Merge pull request #151 from mudler/bumps

bumps, support unlimited limiter, exposes limit-enable

.github/workflows/build.yml

@@ -14,7 +14,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: 1.19
+          go-version: 1.21
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:

.github/workflows/release.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: 1.19
+          go-version: 1.21
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:

.github/workflows/test.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: 1.19
+          go-version: 1.21
       
       - name: Build
         run:
@@ -50,7 +50,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: 1.19
+          go-version: 1.21
       - name: Download result for build
         uses: actions/download-artifact@v3
         with:

Dockerfile

@@ -2,7 +2,7 @@
 ARG LDFLAGS=-s -w
 
 # Use a temporary build image based on Golang 1.20-alpine
-FROM golang:1.20-alpine as builder
+FROM golang:1.21-alpine as builder
 
 # Set environment variables: linker flags and disable CGO
 ENV LDFLAGS=$LDFLAGS CGO_ENABLED=0

cmd/util.go

@@ -178,11 +178,6 @@ var CommonFlags []cli.Flag = []cli.Flag{
 		Usage:  "Enable low profile. Lowers connections usage",
 		EnvVar: "EDGEVPNLOWPROFILE",
 	},
-	&cli.BoolFlag{
-		Name:   "mplex-multiplexer",
-		Usage:  "Enable mplex multiplexer.",
-		EnvVar: "EDGEVPNMPLEX",
-	},
 	&cli.IntFlag{
 		Name:   "aliveness-healthcheck-interval",
 		Usage:  "Healthcheck interval",
@@ -218,6 +213,18 @@ var CommonFlags []cli.Flag = []cli.Flag{
 		Usage:  "List of discovery peers to use",
 		EnvVar: "EDGEVPNBOOTSTRAPPEERS",
 	},
+	&cli.IntFlag{
+		Name:   "connection-high-water",
+		Usage:  "max number of connection allowed",
+		EnvVar: "EDGEVPN_CONNECTION_HIGH_WATER",
+		Value:  0,
+	},
+	&cli.IntFlag{
+		Name:   "connection-low-water",
+		Usage:  "low number of connection allowed",
+		EnvVar: "EDGEVPN_CONNECTION_LOW_WATER",
+		Value:  0,
+	},
 	&cli.StringSliceFlag{
 		Name:   "autorelay-static-peer",
 		Usage:  "List of autorelay static peers to use",
@@ -233,6 +240,11 @@ var CommonFlags []cli.Flag = []cli.Flag{
 		Usage:  "Specify an edgevpn token in place of a config file",
 		EnvVar: "EDGEVPNTOKEN",
 	},
+	&cli.BoolFlag{
+		Name:   "limit-enable",
+		Usage:  "Enable resource management",
+		EnvVar: "LIMITENABLE",
+	},
 	&cli.StringFlag{
 		Name:   "limit-file",
 		Usage:  "Specify a resource limit config (json)",
@@ -244,11 +256,6 @@ var CommonFlags []cli.Flag = []cli.Flag{
 		EnvVar: "LIMITSCOPE",
 		Value:  "system",
 	},
-	&cli.BoolFlag{
-		Name:   "resource-limit",
-		Usage:  "Enable resource manager. (Experimental) All options prefixed with limit requires resource manager to be enabled",
-		EnvVar: "LIMITENABLE",
-	},
 	&cli.IntFlag{
 		Name:   "limit-config-streams",
 		Usage:  "Streams resource limit configuration",
@@ -429,10 +436,11 @@ func cliToOpts(c *cli.Context) ([]node.Option, []vpn.Option, *logger.Logger) {
 			AutoRelay:                  c.Bool("autorelay"),
 			MaxConnections:             c.Int("max-connections"),
 			HolePunch:                  c.Bool("holepunch"),
-			Mplex:                      c.Bool("mplex-multiplexer"),
 			StaticRelays:               c.StringSlice("autorelay-static-peer"),
 			AutoRelayDiscoveryInterval: autorelayInterval,
 			OnlyStaticRelays:           c.Bool("autorelay-static-only"),
+			HighWater:                  c.Int("connection-high-water"),
+			LowWater:                   c.Int("connection-low-water"),
 		},
 		Limit: config.ResourceLimit{
 			Enable:      c.Bool("limit-enable"),

