Commits
70 commits
6d6ed02
fixed config path
Villain88 Nov 26, 2025
e95ec98
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Nov 26, 2025
7363e0c
added iptables rules to access pccs from lxc-container
Villain88 Nov 26, 2025
5e7288d
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Nov 27, 2025
c9865c5
move lxc container into /etc/super
Villain88 Nov 27, 2025
9ab3ba5
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Nov 27, 2025
60c312a
fixed pccs cachemode to lazy
Villain88 Nov 27, 2025
ab9abe1
use mongodb as certificate storage
Villain88 Dec 1, 2025
9f837af
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Dec 1, 2025
c33eabd
pki-authority as swarm-service draft
Villain88 Dec 2, 2025
a3c1557
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Dec 2, 2025
7f69dcb
create and configure lxc container from python script
Villain88 Dec 2, 2025
929241f
some improvement
Villain88 Dec 3, 2025
11a940e
access to lxc container from wg network
Villain88 Dec 3, 2025
18d3bec
allowed challenges sev
Villain88 Dec 5, 2025
e9e36ec
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Dec 5, 2025
e61e1bd
store token in mongodb
Villain88 Dec 12, 2025
fd7e15b
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Dec 12, 2025
e52b92c
store authority service properties in swarmdb
Villain88 Dec 16, 2025
9c1d259
improved restart reasons
Villain88 Dec 17, 2025
b0ad577
registry external endpoints
Villain88 Dec 18, 2025
0e7416e
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Dec 18, 2025
7fba30d
ssl passthrough support for openresty
Villain88 Dec 19, 2025
2405221
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Dec 19, 2025
d3fd941
config pki-domain
Villain88 Dec 22, 2025
8890f08
Enhance hardening-vm.sh: Add iptables rule to accept traffic from the…
zbitname Dec 18, 2025
5d24dfc
Update hardening-vm.sh: Modify iptables rule to allow incoming traffi…
zbitname Dec 18, 2025
d7d8886
Comment out iptables rule for TCP port 443 in hardening-vm.sh to enha…
zbitname Dec 18, 2025
6ee33c8
Re-enable iptables rule for TCP port 443 in hardening-vm.sh to allow …
zbitname Dec 19, 2025
35f567f
delete redis endpoint on destroy
Villain88 Dec 23, 2025
a3d5d97
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Dec 23, 2025
e61506a
some fixes
Villain88 Dec 24, 2025
17d1b7e
linter
Villain88 Dec 25, 2025
59e4142
update pki-authority container
Villain88 Jan 5, 2026
b2848e0
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Jan 5, 2026
024a94c
Merge branch 'feature/SP-7355' into feature/SP-7272
Villain88 Jan 6, 2026
f152ab9
additional rules for production mode
Villain88 Jan 9, 2026
0a713c2
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Jan 14, 2026
db40596
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Jan 14, 2026
6921ab2
http support for pki-auth
Villain88 Jan 15, 2026
be21132
get registered endpoints directly from redis
Villain88 Jan 15, 2026
c6a1c49
Merge branch 'swarm-2' into feature/SP-7272
Villain88 Jan 15, 2026
190a301
new route format, new lxc container
Villain88 Jan 16, 2026
bae6959
Merge branch 'swarm' into feature/SP-7272
Villain88 Jan 18, 2026
b39bbe4
fixed untrusted support
Villain88 Jan 18, 2026
33d3e38
draft
Villain88 Jan 20, 2026
3c6b1a2
pki_node_ready draft
Villain88 Jan 21, 2026
867b02e
one more improvement
Villain88 Jan 22, 2026
692e9ff
use raw networkKey instead of hash
Villain88 Jan 22, 2026
ddf59a5
pylint fixes
Villain88 Jan 22, 2026
2b5bbcf
more strict query for pki nodes
Villain88 Jan 22, 2026
efc3e6e
Merge branch 'swarm' into feature/SP-7445
Villain88 Jan 23, 2026
f3ec4f7
forgot to commit dockerfile
Villain88 Jan 23, 2026
469cf6f
draft
Villain88 Jan 28, 2026
ec02209
draft 2
Villain88 Jan 28, 2026
d66dc98
swarm key generation, disable watchdog
Villain88 Feb 3, 2026
64f4837
pki sync draft
Villain88 Feb 3, 2026
9768db8
sync network type
Villain88 Feb 4, 2026
0544f94
gatekeeper certs
Villain88 Feb 4, 2026
bd73088
use aes encryption for swarm-db
Villain88 Feb 4, 2026
8229d1c
networkKey->networkID, do not sync auth_token
Villain88 Feb 5, 2026
31e033c
Merge branch 'swarm' into feature/SP-7400
Villain88 Feb 5, 2026
da60aad
small fixes
Villain88 Feb 5, 2026
bf88142
use latest pki components
Villain88 Feb 5, 2026
410c8dd
Merge branch 'swarm' into feature/SP-7400
Villain88 Feb 6, 2026
56466f4
review fixes
Villain88 Feb 6, 2026
c64c0c8
nvidia gpu info
Villain88 Feb 10, 2026
e8cadd8
sync client nvidia dependency
Villain88 Feb 10, 2026
bf6115a
update to latest pki components
Villain88 Feb 10, 2026
80bd1bf
using mount instead of copy
Villain88 Feb 13, 2026
36 changes: 28 additions & 8 deletions src/Dockerfile
@@ -258,16 +258,27 @@ RUN mkdir -p "${OUTPUTDIR}/usr/local/bin";

# copy pki-authority service files
ADD rootfs/files/scripts/install_lxc_deps.sh /buildroot/files/scripts/
ADD rootfs/files/configs/pki-service/pki-authority.service "${OUTPUTDIR}/etc/systemd/system"
RUN ln -s /etc/systemd/system/pki-authority.service "${OUTPUTDIR}/etc/systemd/system/multi-user.target.wants/pki-authority.service"
ADD rootfs/files/configs/pki-service/create-and-configure-pki.sh "${OUTPUTDIR}/usr/local/bin"
RUN mkdir -p "${OUTPUTDIR}/root/containers"
COPY --from=ghcr.io/super-protocol/tee-pki-authority-service-lxc:build-18725490828 /pki-authority.tar "${OUTPUTDIR}/root/containers/pki-authority.tar"
ADD rootfs/files/configs/pki-service/lxc-template.yaml "${OUTPUTDIR}/root/containers/lxc-template.yaml"
ADD rootfs/files/configs/pki-service/dnsmasq.conf "${OUTPUTDIR}/etc/lxc/dnsmasq.conf"
ADD rootfs/files/configs/pki-service/lxc-net "${OUTPUTDIR}/etc/default/lxc-net"
RUN --security=insecure /buildroot/files/scripts/install_lxc_deps.sh

ARG PKI_AUTHORITY_SERVICE_LXC_TAG=build-21720130629
RUN mkdir -p "${OUTPUTDIR}/etc/super/containers/pki-authority"
COPY --from=ghcr.io/super-protocol/tee-pki-authority-service-lxc:build-21875562504 /pki-authority.tar "${OUTPUTDIR}/etc/super/containers/pki-authority/pki-authority.tar"
ADD rootfs/files/configs/pki-service/conf/lxc-swarm-template.yaml "${OUTPUTDIR}/etc/super/containers/pki-authority/lxc-swarm-template.yaml"
ADD rootfs/files/configs/pki-service/conf/dnsmasq.conf "${OUTPUTDIR}/etc/lxc/dnsmasq.conf"
ADD rootfs/files/configs/pki-service/conf/lxc-net "${OUTPUTDIR}/etc/default/lxc-net"
RUN mkdir -p "${OUTPUTDIR}/usr/local/bin/pki-authority"
ADD rootfs/files/configs/pki-service/scripts/*.py "${OUTPUTDIR}/usr/local/bin/pki-authority/"
ADD rootfs/files/configs/pki-service/scripts/*.sh "${OUTPUTDIR}/usr/local/bin/pki-authority/"
ADD rootfs/files/configs/pki-service/systemd/pki-authority-init.service "${OUTPUTDIR}/etc/systemd/system"
ADD rootfs/files/configs/pki-service/systemd/pki-authority.service "${OUTPUTDIR}/etc/systemd/system"
ADD rootfs/files/configs/pki-service/systemd/pki-authority-sync.service "${OUTPUTDIR}/etc/systemd/system"
RUN mkdir -p "${OUTPUTDIR}/etc/super/pki-authority-sync"
ADD rootfs/files/configs/pki-service/conf/secrets-config.yaml "${OUTPUTDIR}/etc/super/pki-authority-sync/secrets-config.yaml"
RUN chmod +x "${OUTPUTDIR}"/usr/local/bin/pki-authority/*.py
RUN ln -s /etc/systemd/system/pki-authority-init.service "${OUTPUTDIR}/etc/systemd/system/multi-user.target.wants/pki-authority-init.service"
RUN ln -s /etc/systemd/system/pki-authority.service "${OUTPUTDIR}/etc/systemd/system/multi-user.target.wants/pki-authority.service"
RUN ln -s /etc/systemd/system/pki-authority-sync.service "${OUTPUTDIR}/etc/systemd/system/multi-user.target.wants/pki-authority-sync.service"

ADD rootfs/files/configs/etc/multipath.conf.append /buildroot/files/configs/etc/multipath.conf.append
ADD rootfs/files/configs/etc/sysctl.conf.append /buildroot/files/configs/etc/sysctl.conf.append

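Review bot: the build argument `ARG PKI_AUTHORITY_SERVICE_LXC_TAG=build-21720130629` is declared but never used; the `COPY --from=ghcr.io/super-protocol/tee-pki-authority-service-lxc:build-21875562504 ...` line two lines below hard-codes a different tag, so the two values already disagree and the ARG cannot override the image actually baked in. Either reference `${PKI_AUTHORITY_SERVICE_LXC_TAG}` in the `--from=` image or drop the ARG, so that the pinned container image is a single, auditable value. Secondary point: `RUN chmod +x "${OUTPUTDIR}"/usr/local/bin/pki-authority/*.py` covers the `.py` files only; if the `.sh` scripts added to the same directory are meant to be executed rather than sourced, they need the same treatment.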
@@ -283,6 +294,8 @@ RUN ln -sf /etc/systemd/system/hardening-vm.service "${OUTPUTDIR}/etc/systemd/sy
# swarm services
ADD rootfs/files/configs/etc/systemd/system/swarm-db.service ${OUTPUTDIR}/etc/systemd/system/swarm-db.service
RUN ln -sf /etc/systemd/system/swarm-db.service "${OUTPUTDIR}/etc/systemd/system/multi-user.target.wants/swarm-db.service"
ADD rootfs/files/scripts/prepare_swarm_db_config.py ${OUTPUTDIR}/usr/local/bin/prepare_swarm_db_config.py
RUN chmod +x ${OUTPUTDIR}/usr/local/bin/prepare_swarm_db_config.py
ADD rootfs/files/configs/usr/local/bin/swarm-cloud-api.sh ${OUTPUTDIR}/usr/local/bin/swarm-cloud-api.sh
ADD rootfs/files/configs/etc/systemd/system/swarm-node.service ${OUTPUTDIR}/etc/systemd/system/swarm-node.service
ADD rootfs/files/configs/usr/local/bin/swarm-node.sh ${OUTPUTDIR}/usr/local/bin/swarm-node.sh
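Review bot: style point on the two added lines, `ADD rootfs/files/scripts/prepare_swarm_db_config.py ${OUTPUTDIR}/usr/local/bin/prepare_swarm_db_config.py` and the following `chmod`: `${OUTPUTDIR}` is unquoted here while the `RUN ln -sf ...` line directly above quotes it. Quote it consistently; the file is the one `swarm-db.service` later runs as `ExecStartPre`, and the same quoting applies there. It is also worth confirming that a `python3` interpreter is present in the VM rootfs at the path the script's shebang expects, since the script runs on the host side of the VM rather than inside the LXC container.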
@@ -368,6 +381,13 @@ RUN chmod +x ${OUTPUTDIR}/etc/swarm-cloud/services/*/main.py
ADD rootfs/files/scripts/setup_runtime_tools.sh /buildroot/files/scripts/
RUN chmod +x /buildroot/files/scripts/setup_runtime_tools.sh
RUN --security=insecure /buildroot/files/scripts/setup_runtime_tools.sh

# install pki-sync-client npm package globally (requires python3-venv from setup_runtime_tools)
ARG PKI_SYNC_CLIENT_VERSION=2.0.6
ADD rootfs/files/scripts/install_sync_client.sh /buildroot/files/scripts/
RUN chmod +x /buildroot/files/scripts/install_sync_client.sh
RUN --security=insecure /buildroot/files/scripts/install_sync_client.sh "${PKI_SYNC_CLIENT_VERSION}"

# MongoDB (install official mongodb-org 7.0 via Jammy repository inside VM rootfs)
ADD rootfs/files/scripts/install_mongodb.sh /buildroot/files/scripts/
RUN --security=insecure bash /buildroot/files/scripts/install_mongodb.sh
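Review bot: the comment on this block says the pki-sync-client npm package "requires python3-venv from setup_runtime_tools", which is surprising for an npm install and should be explained in the comment (for example, whether a native module or a Python helper is built during installation), because the ordering constraint on `setup_runtime_tools.sh` is otherwise invisible to the next person who reorders these steps. Pinning through `ARG PKI_SYNC_CLIENT_VERSION=2.0.6` is good; since `install_sync_client.sh` is not part of this diff, please confirm it installs exactly that version rather than a range, and runs under `--security=insecure` only because of the rootfs chroot, not because of the package itself.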
2 changes: 1 addition & 1 deletion src/repos/swarm-db
10 changes: 7 additions & 3 deletions src/rootfs/files/configs/etc/systemd/system/swarm-db.service
@@ -1,7 +1,7 @@
[Unit]
Description=Swarm DB service
After=network-online.target local-fs.target
Wants=network-online.target
After=network-online.target local-fs.target pki-authority.service
Wants=network-online.target pki-authority.service
RequiresMountsFor=/var /var/lib /var/lib/swarm-db
ConditionPathExists=/usr/local/bin/swarm-db-linux-amd64
ConditionPathExists=/sp/swarm/node-db.yaml
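Review bot: the new ordering `After=network-online.target local-fs.target pki-authority.service` / `Wants=network-online.target pki-authority.service` targets the wrong unit for what swarm-db actually needs. The `ExecStartPre` added in the next hunk reads `/etc/swarm/swarm.key`, and per `secrets-config.yaml` in this PR that file is written by the sync client (`pki-authority-sync.service`), not by `pki-authority.service`. Order on `pki-authority-sync.service` (and consider `Requires=` if the key is mandatory), and add `ConditionPathExists=/etc/swarm/swarm.key` next to the existing conditions so a missing key produces a clear skip instead of a crash loop under `Restart=always`.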
@@ -10,7 +10,11 @@ ConditionPathExists=/sp/swarm/node-db.yaml
Type=simple
WorkingDirectory=/
ExecStartPre=mkdir -p /var/lib/swarm-db/data
ExecStart=/usr/local/bin/swarm-db-linux-amd64 -config /sp/swarm/node-db.yaml
ExecStartPre=/usr/local/bin/prepare_swarm_db_config.py \
--base-config /sp/swarm/node-db.yaml \
--key-file /etc/swarm/swarm.key \
--output-config /etc/swarm/swarm-db-config.yaml
ExecStart=/usr/local/bin/swarm-db-linux-amd64 -config /etc/swarm/swarm-db-config.yaml
StandardOutput=append:/var/log/swarm-db.log
StandardError=append:/var/log/swarm-db-err.log
Restart=always
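Review bot: `prepare_swarm_db_config.py --key-file /etc/swarm/swarm.key --output-config /etc/swarm/swarm-db-config.yaml` merges key material into a generated config, so the permissions of that output file matter: the unit runs as root with no `UMask=` set, and nothing in the diff shows the script creating the file with a restrictive mode. Either have the script open the output with mode 0600 (create, then write) or set `UMask=0077` in the `[Service]` section, and document in the unit why the config is regenerated on every start, since the `ExecStartPre` chain now runs before each restart.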
46 changes: 46 additions & 0 deletions src/rootfs/files/configs/pki-service/conf/lxc-swarm-template.yaml
@@ -0,0 +1,46 @@
api:
httpsPort: 443
httpPort: 80
enabledApis:
- secrets
- pki
pki:
allowedChallenges:
- token
- tdx
- sev-snp
validateParamRules:
- type: tdx
signatureVerification: github
- type: sev-snp
signatureVerification: github
tokenStorage:
storageType: file
storageFolder: /app/swarm-storage
ownDomain: ca-subroot.super-protocol.svc.cluster.local
ownChallenge:
type: tdx
certParams:
ocspUrl: ''
keyStorage:
type: trusted
storage:
type: super
keysPath: /app/keys
mode:
role: swarm
swarmMode: init
storage:
storageType: file
storageFolder: /app/swarm-storage
networkSettings:
networkType: trusted
secretsStorage:
static:
swarmKey: dummy-swarm-key
storage:
storageType: file
storageFolder: /app/swarm-storage
validationCaBundle:
type: pki

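Review bot: `swarmKey: dummy-swarm-key` under `secretsStorage.static` ships a literal placeholder in a template that is copied into the image as-is. If the init script is expected to replace it at container creation time, that contract should be stated in a comment in this file and the replacement should fail loudly if the placeholder is still present; if it is not replaced, the secrets storage would be keyed by a value anyone can read from the image. Two smaller points in the same hunk: `ownDomain: ca-subroot.super-protocol.svc.cluster.local` is a Kubernetes service DNS name and looks inherited from the k8s deployment rather than intended for an LXC container on a swarm node, and `ocspUrl: ''` silently disables OCSP in issued certificates, which deserves an explicit comment.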
12 changes: 12 additions & 0 deletions src/rootfs/files/configs/pki-service/conf/secrets-config.yaml
@@ -0,0 +1,12 @@
# PKI Sync Client - Secrets Configuration
secrets:
- secretName: basic_certificate
saveTo: /var/lib/lxc/pki-authority/rootfs/app/swarm-storage/basic_certificate
- secretName: basic_privateKey
saveTo: /var/lib/lxc/pki-authority/rootfs/app/swarm-storage/basic_privateKey
- secretName: lite_certificate
saveTo: /var/lib/lxc/pki-authority/rootfs/app/swarm-storage/lite_certificate
- secretName: lite_privateKey
saveTo: /var/lib/lxc/pki-authority/rootfs/app/swarm-storage/lite_privateKey
- secretName: swarmKey
saveTo: /etc/swarm/swarm.key
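Review bot: the `saveTo` entries for `basic_privateKey` and `lite_privateKey` write private keys straight into the container rootfs under `/var/lib/lxc/pki-authority/rootfs/app/swarm-storage/`, and `swarmKey` goes to `/etc/swarm/swarm.key` on the host; the file lists no ownership or mode per entry. Please confirm what mode the sync client uses when creating these files and, if it cannot be configured here, add the fix-up step (chmod 0600, correct owner for the container's app user) to `pki-authority-sync.service` so the keys are never world-readable on the host, even briefly. The container name `pki-authority` is also hard-coded in four paths; if it is derived from the Dockerfile's `/etc/super/containers/pki-authority` layout, a comment pointing there will keep the two in sync.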
100 changes: 0 additions & 100 deletions src/rootfs/files/configs/pki-service/create-and-configure-pki.sh

This file was deleted.
