Merge branch 'OpenVisualCloud:main' into 1ksession
jianbingzhu authored Dec 28, 2023
2 parents 1727e71 + 9173407 commit 5c4ebb4
Showing 37 changed files with 4,371 additions and 390 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/codeql.yml
Expand Up @@ -66,10 +66,10 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql/codeql-config.yml
config-file: ${{github.workspace}}/.github/codeql/codeql-config.yml
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
Expand Down Expand Up @@ -118,6 +118,6 @@ jobs:
./build.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
with:
category: "/language:${{matrix.language}}"
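Review bot: The config-file expression at L25 is written `${{github.workspace}}` without the inner spaces that `${{ matrix.language }}` two lines above uses; `config-file: ${{ github.workspace }}/.github/codeql/codeql-config.yml` keeps the expression style consistent within the file. The switch from a relative to an absolute path is not explained anywhere in the hunk — if the v3 action resolves `config-file` differently, a short comment saying why the absolute form is needed would stop the next version bump from reverting it. The job definition continues outside the hunk.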
6 changes: 3 additions & 3 deletions .github/workflows/scorecard.yml
Expand Up @@ -50,7 +50,7 @@ jobs:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecard on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
repo_token: ${{ secrets.SCORECARD_TOKEN }}

# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
Expand All @@ -64,14 +64,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
with:
sarif_file: results.sarif
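Review bot: Uncommenting `repo_token` at L43 makes the run depend on a repository secret, but the comment block above it still only says when a PAT is needed, not which scopes `SCORECARD_TOKEN` was created with; a line such as `# SCORECARD_TOKEN: PAT with <scope(s) granted>, owner <team>, rotated <date>` next to it records the trust being granted. When the secret is not configured (in forks, for instance) the expression expands to an empty string, so it is worth confirming the action degrades cleanly in that case rather than failing the whole workflow. The `steps` list continues outside the hunk.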
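--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,63 @@
+name: Trivy
+on:
+push:
+branches:
+- main
+pull_request:
+permissions:
+contents: read
+
+jobs:
+checkout_code:
+runs-on: ubuntu-20.04
+name: Checkout code
+steps:
+- name: Harden Runner
+uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+with:
+egress-policy: audit
+- name: Checkout code
+uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+scan_fs:
+runs-on: ubuntu-20.04
+needs: checkout_code
+permissions:
+contents: read # for actions/checkout to fetch code
+security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+name: Scan FS
+steps:
+- name: Run Trivy vulnerability scanner for 'fs'
+uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # master
+with:
+scan-type: 'fs'
+ignore-unfixed: true
+format: 'sarif'
+output: 'trivy-results-fs.sarif'
+severity: 'CRITICAL,HIGH,MEDIUM'
+- name: Upload Trivy 'fs' scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+with:
+sarif_file: 'trivy-results-fs.sarif'
+
+scan_config:
+runs-on: ubuntu-20.04
+needs: checkout_code
+permissions:
+contents: read # for actions/checkout to fetch code
+security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+name: Scan Config
+steps:
+- name: Run Trivy vulnerability scanner for 'config'
+uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # master
+with:
+scan-type: 'config'
+hide-progress: false
+ignore-unfixed: true
+format: 'sarif'
+output: 'trivy-results-config.sarif'
+severity: 'CRITICAL,HIGH,MEDIUM'
+- name: Upload Trivy 'config' scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+with:
+sarif_file: 'trivy-results-config.sarif'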
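Review bot: The `scan_fs` and `scan_config` jobs (L88 onwards) never check the repository out — the checkout done in `checkout_code` lives on that job's runner and does not carry over to jobs that merely `needs` it — so on a fresh runner Trivy appears to scan an empty workspace and the two SARIF uploads report nothing. Each scan job needs its own `- name: Checkout code` / `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` step before the trivy-action step, after which the `checkout_code` job and the two `needs:` lines serve no purpose and can go. While there, the scan jobs lack the `step-security/harden-runner` step that the checkout job has, so egress from the runners that actually fetch the Trivy database is unaudited; repeating that step keeps the three jobs consistent. `hide-progress: false` is set only in `scan_config`; either both scan jobs should carry it or neither.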
3 changes: 3 additions & 0 deletions CMakeLists.txt
Expand Up @@ -15,6 +15,9 @@ set(CMAKE_CXX_EXTENSIONS NO)
set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -s")
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -s")

# Disable RPATH
set(CMAKE_SKIP_RPATH TRUE)

# setup components folders
set(MCM_DIR ${CMAKE_CURRENT_SOURCE_DIR})
set(MP_DIR ${CMAKE_CURRENT_SOURCE_DIR}/media-proxy)
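Review bot: The comment `# Disable RPATH` at L136 says what the next line does but not why; `CMAKE_SKIP_RPATH` removes run-time search paths from both build-tree and installed binaries, so every linked library must then be resolvable through the system loader path. A comment such as `# Disable RPATH: do not bake build-tree library paths into the binaries; libraries are resolved via the system loader path` records the intent so the setting is not dropped as noise later. The surrounding setup continues outside the hunk.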
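--- a/deployment/DaemonSet/media-proxy-rx.yaml
+++ b/deployment/DaemonSet/media-proxy-rx.yaml
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+name: media-proxy-rx
+namespace: mcm
+labels:
+app: media-proxy-rx
+spec:
+selector:
+matchLabels:
+app: media-proxy-rx
+template:
+metadata:
+labels:
+app: media-proxy-rx
+spec:
+nodeSelector:
+node-role.kubernetes.io/worker: "true"
+mcm-type: rx
+containers:
+- name: media-proxy-rx
+image: mcm/media-proxy:latest
+imagePullPolicy: Never
+command: [ "media_proxy" ]
+args: [ "-d", "0000:31:11.5", "-i", "192.168.96.20" ]
+env:
+- name: NODE_NAME
+valueFrom:
+fieldRef:
+fieldPath: spec.nodeName
+resources:
+requests:
+cpu: 2
+memory: 4Gi
+limits:
+cpu: 2
+memory: 8Gi
+hugepages-2Mi: 1Gi
+hugepages-1Gi: 2Gi
+securityContext:
+privileged: true
+runAsUser: 0
+runAsGroup: 0
+ports:
+- containerPort: 8001
+hostPort: 8001
+protocol: TCP
+name: grpc-port
+- containerPort: 8002
+hostPort: 8002
+protocol: TCP
+name: sdk-port
+volumeMounts:
+- name: memif-dir # Using hostPath volume
+mountPath: /run/mcm # Mount path in the pod
+- name: dev-vfio
+mountPath: /dev/vfio
+- mountPath: /hugepages-2Mi
+name: hugepage-2mi
+- mountPath: /hugepages-1Gi
+name: hugepage-1gi
+- mountPath: /dev/shm
+name: cache-volume
+- name: imtl-mgr # Communicate with IMTL manager
+mountPath: /var/run/imtl # Mount path in the pod
+volumes:
+- name: memif-dir # Using hostPath volume
+hostPath:
+path: /tmp/mcm/memif
+- name: dev-vfio
+hostPath:
+path: /dev/vfio
+- name: hugepage-2mi
+emptyDir:
+medium: HugePages-2Mi
+- name: hugepage-1gi
+emptyDir:
+medium: HugePages-1Gi
+- name: cache-volume
+emptyDir:
+medium: Memory
+sizeLimit: 4Gi
+- name: imtl-mgr
+persistentVolumeClaim:
+claimName: imtl-pvc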
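Review bot: The container args at L170 hard-code one node's PCI address `0000:31:11.5` and IP `192.168.96.20`, yet this is a DaemonSet that schedules the same pod on every node labelled `mcm-type: rx`, so a second rx node is unlikely to have a VF at that address and would start with the wrong device; the file should state this is a single-node template, e.g. `# NOTE: -d/-i are node-specific; edit per deployment or supply them from a ConfigMap`. `image: mcm/media-proxy:latest` with `imagePullPolicy: Never` runs whatever image carries that tag on the node, which leaves the deployed code unpinned and hard to attribute; a version tag or digest would be preferable. The pod is also `privileged: true`, runs as uid 0, binds host ports and mounts a hostPath under `/tmp` — presumably required for VFIO — but a one-line comment saying why, as media-proxy.yaml does for the `/dev/vfio` mount, would let a reviewer tell necessity from habit. deployment/DaemonSet/media-proxy-tx.yaml has the same three issues.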
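--- a/deployment/DaemonSet/media-proxy-tx.yaml
+++ b/deployment/DaemonSet/media-proxy-tx.yaml
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+name: media-proxy-tx
+namespace: mcm
+labels:
+app: media-proxy-tx
+spec:
+selector:
+matchLabels:
+app: media-proxy-tx
+template:
+metadata:
+labels:
+app: media-proxy-tx
+spec:
+nodeSelector:
+node-role.kubernetes.io/worker: "true"
+mcm-type: tx
+containers:
+- name: media-proxy-tx
+image: mcm/media-proxy:latest
+imagePullPolicy: Never
+command: [ "media_proxy" ]
+args: [ "-d", "0000:31:01.5", "-i", "192.168.96.10" ]
+env:
+- name: NODE_NAME
+valueFrom:
+fieldRef:
+fieldPath: spec.nodeName
+resources:
+requests:
+cpu: 2
+memory: 4Gi
+limits:
+cpu: 2
+memory: 8Gi
+hugepages-2Mi: 1Gi
+hugepages-1Gi: 2Gi
+securityContext:
+privileged: true
+runAsUser: 0
+runAsGroup: 0
+ports:
+- containerPort: 8001
+hostPort: 8001
+protocol: TCP
+name: grpc-port
+- containerPort: 8002
+hostPort: 8002
+protocol: TCP
+name: sdk-port
+volumeMounts:
+- name: memif-dir # Using hostPath volume
+mountPath: /run/mcm # Mount path in the pod
+- name: dev-vfio
+mountPath: /dev/vfio
+- mountPath: /hugepages-2Mi
+name: hugepage-2mi
+- mountPath: /hugepages-1Gi
+name: hugepage-1gi
+- mountPath: /dev/shm
+name: cache-volume
+- name: imtl-mgr # Communicate with IMTL manager
+mountPath: /var/run/imtl # Mount path in the pod
+volumes:
+- name: memif-dir # Using hostPath volume
+hostPath:
+path: /tmp/mcm/memif
+- name: dev-vfio
+hostPath:
+path: /dev/vfio
+- name: hugepage-2mi
+emptyDir:
+medium: HugePages-2Mi
+- name: hugepage-1gi
+emptyDir:
+medium: HugePages-1Gi
+- name: cache-volume
+emptyDir:
+medium: Memory
+sizeLimit: 4Gi
+- name: imtl-mgr
+persistentVolumeClaim:
+claimName: imtl-pvc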
54 changes: 30 additions & 24 deletions deployment/DaemonSet/media-proxy.yaml
@@ -1,20 +1,3 @@
apiVersion: v1
kind: Namespace
metadata:
name: mcm
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: memif-socket-fs
namespace: mcm
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 64Mi
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
Expand All @@ -32,17 +15,26 @@ spec:
app: media-proxy
spec:
nodeSelector:
node-role.mcm.intel.com/worker: "true"
node-role.kubernetes.io/worker: "true"
containers:
- name: media-proxy
image: mcm/media-proxy:latest
imagePullPolicy: Never
command: [ "media_proxy" ]
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: NODE_IP
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
command: [ "media_proxy" ]
args: [ "-d", "kernel:eth0", "-i", $(POD_IP) ]
resources:
limits:
cpu: 2
Expand All @@ -53,9 +45,18 @@ spec:
privileged: true
runAsUser: 0
runAsGroup: 0
ports:
- containerPort: 8001
hostPort: 8001
protocol: TCP
name: grpc-port
- containerPort: 8002
hostPort: 8002
protocol: TCP
name: sdk-port
volumeMounts:
- name: memif-socket
mountPath: /run/mcm
- name: memif-dir # Using hostPath volume
mountPath: /run/mcm # Mount path in the pod
- name: dev-vfio
mountPath: /dev/vfio
- mountPath: /hugepages-2Mi
Expand All @@ -64,10 +65,12 @@ spec:
name: hugepage-1gi
- mountPath: /dev/shm
name: cache-volume
- name: imtl-mgr # Communicate with IMTL manager
mountPath: /var/run/imtl # Mount path in the pod
volumes:
- name: memif-socket
persistentVolumeClaim:
claimName: memif-socket-fs
- name: memif-dir # Using hostPath volume
hostPath:
path: /tmp/mcm/memif
- name: dev-vfio
hostPath:
# Do not mount the top-level /dev/ directory for security reasons.
Expand All @@ -83,3 +86,6 @@ spec:
emptyDir:
medium: Memory
sizeLimit: 4Gi
- name: imtl-mgr
persistentVolumeClaim:
claimName: imtl-pvc
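Review bot: The new `imtl-mgr` volume at L412-L414 references `claimName: imtl-pvc`, but no PersistentVolumeClaim of that name is defined here, and the first hunk deletes this file's own Namespace `mcm` and PVC manifests, so applying this file on its own now fails unless those objects already exist — if they moved to another of the 37 files in this commit, a header comment such as `# Requires namespace mcm and PVC imtl-pvc, created by <other manifest>` would save the next reader the search. The memif sockets also move from a PVC to `hostPath: /tmp/mcm/memif`; `/tmp` on the host is writable by every local user, so an unprivileged host process can pre-create or swap that directory before the pod mounts it, and a dedicated root-owned directory outside `/tmp` would be the safer choice. `$(POD_IP)` at L367 is the only unquoted element of the flow sequence; `"$(POD_IP)"` matches the other entries and is still expanded by the kubelet. The DaemonSet spec continues outside the hunks.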