Milestone 3a: Service discovery (host + Incus) #28
Merged
Decode HTTP/1.1 chunked transfer-encoding for both the one-shot instances response and the long-lived event stream. Preserve IO error kind by using the #[from] impl directly instead of wrapping errors.
Expand blackwall-discovery::host unit tests to cover IPv4/IPv6 parse paths, UDP UNCONN filtering, short-line skipping, and all error branches (bad port, bad local address format, bad hex, bad IPv6 length/word). host.rs coverage rises from 67% to 100%. Document M3a service-discovery additions in CHANGELOG.md: host-socket scanner, Incus instance/event/client modules, and policy reconciler auto-opening Incus-opted ports via blackwalld run.
Remove unused serde direct dep from blackwall-discovery. Parse errors from the Incus event stream now emit a warning and continue rather than terminating discovery; I/O errors still break the loop. Document that AllowRule is not address-scoped so audit-log readers understand tenant-wide port effects.
Milestone 3a — Discovery (host sockets + Incus)
Automatically discovers services the operator runs and reconciles them into the effective firewall policy, so ports open (and close) without editing the config file. First slice of epic #3 (shaping → M3b, flux/DNS → M3c).
New
- blackwall-discovery crate: `reconcile(base, &[DiscoveredService]) -> Policy` — merges discovered services into the effective policy by appending an allow rule to the owning tenant (or a synthetic `discovered` tenant for unowned-but-in-prefix addresses); skips out-of-prefix and duplicate services; the result always stays `resolve()`-valid.
- `/proc/net/{tcp,tcp6,udp,udp6}` parser (listening sockets only) + a thin reader.
- Incus instance and event modules: instances (name, addresses, the `user.blackwall.ports` opt-in key) and lifecycle events (started/stopped/shutdown/updated), all pure + fixture-tested.
- `IncusClient` trait + a tested mock + a thin `UnixIncusClient` speaking HTTP/1.1 (with chunked transfer-decoding) over the Incus unix socket.
- `blackwalld run` wiring (`--discover-host`; Incus via `--incus-socket`, default `/var/lib/incus/unix.socket`), applies the effective policy (`apply_policy` + `nft::apply`), and a detached Incus event task that rebuilds the full set and re-applies on each lifecycle event — so a stopped instance's ports disappear. The Incus task is detached so an Incus disconnect can never take down the deception engine; Incus is optional (warn + continue).

Quality

- `--deny warnings` + rustfmt clean.

Tracked follow-ups

- `apply_effective` DB/kernel atomicity + Incus reconnect/retry.

Part of #3.
Closes #29.
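As an added example (not the project's code), a minimal Rust parser for the `/proc/net/{tcp,tcp6,udp,udp6}` listener scan described above, covering the paths the host unit tests name: IPv4 and IPv6 hex decoding, state filtering (TCP LISTEN / UDP UNCONN), short-line skipping, and the bad-port, bad-local-address, bad-hex and bad-length error branches. The type and constant names, error variants and sample lines are constructed here, and the byte-order handling assumes a little-endian host.

```rust
// Added example (not the project's code): parse /proc/net/{tcp,tcp6,udp,udp6} and keep only
// listening sockets. Assumes a little-endian host, where each 32-bit hex word of the kernel's
// address field reads back with its bytes reversed (0100007F -> 127.0.0.1).
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr};

#[derive(Debug, PartialEq)]
pub enum ParseError { BadPort(String), BadLocalAddr(String), BadHex(String), BadLen(usize) }
pub const TCP_LISTEN: &str = "0A"; // `st` column of a TCP socket in LISTEN
pub const UDP_UNCONN: &str = "07"; // `st` column of a bound, unconnected UDP socket

/// Decode the hex local/remote address field: 8 hex digits (IPv4) or 32 (IPv6).
pub fn parse_ip(hex: &str) -> Result<IpAddr, ParseError> {
    let word = |s: &str| u32::from_str_radix(s, 16).map_err(|_| ParseError::BadHex(hex.to_string()));
    match hex.len() {
        8 => Ok(IpAddr::V4(Ipv4Addr::from(word(hex)?.to_le_bytes()))),
        32 => {
            let mut b = [0u8; 16];
            for (i, chunk) in hex.as_bytes().chunks(8).enumerate() {
                let s = std::str::from_utf8(chunk).map_err(|_| ParseError::BadHex(hex.to_string()))?;
                b[i * 4..i * 4 + 4].copy_from_slice(&word(s)?.to_le_bytes());
            }
            Ok(IpAddr::V6(Ipv6Addr::from(b)))
        }
        n => Err(ParseError::BadLen(n)),
    }
}

/// Return the local addresses in `contents` whose `st` column equals `wanted`.
/// Short lines are skipped; a malformed address or port on a kept line is an error.
pub fn parse_listeners(contents: &str, wanted: &str) -> Result<Vec<SocketAddr>, ParseError> {
    let mut out = Vec::new();
    for line in contents.lines().skip(1) { // the first line is the column header
        let f: Vec<&str> = line.split_whitespace().collect();
        if f.len() < 4 || f[3] != wanted { continue; } // too short, or not a listener
        let (ip_hex, port_hex) = f[1].split_once(':').filter(|(_, p)| !p.contains(':'))
            .ok_or_else(|| ParseError::BadLocalAddr(f[1].to_string()))?;
        let port = u16::from_str_radix(port_hex, 16).map_err(|_| ParseError::BadPort(port_hex.to_string()))?;
        out.push(SocketAddr::new(parse_ip(ip_hex)?, port));
    }
    Ok(out)
}

/// Constructed sample: one listener on 127.0.0.1:631, one established connection, one truncated line.
pub const SAMPLE_TCP: &str = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0100007F:A1B2 0100007F:0277 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1
   2: 0100007F";
/// Constructed sample: an IPv6 listener on [::1]:22.
pub const SAMPLE_TCP6: &str = "  sl  local_address                         remote_address                        st
   0: 00000000000000000000000001000000:0016 00000000000000000000000000000000:0000 0A";
```

Feeding the real `/proc/net/tcp` contents with `TCP_LISTEN` (or `/proc/net/udp` with `UDP_UNCONN`) yields the set of listening sockets a reconciler would turn into allow rules.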