Accepting request 1230818 from home:ojkastl_buildservice:Branch_server_monitoring

update to 1.3.0

OBS-URL: https://build.opensuse.org/request/show/1230818
OBS-URL: https://build.opensuse.org/package/show/server:monitoring/tetragon?expand=0&rev=9

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

_service

@@ -0,0 +1,21 @@
+<services>
+  <service name="obs_scm" mode="manual">
+    <param name="url">https://github.com/cilium/tetragon</param>
+    <param name="scm">git</param>
+    <param name="exclude">.git</param>
+    <param name="revision">v1.3.0</param>
+    <param name="match-tag">v1.3.0</param>
+    <param name="versionformat">@PARENT_TAG@</param>
+    <param name="versionrewrite-pattern">v(.*)</param>
+    <param name="changesgenerate">enable</param>
+  </service>
+  <service name="set_version" mode="manual">
+  </service>
+  <service name="tar" mode="buildtime"/>
+  <service name="recompress" mode="buildtime">
+    <param name="file">*.tar</param>
+    <param name="compression">gz</param>
+  </service>
+  <service name="go_modules" mode="manual">
+  </service>
+</services>

_servicedata

@@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">https://github.com/cilium/tetragon</param>
+              <param name="changesrevision">4a6643e71e2357324ab8ab73ecb7286d73e96ef8</param></service></servicedata>

tetragon-1.1.2.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1950e676ca0e469eb0270a7a0d97b5c9f098413d1bd115eb42a9e02d337ee833
+size 178684430

tetragon-1.2.0.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e991b4f330969d2025698af7671cfd194ca56cd06a7cdce22c06f1e2c65748d3
+size 184140814

tetragon-1.2.1.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b4ed31b10ae0019b2fd4cf1e67ce2a1d9439691dedc6b05a9b7d41c11a347a89
+size 184324110

tetragon-1.3.0.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b52fe495a79de564a52fc89e5589747d69e20aef7c7f37a32807c105487e99f
+size 178766862

