEN is user supplied.
[[ ! -f "${SF_TOKEN_DIR}/token-${prefix}${SF_TOKEN,,}.conf" ]] && ERREXIT 255 "The TOKEN '${CDY}${SF_TOKEN}${CN}' is not valid."
logpipe "Type:Token|TOKEN:${SF_TOKEN_NAME}|LID:${LID}|HOSTNAME:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
is_need_update_token=1
fi
@ -782,6 +781,7 @@ TX=${tx:-unlimited}
RX=${SF_MAXIN:-unlimited}
SYN_BURST=${SF_USER_SYN_BURST}
SYN_RATE=${SF_USER_SYN_LIMIT}/sec
FW=${SF_USER_FW}
SERVERS=${SF_LIMIT_SERVER_BY_IP}
GREETINGS='${SF_SYSCOP_MSG}'" "/config/self-for-guest/lg-${LID}/limits"
}
@ -794,7 +794,12 @@ SF_USER_ROOT_FS_INODE=\"$SF_USER_ROOT_FS_INODE\"
SF_USER_FS_SIZE=\"$SF_USER_FS_SIZE\"
SF_USER_FS_INODE=\"$SF_USER_FS_INODE\"
SF_USER_UL_RATE=\"$SF_USER_UL_RATE\"
SF_HOSTNAME=\"$SF_HOSTNAME\"
YOUR_COUNTRY_ISO=\"$YOUR_COUNTRY_ISO\"
YOUR_CONTINENT_CODE=\"$YOUR_CONTINENT_CODE\"
YOUR_IP_HASH=\"$YOUR_IP_HASH\"
SF_RPORT=\"$SF_RPORT\"
SF_USER_FW=\"$SF_USER_FW\"
SF_TOKEN_IMMUTABLE=\"$SF_TOKEN_IMMUTABLE\"
SF_USER_IMMUNE=\"$SF_USER_IMMUNE\"" "${LG_RUN_DIR}/limits.txt"
}
@ -1042,7 +1047,7 @@ mk_geoip()
[[ -z $SF_HIDEIP ]] && city=$(echo "$res" | jq -r '.[0].Records[0].Record.city.names.en | select(. != null)')
country=$(echo "$res" | jq -r '.[0].Records[0].Record.country.names.en | select(. != null)')
country_iso=$(echo "$res" | jq -r '.[0].Records[0].Record.country.iso_code | select(. != null)')
continent_code=$(echo "$res" | jq -r '.[0].Records[0].Record.country.iso_code | select(. != null)')
continent_code=$(echo "$res" | jq -r '.[0].Records[0].Record.continent.code | select(. != null)')
country_iso="${country_iso,,}"
country_iso="${country_iso//[^a-z]}"
@ -1224,7 +1229,7 @@ else
[[ -d "${HNLID_DIR}" ]] || exec_devnull mkdir "${HNLID_DIR}"
tofile "$LID" "${HNLID_FILE}" || ERREXIT 231 "tofile: Failed to create hnlid_file"
# Add a log entry into elastisearch using logpipe
logpipe "Type:Create|LID:${LID}|Hostname:${SF_HOSTNAME}|C_ISO:${YOUR_COUNTRY_ISO}|CONTINENT=${YOUR_CONTINENT_CODE}|"
logpipe "Type:Create|LID:${LID}|Hostname:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
fi
DEBUGF "LID=${LID} SF_HOSTNAME=${SF_HOSTNAME}"
@ -1232,7 +1237,7 @@ unset str
[[ -n $SF_LOG_IP ]] && str="[${CDY}${YOUR_IP}${CN}] "
str+="${CDG}${SF_HOSTNAME}"
[[ -n $SF_PRJ ]] && str+="/${CW}${SF_PRJ}"
LOG "${str}${CN} ${CDC}$*${CN}"
LOG "${str}${CN} [${CF}${YOUR_IP_HASH}${CN}/${CDY}${YOUR_COUNTRY_ISO}${CN}/${CDM}${YOUR_CONTINENT_CODE}${CN}] ${CDC}$*${CN}"
# Record which SSHD process is connect to guest LG.
tofile "SSHD_PID=$PPID
@ -1261,7 +1266,7 @@ sem_wait
[[ $str == "running" ]] && {
echo_pty -e "..........[${CG}Ok${CN}]"
DEBUGF "Attaching to existing container lg-${LID}..."
LOG "Attaching to existing container"
# LOG "Attaching to existing container"
spawn_shell_exit "$@"
# NOT REACHED
}
@ -1377,7 +1382,7 @@ echo_pty -n ".."
res=$(red SET "ip:${C_IP}" "${LID} ${CID} ${LG_PID}") || STOPEXIT "$LID" 252 "Failed to set LID in Redis"
# Set FW rules for this container
exec_devnull docker exec sf-router /user-limit.sh "${YOUR_IP_HASH}" "${YOUR_IP}" "${C_IP}" "$SF_USER_SYN_LIMIT" "$SF_USER_SYN_BURST" "$SF_USER_DL_RATE" "$SF_USER_DL_BURST" "$SF_USER_UL_RATE" "$SF_USER_UL_BURST" || STOPEXIT "${LID}" 251 "Faild to set syn-limit...";
exec_devnull docker exec sf-router /user-limit.sh "${LID}" "${YOUR_IP_HASH}" "${YOUR_IP}" "${C_IP}" "$SF_USER_SYN_LIMIT" "$SF_USER_SYN_BURST" || STOPEXIT "${LID}" 251 "Faild to set syn-limit...";
# Ready container
exec_devnull docker exec sf-master /ready-lg.sh "${LID}" "${C_IP}" "${LG_PID}" "${SF_USER_DL_RATE}" "${SF_USER_UL_RATE}" || STOPEXIT "${LID}" 246 "Failed-#3 to ready guest container..."
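Review bot: The `@ -794,7 +794,12` hunk appends `SF_HOSTNAME`, `YOUR_COUNTRY_ISO`, `YOUR_CONTINENT_CODE`, `YOUR_IP_HASH`, `SF_RPORT` and `SF_USER_FW` (these appear to be the added lines) to `limits.txt` as `NAME=\"$VALUE\"` text, and that file is now `source`d on the router by `user-limit.sh` (last file in this commit), so every value written there has to be shell-safe: a double quote, `$(`, backtick or backslash inside a value is interpreted at source time, not treated as data. `YOUR_COUNTRY_ISO` is narrowed to `[a-z]` in `mk_geoip`, but the others are written as-is; the continent code comes straight from the GeoIP `jq` output and `SF_USER_FW` from the token config, so none is obviously attacker-controlled, yet generating a sourced shell file by string interpolation is fragile. Writing each line as `SF_HOSTNAME=$(printf '%q' "$SF_HOSTNAME")` (and likewise for the other five) yields a correctly quoted literal whatever the value contains. Separately, the `LOG` line in the `@ -1232,7 +1237,7` hunk now records `YOUR_IP_HASH` unconditionally while the raw IP stays gated by `SF_LOG_IP`; whether that preserves the gating's intent depends on how the hash is derived, which is not visible here.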

@ -7,6 +7,7 @@ WG_PORT_MAX=65535
WT_VER=1
COLOR="always"
ICON_ERROR=""
SF_RUN_DIR="/dev/shm/sf/run"
source /sf/bin/funcs.sh
source /sf/bin/funcs_redis.sh
@ -18,6 +19,12 @@ WG_EP_HOST=${WG_EP_IP}
echo -en "Content-Type: text/plain\r\n\r\n"
logpipe() {
[[ ! -e "${SF_RUN_DIR}/logpipe/logPipe.sock" ]] && return
echo "$*" | nc -U unix-socket-client
}
# BAIL <STDOUT-MSG> <STDERR-MSG> <INFO MSG>
# STDOUT goes to user.
# STDERR is logged.
@ -683,6 +690,7 @@ cmd_token() {
[[ ! -f "${token_fn}" ]] && { sleep 1; BAIL "${M}Token '${R}${TOKEN_NAME}${M}' does not exist.${N}"; }
echo "${TOKEN_NAME}" >"/config/db/user/lg-${LID}/token"
logpipe "Type:Token|TOKEN:${TOKEN_NAME,,}|LID:${LID}|HOSTNAME:${SF_HOSTNAME}|IPHASH:${YOUR_IP_HASH}|C_ISO:${YOUR_COUNTRY_ISO^^}|CONTINENT=${YOUR_CONTINENT_CODE}|"
echo -en "${G}🦋 Token set. ${N}Type ${C}halt${N} and log back in."
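Review bot: The new `logpipe()` in the `@ -18,6 +19,12` hunk checks for `${SF_RUN_DIR}/logpipe/logPipe.sock` but then pipes into `nc -U unix-socket-client`, a literal name rather than that socket path; unless `unix-socket-client` is a wrapper provided elsewhere on this host, the Token record emitted from `cmd_token` is silently lost, since the function's exit status is never checked. The matching fix is `echo "$*" | nc -U "${SF_RUN_DIR}/logpipe/logPipe.sock"`, so the guard and the connect target agree. `SF_RUN_DIR` is also hard-coded to `/dev/shm/sf/run` here while the compose file in this same commit makes the location configurable via `SF_SHMDIR`; either derive it the same way or add a comment stating that inside this container the path is fixed by the volume mount. Because `TOKEN_NAME` is user input and the record is `|`-delimited, it is worth confirming that the validation before this hunk rejects `|`, so a token name cannot inject extra fields into the log record.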

@ -1,23 +1,36 @@
#! /bin/bash
# Executed on router
# Set User's TCP SYN limit and others
# [YOUR_IP] [Container IP] [SYN_LIMIT 1/sec] [SYN_BURST]
YOUR_IP_HASH="$1"
YOUR_IP="$2"
C_IP="$3"
SYN_LIMIT="$4"
SYN_BURST="$5"
USER_DL_RATE="$6"
USER_DL_BURST="$6"
USER_UL_RATE="$7"
USER_UL_BURST="$8"
LID="$1"
YOUR_IP_HASH="$2"
YOUR_IP="$3"
C_IP="$4"
SYN_LIMIT="$5"
SYN_BURST="$6"
set -e # Exit immediately on error
source "/dev/shm/net-devs.txt"
source "/sf/run/users/lg-${LID}/limits.txt"
fn="/config/db/token/netns-${SF_USER_FW}.sh"
FORWARD_USER="FW-${C_IP:?}"
set +e
iptables -F "${FORWARD_USER}" 2>/dev/null || iptables -N "${FORWARD_USER}"
[[ -n $SF_USER_FW ]] && [[ -f "$fn" ]] && {
iptables -C FORWARD -i "${DEV_LG:?}" -s "${C_IP}" -j "${FORWARD_USER}" &>/dev/null || iptables -I FORWARD 1 -i "${DEV_LG}" -s "${C_IP}" -j "${FORWARD_USER}"
set -e
source "$fn"
set +e
}
# Create our own 'hashmap' so that SYN is limited by user's source IP (e.g. user can spawn two
# servers and both servers have a total limit of SYN_LIMIT)
IDX=$((0x${YOUR_IP_HASH} % 1024))
[[ $IDX -lt 0 ]] && IDX=$((IDX * -1))
source /dev/shm/net-devs.txt || exit
[[ -n $SYN_LIMIT ]] && {
CHAIN="SYN-${SYN_LIMIT}-${SYN_BURST}-${IDX}"