Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update for Foxy #34

Merged
merged 49 commits into from
Mar 3, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
49 commits
Select commit Hold shift + click to select a range
f4e1e1b
Clean out old files
ruffsl Apr 29, 2020
55236c9
Simplify README
ruffsl Apr 29, 2020
c6df6bc
Clean up Dockerfile
ruffsl Apr 29, 2020
32d7ee6
Update Dockerfile
ruffsl Apr 29, 2020
df25c11
Stage changed for foxy source build
ruffsl Apr 29, 2020
5d9b178
Update building Dockerfile
ruffsl Apr 30, 2020
582dd79
Update Dockerfile entrypoint
ruffsl Apr 30, 2020
7be8ecc
Update readme
ruffsl Apr 30, 2020
5da496f
Update Dockerfile format
ruffsl Apr 30, 2020
5ca3279
Tweek Dockerfile formating
ruffsl Apr 30, 2020
cc77338
Clean up grouping
ruffsl Apr 30, 2020
df5e7c0
Dockerfile tweek
ruffsl Apr 30, 2020
6722ebf
Update Dockerfile for foxy
ruffsl Jun 9, 2020
9940adc
Prune underlay
ruffsl Jun 9, 2020
c643a0d
Remove underlay
ruffsl Jul 17, 2020
8ef7749
Remove duplicate maps files
ruffsl Jul 17, 2020
5b46f7d
Use nav2 package launch files
ruffsl Jul 17, 2020
c4fc4b2
Switch to slam_toolbox from cartographer
ruffsl Jul 17, 2020
899eb08
Clean config from old reconnaissance demo
ruffsl Jul 17, 2020
5533388
Update readme
ruffsl Jul 18, 2020
365b617
Update and stage autogenerated policy
ruffsl Jul 18, 2020
0dd1fbe
Remove ephermal nodes
ruffsl Jul 18, 2020
9cd2ba6
Substitute include node macro
ruffsl Jul 18, 2020
20b0c90
Substitute include lifecycle_node macro
ruffsl Jul 18, 2020
9d6bf39
Prune empty rule elements
ruffsl Jul 18, 2020
cb88f40
Fix xinclude in xml header
ruffsl Jul 18, 2020
0842dfc
Use actions tag in policy
ruffsl Jul 18, 2020
c5ff665
Update sros2 env
ruffsl Jul 18, 2020
1d76c2a
update rosdep database before installing dependencies
mikaelarguedas Jul 18, 2020
5d624aa
copy common policies from sros2
mikaelarguedas Jul 18, 2020
1b8329b
map_server is a lifecycle node, gazebo publishes clock, missing RViZ …
mikaelarguedas Jul 18, 2020
60ea750
Use released package for slam-toolbox
ruffsl Jul 23, 2020
a7982b3
Updates for map saver
ruffsl Jul 23, 2020
5a70fe0
Update debug config
ruffsl Jul 24, 2020
d93e80a
Update nav2 scripts
ruffsl Jul 24, 2020
ff6ec01
Add option to use rti connext
ruffsl Jul 24, 2020
40857f5
Add option for admin profile
ruffsl Jul 24, 2020
19fac4a
Fix newlines
ruffsl Jul 24, 2020
d55b8e7
Set DEBIAN_FRONTEND to noninteractive
ruffsl Mar 2, 2021
f3dd64a
Rename repos folder
ruffsl Mar 2, 2021
244a829
Add meta package for demo
ruffsl Mar 2, 2021
e3ed186
Comment out uneeded repos
ruffsl Mar 2, 2021
15eb7e0
Install from release binaries
ruffsl Mar 2, 2021
951e632
Launch gazebo from turtlebot3_gazebo
ruffsl Mar 2, 2021
7bb7551
Upgrade when installing dependencies
ruffsl Mar 2, 2021
66a44ec
Add option to use rmw_connextdds
ruffsl Mar 2, 2021
d46b623
Default to admin profile for now
ruffsl Mar 2, 2021
eae58c0
Update admin enclave for rqt
ruffsl Mar 2, 2021
5314f14
Depend on desktop for rqt plugins and etc
ruffsl Mar 2, 2021
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
37 changes: 0 additions & 37 deletions .docker/overlay.repos

This file was deleted.

