Softnet is a software networking for Tart which provides better network isolation and alleviates DHCP shortage on production systems. Please check out this blog post for backstory.
This is its fork specific to our usage in EAS Build.
Softnet solves two problems:
- VM network isolation
VZNATNetworkDeviceAttachment(the default networking in Tart) enables vmnet's bridge isolation by default and prevents cross-VM traffic, however it's still possible for any VM to spoof the host's ARP-table and capture other VMs traffic
- DHCP exhaustion
- macOS built-in DHCP-server allocates a
/24subnet with 86400 seconds lease time by default, which only allows for ~253 VMs a day (or 1 VM every ~6 minutes) to be spawned without causing a denial-of-service, which is pretty limiting for CI services like Cirrus CI
And assumes that:
- Tart gives it's VMs unique MAC-addresses
- macOS built-in DHCP-server won't re-use the IP-addresses from it's pool until their lease expire
...otherwise it's possible for two VMs to receive an identical IP-address from the macOS built-in DHCP-server (even in the presence of Softnet's packet filtering) and thus bypass the protections offered by Softnet.
For proper functioning, Softnet binary requires two things:
- a SUID-bit to be set on the binary or a passwordless sudo to be configured, which effectively gives the binary
rootprivileges- these privileges are needed to create
vmnet.frameworkinterface and perform DHCP-related system tweaks - the privileges will be dropped automatically to that of the calling user (or those represented by the
--userand--groupcommand-line arguments) once all of the initialization is completed
- these privileges are needed to create
- the binary to be available in
PATH- so that the Tart will be able to find it
Softnet is started and managed automatically by Tart if --net-softnet flag is provided when calling tart run.