From ba9096c2458c42469026ecf570bba8b332b89886 Mon Sep 17 00:00:00 2001
From: Dmitrii Korolev
Date: Thu, 16 Oct 2025 13:24:26 +0200
Subject: [PATCH 1/6] configs / instructions
---
 src/BenchmarksApps/TLS/README.md | 33 +++++++++++
 .../TLS/set-fips-compliant-tls-config.ps1 | 55 +++++++++++++++++++
 2 files changed, 88 insertions(+)
 create mode 100644 src/BenchmarksApps/TLS/README.md
 create mode 100644 src/BenchmarksApps/TLS/set-fips-compliant-tls-config.ps1
diff --git a/src/BenchmarksApps/TLS/README.md b/src/BenchmarksApps/TLS/README.md
new file mode 100644
index 000000000..ff9177301
--- /dev/null
+++ b/src/BenchmarksApps/TLS/README.md
@@ -0,0 +1,33 @@
+# Useful stuff to test TLS behavior
+
+### Analysis of TLS parameters on request
+To lookup TLS behavior you can install npcap/wireshark on win machine,
+and collect a network dump (note: using a custom port requires to use `Analyze->DecodeAs` and set TCP / TLS port on dump data). There in `Client Hello` or `Server Hello` TLS parameters can be found.
+
+However, easier way is to simply perform a curl request
+```bash
+curl -v https://:/ --tlsv1.3 --tls-max 1.2 --insecure --curves [P-256/P-384/P-521/X25519]
+```
+where:
+- `--insecure` skips certificate check (but still runs with TLS)
+- `--tlsv1.3` or `--tlsv1.2` sets a minimum tls version
+- `--tls-max 1.3` or `--tls-max 1.2` sets a maximum tls version (does not allow client-server to lift up a version)
+- `--curves ...` forces a specific curve.
+
+In output you nee to find SSL connection:
+```
+* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp521r1 / RSASSA-PSS
+```
+
+### Verify machine setup
+
+#### Windows
+- Look cipher suite priority list in registry:
+```powershell
+(Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions').Functions -split ',' | ForEach-Object { "{0,3}. {1}" -f ($_.ReadCount), $_ }
+```
+
+- Look eliptic curves priority list in registry:
+```powershell
+Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' -Name 'EccCurves' -ErrorAction SilentlyContinue
+```
diff --git a/src/BenchmarksApps/TLS/set-fips-compliant-tls-config.ps1 b/src/BenchmarksApps/TLS/set-fips-compliant-tls-config.ps1
new file mode 100644
index 000000000..7ae752e06
--- /dev/null
+++ b/src/BenchmarksApps/TLS/set-fips-compliant-tls-config.ps1
@@ -0,0 +1,55 @@
+# Run as Administrator
+
+# 1. Disable weak ciphers
+$ciphersToDisable = @(
+ 'RC4 128/128',
+ 'RC4 64/128',
+ 'RC4 56/128',
+ 'RC4 40/128',
+ 'Triple DES 168',
+ 'DES 56/56',
+ 'NULL'
+)
+
+foreach ($cipher in $ciphersToDisable) {
+ $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\$cipher"
+ New-Item $path -Force | Out-Null
+ New-ItemProperty -Path $path -Name 'Enabled' -Value 0 -PropertyType DWORD -Force
+ Write-Host "Disabled cipher: $cipher"
+}
+
+# 2. Set cipher suite priority order (TLS 1.2/1.3)
+$cipherSuites = @(
+ 'TLS_AES_256_GCM_SHA384', # TLS 1.3
+ 'TLS_AES_128_GCM_SHA256', # TLS 1.3
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', # TLS 1.2
+ 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
+ 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
+ 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384',
+ 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256',
+ 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384',
+ 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256'
+) -join ','
+
+Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' `
+ -Name 'Functions' -Value $cipherSuites -Type String
+
+Write-Host "set priority cipher suites"
+
+# Set ECC curve order: P-384, P-256, P-521
+New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' `
+ -Name 'EccCurves' `
+ -Value @('NistP384', 'NistP256', 'NistP521') `
+ -PropertyType MultiString `
+ -Force
+
+# 3. Set ECC curve priority (P-384 > P-256 > P-521)
+$curvePath = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
+$curveOrder = 'NistP384','NistP256','NistP521'
+Set-ItemProperty -Path $curvePath -Name 'EccCurves' -Value $curveOrder -Type MultiString
+
+Write-Host "Set ECC curve priority order: $($curveOrder -join ', ')"
+
+# 4. Restart required
+Write-Host "Reboot required for changes to take effect" -ForegroundColor Yellow
\ No newline at end of file
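Review bot: `Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -Name 'Functions' ...` (and the step-3 `Set-ItemProperty` on the same key via `$curvePath`) fails with "Cannot find path" on a machine where that policy key does not already exist, because Set-ItemProperty does not create keys; the step-1 loop already does `New-Item $path -Force | Out-Null` before writing, and the same `New-Item $curvePath -Force | Out-Null` should precede the Functions write. Nothing stops the script on such a failure or on an unelevated run — there is no `$ErrorActionPreference = 'Stop'` and the `# Run as Administrator` comment is not backed by `#Requires -RunAsAdministrator` — so a red error scrolls by and the script still ends with "Reboot required", which makes a partially applied configuration look complete. EccCurves is also written to two different keys (the SCHANNEL `...\Local\SSL\00010002` key via New-ItemProperty and the policy key via Set-ItemProperty) under one "step", so a comment stating which of the two the target OS is expected to honour would help whoever later verifies the machine with the README's Get-ItemProperty snippets.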
From da8516d36f6450fdf9480aa108767b77745cec5f Mon Sep 17 00:00:00 2001
From: Dmitrii Korolev
Date: Thu, 16 Oct 2025 14:11:55 +0200
Subject: [PATCH 2/6] correct setup for EC
---
 src/BenchmarksApps/TLS/README.md | 7 +++++++
 src/BenchmarksApps/TLS/set-fips-compliant-tls-config.ps1 | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/BenchmarksApps/TLS/README.md b/src/BenchmarksApps/TLS/README.md
index ff9177301..9ed0814e8 100644
--- a/src/BenchmarksApps/TLS/README.md
+++ b/src/BenchmarksApps/TLS/README.md
@@ -19,6 +19,13 @@ In output you nee to find SSL connection:
 * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp521r1 / RSASSA-PSS
 ```
 
+### Machine setup
+You could use [set-fips-compliant-tls-config](./set-fips-compliant-tls-config.ps1) to configure machine. It may not work (registry on windows does not apply always).
+
+You can set TLS CipherSuite and ECC Curve order in Windows UI:
+- Local Group Policy Editor -> Computer Configuration > Administrative Templates > Network > SSL Configuration
+- Values can be taken from https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-elliptic-curves-in-windows-10-1607-and-later
+
 ### Verify machine setup
 
 #### Windows
diff --git a/src/BenchmarksApps/TLS/set-fips-compliant-tls-config.ps1 b/src/BenchmarksApps/TLS/set-fips-compliant-tls-config.ps1
index 7ae752e06..c20f6c877 100644
--- a/src/BenchmarksApps/TLS/set-fips-compliant-tls-config.ps1
+++ b/src/BenchmarksApps/TLS/set-fips-compliant-tls-config.ps1
@@ -40,7 +40,7 @@ Write-Host "set priority cipher suites"
 # Set ECC curve order: P-384, P-256, P-521
 New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002' `
 -Name 'EccCurves' `
- -Value @('NistP384', 'NistP256', 'NistP521') `
+ -Value @('NistP384')` # -Value @('NistP384', 'NistP256', 'NistP521') ` to set more ECs
 -PropertyType MultiString `
 -Force
 
From 9ad6d4107539eeaf4ec66c344831e0d5807fb340 Mon Sep 17 00:00:00 2001
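Review bot: The comment appended to the changed `-Value @('NistP384')` line breaks the statement: a backtick continues a line only when it is the last character on it, and here it is followed by `# -Value @(...) to set more ECs`, so the `New-ItemProperty` call ends there and `-PropertyType MultiString` / `-Force` on the next lines are parsed as a separate command. The value is therefore written with an inferred type and without `-Force`, and the stray command errors — which is a plausible cause of the "may not work" remark added to the README in this same commit. Put the alternative on its own comment line above the parameter, `# -Value @('NistP384', 'NistP256', 'NistP521') to set more ECs`, and keep the backtick as the final character of the `-Value @('NistP384')` line. Step 3 below this hunk (outside it) still writes all three curves to the policy key, so after this change the two EccCurves values disagree; if only P-384 is intended, `$curveOrder` should be trimmed to match.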
From: Dmitrii Korolev
Date: Thu, 16 Oct 2025 16:19:00 +0200
Subject: [PATCH 3/6] more data
---
 src/BenchmarksApps/TLS/Kestrel/Program.cs | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/BenchmarksApps/TLS/Kestrel/Program.cs b/src/BenchmarksApps/TLS/Kestrel/Program.cs
index dcaebfca2..26309dea3 100644
--- a/src/BenchmarksApps/TLS/Kestrel/Program.cs
+++ b/src/BenchmarksApps/TLS/Kestrel/Program.cs
@@ -173,11 +173,15 @@ bool AllowAnyCertificateValidationWithLogging(X509Certificate2 certificate, X509
 {
 logged = true;
 
- var tlsHandshakeFeature = context.Features.GetRequiredFeature();
+ var tlsFeature = context.Features.GetRequiredFeature();
 
 Console.WriteLine("Request details:");
 Console.WriteLine("-----");
- Console.WriteLine("TLS: " + tlsHandshakeFeature.Protocol);
+ Console.WriteLine($"Protocol: {tlsFeature.Protocol}");
+ Console.WriteLine($"CipherSuite: {tlsFeature.NegotiatedCipherSuite}");
+ Console.WriteLine($"CipherAlgorithm: {tlsFeature.CipherAlgorithm}");
+ Console.WriteLine($"KeyExchangeAlgorithm: {tlsFeature.KeyExchangeAlgorithm}");
+ Console.WriteLine("TLS: " + tlsFeature.Protocol);
 Console.WriteLine("-----");
 }
 
@@ -218,7 +222,7 @@ bool AllowAnyCertificateValidationWithLogging(X509Certificate2 certificate, X509
 }
 
 app.MapGet("/hello-world", () =>
-{
+{
 return Results.Ok("Hello World!");
 });
 
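Review bot: `Console.WriteLine("TLS: " + tlsFeature.Protocol);`, kept after the new `$"Protocol: {tlsFeature.Protocol}"` line, prints the same value twice per logged request; drop the old line so each handshake attribute appears once. The type argument of `context.Features.GetRequiredFeature()` is absent in this rendering of the hunk, which looks like an extraction artifact rather than a change — worth confirming the generic argument is still present in the file, since the call does not compile without one. The enclosing block (the `logged` guard and its method) starts and ends outside this hunk.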
@@ -246,6 +250,16 @@ bool AllowAnyCertificateValidationWithLogging(X509Certificate2 certificate, X509
 {
 Console.WriteLine($"\tenabled logging stats to console");
 }
+
+if (!(OperatingSystem.IsLinux() || OperatingSystem.IsMacOS()))
+{
+#pragma warning disable CA1416 // Validate platform compatibility
+ Console.WriteLine($"OpenSSL: {System.Security.Cryptography.SafeEvpPKeyHandle.OpenSslVersion}");
+#pragma warning restore CA1416 // Validate platform compatibility
+}
+
+Console.WriteLine($"OPENSSL_CONF: {Environment.GetEnvironmentVariable("OPENSSL_CONF")}");
+Console.WriteLine($"LD_LIBRARY_PATH: {Environment.GetEnvironmentVariable("LD_LIBRARY_PATH")}");
 
 Console.WriteLine($"\tlistening endpoints: {listeningEndpoints}");
 Console.WriteLine("--------------------------------");
From f0bc481fe425df44fafb5fe3e283fc8b5a039b51 Mon Sep 17 00:00:00 2001
From: Korolev Dmitry
Date: Mon, 20 Oct 2025 17:01:52 +0200
Subject: [PATCH 4/6] setup
---
 src/BenchmarksApps/TLS/README.md | 22 ++++
 src/BenchmarksApps/TLS/crank/agent/Dockerfile | 118 ++++++++++++++++++
 .../TLS/crank/agent/Dockerfile.AzureLinux3 | 107 ++++++++++++++++
 src/BenchmarksApps/TLS/crank/agent/README.md | 11 ++
 src/BenchmarksApps/TLS/crank/agent/build.sh | 39 ++++++
 src/BenchmarksApps/TLS/crank/agent/run.sh | 52 ++++++++
 src/BenchmarksApps/TLS/crank/agent/stop.sh | 12 ++
 7 files changed, 361 insertions(+)
 create mode 100644 src/BenchmarksApps/TLS/crank/agent/Dockerfile
 create mode 100644 src/BenchmarksApps/TLS/crank/agent/Dockerfile.AzureLinux3
 create mode 100644 src/BenchmarksApps/TLS/crank/agent/README.md
 create mode 100644 src/BenchmarksApps/TLS/crank/agent/build.sh
 create mode 100644 src/BenchmarksApps/TLS/crank/agent/run.sh
 create mode 100644 src/BenchmarksApps/TLS/crank/agent/stop.sh
diff --git a/src/BenchmarksApps/TLS/README.md b/src/BenchmarksApps/TLS/README.md
index 9ed0814e8..0997cdec2 100644
--- a/src/BenchmarksApps/TLS/README.md
+++ b/src/BenchmarksApps/TLS/README.md
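Review bot: The guard `if (!(OperatingSystem.IsLinux() || OperatingSystem.IsMacOS()))` is inverted: it runs the `SafeEvpPKeyHandle.OpenSslVersion` query only on platforms that are neither Linux nor macOS — in practice Windows, where that member is not supported and would throw at startup (the suppressed CA1416 is the analyzer pointing at exactly this) — and skips it on Linux, the platform the Dockerfiles in this series configure OpenSSL for. `if (OperatingSystem.IsLinux())` prints the version where OpenSSL is actually in use and keeps the Windows path exception-free; with that guard the analyzer can infer the platform, so the `#pragma` pair may no longer be needed. Cosmetically, the new `OpenSSL:`, `OPENSSL_CONF:` and `LD_LIBRARY_PATH:` lines lack the `\t` prefix the neighbouring startup output uses.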
@@ -1,5 +1,9 @@
 # Useful stuff to test TLS behavior
 
+### Docker images
+Crank agent comes with its own dockerfile, and its own dependencies. Here we are interested in some low-level setups of TLS parameters on OS level as well.
+For that reason in [crank/agent](./crank/agent/) you can find a replica of dockerfiles from [crank](https://github.com/dotnet/crank/tree/main/docker/agent).
+
 ### Analysis of TLS parameters on request
 To lookup TLS behavior you can install npcap/wireshark on win machine,
 and collect a network dump (note: using a custom port requires to use `Analyze->DecodeAs` and set TCP / TLS port on dump data). There in `Client Hello` or `Server Hello` TLS parameters can be found.
@@ -19,6 +23,24 @@ In output you nee to find SSL connection:
 * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / secp521r1 / RSASSA-PSS
 ```
 
+### Network dump collection and analysis
+Most probably benchmarks are run via CI setup, and client will send it's own request (as set). So you want to collect the network dump on the server to ensure request/response has correct TLS parameters.
+
+In order to collect network dump (via `tcpdump`) use this command. Change the port accordingly.
+```bash
+sudo tcpdump -i any -w capture.pcap port 5000
+```
+
+then you can analyze it via `tshark`
+```bash
+tshark -r capture.pcap -Y "tls.handshake.type == 2" -d tcp.port==5000,tls -c 300 -V
+```
+Arguments:
+- `-Y "tls.handshake.type == 2"` filters only `Server Hello` packets.
+- `-d tcp.port==5000,tls` changes the port for tcp/tls if client/server does not communicate via standard ports.
+- `-c 300` looks into only first 300 packets. Otherwise too hard to see in a single cmd window
+- `-V` gives verbose infomation about packet (you can see EC, CipherSuite used etc)
+
 ### Machine setup
 You could use [set-fips-compliant-tls-config](./set-fips-compliant-tls-config.ps1) to configure machine. It may not work (registry on windows does not apply always).
 
diff --git a/src/BenchmarksApps/TLS/crank/agent/Dockerfile b/src/BenchmarksApps/TLS/crank/agent/Dockerfile
new file mode 100644
index 000000000..c905b4f46
--- /dev/null
+++ b/src/BenchmarksApps/TLS/crank/agent/Dockerfile
@@ -0,0 +1,118 @@
+FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build-env
+
+COPY . .
+
+ENV DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1
+ENV DOTNET_CLI_TELEMETRY_OPTOUT=1
+
+# Build self contained
+RUN dotnet publish -c Release src/Microsoft.Crank.Agent --output /app --framework net8.0
+
+# Build runtime image
+# FROM mcr.microsoft.com/dotnet/aspnet:8.0
+# Use SDK image as it is required for the dotnet tools
+FROM mcr.microsoft.com/dotnet/sdk:8.0
+
+ARG CPUNAME=x86_64
+ARG ENABLE_FIPS_MODE=false
+ARG OPENSSL_CIPHER_STRING=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+ARG OPENSSL_GROUPS=P-384:P-256:P-521
+
+# Install dotnet-symbols
+RUN dotnet tool install -g dotnet-symbol
+ENV PATH="${PATH}:/root/.dotnet/tools"
+
+# Install dependencies
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ git \
+ procps \
+ cgroup-tools \
+ curl \
+ wget \
+ nano \
+ # dotnet performance repo microbenchmark dependencies
+ libgdiplus \
+ # libmsquic requirements
+ gnupg2 \
+ software-properties-common \
+ # NativeAOT requirements
+ clang \
+ zlib1g-dev \
+ libkrb5-dev \
+ # .NET 9.0 requirement
+ libc6
+
+# Install HTTP/3 support
+RUN curl -LO https://packages.microsoft.com/keys/microsoft.asc && \
+ echo 2fa9c05d591a1582a9aba276272478c262e95ad00acf60eaee1644d93941e3c6 microsoft.asc| sha256sum --check - && \
+ apt-key add microsoft.asc && \
+ rm microsoft.asc && \
+ echo deb https://packages.microsoft.com/debian/12/prod bookworm main >> /etc/apt/sources.list.d/microsoft.list && \
+ apt-get update && \
+ apt-get install -y libmsquic && \
+ rm -rf /var/lib/apt/lists/*
+
+# Build and install h2load. Required as there isn't a way to distribute h2load as a single file to download
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ g++ make binutils autoconf automake autotools-dev libtool pkg-config \
+ zlib1g-dev libcunit1-dev libxml2-dev libev-dev libevent-dev libjansson-dev \
+ libc-ares-dev libjemalloc-dev libsystemd-dev \
+ python-is-python3 python3-dev python3-setuptools
+
+ENV DEBIAN_FRONTEND=noninteractive
+# Add the Debian sid repository
+RUN echo 'deb http://deb.debian.org/debian sid main' >> /etc/apt/sources.list \
+ && echo 'deb http://deb.debian.org/debian-debug sid-debug main' >> /etc/apt/sources.list
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+ openssl libssl-dev openssl-dbgsym libssl3t64-dbgsym \
+ && openssl version
+
+# Configure OpenSSL for FIPS-compliant cipher suites if $ENABLE_FIPS_MODE
+RUN if [ "$ENABLE_FIPS_MODE" = "true" ]; then \
+ echo "=== FIPS MODE ENABLED - Configuring OpenSSL ===" && \
+ cat /etc/ssl/openssl.cnf && \
+ echo "" >> /etc/ssl/openssl.cnf && \
+ echo "openssl_conf = openssl_init" >> /etc/ssl/openssl.cnf && \
+ echo "[openssl_init]" >> /etc/ssl/openssl.cnf && \
+ echo "ssl_conf = ssl_sect" >> /etc/ssl/openssl.cnf && \
+ echo "[ssl_sect]" >> /etc/ssl/openssl.cnf && \
+ echo "system_default = system_default_sect" >> /etc/ssl/openssl.cnf && \
+ echo "[system_default_sect]" >> /etc/ssl/openssl.cnf && \
+ echo "CipherString = $OPENSSL_CIPHER_STRING" >> /etc/ssl/openssl.cnf && \
+ echo "Groups = $OPENSSL_GROUPS" >> /etc/ssl/openssl.cnf && \
+ echo "=== FIPS Configuration Applied ===" && \
+ tail -15 /etc/ssl/openssl.cnf; \
+ else \
+ echo "=== FIPS MODE DISABLED ==="; \
+ fi
+
+# If nghttp2 build fail just ignore it
+ENV NGHTTP2_VERSION=1.58.0
+RUN cd /tmp \
+ && curl -L "https://github.com/nghttp2/nghttp2/releases/download/v${NGHTTP2_VERSION}/nghttp2-${NGHTTP2_VERSION}.tar.gz" -o "nghttp2-${NGHTTP2_VERSION}.tar.gz" \
+ && tar -zxvf "nghttp2-${NGHTTP2_VERSION}.tar.gz" \
+ && cd /tmp/nghttp2-$NGHTTP2_VERSION \
+ && ./configure \
+ && make \
+ && make install || true
+
+# Install docker client
+ENV DOCKER_VERSION=17.09.0-ce
+RUN cd /tmp \
+ && curl "https://download.docker.com/linux/static/stable/${CPUNAME}/docker-${DOCKER_VERSION}.tgz" -o docker.tgz \
+ && tar xvzf docker.tgz \
+ && cp docker/docker /usr/bin \
+ && rm -rf docker.tgz docker
+
+# Install perfcollect
+ADD https://raw.githubusercontent.com/microsoft/perfview/main/src/perfcollect/perfcollect /usr/bin/perfcollect
+RUN chmod +x /usr/bin/perfcollect
+RUN /usr/bin/perfcollect install
+
+COPY --from=build-env /app /app
+
+ENTRYPOINT [ "/app/crank-agent" ]
diff --git a/src/BenchmarksApps/TLS/crank/agent/Dockerfile.AzureLinux3 b/src/BenchmarksApps/TLS/crank/agent/Dockerfile.AzureLinux3
new file mode 100644
index 000000000..30ca453f6
--- /dev/null
+++ b/src/BenchmarksApps/TLS/crank/agent/Dockerfile.AzureLinux3
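Review bot: `ARG ENABLE_FIPS_MODE` and the `=== FIPS MODE ENABLED ===` banner promise more than the `RUN if [ "$ENABLE_FIPS_MODE" = "true" ]` block delivers: it only appends a `CipherString` / `Groups` restriction to `/etc/ssl/openssl.cnf` and never activates OpenSSL's FIPS provider, so a reader of this file (or of the identical block in Dockerfile.AzureLinux3, which has the same issues) may assume validated-module behaviour that is not configured — rename the ARG or state the limitation on the `# Configure OpenSSL ...` comment line, e.g. `# Restricts cipher suites/groups only; does not enable the OpenSSL FIPS provider`. The appended `openssl_conf = openssl_init` also lands after the last section of the stock config instead of in its unnamed default section, so the outcome depends on the base image already carrying that directive and on how OpenSSL merges the duplicated `[openssl_init]` / `[ssl_sect]` / `[system_default_sect]` sections; checking the effective policy with `openssl ciphers -v` inside the built image would be a stronger test than `tail -15`. Separately, `echo 'deb http://deb.debian.org/debian sid main' >> /etc/apt/sources.list` mixes unstable into a bookworm image with no pinning, and the nghttp2 and Docker CLI tarballs are fetched with no integrity check while `microsoft.asc` gets a `sha256sum --check` in the same file; the trailing `|| true` on the nghttp2 chain hides a failed download as well as a failed build, which the `# If nghttp2 build fail just ignore it` comment does not suggest is intended.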
@@ -0,0 +1,107 @@
+FROM mcr.microsoft.com/dotnet/sdk:8.0-azurelinux3.0 AS build-env
+
+COPY . .
+
+ENV DOTNET_SKIP_FIRST_TIME_EXPERIENCE=1
+ENV DOTNET_CLI_TELEMETRY_OPTOUT=1
+
+# Build self contained
+RUN dotnet publish -c Release src/Microsoft.Crank.Agent --output /app --framework net8.0
+
+# Build runtime image
+# FROM mcr.microsoft.com/dotnet/aspnet:8.0
+# Use SDK image as it is required for the dotnet tools
+FROM mcr.microsoft.com/dotnet/sdk:8.0-azurelinux3.0
+
+ARG CPUNAME=x86_64
+ARG ENABLE_FIPS_MODE=false
+ARG OPENSSL_CIPHER_STRING=TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
+ARG OPENSSL_GROUPS=P-384:P-256:P-521
+
+# Install dotnet-symbols
+RUN dotnet tool install -g dotnet-symbol
+ENV PATH="${PATH}:/root/.dotnet/tools"
+
+# Install dependencies
+RUN tdnf update -y \
+ && tdnf install -y \
+ git \
+ procps-ng \
+ curl \
+ wget \
+ libcgroup \
+ libcgroup-tools \
+ # dotnet performance repo microbenchmark dependencies
+ libgdiplus \
+ # libmsquic requirements
+ gnupg2 \
+ # NativeAOT requirements
+ clang \
+ zlib-devel \
+ krb5-devel \
+ # .NET 9.0 requirement
+ glibc
+
+# Install HTTP/3 support
+RUN tdnf install -y libmsquic
+
+# Build and install h2load. Required as there isn't a way to distribute h2load as a single file to download
+RUN tdnf install -y \
+ gcc-c++ make binutils autoconf automake libtool pkg-config \
+ zlib-devel cunit-devel libxml2-devel libev-devel libevent-devel jansson-devel \
+ c-ares-devel jemalloc-devel systemd-devel \
+ python3-devel python3-setuptools
+
+# ENV OPENSSL_VERSION=3.3.3 Version pinning does not work the same way in AL3 as it does in Debian/Ubuntu. Cannot use * in version, so we will use the latest version available in the repository.
+RUN tdnf install -y \
+ openssl openssl-devel \
+ && tdnf clean all
+
+# Configure OpenSSL for FIPS-compliant cipher suites if $ENABLE_FIPS_MODE
+RUN if [ "$ENABLE_FIPS_MODE" = "true" ]; then \
+ echo "=== FIPS MODE ENABLED - Configuring OpenSSL ===" && \
+ cat /etc/ssl/openssl.cnf && \
+ echo "" >> /etc/ssl/openssl.cnf && \
+ echo "openssl_conf = openssl_init" >> /etc/ssl/openssl.cnf && \
+ echo "[openssl_init]" >> /etc/ssl/openssl.cnf && \
+ echo "ssl_conf = ssl_sect" >> /etc/ssl/openssl.cnf && \
+ echo "[ssl_sect]" >> /etc/ssl/openssl.cnf && \
+ echo "system_default = system_default_sect" >> /etc/ssl/openssl.cnf && \
+ echo "[system_default_sect]" >> /etc/ssl/openssl.cnf && \
+ echo "CipherString = $OPENSSL_CIPHER_STRING" >> /etc/ssl/openssl.cnf && \
+ echo "Groups = $OPENSSL_GROUPS" >> /etc/ssl/openssl.cnf && \
+ echo "=== FIPS Configuration Applied ===" && \
+ tail -15 /etc/ssl/openssl.cnf; \
+ else \
+ echo "=== FIPS MODE DISABLED ==="; \
+ fi
+
+# If nghttp2 build fail just ignore it
+ENV NGHTTP2_VERSION=1.58.0
+RUN tdnf install -y \
+ glibc-devel gawk kernel-headers
+
+RUN cd /tmp \
+ && curl -L "https://github.com/nghttp2/nghttp2/releases/download/v${NGHTTP2_VERSION}/nghttp2-${NGHTTP2_VERSION}.tar.gz" -o "nghttp2-${NGHTTP2_VERSION}.tar.gz" \
+ && tar -zxvf "nghttp2-${NGHTTP2_VERSION}.tar.gz" \
+ && cd /tmp/nghttp2-$NGHTTP2_VERSION \
+ && ./configure \
+ && make \
+ && make install || true
+
+# Install docker client
+ENV DOCKER_VERSION=17.09.0-ce
+RUN cd /tmp \
+ && curl "https://download.docker.com/linux/static/stable/${CPUNAME}/docker-${DOCKER_VERSION}.tgz" -o docker.tgz \
+ && tar xvzf docker.tgz \
+ && cp docker/docker /usr/bin \
+ && rm -rf docker.tgz docker
+
+# Install perfcollect
+ADD https://raw.githubusercontent.com/microsoft/perfview/main/src/perfcollect/perfcollect /usr/bin/perfcollect
+RUN chmod +x /usr/bin/perfcollect
+RUN /usr/bin/perfcollect install
+
+COPY --from=build-env /app /app
+
+ENTRYPOINT [ "/app/crank-agent" ]
diff --git a/src/BenchmarksApps/TLS/crank/agent/README.md b/src/BenchmarksApps/TLS/crank/agent/README.md
new file mode 100644
index 000000000..8159f4414
--- /dev/null
+++ b/src/BenchmarksApps/TLS/crank/agent/README.md
@@ -0,0 +1,11 @@
+# Crank Agent image for TLS tests
+
+...
+
+### Crontab configuration
+
+To lookup crontab configured:
+```
+sudo crontab -l
+```
+
diff --git a/src/BenchmarksApps/TLS/crank/agent/build.sh b/src/BenchmarksApps/TLS/crank/agent/build.sh
new file mode 100644
index 000000000..cf279b36c
--- /dev/null
+++ b/src/BenchmarksApps/TLS/crank/agent/build.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+cpuname=$(uname -p)
+dockerfile="Dockerfile"
+enable_fips="false"
+cipher_string="TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
+groups="P-384:P-256:P-521"
+
+while [ $# -ne 0 ]
+do
+ case "$1" in
+ --dockerfile)
+ shift
+ dockerfile="$1"
+ shift
+ ;;
+ --enable-fips)
+ enable_fips="true"
+ shift
+ ;;
+ --cipher-string)
+ shift
+ cipher_string="$1"
+ shift
+ ;;
+ --groups)
+ shift
+ groups="$1"
+ shift
+ ;;
+ *)
+ echo "Unknown option: $1"
+ echo "Usage: $0 [--dockerfile ] [--enable-fips] [--cipher-string ] [--groups ]"
+ exit 1
+ ;;
+ esac
+done
+
+docker build -t crank-agent --build-arg CPUNAME=$cpuname --build-arg ENABLE_FIPS_MODE=$enable_fips --build-arg OPENSSL_CIPHER_STRING="$cipher_string" --build-arg OPENSSL_GROUPS="$groups" -f "$dockerfile" ../../
\ No newline at end of file
diff --git a/src/BenchmarksApps/TLS/crank/agent/run.sh b/src/BenchmarksApps/TLS/crank/agent/run.sh
new file mode 100644
index 000000000..4acd2bdab
--- /dev/null
+++ b/src/BenchmarksApps/TLS/crank/agent/run.sh
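Review bot: `cpuname=$(uname -p)` feeds `CPUNAME`, which both Dockerfiles interpolate into the Docker CLI download URL (`.../linux/static/stable/${CPUNAME}/docker-...tgz`); on some distributions `uname -p` prints `unknown`, so the build fails at that download there, whereas `uname -m` yields the `x86_64` / `aarch64` form that URL path expects — `cpuname=$(uname -m)` is the safer default. The `docker build` line also passes `--build-arg CPUNAME=$cpuname --build-arg ENABLE_FIPS_MODE=$enable_fips` unquoted while quoting the two other build args; quoting them (`"$cpuname"`, `"$enable_fips"`) keeps the style consistent. The usage string in the `*)` arm appears to have lost its angle-bracket placeholders (`[--dockerfile ]`) in this rendering, which is worth confirming against the file. A `set -euo pipefail` after the shebang would make a failed `docker build` the script's exit status instead of 0.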
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+url="http://*:5001"
+name="crank-agent"
+others=""
+dockerargs=""
+
+while [ $# -ne 0 ]
+do
+ case "$1" in
+ --url)
+ shift
+ url="$1"
+ shift
+ ;;
+ --name)
+ shift
+ name="$1"
+ shift
+ ;;
+ *)
+ others+=" $1"
+ shift
+ ;;
+ esac
+done
+
+if [ -n "$CRANK_AGENT_AZURE_RELAY_CERT_CLIENT_ID" ]
+then
+ dockerargs+=" --env CRANK_AGENT_AZURE_RELAY_CERT_CLIENT_ID"
+fi
+
+if [ -n "$CRANK_AGENT_AZURE_RELAY_CERT_TENANT_ID" ]
+then
+ dockerargs+=" --env CRANK_AGENT_AZURE_RELAY_CERT_TENANT_ID"
+fi
+
+if [ -n "$CRANK_AGENT_AZURE_RELAY_CERT_PATH" ]
+then
+ dockerargs+=" -v $CRANK_AGENT_AZURE_RELAY_CERT_PATH:/certs/relay.pfx --env CRANK_AGENT_AZURE_RELAY_CERT_PATH=/certs/relay.pfx"
+fi
+
+# cgroupfs is mapped to allow docker to create cgroups without permissions issues (cgroup v2)
+# set cgroupns to host to allow the container to share the host's cgroup namespace (matches v1 and v2 namespace modes: https://docs.docker.com/engine/containers/runmetrics/#running-docker-on-cgroup-v2)
+# docker.sock is mapped to be able to manage other docker instances from this one
+docker run -it --name $name -d --network host --restart always \
+ --log-opt max-size=1G --privileged \
+ --cgroupns=host \
+ -v /sys/fs/cgroup/:/sys/fs/cgroup/ \
+ -v /var/run/docker.sock:/var/run/docker.sock $dockerargs \
+ crank-agent \
+ --url $url $others
diff --git a/src/BenchmarksApps/TLS/crank/agent/stop.sh b/src/BenchmarksApps/TLS/crank/agent/stop.sh
new file mode 100644
index 000000000..163d7451a
--- /dev/null
+++ b/src/BenchmarksApps/TLS/crank/agent/stop.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+NAME="$1"
+shift
+
+if [ -z "$NAME" ]
+then
+ NAME="crank-agent"
+fi
+
+docker stop "$NAME"
+docker rm "$NAME"
From 60fa1dc5bd37e0db0ecc18dc3cfdaeeb7f6af518 Mon Sep 17 00:00:00 2001
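Review bot: The final `docker run ... $dockerargs ... --url $url $others` relies on word-splitting of string-built argument lists, so `$name`, `$url` (whose default `http://*:5001` contains a glob character and is expanded unquoted) and above all `-v $CRANK_AGENT_AZURE_RELAY_CERT_PATH:/certs/relay.pfx` are split on whitespace and subject to glob expansion — a certificate path containing a space yields a wrong `-v` mapping. Bash arrays carry each argument intact; the rewrite below switches `others` and `dockerargs` to arrays and quotes the scalars, leaving the option loop's structure and the three explanatory comments unchanged. The script appears to mirror crank's own run.sh, so the same change may be wanted upstream rather than only in this replica.
```shell
others=()
dockerargs=()

# … unchanged: while/case option loop, except the default arm becomes …
 *)
 others+=("$1")
 shift
 ;;

# … unchanged: the two --env additions become dockerargs+=(--env CRANK_AGENT_AZURE_RELAY_CERT_CLIENT_ID) / dockerargs+=(--env CRANK_AGENT_AZURE_RELAY_CERT_TENANT_ID) …

if [ -n "$CRANK_AGENT_AZURE_RELAY_CERT_PATH" ]
then
 dockerargs+=(-v "$CRANK_AGENT_AZURE_RELAY_CERT_PATH:/certs/relay.pfx" --env CRANK_AGENT_AZURE_RELAY_CERT_PATH=/certs/relay.pfx)
fi

# … unchanged: cgroup / docker.sock comments …
docker run -it --name "$name" -d --network host --restart always \
 --log-opt max-size=1G --privileged \
 --cgroupns=host \
 -v /sys/fs/cgroup/:/sys/fs/cgroup/ \
 -v /var/run/docker.sock:/var/run/docker.sock "${dockerargs[@]}" \
 crank-agent \
 --url "$url" "${others[@]}"
```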
From: Korolev Dmitry
Date: Mon, 20 Oct 2025 18:33:13 +0200
Subject: [PATCH 5/6] docs on crontab usage
---
 src/BenchmarksApps/TLS/crank/agent/README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/BenchmarksApps/TLS/crank/agent/README.md b/src/BenchmarksApps/TLS/crank/agent/README.md
index 8159f4414..b43a5fb1a 100644
--- a/src/BenchmarksApps/TLS/crank/agent/README.md
+++ b/src/BenchmarksApps/TLS/crank/agent/README.md
@@ -4,8 +4,21 @@
 
 ### Crontab configuration
 
+Machines are configured to perform a git pull, get latest changes, rebuild crank and restart it once in a while. On linux machines it is happening via `cron`.
+In order to be able to use Dockerfile from this folder (`/crank/agent`), one should change the crontab.
+
 To lookup crontab configured:
 ```
 sudo crontab -l
 ```
 
+You can use crontab like this:
+```
+0 0 * * * cd /home/dotnetperfuser/src/crank/docker/agent; ./stop.sh; docker rm -f $(docker ps -a -q --filter "label=benchmarks"); docker system prune --all --force --volumes; git checkout -f main; git reset --hard; git pull; cd /home/dotnetperfuser/src/Benchmarks; git checkout -f main; git reset --hard; git pull; cp -rf /home/dotnetperfuser/src/Benchmarks/src/BenchmarksApps/TLS/crank/agent/* /home/dotnetperfuser/src/crank/docker/agent/; cd /home/dotnetperfuser/src/crank/docker/agent; ./build.sh ; ./run.sh
+```
+
+Cron tab does the following:
+1) fetches the latest dotnet/crank
+2) fetches latest aspnetcore/Benchmarks
+3) copies dockerfile from aspnetcore/Benchmarks into dotnet/crank
+4) builds and runs the crank agent using custom Dockerfile
\ No newline at end of file
From 42c5aa577d4f2eb89f726693cffc7b53d2f790ab Mon Sep 17 00:00:00 2001
From: Korolev Dmitry
Date: Mon, 20 Oct 2025 18:50:57 +0200
Subject: [PATCH 6/6] update for azurelinux3
---
 .../TLS/crank/agent/Dockerfile.AzureLinux3 | 22 +++++++++++-----------
 src/BenchmarksApps/TLS/crank/agent/README.md | 3 ++-
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/src/BenchmarksApps/TLS/crank/agent/Dockerfile.AzureLinux3 b/src/BenchmarksApps/TLS/crank/agent/Dockerfile.AzureLinux3
index 30ca453f6..5d1748209 100644
--- a/src/BenchmarksApps/TLS/crank/agent/Dockerfile.AzureLinux3
+++ b/src/BenchmarksApps/TLS/crank/agent/Dockerfile.AzureLinux3
@@ -60,18 +60,18 @@ RUN tdnf install -y \
 # Configure OpenSSL for FIPS-compliant cipher suites if $ENABLE_FIPS_MODE
 RUN if [ "$ENABLE_FIPS_MODE" = "true" ]; then \
 echo "=== FIPS MODE ENABLED - Configuring OpenSSL ===" && \
- cat /etc/ssl/openssl.cnf && \
- echo "" >> /etc/ssl/openssl.cnf && \
- echo "openssl_conf = openssl_init" >> /etc/ssl/openssl.cnf && \
- echo "[openssl_init]" >> /etc/ssl/openssl.cnf && \
- echo "ssl_conf = ssl_sect" >> /etc/ssl/openssl.cnf && \
- echo "[ssl_sect]" >> /etc/ssl/openssl.cnf && \
- echo "system_default = system_default_sect" >> /etc/ssl/openssl.cnf && \
- echo "[system_default_sect]" >> /etc/ssl/openssl.cnf && \
- echo "CipherString = $OPENSSL_CIPHER_STRING" >> /etc/ssl/openssl.cnf && \
- echo "Groups = $OPENSSL_GROUPS" >> /etc/ssl/openssl.cnf && \
+ cat /etc/pki/tls/openssl.cnf && \
+ echo "" >> /etc/pki/tls/openssl.cnf && \
+ echo "openssl_conf = openssl_init" >> /etc/pki/tls/openssl.cnf && \
+ echo "[openssl_init]" >> /etc/pki/tls/openssl.cnf && \
+ echo "ssl_conf = ssl_sect" >> /etc/pki/tls/openssl.cnf && \
+ echo "[ssl_sect]" >> /etc/pki/tls/openssl.cnf && \
+ echo "system_default = system_default_sect" >> /etc/pki/tls/openssl.cnf && \
+ echo "[system_default_sect]" >> /etc/pki/tls/openssl.cnf && \
+ echo "CipherString = $OPENSSL_CIPHER_STRING" >> /etc/pki/tls/openssl.cnf && \
+ echo "Groups = $OPENSSL_GROUPS" >> /etc/pki/tls/openssl.cnf && \
 echo "=== FIPS Configuration Applied ===" && \
- tail -15 /etc/ssl/openssl.cnf; \
+ tail -15 /etc/pki/tls/openssl.cnf; \
 else \
 echo "=== FIPS MODE DISABLED ==="; \
 fi
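Review bot: The eleven `/etc/pki/tls/openssl.cnf` occurrences hard-code a path that OpenSSL can report itself, so the Debian and Azure Linux variants of this `RUN if [ "$ENABLE_FIPS_MODE" = "true" ]` block now differ only in that string and will drift again on the next base-image change. Deriving it once at the top of the block, `cnf="$(openssl version -d | sed 's/^OPENSSLDIR: "\(.*\)"$/\1/')/openssl.cnf" && \`, and appending to `"$cnf"` thereafter would let both Dockerfiles share one identical block (`openssl version -d` prints the OPENSSLDIR line from which the default config is read). The `RUN` keyword and the `# Configure OpenSSL ...` comment are the first lines of the hunk, so the whole block is visible here.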
diff --git a/src/BenchmarksApps/TLS/crank/agent/README.md b/src/BenchmarksApps/TLS/crank/agent/README.md
index b43a5fb1a..85ef17718 100644
--- a/src/BenchmarksApps/TLS/crank/agent/README.md
+++ b/src/BenchmarksApps/TLS/crank/agent/README.md
@@ -21,4 +21,5 @@ Cron tab does the following:
 1) fetches the latest dotnet/crank
 2) fetches latest aspnetcore/Benchmarks
 3) copies dockerfile from aspnetcore/Benchmarks into dotnet/crank
-4) builds and runs the crank agent using custom Dockerfile
\ No newline at end of file
+4) builds and runs the crank agent using custom Dockerfile
+