136 changes: 82 additions & 54 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,91 +1,119 @@
FROM osrf/ros:dashing-desktop
# FROM osrf/ros2:nightly
ARG FROM_IMAGE=ros:foxy
ARG OVERLAY_WS=/opt/ros/overlay_ws

# multi-stage for caching
FROM $FROM_IMAGE AS cacher

# copy overlay source
ARG OVERLAY_WS
WORKDIR $OVERLAY_WS
COPY ./overlay ./
RUN vcs import src < overlay.repos && \
find src -name ".git" | xargs rm -rf || true

# copy manifests for caching
WORKDIR /opt
RUN mkdir -p /tmp/opt && \
find ./ -name "package.xml" | \
xargs cp --parents -t /tmp/opt && \
find ./ -name "COLCON_IGNORE" | \
xargs cp --parents -t /tmp/opt || true

# multi-stage for building
FROM $FROM_IMAGE AS builder
ARG DEBIAN_FRONTEND=noninteractive

# install helpful developer tools
RUN apt-get update && apt-get install -y \
bash-completion \
byobu \
ccache \
fish \
glances \
micro \
nano \
python3-argcomplete \
tree \
vim \
&& cd /usr/bin && curl https://getmic.ro | bash \
&& rm -rf /var/lib/apt/lists/*

# install turtlebot external packages
RUN apt-get update && apt-get install -y \
ros-$ROS_DISTRO-rqt* \
ros-$ROS_DISTRO-turtlebot3-cartographer \
ros-$ROS_DISTRO-turtlebot3-navigation2 \
ros-$ROS_DISTRO-turtlebot3-simulations \
ros-$ROS_DISTRO-turtlebot3-teleop \
&& rm -rf /var/lib/apt/lists/*
# # install RTI Connext DDS
# # set up environment
# ENV NDDSHOME /opt/rti.com/rti_connext_dds-6.0.1
# WORKDIR $NDDSHOME
# COPY ./rti ./
# RUN yes | ./rti_connext_dds-6.0.1-eval-x64Linux3gcc5.4.0.run && \
# mv y/*/* ./ && rm -rf y
# # set RTI DDS environment
# ENV CONNEXTDDS_DIR $NDDSHOME
# ENV PATH "$NDDSHOME/bin":$PATH
# ENV LD_LIBRARY_PATH "$NDDSHOME/lib/x64Linux3gcc5.4.0":$LD_LIBRARY_PATH
# # set RTI openssl environment
# ENV PATH "$NDDSHOME/third_party/openssl-1.1.1d/x64Linux4gcc7.3.0/release/bin":$PATH
# ENV LD_LIBRARY_PATH "$NDDSHOME/third_party/openssl-1.1.1d/x64Linux4gcc7.3.0/release/lib":$LD_LIBRARY_PATH

# clone overlay package repos
ENV TB3_OVERLAY_WS /opt/tb3_overlay_ws
RUN mkdir -p $TB3_OVERLAY_WS/src
WORKDIR $TB3_OVERLAY_WS
COPY .docker/overlay.repos ./
RUN vcs import src < overlay.repos
# Install extra sources from this repo
COPY example_nodes/ src/example_nodes
# RUN vcs import src < src/ros-planning/navigation2/tools/ros2_dependencies.repos

# install overlay package dependencies
RUN . /opt/ros/$ROS_DISTRO/setup.sh \
&& rosdep update \
&& rosdep install -y \
# install overlay dependencies
ARG OVERLAY_WS
WORKDIR $OVERLAY_WS
COPY --from=cacher /tmp/$OVERLAY_WS/src ./src
RUN . /opt/ros/$ROS_DISTRO/setup.sh && \
apt-get update && rosdep update \
--rosdistro $ROS_DISTRO && \
apt-get upgrade -y && \
rosdep install -q -y \
--from-paths src \
--ignore-src \
--skip-keys " \
ament_mypy \
libopensplice69 \
rti-connext-dds-5.3.1 \
" \
&& rm -rf /var/lib/apt/lists/*

