From 765a5e61ca312f7982d50f5ca501ef91a0f4a038 Mon Sep 17 00:00:00 2001
From: Nathan Flurry <developer@nathanflurry.com>
Date: Fri, 15 Nov 2024 10:47:42 -0800
Subject: [PATCH] chore: switch client from openssl to rustls

---
 docker/dev-full/client.Dockerfile | 6 +-
 packages/common/global-error/Cargo.toml | 2 +-
 packages/common/util/core/Cargo.toml | 2 +-
 packages/infra/client/Cargo.lock | 176 ++++++++++-------------
 packages/infra/client/README.md | 14 ++
 packages/infra/client/manager/Cargo.toml | 2 +-
 6 files changed, 92 insertions(+), 110 deletions(-)
 create mode 100644 packages/infra/client/README.md

diff --git a/docker/dev-full/client.Dockerfile b/docker/dev-full/client.Dockerfile
index 4f8b4cb1dd..5d9147f42f 100644
--- a/docker/dev-full/client.Dockerfile
+++ b/docker/dev-full/client.Dockerfile
@@ -17,10 +17,8 @@ RUN \
 mv target/debug/rivet-client target/debug/rivet-isolate-v8-runner target/debug/rivet-container-runner /app/dist/
 
 # MARK: Runner
-#
-# Requires OpenSSL 1.1, so we pin this to Debian 11 instead of 12 (which uses OpenSSL 3).
-FROM debian:11-slim
-RUN DEBIAN_FRONTEND=noninteractive apt-get update -y && apt-get install -y --no-install-recommends ca-certificates openssl
+FROM debian:12-slim
+RUN DEBIAN_FRONTEND=noninteractive apt-get update -y && apt-get install -y --no-install-recommends ca-certificates
 COPY --from=builder /app/dist/rivet-client /app/dist/rivet-isolate-v8-runner /app/dist/rivet-container-runner /usr/local/bin/
 ENTRYPOINT ["rivet-client"]
 CMD ["-c", "/etc/rivet-client/config.json"]
diff --git a/packages/common/global-error/Cargo.toml b/packages/common/global-error/Cargo.toml
index ddbee4a395..8a902e293e 100644
--- a/packages/common/global-error/Cargo.toml
+++ b/packages/common/global-error/Cargo.toml
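Review bot: `FROM debian:12-slim` in the runner stage of docker/dev-full/client.Dockerfile is a floating tag, so every rebuild can pick up a different base image without any change in this repository. Pinning it by digest, `FROM debian:12-slim@sha256:<digest-placeholder>`, keeps the runner image reproducible and turns base-image updates into an explicit, reviewable change. The visible lines of the stage also set no `USER`, so `rivet-client` presumably starts as root; if that is needed to spawn runners, a one-line comment above `ENTRYPOINT` saying so would record the decision. The builder stage lies above this hunk and is not visible here.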
@@ -14,7 +14,7 @@ async-trait = "0.1"
 formatted-error = { path = "../formatted-error" }
 types-proto = { path = "../types-proto/core", optional = true }
 http = "0.2"
-reqwest = "0.11"
+reqwest = { version = "0.11", default-features = false }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 thiserror = "1.0"
diff --git a/packages/common/util/core/Cargo.toml b/packages/common/util/core/Cargo.toml
index dc62594b9d..7f2e49e05e 100644
--- a/packages/common/util/core/Cargo.toml
+++ b/packages/common/util/core/Cargo.toml
@@ -21,7 +21,7 @@ ipnet = { version = "2.7", features = ["serde"] }
 lazy_static = "1.4"
 rand = "0.8"
 regex = "1.4"
-reqwest = "0.11"
+reqwest = { version = "0.11", default-features = false }
 rivet-config = { version = "0.1.0", path = "../../config" }
 rivet-util-macros = { path = "../macros" }
 serde = { version = "1.0", features = ["derive"] }
diff --git a/packages/infra/client/Cargo.lock b/packages/infra/client/Cargo.lock
index bb815ba6d3..fd143561fc 100644
--- a/packages/infra/client/Cargo.lock
+++ b/packages/infra/client/Cargo.lock
@@ -1136,15 +1136,15 @@ dependencies = [ "http 1.1.0", "http-body-util", "hyper 1.5.0", - "hyper-rustls", + "hyper-rustls 0.27.3", "hyper-util", "ipnet", "percent-encoding", - "rustls-webpki", + "rustls-webpki 0.102.8", "serde", "serde_json", "tokio", - "tokio-rustls", + "tokio-rustls 0.26.0", "tokio-socks", "tokio-util", "tower", @@ -1587,14 +1587,14 @@ source = "git+https://github.com/rivet-gg/deno?rev=bd98563214c532c8dae97d918edb5 dependencies = [ "deno_core", "deno_native_certs", - "rustls", + "rustls 0.23.15", "rustls-pemfile 2.2.0", "rustls-tokio-stream", - "rustls-webpki", + "rustls-webpki 0.102.8", "serde", "thiserror", "tokio", - "webpki-roots", + "webpki-roots 0.26.6", ] [[package]]
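Review bot: In packages/common/global-error/Cargo.toml, and identically in packages/common/util/core/Cargo.toml, the new `reqwest = { version = "0.11", default-features = false }` enables no TLS backend at all, so HTTPS works only when another crate in the same build turns on `rustls-tls` through feature unification. Any binary that links these shared crates without doing so would still compile and then fail on `https://` requests at run time, which is easy to miss. If these crates issue requests themselves, declare the backend here with `features = ["rustls-tls"]`; if they use reqwest only for its types, a comment such as `# TLS backend is chosen by the binary crate; defaults are off to keep native-tls/OpenSSL out` records the intent. Both `[dependencies]` tables start and end outside the hunks.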
@@ -2301,15 +2301,6 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" -[[package]] -name = "foreign-types" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" -dependencies = [ - "foreign-types-shared 0.1.1", -] - [[package]] name = "foreign-types" version = "0.5.0" @@ -2317,7 +2308,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d737d9aa519fb7b749cbc3b962edcf310a8dd1f4b67c91c4f83975dbdd17d965" dependencies = [ "foreign-types-macros", - "foreign-types-shared 0.3.1", + "foreign-types-shared", ] [[package]] @@ -2331,12 +2322,6 @@ dependencies = [ "syn 2.0.82", ] -[[package]] -name = "foreign-types-shared" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" - [[package]] name = "foreign-types-shared" version = "0.3.1" @@ -2974,6 +2959,20 @@ dependencies = [ "want", ] +[[package]] +name = "hyper-rustls" +version = "0.24.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ec3efd23720e2049821a693cbc7e65ea87c72f1c58ff2f9522ff332b1491e590" +dependencies = [ + "futures-util", + "http 0.2.12", + "hyper 0.14.31", + "rustls 0.21.12", + "tokio", + "tokio-rustls 0.24.1", +] + [[package]] name = "hyper-rustls" version = "0.27.3" 
@@ -2984,26 +2983,13 @@ dependencies = [ "http 1.1.0", "hyper 1.5.0", "hyper-util", - "rustls", + "rustls 0.23.15", "rustls-pki-types", "tokio", - "tokio-rustls", + "tokio-rustls 0.26.0", "tower-service", ] -[[package]] -name = "hyper-tls" -version = "0.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" -dependencies = [ - "bytes", - "hyper 0.14.31", - "native-tls", - "tokio", - "tokio-native-tls", -] - [[package]] name = "hyper-util" version = "0.1.7" @@ -3543,7 +3529,7 @@ dependencies = [ "bitflags 2.6.0", "block", "core-graphics-types", - "foreign-types 0.5.0", + "foreign-types", "log", "objc", "paste", @@ -3626,23 +3612,6 @@ dependencies = [ "unicode-xid", ] -[[package]] -name = "native-tls" -version = "0.2.12" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8614eb2c83d59d1c8cc974dd3f920198647674a0a035e1af1fa58707e317466" -dependencies = [ - "libc", - "log", - "openssl", - "openssl-probe", - "openssl-sys", - "schannel", - "security-framework", - "security-framework-sys", - "tempfile", -] - [[package]] name = "ndk-sys" version = "0.5.0+25.2.9519653" 
@@ -3897,50 +3866,12 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381" -[[package]] -name = "openssl" -version = "0.10.68" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6174bc48f102d208783c2c84bf931bb75927a617866870de8a4ea85597f871f5" -dependencies = [ - "bitflags 2.6.0", - "cfg-if", - "foreign-types 0.3.2", - "libc", - "once_cell", - "openssl-macros", - "openssl-sys", -] - -[[package]] -name = "openssl-macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" -dependencies = [ - "proc-macro2", - "quote", - "syn 2.0.82", -] - [[package]] name = "openssl-probe" version = "0.1.5" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" -[[package]] -name = "openssl-sys" -version = "0.9.104" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "45abf306cbf99debc8195b66b7346498d7b10c210de50418b5ccd7ceba08c741" -dependencies = [ - "cc", - "libc", - "pkg-config", - "vcpkg", -] - [[package]] name = "option-ext" version = "0.2.0" @@ -4798,15 +4729,15 @@ dependencies = [ "http 0.2.12", "http-body 0.4.6", "hyper 0.14.31", - "hyper-tls", + "hyper-rustls 0.24.2", "ipnet", "js-sys", "log", "mime", - "native-tls", "once_cell", "percent-encoding", "pin-project-lite", + "rustls 0.21.12", "rustls-pemfile 1.0.4", "serde", "serde_json", @@ -4814,7 +4745,7 @@ dependencies = [ "sync_wrapper", "system-configuration", "tokio", - "tokio-native-tls", + "tokio-rustls 0.24.1", "tokio-util", "tower-service", "url", @@ -4822,6 +4753,7 @@ dependencies = [ "wasm-bindgen-futures", "wasm-streams", "web-sys", + "webpki-roots 0.25.4", "winreg", ] 
@@ -5018,6 +4950,18 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "rustls" +version = "0.21.12" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3f56a14d1f48b391359b22f731fd4bd7e43c97f3c50eee276f3aa09c94784d3e" +dependencies = [ + "log", + "ring", + "rustls-webpki 0.101.7", + "sct", +] + [[package]] name = "rustls" version = "0.23.15" @@ -5028,7 +4972,7 @@ dependencies = [ "once_cell", "ring", "rustls-pki-types", - "rustls-webpki", + "rustls-webpki 0.102.8", "subtle", "zeroize", ] @@ -5077,11 +5021,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "22557157d7395bc30727745b365d923f1ecc230c4c80b176545f3f4f08c46e33" dependencies = [ "futures", - "rustls", + "rustls 0.23.15", "socket2", "tokio", ] +[[package]] +name = "rustls-webpki" +version = "0.101.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8b6275d1ee7a1cd780b64aca7726599a1dbc893b1e64144529e55c3c2f745765" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "rustls-webpki" version = "0.102.8" @@ -5204,6 +5158,16 @@ dependencies = [ "sha2", ] +[[package]] +name = "sct" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "da046153aa2352493d6cb7da4b6e5c0c057d8a1d0a9aa8560baffdd945acd414" +dependencies = [ + "ring", + "untrusted", +] + [[package]] name = "sec1" version = "0.7.3" @@ -6519,12 +6483,12 @@ dependencies = [ ] [[package]] -name = "tokio-native-tls" -version = "0.3.1" +name = "tokio-rustls" +version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" +checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081" dependencies = [ - "native-tls", + "rustls 0.21.12", "tokio", ] 
@@ -6534,7 +6498,7 @@ version = "0.26.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0c7bc40d0e5a97695bb96e27995cd3a08538541b0a846f65bba7a359f36700d4" dependencies = [ - "rustls", + "rustls 0.23.15", "rustls-pki-types", "tokio", ] @@ -7248,6 +7212,12 @@ dependencies = [ "rustls-pki-types", ] +[[package]] +name = "webpki-roots" +version = "0.25.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1" + [[package]] name = "webpki-roots" version = "0.26.6"
diff --git a/packages/infra/client/README.md b/packages/infra/client/README.md
new file mode 100644
index 0000000000..b3f8519b83
--- /dev/null
+++ b/packages/infra/client/README.md
@@ -0,0 +1,14 @@
+# Rivet Client
+
+## Projects
+
+- **manager** The binary responsible for talking to the Rivet Server. This will spawn a runner based on the flavor (isolate or container).
+- **isolate-v8-runner** Runs actors using V8 isolates.
+- **container-runner** Runs actors as containers.
+- **runner-protocol** Shared types for the runner's protocol.
+- **echo** Used as a test binary for testing pegboard-manager.
+
+## rustls and OpenSSL
+
+We opt to use rustls instead of OpenSSL in all client binaries in the interest of portability.
+
diff --git a/packages/infra/client/manager/Cargo.toml b/packages/infra/client/manager/Cargo.toml
index 30cb00132b..92fee39f1a 100644
--- a/packages/infra/client/manager/Cargo.toml
+++ b/packages/infra/client/manager/Cargo.toml
@@ -23,7 +23,7 @@ nix = { version = "0.27", default-features = false, features = ["fs", "user", "s
 notify = { version = "6.1.1", default-features = false, features = ["serde", "fsevent-sys"] }
 prometheus = "0.13"
 rand = "0.8"
-reqwest = { version = "0.11", features = ["stream"] }
+reqwest = { version = "0.11", default-features = false, features = ["stream", "rustls-tls"] }
 serde = { version = "1.0.195", features = ["derive"] }
 serde_json = "1.0.111"
 sysinfo = "0.31.4"
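Review bot: With `rustls-tls` on the new `reqwest` line, reqwest 0.11 verifies servers against the Mozilla root set compiled in through `webpki-roots` (the lockfile in this patch adds `webpki-roots 0.25.4` to what appears to be reqwest's dependency list), not against the system store that the runner image's `ca-certificates` package provides. A privately issued CA installed on the host or image, or a root removed there, will therefore have no effect on the manager's HTTP client until the binary is rebuilt. If the system store should be honoured, the feature can be swapped: `reqwest = { version = "0.11", default-features = false, features = ["stream", "rustls-tls-native-roots"] }`. Otherwise the new README section on rustls is a natural place to state where the trust anchors come from. The `[dependencies]` table starts and ends outside this hunk.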