From 1481653c5b4260f1322088d0050b1208ba04bb86 Mon Sep 17 00:00:00 2001 From: Christine Dodrill Date: Sat, 21 Dec 2019 15:05:07 -0500 Subject: [PATCH] blog: add blogpost on irc hosting via k8s --- blog/ircd-k8s-2019-12-21.markdown | 390 ++++++++++++++++++++++++++++++ 1 file changed, 390 insertions(+) create mode 100644 blog/ircd-k8s-2019-12-21.markdown diff --git a/blog/ircd-k8s-2019-12-21.markdown b/blog/ircd-k8s-2019-12-21.markdown new file mode 100644 index 0000000..590a9f1 --- /dev/null +++ b/blog/ircd-k8s-2019-12-21.markdown @@ -0,0 +1,390 @@ +--- +title: How I set up an IRC daemon on Kubernetes +date: 2019-12-21 +series: howto +tags: + - irc + - kubernetes + +--- + +# How I set up an IRC daemon on Kubernetes + +[IRC][rfc1459]. It's one of the last bastions of the old internet, and still an actively developed and researched protocol. Historically, IRC daemons have been notoriously annoying to set up and maintain. I have created an IRC daemon running on top of Kubernetes, which will hopefully help remove a lot of the pain points for my personal usage. Here's how I did it. + +[rfc1459]: https://tools.ietf.org/html/rfc1459 + +IRC is a simple protocol and only has a few major moving parts. IRC is made up of networks of servers that federate together as one logical unit. IRC is scalable from networks spanning one server to hundreds (though realistically you're not likely to find more than about 10 servers in a network). + +At its core, IRC daemons are a pub-sub protocol that also has a distributed state layer on top of it. TCP connections can either represent individual users or server trunking. Each user has their own state (nickname, ident and "real name"). Users can join channels which can have their own state (modes, topic, timestamp and ban lists). Some servers have a limit of the number of channels you can join. + +So, with this in mind, let's start with a simple IRC daemon in a docker container. I chose [ngircd][ngircd] for this because it's packaged in Alpine Linux. Let's create the configuration file ngircd.conf: + +[ngircd]: https://ngircd.barton.de/index.php.en + +```ini +[Global] +Name = seaworld.yolo-swag.com +AdminInfo1 = ShadowNET Main Server +AdminInfo2 = New York, New York, USA +AdminInfo3 = Cadey Ratio +Info = Hosted on Kubernetes! +Listen = 0.0.0.0 +MotdFile = /shadownet/motd +Network = ShadowNET +Ports = 6667 +ServerGID = 65534 +ServerUID = 65534 + +[Limits] +MaxJoins = 50 +MaxNickLength = 31 +MaxListSize = 100 +PingTimeout = 120 +PongTimeout = 20 + +[Options] +AllowedChannelTypes = #&+ +AllowRemoteOper = yes +CloakUserToNick = yes +DNS = no +Ident = no +IncludeDir = /shadownet/secret +MorePrivacy = yes +NoticeBeforeRegistration = yes +OperCanUseMode = yes +OperChanPAutoOp = yes +PAM = no +PAMIsOptional = yes +RequireAuthPing = yes +# WebircPassword is set in secrets + +[Channel] +Name = #lobby +Topic = Welcome to the new ShadowNET! +Modes = tn + +[Channel] +Name = #help +Topic = Get help with ShadowNET | Ping an oper for help +Modes = tn + +[Channel] +Name = #opers +Topic = Oper hideout +Modes = tnO +``` + +This is mostly based on the default settings in the example configuration file with a few glaring exceptions: + +* The server name is `seaworld.yolo-swag.com`, which will show up when users are connecting +* My information is filled out for the admin information (which is shown when a user does /ADMIN in their client) +* It has a lot of privacy-enhancing features set up +* It disables the need to authenticate with PAM before being allowed to connect to the IRC server +* Some default channel names are reserved + +So, let's create a dockerfile for this: + +```dockerfile +FROM xena/alpine +COPY motd /shadownet/motd +COPY ngircd.conf /shadownet/ngircd.conf +RUN apk --no-cache add ngircd +COPY run.sh / +CMD ["/run.sh"] +``` + +`motd` is a plain text file that is used as the "message of the day" when users connect. Servers usually list their rules here. My motd has some ascii art and has this extra info: + +``` +The *new* irc.yolo-swag.com! + +Connect on irc.within.website port 6667 or r4qrvdln2nvqyfbq.onion:6667 + +Rules: +- Don't do things that make me have to write more rules here +- This rule makes you breathe manually +``` + +Now you can build and push this image to the [docker hub][shadownetircd]. + +[shadownetircd]: https://hub.docker.com/repository/docker/shadownet/ircd + +You may have noticed earlier that a comment in the config file mentioned [webirc][webirc]. This is important for us because IRC server normally assume that the remote host information in socket calls is accurate. My Kubernetes setup has at least one level of TCP proxying at work, so this cannot pan out. Webirc offers an authenticated mechanism to let a proxy server lie about user IP addresses. My nginx-ingress setup uses the [haproxy PROXY protocol][haproxyproxy] to let underlying services know client IP addresses. So what we need is an adaptor from haproxy PROXY protocol to webirc. I hacked one up: + +[haproxyproxy]: https://www.haproxy.com/blog/haproxy/proxy-protocol/ + +```go +package main + +import ( + "crypto/md5" + "flag" + "fmt" + "io" + "log" + "net" + "strings" + + "github.com/armon/go-proxyproto" + "github.com/facebookgo/flagenv" + _ "github.com/joho/godotenv/autoload" + irc "gopkg.in/irc.v3" +) + +var ( + webircPassword = flag.String("webirc-password", "", "the password for WEBIRC") + webircIdent = flag.String("webirc-ident", "snet", "the ident for WEBIRC") + webircHost = flag.String("webirc-host", "", "the host to connect to for WEBIRC") + port = flag.String("port", "5667", "port to listen on for PROXY traffic") +) + +func main() { + flagenv.Parse() + flag.Parse() + + list, err := net.Listen("tcp", ":"+*port) + if err != nil { + panic(err) + } + + log.Printf("now listening on port %s, forwarding traffic to %s", *port, *webircHost) + + proxyList := &proxyproto.Listener{Listener: list} + + for { + conn, err := proxyList.Accept() + if err != nil { + log.Println(err) + continue + } + go dataTo(conn) + } +} + +func dataTo(conn net.Conn) { + defer conn.Close() + + ip, _, err := net.SplitHostPort(conn.RemoteAddr().String()) + if err != nil { + log.Printf("what, can't split remote address: %v", err) + ev := irc.Message{ + Command: "QUIT", + Params: []string{ + "***", + err.Error(), + }, + } + + fmt.Fprintln(conn, ev.String()) + return + } + + peer, err := net.Dial("tcp", *webircHost) + if err != nil { + log.Println(*webircHost, err) + } + defer peer.Close() + + spip := strings.Split(ip, ".") + + hostname := strings.Join([]string{ + "snet", + Hash("snet", spip[0])[:8], + Hash("snet", spip[0] + spip[1])[:8], + Hash("snet", spip[0] + spip[1] + spip[2] + spip[3])[:8], + }, ".") + + ev := irc.Message{ + Command: "WEBIRC", + Params: []string{ + *webircPassword, + *webircIdent, + ip, + hostname, + }, + } + log.Println(ev.String()) + fmt.Fprintf(peer, "%s\r\n", ev.String()) + + go io.Copy(conn, peer) + io.Copy(peer, conn) +} + +// Hash is a simple wrapper around the MD5 algorithm implementation in the +// Go standard library. It takes in data and a salt and returns the hashed +// representation. +func Hash(data string, salt string) string { + output := md5.Sum([]byte(data + salt)) + return fmt.Sprintf("%x", output) +} +``` + +This proxies connections from incoming TCP sockets to the IRC server. It also creates a fancy hostname for ngircd to use when people do a /whois on users. ngircd does have its own cloaking mechanism (which I am not using here), but I figure doing the splitting on IP address classes will make a more easy way to reliably ban users