# build overlay package source
# RUN touch $TB3_OVERLAY_WS/src/turtlebot3/turtlebot3_node/COLCON_IGNORE
# build overlay source
COPY --from=cacher $OVERLAY_WS/src ./src
ARG OVERLAY_MIXINS="release ccache"
RUN . /opt/ros/$ROS_DISTRO/setup.sh && \
colcon build \
--symlink-install
--symlink-install \
--mixin $OVERLAY_MIXINS

# fetch and install tools for reconnaissance
WORKDIR /tmp
RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \
libgmp3-dev gengetopt \
libpcap-dev flex byacc \
libjson-c-dev unzip \
libunistring-dev wget \
libxml2-dev libxslt1-dev \
libffi-dev libssl-dev \
tshark && \
rm -rf /var/lib/apt/lists/*
RUN git clone https://github.com/aliasrobotics/aztarna && \
cd aztarna && python3 setup.py install
# # install RTI Connext
# ENV RTI_NC_LICENSE_ACCEPTED yes
# RUN apt-get update && apt-get install -y \
# ros-$ROS_DISTRO-rmw-connext-cpp \
# && rm -rf /var/lib/apt/lists/*
# # set up environment
# ENV NDDSHOME /opt/rti.com/rti_connext_dds-5.3.1
# ENV PATH "$NDDSHOME/bin":$PATH
# ENV LD_LIBRARY_PATH "$NDDSHOME/lib/x64Linux3gcc5.4.0":$LD_LIBRARY_PATH
# # install RTI Security
# WORKDIR $NDDSHOME
# # ADD https://s3.amazonaws.com/RTI/Bundles/5.3.1/Evaluation/rti_connext_dds_secure-5.3.1-eval-x64Linux3gcc5.4.0.tar.gz ./
# # RUN tar -xvf rti_connext_dds_secure-5.3.1-eval-x64Linux3gcc5.4.0.tar.gz -C ./
# COPY ./rti ./
# RUN rtipkginstall rti_security_plugins-5.3.1-eval-x64Linux3gcc5.4.0.rtipkg && \
# rtipkginstall openssl-1.0.2n-5.3.1-host-x64Linux.rtipkg && \
# tar -xvf openssl-1.0.2n-target-x64Linux3gcc5.4.0.tar.gz
# ENV PATH "$NDDSHOME/openssl-1.0.2n/x64Linux3gcc5.4.0/release/bin":$PATH
# ENV LD_LIBRARY_PATH "$NDDSHOME/openssl-1.0.2n/x64Linux3gcc5.4.0/release/lib":$LD_LIBRARY_PATH
# # install RTI QoS
# ENV NDDS_QOS_PROFILES "$NDDSHOME/NDDS_QOS_PROFILES.xml"

# generate artifacts for keystore
ENV TB3_DEMO_DIR $TB3_OVERLAY_WS/..
ENV TB3_DEMO_DIR $OVERLAY_WS/..
WORKDIR $TB3_DEMO_DIR
COPY policies policies
RUN . $TB3_OVERLAY_WS/install/setup.sh && \
RUN . $OVERLAY_WS/install/setup.sh && \
ros2 security generate_artifacts -k keystore \
-p policies/tb3_gazebo_policy.xml \
-n /_ros2cli
-p policies/tb3_gazebo_policy.xml

# copy demo files
COPY maps maps
COPY configs configs
COPY .gazebo /root/.gazebo

# source overlay workspace from entrypoint
ENV OVERLAY_WS $OVERLAY_WS
RUN sed --in-place \
's|^source .*|source "$TB3_OVERLAY_WS/install/setup.bash"|' \
's|^source .*|source "$OVERLAY_WS/install/setup.bash"|' \
/ros_entrypoint.sh && \
cp /etc/skel/.bashrc ~/ && \
echo 'source "$TB3_OVERLAY_WS/install/setup.bash"' >> ~/.bashrc
echo 'source "$OVERLAY_WS/install/setup.bash"' >> ~/.bashrc