go.mod

@@ -10,30 +10,27 @@ require (
 	github.com/creachadair/otp v0.4.0
 	github.com/google/gopacket v1.1.19
 	github.com/hashicorp/golang-lru v0.5.4
-	github.com/hashicorp/golang-lru/v2 v2.0.4
 	github.com/ipfs/go-log v1.0.5
 	github.com/ipfs/go-log/v2 v2.5.1
 	github.com/labstack/echo/v4 v4.10.2
-	github.com/libp2p/go-libp2p v0.28.2
+	github.com/libp2p/go-libp2p v0.31.0
 	github.com/libp2p/go-libp2p-kad-dht v0.24.2
 	github.com/libp2p/go-libp2p-pubsub v0.9.3
-	github.com/miekg/dns v1.1.54
+	github.com/miekg/dns v1.1.55
 	github.com/mudler/go-processmanager v0.0.0-20230818213616-f204007f963c
 	github.com/mudler/water v0.0.0-20221010214108-8c7313014ce0
-	github.com/multiformats/go-multiaddr v0.9.0
+	github.com/multiformats/go-multiaddr v0.11.0
 	github.com/onsi/ginkgo/v2 v2.13.0
 	github.com/onsi/gomega v1.27.10
 	github.com/peterbourgon/diskv v2.0.1+incompatible
 	github.com/pkg/errors v0.9.1
 	github.com/songgao/packets v0.0.0-20160404182456-549a10cd4091
 	github.com/urfave/cli v1.22.14
-	github.com/urfave/cli/v2 v2.25.7
 	github.com/vishvananda/netlink v1.1.0
-	go.uber.org/zap v1.24.0
+	go.uber.org/zap v1.25.0
 	golang.org/x/sys v0.12.0
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
@@ -48,7 +45,6 @@ require (
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/elastic/gosigar v0.14.2 // indirect
-	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/flynn/noise v1.0.0 // indirect
 	github.com/francoispqt/gojay v1.2.13 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
@@ -61,25 +57,23 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/btree v1.1.2 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
-	github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 // indirect
+	github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/golang-lru/v2 v2.0.5 // indirect
 	github.com/huandu/xstrings v1.3.3 // indirect
 	github.com/huin/goupnp v1.2.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/ipfs/boxo v0.10.0 // indirect
 	github.com/ipfs/go-cid v0.4.1 // indirect
 	github.com/ipfs/go-datastore v0.6.0 // indirect
-	github.com/ipfs/go-ipfs-util v0.0.2 // indirect
-	github.com/ipfs/go-ipns v0.3.0 // indirect
 	github.com/ipld/go-ipld-prime v0.20.0 // indirect
 	github.com/jackpal/go-nat-pmp v1.0.2 // indirect
 	github.com/jbenet/go-temp-err-catcher v0.1.0 // indirect
 	github.com/jbenet/goprocess v0.1.4 // indirect
-	github.com/jtolds/gls v4.20.0+incompatible // indirect
-	github.com/klauspost/compress v1.16.5 // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/koron/go-ssdp v0.0.4 // indirect
 	github.com/labstack/gommon v0.4.0 // indirect
@@ -89,12 +83,11 @@ require (
 	github.com/libp2p/go-libp2p-asn-util v0.3.0 // indirect
 	github.com/libp2p/go-libp2p-kbucket v0.6.3 // indirect
 	github.com/libp2p/go-libp2p-record v0.2.0 // indirect
-	github.com/libp2p/go-mplex v0.7.0 // indirect
 	github.com/libp2p/go-msgio v0.3.0 // indirect
 	github.com/libp2p/go-nat v0.2.0 // indirect
 	github.com/libp2p/go-netroute v0.2.1 // indirect
-	github.com/libp2p/go-reuseport v0.3.0 // indirect
-	github.com/libp2p/go-yamux/v4 v4.0.0 // indirect
+	github.com/libp2p/go-reuseport v0.4.0 // indirect
+	github.com/libp2p/go-yamux/v4 v4.0.1 // indirect
 	github.com/libp2p/zeroconf/v2 v2.2.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/marten-seemann/tcp v0.0.0-20210406111302-dfbc87cc63fd // indirect
@@ -116,7 +109,7 @@ require (
 	github.com/multiformats/go-multihash v0.2.3 // indirect
 	github.com/multiformats/go-multistream v0.4.1 // indirect
 	github.com/multiformats/go-varint v0.0.7 // indirect
-	github.com/opencontainers/runtime-spec v1.0.2 // indirect
+	github.com/opencontainers/runtime-spec v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
 	github.com/polydawn/refmt v0.89.0 // indirect
@@ -126,9 +119,8 @@ require (
 	github.com/prometheus/common v0.42.0 // indirect
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-19 v0.3.3 // indirect
-	github.com/quic-go/qtls-go1-20 v0.2.3 // indirect
-	github.com/quic-go/quic-go v0.33.0 // indirect
+	github.com/quic-go/qtls-go1-20 v0.3.3 // indirect
+	github.com/quic-go/quic-go v0.38.1 // indirect
 	github.com/quic-go/webtransport-go v0.5.3 // indirect
 	github.com/raulk/go-watchdog v1.3.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -149,23 +141,22 @@ require (
 	go.opentelemetry.io/otel v1.16.0 // indirect
 	go.opentelemetry.io/otel/metric v1.16.0 // indirect
 	go.opentelemetry.io/otel/trace v1.16.0 // indirect
-	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/dig v1.17.0 // indirect
-	go.uber.org/fx v1.19.2 // indirect
+	go.uber.org/fx v1.20.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.12.0 // indirect
-	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
+	golang.org/x/exp v0.0.0-20230817173708-d852ddb80c63 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/net v0.14.0 // indirect
 	golang.org/x/sync v0.3.0 // indirect
 	golang.org/x/text v0.12.0 // indirect
-	golang.org/x/tools v0.12.0 // indirect
+	golang.org/x/tools v0.12.1-0.20230815132531-74c255bcf846 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20220703234212-c31a7b1ab478 // indirect
 	gonum.org/v1/gonum v0.13.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/blake3 v1.2.1 // indirect
-	nhooyr.io/websocket v1.8.7 // indirect
 )
 
