From 2602b28259b6f82a7f3c9cf7cdf3f923033a93a2 Mon Sep 17 00:00:00 2001
From: Aldo Lacuku
Date: Wed, 5 Jul 2023 11:55:33 +0200
Subject: [PATCH] feat(imagelister): support private repositories for builder images

Co-authored-by: Federico Di Pierro
Signed-off-by: Aldo Lacuku
---
 cmd/root.go | 5 +++
 cmd/root_options.go | 48 ++++++++++++--------
 cmd/testdata/autohelp.txt | 2 +-
 cmd/testdata/help-flag.txt | 2 +-
 cmd/testdata/invalid-proxyconfig.txt | 2 +-
 cmd/testdata/non-existent-processor.txt | 2 +-
 cmd/testdata/templates/flags.txt | 48 +++++++++++---------
 docs/driverkit.md | 48 +++++++++++---------
 docs/driverkit_docker.md | 48 +++++++++++---------
 docs/driverkit_images.md | 48 +++++++++++---------
 docs/driverkit_kubernetes-in-cluster.md | 6 ++-
 docs/driverkit_kubernetes.md | 6 ++-
 pkg/driverbuilder/builder/build.go | 59 +++++++++++++++++--------
 pkg/driverbuilder/builder/image.go | 25 ++++++++---
 pkg/driverbuilder/builder/image_test.go | 9 ++--
 15 files changed, 217 insertions(+), 141 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index 46919b89..033a14fa 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -152,6 +152,11 @@ func NewRootCmd() *RootCmd {
 flags.StringVar(&rootOpts.Repo.Org, "repo-org", rootOpts.Repo.Org, "repository github organization")
 flags.StringVar(&rootOpts.Repo.Name, "repo-name", rootOpts.Repo.Name, "repository github name")
 
+ flags.StringVar(&rootOpts.Registry.Name, "registry-name", rootOpts.Registry.Name, "registry name to which authenticate")
+ flags.StringVar(&rootOpts.Registry.Username, "registry-user", rootOpts.Registry.Username, "registry username")
+ flags.StringVar(&rootOpts.Registry.Password, "registry-password", rootOpts.Registry.Password, "registry password")
+ flags.BoolVar(&rootOpts.Registry.PlainHTTP, "registry-plain-http", rootOpts.Registry.PlainHTTP, "allows interacting with remote registry via plain http requests")
+
 viper.BindPFlags(flags)
 
 // Flag annotations and custom completions
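Review bot: `--registry-password` takes the secret as a plain command-line argument, which leaves it visible to every local user via process listings and in shell history; since `viper.BindPFlags(flags)` follows right below, the same key can presumably also be supplied through the `--config` file, and the help text should steer users there, e.g. `"registry password (prefer setting it in the config file rather than on the command line)"`. The `--registry-name` help string also reads awkwardly and does not say what value is expected; `"registry host to authenticate against, as it appears at the start of a --builderrepo reference"` would be clearer. NewRootCmd continues outside the hunk.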
diff --git a/cmd/root_options.go b/cmd/root_options.go
index e3a26b2d..f203af54 100644
--- a/cmd/root_options.go
+++ b/cmd/root_options.go
@@ -22,6 +22,13 @@ type RepoOptions struct {
 Name string `default:"libs" name:"repo name"`
 }
 
+type Registry struct {
+ Name string `validate:"required_with=Username Password" name:"registry name"`
+ Username string `validate:"required_with=Registry Password" name:"registry username"`
+ Password string `validate:"required_with=Username Registry" name:"registry password"`
+ PlainHTTP bool `default:"false" name:"registry plain http"`
+}
+
 // RootOptions ...
 type RootOptions struct {
 Architecture string `validate:"required,architecture" name:"architecture"`
@@ -38,6 +45,7 @@ type RootOptions struct {
 KernelUrls []string `name:"kernel header urls"`
 Repo RepoOptions
 Output OutputOptions
+ Registry Registry
 }
 
 func init() {
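Review bot: The `required_with` tags on `Username` and `Password` reference a field called `Registry`, but no such field exists in this struct — its fields are `Name`, `Username`, `Password` and `PlainHTTP` — so the rule "credentials require a registry name" is not expressed as written; whether the validator rejects an unknown field name or silently treats it as absent depends on the validation library, which is outside the hunk. The tags should presumably reference `Name`, i.e. `required_with=Name Password` on `Username` and `required_with=Username Name` on `Password`, and a unit test that sets only `--registry-user` would pin the intended behaviour. `Registry` is also a new exported type without a doc comment, unlike `RootOptions` below it; `// Registry holds the credentials and connection options used to pull builder images from a private registry.` would match the file's style.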
@@ -116,23 +124,27 @@ func (ro *RootOptions) toBuild() *builder.Build {
 }
 
 build := &builder.Build{
- TargetType: builder.Type(ro.Target),
- DriverVersion: ro.DriverVersion,
- KernelVersion: ro.KernelVersion,
- KernelRelease: ro.KernelRelease,
- Architecture: ro.Architecture,
- KernelConfigData: kernelConfigData,
- ModuleFilePath: ro.Output.Module,
- ProbeFilePath: ro.Output.Probe,
- ModuleDriverName: ro.ModuleDriverName,
- ModuleDeviceName: ro.ModuleDeviceName,
- GCCVersion: ro.GCCVersion,
- BuilderImage: ro.BuilderImage,
- BuilderRepos: ro.BuilderRepos,
- KernelUrls: ro.KernelUrls,
- RepoOrg: ro.Repo.Org,
- RepoName: ro.Repo.Name,
- Images: make(builder.ImagesMap),
+ TargetType: builder.Type(ro.Target),
+ DriverVersion: ro.DriverVersion,
+ KernelVersion: ro.KernelVersion,
+ KernelRelease: ro.KernelRelease,
+ Architecture: ro.Architecture,
+ KernelConfigData: kernelConfigData,
+ ModuleFilePath: ro.Output.Module,
+ ProbeFilePath: ro.Output.Probe,
+ ModuleDriverName: ro.ModuleDriverName,
+ ModuleDeviceName: ro.ModuleDeviceName,
+ GCCVersion: ro.GCCVersion,
+ BuilderImage: ro.BuilderImage,
+ BuilderRepos: ro.BuilderRepos,
+ KernelUrls: ro.KernelUrls,
+ RepoOrg: ro.Repo.Org,
+ RepoName: ro.Repo.Name,
+ Images: make(builder.ImagesMap),
+ RegistryName: ro.Registry.Name,
+ RegistryUser: ro.Registry.Username,
+ RegistryPassword: ro.Registry.Password,
+ RegistryPlainHTTP: ro.Registry.PlainHTTP,
 }
 
 // loop over BuilderRepos to build the list ImagesListers based on the value of the builderRepo:
@@ -145,7 +157,7 @@ func (ro *RootOptions) toBuild() *builder.Build {
 if _, err = os.Stat(builderRepo); err == nil {
 imageLister, err = builder.NewFileImagesLister(builderRepo, build)
 } else {
- imageLister, err = builder.NewRepoImagesLister(builderRepo, false, build)
+ imageLister, err = builder.NewRepoImagesLister(builderRepo, build)
 }
 if err != nil {
 logger.WithError(err).Warnf("Skipping %s repo\n", builderRepo)
diff --git a/cmd/testdata/autohelp.txt b/cmd/testdata/autohelp.txt index 23c34b7f..f859c6a3 100644 --- a/cmd/testdata/autohelp.txt +++ b/cmd/testdata/autohelp.txt @@ -6,6 +6,6 @@ INFO specify a valid processor processors="[docker kubernete {{ .Commands }} {{ .Flags }} - -v, --version version for driverkit + -v, --version version for driverkit {{ .Info }} diff --git a/cmd/testdata/help-flag.txt b/cmd/testdata/help-flag.txt index 2f3243c7..3697f238 100644 --- a/cmd/testdata/help-flag.txt +++ b/cmd/testdata/help-flag.txt @@ -5,6 +5,6 @@ {{ .Commands }} {{ .Flags }} - -v, --version version for driverkit + -v, --version version for driverkit {{ .Info }} diff --git a/cmd/testdata/invalid-proxyconfig.txt b/cmd/testdata/invalid-proxyconfig.txt index ce0356ae..e03ee3df 100644 --- a/cmd/testdata/invalid-proxyconfig.txt +++ b/cmd/testdata/invalid-proxyconfig.txt @@ -5,7 +5,7 @@ Error: exiting for validation errors {{ .Commands }} {{ .Flags }} - -v, --version version for driverkit + -v, --version version for driverkit {{ .Info }} diff --git a/cmd/testdata/non-existent-processor.txt b/cmd/testdata/non-existent-processor.txt index bcf7bae0..2a983321 100644 --- a/cmd/testdata/non-existent-processor.txt +++ b/cmd/testdata/non-existent-processor.txt @@ -4,7 +4,7 @@ Error: invalid argument "abc" for "driverkit" {{ .Commands }} {{ .Flags }} - -v, --version version for driverkit + -v, --version version for driverkit {{ .Info }} diff --git a/cmd/testdata/templates/flags.txt b/cmd/testdata/templates/flags.txt index 35c49c9e..ed1089ba 100644 --- a/cmd/testdata/templates/flags.txt +++ b/cmd/testdata/templates/flags.txt 
@@ -1,23 +1,27 @@ Flags: - --architecture string target architecture for the built driver, one of {{ .Architectures }} (default "{{ .CurrentArch }}") - --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. - --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, arch: , tag: , gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit-builder --builderrepo falcosecurity/driverkit-builder --builderrepo '/path/to/my/index.yaml'. (default [docker.io/falcosecurity/driverkit-builder]) - -c, --config string config file path (default $HOME/.driverkit.yaml if exists) - --driverversion string driver version as a git commit hash or as a git tag (default "master") - --dryrun do not actually perform the action - --gccversion string enforce a specific gcc version for the build - -h, --help help for {{ .Cmd }} - --kernelconfigdata string base64 encoded kernel config data: in some systems it can be found under the /boot directory, in other it is gzip compressed under /proc - --kernelrelease string kernel release to build the module for, it can be found by executing 'uname -v' - --kernelurls strings list of kernel header urls (e.g. --kernelurls --kernelurls --kernelurls ",") - --kernelversion string kernel version to build the module for, it's the numeric value after the hash when you execute 'uname -v' (default "1") - -l, --loglevel string log level (default "info") - --moduledevicename string kernel module device name (the default is falco, so the device will be under /dev/falco*) (default "falco") - --moduledrivername string kernel module driver name, i.e. 
the name you see when you check installed modules via lsmod (default "falco") - --output-module string filepath where to save the resulting kernel module - --output-probe string filepath where to save the resulting eBPF probe - --proxy string the proxy to use to download data - --repo-name string repository github name (default "libs") - --repo-org string repository github organization (default "falcosecurity") - -t, --target string the system to target the build for, one of {{ .Targets }} - --timeout int timeout in seconds (default 120) \ No newline at end of file + --architecture string target architecture for the built driver, one of {{ .Architectures }} (default "{{ .CurrentArch }}") + --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. + --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, arch: , tag: , gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit-builder --builderrepo falcosecurity/driverkit-builder --builderrepo '/path/to/my/index.yaml'. (default [docker.io/falcosecurity/driverkit-builder]) + -c, --config string config file path (default $HOME/.driverkit.yaml if exists) + --driverversion string driver version as a git commit hash or as a git tag (default "master") + --dryrun do not actually perform the action + --gccversion string enforce a specific gcc version for the build + -h, --help help for {{ .Cmd }} + --kernelconfigdata string base64 encoded kernel config data: in some systems it can be found under the /boot directory, in other it is gzip compressed under /proc + --kernelrelease string kernel release to build the module for, it can be found by executing 'uname -v' + --kernelurls strings list of kernel header urls (e.g. 
--kernelurls --kernelurls --kernelurls ",") + --kernelversion string kernel version to build the module for, it's the numeric value after the hash when you execute 'uname -v' (default "1") + -l, --loglevel string log level (default "info") + --moduledevicename string kernel module device name (the default is falco, so the device will be under /dev/falco*) (default "falco") + --moduledrivername string kernel module driver name, i.e. the name you see when you check installed modules via lsmod (default "falco") + --output-module string filepath where to save the resulting kernel module + --output-probe string filepath where to save the resulting eBPF probe + --proxy string the proxy to use to download data + --registry-name string registry name to which authenticate + --registry-password string registry password + --registry-plain-http allows interacting with remote registry via plain http requests + --registry-user string registry username + --repo-name string repository github name (default "libs") + --repo-org string repository github organization (default "falcosecurity") + -t, --target string the system to target the build for, one of {{ .Targets }} + --timeout int timeout in seconds (default 120) \ No newline at end of file diff --git a/docs/driverkit.md b/docs/driverkit.md index 25c82b27..4de7cbe9 100644 --- a/docs/driverkit.md +++ b/docs/driverkit.md 
@@ -9,28 +9,32 @@ driverkit ### Options ``` - --architecture string target architecture for the built driver, one of [amd64,arm64] (default "amd64") - --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. - --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit --builderrepo falcosecurity/driverkit --builderrepo '/path/to/my/index.yaml'. (default [docker.io/falcosecurity/driverkit-builder]) - -c, --config string config file path (default $HOME/.driverkit.yaml if exists) - --driverversion string driver version as a git commit hash or as a git tag (default "master") - --dryrun do not actually perform the action - --gccversion string enforce a specific gcc version for the build - -h, --help help for driverkit - --kernelconfigdata string base64 encoded kernel config data: in some systems it can be found under the /boot directory, in other it is gzip compressed under /proc - --kernelrelease string kernel release to build the module for, it can be found by executing 'uname -v' - --kernelurls strings list of kernel header urls (e.g. --kernelurls --kernelurls --kernelurls ",") - --kernelversion string kernel version to build the module for, it's the numeric value after the hash when you execute 'uname -v' (default "1") - -l, --loglevel string log level (default "info") - --moduledevicename string kernel module device name (the default is falco, so the device will be under /dev/falco*) (default "falco") - --moduledrivername string kernel module driver name, i.e. 
the name you see when you check installed modules via lsmod (default "falco") - --output-module string filepath where to save the resulting kernel module - --output-probe string filepath where to save the resulting eBPF probe - --proxy string the proxy to use to download data - --repo-name string repository github name (default "libs") - --repo-org string repository github organization (default "falcosecurity") - -t, --target string the system to target the build for, one of [alinux,almalinux,amazonlinux,amazonlinux2,amazonlinux2022,amazonlinux2023,arch,bottlerocket,centos,debian,fedora,flatcar,minikube,ol,opensuse,photon,redhat,rocky,talos,ubuntu,vanilla] - --timeout int timeout in seconds (default 120) + --architecture string target architecture for the built driver, one of [amd64,arm64] (default "amd64") + --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. + --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, arch: , tag: , gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit-builder --builderrepo falcosecurity/driverkit-builder --builderrepo '/path/to/my/index.yaml'. 
(default [docker.io/falcosecurity/driverkit-builder]) + -c, --config string config file path (default $HOME/.driverkit.yaml if exists) + --driverversion string driver version as a git commit hash or as a git tag (default "master") + --dryrun do not actually perform the action + --gccversion string enforce a specific gcc version for the build + -h, --help help for driverkit + --kernelconfigdata string base64 encoded kernel config data: in some systems it can be found under the /boot directory, in other it is gzip compressed under /proc + --kernelrelease string kernel release to build the module for, it can be found by executing 'uname -v' + --kernelurls strings list of kernel header urls (e.g. --kernelurls --kernelurls --kernelurls ",") + --kernelversion string kernel version to build the module for, it's the numeric value after the hash when you execute 'uname -v' (default "1") + -l, --loglevel string log level (default "info") + --moduledevicename string kernel module device name (the default is falco, so the device will be under /dev/falco*) (default "falco") + --moduledrivername string kernel module driver name, i.e. 
the name you see when you check installed modules via lsmod (default "falco") + --output-module string filepath where to save the resulting kernel module + --output-probe string filepath where to save the resulting eBPF probe + --proxy string the proxy to use to download data + --registry-name string registry name to which authenticate + --registry-password string registry password + --registry-plain-http allows interacting with remote registry via plain http requests + --registry-user string registry username + --repo-name string repository github name (default "libs") + --repo-org string repository github organization (default "falcosecurity") + -t, --target string the system to target the build for, one of [alinux,almalinux,amazonlinux,amazonlinux2,amazonlinux2022,amazonlinux2023,arch,bottlerocket,centos,debian,fedora,flatcar,minikube,ol,opensuse,photon,redhat,rocky,talos,ubuntu,vanilla] + --timeout int timeout in seconds (default 120) ``` ### SEE ALSO diff --git a/docs/driverkit_docker.md b/docs/driverkit_docker.md index 70cb0873..91a2aebf 100644 --- a/docs/driverkit_docker.md +++ b/docs/driverkit_docker.md 
@@ -9,28 +9,32 @@ driverkit docker [flags] ### Options ``` - --architecture string target architecture for the built driver, one of [amd64,arm64] (default "amd64") - --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. - --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit --builderrepo falcosecurity/driverkit --builderrepo '/path/to/my/index.yaml'. (default [docker.io/falcosecurity/driverkit-builder]) - -c, --config string config file path (default $HOME/.driverkit.yaml if exists) - --driverversion string driver version as a git commit hash or as a git tag (default "master") - --dryrun do not actually perform the action - --gccversion string enforce a specific gcc version for the build - -h, --help help for docker - --kernelconfigdata string base64 encoded kernel config data: in some systems it can be found under the /boot directory, in other it is gzip compressed under /proc - --kernelrelease string kernel release to build the module for, it can be found by executing 'uname -v' - --kernelurls strings list of kernel header urls (e.g. --kernelurls --kernelurls --kernelurls ",") - --kernelversion string kernel version to build the module for, it's the numeric value after the hash when you execute 'uname -v' (default "1") - -l, --loglevel string log level (default "info") - --moduledevicename string kernel module device name (the default is falco, so the device will be under /dev/falco*) (default "falco") - --moduledrivername string kernel module driver name, i.e. 
the name you see when you check installed modules via lsmod (default "falco") - --output-module string filepath where to save the resulting kernel module - --output-probe string filepath where to save the resulting eBPF probe - --proxy string the proxy to use to download data - --repo-name string repository github name (default "libs") - --repo-org string repository github organization (default "falcosecurity") - -t, --target string the system to target the build for, one of [alinux,almalinux,amazonlinux,amazonlinux2,amazonlinux2022,amazonlinux2023,arch,bottlerocket,centos,debian,fedora,flatcar,minikube,ol,opensuse,photon,redhat,rocky,talos,ubuntu,vanilla] - --timeout int timeout in seconds (default 120) + --architecture string target architecture for the built driver, one of [amd64,arm64] (default "amd64") + --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. + --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, arch: , tag: , gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit-builder --builderrepo falcosecurity/driverkit-builder --builderrepo '/path/to/my/index.yaml'. 
(default [docker.io/falcosecurity/driverkit-builder]) + -c, --config string config file path (default $HOME/.driverkit.yaml if exists) + --driverversion string driver version as a git commit hash or as a git tag (default "master") + --dryrun do not actually perform the action + --gccversion string enforce a specific gcc version for the build + -h, --help help for docker + --kernelconfigdata string base64 encoded kernel config data: in some systems it can be found under the /boot directory, in other it is gzip compressed under /proc + --kernelrelease string kernel release to build the module for, it can be found by executing 'uname -v' + --kernelurls strings list of kernel header urls (e.g. --kernelurls --kernelurls --kernelurls ",") + --kernelversion string kernel version to build the module for, it's the numeric value after the hash when you execute 'uname -v' (default "1") + -l, --loglevel string log level (default "info") + --moduledevicename string kernel module device name (the default is falco, so the device will be under /dev/falco*) (default "falco") + --moduledrivername string kernel module driver name, i.e. 
the name you see when you check installed modules via lsmod (default "falco") + --output-module string filepath where to save the resulting kernel module + --output-probe string filepath where to save the resulting eBPF probe + --proxy string the proxy to use to download data + --registry-name string registry name to which authenticate + --registry-password string registry password + --registry-plain-http allows interacting with remote registry via plain http requests + --registry-user string registry username + --repo-name string repository github name (default "libs") + --repo-org string repository github organization (default "falcosecurity") + -t, --target string the system to target the build for, one of [alinux,almalinux,amazonlinux,amazonlinux2,amazonlinux2022,amazonlinux2023,arch,bottlerocket,centos,debian,fedora,flatcar,minikube,ol,opensuse,photon,redhat,rocky,talos,ubuntu,vanilla] + --timeout int timeout in seconds (default 120) ``` ### SEE ALSO diff --git a/docs/driverkit_images.md b/docs/driverkit_images.md index a5998630..b55a796e 100644 --- a/docs/driverkit_images.md +++ b/docs/driverkit_images.md 
@@ -9,28 +9,32 @@ driverkit images [flags] ### Options ``` - --architecture string target architecture for the built driver, one of [amd64,arm64] (default "amd64") - --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. - --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit --builderrepo falcosecurity/driverkit --builderrepo '/path/to/my/index.yaml'. (default [docker.io/falcosecurity/driverkit-builder]) - -c, --config string config file path (default $HOME/.driverkit.yaml if exists) - --driverversion string driver version as a git commit hash or as a git tag (default "master") - --dryrun do not actually perform the action - --gccversion string enforce a specific gcc version for the build - -h, --help help for images - --kernelconfigdata string base64 encoded kernel config data: in some systems it can be found under the /boot directory, in other it is gzip compressed under /proc - --kernelrelease string kernel release to build the module for, it can be found by executing 'uname -v' - --kernelurls strings list of kernel header urls (e.g. --kernelurls --kernelurls --kernelurls ",") - --kernelversion string kernel version to build the module for, it's the numeric value after the hash when you execute 'uname -v' (default "1") - -l, --loglevel string log level (default "info") - --moduledevicename string kernel module device name (the default is falco, so the device will be under /dev/falco*) (default "falco") - --moduledrivername string kernel module driver name, i.e. 
the name you see when you check installed modules via lsmod (default "falco") - --output-module string filepath where to save the resulting kernel module - --output-probe string filepath where to save the resulting eBPF probe - --proxy string the proxy to use to download data - --repo-name string repository github name (default "libs") - --repo-org string repository github organization (default "falcosecurity") - -t, --target string the system to target the build for, one of [alinux,almalinux,amazonlinux,amazonlinux2,amazonlinux2022,amazonlinux2023,arch,bottlerocket,centos,debian,fedora,flatcar,minikube,ol,opensuse,photon,redhat,rocky,talos,ubuntu,vanilla] - --timeout int timeout in seconds (default 120) + --architecture string target architecture for the built driver, one of [amd64,arm64] (default "amd64") + --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. + --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, arch: , tag: , gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit-builder --builderrepo falcosecurity/driverkit-builder --builderrepo '/path/to/my/index.yaml'. 
(default [docker.io/falcosecurity/driverkit-builder]) + -c, --config string config file path (default $HOME/.driverkit.yaml if exists) + --driverversion string driver version as a git commit hash or as a git tag (default "master") + --dryrun do not actually perform the action + --gccversion string enforce a specific gcc version for the build + -h, --help help for images + --kernelconfigdata string base64 encoded kernel config data: in some systems it can be found under the /boot directory, in other it is gzip compressed under /proc + --kernelrelease string kernel release to build the module for, it can be found by executing 'uname -v' + --kernelurls strings list of kernel header urls (e.g. --kernelurls --kernelurls --kernelurls ",") + --kernelversion string kernel version to build the module for, it's the numeric value after the hash when you execute 'uname -v' (default "1") + -l, --loglevel string log level (default "info") + --moduledevicename string kernel module device name (the default is falco, so the device will be under /dev/falco*) (default "falco") + --moduledrivername string kernel module driver name, i.e. 
the name you see when you check installed modules via lsmod (default "falco") + --output-module string filepath where to save the resulting kernel module + --output-probe string filepath where to save the resulting eBPF probe + --proxy string the proxy to use to download data + --registry-name string registry name to which authenticate + --registry-password string registry password + --registry-plain-http allows interacting with remote registry via plain http requests + --registry-user string registry username + --repo-name string repository github name (default "libs") + --repo-org string repository github organization (default "falcosecurity") + -t, --target string the system to target the build for, one of [alinux,almalinux,amazonlinux,amazonlinux2,amazonlinux2022,amazonlinux2023,arch,bottlerocket,centos,debian,fedora,flatcar,minikube,ol,opensuse,photon,redhat,rocky,talos,ubuntu,vanilla] + --timeout int timeout in seconds (default 120) ``` ### SEE ALSO diff --git a/docs/driverkit_kubernetes-in-cluster.md b/docs/driverkit_kubernetes-in-cluster.md index 78244bf8..bf5d6b57 100644 --- a/docs/driverkit_kubernetes-in-cluster.md +++ b/docs/driverkit_kubernetes-in-cluster.md 
@@ -11,7 +11,7 @@ driverkit kubernetes-in-cluster [flags] ``` --architecture string target architecture for the built driver, one of [amd64,arm64] (default "amd64") --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. - --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit --builderrepo falcosecurity/driverkit --builderrepo '/path/to/my/index.yaml'. (default [docker.io/falcosecurity/driverkit-builder]) + --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, arch: , tag: , gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit-builder --builderrepo falcosecurity/driverkit-builder --builderrepo '/path/to/my/index.yaml'. (default [docker.io/falcosecurity/driverkit-builder]) -c, --config string config file path (default $HOME/.driverkit.yaml if exists) --driverversion string driver version as a git commit hash or as a git tag (default "master") --dryrun do not actually perform the action 
@@ -29,6 +29,10 @@ driverkit kubernetes-in-cluster [flags] --output-module string filepath where to save the resulting kernel module --output-probe string filepath where to save the resulting eBPF probe --proxy string the proxy to use to download data + --registry-name string registry name to which authenticate + --registry-password string registry password + --registry-plain-http allows interacting with remote registry via plain http requests + --registry-user string registry username --repo-name string repository github name (default "libs") --repo-org string repository github organization (default "falcosecurity") --run-as-user int Pods runner user diff --git a/docs/driverkit_kubernetes.md b/docs/driverkit_kubernetes.md index 83208761..b322c193 100644 --- a/docs/driverkit_kubernetes.md +++ b/docs/driverkit_kubernetes.md 
@@ -14,7 +14,7 @@ driverkit kubernetes [flags] --as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups --as-uid string uID to impersonate for the operation --builderimage string docker image to be used to build the kernel module and eBPF probe. If not provided, an automatically selected image will be used. - --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit --builderrepo falcosecurity/driverkit --builderrepo '/path/to/my/index.yaml'. (default [docker.io/falcosecurity/driverkit-builder]) + --builderrepo strings list of docker repositories or yaml file (absolute path) containing builder images index with the format 'images: [ { target:, name:, arch: , tag: , gcc_versions: [ ] },...]', in descending priority order. Used to search for builder images. eg: --builderrepo myorg/driverkit-builder --builderrepo falcosecurity/driverkit-builder --builderrepo '/path/to/my/index.yaml'. (default [docker.io/falcosecurity/driverkit-builder]) --cache-dir string default cache directory (default "$HOME/.kube/cache") --certificate-authority string path to a cert file for the certificate authority --client-certificate string path to a client certificate file for TLS 
@@ -40,6 +40,10 @@ driverkit kubernetes [flags]
 --output-module string filepath where to save the resulting kernel module
 --output-probe string filepath where to save the resulting eBPF probe
 --proxy string the proxy to use to download data
+ --registry-name string registry name to which authenticate
+ --registry-password string registry password
+ --registry-plain-http allows interacting with remote registry via plain http requests
+ --registry-user string registry username
 --repo-name string repository github name (default "libs")
 --repo-org string repository github organization (default "falcosecurity")
 --request-timeout string the length of time to wait before giving up on a single server request, non-zero values should contain a corresponding time unit (e.g, 1s, 2m, 3h), a value of zero means don't timeout requests (default "0")
diff --git a/pkg/driverbuilder/builder/build.go b/pkg/driverbuilder/builder/build.go
index c50d24a0..bca33429 100644
--- a/pkg/driverbuilder/builder/build.go
+++ b/pkg/driverbuilder/builder/build.go
@@ -1,8 +1,10 @@
 package builder
 
 import (
+ "context"
 "fmt"
 "github.com/falcosecurity/driverkit/pkg/kernelrelease"
+ "oras.land/oras-go/v2/registry/remote/auth"
 "strings"
 )
 
@@ -10,24 +12,28 @@ var defaultImageTag = "latest" // This is overwritten when using the Makefile to

 // Build contains the info about the on-going build.
 type Build struct {
- TargetType Type
- KernelConfigData string
- KernelRelease string
- KernelVersion string
- DriverVersion string
- Architecture string
- ModuleFilePath string
- ProbeFilePath string
- ModuleDriverName string
- ModuleDeviceName string
- BuilderImage string
- BuilderRepos []string
- ImagesListers []ImagesLister
- KernelUrls []string
- GCCVersion string
- RepoOrg string
- RepoName string
- Images ImagesMap
+ TargetType Type
+ KernelConfigData string
+ KernelRelease string
+ KernelVersion string
+ DriverVersion string
+ Architecture string
+ ModuleFilePath string
+ ProbeFilePath string
+ ModuleDriverName string
+ ModuleDeviceName string
+ BuilderImage string
+ BuilderRepos []string
+ ImagesListers []ImagesLister
+ KernelUrls []string
+ GCCVersion string
+ RepoOrg string
+ RepoName string
+ Images ImagesMap
+ RegistryName string
+ RegistryUser string
+ RegistryPassword string
+ RegistryPlainHTTP bool
 }

 func (b *Build) KernelReleaseFromBuildConfig() kernelrelease.KernelRelease {
@@ -69,3 +75,20 @@ func (b *Build) builderImageTag() string {
 }
 return defaultImageTag
 }
+
+func (b *Build) ClientForRegistry(registry string) *auth.Client {
+ client := auth.DefaultClient
+ client.SetUserAgent("driverkit")
+ client.Credential = func(ctx context.Context, reg string) (auth.Credential, error) {
+ if b.RegistryName == registry {
+ return auth.Credential{
+ Username: b.RegistryUser,
+ Password: b.RegistryPassword,
+ }, nil
+ }
+
+ return auth.EmptyCredential, nil
+ }
+
+ return client
+}
diff --git a/pkg/driverbuilder/builder/image.go b/pkg/driverbuilder/builder/image.go
index 083f77e8..0193752b 100644
--- a/pkg/driverbuilder/builder/image.go
+++ b/pkg/driverbuilder/builder/image.go
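Review bot: `client := auth.DefaultClient` in ClientForRegistry takes the package-level pointer (the function hands it back as `*auth.Client`), so `SetUserAgent` and the `Credential` assignment mutate oras's shared default client instead of a client scoped to this registry; every call from NewRepoImagesLister overwrites the same global, the last `registry` argument wins, and any other oras user in the process inherits the callback. The callback also ignores its own `reg` argument and matches on the `registry` the client was built for, so the username/password are returned for whatever host that client is asked to authenticate against rather than only for `b.RegistryName`. Building a fresh `&auth.Client{}` per call and comparing `reg` with `b.RegistryName` keeps the credential tied to the host oras is actually contacting; `auth.NewCache()` preserves the token-cache behaviour the default client has. A doc comment such as `// ClientForRegistry returns an oras auth client that presents the configured credentials only to RegistryName.` would also make the contract explicit.
```go
func (b *Build) ClientForRegistry(registry string) *auth.Client {
	client := &auth.Client{
		Cache: auth.NewCache(),
		Credential: func(ctx context.Context, reg string) (auth.Credential, error) {
			// Match on the host oras is authenticating against, not on the
			// registry this client happened to be created for.
			if reg == b.RegistryName {
				return auth.Credential{
					Username: b.RegistryUser,
					Password: b.RegistryPassword,
				}, nil
			}
			return auth.EmptyCredential, nil
		},
	}
	client.SetUserAgent("driverkit")
	return client
}
```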
@@ -137,7 +137,7 @@ func (f *FileImagesLister) LoadImages() []Image {
 return res
 }

-func NewRepoImagesLister(repo string, httpOnly bool, build *Build) (*RepoImagesLister, error) {
+func NewRepoImagesLister(repo string, build *Build) (*RepoImagesLister, error) {
 // Lazy inizialization
 if tagReg == nil {
 imageTag := build.builderImageTag()
@@ -147,14 +147,15 @@ func NewRepoImagesLister(repo string, httpOnly bool, build *Build) (*RepoImagesL
 tagReg = regexp.MustCompile(targetFmt)
 }

- noCredentials := func(r *repository.Repository) {
- // The default client will be used by oras.
- // TODO: we don't support private repositories for now.
- r.Client = nil
- r.PlainHTTP = httpOnly
+ // Get the registry URL from repository.
+ registry, err := getRegistryFromRef(repo)
+ if err != nil {
+ return nil, err
 }

- repoOCI, err := repository.NewRepository(repo, noCredentials)
+ repoOCI, err := repository.NewRepository(repo,
+ repository.WithPlainHTTP(build.RegistryPlainHTTP),
+ repository.WithClient(build.ClientForRegistry(registry)))
 if err != nil {
 return nil, err
 }
@@ -227,3 +228,13 @@ func (b *Build) LoadImages() {
 logger.Fatal("Could not load any builder image. Leaving.")
 }
 }
+
+// getRegistryFromRef extracts the registry from a ref string.
+func getRegistryFromRef(ref string) (string, error) {
+ index := strings.Index(ref, "/")
+ if index <= 0 {
+ return "", fmt.Errorf("cannot extract registry name from ref %q", ref)
+ }
+
+ return ref[0:index], nil
+}
diff --git a/pkg/driverbuilder/builder/image_test.go b/pkg/driverbuilder/builder/image_test.go
index 61da9ee0..91c1f36a 100644
--- a/pkg/driverbuilder/builder/image_test.go
+++ b/pkg/driverbuilder/builder/image_test.go
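Review bot: `repository.WithPlainHTTP(build.RegistryPlainHTTP)` in NewRepoImagesLister is applied to every builder repository the lister is created for, not only to the registry the credentials are scoped to, so enabling `--registry-plain-http` for an internal registry also makes the default `docker.io/falcosecurity/driverkit-builder` index be fetched over unauthenticated HTTP. Limiting the downgrade to the matching registry, `repository.WithPlainHTTP(build.RegistryPlainHTTP && registry == build.RegistryName)`, keeps the public repositories on TLS; the test at the end of this patch would then need `RegistryName` set to the host part of `mock.URL()`. The removed TODO is now resolved, so a short comment on the `WithClient` option, e.g. `// credentials are only presented to build.RegistryName`, would tell the reader which registry the client authenticates against. NewRepoImagesLister's body continues past the hunk.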
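Review bot: getRegistryFromRef re-parses the same `repo` string that `repository.NewRepository` parses a few lines earlier, and the two parsers can drift apart: for the `--builderrepo myorg/driverkit-builder` form shown in this patch's flag help the helper returns `myorg` as the registry, and for `docker.io` refs (the default builder repo) the host oras presents to the credential callback may differ from the string returned here, in which case the `RegistryName` comparison in ClientForRegistry would never match — I cannot confirm oras's handling from this hunk. If the wrapper's `Repository` exposes the parsed reference, taking the registry from it inside the option (the removed `noCredentials` closure received `*repository.Repository`) would keep a single parser; otherwise a comment on the helper, `// Must stay consistent with how repository.NewRepository splits the registry from the ref.`, records the coupling. The `%q` in the error is good since an empty or whitespace ref prints visibly.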
@@ -263,10 +263,11 @@ func TestRepoImagesLister(t *testing.T) {
 assert.NilError(t, err)
 defer mock.Close()

- lister, err := NewRepoImagesLister(mock.URL()+"/foo/test", true, &Build{
- TargetType: Type("centos"),
- Architecture: "amd64",
- BuilderImage: "auto:latest",
+ lister, err := NewRepoImagesLister(mock.URL()+"/foo/test", &Build{
+ TargetType: Type("centos"),
+ Architecture: "amd64",
+ BuilderImage: "auto:latest",
+ RegistryPlainHTTP: true,
 })
 assert.NilError(t, err)
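Review bot: The updated TestRepoImagesLister only exercises the anonymous path: `RegistryName`, `RegistryUser` and `RegistryPassword` stay empty, so the credential selection added to ClientForRegistry earlier in this patch is never executed by any test. A companion case that sets `RegistryName` to the host part of `mock.URL()` and asserts the lister still loads, and one with a non-matching `RegistryName` asserting the credential callback returns `auth.EmptyCredential`, would pin which registry receives the username/password. TestRepoImagesLister continues outside the hunk.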