Adds remote debug capability for secretless broker

This change adds the capability for running remotely debugging secretless broker execution via a Delve-capable IDE (e.g. Intellij or Goland). To use remote debugging on the secretless broker, follow instructions in the test/connector/mssql/secretless-debug/README.md file.
cyberark · Jan 2, 2020 · ea5398f · ea5398f
1 parent 06f6447
commit ea5398f
Show file tree

Hide file tree

Showing 10 changed files with 221 additions and 10 deletions.
diff --git a/Dockerfile.debug b/Dockerfile.debug
@@ -0,0 +1,75 @@
+FROM golang:1.13-stretch as secretless-builder
+MAINTAINER Conjur Inc.
+LABEL builder="secretless-builder"
+
+WORKDIR /secretless
+
+# TODO: Expand this with build args when we support other arches
+ENV GOOS=linux \
+    GOARCH=amd64 \
+    CGO_ENABLED=1
+
+COPY go.mod go.sum /secretless/
+COPY third_party/ /secretless/third_party
+
+RUN go mod download
+
+# Compile Delve (for debugging)
+RUN go get github.com/go-delve/delve/cmd/dlv
+
+# secretless source files
+COPY ./cmd /secretless/cmd
+COPY ./internal /secretless/internal
+COPY ./pkg /secretless/pkg
+COPY ./resource-definitions /secretless/resource-definitions
+
+ARG TAG="dev"
+
+# The `Tag` override is there to provide the git commit information in the
+# final binary. See `Static long version tags` in the `Building` section
+# of `CONTRIBUTING.md` for more information.
+RUN go build -ldflags="-X github.com/cyberark/secretless-broker/pkg/secretless.Tag=$TAG" \
+             -gcflags="all=-N -l" \
+             -o dist/$GOOS/$GOARCH/secretless-broker ./cmd/secretless-broker && \
+    go build -o dist/$GOOS/$GOARCH/summon2 ./cmd/summon2
+
+
+# =================== MAIN CONTAINER ===================
+FROM alpine:3.8 as secretless-broker
+MAINTAINER CyberArk Software, Inc.
+
+RUN apk add -u shadow libc6-compat && \
+    # Add Limited user
+    groupadd -r secretless \
+             -g 777 && \
+    useradd -c "secretless runner account" \
+            -g secretless \
+            -u 777 \
+            -m \
+            -r \
+            secretless && \
+    # Ensure plugin dir is owned by secretless user
+    mkdir -p /usr/local/lib/secretless && \
+    # Make and setup a directory for sockets at /sock
+    mkdir /sock && \
+    # Make and setup a directory for the Conjur client certificate/access token
+    mkdir -p /etc/conjur/ssl && \
+    mkdir -p /run/conjur && \
+    # Use GID of 0 since that is what OpenShift will want to be able to read things
+    chown secretless:0 /usr/local/lib/secretless \
+                       /sock \
+                       /etc/conjur/ssl \
+                       /run/conjur && \
+    # We need open group permissions in these directories since OpenShift won't
+    # match our UID when we try to write files to them
+    chmod 770 /sock \
+              /etc/conjur/ssl \
+              /run/conjur
+
+USER secretless
+
+ENTRYPOINT [ "/usr/local/bin/dlv", "exec", "/usr/local/bin/secretless-broker", "--headless", "--listen=:40000", "--api-version=2", "--accept-multiclient", "--continue" ]
+
+COPY --from=secretless-builder /secretless/dist/linux/amd64/secretless-broker \
+                               /go/bin/dlv \
+                               /secretless/dist/linux/amd64/summon2 /usr/local/bin/
diff --git a/test/connector/tcp/mssql/secretless-debug/README.md b/test/connector/tcp/mssql/secretless-debug/README.md
@@ -0,0 +1,43 @@
+# Using the Secretless-Broker Remote Debug Image
+
+## Start your MSSQL server and Secretless Broker Debug Image
+From this directory, call
+```
+./start
+```
+This will automatically start a MSSQL server in a Docker container serving
+at `localhost:1433`, and a remote-debug mode Secretless Broker serving
+at `localhost:2223`.
+
+The debug-mode Secretless Broker will be running a version of the secretless
+broker binary that is compiled with optimization turned off (to enable
+the best debugging experience). This secretless broker binary will be run
+via Delve, which provides a debug link with Delve-capable debug IDEs
+(e.g. Intellij and Goland).
+
+## Configure Your Intellij / Goland IDE
+
+Reference: [Debugging Containerized Go Applications](https://blog.jetbrains.com/go/2018/04/30/debugging-containerized-go-applications/)
+
+### Create a `Go Remote` Run Configuration
+* In your IDE, select <Run> <Edit Configurations...> <`+`> <Go Remote>
+* In the `Name:` box, enter `secretless-broker`
+* In the `Port` box, enter `40000`
+* Select <OK>
+
+### Add Breakpoint(s)
+* In your IDE, navigate to a place in the source code where you would like
+* Left-mouse-click in the column between the line number and the line of
+  code, and you should see a red dot, indicating that a breakpoint has
+  been added.
+
+## Run an `sqlcmd` To Start Debugging
+When running the `sqlcmd` manually for testing with the remote debugging,
+use the `-t` and '-l` flags to disable timeouts on MSSQL transactions
+and MSSQL handshakes, respectively:
+```
+sqlcmd -S "127.0.0.1,2223" -U "x" -P "x" -Q "SELECT 1+1" -t 0 -l 0
+```
+
+If all goes right, your IDE should hit your chosen breakpoint, indicated by
+the line of code having a blue background.
diff --git a/test/connector/tcp/mssql/secretless-debug/docker-compose.yml b/test/connector/tcp/mssql/secretless-debug/docker-compose.yml
@@ -0,0 +1,45 @@
+version: '3.0'
+
+services:
+
+  mssql:
+    image: mcr.microsoft.com/mssql/server:2017-latest
+    ports:
+      - 1433:1433
+    environment:
+      # This hardcoded password must match the one in secretless.yml.
+      SA_PASSWORD: "yourStrong()Password"
+      ACCEPT_EULA: Y
+
+  secretless-debug:
+    build:
+      context: ../../../../..
+      dockerfile: Dockerfile.debug
+    ports:
+      - 2223:2223
+      - 40000:40000
+    security_opt:
+      - apparmor:unconfined
+      - seccomp:unconfined
+    cap_add:
+      - SYS_PTRACE
+    volumes:
+      - ../secretless.yml:/secretless.yml
+    depends_on:
+      - mssql
+
+  test:
+    build:
+      context: ..
+    command: sleep 999d
+    environment:
+      TEST_ROOT: /secretless/test/connector/tcp/mssql
+      DB_PROTOCOL: mssql
+      DB_HOST_TLS: mssql-2017-cu1
+      DB_HOST_NO_TLS: mssql-2017-cu1 # TODO: configure a non-ssl container?
+      DB_PORT: 1433
+      DB_USER: sa
+      DB_PASSWORD: yourStrong()Password
+      SECRETLESS_HOST:
+    volumes:
+      - ../../../../..:/secretless
diff --git a/test/connector/tcp/mssql/secretless-debug/start b/test/connector/tcp/mssql/secretless-debug/start
@@ -0,0 +1,3 @@
+#!/bin/bash -ex
+
+../start -s secretless-debug
diff --git a/test/connector/tcp/mssql/secretless-debug/stop b/test/connector/tcp/mssql/secretless-debug/stop
@@ -0,0 +1,3 @@
+#!/bin/bash -ex
+
+../stop
diff --git a/test/connector/tcp/mssql/secretless-debug/test b/test/connector/tcp/mssql/secretless-debug/test
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+../test -s secretless-debug
diff --git a/test/connector/tcp/mssql/secretless-debug/test-local b/test/connector/tcp/mssql/secretless-debug/test-local
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+# this is for local testing
+
+export TEST_ROOT="/secretless/test/connector/tcp/mssql"
+export DB_PROTOCOL="mssql"
+export DB_HOST_TLS="mssql"
+export DB_HOST_NO_TLS="mssql"
+export DB_PORT="1433"
+export DB_USER="sa"
+export DB_PASSWORD="yourStrong()Password"
+export SECRETLESS_HOST="127.0.0.1"
+export SECRETLESS_PORT="2223"
+
+cd ..
+go test -v
diff --git a/test/connector/tcp/mssql/secretless-debug/wait_for_mssql b/test/connector/tcp/mssql/secretless-debug/wait_for_mssql
@@ -0,0 +1,3 @@
+#!/bin/bash -ex
+
+../wait_for_mssql -m mssql
diff --git a/test/connector/tcp/mssql/start b/test/connector/tcp/mssql/start
@@ -1,12 +1,22 @@
 #!/bin/bash -ex
 
