Merge branch 'canonical:main' into annotations

canonical · Nov 15, 2024 · 525dfab · 525dfab
2 parents 28cbd29 + 81bb027
commit 525dfab
Show file tree

Hide file tree

Showing 33 changed files with 1,201 additions and 177 deletions.
diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml
@@ -108,6 +108,8 @@ jobs:
           format: "sarif"
           output: "trivy-k8s-repo-scan--results.sarif"
           severity: "MEDIUM,HIGH,CRITICAL"
+        env:
+          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
       - name: Gather Trivy repo scan results
         run: |
           cp trivy-k8s-repo-scan--results.sarif ./sarifs/
@@ -119,7 +121,7 @@ jobs:
           for var in $(env | grep -o '^TRIVY_[^=]*'); do
             unset "$var"
           done
-          ./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
+          ./trivy --db-repository public.ecr.aws/aquasecurity/trivy-db rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
       - name: Get HEAD sha
         run: |
           SHA="$(git rev-parse HEAD)"

diff --git a/.github/workflows/integration-informing.yaml b/.github/workflows/integration-informing.yaml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-20.04
     strategy:
       matrix:
-        patch: ["strict", "moonray"]
+        patch: ["moonray"]
       fail-fast: false
     steps:
       - name: Harden Runner
@@ -58,16 +58,16 @@ jobs:
     strategy:
       matrix:
         os: ["ubuntu:20.04"]
-        patch: ["strict", "moonray"]
+        patch: ["moonray"]
       fail-fast: false
-    runs-on: ubuntu-20.04
+    runs-on: ["self-hosted", "Linux", "AMD64", "jammy", "large"]
     steps:
       - name: Check out code
         uses: actions/checkout@v4
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.8'
+          python-version: '3.10'
       - name: Install tox
         run: pip install tox
       - name: Install lxd
@@ -76,6 +76,8 @@ jobs:
           sudo lxd init --auto
           sudo usermod --append --groups lxd $USER
           sg lxd -c 'lxc version'
+          sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT
+          sudo iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       - name: Download snap
         uses: actions/download-artifact@v4
         with:

diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
@@ -73,7 +73,7 @@ jobs:
       fail-fast: false
       matrix:
         os: ["ubuntu:20.04", "ubuntu:22.04", "ubuntu:24.04"]
-    runs-on: ubuntu-20.04
+    runs-on: ["self-hosted", "Linux", "AMD64", "jammy", "large"]
     needs: build
 
     steps:
@@ -82,7 +82,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
-          python-version: '3.8'
+          python-version: '3.10'
       - name: Install tox
         run: pip install tox
       - name: Install lxd
@@ -91,6 +91,8 @@ jobs:
           sudo lxd init --auto
           sudo usermod --append --groups lxd $USER
           sg lxd -c 'lxc version'
+          sudo iptables -I DOCKER-USER -i lxdbr0 -j ACCEPT
+          sudo iptables -I DOCKER-USER -o lxdbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
       - name: Download snap
         uses: actions/download-artifact@v4
         with:
@@ -163,6 +165,8 @@ jobs:
           format: "sarif"
           output: "trivy-k8s-repo-scan--results.sarif"
           severity: "MEDIUM,HIGH,CRITICAL"
+        env:
+          TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
       - name: Gather Trivy repo scan results
         run: |
           cp trivy-k8s-repo-scan--results.sarif ./manual-trivy/sarifs/
@@ -173,7 +177,7 @@ jobs:
           done
           cp build/k8s.snap .
           unsquashfs k8s.snap
-          ./manual-trivy/trivy rootfs ./squashfs-root/ --format sarif > ./manual-trivy/sarifs/snap.sarif
+          ./manual-trivy/trivy --db-repository public.ecr.aws/aquasecurity/trivy-db rootfs ./squashfs-root/ --format sarif > ./manual-trivy/sarifs/snap.sarif
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:

diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml
@@ -17,7 +17,7 @@ jobs:
         release: ["latest/edge"]
       fail-fast: false # TODO: remove once arm64 works
 
