merge master into windows-support-poc (#3444)

* Add e2e test for passthrough mirroring and stealing (#3427)

* Added more mirroring tests

* Enable passthrough mirroring in OSS test

* Fix namespace names

* Clippy

* Docs

* HTTP1 is easier

* Now it works

* unwraps -> expects

* Fix lingering agent (#3437)

* Fixed TcpStealerTask exit condition

* Style

* Changelog

* E2E test

* Fix test?

* Move the test to 'cleanup' module

* ??

* Fix test

* 3.152.1 (#3438)

* Fix typo in istio ambient message (#3439)

* Fix typo in istio ambient message

Fix typo in "! mirrord detected an ambient Istio service mesh butthe agent is not configured to run in a privileged SecurityContext.Please set `agent.privileged = true`, otherwise the agent will not be able to start."

* add changelog entry

---------

Co-authored-by: Scott Schulthess <[email protected]>

* Enable passthrough mirroring by default in OSS (#3440)

* Adjustment made

* Changelog

* Fix test

* Fix config doc

* Add mirrord newsletter command and periodic invitations to the newsletter (#3434)

* Count user sessions and suggest newsletter signup after setup

* implement persistent session count store

* mirrord newsletter command

* Change message content

* Add changelog

* Fix lint, nicer run count comparison

* Apply suggestions

* Fix output-dependent e2e test

---------

Co-authored-by: Michał Smolarek <[email protected]>
Co-authored-by: Scott Schulthess <[email protected]>
Co-authored-by: Scott Schulthess <[email protected]>
Co-authored-by: Gemma <[email protected]>

Author: 5 people

CHANGELOG.md

@@ -8,6 +8,21 @@ This project uses [*towncrier*](https://towncrier.readthedocs.io/) and the chang
 
 <!-- towncrier release notes start -->
 
+## [3.152.1](https://github.com/metalbear-co/mirrord/tree/3.152.1) - 2025-07-22
+
+
+### Fixed
+
+- Agent communication port now uses the `SO_REUSEADDR` flag, fixing cases where agent
+  port is reused in a fast consecutive manner and fails.
+- Fixed a bug where mirrord-agents were lingering after all client connections
+  were gone.
+
+
+### Internal
+
+- Added more traffic mirroring tests.
+
 ## [3.152.0](https://github.com/metalbear-co/mirrord/tree/3.152.0) - 2025-07-18
 
 

Cargo.toml

@@ -7,7 +7,7 @@ resolver = "2"
 
 # latest commits on rustls suppress certificate verification
 [workspace.package]
-version = "3.152.0"
+version = "3.152.1"
 edition = "2021"
 license = "MIT"
 readme = "README.md"
@@ -160,6 +160,9 @@ x509-parser = "0.17"
 # Used by `agent`, `auth`, `tls-util`, `tests`
 pem = "3"
 
+# Used by `cli`, `auth`
+home = "0.5"
+
 [workspace.lints.rustdoc]
 private_intra_doc_links = "allow"
 

changelog.d/+agent-reuse-addr.fixed.md

@@ -0,0 +1 @@
+Passthrough mirroring is now enabled by default, unless mirrord for Teams is used.

changelog.d/+enable-passthrough-mirroring-by-default.changed.md

@@ -0,0 +1 @@
+fixed a bug where mirrord would display a typo when using istio ambient

changelog.d/+istio-msg-typo.fixed.md

@@ -0,0 +1 @@
+Added the `mirrord newsletter` command, which opens the sign-up page in the browser.

changelog.d/+mirrord-newsletter.added.md

@@ -465,7 +465,7 @@
         },
         "passthrough_mirroring": {
           "title": "agent.passthrough_mirroring {#agent-passthrough_mirroring}",
-          "description": "Enables an alternative implementation of traffic mirroring, based on iptables redirects.\n\nWhen used with `agent.flush_connections`, it might fix issues with mirroring non HTTP/1 traffic.\n\nWhen this is set, `network_interface` setting is ignored.\n\nDefaults to `false`.",
+          "description": "Enables an implementation of traffic mirroring based on iptables redirects.\n\nWhen used with `agent.flush_connections`, it might fix issues with mirroring non HTTP/1 traffic.\n\nWhen this is set, `network_interface` setting is ignored.\n\nDefaults to `false` in mirrord for Teams. Otherwise, defaults to `true`.",
           "type": [
             "boolean",
             "null"