tetragon.changes

@@ -0,0 +1,191 @@
+-------------------------------------------------------------------
+Fri Dec 13 10:00:07 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.3.0:
+  Large changelog, please find the full changelog here:
+  https://github.com/cilium/tetragon/releases
+  * Upgrade notes
+    Depending on your setup, changes listed here might require a
+    manual intervention.
+    - Behavior of export-file-perm flag (and corresponding Helm
+      value tetragon.exportFilePerm) changed. In case the export
+      file exists, but has different permissions than specified in
+      the option, Tetragon will change the file permissions on the
+      next log rotation. In older versions, log rotation preserved
+      permissions of the existing file. Before upgrading check if
+      permissions of the existing export file match the option (600
+      by default), and set the agent flag or Helm value to the
+      desired value if needed.
+    - Events (protobuf API)
+      New events for syscall64 type
+      Previous versions of Tetragon did not distinguish between
+      different ABIs when using the syscall64 type because the
+      output was just a size_arg with the id. When executing the
+      getcpu syscall, for example, the JSON for 64- and 32-bits
+      would be:
+      "args":[{"size_arg":"309"}]
+      "args":[{"size_arg":"318"}]
+      Note that id 318 for x86_64 is a different syscall: getrandom
+      so we cannot distinguish between a getrandom syscall on
+      x86_64 and a getcpu call on 32-bit (i386). To address this
+      issue, the output of syscall64 was changed to a SyscallId
+      object that also includes the ABI. So the JSON for 64- and
+      32-bits getcpu now is:
+      "args":[{"syscall_id":{"id":309,"abi":"x64"}}]
+      "args":[{"syscall_id":{"id":318,"abi":"i386"}}]
+      Users that want to maintain the old behavior can use the
+      --enable-compatibility-syscall64-size-type flag for this
+      version.
+      The flag will be removed in v1.4.
+    - Metrics
+      tetragon_ratelimit_dropped_total metric is renamed to
+      tetragon_export_ratelimit_events_dropped_total
+  * Major Changes:
+    - IMA hashes in LSM events (#2818) by @anfedotoff
+    - tetragon: add support for associating pod information when
+      nested cgroups are used (#3170) by @kkourt
+  * - Bugfixes:
+    - Fix clone event eventcache retry handler when missing pod
+      info. (#2899) by @tpapagian
+    - pkg/sensors: fix memory use of unloaded sensors (#3021) by
+      @mtardy
+    - tetragon: fix the process exit signal when core dumped
+      (#3039) by @justin0u0
+    - tetragon: improve how we handle cgroupv1 and cgroupv2 (#3053)
+      by @tixxdz
+    - [metrics] Fix overhead_program metrics for return probes
+      (#3074) by @tpapagian
+    - exec: fix tracking of matchBinary children (#3186) by @kkourt
+
+-------------------------------------------------------------------
+Wed Nov 27 11:11:43 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.2.1:
+  * Prepare for v1.2.1 release
+  * filters: implement parent_arguments_regex
+  * chore(deps): update go to v1.22.9
+  * chore(deps): update docker.io/library/alpine:3.20.3 docker
+    digest to 1e42bbe
+  * tetragon: probe_read usage may cause issues with newer kernels
+  * e2e tests: skip label test on ARM
+  * workflows: use GitHub arm64 runners instead of actuated
+  * Add support to exclude valid processes from dump processCache
+  * tetra: add max-recv-size to processcache dump cmd
+  * tetra: rewrite dump processcache cmd for correct error code
+  * tetra: use consistent case in dump cmd and api
+  * Add support to dump processLRU
+  * [btf] Flush kernel spec (BTF) after loading a sensor
+  * [ksyms] Do not cache ksyms to reduce memory consumption
+  * fix(deps): update module github.com/cilium/cilium to v1.15.10
+    [security]
+  * chore(deps): update docker.io/library/golang:1.22.8 docker
+    digest to 0ca97f4
+  * chore(deps): update docker.io/library/alpine docker tag to
+    v3.20.3
+  * chore(deps): update go to v1.22.8
+  * fix(deps): update module github.com/containers/common to
+    v0.60.4 [security]
+  * chore(deps): update docker.io/library/golang:1.22.6 docker
+    digest to a632201
+  * chore: update containers/common
+  * Remove const from parameters
+  * bpf: allow all operations for syscall64 type
+  * watcher: add metrics for deleted pod cache
+  * watcher: add a deleted pod cache