ENV TURTLEBOT3_MODEL='burger' \
GAZEBO_MODEL_PATH=/opt/ros/$ROS_DISTRO/share/turtlebot3_gazebo/models:$GAZEBO_MODEL_PATH
GAZEBO_MODEL_PATH=$OVERLAY_WS/install/turtlebot3_gazebo/share/turtlebot3_gazebo/models:$GAZEBO_MODEL_PATH
91 changes: 5 additions & 86 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Secure Turtlebot3 Demo

This repository includes a demo for securing a simulated Turtlebot3 using SROS2; including sensor and control topics as well the relevant portions of the cartographer and navigation2 software stacks.
This repository includes a demo for securing a simulated Turtlebot3 using SROS2; including sensor and control topics as well the relevant portions of the slam_toolbox and navigation2 software stacks.

## Setting the Demo

Expand All @@ -16,7 +16,7 @@ To run this demo using docker, the following dependencies are required:
* Please ensure display forwarding is working with rocker.
* [nvidia-docker](https://github.com/NVIDIA/nvidia-docker) is also useful for those with a GPU.
* [off-your-rocker](https://github.com/sloretz/off-your-rocker)
* Rocker extension. Required to run the sandbox demo. Used to pass arbitrary arguments Docker arguments through rocker.
* Rocker extension, for passing through arbitrary Docker arguments.

For those who can't use linux containers or for detailed instructions on how to build, you may still follow the general build steps of the [Dockerfile](Dockerfile).

Expand All @@ -41,7 +41,7 @@ Byobu starts a new session and launch the turtlebot3 demo over several windows:
* initialize pose script
* navigation goal script
* `mapping`
* cartographer mapping stack
* slam_toolbox mapping stack
* save map file
* map topic info
* `sros`
Expand All @@ -55,50 +55,10 @@ You can first drive the robot around and generate a map using the teleoperation

[![](media/mapping3.png)](media/mapping.mp4)

Feel free to poke around, open a new window and list or echo topics and services. You can explore the other panes as well, for example you can stop cartographer in the `mapping` window and start the navigation launchfile from the `navigation` window. You will stat by localizing the robot by initializing the pose and then setting a navigation goal via the scripts in the respective window panes. This can also be done graphically via rviz.
Feel free to poke around, open a new window and list or echo topics and services. You can explore the other panes as well, for example you can stop slam_toolbox in the `mapping` window and start the navigation launchfile from the `navigation` window. You will stat by localizing the robot by initializing the pose and then setting a navigation goal via the scripts in the respective window panes. This can also be done graphically via rviz.

[![](media/localize.png)](media/localize.mp4)

## Running the reconnaissance demo:

Reconnaissance is the act of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively (meaning that you are directly touching/connecting-to the target) or passively (meaning that your reconnaissance is being performed through an intermediary).

The purpose of reconnaissance is to accumulate as much information as possible about a robot or robot component, including the available ROS abstractions (topics, services, etc.), the version of ROS, the target’s hardware platform and more.

In this short tutorial we'll demonstrate the use of [`aztarna`](https://github.com/aliasrobotics/aztarna/), a tool for performing reconnaissance in a variety of robotic systems. Particularly, we'll look at the information we can obtain by performing active reconnaissance in an unsecure robot acting both as an attacker with direct access to the robot ("host/container" insider) and as an attacker with access to the local internal network where ROS 2 operates.

