From 5eb78adf87ab1b524b0a3fd2032169de1af58dc73bdb06eb74e30fc4a235577b Mon Sep 17 00:00:00 2001
From: Johannes Kastl
Date: Sat, 14 Sep 2024 06:56:55 +0000
Subject: [PATCH] update to 1.2.0 OBS-URL: https://build.opensuse.org/package/show/server:monitoring/tetragon?expand=0&rev=5
---
 .gitattributes | 23 +++++
 .gitignore | 1 +
 _service | 21 +++++
 _servicedata | 4 +
 tetragon-1.1.2.obscpio | 3 +
 tetragon-1.2.0.obscpio | 3 +
 tetragon.changes | 86 ++++++++++++++++++
 tetragon.obsinfo | 4 +
 tetragon.spec | 199 +++++++++++++++++++++++++++++++++++++++++
 vendor.tar.gz | 3 +
 10 files changed, 347 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 _service
 create mode 100644 _servicedata
 create mode 100644 tetragon-1.1.2.obscpio
 create mode 100644 tetragon-1.2.0.obscpio
 create mode 100644 tetragon.changes
 create mode 100644 tetragon.obsinfo
 create mode 100644 tetragon.spec
 create mode 100644 vendor.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..0125cb8
--- /dev/null
+++ b/_service
@@ -0,0 +1,21 @@
+
+
+ https://github.com/cilium/tetragon
+ git
+ .git
+ v1.2.0
+ v1.2.0
+ @PARENT_TAG@
+ enable
+ v(.*)
+
+
+
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..2c82021
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/cilium/tetragon
+ dc458866c6144881e6b407d7c98f5b417d60075d
\ No newline at end of file
diff --git a/tetragon-1.1.2.obscpio b/tetragon-1.1.2.obscpio
new file mode 100644
index 0000000..0ce6e90
--- /dev/null
+++ b/tetragon-1.1.2.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1950e676ca0e469eb0270a7a0d97b5c9f098413d1bd115eb42a9e02d337ee833
+size 178684430
diff --git a/tetragon-1.2.0.obscpio b/tetragon-1.2.0.obscpio
new file mode 100644
index 0000000..e3d4196
--- /dev/null
+++ b/tetragon-1.2.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e991b4f330969d2025698af7671cfd194ca56cd06a7cdce22c06f1e2c65748d3
+size 184140814
diff --git a/tetragon.changes b/tetragon.changes
new file mode 100644
index 0000000..3615128
--- /dev/null
+++ b/tetragon.changes
@@ -0,0 +1,86 @@
+-------------------------------------------------------------------
+Fri Sep 13 18:27:13 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.2.0:
+ Full changelog see
+ https://github.com/cilium/tetragon/releases/tag/v1.2.0
+ * Major Changes
+ - feat: Username for process_exec events (#2369) by @anfedotoff
+ - tetragon: Allow persistent enforcement during tetragon
+ restart (#2600) by @olsajiri
+ - LSM sensor (#2566) by @anfedotoff
+ * Bugfixes
+ - bpf: use CORE for execve hook (#2399) by @kkourt
+ - Don't create PodInfo if the pod is being deleted (#2431) by
+ @michi-covalent
+ - tetragon: allow namespaced and non-namespaced policies to
+ have the same name (#2337) by @joshuajorel
+ - operator: Don't start metrics server if Helm value
+ tetragonOperator.prometheus.enabled is set to false. (#2484)
+ by @yukinakanaka
+ - enforcer: fix issue when using multiple calls with fmod_ret
+ (#2524) by @kkourt
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ memory controller) of the stack trace feature when unused.
+ (#2546) by @mtardy
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ memory controller) of the ratelimit feature when unused
+ (around ~10MB per kprobe). (#2551) by @mtardy
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ memory controller) of the fdinstall feature when unused
+ (around ~11MB per kprobe). (#2563) by @mtardy
+ - Do not increase the reference count when we cannot find a
+ parent in kthreads. (#2620) by @tpapagian
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ v2 memory controller) of the override feature when unused
+ (around ~3MB per kprobe). (#2692) by @mtardy
+ - Fix a bug related to the matchBinaries Prefix operator by
+ increasing the buffer size used by our dentry walk. Now the
+ matchBinaries Prefix operator can correctly trigger a match
+ on any path above 255 chars. (#2764) by @mtardy
+ - Fix a bug where the tetra getevents command would timeout
+ even if the connection was successful. (#2765) by @mtardy
+ - Fix missing cases in the compact encoder for tetra. (#2819)
+ by @willfindlay
+ - add support for pod association via cgroup id (#2776) by
+ @kkourt
+ - Allow disabling gRPC either by selecting 'enabled:false' in
+ the helm chart or by passing an empty address to the agent
+ (#2826) by @kkourt
+ - Fix tetragon_process_cache_size metric (#2827) by @lambdanis
+
+-------------------------------------------------------------------
+Mon Jul 29 18:36:26 UTC 2024 - Johannes Kastl
+
+- exclude architectures that fail to build due to
+ 'pkg/syscallinfo/syscallinfo.go:39:34: undefined: syscallNames'
+ errors
+
+-------------------------------------------------------------------
+Wed Jun 12 16:18:43 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.1.2:
+ * Bugfixes:
+ - Don't create PodInfo if the pod is being deleted
+ - [v1.1] backport: bpf: use CORE for execve hook
+ - enforcer: fix issue when using multiple calls with fmod_ret
+ * Minor Changes:
+ - backports:1.1:tests: fix trace module testing
+ - backports:1.1: uid username resolution support
+ - helm: Add tetragon.livenessProbe value
+ - backport:v1.1: btf: take first entry on multiple function
+ matches
+ * Misc Changes:
+ - Prepare for v1.1.0 release
+ - Use gRPC-based liveness probe instead of tetra status.
+ - [v1.1] Introduce upgrade notes
+ - Prepare for v1.1.1 release
+ - [v1.1] Makefile: exclude api tags from version
+ - v1.1: misc updates relating to release process
+ - Prepare for v1.1.2 release
+
+-------------------------------------------------------------------
+Tue Apr 30 18:11:26 UTC 2024 - Johannes Kastl
+
+- new package tetragon: eBPF-based Security Observability and
+ Runtime Enforcement
diff --git a/tetragon.obsinfo b/tetragon.obsinfo
new file mode 100644
index 0000000..08b8711
--- /dev/null
+++ b/tetragon.obsinfo
@@ -0,0 +1,4 @@
+name: tetragon
+version: 1.2.0
+mtime: 1725534176
+commit: dc458866c6144881e6b407d7c98f5b417d60075d
diff --git a/tetragon.spec b/tetragon.spec
new file mode 100644
index 0000000..de42209
--- /dev/null
+++ b/tetragon.spec
@@ -0,0 +1,199 @@
+#
+# spec file for package tetragon
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
+
+%define cli_binary_name tetra
+%define cli_package_name tetragon-cli
+
+Name: tetragon
+Version: 1.2.0
+Release: 0
+Summary: eBPF-based Security Observability and Runtime Enforcement
+License: Apache-2.0
+URL: https://github.com/cilium/tetragon
+Source: tetragon-%{version}.tar.gz
+Source1: vendor.tar.gz
+BuildRequires: clang >= 15
+BuildRequires: go >= 1.22
+BuildRequires: llvm
+BuildRequires: make
+ExcludeArch: i586 ppc64le s390x armv7l armv7hl
+
+%description
+Cilium’s new Tetragon component enables powerful real-time, eBPF-based Security
+Observability and Runtime Enforcement.
+
+Tetragon detects and is able to react to security-significant events, such as
+
+* Process execution events
+* System call activity
+* I/O activity including network & file access
+
+When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is,
+it understands Kubernetes identities such as namespaces, pods and so on - so
+that security event detection can be configured in relation to individual
+workloads.
+
+%package -n %{cli_package_name}
+Summary: CLI for Tetragon
+Provides: tetra = %{version}
+
+%description -n %{cli_package_name}
+To interact with Tetragon, install the Tetragon client CLI tetra.
+
+%package -n %{cli_package_name}-bash-completion
+Summary: Bash Completion for %{cli_package_name}
+Group: System/Shells
+Requires: %{cli_package_name} = %{version}
+Requires: bash-completion
+Supplements: (%{cli_package_name} and bash-completion)
+BuildArch: noarch
+
+%description -n %{cli_package_name}-bash-completion
+Bash command line completion support for %{cli_package_name}.
+
+%package -n %{cli_package_name}-fish-completion
+Summary: Fish Completion for %{cli_package_name}
+Group: System/Shells
+Requires: %{cli_package_name} = %{version}
+Supplements: (%{cli_package_name} and fish)
+BuildArch: noarch
+
+%description -n %{cli_package_name}-fish-completion
+Fish command line completion support for %{cli_package_name}.
+
+%package -n %{cli_package_name}-zsh-completion
+Summary: Zsh Completion for %{cli_package_name}
+Group: System/Shells
+Requires: %{cli_package_name} = %{version}
+Supplements: (%{cli_package_name} and zsh)
+BuildArch: noarch
+
+%description -n %{cli_package_name}-zsh-completion
+zsh command line completion support for %{cli_package_name}.
+
+%prep
+%autosetup -p 1 -a 1
+
+%build
+#
+# tetragon
+#
+go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags="-X github.com/cilium/tetragon/pkg/version.Version=%{version}" \
+ -o bin/%{name} ./cmd/%{name}
+
+# bpf stuff
+# https://github.com/cilium/tetragon/blob/main/Makefile#L159
+# https://github.com/cilium/tetragon/blob/main/bpf/Makefile
+make -C ./bpf BPF_TARGET_ARCH=x86 %{?_smp_mflags}
+
+#
+# tetra cli
+#
+go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags="-X github.com/cilium/tetragon/pkg/version.Version=%{version}" \
+ -o bin/%{cli_binary_name} ./cmd/%{cli_binary_name}
+
+%install
+#
+# tetragon
+#
+install -D -m 0755 bin/%{name} %{buildroot}/%{_bindir}/%{name}
+install -D -m 0644 ./install/linux-tarball/systemd/tetragon.service %{buildroot}/%{_unitdir}/%{name}.service
+sed -i 's#/local##' %{buildroot}/%{_unitdir}/%{name}.service
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/%{name}.tp.d/
+install -D -m 0644 ./install/linux-tarball/usr/local/lib/tetragon/tetragon.conf.d/* %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/
+sed -i 's#/local##' %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/*
+sed -i 's#/lib/#/lib64/#' %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/bpf-lib
+
+install -d -m 0755 %{buildroot}/%{_libdir}/%{name}/
+install -d -m 0755 %{buildroot}/%{_libdir}/%{name}/bpf
+install -D -m 0644 ./bpf/objs/*.o %{buildroot}/%{_libdir}/%{name}/bpf
+
+#
+# tetra cli
+#
+# Install the binary.
+install -D -m 0755 bin/%{cli_binary_name} %{buildroot}/%{_bindir}/%{cli_binary_name}
+
+# create the bash completion file
+mkdir -p %{buildroot}%{_datarootdir}/bash-completion/completions/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion bash > %{buildroot}%{_datarootdir}/bash-completion/completions/%{cli_binary_name}
+
+# create the fish completion file
+mkdir -p %{buildroot}%{_datarootdir}/fish/vendor_completions.d/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion fish > %{buildroot}%{_datarootdir}/fish/vendor_completions.d/%{cli_binary_name}.fish
+
+# create the zsh completion file
+mkdir -p %{buildroot}%{_datarootdir}/zsh_completion.d/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion zsh > %{buildroot}%{_datarootdir}/zsh_completion.d/_%{cli_binary_name}
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%check
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/%{name}
+%{_unitdir}/%{name}.service
+%dir %attr(755,root, root) %{_sysconfdir}/%{name}/
+%dir %attr(755,root, root) %{_sysconfdir}/%{name}/%{name}.conf.d/
+%defattr(0644, root, root)
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf.d/*
+%dir %attr(755,root, root) %{_libdir}/%{name}
+%dir %attr(755,root, root) %{_libdir}/%{name}/bpf/
+%attr(644,root, root) %{_libdir}/%{name}/bpf/*
+
+%files -n %{cli_package_name}
+%doc README.md
+%license LICENSE
+%{_bindir}/%{cli_binary_name}
+
+%files -n %{cli_package_name}-bash-completion
+%dir %{_datarootdir}/bash-completion/completions/
+%{_datarootdir}/bash-completion/completions/%{cli_binary_name}
+
+%files -n %{cli_package_name}-fish-completion
+%dir %{_datarootdir}/fish
+%dir %{_datarootdir}/fish/vendor_completions.d
+%{_datarootdir}/fish/vendor_completions.d/%{cli_binary_name}.fish
+
+%files -n %{cli_package_name}-zsh-completion
+%dir %{_datarootdir}/zsh_completion.d/
+%{_datarootdir}/zsh_completion.d/_%{cli_binary_name}
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..9aad84c
--- /dev/null
+++ b/vendor.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d3f81bd2866cfd87e729a0afc61912c460e84452d9a69cb856a390b227d162c2
+size 13792023
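Review bot: In tetragon.spec, `make -C ./bpf BPF_TARGET_ARCH=x86` in %build hard-codes the x86 BPF target, although the `ExcludeArch` list still leaves aarch64 and other non-x86 targets enabled; on those builders the probes would presumably be compiled against x86 register layouts, and a security sensor built that way can misread hook arguments without the build ever failing. I would select the target per architecture as sketched below and replace the exclude list with `ExclusiveArch: x86_64 aarch64` so unsupported targets stop early; `arm64` is the value upstream's Makefile appears to use for aarch64 and should be confirmed there. In %install, `sed -i 's#/lib/#/lib64/#'` rewrites `bpf-lib` to a fixed `lib64` while the objects are installed under `%{_libdir}`, so `sed -i 's#/lib/#/%{_lib}/#'` would keep the configured path and the installed path in step. Separately, `%{name}.tp.d/` is created in %install but is not listed in %files, so the policy directory is not owned by the package with known permissions, and `%check` is empty.

```spec
# … unchanged: go build of tetragon …

# bpf stuff: pick the BPF target that matches the build architecture
%ifarch x86_64
%global bpf_target_arch x86
%endif
%ifarch aarch64
%global bpf_target_arch arm64
%endif
make -C ./bpf BPF_TARGET_ARCH=%{bpf_target_arch} %{?_smp_mflags}

# … unchanged: go build of tetra cli …
```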