feat(BOUN-1233): rework ic-boundary CLI, bump ic-gateway (#2451)

* Rework `ic-boundary` CLI: re-group & rename, move http client & server
CLI to `ic-bn-lib`
* `ic-boundary` now gets configured through env vars like `ic-gateway`
* Add & enable shedding (for now only the system one) for API BNs

misc:
* Bump the size limits of governance and ledger canisters because the
dependencies affect their sizes and throw over the limit

---------

Co-authored-by: IDX GitHub Automation <[email protected]>

bazel/external_crates.bzl

@@ -366,7 +366,7 @@ def external_crates_repository(name, cargo_lockfile, lockfile, sanitizers_enable
                 version = "^0.2.2",
             ),
             "clap": crate.spec(
-                version = "^4.5.18",
+                version = "^4.5.20",
                 features = [
                     "derive",
                     "string",
@@ -568,7 +568,7 @@ def external_crates_repository(name, cargo_lockfile, lockfile, sanitizers_enable
             ),
             "ic-bn-lib": crate.spec(
                 git = "https://github.com/dfinity/ic-bn-lib",
-                rev = "9abf1e385e4a32279de005d0019c17774e164828",
+                rev = "526d34d15cfbf369d8baf2dae9932aa18d570a1d",
             ),
             "ic-btc-interface": crate.spec(
                 version = "^0.2.2",
@@ -680,7 +680,7 @@ def external_crates_repository(name, cargo_lockfile, lockfile, sanitizers_enable
                 version = "^1.31.0",
             ),
             "instant-acme": crate.spec(
-                version = "^0.7.1",
+                version = "^0.7.2",
             ),
             "intmap": crate.spec(
                 version = "^1.1.0",

ic-os/boundary-guestos/context/Dockerfile

@@ -25,8 +25,8 @@ WORKDIR /tmp
 
 # Download and verify ic-gateway
 RUN \
-    curl -L -O https://github.com/dfinity/ic-gateway/releases/download/v0.1.58/ic-gateway_0.1.58_amd64.deb && \
-    echo "d6939a8e4c473cf5af8f63e3ce577d7685ec2bb89428d925f8a55dc87d7a10c1  ic-gateway_0.1.58_amd64.deb" | sha256sum -c
+    curl -L -O https://github.com/dfinity/ic-gateway/releases/download/v0.1.59/ic-gateway_0.1.59_amd64.deb && \
+    echo "2d57c4a6e77f974ce4674ebc631ba5f2c7de0bb4bf05069c5bcffb21ec274ea2  ic-gateway_0.1.59_amd64.deb" | sha256sum -c
 
 #
 # Second build stage:
@@ -56,9 +56,9 @@ FROM image-${BUILD_TYPE}
 
 USER root:root
 
-COPY --from=download /tmp/ic-gateway_0.1.58_amd64.deb /tmp/ic-gateway_0.1.58_amd64.deb
-RUN dpkg -i --force-confold /tmp/ic-gateway_0.1.58_amd64.deb && \
-    rm /tmp/ic-gateway_0.1.58_amd64.deb
+COPY --from=download /tmp/ic-gateway_0.1.59_amd64.deb /tmp/ic-gateway_0.1.59_amd64.deb
+RUN dpkg -i --force-confold /tmp/ic-gateway_0.1.59_amd64.deb && \
+    rm /tmp/ic-gateway_0.1.59_amd64.deb
 
 RUN mkdir -p /boot/config \
              /boot/efi \

ic-os/components/boundary-guestos/etc/systemd/system/ic-boundary.service

@@ -1,34 +1,16 @@
 [Unit]
-Description=IC Boundary Reverse Proxy
+Description=IC-Boundary
 After=network-online.target
 Wants=network-online.target
 After=setup-ic-boundary.service
 BindsTo=setup-ic-boundary.service
 
 [Service]
-LogRateLimitIntervalSec=1ms
-LogRateLimitBurst=1000
 User=root
 Group=root
 Restart=always
 EnvironmentFile=/run/ic-node/etc/default/ic-boundary
-ExecStart=/bin/bash -c ' \
-    /opt/ic/bin/ic-boundary \
-        --local-store-path /var/opt/registry/store \
-        --nns-pub-key-pem /run/ic-node/etc/default/nns_public_key.pem \
-        --nns-urls "${NNS_URL}" \
-        --http-port 9000 \
-        --metrics-addr "[::]:9324" \
-        --log-stdout \
-        --log-failed-requests-only \
-        --nftables-system-replicas-path /run/ic-node/etc/nftables/system_replicas.ruleset \
-        --retry-update-call \
-        --rate-limit-per-second-per-subnet "1000" \
-        --http-client-count "2" \
-        ${CACHE_SIZE:+ --cache-size-bytes "${CACHE_SIZE}"} \
-        ${CACHE_ITEM_MAX_SIZE:+ --cache-max-item-size-bytes "${CACHE_ITEM_MAX_SIZE}"} \
-        ${CACHE_TTL:+ --cache-ttl-seconds "${CACHE_TTL}"} \
-'
+ExecStart=/opt/ic/bin/ic-boundary
 