-    runs-on: ${{ matrix.arch == 'arm64' && 'Ubuntu_ARM64_4C_16G_01' || 'ubuntu-20.04' }}
+    runs-on: ${{ matrix.arch == 'arm64' && ["self-hosted", "Linux", "ARM64", "jammy", "large"] || ["self-hosted", "Linux", "AMD64", "jammy", "large"] }}
 
     steps:
       - name: Checking out repo

diff --git a/build-scripts/hack/generate-sbom.py b/build-scripts/hack/generate-sbom.py
@@ -139,13 +139,15 @@ def k8s_snap_c_dqlite_components(manifest, extra_files):
 def rock_cilium(manifest, extra_files):
     LOG.info("Generating SBOM info for Cilium rocks")
 
+    cilium_version = "1.15.2"
+
     with util.git_repo(CILIUM_ROCK_REPO, CILIUM_ROCK_TAG) as d:
         rock_repo_commit = util.parse_output(["git", "rev-parse", "HEAD"], cwd=d)
-        rockcraft = (d / "cilium/rockcraft.yaml").read_text()
-        operator_rockcraft = (d / "cilium-operator-generic/rockcraft.yaml").read_text()
+        rockcraft = (d / f"{cilium_version}/cilium/rockcraft.yaml").read_text()
+        operator_rockcraft = (d / f"{cilium_version}/cilium-operator-generic/rockcraft.yaml").read_text()
 
-        extra_files["cilium/rockcraft.yaml"] = rockcraft
-        extra_files["cilium-operator-generic/rockcraft.yaml"] = operator_rockcraft
+        extra_files[f"{cilium_version}/cilium/rockcraft.yaml"] = rockcraft
+        extra_files[f"{cilium_version}/cilium-operator-generic/rockcraft.yaml"] = operator_rockcraft
 
         rockcraft_yaml = yaml.safe_load(rockcraft)
         repo_url = rockcraft_yaml["parts"]["cilium"]["source"]
@@ -169,10 +171,10 @@ def rock_cilium(manifest, extra_files):
         },
         "language": "go",
         "details": [
-            "cilium/rockcraft.yaml",
+            f"{cilium_version}/cilium/rockcraft.yaml",
             "cilium/go.mod",
             "cilium/go.sum",
-            "cilium-operator-generic/rockcraft.yaml",
+            f"{cilium_version}/cilium-operator-generic/rockcraft.yaml",
             "cilium-operator-generic/go.mod",
             "cilium-operator-generic/go.sum",
         ],

diff --git a/build-scripts/patches/strict/0001-Strict-patch.patch b/build-scripts/patches/strict/0001-Strict-patch.patch
@@ -1,16 +1,17 @@
-From 3338580f4e22b001615320c40b1c1ad95f8a945e Mon Sep 17 00:00:00 2001
+From 94dadc0e3963e0b01af66e490500c619ec45c019 Mon Sep 17 00:00:00 2001
 From: Angelos Kolaitis <[email protected]>
 Date: Fri, 10 May 2024 19:17:55 +0300
 Subject: [PATCH] Strict patch
 
 ---
- k8s/hack/init.sh                 |   6 +-
- k8s/wrappers/services/containerd |   5 -
- snap/snapcraft.yaml              | 168 ++++++++++++++++++++++++++++++-
- 3 files changed, 172 insertions(+), 7 deletions(-)
+ k8s/hack/init.sh                          |   6 +-
+ k8s/wrappers/services/containerd          |   5 -
+ snap/snapcraft.yaml                       | 171 +++++++++++++++++++++-
+ tests/integration/tests/test_util/util.py |  38 +++--
+ 4 files changed, 198 insertions(+), 22 deletions(-)
 