 replace github.com/elastic/gosigar => github.com/mudler/gosigar v0.14.3-0.20220502202347-34be910bdaaf

pkg/config/config.go

@@ -28,8 +28,6 @@ import (
 	"github.com/libp2p/go-libp2p/core/peer"
 	"github.com/libp2p/go-libp2p/p2p/host/autorelay"
 	rcmgr "github.com/libp2p/go-libp2p/p2p/host/resource-manager"
-	mplex "github.com/libp2p/go-libp2p/p2p/muxer/mplex"
-	yamux "github.com/libp2p/go-libp2p/p2p/muxer/yamux"
 	connmanager "github.com/libp2p/go-libp2p/p2p/net/connmgr"
 	"github.com/mudler/edgevpn/pkg/blockchain"
 	"github.com/mudler/edgevpn/pkg/crypto"
@@ -118,8 +116,10 @@ type Connection struct {
 
 	PeerTable map[string]peer.ID
 
-	Mplex          bool
 	MaxConnections int
+
+	LowWater  int
+	HighWater int
 }
 
 // NAT is the structure relative to NAT configuration settings
@@ -162,6 +162,8 @@ func peers2AddrInfo(peers []string) []peer.AddrInfo {
 	return addrsList
 }
 
+var infiniteResourceLimits = rcmgr.InfiniteLimits.ToPartialLimitConfig().System
+
 // ToOpts returns node and vpn options from a configuration
 func (c Config) ToOpts(l *logger.Logger) ([]node.Option, []vpn.Option, error) {
 
@@ -261,14 +263,6 @@ func (c Config) ToOpts(l *logger.Logger) ([]node.Option, []vpn.Option, error) {
 			libp2p.EnableAutoRelay(relayOpts...))
 	}
 
-	if c.Connection.Mplex {
-		libp2pOpts = append(libp2pOpts,
-			libp2p.ChainOptions(
-				libp2p.Muxer("/yamux/1.0.0", yamux.DefaultTransport),
-				libp2p.Muxer("/mplex/6.7.0", mplex.DefaultTransport),
-			))
-	}
-
 	if c.NAT.RateLimit {
 		libp2pOpts = append(libp2pOpts, libp2p.AutoNATServiceRateLimit(
 			c.NAT.RateLimitGlobal,
@@ -277,10 +271,21 @@ func (c Config) ToOpts(l *logger.Logger) ([]node.Option, []vpn.Option, error) {
 		))
 	}
 
-	if c.Connection.MaxConnections != 0 {
+	if c.Connection.LowWater != 0 && c.Connection.HighWater != 0 {
+		cm, err := connmanager.NewConnManager(
+			c.Connection.LowWater,
+			c.Connection.HighWater,
+			connmanager.WithGracePeriod(80*time.Second),
+		)
+		if err != nil {
+			llger.Fatal("could not create connection manager")
+		}
+
+		libp2pOpts = append(libp2pOpts, libp2p.ConnectionManager(cm))
+	} else {
 		cm, err := connmanager.NewConnManager(
-			1,
-			c.Connection.MaxConnections,
+			9999999999,
+			9999999999,
 			connmanager.WithGracePeriod(80*time.Second),
 		)
 		if err != nil {
@@ -291,8 +296,11 @@ func (c Config) ToOpts(l *logger.Logger) ([]node.Option, []vpn.Option, error) {
 	}
 
 	if !c.Limit.Enable || runtime.GOOS == "darwin" {
+		llger.Info("go-libp2p resource manager protection disabled")
 		libp2pOpts = append(libp2pOpts, libp2p.ResourceManager(&network.NullResourceManager{}))
 	} else {
+		llger.Info("go-libp2p resource manager protection enabled")
+
 		var limiter rcmgr.Limiter
 
