Merge pull request #1099 from IABTechLab/ian-UID2-4235-enclave-debug-without-debugger-exposed

enclave debug without debugger exposed

Author: Ian-Nara

Makefile.eif

@@ -37,7 +37,7 @@ build/make_config.py: ./scripts/aws/make_config.py
 
 .PHONY: build_configs
 
-build_configs: build/conf/default-config.json build/conf/prod-uid2-config.json build/conf/integ-uid2-config.json build/conf/prod-euid-config.json build/conf/integ-euid-config.json build/conf/logback.xml
+build_configs: build/conf/default-config.json build/conf/prod-uid2-config.json build/conf/integ-uid2-config.json build/conf/prod-euid-config.json build/conf/integ-euid-config.json build/conf/logback.xml build/conf/logback-debug.xml
 
 build/conf/default-config.json: build_artifacts ./scripts/aws/conf/default-config.json
 	cp ./scripts/aws/conf/default-config.json ./build/conf/
@@ -57,6 +57,9 @@ build/conf/integ-euid-config.json: build_artifacts ./scripts/aws/conf/integ-euid
 build/conf/logback.xml: build_artifacts ./scripts/aws/conf/logback.xml
 	cp ./scripts/aws/conf/logback.xml ./build/conf/
 
+build/conf/logback-debug.xml: build_artifacts ./scripts/aws/conf/logback-debug.xml
+	cp ./scripts/aws/conf/logback-debug.xml ./build/conf/
+
 build/Dockerfile: build_artifacts ./scripts/aws/Dockerfile
 	cp ./scripts/aws/Dockerfile ./build/
 

scripts/aws/conf/logback-debug.xml

@@ -0,0 +1,15 @@
+<configuration>
+    <statusListener class="ch.qos.logback.core.status.OnConsoleStatusListener" />
+
+    <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
+        <encoder class="net.logstash.logback.encoder.LogstashEncoder">
+            <jsonGeneratorDecorator class="net.logstash.logback.mask.MaskingJsonGeneratorDecorator">
+                <defaultMask>REDACTED - S3</defaultMask>
+                <value>\S+s3\.amazonaws\.com\/\S*X-Amz-Security-Token=\S+</value>
+            </jsonGeneratorDecorator>
+        </encoder>
+    </appender>
+    <root level="INFO">
+        <appender-ref ref="STDOUT" />
+    </root>
+</configuration>

scripts/aws/eks-pod/entrypoint.sh

@@ -3,6 +3,7 @@ CID=42
 EIF_PATH=/home/uid2operator.eif
 MEMORY_MB=24576
 CPU_COUNT=6
+DEBUG_MODE="false"
 
 set -x
 
@@ -87,12 +88,20 @@ function update_config() {
         { set +x; } 2>/dev/null; { CPU_COUNT=$(echo $IDENTITY_SERVICE_CONFIG | jq -r '.enclave_cpu_count'); set -x; }
         { set +x; } 2>/dev/null; { MEMORY_MB=$(echo $IDENTITY_SERVICE_CONFIG | jq -r '.enclave_memory_mb'); set -x; }
     fi
+
+    { set +x; } 2>/dev/null; { DEBUG_MODE=$(echo $IDENTITY_SERVICE_CONFIG | jq -r '.debug_mode'); set -x; }
+
     shopt -u nocasematch
 }
 
 function run_enclave() {
-    echo "starting enclave... --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID"
-    nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name uid2-operator
+    if [ "$DEBUG_MODE" == "true" ]; then
+      echo "starting enclave... --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --debug-mode --attach-console"
+      nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name uid2-operator --debug-mode --attach-console
+    else
+      echo "starting enclave... --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID"
+      nitro-cli run-enclave --cpu-count $CPU_COUNT --memory $MEMORY_MB --eif-path $EIF_PATH --enclave-cid $CID --enclave-name uid2-operator
+    fi
 }
 
 echo "starting ..."

scripts/aws/entrypoint.sh

@@ -5,8 +5,7 @@
 LOG_FILE="/home/start.txt"
 
 set -x
-exec > $LOG_FILE
-exec 2>&1
+exec &> >(tee -a "$LOG_FILE")
 
 set -o pipefail
 ulimit -n 65536
@@ -19,10 +18,6 @@ ifconfig lo 127.0.0.1
 echo "Starting vsock proxy..."
 /app/vsockpx --config /app/proxies.nitro.yaml --daemon --workers $(( $(nproc) * 2 )) --log-level 3
 
-# -- setup syslog-ng
-echo "Starting syslog-ng..."
-/usr/sbin/syslog-ng --verbose
-
 # -- load config from identity service
 echo "Loading config from identity service via proxy..."
 
@@ -42,6 +37,17 @@ do
   sleep 2
 done
 
+DEBUG_MODE=$(jq -r ".debug_mode" < "${OVERRIDES_CONFIG}")
+
+if [[ "$DEBUG_MODE" == "true" ]]; then
+  LOGBACK_CONF="./conf/logback-debug.xml"
+else
+  LOGBACK_CONF="./conf/logback.xml"
+  # -- setup syslog-ng
+  echo "Starting syslog-ng..."
+  /usr/sbin/syslog-ng --verbose
+fi
+
 # check the config is valid. Querying for a known missing element (empty) makes jq parse the file, but does not echo the results
 if jq empty "${OVERRIDES_CONFIG}"; then
     echo "Identity service returned valid config"
@@ -101,6 +107,6 @@ java \
   -Djava.library.path=/app/lib \
   -Dvertx-config-path="${FINAL_CONFIG}" \
   -Dvertx.logger-delegate-factory-class-name=io.vertx.core.logging.SLF4JLogDelegateFactory \
-  -Dlogback.configurationFile=./conf/logback.xml \
+  -Dlogback.configurationFile=${LOGBACK_CONF} \
   -Dhttp_proxy=socks5://127.0.0.1:3305 \
   -jar /app/"${JAR_NAME}"-"${JAR_VERSION}".jar