tetragon-oci-hook-setup: crio.conf annotations

Add a command to patch crio.conf to add allowed annotations. For example: > $ ssh cat /etc/crio/crio.conf > crio.conf > $ ./tetragon-oci-hook-setup patch-crio-conf enable-annotations --config-file=crio.conf --output-file crio-patched.conf --annotations='io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw' > $ diff -u crio.conf crio-patched.conf > --- crio.conf 2024-11-29 10:47:11.622015385 +0100 > +++ crio-patched.conf 2024-11-29 11:03:39.856306109 +0100 > @@ -300,6 +300,7 @@ > runtime_path = "/usr/bin/runc" > runtime_type = "oci" > runtime_root = "/run/runc" > +allowed_annotations = ["io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw"] Signed-off-by: Kornilios Kourtis <[email protected]>
cilium · Dec 6, 2024 · 6858dd8 · 6858dd8
1 parent 2a3e31e
commit 6858dd8
Show file tree

Hide file tree

Showing 44 changed files with 2,735 additions and 247 deletions.
diff --git a/contrib/tetragon-rthooks/cmd/setup/addline.go b/contrib/tetragon-rthooks/cmd/setup/addline.go
@@ -48,6 +48,7 @@ func applyChanges(fnameIn, fnameOut string, changes []addLine) error {
 		for i := range changes {
 			ch := &changes[i]
 			if ch.pos.Line == inLine {
+				// NB: we assume that everything before is indentation
 				line := strings.Repeat(" ", ch.pos.Col-1) + ch.line + cr
 				lines = append(lines, line)
 				if ch.replaceLine {

diff --git a/contrib/tetragon-rthooks/cmd/setup/main.go b/contrib/tetragon-rthooks/cmd/setup/main.go
@@ -232,6 +232,7 @@ type CLI struct {
 	Uninstall           Uninstall           `cmd:"" help:"Uninstall hook"`
 	PrintConfig         PrintConfig         `cmd:"" help:"Print config"`
 	PatchContainerdConf patchContainerdConf `cmd:"patch containerd configuration"`
+	PatchCrioConf       patchCrioConf       `cmd:"patch crio configuration"`
 
