Forem: Justin Patriquin

Releasing Rust Binaries with GitHub Actions - Part 2

Justin Patriquin — Mon, 21 Nov 2022 14:50:36 +0000

In this part I'm going to go over how I ended up releasing binaries for MacOS and Windows MSVC.

Cross Compilation

Ideally, we could use the cross compilation to build all of the binaries on the same runner type in GitHub Actions. This allows you to build binaries on one platform (e.g. Linux x86_64) that can then run on other platforms. Being able to do this would make our GitHub Action easier to write and maintain. But, there was issue I ran into that prevented cross compilation with Nitrogen from being able to build for different platforms.

The AWS Rust library we were using as a dependency depended on a cryptography library called ring. This library leverages C and assembly code to implement its cryptographic primitives. Unfortunately, cross compiling when C is involved can add complexity to the build process. While it might've been possible to overcome these issues I decided that it wasn't worth digging into more.

Implementation

Fortunately, the GitHub Action implementation I ended up going with wasn't that complicated. I just had to use separate runners. One for MacOS Arm and one for Windows MSVC. Here are the steps I had to do for each release type.

Build the binary

For Windows it was as simple as running a release build:

$ cargo build --release

The MacOS Arm build is just slightly more complex because the GitHub Actions runner isn't running on Arm architecture so we have to add the separate toolchain and target.

$ rustup toolchain install stable-aarch64-apple-darwin
$ rustup target add aarch64-apple-darwin
$ cargo build --release --target aarch64-apple-darwin

Compress the binary

We use tar to compress the binaries:

$ tar --directory=target/release -cf archive.tar.gz nitrogen.exe

The MacOS tar command differs slightly because of the cross compilation required to build for Arm.

$ tar --directory=target/aarch64-apple-darwin/release -cf archive.tar.gz nitrogen

Upload the artifact

Since the release is already created we need to query the release ID and then upload the archived binary to the release using the GitHub API.

The Windows and MacOS version of these differs slightly because Windows has to run in the PowerShell where MacOS would be using bash. You can select the bash shell in the Windows runner but I had an issue with this where it couldn't find the gh command line tool.

Windows:

$ $id = gh api -H "Accept: application/vnd.github+json" /repos/capeprivacy/nitrogen/releases/tags/${{ github.ref_name }} --jq .id

Note: cURL command is edited here for brevity see here for the full command

$ curl -X POST --data-binary "@archive.tar.gz" "https://uploads.github.com/repos/capeprivacy/nitrogen/releases/$id/assets?name=nitrogen_${{ github.ref_name }}_x86_64-pc-windows-msvc.tar.gz"

MacOS:

$ id=$(gh api -H "Accept: application/vnd.github+json" /repos/capeprivacy/nitrogen/releases/tags/${{ github.ref_name }} --jq .id)

Note: cURL command is edited here for brevity see here for the full command

$ curl -X POST --data-binary @"archive.tar.gz" "https://uploads.github.com/repos/capeprivacy/nitrogen/releases/$id/assets?name=nitrogen_${{ github.ref_name }}_aarch64-apple-darwin.tar.gz"

Check out the full implementation here.

This was an interesting problem to work on and I learned a lot. Let me know if you have any questions!

Thanks for reading! If Nitrogen sounds cool to you check it out and give it a star here, check out the quick installation guide here and come see what's going on on Discord.

Releasing Rust Binaries with GitHub Actions - Part 1

Justin Patriquin — Wed, 16 Nov 2022 17:38:48 +0000

GitHub Actions is an amazing tool for CI/CD. Having it built in directly with where your code lives is super convenient. Like most CI/CD systems I've used it can sometimes be tough to build stuff on it in a timely manner. For me it can take a bit of experimentation and time to actually get something to work. Once it does work though it's rock solid.

In this two part post I'm going to go over the process I went through to release new Rust binaries for our open-source project Nitrogen.