from channels. + +Now, let's build this as a docker image and push it to the [docker hub][proxy2webirc]: + +[proxy2webirc]: https://hub.docker.com/repository/docker/shadownet/proxy2webirc + +```dockerfile +FROM xena/go:1.13.5 AS build +WORKDIR /shadownet +COPY go.mod . +COPY go.sum . +ENV GOPROXY https://cache.greedo.xeserv.us +RUN go mod download +COPY cmd ./cmd +RUN GOBIN=/shadownet/bin go install ./cmd/proxy2webirc + +FROM xena/alpine +COPY --from=build /shadownet/bin/proxy2webirc /usr/local/bin/proxy2webirc +CMD ["/usr/local/bin/proxy2webirc"] +``` + +And now we get to wire this all up in a kubernetes manifest. Let's create a namespace: + +```yaml +# 00_namespace.yml +apiVersion: v1 +kind: Namespace +metadata: + name: ircd +``` + +And now we need to create the secrets that the IRC daemon will use when operating. We need the webirc password and a few operator blocks. Let's make a script to create operator blocks: + +```sh +#!/bin/sh +# scripts/makeoper.sh + +echo "[Operator] +Name = $1 +Password = $(uuidgen)" +``` + +Then let's use it to create a few operator configs: + +```console +$ scripts/makeoper.sh Cadey >> opers.conf +$ scripts/makeoper.sh h >> opers.conf +``` + +And then create the webirc password: +
```console +$ echo "[Options] +WebircPassword = $(uuidgen)" >> webirc.conf +``` + +And then let's load these into a yaml file: + +```yaml +# 01_secrets.yml +apiVersion: v1 +kind: Secret +metadata: + name: config + namespace: ircd +type: Opaque +stringData: + opers.conf: | + + webirc.conf: | + +``` + +Now all we need is the irc daemon deployment itself that ties this all together: + +```yaml +# 02_ircd.yml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ircd + namespace: ircd + labels: + app: ircd +spec: + replicas: 1 + template: + metadata: + name: ircd + labels: + app: ircd + spec: + containers: + - name: proxystrip + image: shadownet/proxy2webirc:latest + imagePullPolicy: Always + ports: + - containerPort: 5667 + name: proxiedirc + protocol: TCP + env: + - name: WEBIRC_HOST + value: 127.0.0.1:6667 + - name: WEBIRC_PASSWORD + value: + - name: ircd + image: shadownet/ircd:latest + imagePullPolicy: Always + volumeMounts: + - name: secretconfig + mountPath: "/shadownet/secret" + restartPolicy: Always + volumes: + - name: secretconfig + secret: + secretName: config + selector: + matchLabels: + app: ircd +--- +apiVersion: v1 +kind: Service +metadata: + name: ircd + namespace: ircd + labels: + app: ircd +spec: + ports: + - port: 6667 + targetPort: 5667 + protocol: TCP + selector: + app: ircd + type: NodePort +``` + +This will set up our IRC daemon to read the secrets from the filesystem at `/shadownet/secret`, which was configured as the `IncludeDir` in the ngircd config above. + +At this point, your IRC daemon is ready to go and can be applied to your cluster whenever you want, however it may be interesting to set up a tor onion address for the IRC server. Using the [tor operator][toroperator], we can create a private key locally, load it as a kubernetes secret and then activate the tor hidden service: + +[toroperator]: https://github.com/kragniz/tor-controller + +```console +$ openssl genrsa -out private_key 1024 +$ kubectl create secret -n ircd generic ircd-tor-key --from-file=private_key +``` + +Now apply this manifest: + +```yaml +# 03_onion.yml +apiVersion: tor.k8s.io/v1alpha1 +kind: OnionService +metadata: + name: ircd +spec: + version: 2 + selector: + app: ircd + ports: + - targetPort: 6667 + publicPort: 6667 + privateKeySecret: + name: ircd-tor-key + key: private_key +``` + +Now, you should be able to let users connect to your IRC server to their heart's content. If you want to join the IRC server I've set up, point your IRC client at `irc.within.website`. I'll be in `#lobby`. \ No newline at end of file