### Host/container insider attacker
``` bash
rocker --x11 --nvidia rosswg/turtlebot3_demo:roscon19 "byobu -f configs/unsecure.conf attach"
```

### Internal network attacker
``` bash
# in Terminal (terminal 1), initialize first a swarm
docker swarm init
# in Terminal (terminal 1), create the network overlay
docker network create -d overlay \
--subnet=10.0.0.0/24 \
--gateway=10.0.0.1 \
--ip-range 10.0.0.192/27 \
--attachable \
overlay

# in another Terminal (terminal 2), launch demo
rocker --x11 --nvidia --network overlay rosswg/turtlebot3_demo:roscon19 "byobu -f configs/unsecure.conf attach"

# in another Terminal (terminal 3), launch another container
docker run -it --rm --network overlay --name aztarna rosswg/turtlebot3_demo:roscon19 /bin/bash
# then perform a scan
$ aztarna -t ros2
```

Cleanup afterwards:
```bash
docker network rm overlay
```


## Running the secure demo:

So far we've simply launched the turtlebot3 without using SROS2. To enable security, simply exit the previous byobu session and start a new one now using the secure config:
Expand All @@ -120,7 +80,6 @@ These variables simply enable as well as enforce security for all ros2 nodes whi

* https://design.ros2.org/articles/ros2_dds_security.html


## Re-generate security artifacts

Using the same attached session above, now lets try and generate security artifacts for ourselves, rather than simply using the same artifacts that came bundled in the demo docker image. We can start by switching over to the sros window and clearing out the existing keystore:
Expand Down Expand Up @@ -188,51 +147,11 @@ export ROS_SECURITY_ENABLE=true

Now try starting another teleop node with security disabled and check that only the secure teleop node can drive the robot.

## Sandboxed Nodes Demo

The [ROSCon 2019](https://ros-swg.github.io/ROSCon19_Security_Workshop/) [ROS2 Security Workshop](https://ros-swg.github.io/ROSCon19_Security_Workshop/)
will present the opportunity to run the Turtlebot3 demo using the [launch-ros-sandbox](https://github.com/aws-robotics/launch-ros-sandbox)
package. Specifically, the demo uses this package to launch the Turtlebot3 navigation nodes in a docker container. See the
configs/sandbox_demo/navigation_sandbox.launch.py launch file for details.

### Running the Security Workshop Sandbox Node Demo

``` bash
rocker --x11 --nvidia rosswg/turtlebot3_demo "byobu -f configs/sandbox_demo/unsecure.conf attach"
```

Omit the `--nvidia` arg if you don't have dedicated GPU for hardware acceleration of 3D OpenGL views.

Likewise, the following command is used to run the demo using the secure config:

``` bash
rocker --x11 --nvidia rosswg/turtlebot3_demo "byobu -f configs/sandbox_demo/secure.conf attach"
```

### Demonstrating Sandbox Resource Limits

This demo shows how robot code, acting improperly, can negatively affect the entire robotic system.

``` bash
rocker --x11 --nvidia rosswg/turtlebot3_demo "byobu -f configs/sandbox_demo/bad_actor.conf attach" --oyr-run-arg " -v /var/run/docker.sock:/var/run/docker.sock "
```

After launching with the above config, there are two commands ready in the `bad_actor` byobu window.
They are ready to run a cpu hog that will fork many busy processes.
This is a contrived example - but it illustrates what could happen if a node that you are using hits an untested code path and goes into an infinite loop.

If you run the top command (`ros2 run...`), you can see the CPU of your system jump to 100% usage (check the `diagnostic` byobu window), grinding everything else to a halt.

However, if you kill that and run the bottom command (`ros2 launch ...`), it will launch inside a container that has a CPU resource limit set.
This launch will be able to use at most 2 CPUs worth of processing, allowing the rest of the demo to still run at a normal speed.
See `example_nodes/launch/sandboxed_cpu_hog.launch.py` for some more info on the arguments that make this happen.


## Developing
To rebuild this demo locally if you are working on it, you can rebuild the Docker image with the same tag, so all above demo commands will work correctly.

``` bash
git clone [email protected]:ros-swg/turtlebot3_demo.git
cd turtlebot3_demo
docker build . -t rosswg/turtlebot3_demo
docker build --tag rosswg/turtlebot3_demo .
```
Loading