Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
github.com/firecracker-microvm/firecracker-go-sdk
This package is a Go library to interact with the Firecracker API. It is designed as an abstraction of the OpenAPI-generated client that allows for convenient manipulation of Firecracker VM from Go programs.
There are some Firecracker features that are not yet supported by the SDK. These are tracked as GitHub issues with the firecracker-feature label . Contributions to address missing features are welcomed.
Please see HACKING
This library requires Go 1.11 and Go modules to build. A Makefile is provided
for convenience, but is not required. When using the Makefile, you can pass
additional flags to the Go compiler via the EXTRAGOARGS
make variable.
There's a firectl tool that provides a simple command-line interface to launching a firecracker VM. It also serves as an example client of this SDK.
Firecracker, by design, only supports Linux tap devices. The SDK provides facilities to:
If a VM is configured with a CNI-configured network interface, by default CNI configuration
files will be sought from /etc/cni/conf.d
and CNI plugins will be sought under
/opt/cni/bin
(both of these values can be overridden via API fields). CNI network lists
must be specified in a configuration file at this time.
It's currently highly recommended to use CNI configuration that includes tc-redirect-tap as a chained plugin. This will allow you to adapt pre-existing CNI plugins/configuration to a tap device usable by a Firecracker VM.
With the following file at /etc/cni/conf.d/fcnet.conflist
:
{
"name": "fcnet",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "ptp",
"ipMasq": true,
"ipam": {
"type": "host-local",
"subnet": "192.168.127.0/24",
"resolvConf": "/etc/resolv.conf"
}
},
{
"type": "firewall"
},
{
"type": "tc-redirect-tap"
}
]
}
and the
ptp
,
host-local
,
firewall
,
and tc-redirect-tap
CNI plugin binaries installed under /opt/cni/bin
, you can specify,
in the Go SDK API, a Machine
with the following NetworkInterface
:
{
NetworkInterfaces: []firecracker.NetworkInterface{{
CNIConfiguration: &firecracker.CNIConfiguration{
NetworkName: "fcnet",
IfName: "veth0",
},
}}
}
Note that NetworkName
in the CNIConfiguration
of the API matches the name
field
specified inside the /etc/cni/conf.d/fcnet.conflist
file.
With the above configuration, when the Firecracker VM is started the SDK will invoke CNI and place the final VM inside the resultant network namespace. The end result being:
ptp
plugin will
exist with a static IP from the host-local
plugin (i.e. 192.168.127.1
)
StaticConfiguration
field, which will be automatically filled out after the machine has been started.NetworkInterfaces[0].StaticConfiguration.IPConfiguration.IPAddr
after a call to the
machine object's Start
method succeeds.veth0
, as specified by the
IfName
parameter above, and a different IP (i.e. 192.168.127.2
)tc-redirect-tap
, which will not have an IP but will have
all of its traffic mirrored with the veth0
deviceveth0
(i.e. 192.168.127.2
)veth0
device,
so from a practical perspective the VM's internal network interface will externally
appear the same as veth0
Note that the ptp
and host-local
plugins are not required, they are just used in this
example. The tc-redirect-tap
plugin can be chained after any CNI plugin that creates a
network interface. It will setup the tap device to be mirrored with the IfName
device
created by any previous plugin. Any IP configuration on that IfName
device will be
applied statically to the VM's internal network interface on boot.
Also note that use of CNI-configured network interfaces will require the SDK to be running with at least
CAP_SYS_ADMIN
and CAP_NET_ADMIN
Linux capabilities (in order to have the
ability to create and configure network namespaces).
These limitations are a result of the current implementation and may be lifted in the future:
/etc/resolv.conf
be a symlink to /proc/net/pnp
.Please use GitHub issues to report problems, discuss roadmap items, or make feature requests.
If you've discovered an issue that may have security implications to users or developers of this software, please do not report it using GitHub issues, but instead follow Firecracker's security reporting guidelines.
Other discussion: For general discussion, please join us in the
#general
channel on the Firecracker Slack.
This library is licensed under the Apache 2.0 License.
FAQs
Unknown package
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.