mirrord-schema.json

@@ -204,6 +204,19 @@ enum BackgroundTask<Command> {
     Disabled,
 }
 
+impl<Command> BackgroundTask<Command> {
+    /// Waits for the task to finish, and returns its result.
+    ///
+    /// If the task is [`BackgroundTask::Disabled`], returns [`Ok`].
+    async fn wait(self) -> Result<(), AgentError> {
+        let Self::Running(status, channel) = self else {
+            return Ok(());
+        };
+        std::mem::drop(channel);
+        status.wait().await
+    }
+}
+
 impl<Command> Clone for BackgroundTask<Command> {
     fn clone(&self) -> Self {
         match self {
@@ -730,7 +743,11 @@ async fn start_agent(args: Args) -> AgentResult<()> {
             )
             .await?;
             (
-                setup::start_stealer(&state.network_runtime, steal_handle),
+                setup::start_stealer(
+                    &state.network_runtime,
+                    steal_handle,
+                    cancellation_token.clone(),
+                ),
                 passthrough_mirroring_enabled.then_some(mirror_handle),
             )
         }
@@ -825,28 +842,16 @@ async fn start_agent(args: Args) -> AgentResult<()> {
         ..
     } = bg_tasks;
 
-    tokio::join!(
-        async move {
-            if let BackgroundTask::Running(status, _) = sniffer {
-                if let Err(error) = status.wait().await {
-                    error!("start_agent -> {error}");
-                }
-            }
-        },
-        async move {
-            if let BackgroundTask::Running(status, _) = stealer {
-                if let Err(error) = status.wait().await {
-                    error!("start_agent -> {error}");
-                }
-            }
-        },
-        async move {
-            if let BackgroundTask::Running(status, _) = dns {
-                if let Err(error) = status.wait().await {
-                    error!("start_agent -> {error}");
-                }
-            }
-        },
+    let _ = tokio::join!(
+        sniffer.wait().inspect_err(|error| {
+            error!(%error, "start_agent -> Sniffer task failed");
+        }),
+        stealer.wait().inspect_err(|error| {
+            error!(%error, "start_agent -> Stealer task failed");
+        }),
+        dns.wait().inspect_err(|error| {
+            error!(%error, "start_agent -> DNS task failed");
+        }),
     );
 
     trace!("start_agent -> Agent shutdown");

mirrord/agent/src/entrypoint.rs

@@ -87,11 +87,12 @@ pub(super) async fn start_sniffer(
 pub(super) fn start_stealer(
     runtime: &BgTaskRuntime,
     steal_handle: StealHandle,
+    cancellation_token: CancellationToken,
 ) -> BackgroundTask<StealerCommand> {
     let (command_tx, command_rx) = mpsc::channel::<StealerCommand>(1000);
 
     let task_status = runtime
-        .spawn(TcpStealerTask::new(command_rx, steal_handle).run())
+        .spawn(TcpStealerTask::new(command_rx, steal_handle).run(cancellation_token))
         .into_status("TcpStealerTask");
 
     BackgroundTask::Running(task_status, command_tx)

mirrord/agent/src/entrypoint/setup.rs

@@ -222,6 +222,10 @@ where
                 let result = tokio::select! {
                     result = requests.next() => result,
                     _ = token.cancelled() => {
+                        tracing::debug!(
+                            connection = ?conn.info,
+                            "Gracefully shutting down a redirected HTTP connection",
+                        );
                         requests.graceful_shutdown();
                         continue;
                     },
@@ -300,6 +304,10 @@ where
 
                 match self.ports.entry(port) {
                     Entry::Vacant(e) => {
+                        tracing::debug!(
+                            from_port = port,
+                            "Creating a new port redirection for a mirroring client"
+                        );
                         self.redirector.add_redirection(port).await?;
                         e.insert_entry(PortState {
                             steal_tx: None,
@@ -326,6 +334,10 @@ where
 
                 match self.ports.entry(port) {
                     Entry::Vacant(e) => {
+                        tracing::debug!(
+                            from_port = port,
+                            "Creating a new port redirection for a stealing client"
+                        );
                         self.redirector.add_redirection(port).await?;
                         e.insert_entry(PortState {
                             steal_tx: Some(conn_tx.clone()),