 [Install]
 WantedBy=multi-user.target

ic-os/components/boundary-guestos/opt/ic/bin/setup-ic-boundary.sh

@@ -50,10 +50,21 @@ function generate_config() {
 
     # Generate Configuration
     cat >"${ENV_FILE}" <<EOF
-NNS_URL=${NNS_URL}
-CACHE_SIZE=1073741824
-CACHE_ITEM_MAX_SIZE=10485760
-CACHE_TTL=1
+LISTEN_HTTP_PORT="9000"
+NETWORK_HTTP_CLIENT_COUNT="2"
+OBS_METRICS_ADDR="[::]:9324"
+OBS_LOG_STDOUT="true"
+OBS_LOG_FAILED_REQUESTS_ONLY="true"
+HTTP_CLIENT_TIMEOUT_CONNECT="3s"
+NFTABLES_SYSTEM_REPLICAS_PATH="/run/ic-node/etc/nftables/system_replicas.ruleset"
+RETRY_UPDATE_CALL="true"
+RATE_LIMIT_PER_SECOND_PER_SUBNET="1000"
+REGISTRY_NNS_URLS="${NNS_URL}"
+REGISTRY_NNS_PUB_KEY_PEM="/run/ic-node/etc/default/nns_public_key.pem"
+REGISTRY_LOCAL_STORE_PATH="/var/opt/registry/store"
+CACHE_SIZE="1GB"
+CACHE_MAX_ITEM_SIZE="10MB"
+CACHE_TTL="1s"
 EOF
 }
 

ic-os/components/boundary-guestos/opt/ic/bin/setup-ic-gateway.sh

@@ -125,8 +125,8 @@ ENV="${ENV}"
 DOMAIN_APP="${DOMAINS_APP}"
 DOMAIN_SYSTEM="${DOMAINS_SYSTEM}"
 DOMAIN_API="${DOMAINS_API}"
-HTTP_SERVER_LISTEN_PLAIN="[::]:80"
-HTTP_SERVER_LISTEN_TLS="[::]:443"
+LISTEN_PLAIN="[::]:80"
+LISTEN_TLS="[::]:443"
 DNS_PROTOCOL="https"
 METRICS_LISTEN="[::]:9314"
 POLICY_PRE_ISOLATION_CANISTERS="${RUN_DIR}/pre_isolation_canisters.txt"

publish/canisters/BUILD.bazel

@@ -69,7 +69,7 @@ CANISTERS_MAX_SIZE_COMPRESSED_E5_BYTES = {
     # The orchestrator needs to embed 3 wasms at compile time
     # (ICRC1 index, ICRC1 ledger, and ICRC1 archive) and size is
     # therefore strictly controlled.
-    "ic-ledger-suite-orchestrator-canister.wasm.gz": "16",
+    "ic-ledger-suite-orchestrator-canister.wasm.gz": "19",
 }
 
 # How these limits were chosen:
@@ -85,7 +85,7 @@ CANISTERS_MAX_SIZE_COMPRESSED_E5_BYTES = {
 NNS_CANISTERS_MAX_SIZE_COMPRESSED_E5_BYTES = {
     "cycles-minting-canister.wasm.gz": "5",
     "genesis-token-canister.wasm.gz": "3",
-    "governance-canister.wasm.gz": "14",
+    "governance-canister.wasm.gz": "17",
     "governance-canister_test.wasm.gz": "17",
     "registry-canister.wasm.gz": "14",
     "root-canister.wasm.gz": "4",

rs/boundary_node/certificate_issuance/certificate_issuer/Cargo.toml

@@ -25,7 +25,7 @@ ic-http-certification = { workspace = true }
 ic-response-verification = { workspace = true }
 ic-utils = { workspace = true, features = ["raw"] }
 idna = { workspace = true }
-instant-acme = "0.7.1"
+instant-acme = "0.7.2"
 leb128 = "0.2.5"
 mockall = { workspace = true }
 opentelemetry = { version = "0.20", features = ["metrics", "trace"] }

rs/boundary_node/ic_boundary/Cargo.toml

@@ -33,7 +33,7 @@ http = { workspace = true }
 http-body = { workspace = true }
 humantime = "2.1"
 ic-base-types = { path = "../../types/base_types" }
-ic-bn-lib = { git = "https://github.com/dfinity/ic-bn-lib", rev = "9abf1e385e4a32279de005d0019c17774e164828" }
+ic-bn-lib = { git = "https://github.com/dfinity/ic-bn-lib", rev = "526d34d15cfbf369d8baf2dae9932aa18d570a1d" }
 ic-certification-test-utils = { path = "../../certification/test-utils" }
 ic-config = { path = "../../config" }
 ic-crypto-ed25519 = { path = "../../crypto/ed25519" }
@@ -55,7 +55,6 @@ ic-registry-routing-table = { path = "../../registry/routing_table" }
 ic-registry-subnet-type = { path = "../../registry/subnet_type" }
 ic-types = { path = "../../types/types" }
 lazy_static = { workspace = true }
-little-loadshedder = "0.2.0"
 maxminddb = "0.24"
 mockall = { workspace = true }
 moka = { version = "0.12.8", features = ["sync", "future"] }

