cilium · kkourt · Dec 6, 2024 · Nov 29, 2024 · Nov 29, 2024 · Nov 29, 2024
@@ -0,0 +1,81 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package main
+
+import (
+	"bufio"
+	"os"
+	"strings"
+
+	"github.com/pelletier/go-toml"
+)
+
+// special line number to append at the end of the file
+const appendAtEndLine = -10
+
+type addLine struct {
+	pos         toml.Position
+	line        string
+	replaceLine bool
+}
+
+func applyChanges(fnameIn, fnameOut string, changes []addLine) error {
+	fIn, err := os.Open(fnameIn)
+	if err != nil {
+		return err
+	}
+	defer fIn.Close()
+	cr := "\n"
+	if usesCR(fIn) {
+		cr = "\r\n"
+	}
+
+	fOut, err := os.Create(fnameOut)
+	if err != nil {
+		return err
+	}
+	defer fOut.Close()
+
+	inLine := 0
+	inSc := bufio.NewScanner(fIn)
+	out := bufio.NewWriter(fOut)
+	defer out.Flush()
+	for inSc.Scan() {
+		inLine++
+		lines := []string{}
+		replaceLine := false
+		for i := range changes {
+			ch := &changes[i]
+			if ch.pos.Line == inLine {
+				// NB: we assume that everything before is indentation
+				line := strings.Repeat(" ", ch.pos.Col-1) + ch.line + cr
+				lines = append(lines, line)
+				if ch.replaceLine {
+					replaceLine = true
+				}
+			}
+		}
+		if !replaceLine {
+			out.WriteString(inSc.Text())
+			out.WriteString(cr)
+		}
+		for _, line := range lines {
+			out.WriteString(line)
+		}
+	}
+
+	for i := range changes {
+		ch := &changes[i]
+		if ch.pos.Line == appendAtEndLine {
+			indent := ""
+			if ch.pos.Col > 0 {
+				indent = strings.Repeat(" ", ch.pos.Col-1)
+			}
+			line := indent + ch.line + cr
+			out.WriteString(line)
+		}
+	}
+
+	return nil
+}
@@ -232,6 +232,7 @@ type CLI struct {
 	Uninstall           Uninstall           `cmd:"" help:"Uninstall hook"`
 	PrintConfig         PrintConfig         `cmd:"" help:"Print config"`
 	PatchContainerdConf patchContainerdConf `cmd:"patch containerd configuration"`
+	PatchCrioConf       patchCrioConf       `cmd:"patch crio configuration"`
 
 	LogLevel string `name:"log-level" default:"info" help:"log level"`
 }

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"log/slog"
 	"os"
-	"strings"
 
 	srvconf "github.com/containerd/containerd/services/server/config"
 	"github.com/pelletier/go-toml"
@@ -18,14 +17,6 @@ import (
 // solution would be to modify the config object and just marshall it instead of just doing text
 // replacements. TBD.
 
-const appendAtEndLine = -10
-
-type addLine struct {
-	pos         toml.Position
-	line        string
-	replaceLine bool
-}
-
 type addOCIHookState struct {
 	cnf *addOCIHookCmd
 	// poor man's patch
@@ -141,65 +132,6 @@ func usesCR(f *os.File) bool {
 	return false
 }
 
-func applyChanges(fnameIn, fnameOut string, changes []addLine) error {
-	fIn, err := os.Open(fnameIn)
-	if err != nil {
-		return err
-	}
-	defer fIn.Close()
-	cr := "\n"
-	if usesCR(fIn) {
-		cr = "\r\n"
-	}
-
-	fOut, err := os.Create(fnameOut)
-	if err != nil {
-		return err
-	}
-	defer fOut.Close()
-
-	inLine := 0
-	inSc := bufio.NewScanner(fIn)
-	out := bufio.NewWriter(fOut)
-	defer out.Flush()
-	for inSc.Scan() {
-		inLine++
-		lines := []string{}
-		replaceLine := false
-		for i := range changes {
-			ch := &changes[i]
-			if ch.pos.Line == inLine {
-				line := strings.Repeat(" ", ch.pos.Col-1) + ch.line + cr
-				lines = append(lines, line)
-				if ch.replaceLine {
-					replaceLine = true
-				}
-			}
-		}
-		if !replaceLine {
-			out.WriteString(inSc.Text())
-			out.WriteString(cr)
-		}
-		for _, line := range lines {
-			out.WriteString(line)
-		}
-	}
-
-	for i := range changes {
-		ch := &changes[i]
-		if ch.pos.Line == appendAtEndLine {
-			indent := ""
-			if ch.pos.Col > 0 {
-				indent = strings.Repeat(" ", ch.pos.Col-1)
-			}
-			line := indent + ch.line + cr
-			out.WriteString(line)
-		}
-	}
-
-	return nil
-}
-
 func (c *addOCIHookCmd) Run(log *slog.Logger) error {
 	changes, err := addOciHook(log, c)
 	if err != nil {

