From be2969e87bea651e42005013b5a7495c1cb2ed21cb7bbe72c3083129caac7036 Mon Sep 17 00:00:00 2001 From: Johannes Kastl Date: Wed, 27 Nov 2024 11:33:20 +0000 Subject: [PATCH] update to 1.2.1 OBS-URL: https://build.opensuse.org/package/show/server:monitoring/tetragon?expand=0&rev=7
---
.gitattributes | 23 +++++
.gitignore | 1 +
_service | 21 +++++
_servicedata | 4 +
tetragon-1.1.2.obscpio | 3 +
tetragon-1.2.0.obscpio | 3 +
tetragon-1.2.1.obscpio | 3 +
tetragon.changes | 132 +++++++++++++++++++++++++++
tetragon.obsinfo | 4 +
tetragon.spec | 196 +++++++++++++++++++++++++++++++++++++++++
vendor.tar.gz | 3 +
11 files changed, 393 insertions(+)
create mode 100644 .gitattributes
create mode 100644 .gitignore
create mode 100644 _service
create mode 100644 _servicedata
create mode 100644 tetragon-1.1.2.obscpio
create mode 100644 tetragon-1.2.0.obscpio
create mode 100644 tetragon-1.2.1.obscpio
create mode 100644 tetragon.changes
create mode 100644 tetragon.obsinfo
create mode 100644 tetragon.spec
create mode 100644 vendor.tar.gz
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/_service b/_service
new file mode 100644
index 0000000..c0f3798
--- /dev/null
+++ b/_service
@@ -0,0 +1,21 @@
+
+
+ https://github.com/cilium/tetragon
+ git
+ .git
+ v1.2.1
+ v1.2.1
+ @PARENT_TAG@
+ v(.*)
+ enable
+
+
+
+
+
+ *.tar
+ gz
+
+
+
+
diff --git a/_servicedata b/_servicedata
new file mode 100644
index 0000000..7531b73
--- /dev/null
+++ b/_servicedata
@@ -0,0 +1,4 @@
+
+
+ https://github.com/cilium/tetragon
+ 4b33fd75b08b467a1cc2c61d2fe8eb69bf0b001e
\ No newline at end of file
diff --git a/tetragon-1.1.2.obscpio b/tetragon-1.1.2.obscpio
new file mode 100644
index 0000000..0ce6e90
--- /dev/null
+++ b/tetragon-1.1.2.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1950e676ca0e469eb0270a7a0d97b5c9f098413d1bd115eb42a9e02d337ee833
+size 178684430
diff --git a/tetragon-1.2.0.obscpio b/tetragon-1.2.0.obscpio
new file mode 100644
index 0000000..e3d4196
--- /dev/null
+++ b/tetragon-1.2.0.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e991b4f330969d2025698af7671cfd194ca56cd06a7cdce22c06f1e2c65748d3
+size 184140814
diff --git a/tetragon-1.2.1.obscpio b/tetragon-1.2.1.obscpio
new file mode 100644
index 0000000..67c99a6
--- /dev/null
+++ b/tetragon-1.2.1.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b4ed31b10ae0019b2fd4cf1e67ce2a1d9439691dedc6b05a9b7d41c11a347a89
+size 184324110
diff --git a/tetragon.changes b/tetragon.changes
new file mode 100644
index 0000000..61369fb
--- /dev/null
+++ b/tetragon.changes
@@ -0,0 +1,132 @@
+-------------------------------------------------------------------
+Wed Nov 27 11:11:43 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.2.1:
+ * Prepare for v1.2.1 release
+ * filters: implement parent_arguments_regex
+ * chore(deps): update go to v1.22.9
+ * chore(deps): update docker.io/library/alpine:3.20.3 docker
+ digest to 1e42bbe
+ * tetragon: probe_read usage may cause issues with newer kernels
+ * e2e tests: skip label test on ARM
+ * workflows: use GitHub arm64 runners instead of actuated
+ * Add support to exclude valid processes from dump processCache
+ * tetra: add max-recv-size to processcache dump cmd
+ * tetra: rewrite dump processcache cmd for correct error code
+ * tetra: use consistent case in dump cmd and api
+ * Add support to dump processLRU
+ * [btf] Flush kernel spec (BTF) after loading a sensor
+ * [ksyms] Do not cache ksyms to reduce memory consumption
+ * fix(deps): update module github.com/cilium/cilium to v1.15.10
+ [security]
+ * chore(deps): update docker.io/library/golang:1.22.8 docker
+ digest to 0ca97f4
+ * chore(deps): update docker.io/library/alpine docker tag to