rs/boundary_node/ic_boundary/benches/perf.rs

@@ -10,7 +10,7 @@ use tokio_util::sync::CancellationToken;
 use ic_boundary::test_utils::setup_test_router;
 
 fn gen_request(cli: &reqwest::Client, addr: &SocketAddr, bytes_size: usize) -> reqwest::Request {
-    let mut rng = rand::thread_rng();
+    let mut rng = thread_rng();
 
     let canister_id: u64 = rng.gen_range(0..100_000_000);
     let canister_id = Principal::from_slice(canister_id.to_be_bytes().as_slice());
@@ -58,6 +58,10 @@ fn benchmark(c: &mut Criterion) {
         http2_keepalive_timeout: Duration::from_secs(30),
         grace_period: Duration::from_secs(60),
         max_requests_per_conn: Some(1000),
+        tls_handshake_timeout: Duration::from_secs(10),
+        read_timeout: Some(Duration::from_secs(10)),
+        write_timeout: Some(Duration::from_secs(10)),
+        idle_timeout: Duration::from_secs(10),
     };
 
     let runtime = tokio::runtime::Builder::new_current_thread()

rs/boundary_node/ic_boundary/src/bouncer.rs

@@ -22,7 +22,7 @@ use ratelimit::Ratelimiter;
 use tracing::{debug, error, info, warn};
 
 use crate::{
-    cli::BouncerConfig,
+    cli,
     routes::{ErrorCause, RateLimitCause},
 };
 
@@ -257,7 +257,7 @@ impl Bouncer {
     }
 }
 
-pub fn setup(cli: &BouncerConfig, registry: &Registry) -> Result<Arc<Bouncer>, Error> {
+pub fn setup(cli: &cli::Bouncer, registry: &Registry) -> Result<Arc<Bouncer>, Error> {
     let executor = Arc::new(exec::Executor::new(
         cli.bouncer_sudo,
         cli.bouncer_sudo_path.clone(),
@@ -279,9 +279,9 @@ pub fn setup(cli: &BouncerConfig, registry: &Registry) -> Result<Arc<Bouncer>, E
         Bouncer::new(
             cli.bouncer_ratelimit,
             cli.bouncer_burst_size,
-            Duration::from_secs(cli.bouncer_ban_seconds),
+            cli.bouncer_ban_time,
             cli.bouncer_max_buckets,
-            Duration::from_secs(cli.bouncer_bucket_ttl),
+            cli.bouncer_bucket_ttl,
             firewall,
             registry,
         )
@@ -290,7 +290,7 @@ pub fn setup(cli: &BouncerConfig, registry: &Registry) -> Result<Arc<Bouncer>, E
 
     // Start background task
     let bouncer_task = bouncer.clone();
-    let interval = Duration::from_secs(cli.bouncer_apply_interval);
+    let interval = cli.bouncer_apply_interval;
     tokio::spawn(async move {
         bouncer_task.clone().run(interval).await;
     });

rs/boundary_node/ic_boundary/src/bouncer/firewall.rs

@@ -101,7 +101,7 @@ impl Set {
     }
 
     // Converts a list of ips into an NFTables object
-    fn convert(&self, addrs: Vec<IpAddr>) -> schema::NfListObject {
+    fn convert(&self, addrs: Vec<IpAddr>) -> NfListObject {
         let elem = addrs
             .into_iter()
             .map(|x| Expression::String(x.to_string()))
@@ -110,7 +110,7 @@ impl Set {
         // There is a discrepancy between `cargo clippy` and `bazel lint`.
         // Remove this once it is fixed.
         #[allow(clippy::clone_on_copy)]
-        schema::NfListObject::Element(schema::Element {
+        NfListObject::Element(schema::Element {
             family: self.family,
             table: self.table.clone(),
             name: self.name.clone(),
@@ -338,7 +338,7 @@ mod test {
         fw.apply(decisions).await.unwrap();
 
         // Check if the payload sent to executor is correct
-        let payload_expected = serde_json::json!({
+        let payload_expected = json!({
             "nftables": [
                 {
                     "add": {

rs/boundary_node/ic_boundary/src/cache.rs

@@ -92,8 +92,8 @@ pub struct Cache {
 // Estimate rough amount of bytes that cache entry takes in memory
 fn weigh_entry(k: &Arc<RequestContext>, v: &CacheItem) -> u32 {
     let mut cost = v.body.len()
-        + std::mem::size_of::<CacheItem>()
-        + std::mem::size_of::<Arc<RequestContext>>()
+        + size_of::<CacheItem>()
+        + size_of::<Arc<RequestContext>>()
         + k.method_name.as_ref().map(|x| x.len()).unwrap_or(0)
         + k.arg.as_ref().map(|x| x.len()).unwrap_or(0)
         + k.nonce.as_ref().map(|x| x.len()).unwrap_or(0)