@@ -0,0 +1,136 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright Authors of Tetragon
+
+package main
+
+import (
+	"fmt"
+	"log/slog"
+	"os"
+	"strings"
+
+	"github.com/pelletier/go-toml"
+	tomlparser "github.com/pelletier/go-toml/v2/unstable"
+)
+
+type patchCrioConf struct {
+	EnableAnnotations enableAnnotations `cmd:"" help:"enable annotations"`
+}
+
+type enableAnnotations struct {
+	ConfFile    string   `name:"config-file" default:"/etc/crio/crio.conf" help:"crio configuration file location (input) (${default}))"`
+	Outfile     string   `name:"output-file" default:"" help:"output file location"`
+	Annotations []string `name:"annotations"`
+}
+
+func doEnableAnnotations(log *slog.Logger, c *enableAnnotations) ([]addLine, error) {
+	data, err := os.ReadFile(c.ConfFile)
+	if err != nil {
+		return nil, err
+	}
+
+	p := tomlparser.Parser{
+		KeepComments: true,
+	}
+	p.Reset(data)
+
+	lines := []addLine{}
+	insideRuntime := false
+	var annotationsLoc tomlparser.Shape
+	for p.NextExpression() {
+		e := p.Expression()
+		switch insideRuntime {
+		case false:
+			if e.Kind == tomlparser.Table {
+				c := e.Child()
+				if c == nil || c.Kind != tomlparser.Key || string(c.Data) != "crio" {
+					continue
+				}
+				c = c.Next()
+				if c == nil || c.Kind != tomlparser.Key || string(c.Data) != "runtime" {
+					continue
+				}
+				c = c.Next()
+				if c == nil || c.Kind != tomlparser.Key || string(c.Data) != "runtimes" {
+					continue
+				}
+				c = c.Next()
+				if c == nil || c.Kind != tomlparser.Key {
+					continue
+				}
+				insideRuntime = true
+			}
+		case true:
+			foundAnnotations := false
+			done := false
+			annotations := []string{}
+			if e.Kind == tomlparser.KeyValue {
+				var array *tomlparser.Node
+				for c := e.Child(); c != nil; c = c.Next() {
+					annotationsLoc = p.Shape(c.Raw)
+					if c.Kind == tomlparser.Key && string(c.Data) == "allowed_annotations" {
+						foundAnnotations = true
+					} else if c.Kind == tomlparser.Array {
+						array = c
+					}
+
+					if foundAnnotations && array != nil {
+						for cc := array.Child(); cc != nil; cc = cc.Next() {
+							if cc.Kind == tomlparser.String {
+								annotations = append(annotations, string(cc.Data))
+							}
+						}
+						break
+					}
+				}
+
+			} else {
+				done = true
+			}
+
+			if foundAnnotations || done {
+				annotations = append(annotations, c.Annotations...)
+				qannotations := make([]string, 0, len(annotations))
+				for _, a := range annotations {
+					qannotations = append(qannotations, fmt.Sprintf("%q", a))
+				}
+				insideRuntime = false
+				lines = append(lines, addLine{
+					pos:         toml.Position{Col: annotationsLoc.Start.Column, Line: annotationsLoc.Start.Line},
+					line:        fmt.Sprintf("allowed_annotations = [%s]", strings.Join(qannotations, ", ")),
+					replaceLine: foundAnnotations,
+				})
+			}
+		}
+	}
+
+	return lines, nil
+
+}
+
+func (c *enableAnnotations) Run(log *slog.Logger) error {
+
+	changes, err := doEnableAnnotations(log, c)
+	if len(changes) == 0 {
+		log.Info("nothing to do")
+		return nil
+	}
+
+	outFname := c.Outfile
+	if outFname == "" {
+		f, err := os.CreateTemp("", "crio.*.conf")
+		if err != nil {
+			return err
+		}
+		outFname = f.Name()
+		f.Close()
+	}
+
+	err = applyChanges(c.ConfFile, outFname, changes)
+	if err != nil {
+		return err
+	}
+	log.Info("written output", "filename", outFname)
+	return nil
+
+}
@@ -16,6 +16,7 @@ require (
 	github.com/opencontainers/runc v1.2.2
 	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/pelletier/go-toml v1.9.5
+	github.com/pelletier/go-toml/v2 v2.2.3
 	github.com/stretchr/testify v1.10.0
 	google.golang.org/grpc v1.68.0
 )
@@ -29,11 +30,11 @@ require (
 	github.com/containerd/ttrpc v1.2.6-0.20240827082320-b5cd6e4b3287 // indirect
 	github.com/containerd/typeurl/v2 v2.2.2 // indirect
 	github.com/containers/storage v1.56.0 // indirect
-	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
-	github.com/godbus/dbus/v5 v5.1.0 // indirect
+	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect

@@ -33,8 +33,8 @@ github.com/containers/common v0.61.0 h1:j/84PTqZIKKYy42OEJsZmjZ4g4Kq2ERuC3tqp2yW
 github.com/containers/common v0.61.0/go.mod h1:NGRISq2vTFPSbhNqj6MLwyes4tWSlCnqbJg7R77B8xc=
 github.com/containers/storage v1.56.0 h1:DZ9KSkj6M2tvj/4bBoaJu3QDHRl35BwsZ4kmLJS97ZI=
 github.com/containers/storage v1.56.0/go.mod h1:c6WKowcAlED/DkWGNuL9bvGYqIWCVy7isRMdCSKWNjk=
-github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
-github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09 h1:OoRAFlvDGCUqDLampLQjk0yeeSGdF9zzst/3G9IkBbc=
+github.com/coreos/go-systemd/v22 v22.5.1-0.20231103132048-7d375ecc2b09/go.mod h1:m2r/smMKsKwgMSAoFKHaa68ImdCSNuKE1MxvQ64xuCQ=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/cyphar/filepath-securejoin v0.3.4 h1:VBWugsJh2ZxJmLFSM06/0qzQyiQX2Qs0ViKrUAcqdZ8=
 github.com/cyphar/filepath-securejoin v0.3.4/go.mod h1:8s/MCNJREmFK0H02MF6Ihv1nakJe4L/w3WZLHNkvlYM=
@@ -48,9 +48,9 @@ github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
-github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 h1:sQspH8M4niEijh3PFscJRLDnkL547IeP7kpPe3uUhEg=
+github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466/go.mod h1:ZiQxhyQ+bbbfxUKVvjfO498oPYvtYhZzycal3G/NHmU=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
@@ -87,6 +87,8 @@ github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE
 github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -125,6 +127,7 @@ golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
 golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=