 		if c.Limit.FileLimit != "" {
@@ -308,6 +316,91 @@ func (c Config) ToOpts(l *logger.Logger) ([]node.Option, []vpn.Option, error) {
 			}
 
 			limiter = l
+		} else if c.Limit.MaxConns == -1 {
+			llger.Infof("max connections: unlimited")
+
+			scalingLimits := rcmgr.DefaultLimits
+
+			// Add limits around included libp2p protocols
+			libp2p.SetDefaultServiceLimits(&scalingLimits)
+
+			// Turn the scaling limits into a concrete set of limits using `.AutoScale`. This
+			// scales the limits proportional to your system memory.
+			scaledDefaultLimits := scalingLimits.AutoScale()
+
+			// Tweak certain settings
+			cfg := rcmgr.PartialLimitConfig{
+				System: rcmgr.ResourceLimits{
+					Memory: rcmgr.Unlimited64,
+					FD:     rcmgr.Unlimited,
+
+					Conns:         rcmgr.Unlimited,
+					ConnsInbound:  rcmgr.Unlimited,
+					ConnsOutbound: rcmgr.Unlimited,
+
+					Streams:         rcmgr.Unlimited,
+					StreamsOutbound: rcmgr.Unlimited,
+					StreamsInbound:  rcmgr.Unlimited,
+				},
+
+				// Transient connections won't cause any memory to be accounted for by the resource manager/accountant.
+				// Only established connections do.
+				// As a result, we can't rely on System.Memory to protect us from a bunch of transient connection being opened.
+				// We limit the same values as the System scope, but only allow the Transient scope to take 25% of what is allowed for the System scope.
+				Transient: rcmgr.ResourceLimits{
+					Memory:        rcmgr.Unlimited64,
+					FD:            rcmgr.Unlimited,
+					Conns:         rcmgr.Unlimited,
+					ConnsInbound:  rcmgr.Unlimited,
+					ConnsOutbound: rcmgr.Unlimited,
+
+					Streams:         rcmgr.Unlimited,
+					StreamsInbound:  rcmgr.Unlimited,
+					StreamsOutbound: rcmgr.Unlimited,
+				},
+
+				// Lets get out of the way of the allow list functionality.
+				// If someone specified "Swarm.ResourceMgr.Allowlist" we should let it go through.
+				AllowlistedSystem: infiniteResourceLimits,
+
+				AllowlistedTransient: infiniteResourceLimits,
+
+				// Keep it simple by not having Service, ServicePeer, Protocol, ProtocolPeer, Conn, or Stream limits.
+				ServiceDefault: infiniteResourceLimits,
+
+				ServicePeerDefault: infiniteResourceLimits,
+
+				ProtocolDefault: infiniteResourceLimits,
+
+				ProtocolPeerDefault: infiniteResourceLimits,
+
+				Conn: infiniteResourceLimits,
+
+				Stream: infiniteResourceLimits,
+
+				// Limit the resources consumed by a peer.
+				// This doesn't protect us against intentional DoS attacks since an attacker can easily spin up multiple peers.
+				// We specify this limit against unintentional DoS attacks (e.g., a peer has a bug and is sending too much traffic intentionally).
+				// In that case we want to keep that peer's resource consumption contained.
+				// To keep this simple, we only constrain inbound connections and streams.
+				PeerDefault: rcmgr.ResourceLimits{
+					Memory:          rcmgr.Unlimited64,
+					FD:              rcmgr.Unlimited,
+					Conns:           rcmgr.Unlimited,
+					ConnsInbound:    rcmgr.DefaultLimit,
+					ConnsOutbound:   rcmgr.Unlimited,
+					Streams:         rcmgr.Unlimited,
+					StreamsInbound:  rcmgr.DefaultLimit,
+					StreamsOutbound: rcmgr.Unlimited,
+				},
+			}
+
+			// Create our limits by using our cfg and replacing the default values with values from `scaledDefaultLimits`
+			limits := cfg.Build(scaledDefaultLimits)
+
+			// The resource manager expects a limiter, se we create one from our limits.
+			limiter = rcmgr.NewFixedLimiter(limits)
+
 		} else if c.Limit.MaxConns != 0 {
 			min := int64(1 << 30)
 			max := int64(4 << 30)
@@ -320,9 +413,12 @@ func (c Config) ToOpts(l *logger.Logger) ([]node.Option, []vpn.Option, error) {
 			maxconns := int(c.Limit.MaxConns)
 
 			defaultLimits := rcmgr.DefaultLimits.Scale(min+max/2, logScale(2*maxconns))
+			llger.Infof("max connections: %d", c.Limit.MaxConns)
 
 			limiter = rcmgr.NewFixedLimiter(defaultLimits)
 		} else {
+			llger.Infof("max connections: defaults limits")
+
 			defaults := rcmgr.DefaultLimits
 			def := &defaults