GitHub Marketplace

GitHub Marketplace has a ton of Actions that can be used right off the shelf and this is where I first go when I'm looking to add a new Action to our CI.

For Nitrogen I wanted to get binaries released as fast as possible and I found a Rust Binary Release action in the marketplace. This action was incredibly easy to use and got us binary releases generated almost immediately. One issue with this action though was that it only supported a limited amount of Rust targets (i.e. OS and CPU architecture triples. See here for more details.). There were two more targets we wanted to support.

MacOS Arm - with the new Mac CPUs people running on top of the ARM architecture is becoming more and more common so supporting this is becoming more important.
Windows MSVC (Powershell) - while using WSL or even something like Git Bash would've worked we wanted to make it possible to use more natively with windows.

In the next post I'm going to go over how to added these new targets to our releases and some issues I ran into along the way.

Thanks for reading! Nitrogen sounds cool to you check it out and give it a star here, check out the quick installation guide here and come see what's going on on Discord.

TLS with Nitrogen

Justin Patriquin — Mon, 07 Nov 2022 14:46:28 +0000

I was recently reminded about the tool mkcert and it inspired me to add a TLS example to the Nitrogen. mkcert makes its incredibly easy to test TLS with your application during local development. Its very important to note that the TLS certificates generated by mkcert should only be used for development and never production applications.

mkcert

Just a quick overview of mkcert. Before doing anything you must install the CA to your local machine:

mkcert -install

Then generating a certificate for localhost is as simple as running:

mkcert localhost

nginx

Adding TLS certificates requires editing a nginx.conf file and putting the file in the proper place for nginx to read.

Example nginx configuration file with TLS enabled:

server {
  listen 443 ssl default_server;

  ssl_certificate /etc/ssl/certs/nitrogen.pem;
  ssl_certificate_key /etc/ssl/private/nitrogen.key;
}

Then in the Dockerfile we would have some entries like:

COPY nginx.conf /etc/nginx/conf.d/nginx.conf
COPY nitrogen.key /etc/ssl/private/nitrogen.key
COPY nitrogen.pem /etc/ssl/certs/nitrogen.pem

Nitrogen Example

Check out the full example here. This is a condensed version.

Note: also useful to checkout the nitrogen README.md first as well

Note: you'll also need an AWS account :D

First you'll need to clone the repo and install nitrogen:

$ git clone https://github.com/capeprivacy/nitrogen
$ curl -fsSL https://raw.githubusercontent.com/capeprivacy/nitrogen/main/install.sh | sh

Then from the root of the repo (cd nitrogen) you can run the following commands and hopefully see some glorious HTML served over TLS:

$ nitrogen setup nitrogen-nginx-tls ~/.ssh/id_rsa.pub

From setup you should see an ec2 hostname which needs to be used in the next command:

$ mkcert -install
$ mkcert -cert-file nitrogen.pem -key-file nitrogen.key <HOSTNAME FROM ABOVE>
$ cp nitrogen.pem nitrogen.key examples/nginx-tls

$ nitrogen build examples/nginx-tls/
$ nitrogen deploy nitrogen-nginx-tls ~/.ssh/id_rsa

Finally you can run curl:

$curl https://<HOSTNAME FROM ABOVE>:5000/

Finally finally, tear down your cloud formation stack so you don't get charged unnecessarily:

$ nitrogen delete nitrogen-nginx-tls

Thanks for reading! We'd love to hear what you think in the comments below. Please star Nitrogen on GitHub, and come chat on Discord.

Do you have any ideas for confidential computing?

Justin Patriquin — Tue, 01 Nov 2022 16:04:37 +0000

Confidential computing allows us to protect data and code while it’s being processed. It’s an important set of technologies, but today it’s difficult to use. We created Nitrogen so you can easily deploy enclaves to AWS Nitro Enclaves to run web services confidentially. Nitrogen easily handles the set up for you and you can quickly be up and running with something you can experiment with.

Checkout out the README!

Do you have any ideas for confidential computing once it becomes easier with tools like Nitrogen?