@solcreek/dew 0.7.54 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +52 -0
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -163,6 +163,57 @@ dew exec --name ci -- ./run-tests.sh
163
163
  dew vm stop --name ci
164
164
  ```
165
165
 
166
+ ### Verify a hardened deployment
167
+
168
+ The guest is a real Linux kernel with a writable cgroup v2 hierarchy, so you
169
+ can check that a production binary behaves under its resource ceilings — on a
170
+ Mac, before shipping. `--cgroup` caps the workload without the manual
171
+ `subtree_control` / `mkdir` / `cgroup.procs` dance:
172
+
173
+ ```bash
174
+ # cross-build a static linux/arm64 binary, then run it under a 256 MiB / 256-pid cap
175
+ GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -o /tmp/x/app ./cmd/app
176
+ dew run --share /tmp/x:rw --cgroup memory=256M,pids=256,cpu=200% -- /x/app
177
+ ```
178
+
179
+ `memory` takes a 1024-based `K`/`M`/`G` suffix; `pids` is an integer; `cpu` is
180
+ a percentage of one core (`200%`) or a bare core count (`2`). The limits land
181
+ on `/sys/fs/cgroup/dew`, and the agent runs inside that cgroup so the cap
182
+ contains the workload and everything it spawns. A process that exceeds the
183
+ memory cap is OOM-killed exactly as it would be under a `systemd`
184
+ `MemoryMax=` — note the agent shares the cap, so a cap small enough to OOM the
185
+ workload can also take the agent down.
186
+
187
+ This makes the cgroup ceilings of a hardened `systemd` unit
188
+ (`MemoryMax` / `TasksMax` / `CPUQuota`) directly testable. The unprivileged
189
+ high-port bind, namespace isolation, and seccomp-capable kernel are all
190
+ exercisable the same way.
191
+
192
+ The `standard` profile additionally bakes a hardening toolbox — `setpriv`
193
+ (with `--reuid`/`--regid`/`--bounding-set`), `prlimit`, `capsh`, and
194
+ `ss`/`ip` — so the `User=` / `DynamicUser=`, `CapabilityBoundingSet=`, and
195
+ `RLimit*` effects of a unit are reproducible by hand:
196
+
197
+ ```bash
198
+ # run as an unprivileged uid with zero capabilities, like DynamicUser= + CapabilityBoundingSet=
199
+ dew run --profile standard --share /tmp/x:rw -- \
200
+ setpriv --reuid 65534 --regid 65534 --clear-groups --bounding-set -all /x/app
201
+ ```
202
+
203
+ Or point dew at the unit itself. `--confine` reads a `.service` file, derives
204
+ the cgroup limits and a `setpriv` privilege drop, and runs the command under
205
+ them:
206
+
207
+ ```bash
208
+ dew run --confine ./gateway.service --share /tmp/x:rw -- /x/app
209
+ ```
210
+
211
+ It's an **approximation**, not a systemd reimplementation: `MemoryMax` /
212
+ `TasksMax` / `CPUQuota`, `User=` / `DynamicUser=`, `CapabilityBoundingSet=`,
213
+ and `NoNewPrivileges=` are applied; directives it can't enforce
214
+ (`SystemCallFilter`, `ProtectSystem`, `RestrictAddressFamilies`, …) are printed
215
+ as warnings so you know what's still only checked under real systemd.
216
+
166
217
  ### Share instantly
167
218
 
168
219
  Temporary public HTTPS URL for any local port. Zero config, zero account.
@@ -302,6 +353,7 @@ Infrastructure:
302
353
 
303
354
  Advanced:
304
355
  dew run [--] <cmd> Execute in ephemeral VM
356
+ dew run --cgroup mem=…,pids=…,cpu=… Cap the workload with cgroup v2
305
357
  dew run --image <ref> Run an OCI image in a microVM
306
358
  dew exec [--name <vm>] <cmd> Execute in a running VM
307
359
  dew vm start/stop [--name] Manage long-lived (named) VMs
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@solcreek/dew",
3
- "version": "0.7.54",
3
+ "version": "0.8.0",
4
4
  "description": "Sandboxed Linux compute, agent-native and human-friendly.",
5
5
  "license": "MIT",
6
6
  "repository": {