CVE: detect and mitigate cups foomatic-rip CVE-2024-47176 2024-47177 #4506
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Packages e2e Tests | |
on: | |
pull_request: | |
paths-ignore: | |
- "**.md" | |
- 'docs/**' | |
jobs: | |
standalone-tarball-builds: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
# We use the native arch build | |
- os: ubuntu-22.04 | |
arch: amd64 | |
match_arch: x86-64 | |
cross_compile: no | |
upload_path: upload/ | |
- os: ubuntu-22.04 | |
arch: arm64 | |
match_arch: arm64 | |
cross_compile: yes | |
upload_path: upload-cross-compile/ | |
steps: | |
# https://github.com/docker/setup-buildx-action | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
- name: Checkout Source Code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Getting version tag | |
id: tag | |
run: echo "tag=$(make version)" >> $GITHUB_OUTPUT | |
- name: Generate Tetragon Tarball | |
if: ${{ matrix.cross_compile == 'no' }} | |
id: tetragon-tarball | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y jq | |
make tarball | |
mkdir ${{ matrix.upload_path }} | |
mv ./build/${{ matrix.arch }}/linux-tarball/tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz ./${{ matrix.upload_path }} | |
- name: Generate Cross Compiled Tetragon Tarball | |
if: ${{ matrix.cross_compile == 'yes' }} | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y qemu qemu-user-static binfmt-support | |
sudo update-binfmts --display | |
make TARGET_ARCH=${{ matrix.arch }} tarball | |
mkdir ${{ matrix.upload_path }} | |
mv ./build/${{ matrix.arch }}/linux-tarball/tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz ./${{ matrix.upload_path }} | |
# Cache tarball releases for later | |
- name: Save tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz Tarball | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }} | |
path: ${{ matrix.upload_path }} | |
retention-days: 1 | |
standalone-tarball-tests: | |
needs: [standalone-tarball-builds] | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
include: | |
- os: ubuntu-22.04 | |
arch: amd64 | |
match_arch: x86-64 | |
cross_compile: no | |
upload_path: upload/ | |
- os: actuated-arm64-4cpu-8gb | |
arch: arm64 | |
match_arch: arm64 | |
cross_compile: yes | |
upload_path: upload-cross-compile/ | |
steps: | |
- name: Checkout Source Code | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Getting version tag | |
id: tag | |
run: echo "tag=$(make version)" >> $GITHUB_OUTPUT | |
- name: Retrieve tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }} | |
path: ${{ matrix.upload_path }} | |
- name: Move tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz to build | |
run: | | |
mkdir -p ./build/${{ matrix.arch }}/ | |
mv ${{ matrix.upload_path }} ./build/${{ matrix.arch }}/linux-tarball | |
- name: Copy bpf.yaml tracing policy to /etc/tetragon/tetragon.tp.d/ | |
run: | | |
sudo mkdir -p /etc/tetragon/tetragon.tp.d/ | |
sudo cp examples/tracingpolicy/bpf.yaml /etc/tetragon/tetragon.tp.d/bpf.yaml | |
- name: Install Tetragon Tarball | |
run: | | |
tar zxvf tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}.tar.gz | |
sudo ./tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}/install.sh | |
working-directory: ./build/${{ matrix.arch }}/linux-tarball/ | |
- name: Wait for Tetragon service | |
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 | |
with: | |
timeout_seconds: 30 | |
max_attempts: 5 | |
retry_wait_seconds: 5 | |
retry_on: error | |
command: | | |
# Ensure that default native builds work | |
file /usr/local/bin/tetragon | grep ${{ matrix.match_arch }} - | |
sudo systemctl is-active tetragon | |
sudo tetra status | |
- name: Check Tetragon startup logs | |
run: sudo journalctl -b -u tetragon --no-pager | |
- name: Test Tetragon | |
run: | | |
sudo tetra status | |
sudo tetra tracingpolicy list | grep bpf - | |
sudo tetra bugtool | |
test $(stat -c %a /var/run/tetragon/tetragon.sock) -eq "660" | |
sudo tetra tracingpolicy add examples/tracingpolicy/tcp-connect.yaml | |
sudo tetra tracingpolicy list | grep connect - | |
sudo grep "tetra" /var/log/tetragon/tetragon.log | |
- name: Setup Tetragon with a different tracing-policy-dir | |
run: | | |
sudo systemctl stop tetragon | |
sudo mkdir -p /opt/tetragon.tp.d/ | |
sudo cp examples/tracingpolicy/bpf.yaml /opt/tetragon.tp.d/bpf.yaml | |
echo "/opt/tetragon.tp.d/" | sudo tee /etc/tetragon/tetragon.conf.d/tracing-policy-dir | |
echo "localhost:8118" | sudo tee /etc/tetragon/tetragon.conf.d/gops-address | |
sudo systemctl start tetragon | |
- name: Test Tetragon with a different tracing-policy-dir | |
uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0 | |
with: | |
timeout_seconds: 30 | |
max_attempts: 5 | |
retry_wait_seconds: 5 | |
retry_on: error | |
command: | | |
sudo systemctl is-active tetragon | |
sudo tetra status | |
sudo grep "tetra" /var/log/tetragon/tetragon.log | |
sudo tetra tracingpolicy list | grep bpf - | |
sudo tetra bugtool 2>&1 | grep "Successfully dumped gops pprof-heap" - | |
- name: Uninstall Tetragon Tarball | |
run: | | |
sudo ./tetragon-${{ steps.tag.outputs.tag }}-${{ matrix.arch }}/uninstall.sh | |
working-directory: ./build/${{ matrix.arch }}/linux-tarball/ |