+  * watcher: add test for "fast" k8s API server
+  * watcher: change FindContainer function
+  * watcher: add a containerIDKey function
+  * watcher: refactor watcher
+  * Export EventCache tunables in the Helm Chart
+  * Reduce the delay in GRPC gotests
+  * Make EventCache configurable
+  * helm: Set rthooks.podSecurityContext to empty by default
+  * helm: Remove deprecated tetragon.skipCRDCreation value
+  * [bugfix] Fix clone event caching due to missing pod info
+
+-------------------------------------------------------------------
+Fri Sep 13 18:27:13 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.2.0:
+  Full changelog see
+  https://github.com/cilium/tetragon/releases/tag/v1.2.0
+  * Major Changes
+    - feat: Username for process_exec events (#2369) by @anfedotoff
+    - tetragon: Allow persistent enforcement during tetragon
+      restart (#2600) by @olsajiri
+    - LSM sensor (#2566) by @anfedotoff
+  * Bugfixes
+    - bpf: use CORE for execve hook (#2399) by @kkourt
+    - Don't create PodInfo if the pod is being deleted (#2431) by
+      @michi-covalent
+    - tetragon: allow namespaced and non-namespaced policies to
+      have the same name (#2337) by @joshuajorel
+    - operator: Don't start metrics server if Helm value
+      tetragonOperator.prometheus.enabled is set to false. (#2484)
+      by @yukinakanaka
+    - enforcer: fix issue when using multiple calls with fmod_ret
+      (#2524) by @kkourt
+    - Reduce the kernel memory footprint (accounted by the cgroup
+      memory controller) of the stack trace feature when unused.
+      (#2546) by @mtardy
+    - Reduce the kernel memory footprint (accounted by the cgroup
+      memory controller) of the ratelimit feature when unused
+      (around ~10MB per kprobe). (#2551) by @mtardy
+    - Reduce the kernel memory footprint (accounted by the cgroup
+      memory controller) of the fdinstall feature when unused
+      (around ~11MB per kprobe). (#2563) by @mtardy
+    - Do not increase the reference count when we cannot find a
+      parent in kthreads. (#2620) by @tpapagian
+    - Reduce the kernel memory footprint (accounted by the cgroup
+      v2 memory controller) of the override feature when unused
+      (around ~3MB per kprobe). (#2692) by @mtardy
+    - Fix a bug related to the matchBinaries Prefix operator by
+      increasing the buffer size used by our dentry walk. Now the
+      matchBinaries Prefix operator can correctly trigger a match
+      on any path above 255 chars. (#2764) by @mtardy
+    - Fix a bug where the tetra getevents command would timeout
+      even if the connection was successful. (#2765) by @mtardy
+    - Fix missing cases in the compact encoder for tetra. (#2819)
+      by @willfindlay
+    - add support for pod association via cgroup id (#2776) by
+      @kkourt
+    - Allow disabling gRPC either by selecting 'enabled:false' in
+      the helm chart or by passing an empty address to the agent
+      (#2826) by @kkourt
+    - Fix tetragon_process_cache_size metric (#2827) by @lambdanis
+
+-------------------------------------------------------------------
+Mon Jul 29 18:36:26 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- exclude architectures that fail to build due to
+  'pkg/syscallinfo/syscallinfo.go:39:34: undefined: syscallNames'
+  errors
+
+-------------------------------------------------------------------
+Wed Jun 12 16:18:43 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.1.2:
+  * Bugfixes:
+    - Don't create PodInfo if the pod is being deleted
+    - [v1.1] backport: bpf: use CORE for execve hook
+    - enforcer: fix issue when using multiple calls with fmod_ret
+  * Minor Changes:
+    - backports:1.1:tests: fix trace module testing
+    - backports:1.1: uid username resolution support
+    - helm: Add tetragon.livenessProbe value
+    - backport:v1.1: btf: take first entry on multiple function
+      matches
+  * Misc Changes:
+    - Prepare for v1.1.0 release
+    - Use gRPC-based liveness probe instead of tetra status.
+    - [v1.1] Introduce upgrade notes
+    - Prepare for v1.1.1 release
+    - [v1.1] Makefile: exclude api tags from version
+    - v1.1: misc updates relating to release process
+    - Prepare for v1.1.2 release
+
+-------------------------------------------------------------------
+Tue Apr 30 18:11:26 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- new package tetragon: eBPF-based Security Observability and
+  Runtime Enforcement

