m/n/core: only run debug service in debug build

This excludes the debug service from non-debug builds as it exposes a
bunch of unauthenticated interfaces for debugging to the world.
The Kubernetes tests were the last user of this service but getting
Kubernetes credentials is now handled by an authenticated production
service (the authproxy).
Some parts of the debug service functionality, namely GetLogs, will also
be needed outside of debug builds, but nothing depends on its
availability so we can do this right away.

Change-Id: I5ba3d2853c69ae295d6224b359b36c160b58c430
Reviewed-on: https://review.monogon.dev/c/monogon/+/552
Reviewed-by: Sergiusz Bazanski <serge@monogon.tech>
diff --git a/metropolis/node/core/BUILD.bazel b/metropolis/node/core/BUILD.bazel
index 5a73222..651e9df 100644
--- a/metropolis/node/core/BUILD.bazel
+++ b/metropolis/node/core/BUILD.bazel
@@ -4,12 +4,17 @@
     name = "go_default_library",
     # keep
     srcs = [
-        "debug_service.go",
         "main.go",
         "mounts.go",
     ] + select({
-        "//metropolis/node:debug_build": ["delve_enabled.go"],
-        "//conditions:default": ["delve_disabled.go"],
+        "//metropolis/node:debug_build": [
+            "debug_service_enabled.go",
+            "delve_enabled.go",
+        ],
+        "//conditions:default": [
+            "debug_service_disabled.go",
+            "delve_disabled.go",
+        ],
     }),
     importpath = "source.monogon.dev/metropolis/node/core",
     visibility = ["//visibility:private"],
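Review bot: The `select()` in `srcs` is now the only thing keeping the unauthenticated debug service out of non-debug builds, and nothing on these lines says so. A comment above the `select`, such as `# Security boundary: debug_service_enabled.go serves unauthenticated debug RPCs and must only be listed under //metropolis/node:debug_build.`, would make it harder for a later edit to move the file back into the unconditional list. A build-time check that the file is absent from the default configuration would back this up; whether one already exists cannot be seen from this hunk.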
diff --git a/metropolis/node/core/debug_service_disabled.go b/metropolis/node/core/debug_service_disabled.go
new file mode 100644
index 0000000..da64266
--- /dev/null
+++ b/metropolis/node/core/debug_service_disabled.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"context"
+
+	"source.monogon.dev/metropolis/node/core/localstorage"
+	"source.monogon.dev/metropolis/node/core/roleserve"
+	"source.monogon.dev/metropolis/pkg/logtree"
+)
+
+// runDebugService runs the debug service if this is a debug build. Otherwise
+// it does nothing.
+func runDebugService(_ context.Context, _ *roleserve.Service, _ *logtree.LogTree, _ *localstorage.Root) error {
+	// This code is included in the production build, do nothing.
+	return nil
+}
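Review bot: The doc comment on this stub `runDebugService` is identical to the one in the debug-build file and says it "runs the debug service if this is a debug build", which this implementation never does. Describing this file's own behaviour and the reason would read better, e.g. `// runDebugService is the non-debug stub: the debug service exposes unauthenticated interfaces, so it is never started in this build.` The file also carries no `//go:build` constraint, so both definitions of `runDebugService` are visible to tooling that does not go through Bazel's `select()`; a sentence in the comment naming `debug_service_enabled.go` and the BUILD rule would make the pairing explicit.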
diff --git a/metropolis/node/core/debug_service.go b/metropolis/node/core/debug_service_enabled.go
similarity index 90%
rename from metropolis/node/core/debug_service.go
rename to metropolis/node/core/debug_service_enabled.go
index 4d4c672..a4779e5 100644
--- a/metropolis/node/core/debug_service.go
+++ b/metropolis/node/core/debug_service_enabled.go
@@ -20,18 +20,22 @@
 	"bufio"
 	"context"
 	"fmt"
+	"net"
 	"os"
 	"regexp"
 	"strings"
 
 	ctr "github.com/containerd/containerd"
 	"github.com/containerd/containerd/namespaces"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
+	common "source.monogon.dev/metropolis/node"
 	"source.monogon.dev/metropolis/node/core/localstorage"
 	"source.monogon.dev/metropolis/node/core/roleserve"
 	"source.monogon.dev/metropolis/pkg/logtree"
+	"source.monogon.dev/metropolis/pkg/supervisor"
 	apb "source.monogon.dev/metropolis/proto/api"
 )
 
@@ -39,6 +43,29 @@
 	logFilterMax = 1000
 )
 
+// runDebugService runs the debug service if this is a debug build. Otherwise
+// it does nothing.
+func runDebugService(ctx context.Context, rs *roleserve.Service, lt *logtree.LogTree, root *localstorage.Root) error {
+	// This code is included in the debug build, so start the debug service.
+	supervisor.Logger(ctx).Infof("Starting debug service...")
+	dbg := &debugService{
+		roleserve:       rs,
+		logtree:         lt,
+		traceLock:       make(chan struct{}, 1),
+		ephemeralVolume: &root.Ephemeral.Containerd,
+	}
+	dbgSrv := grpc.NewServer()
+	apb.RegisterNodeDebugServiceServer(dbgSrv, dbg)
+	dbgLis, err := net.Listen("tcp", fmt.Sprintf(":%d", common.DebugServicePort))
+	if err != nil {
+		return fmt.Errorf("failed to listen on debug service: %w", err)
+	}
+	if err := supervisor.Run(ctx, "debug", supervisor.GRPCServer(dbgSrv, dbgLis, false)); err != nil {
+		return fmt.Errorf("failed to start debug service: %w", err)
+	}
+	return nil
+}
+
 // debugService implements the Metropolis node debug API.
 type debugService struct {
 	roleserve       *roleserve.Service
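Review bot: In `runDebugService`, `net.Listen("tcp", fmt.Sprintf(":%d", common.DebugServicePort))` binds every interface and `grpc.NewServer()` is created with no credentials or interceptors, so a debug image serves this API unauthenticated to anything that can reach the node, while the only trace is an Info line that looks routine. I would make that visible in the logs, e.g. `supervisor.Logger(ctx).Warningf("Starting unauthenticated debug service on port %d, debug build only", common.DebugServicePort)`, so a debug image deployed by mistake is easy to spot. Separately, if `supervisor.Run` returns an error the listener is never closed; a `dbgLis.Close()` on that path would release the port. The `debugService` struct that follows continues outside the hunk.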
diff --git a/metropolis/node/core/main.go b/metropolis/node/core/main.go
index 6528ab5..3254f2b 100644
--- a/metropolis/node/core/main.go
+++ b/metropolis/node/core/main.go
@@ -20,14 +20,11 @@
 	"context"
 	"fmt"
 	"io"
-	"net"
 	"os"
 	"runtime/debug"
 
 	"golang.org/x/sys/unix"
-	"google.golang.org/grpc"
 
-	common "source.monogon.dev/metropolis/node"
 	"source.monogon.dev/metropolis/node/core/cluster"
 	"source.monogon.dev/metropolis/node/core/localstorage"
 	"source.monogon.dev/metropolis/node/core/localstorage/declarative"
@@ -38,7 +35,6 @@
 	"source.monogon.dev/metropolis/pkg/logtree"
 	"source.monogon.dev/metropolis/pkg/supervisor"
 	"source.monogon.dev/metropolis/pkg/tpm"
-	apb "source.monogon.dev/metropolis/proto/api"
 )
 
 func main() {
@@ -170,22 +166,8 @@
 			return fmt.Errorf("when starting enrolment: %w", err)
 		}
 
-		// Start the node debug service.
-		supervisor.Logger(ctx).Infof("Starting debug service...")
-		dbg := &debugService{
-			roleserve:       rs,
-			logtree:         lt,
-			traceLock:       make(chan struct{}, 1),
-			ephemeralVolume: &root.Ephemeral.Containerd,
-		}
-		dbgSrv := grpc.NewServer()
-		apb.RegisterNodeDebugServiceServer(dbgSrv, dbg)
-		dbgLis, err := net.Listen("tcp", fmt.Sprintf(":%d", common.DebugServicePort))
-		if err != nil {
-			return fmt.Errorf("failed to listen on debug service: %w", err)
-		}
-		if err := supervisor.Run(ctx, "debug", supervisor.GRPCServer(dbgSrv, dbgLis, false)); err != nil {
-			return fmt.Errorf("failed to start debug service: %w", err)
+		if err := runDebugService(ctx, rs, lt, root); err != nil {
+			return fmt.Errorf("when starting debug service: %w", err)
 		}
 
 		supervisor.Signal(ctx, supervisor.SignalHealthy)