Add dockerfile to the runtime tools (#2730)

* Add docker file to the runtime tools

* fixes

* bug fixes

* more bug fixes and added doc

* don;t overwrite the RUST_LOG env var

* integration test for unmanaged nodes

* add unamanged parameters to launch()

* add ing object_id

* more bug fixes

* bug fixes

* chmod on the linux files in docker

* format

* revert changes in  integration tests

* Apply suggestions from code review

Co-authored-by: Marc Greisen <mgreisen@microsoft.com>

* format and bug fix

* fix condition

---------

Co-authored-by: Marc Greisen <mgreisen@microsoft.com>

docs/unmnaged-nodes.md

@@ -68,6 +68,16 @@ Run the agent with the following command. If you need more nodes use a different
 onefuzz-agent run --machine_id <machine_guid> -c <path_to_config_file> --reset_lock
 ```
 
+Alternatively, the agent folder contains a Dockerfile which provide the configuration of a docker container.
+you can use it by first building the container
+```cmd
+docker build --t <container_name> .
+```
+Then start the agent inside the container
+```cmd
+docker run  <container_name> --machine_id <machine_id> --reset_lock
+```
+
 ### Verify that the agent is registered to OneFuzz
 
 Using the OneFuzz CLI run the following command:

src/ApiService/ApiService/onefuzzlib/Config.cs

@@ -320,6 +320,10 @@ public class Config : IConfig {
             return ResultVoid<TaskConfigError>.Error(new TaskConfigError($"invalid pool: {config.Pool.PoolName}"));
         }
 
+        if ((config.Task.RebootAfterSetup ?? false) && !pool.OkV.Managed) {
+            return ResultVoid<TaskConfigError>.Error(new TaskConfigError("reboot_after_setup is not supported for unmanaged pools"));
+        }
+
         var checkTarget = await CheckTargetExe(config, definition);
         if (!checkTarget.IsOk) {
             return checkTarget;

src/runtime-tools/linux/.dockerignore

@@ -0,0 +1 @@
+Dockerfile

src/runtime-tools/linux/Dockerfile

@@ -0,0 +1,20 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+FROM mcr.microsoft.com/oss/mirror/docker.io/library/ubuntu:20.04
+# creating a dummy sudo command to allow the setup script to run
+RUN echo "#!/bin/bash\n\$@" > /usr/bin/sudo && chmod +x /usr/bin/sudo
+RUN mkdir /onefuzz
+COPY . /onefuzz
+RUN chmod +x /onefuzz/setup.sh
+RUN chmod +x /onefuzz/tools/linux/run.sh
+RUN export DEBIAN_FRONTEND=noninteractive && export DOCKER_BUILD=1 && cd /onefuzz && ./setup.sh
+RUN export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -y install --no-install-recommends \
+    libunwind-dev build-essential libssl-dev \
+    pkg-config lldb ca-certificates
+RUN mkdir -p /onefuzz/tools/linux \
+    && mv /onefuzz/downloaded/* /onefuzz/tools/linux
+WORKDIR /onefuzz
+
+ENTRYPOINT ["./tools/linux/run.sh"]

src/runtime-tools/linux/run.sh

@@ -9,17 +9,29 @@ export DOTNET_ROOT=/onefuzz/tools/dotnet
 export ONEFUZZ_TOOLS=/onefuzz/tools
 export ONEFUZZ_ROOT=/onefuzz
 export RUST_BACKTRACE=full
-export RUST_LOG=info
+export RUST_LOG="${RUST_LOG:=info}"
 export LLVM_SYMBOLIZER_PATH=/onefuzz/bin/llvm-symbolizer
 
 logger "onefuzz: starting up onefuzz"
 
-# use core files, not external crash handler
-echo core | sudo tee /proc/sys/kernel/core_pattern
-# disable ASLR
-echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
-# set core dumping to default behavior
-echo 1 | sudo tee /proc/sys/fs/suid_dumpable
