commit d230a358c62fc8ffbf0e5ec53ab9f0a97fe08152f9eb09bd8072ebf4f8fb549e
Author: Johannes Kastl
Date: Fri Dec 13 14:51:44 2024 +0000
Accepting request 1230818 from home:ojkastl_buildservice:Branch_server_monitoring update to 1.3.0
OBS-URL: https://build.opensuse.org/request/show/1230818
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/tetragon?expand=0&rev=9
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..f7b9924
--- /dev/null
+++ b/_service
@@ -0,0 +1,21 @@
+
+
+ https://github.com/cilium/tetragon
+ git
+ .git
+ v1.3.0
+ v1.3.0
+ @PARENT_TAG@
+ v(.*)
+ enable
+
+
+
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..ac3bed2
--- /dev/null
+++ b/_servicedata
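Review bot: `vendor.tar.gz`, which tetragon.spec consumes as Source1 and builds against with `-mod=vendor`, is committed as an opaque LFS blob while nothing in the visible `_service` regenerates it (the XML tags were stripped in this rendering, so the exact set of services is inferred); the vendored dependency tree therefore has no recorded provenance beyond the sha256 in the LFS pointer. Consider adding a `go_modules` service entry (obs-service-go_modules) so the vendor archive is rebuilt from the upstream tarball's go.mod/go.sum and the module checksums are verified when the service runs, or at least note in tetragon.changes how the archive was produced. The pinned `v1.3.0` revision is a mutable tag; `_servicedata` records commit `4a6643e71e2357324ab8ab73ecb7286d73e96ef8`, which is the value to compare against upstream when auditing the source.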
@@ -0,0 +1,4 @@
+
+
+ https://github.com/cilium/tetragon
+ 4a6643e71e2357324ab8ab73ecb7286d73e96ef8
\ No newline at end of file
diff --git a/tetragon-1.1.2.obscpio b/tetragon-1.1.2.obscpio
new file mode 100644
index 0000000..0ce6e90
--- /dev/null
+++ b/tetragon-1.1.2.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1950e676ca0e469eb0270a7a0d97b5c9f098413d1bd115eb42a9e02d337ee833
+size 178684430
diff --git a/tetragon-1.2.0.obscpio b/tetragon-1.2.0.obscpio
new file mode 100644
index 0000000..e3d4196
--- /dev/null
+++ b/tetragon-1.2.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e991b4f330969d2025698af7671cfd194ca56cd06a7cdce22c06f1e2c65748d3
+size 184140814
diff --git a/tetragon-1.2.1.obscpio b/tetragon-1.2.1.obscpio
new file mode 100644
index 0000000..67c99a6
--- /dev/null
+++ b/tetragon-1.2.1.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b4ed31b10ae0019b2fd4cf1e67ce2a1d9439691dedc6b05a9b7d41c11a347a89
+size 184324110
diff --git a/tetragon-1.3.0.obscpio b/tetragon-1.3.0.obscpio
new file mode 100644
index 0000000..3ae1bd5
--- /dev/null
+++ b/tetragon-1.3.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b52fe495a79de564a52fc89e5589747d69e20aef7c7f37a32807c105487e99f
+size 178766862
diff --git a/tetragon.changes b/tetragon.changes
new file mode 100644
index 0000000..45d70f5
--- /dev/null
+++ b/tetragon.changes
@@ -0,0 +1,191 @@
+-------------------------------------------------------------------
+Fri Dec 13 10:00:07 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.3.0:
+ Large changelog, please find the full changelog here:
+ https://github.com/cilium/tetragon/releases
+ * Upgrade notes
+ Depending on your setup, changes listed here might require a
+ manual intervention.
+ - Behavior of export-file-perm flag (and corresponding Helm
+ value tetragon.exportFilePerm) changed. In case the export
+ file exists, but has different permissions than specified in
+ the option, Tetragon will change the file permissions on the
+ next log rotation. In older versions, log rotation preserved
+ permissions of the existing file. Before upgrading check if
+ permissions of the existing export file match the option (600
+ by default), and set the agent flag or Helm value to the
+ desired value if needed.
+ - Events (protobuf API)
+ New events for syscall64 type
+ Previous versions of Tetragon did not distinguish between
+ different ABIs when using the syscall64 type because the
+ output was just a size_arg with the id. When executing the
+ getcpu syscall, for example, the JSON for 64- and 32-bits
+ would be:
+ "args":[{"size_arg":"309"}]
+ "args":[{"size_arg":"318"}]
+ Note that id 318 for x86_64 is a different syscall: getrandom
+ so we cannot distinguish between a getrandom syscall on
+ x86_64 and a getcpu call on 32-bit (i386). To address this
+ issue, the output of syscall64 was changed to a SyscallId
+ object that also includes the ABI. So the JSON for 64- and
+ 32-bits getcpu now is:
+ "args":[{"syscall_id":{"id":309,"abi":"x64"}}]
+ "args":[{"syscall_id":{"id":318,"abi":"i386"}}]
+ Users that want to maintain the old behavior can use the
+ --enable-compatibility-syscall64-size-type flag for this
+ version.
+ The flag will be removed in v1.4.
+ - Metrics
+ tetragon_ratelimit_dropped_total metric is renamed to
+ tetragon_export_ratelimit_events_dropped_total
+ * Major Changes:
+ - IMA hashes in LSM events (#2818) by @anfedotoff
+ - tetragon: add support for associating pod information when
+ nested cgroups are used (#3170) by @kkourt
+ * - Bugfixes:
+ - Fix clone event eventcache retry handler when missing pod
+ info. (#2899) by @tpapagian
+ - pkg/sensors: fix memory use of unloaded sensors (#3021) by
+ @mtardy
+ - tetragon: fix the process exit signal when core dumped
+ (#3039) by @justin0u0
+ - tetragon: improve how we handle cgroupv1 and cgroupv2 (#3053)
+ by @tixxdz
+ - [metrics] Fix overhead_program metrics for return probes
+ (#3074) by @tpapagian
+ - exec: fix tracking of matchBinary children (#3186) by @kkourt
+
+-------------------------------------------------------------------
+Wed Nov 27 11:11:43 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.2.1:
+ * Prepare for v1.2.1 release
+ * filters: implement parent_arguments_regex
+ * chore(deps): update go to v1.22.9
+ * chore(deps): update docker.io/library/alpine:3.20.3 docker
+ digest to 1e42bbe
+ * tetragon: probe_read usage may cause issues with newer kernels
+ * e2e tests: skip label test on ARM
+ * workflows: use GitHub arm64 runners instead of actuated
+ * Add support to exclude valid processes from dump processCache
+ * tetra: add max-recv-size to processcache dump cmd
+ * tetra: rewrite dump processcache cmd for correct error code
+ * tetra: use consistent case in dump cmd and api
+ * Add support to dump processLRU
+ * [btf] Flush kernel spec (BTF) after loading a sensor
+ * [ksyms] Do not cache ksyms to reduce memory consumption
+ * fix(deps): update module github.com/cilium/cilium to v1.15.10
+ [security]
+ * chore(deps): update docker.io/library/golang:1.22.8 docker
+ digest to 0ca97f4
+ * chore(deps): update docker.io/library/alpine docker tag to
+ v3.20.3
+ * chore(deps): update go to v1.22.8
+ * fix(deps): update module github.com/containers/common to
+ v0.60.4 [security]
+ * chore(deps): update docker.io/library/golang:1.22.6 docker
+ digest to a632201
+ * chore: update containers/common
+ * Remove const from parameters
+ * bpf: allow all operations for syscall64 type
+ * watcher: add metrics for deleted pod cache
+ * watcher: add a deleted pod cache
+ * watcher: add test for "fast" k8s API server
+ * watcher: change FindContainer function
+ * watcher: add a containerIDKey function
+ * watcher: refactor watcher
+ * Export EventCache tunables in the Helm Chart
+ * Reduce the delay in GRPC gotests
+ * Make EventCache configurable
+ * helm: Set rthooks.podSecurityContext to empty by default
+ * helm: Remove deprecated tetragon.skipCRDCreation value
+ * [bugfix] Fix clone event caching due to missing pod info
+
+-------------------------------------------------------------------
+Fri Sep 13 18:27:13 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.2.0:
+ Full changelog see
+ https://github.com/cilium/tetragon/releases/tag/v1.2.0
+ * Major Changes
+ - feat: Username for process_exec events (#2369) by @anfedotoff
+ - tetragon: Allow persistent enforcement during tetragon
+ restart (#2600) by @olsajiri
+ - LSM sensor (#2566) by @anfedotoff
+ * Bugfixes
+ - bpf: use CORE for execve hook (#2399) by @kkourt
+ - Don't create PodInfo if the pod is being deleted (#2431) by
+ @michi-covalent
+ - tetragon: allow namespaced and non-namespaced policies to
+ have the same name (#2337) by @joshuajorel
+ - operator: Don't start metrics server if Helm value
+ tetragonOperator.prometheus.enabled is set to false. (#2484)
+ by @yukinakanaka
+ - enforcer: fix issue when using multiple calls with fmod_ret
+ (#2524) by @kkourt
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ memory controller) of the stack trace feature when unused.
+ (#2546) by @mtardy
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ memory controller) of the ratelimit feature when unused
+ (around ~10MB per kprobe). (#2551) by @mtardy
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ memory controller) of the fdinstall feature when unused
+ (around ~11MB per kprobe). (#2563) by @mtardy
+ - Do not increase the reference count when we cannot find a
+ parent in kthreads. (#2620) by @tpapagian
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ v2 memory controller) of the override feature when unused
+ (around ~3MB per kprobe). (#2692) by @mtardy
+ - Fix a bug related to the matchBinaries Prefix operator by
+ increasing the buffer size used by our dentry walk. Now the
+ matchBinaries Prefix operator can correctly trigger a match
+ on any path above 255 chars. (#2764) by @mtardy
+ - Fix a bug where the tetra getevents command would timeout
+ even if the connection was successful. (#2765) by @mtardy
+ - Fix missing cases in the compact encoder for tetra. (#2819)
+ by @willfindlay
+ - add support for pod association via cgroup id (#2776) by
+ @kkourt
+ - Allow disabling gRPC either by selecting 'enabled:false' in
+ the helm chart or by passing an empty address to the agent
+ (#2826) by @kkourt
+ - Fix tetragon_process_cache_size metric (#2827) by @lambdanis
+
+-------------------------------------------------------------------
+Mon Jul 29 18:36:26 UTC 2024 - Johannes Kastl
+
+- exclude architectures that fail to build due to
+ 'pkg/syscallinfo/syscallinfo.go:39:34: undefined: syscallNames'
+ errors
+
+-------------------------------------------------------------------
+Wed Jun 12 16:18:43 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.1.2:
+ * Bugfixes:
+ - Don't create PodInfo if the pod is being deleted
+ - [v1.1] backport: bpf: use CORE for execve hook
+ - enforcer: fix issue when using multiple calls with fmod_ret
+ * Minor Changes:
+ - backports:1.1:tests: fix trace module testing
+ - backports:1.1: uid username resolution support
+ - helm: Add tetragon.livenessProbe value
+ - backport:v1.1: btf: take first entry on multiple function
+ matches
+ * Misc Changes:
+ - Prepare for v1.1.0 release
+ - Use gRPC-based liveness probe instead of tetra status.
+ - [v1.1] Introduce upgrade notes
+ - Prepare for v1.1.1 release
+ - [v1.1] Makefile: exclude api tags from version
+ - v1.1: misc updates relating to release process
+ - Prepare for v1.1.2 release
+
+-------------------------------------------------------------------
+Tue Apr 30 18:11:26 UTC 2024 - Johannes Kastl
+
+- new package tetragon: eBPF-based Security Observability and
+ Runtime Enforcement
diff --git a/tetragon.obsinfo b/tetragon.obsinfo
new file mode 100644
index 0000000..76d3654
--- /dev/null
+++ b/tetragon.obsinfo
@@ -0,0 +1,4 @@
+name: tetragon
+version: 1.3.0
+mtime: 1734081089
+commit: 4a6643e71e2357324ab8ab73ecb7286d73e96ef8
diff --git a/tetragon.spec b/tetragon.spec
new file mode 100644
index 0000000..b73c70a
--- /dev/null
+++ b/tetragon.spec 
@@ -0,0 +1,196 @@
+#
+# spec file for package tetragon
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define cli_binary_name tetra
+%define cli_package_name tetragon-cli
+
+Name: tetragon
+Version: 1.3.0
+Release: 0
+Summary: eBPF-based Security Observability and Runtime Enforcement
+License: Apache-2.0
+URL: https://github.com/cilium/tetragon
+Source: tetragon-%{version}.tar.gz
+Source1: vendor.tar.gz
+BuildRequires: bash-completion
+BuildRequires: clang >= 15
+BuildRequires: fish
+BuildRequires: go >= 1.22
+BuildRequires: llvm
+BuildRequires: make
+BuildRequires: zsh
+ExcludeArch: i586 ppc64le s390x armv7l armv7hl
+
+%description
+Cilium’s new Tetragon component enables powerful real-time, eBPF-based Security
+Observability and Runtime Enforcement.
+
+Tetragon detects and is able to react to security-significant events, such as
+
+* Process execution events
+* System call activity
+* I/O activity including network & file access
+
+When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is,
+it understands Kubernetes identities such as namespaces, pods and so on - so
+that security event detection can be configured in relation to individual
+workloads.
+
+%package -n %{cli_package_name}
+Summary: CLI for Tetragon
+Provides: tetra = %{version}
+
+%description -n %{cli_package_name}
+To interact with Tetragon, install the Tetragon client CLI tetra.
+
+%package -n %{cli_package_name}-bash-completion
+Summary: Bash Completion for %{cli_package_name}
+Group: System/Shells
+Requires: %{cli_package_name} = %{version}
+Requires: bash-completion
+Supplements: (%{cli_package_name} and bash-completion)
+BuildArch: noarch
+
+%description -n %{cli_package_name}-bash-completion
+Bash command line completion support for %{cli_package_name}.
+
+%package -n %{cli_package_name}-fish-completion
+Summary: Fish Completion for %{cli_package_name}
+Group: System/Shells
+Requires: %{cli_package_name} = %{version}
+Supplements: (%{cli_package_name} and fish)
+BuildArch: noarch
+
+%description -n %{cli_package_name}-fish-completion
+Fish command line completion support for %{cli_package_name}.
+
+%package -n %{cli_package_name}-zsh-completion
+Summary: Zsh Completion for %{cli_package_name}
+Group: System/Shells
+Requires: %{cli_package_name} = %{version}
+Supplements: (%{cli_package_name} and zsh)
+BuildArch: noarch
+
+%description -n %{cli_package_name}-zsh-completion
+zsh command line completion support for %{cli_package_name}.
+
+%prep
+%autosetup -p 1 -a 1
+
+%build
+#
+# tetragon
+#
+go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags="-X github.com/cilium/tetragon/pkg/version.Version=%{version}" \
+ -o bin/%{name} ./cmd/%{name}
+
+# bpf stuff
+# https://github.com/cilium/tetragon/blob/main/Makefile#L159
+# https://github.com/cilium/tetragon/blob/main/bpf/Makefile
+make -C ./bpf BPF_TARGET_ARCH=x86 %{?_smp_mflags}
+
+#
+# tetra cli
+#
+go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags="-X github.com/cilium/tetragon/pkg/version.Version=%{version}" \
+ -o bin/%{cli_binary_name} ./cmd/%{cli_binary_name}
+
+%install
+#
+# tetragon
+#
+install -D -m 0755 bin/%{name} %{buildroot}/%{_bindir}/%{name}
+install -D -m 0644 ./install/linux-tarball/systemd/tetragon.service %{buildroot}/%{_unitdir}/%{name}.service
+sed -i 's#/local##' %{buildroot}/%{_unitdir}/%{name}.service
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/%{name}.tp.d/
+install -D -m 0644 ./install/linux-tarball/usr/local/lib/tetragon/tetragon.conf.d/* %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/
+sed -i 's#/local##' %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/*
+sed -i 's#/lib/#/lib64/#' %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/bpf-lib
+
+install -d -m 0755 %{buildroot}/%{_libdir}/%{name}/
+install -d -m 0755 %{buildroot}/%{_libdir}/%{name}/bpf
+install -D -m 0644 ./bpf/objs/*.o %{buildroot}/%{_libdir}/%{name}/bpf
+
+#
+# tetra cli
+#
+# Install the binary.
+install -D -m 0755 bin/%{cli_binary_name} %{buildroot}/%{_bindir}/%{cli_binary_name}
+
+# create the bash completion file
+mkdir -p %{buildroot}%{_datarootdir}/bash-completion/completions/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion bash > %{buildroot}%{_datarootdir}/bash-completion/completions/%{cli_binary_name}
+
+# create the fish completion file
+mkdir -p %{buildroot}%{_datarootdir}/fish/vendor_completions.d/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion fish > %{buildroot}%{_datarootdir}/fish/vendor_completions.d/%{cli_binary_name}.fish
+
+# create the zsh completion file
+mkdir -p %{buildroot}%{_datarootdir}/zsh/site-functions/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion zsh > %{buildroot}%{_datarootdir}/zsh/site-functions/_%{cli_binary_name}
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%check
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/%{name}
+%{_unitdir}/%{name}.service
+%dir %attr(755,root, root) %{_sysconfdir}/%{name}/
+%dir %attr(755,root, root) %{_sysconfdir}/%{name}/%{name}.conf.d/
+%defattr(0644, root, root)
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf.d/*
+%dir %attr(755,root, root) %{_libdir}/%{name}
+%dir %attr(755,root, root) %{_libdir}/%{name}/bpf/
+%attr(644,root, root) %{_libdir}/%{name}/bpf/*
+
+%files -n %{cli_package_name}
+%doc README.md
+%license LICENSE
+%{_bindir}/%{cli_binary_name}
+
+%files -n %{cli_package_name}-bash-completion
+%{_datarootdir}/bash-completion/completions/%{cli_binary_name}
+
+%files -n %{cli_package_name}-fish-completion
+%{_datarootdir}/fish/vendor_completions.d/%{cli_binary_name}.fish
+
+%files -n %{cli_package_name}-zsh-completion
+%{_datarootdir}/zsh/site-functions/_%{cli_binary_name}
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..7e4f2f3
--- /dev/null
+++ b/vendor.tar.gz
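Review bot: The `%{name}.tp.d` directory created in %install (`install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/%{name}.tp.d/`) is never listed under %files, so it is silently dropped from the package — rpm's unpackaged-file check only reports files and symlinks, not empty directories — and the policy directory the shipped config presumably points at (inferred from the name; confirm against the conf.d contents) will not exist on installed systems; add `%dir %attr(755,root, root) %{_sysconfdir}/%{name}/%{name}.tp.d/` next to the conf.d entry. The BPF objects are built with a hard-coded `BPF_TARGET_ARCH=x86` although aarch64 is not in ExcludeArch, and `sed -i 's#/lib/#/lib64/#'` hard-codes the library directory that `%{_libdir}` already provides, so both should follow the build architecture rather than a fixed value (upstream's bpf Makefile spells the aarch64 target `arm64` as far as I can tell — confirm against the linked Makefile). Finally, `%{_unitdir}` and the `%service_add_*`/`%service_del_*` scriptlets come from systemd-rpm-macros, which is not in BuildRequires; add `BuildRequires: systemd-rpm-macros` and `%{?systemd_requires}` so the macros expand in the build and the runtime dependency is declared.
```rpm-spec
# … unchanged: %build of the tetragon binary …
# bpf objects are architecture specific; pick the target from the build arch
%ifarch aarch64
make -C ./bpf BPF_TARGET_ARCH=arm64 %{?_smp_mflags}
%else
make -C ./bpf BPF_TARGET_ARCH=x86 %{?_smp_mflags}
%endif
# … unchanged: %build of the tetra cli …
```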
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84f2613ed4a842eb2a9dca9bedc0984aff795e75c95652a01023e94f9b4a0ce8
+size 12643824