containers / gvisor-tap-vsock

A new network stack based on gVisor
Apache License 2.0

gvproxy: Split `--listen` features in 2 separate args #425

Open cfergeau opened 1 week ago

cfergeau commented 1 week ago

--listen defines the sockets that will be used for gvproxy REST API https://github.com/containers/gvisor-tap-vsock/blob/72b102d1d443d6d02e4c04f5c2af809e4c2e0910/pkg/virtualnetwork/mux.go#L19-L31

This exposes the /connect API endpoint, which is used for network connectivity when gvforwarder/vm is running in the guest, a /services endpoint providing port forwarding, DNS, DHCP, a /stat endpoint, ...

Since there are other ways to get network connectivity without using /connect (--listen-vfkit, --listen-bess, ...), it's desirable to be able to enable the service/stats/... endpoints without enabling /connect.

It's better to add a separate option(s) for this, as at this point there could be users relying on gvproxy --listen's current behaviour.

https://github.com/containers/gvisor-tap-vsock/issues/78 is a distinct issue: the /services/forwarder API endpoint is unconditionally enabled in the guest, which might have security implications. Being able to disable it would be useful.
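To make the proposed split concrete, here is an added illustration (not gvproxy's own code, types, or flags) of what "enable /services and /stat without enabling /connect" looks like at the HTTP mux level: each endpoint group is registered only when it is explicitly enabled, so a disabled group is absent from the listener rather than present-but-refusing. The endpoint paths come from the issue text; the `Endpoints` struct, the `Probe` helper and the `/services/forwarder/all` sub-path are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Endpoints is a hypothetical configuration (not gvproxy's own types or flags)
// naming the API groups the issue wants to be able to enable independently.
type Endpoints struct {
	Connect  bool // /connect: guest data path used by gvforwarder/vm
	Services bool // /services/...: port forwarding, DNS, DHCP control
	Stats    bool // /stat: statistics
}

// NewAPIMux registers only the handler groups that were explicitly enabled.
// Anything not enabled is simply absent from the mux, so a request for it
// gets a 404 instead of reaching a handler that then has to refuse it.
func NewAPIMux(ep Endpoints) *http.ServeMux {
	mux := http.NewServeMux()
	if ep.Connect {
		mux.HandleFunc("/connect", func(w http.ResponseWriter, r *http.Request) {
			// Placeholder body: the real endpoint hands the connection to the network stack.
			fmt.Fprintln(w, "connect: accepted")
		})
	}
	if ep.Services {
		// Subtree pattern: covers /services/forwarder/... (sub-paths assumed).
		mux.HandleFunc("/services/forwarder/", func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintln(w, "forwarder:", r.URL.Path)
		})
	}
	if ep.Stats {
		mux.HandleFunc("/stat", func(w http.ResponseWriter, r *http.Request) {
			fmt.Fprintln(w, `{"stats":"placeholder"}`)
		})
	}
	return mux
}

// Probe sends an in-process GET for path and returns the HTTP status code,
// which is enough to check which endpoints a given mux actually exposes.
func Probe(mux http.Handler, path string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	// --listen today: everything on one socket.
	legacy := NewAPIMux(Endpoints{Connect: true, Services: true, Stats: true})
	// Proposed split: control/stats reachable from the host, /connect not exposed
	// because the guest's data path comes from --listen-qemu/--listen-vfkit instead.
	split := NewAPIMux(Endpoints{Services: true, Stats: true})

	for _, path := range []string{"/connect", "/services/forwarder/all", "/stat"} {
		fmt.Printf("%-24s legacy=%d split=%d\n", path, Probe(legacy, path), Probe(split, path))
	}
}
```

Running it prints 200 for all three paths on the legacy mux and 404 for /connect on the split one; the point is that the host-side control endpoints stay usable while the surface that only matters for the /connect transport is not listening at all.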

cfergeau commented 2 days ago

On Linux, podman machine's gvproxy command line is:

/usr/local/lib/podman/gvproxy -debug -mtu 1500 -ssh-port 41117 -listen-qemu unix:///run/user/1000/podman/crc-gvproxy.sock -forward-sock /run/user/1000/podman/crc-api.sock -forward-dest /run/user/1000/podman/podman.sock -forward-user core -forward-identity /var/home/teuf/.crc/cache/crc_microshift_libvirt_4.16.18_amd64/id_ecdsa_crc -pid-file /run/user/1000/podman/gvproxy.pid -log-file /run/user/1000/podman/gvproxy.log

It is similar on other platforms.

cfergeau commented 2 days ago

The issue could actually be rephrased as "it should be possible to start gvproxy using --listen-qemu/--listen-vfkit/..., while still being able to use the /services endpoint from the host", which is not really possible at the moment, or not really convenient/obvious as --listen needs to be specified for that.