+#check if we are running in docker
+if [ -f /.dockerenv ]; then
+    echo "Running in docker:
+    to optimize the experience make sure the host os is setup properly. with the following command
+    # use core files, not external crash handler
+    echo core | sudo tee /proc/sys/kernel/core_pattern
+    # disable ASLR
+    echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
+    # set core dumping to default behavior
+    echo 1 | sudo tee /proc/sys/fs/suid_dumpable"
+else
+    # use core files, not external crash handler
+    echo core | sudo tee /proc/sys/kernel/core_pattern
+    # disable ASLR
+    echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
+    # set core dumping to default behavior
+    echo 1 | sudo tee /proc/sys/fs/suid_dumpable
+fi
 
 cd /onefuzz
 MODE=$(cat /onefuzz/etc/mode)
@@ -32,7 +44,11 @@ case ${MODE} in
     "fuzz")
         logger "onefuzz: starting fuzzing"
         echo fuzzing
-        onefuzz-agent run --config /onefuzz/config.json --redirect-output /onefuzz/logs/
+        if [ -f /.dockerenv ]; then
+            onefuzz-agent run --config /onefuzz/config.json "$@"
+        else
+            onefuzz-agent run --config /onefuzz/config.json --redirect-output /onefuzz/logs/
+        fi
     ;;
     "repro")
         logger "onefuzz: starting repro"
@@ -40,5 +56,5 @@ case ${MODE} in
         export ASAN_OPTIONS=abort_on_error=1
         repro.sh
     ;;
-    *) logger "onefuzz: unknown command $1"; exit 1 ;;
+    *) logger "onefuzz: unknown command $MODE"; exit 1 ;;
 esac

src/runtime-tools/linux/setup.sh

@@ -110,7 +110,7 @@ fi
 chmod -R a+rx /onefuzz/tools/linux
 
 if type apt > /dev/null 2> /dev/null; then
-    
+
     # Install updated Microsoft Open Management Infrastructure - github.com/microsoft/omi
     curl -sSL https://packages.microsoft.com/keys/microsoft.asc | sudo tee /etc/apt/trusted.gpg.d/microsoft.asc 2>&1 | logger -s -i -t 'onefuzz-OMI-add-MS-repo-key'
     sudo apt-add-repository https://packages.microsoft.com/ubuntu/20.04/prod 2>&1 | logger -s -i -t 'onefuzz-OMI-add-MS-repo'
@@ -159,7 +159,9 @@ if type apt > /dev/null 2> /dev/null; then
     popd
 fi
 
-if [ -d /etc/systemd/system ]; then
+if  [ -v DOCKER_BUILD ]; then
+    echo "building for docker"
+elif [ -d /etc/systemd/system ]; then
     logger "onefuzz: setting up systemd"
     sudo chmod 644 /onefuzz/tools/linux/onefuzz.service
     sudo chown root /onefuzz/tools/linux/onefuzz.service

src/runtime-tools/win64/.dockerignore

@@ -0,0 +1 @@
+Dockerfile

src/runtime-tools/win64/Dockerfile

@@ -0,0 +1,18 @@
+# escape=`
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+FROM mcr.microsoft.com/windows:ltsc2019 as base_onefuzz
+
+SHELL ["powershell.exe", "-ExecutionPolicy", "Unrestricted", "-Command"]
+
+RUN dir
+
+COPY . c:\onefuzz\tools\win64\
+COPY . c:\downloads\
+RUN New-LocalUser -Name 'onefuzz' -Description 'onefuzz account' -NoPassword
+RUN cd c:\downloads; & .\setup.ps1 -docker
+
+WORKDIR "c:\onefuzz"
+
+ENTRYPOINT & .\onefuzz-run.ps1 -docker

src/runtime-tools/win64/onefuzz-run.ps1

@@ -1,6 +1,11 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 
+param([switch]$docker,
+    [Parameter(Position = 0, ValueFromRemainingArguments = $true)]
+    [string] $onefuzzArgs=""
+)
+
 $env:RUST_BACKTRACE = "full"
 
 Start-Transcript -Append -Path c:\onefuzz-run.log
@@ -18,16 +23,30 @@ log "onefuzz: starting"
 
 