 diff --git a/k8s/hack/init.sh b/k8s/hack/init.sh
-index a0b57c7d..d53b528a 100755
+index a0b57c7..d53b528 100755
 --- a/k8s/hack/init.sh
 +++ b/k8s/hack/init.sh
 @@ -1,3 +1,7 @@
@@ -23,7 +24,7 @@ index a0b57c7d..d53b528a 100755
 +"${DIR}/connect-interfaces.sh"
 +"${DIR}/network-requirements.sh"
 diff --git a/k8s/wrappers/services/containerd b/k8s/wrappers/services/containerd
-index c3f71a01..a82e1c03 100755
+index c3f71a0..a82e1c0 100755
 --- a/k8s/wrappers/services/containerd
 +++ b/k8s/wrappers/services/containerd
 @@ -21,9 +21,4 @@ You can try to apply the profile manually by running:
@@ -37,7 +38,7 @@ index c3f71a01..a82e1c03 100755
 -
  k8s::common::execute_service containerd
 diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
-index 54b5fc0b..01631684 100644
+index 9d21e55..26f49ad 100644
 --- a/snap/snapcraft.yaml
 +++ b/snap/snapcraft.yaml
 @@ -7,7 +7,7 @@ description: |-
@@ -49,7 +50,7 @@ index 54b5fc0b..01631684 100644
  base: core20
  environment:
    REAL_PATH: $PATH
-@@ -216,6 +216,20 @@ parts:
+@@ -217,6 +217,20 @@ parts:
  apps:
    k8s:
      command: k8s/wrappers/commands/k8s
@@ -70,7 +71,7 @@ index 54b5fc0b..01631684 100644
    containerd:
      command: k8s/wrappers/services/containerd
      daemon: notify
-@@ -226,43 +240,195 @@ apps:
+@@ -227,43 +241,198 @@ apps:
      restart-condition: always
      start-timeout: 5m
      before: [kubelet]
@@ -263,9 +264,61 @@ index 54b5fc0b..01631684 100644
 +    plugs:
 +      - network
 +      - network-bind
-+      - process-control
 +      - network-control
++      - network-observe
++      - process-control
 +      - firewall-control
++      - system-observe
++      - mount-observe
+diff --git a/tests/integration/tests/test_util/util.py b/tests/integration/tests/test_util/util.py
+index 3e54d68..295c458 100644
+--- a/tests/integration/tests/test_util/util.py
++++ b/tests/integration/tests/test_util/util.py
+@@ -191,21 +191,29 @@ def remove_k8s_snap(instance: harness.Instance):
+         ["snap", "remove", config.SNAP_NAME, "--purge"]
+     )
+
+-    LOG.info("Waiting for shims to go away...")
+-    stubbornly(retries=20, delay_s=5).on(instance).until(
+-        lambda p: all(
+-            x not in p.stdout.decode()
+-            for x in ["containerd-shim", "cilium", "coredns", "/pause"]
+-        )
+-    ).exec(["ps", "-fea"])
+-
+-    LOG.info("Waiting for kubelet and containerd mounts to go away...")
+-    stubbornly(retries=20, delay_s=5).on(instance).until(
+-        lambda p: all(
+-            x not in p.stdout.decode()
+-            for x in ["/var/lib/kubelet/pods", "/run/containerd/io.containerd"]
+-        )
+-    ).exec(["mount"])
++    # NOTE(lpetrut): on "strict", the snap remove hook is unable to:
++    #  * terminate processes
++    #  * remove network namespaces
++    #  * list mounts
++    #
++    # https://paste.ubuntu.com/p/WscCCfnvGH/plain/
++    # https://paste.ubuntu.com/p/sSnJVvZkrr/plain/
++    #
++    # LOG.info("Waiting for shims to go away...")
++    # stubbornly(retries=20, delay_s=5).on(instance).until(
++    #     lambda p: all(
++    #         x not in p.stdout.decode()
++    #         for x in ["containerd-shim", "cilium", "coredns", "/pause"]
++    #     )
++    # ).exec(["ps", "-fea"])
++    #
++    # LOG.info("Waiting for kubelet and containerd mounts to go away...")
++    # stubbornly(retries=20, delay_s=5).on(instance).until(
++    #     lambda p: all(
++    #         x not in p.stdout.decode()
++    #         for x in ["/var/lib/kubelet/pods", "/run/containerd/io.containerd"]
++    #     )
++    # ).exec(["mount"])
+
+     # NOTE(neoaggelos): Temporarily disable this as it fails on strict.
+     # For details, `snap changes` then `snap change $remove_k8s_snap_change`.
 -- 
-2.34.1
+2.43.0