tetragon.obsinfo

@@ -0,0 +1,4 @@
+name: tetragon
+version: 1.3.0
+mtime: 1734081089
+commit: 4a6643e71e2357324ab8ab73ecb7286d73e96ef8

tetragon.spec

@@ -0,0 +1,196 @@
+#
+# spec file for package tetragon
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define cli_binary_name tetra
+%define cli_package_name tetragon-cli
+
+Name:           tetragon
+Version:        1.3.0
+Release:        0
+Summary:        eBPF-based Security Observability and Runtime Enforcement
+License:        Apache-2.0
+URL:            https://github.com/cilium/tetragon
+Source:         tetragon-%{version}.tar.gz
+Source1:        vendor.tar.gz
+BuildRequires:  bash-completion
+BuildRequires:  clang >= 15
+BuildRequires:  fish
+BuildRequires:  go >= 1.22
+BuildRequires:  llvm
+BuildRequires:  make
+BuildRequires:  zsh
+ExcludeArch:    i586 ppc64le s390x armv7l armv7hl
+
+%description
+Cilium’s new Tetragon component enables powerful real-time, eBPF-based Security
+Observability and Runtime Enforcement.
+
+Tetragon detects and is able to react to security-significant events, such as
+
+* Process execution events
+* System call activity
+* I/O activity including network & file access
+
+When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is,
+it understands Kubernetes identities such as namespaces, pods and so on - so
+that security event detection can be configured in relation to individual
+workloads.
+
+%package -n %{cli_package_name}
+Summary:        CLI for Tetragon
+Provides:       tetra = %{version}
+
+%description -n %{cli_package_name}
+To interact with Tetragon, install the Tetragon client CLI tetra.
+
+%package -n %{cli_package_name}-bash-completion
+Summary:        Bash Completion for %{cli_package_name}
+Group:          System/Shells
+Requires:       %{cli_package_name} = %{version}
+Requires:       bash-completion
+Supplements:    (%{cli_package_name} and bash-completion)
+BuildArch:      noarch
+
+%description -n %{cli_package_name}-bash-completion
+Bash command line completion support for %{cli_package_name}.
+
+%package -n %{cli_package_name}-fish-completion
+Summary:        Fish Completion for %{cli_package_name}
+Group:          System/Shells
+Requires:       %{cli_package_name} = %{version}
+Supplements:    (%{cli_package_name} and fish)
+BuildArch:      noarch
+
+%description -n %{cli_package_name}-fish-completion
+Fish command line completion support for %{cli_package_name}.
+
+%package -n %{cli_package_name}-zsh-completion
+Summary:        Zsh Completion for %{cli_package_name}
+Group:          System/Shells
+Requires:       %{cli_package_name} = %{version}
+Supplements:    (%{cli_package_name} and zsh)
+BuildArch:      noarch
+
+%description -n %{cli_package_name}-zsh-completion
+zsh command line completion support for %{cli_package_name}.
+
+%prep
+%autosetup -p 1 -a 1
+
+%build
+#
+# tetragon
+#
+go build \
+   -mod=vendor \
+   -buildmode=pie \
+   -ldflags="-X github.com/cilium/tetragon/pkg/version.Version=%{version}" \
+   -o bin/%{name} ./cmd/%{name}
+
+# bpf stuff
+# https://github.com/cilium/tetragon/blob/main/Makefile#L159
+# https://github.com/cilium/tetragon/blob/main/bpf/Makefile
+make -C ./bpf BPF_TARGET_ARCH=x86 %{?_smp_mflags}
+
+#
+# tetra cli
+#
+go build \
+   -mod=vendor \
+   -buildmode=pie \
+   -ldflags="-X github.com/cilium/tetragon/pkg/version.Version=%{version}" \
+   -o bin/%{cli_binary_name} ./cmd/%{cli_binary_name}
+
+%install
+#
+# tetragon
+#
+install -D -m 0755 bin/%{name} %{buildroot}/%{_bindir}/%{name}
+install -D -m 0644 ./install/linux-tarball/systemd/tetragon.service %{buildroot}/%{_unitdir}/%{name}.service
+sed -i 's#/local##' %{buildroot}/%{_unitdir}/%{name}.service
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/%{name}.tp.d/
+install -D -m 0644 ./install/linux-tarball/usr/local/lib/tetragon/tetragon.conf.d/* %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/
+sed -i 's#/local##' %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/*
+sed -i 's#/lib/#/lib64/#' %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/bpf-lib
+
+install -d -m 0755 %{buildroot}/%{_libdir}/%{name}/
+install -d -m 0755 %{buildroot}/%{_libdir}/%{name}/bpf
+install -D -m 0644 ./bpf/objs/*.o  %{buildroot}/%{_libdir}/%{name}/bpf
+
+#
+# tetra cli
+#
+# Install the binary.
+install -D -m 0755 bin/%{cli_binary_name} %{buildroot}/%{_bindir}/%{cli_binary_name}
+
+# create the bash completion file
+mkdir -p %{buildroot}%{_datarootdir}/bash-completion/completions/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion bash > %{buildroot}%{_datarootdir}/bash-completion/completions/%{cli_binary_name}
+
+# create the fish completion file
+mkdir -p %{buildroot}%{_datarootdir}/fish/vendor_completions.d/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion fish > %{buildroot}%{_datarootdir}/fish/vendor_completions.d/%{cli_binary_name}.fish
+
+# create the zsh completion file
+mkdir -p %{buildroot}%{_datarootdir}/zsh/site-functions/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion zsh > %{buildroot}%{_datarootdir}/zsh/site-functions/_%{cli_binary_name}
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%check
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/%{name}
+%{_unitdir}/%{name}.service
+%dir %attr(755,root, root) %{_sysconfdir}/%{name}/
+%dir %attr(755,root, root) %{_sysconfdir}/%{name}/%{name}.conf.d/
+%defattr(0644, root, root)
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf.d/*
+%dir %attr(755,root, root) %{_libdir}/%{name}
+%dir %attr(755,root, root) %{_libdir}/%{name}/bpf/
+%attr(644,root, root) %{_libdir}/%{name}/bpf/*
+
+%files -n %{cli_package_name}
+%doc README.md
+%license LICENSE
+%{_bindir}/%{cli_binary_name}
+
+%files -n %{cli_package_name}-bash-completion
+%{_datarootdir}/bash-completion/completions/%{cli_binary_name}
+
+%files -n %{cli_package_name}-fish-completion
+%{_datarootdir}/fish/vendor_completions.d/%{cli_binary_name}.fish
+
+%files -n %{cli_package_name}-zsh-completion
+%{_datarootdir}/zsh/site-functions/_%{cli_binary_name}
+
+%changelog

vendor.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84f2613ed4a842eb2a9dca9bedc0984aff795e75c95652a01023e94f9b4a0ce8
+size 12643824