-SECRETLESS_HOST=secretless
-while getopts :d opt; do
+while getopts :ds: opt; do
     case $opt in
-        d) SECRETLESS_HOST=secretless-dev;;
+        d) dev_mode=true;;
+        s) SECRETLESS_HOST=${OPTARG};;
        \?) echo "Unknown option -$OPTARG"; exit 1;;
     esac
 done
+# If the secretless host is not explicitly set on the command line,
+# then use one of the default names (either secretless or
+# secretless-dev, depending on whether testing is being done in
+# development mode) for the secretless host.
+if [[ -z $SECRETLESS_HOST ]]; then
+    SECRETLESS_HOST=secretless
+    if [[ "$dev_mode" = true ]]; then
+        SECRETLESS_HOST=secretless-dev
+    fi
+fi
 
 ./stop
 

diff --git a/test/connector/tcp/mssql/test b/test/connector/tcp/mssql/test
@@ -1,12 +1,22 @@
 #!/bin/bash -e
 
-# Automatically detect if we're devmode based on the existence
-# of the secretless-dev container.  We assume that you started
-# your workflow using `./dev` if you are developing, and this
-# command will use the secretless-dev container.
-export SECRETLESS_HOST=secretless
-if [[ ! -z $(docker-compose ps -q secretless-dev) ]]; then
-  export SECRETLESS_HOST=secretless-dev
+while getopts :s: opt; do
+    case $opt in
+        s) SECRETLESS_HOST=${OPTARG};;
+       \?) echo "Unknown option -$OPTARG"; exit 1;;
+    esac
+done
+# If the secretless host is not explicitly set on the command line,
+# then use the default names (either secretless or secretless-dev)
+# for the secretless host. Automatically detect if we're devmode
+# based on the existence of the secretless-dev container.  We assume
+# that you started your workflow using `./dev` if you are developing,
+# and this command will use the secretless-dev container.
+if [[ -z $SECRETLESS_HOST ]]; then
+  export SECRETLESS_HOST=secretless
+  if [[ ! -z $(docker-compose ps -q secretless-dev) ]]; then
+    SECRETLESS_HOST=secretless-dev
+  fi
 fi
 
 echo "Waiting for '$SECRETLESS_HOST' service to start"