 	LogLevel string `name:"log-level" default:"info" help:"log level"`
 }

diff --git a/contrib/tetragon-rthooks/cmd/setup/patch-crio-conf.go b/contrib/tetragon-rthooks/cmd/setup/patch-crio-conf.go
@@ -0,0 +1,136 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package main
+
+import (
+	"fmt"
+	"log/slog"
+	"os"
+	"strings"
+
+	"github.com/pelletier/go-toml"
+	tomlparser "github.com/pelletier/go-toml/v2/unstable"
+)
+
+type patchCrioConf struct {
+	EnableAnnotations enableAnnotations `cmd:"" help:"enable annotations"`
+}
+
+type enableAnnotations struct {
+	ConfFile    string   `name:"config-file" default:"/etc/crio/crio.conf" help:"crio configuration file location (input) (${default}))"`
+	Outfile     string   `name:"output-file" default:"" help:"output file location"`
+	Annotations []string `name:"annotations"`
+}
+
+func doEnableAnnotations(log *slog.Logger, c *enableAnnotations) ([]addLine, error) {
+	data, err := os.ReadFile(c.ConfFile)
+	if err != nil {
+		return nil, err
+	}
+
+	p := tomlparser.Parser{
+		KeepComments: true,
+	}
+	p.Reset(data)
+
+	lines := []addLine{}
+	insideRuntime := false
+	var annotationsLoc tomlparser.Shape
+	for p.NextExpression() {
+		e := p.Expression()
+		switch insideRuntime {
+		case false:
+			if e.Kind == tomlparser.Table {
+				c := e.Child()
+				if c == nil || c.Kind != tomlparser.Key || string(c.Data) != "crio" {
+					continue
+				}
+				c = c.Next()
+				if c == nil || c.Kind != tomlparser.Key || string(c.Data) != "runtime" {
+					continue
+				}
+				c = c.Next()
+				if c == nil || c.Kind != tomlparser.Key || string(c.Data) != "runtimes" {
+					continue
+				}
+				c = c.Next()
+				if c == nil || c.Kind != tomlparser.Key {
+					continue
+				}
+				insideRuntime = true
+			}
+		case true:
+			foundAnnotations := false
+			done := false
+			annotations := []string{}
+			if e.Kind == tomlparser.KeyValue {
+				var array *tomlparser.Node
+				for c := e.Child(); c != nil; c = c.Next() {
+					annotationsLoc = p.Shape(c.Raw)
+					if c.Kind == tomlparser.Key && string(c.Data) == "allowed_annotations" {
+						foundAnnotations = true
+					} else if c.Kind == tomlparser.Array {
+						array = c
+					}
+
+					if foundAnnotations && array != nil {
+						for cc := array.Child(); cc != nil; cc = cc.Next() {
+							if cc.Kind == tomlparser.String {
+								annotations = append(annotations, string(cc.Data))
+							}
+						}
+						break
+					}
+				}
+
+			} else {
+				done = true
+			}
+
+			if foundAnnotations || done {
+				annotations = append(annotations, c.Annotations...)
+				qannotations := make([]string, 0, len(annotations))
+				for _, a := range annotations {
+					qannotations = append(qannotations, fmt.Sprintf("%q", a))
+				}
+				insideRuntime = false
+				lines = append(lines, addLine{
+					pos:         toml.Position{Col: annotationsLoc.Start.Column, Line: annotationsLoc.Start.Line},
+					line:        fmt.Sprintf("allowed_annotations = [%s]", strings.Join(qannotations, ", ")),
+					replaceLine: foundAnnotations,
+				})
+			}
+		}
+	}
+
+	return lines, nil
+
+}
+
+func (c *enableAnnotations) Run(log *slog.Logger) error {
+
+	changes, err := doEnableAnnotations(log, c)
+	if len(changes) == 0 {
+		log.Info("nothing to do")
+		return nil
+	}
+
+	outFname := c.Outfile
+	if outFname == "" {
+		f, err := os.CreateTemp("", "crio.*.conf")
+		if err != nil {
+			return err
+		}
+		outFname = f.Name()
+		f.Close()
+	}
+
+	err = applyChanges(c.ConfFile, outFname, changes)
+	if err != nil {
+		return err
+	}
+	log.Info("written output", "filename", outFname)
+	return nil
+
+}
diff --git a/contrib/tetragon-rthooks/go.mod b/contrib/tetragon-rthooks/go.mod
@@ -16,6 +16,7 @@ require (
 	github.com/opencontainers/runc v1.2.2
 	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/pelletier/go-toml v1.9.5
+	github.com/pelletier/go-toml/v2 v2.2.3
 	github.com/stretchr/testify v1.10.0
 	google.golang.org/grpc v1.68.0
 )
@@ -29,11 +30,11 @@ require (
 	github.com/containerd/ttrpc v1.2.6-0.20240827082320-b5cd6e4b3287 // indirect
 	github.com/containerd/typeurl/v2 v2.2.2 // indirect
 	github.com/containers/storage v1.56.0 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
-	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect

diff --git a/contrib/tetragon-rthooks/go.sum b/contrib/tetragon-rthooks/go.sum
@@ -33,8 +33,8 @@ github.com/containers/common v0.61.0 h1:j/84PTqZIKKYy42OEJsZmjZ4g4Kq2ERuC3tqp2yW
 github.com/containers/common v0.61.0/go.mod h1:NGRISq2vTFPSbhNqj6MLwyes4tWSlCnqbJg7R77B8xc=
 github.com/containers/storage v1.56.0 h1:DZ9KSkj6M2tvj/4bBoaJu3QDHRl35BwsZ4kmLJS97ZI=
 github.com/containers/storage v1.56.0/go.mod h1:c6WKowcAlED/DkWGNuL9bvGYqIWCVy7isRMdCSKWNjk=
-github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
-github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 h1:OoRAFlvDGCUqDLampLQjk0yeeSGdF9zzst/3G9IkBbc=
+github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09/go.mod h1:m2r/smMKsKwgMSAoFKHaa68ImdCSNuKE1MxvQ64xuCQ=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8=
 github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM=
@@ -48,9 +48,9 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -87,6 +87,8 @@ github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -125,6 +127,7 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
 golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

diff --git a/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/.cirrus.yml b/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/.cirrus.yml
diff --git a/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/.golangci.yml b/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/.golangci.yml
diff --git a/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/README.md b/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/README.md
diff --git a/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/SECURITY.md b/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/SECURITY.md
diff --git a/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/auth.go b/contrib/tetragon-rthooks/vendor/github.com/godbus/dbus/v5/auth.go