
CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177 #4506

CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177


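name: Packages e2e Tests

# Pull requests only; documentation-only changes do not trigger a run.
on:
  pull_request:
    paths-ignore:
      - '**.md'
      - 'docs/**'

# Least-privilege GITHUB_TOKEN: the jobs below only check out the repository
# and exchange artifacts within the same run, neither of which needs a write scope.
permissions:
  contents: read

jobs:
  # Builds the standalone tarball for each architecture and stores it as a
  # short-lived artifact consumed by standalone-tarball-tests.
  standalone-tarball-builds:
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          # We use the native arch build
          - os: ubuntu-22.04
            arch: amd64
            match_arch: x86-64
            # Quoted: a YAML 1.1 loader would otherwise read no/yes as booleans,
            # while the step conditions below compare this value as a string.
            cross_compile: 'no'
            upload_path: upload/
          - os: ubuntu-22.04
            arch: arm64
            match_arch: arm64
            cross_compile: 'yes'
            upload_path: upload-cross-compile/
    steps:
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1

      - name: Checkout Source Code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      # The version tag names the tarball and the artifact in every later step.
      - name: Getting version tag
        id: tag
        run: echo "tag=$(make version)" >> "$GITHUB_OUTPUT"

      # NOTE(review): matrix.* values are fixed by this file, but steps.tag.outputs.tag
      # comes from `make version` in the checked-out tree and is interpolated straight
      # into shell; route it through `env:` if it can ever carry shell metacharacters.
      - name: Generate Tetragon Tarball
        if: ${{ matrix.cross_compile == 'no' }}
        id: tetragon-tarball
        run: |
          sudo apt-get update
          sudo apt-get install -y jq
          make tarball
          mkdir ${{ matrix.upload_path }}
          mv ./build/${{ matrix.arch }}/linux-tarball/tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz ./${{ matrix.upload_path }}

      # Cross builds need qemu user-mode emulation registered via binfmt.
      - name: Generate Cross Compiled Tetragon Tarball
        if: ${{ matrix.cross_compile == 'yes' }}
        run: |
          sudo apt-get update
          sudo apt-get install -y qemu qemu-user-static binfmt-support
          sudo update-binfmts --display
          make TARGET_ARCH=${{ matrix.arch }} tarball
          mkdir ${{ matrix.upload_path }}
          mv ./build/${{ matrix.arch }}/linux-tarball/tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz ./${{ matrix.upload_path }}

      # Cache tarball releases for later
      - name: Save tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz Tarball
        uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}
          path: ${{ matrix.upload_path }}
          retention-days: 1

  # Installs the tarball built above on a runner of the matching architecture
  # and exercises the installed service, the tetra CLI and policy loading.
  standalone-tarball-tests:
    needs: [standalone-tarball-builds]
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        include:
          - os: ubuntu-22.04
            arch: amd64
            match_arch: x86-64
            cross_compile: 'no'
            upload_path: upload/
          # The arm64 tarball is tested on a native arm64 runner.
          - os: actuated-arm64-4cpu-8gb
            arch: arm64
            match_arch: arm64
            cross_compile: 'yes'
            upload_path: upload-cross-compile/
    steps:
      - name: Checkout Source Code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      # Must produce the same tag as the build job so the artifact name matches.
      - name: Getting version tag
        id: tag
        run: echo "tag=$(make version)" >> "$GITHUB_OUTPUT"

      - name: Retrieve tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}
          path: ${{ matrix.upload_path }}

      # Recreate the build tree layout that install.sh is run from below.
      - name: Move tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz to build
        run: |
          mkdir -p ./build/${{ matrix.arch }}/
          mv ${{ matrix.upload_path }} ./build/${{ matrix.arch }}/linux-tarball

      # Pre-seed the default tracing-policy directory before the service is installed.
      - name: Copy bpf.yaml tracing policy to /etc/tetragon/tetragon.tp.d/
        run: |
          sudo mkdir -p /etc/tetragon/tetragon.tp.d/
          sudo cp examples/tracingpolicy/bpf.yaml /etc/tetragon/tetragon.tp.d/bpf.yaml

      # The tarball is produced by this workflow's own build job, so extracting
      # it with tar directly is acceptable here.
      - name: Install Tetragon Tarball
        run: |
          tar zxvf tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz
          sudo ./tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}/install.sh
        working-directory: ./build/${{ matrix.arch }}/linux-tarball/

      - name: Wait for Tetragon service
        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
        with:
          timeout_seconds: 30
          max_attempts: 5
          retry_wait_seconds: 5
          retry_on: error
          command: |
            # Ensure that default native builds work
            file /usr/local/bin/tetragon | grep ${{ matrix.match_arch }} -
            sudo systemctl is-active tetragon
            sudo tetra status

      - name: Check Tetragon startup logs
        run: sudo journalctl -b -u tetragon --no-pager

      - name: Test Tetragon
        run: |
          sudo tetra status
          sudo tetra tracingpolicy list | grep bpf -
          sudo tetra bugtool
          # The API socket must stay owner/group-only (mode 660), never world-accessible.
          test $(stat -c %a /var/run/tetragon/tetragon.sock) -eq "660"
          sudo tetra tracingpolicy add examples/tracingpolicy/tcp-connect.yaml
          sudo tetra tracingpolicy list | grep connect -
          sudo grep "tetra" /var/log/tetragon/tetragon.log

      # Each file under tetragon.conf.d is read as one option named after the file.
      - name: Setup Tetragon with a different tracing-policy-dir
        run: |
          sudo systemctl stop tetragon
          sudo mkdir -p /opt/tetragon.tp.d/
          sudo cp examples/tracingpolicy/bpf.yaml /opt/tetragon.tp.d/bpf.yaml
          echo "/opt/tetragon.tp.d/" | sudo tee /etc/tetragon/tetragon.conf.d/tracing-policy-dir
          echo "localhost:8118" | sudo tee /etc/tetragon/tetragon.conf.d/gops-address
          sudo systemctl start tetragon

      - name: Test Tetragon with a different tracing-policy-dir
        uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
        with:
          timeout_seconds: 30
          max_attempts: 5
          retry_wait_seconds: 5
          retry_on: error
          command: |
            sudo systemctl is-active tetragon
            sudo tetra status
            sudo grep "tetra" /var/log/tetragon/tetragon.log
            sudo tetra tracingpolicy list | grep bpf -
            # gops-address above is what lets bugtool dump the pprof heap.
            sudo tetra bugtool 2>&1 | grep "Successfully dumped gops pprof-heap" -

      - name: Uninstall Tetragon Tarball
        run: |
          sudo ./tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}/uninstall.sh
        working-directory: ./build/${{ matrix.arch }}/linux-tarball/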