 Set-Location C:\onefuzz
-Enable-SSH
+if (!$docker){
+    Enable-SSH
+}
 $config = Get-OnefuzzConfig
 
 while ($true) {
     switch ($config.mode) {
         "fuzz" {
             log "onefuzz: fuzzing"
-            $arglist = "run --config config.json --redirect-output c:\onefuzz\logs\"
 
-            Start-Process "c:\onefuzz\tools\win64\onefuzz-agent.exe" -ArgumentList $arglist -WindowStyle Hidden -Wait
+            if ($docker){
+                $arglist = "run --config config.json $onefuzzArgs"
+                try{
+                    Invoke-Expression "c:\onefuzz\tools\win64\onefuzz-agent.exe $arglist"
+                } catch {
+                    "Error while running onefuzz agent"
+                }
+            }
+            else {
+                $arglist = "run --config config.json --redirect-output c:\onefuzz\logs\"
+                Start-Process "c:\onefuzz\tools\win64\onefuzz-agent.exe" -ArgumentList $arglist -WindowStyle Hidden -Wait
+            }
+
+
         }
         "repro" {
             log "onefuzz: starting repro"

src/runtime-tools/win64/onefuzz.ps1

@@ -5,7 +5,9 @@ $env:Path += ";C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\;C:\onefuzz\
 $env:ONEFUZZ_ROOT = "C:\onefuzz"
 $env:ONEFUZZ_TOOLS = "C:\onefuzz\tools"
 $env:LLVM_SYMBOLIZER_PATH = "C:\Program Files\LLVM\bin\llvm-symbolizer.exe"
-$env:RUST_LOG = "info"
+if (!$env:RUST_LOG){
+  $env:RUST_LOG = "info"
+}
 $env:DOTNET_VERSIONS = "7.0.100;6.0.403"
 # Set a session and machine scoped env var
 $env:DOTNET_ROOT = "c:\onefuzz\tools\dotnet"
@@ -118,7 +120,7 @@ function Enable-SSHTrafic {
 
 function Install-OnBoot {
   log "adding onboot: starting"
-  schtasks /create /sc onstart /tn onefuzz /tr "powershell.exe -ExecutionPolicy Unrestricted -File c:\onefuzz\tools\win64\onefuzz-run.ps1 -WindowStyle Hidden" /ru SYSTEM
+  schtasks /create /sc onstart /tn onefuzz /tr "powershell.exe -ExecutionPolicy Unrestricted -WindowStyle Hidden -File c:\onefuzz\tools\win64\onefuzz-run.ps1" /ru SYSTEM
   log "adding onboot: done"
 }
 

src/runtime-tools/win64/setup.ps1

@@ -3,7 +3,8 @@
 
 param (
   [string]$mode = "fuzz",
-  [string]$restart = "false"
+  [string]$restart = "false",
+  [switch]$docker
 )
 
 Start-Transcript -Path c:\onefuzz-setup.log
@@ -63,14 +64,18 @@ function Install-OnefuzzSetup {
     log "onefuzz: executing user-setup"
     ./setup/setup.ps1
   }
-  Optimize-VM
   Install-Debugger
   Install-LLVM
-  Enable-SSH
-  Install-OnBoot
   Install-VCRedist
   Install-Dotnet -Version $env:DOTNET_VERSIONS -InstallDir $env:DOTNET_ROOT -ToolsDir $env:ONEFUZZ_TOOLS
-  Setup-Silent-Notification
+
+  if (!$docker){
+    Enable-SSH
+    Optimize-VM
+    Install-OnBoot
+    Setup-Silent-Notification
+  }
+
   log "onefuzz: setup done"
 }
 
@@ -79,14 +84,16 @@ $config = @{'mode' = $mode; 'restart' = $restart};
 Write-OnefuzzConfig($config)
 Install-OnefuzzSetup
 
-$config = Get-OnefuzzConfig
-if ($config.restart -eq 'true') {
-  log "onefuzz: restarting"
-  Restart-Computer -Force
-}
-else {
-  log "onefuzz: launching"
+if (!$docker){
+  $config = Get-OnefuzzConfig
+  if ($config.restart -eq 'true') {
+    log "onefuzz: restarting"
+    Restart-Computer -Force
+  }
+  else {
+    log "onefuzz: launching"
 
-  # Task created in `Install-OnBoot`.
-  schtasks /run /tn onefuzz
-}
+    # Task created in `Install-OnBoot`.
+    schtasks /run /tn onefuzz
+  }
+}