+ v3.20.3
+ * chore(deps): update go to v1.22.8
+ * fix(deps): update module github.com/containers/common to
+ v0.60.4 [security]
+ * chore(deps): update docker.io/library/golang:1.22.6 docker
+ digest to a632201
+ * chore: update containers/common
+ * Remove const from parameters
+ * bpf: allow all operations for syscall64 type
+ * watcher: add metrics for deleted pod cache
+ * watcher: add a deleted pod cache
+ * watcher: add test for "fast" k8s API server
+ * watcher: change FindContainer function
+ * watcher: add a containerIDKey function
+ * watcher: refactor watcher
+ * Export EventCache tunables in the Helm Chart
+ * Reduce the delay in GRPC gotests
+ * Make EventCache configurable
+ * helm: Set rthooks.podSecurityContext to empty by default
+ * helm: Remove deprecated tetragon.skipCRDCreation value
+ * [bugfix] Fix clone event caching due to missing pod info
+
+-------------------------------------------------------------------
+Fri Sep 13 18:27:13 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.2.0:
+ Full changelog see
+ https://github.com/cilium/tetragon/releases/tag/v1.2.0
+ * Major Changes
+ - feat: Username for process_exec events (#2369) by @anfedotoff
+ - tetragon: Allow persistent enforcement during tetragon
+ restart (#2600) by @olsajiri
+ - LSM sensor (#2566) by @anfedotoff
+ * Bugfixes
+ - bpf: use CORE for execve hook (#2399) by @kkourt
+ - Don't create PodInfo if the pod is being deleted (#2431) by
+ @michi-covalent
+ - tetragon: allow namespaced and non-namespaced policies to
+ have the same name (#2337) by @joshuajorel
+ - operator: Don't start metrics server if Helm value
+ tetragonOperator.prometheus.enabled is set to false. (#2484)
+ by @yukinakanaka
+ - enforcer: fix issue when using multiple calls with fmod_ret
+ (#2524) by @kkourt
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ memory controller) of the stack trace feature when unused.
+ (#2546) by @mtardy
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ memory controller) of the ratelimit feature when unused
+ (around ~10MB per kprobe). (#2551) by @mtardy
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ memory controller) of the fdinstall feature when unused
+ (around ~11MB per kprobe). (#2563) by @mtardy
+ - Do not increase the reference count when we cannot find a
+ parent in kthreads. (#2620) by @tpapagian
+ - Reduce the kernel memory footprint (accounted by the cgroup
+ v2 memory controller) of the override feature when unused
+ (around ~3MB per kprobe). (#2692) by @mtardy
+ - Fix a bug related to the matchBinaries Prefix operator by
+ increasing the buffer size used by our dentry walk. Now the
+ matchBinaries Prefix operator can correctly trigger a match
+ on any path above 255 chars. (#2764) by @mtardy
+ - Fix a bug where the tetra getevents command would timeout
+ even if the connection was successful. (#2765) by @mtardy
+ - Fix missing cases in the compact encoder for tetra. (#2819)
+ by @willfindlay
+ - add support for pod association via cgroup id (#2776) by
+ @kkourt
+ - Allow disabling gRPC either by selecting 'enabled:false' in
+ the helm chart or by passing an empty address to the agent
+ (#2826) by @kkourt
+ - Fix tetragon_process_cache_size metric (#2827) by @lambdanis
+
+-------------------------------------------------------------------
+Mon Jul 29 18:36:26 UTC 2024 - Johannes Kastl
+
+- exclude architectures that fail to build due to
+ 'pkg/syscallinfo/syscallinfo.go:39:34: undefined: syscallNames'
+ errors
+
+-------------------------------------------------------------------
+Wed Jun 12 16:18:43 UTC 2024 - opensuse_buildservice@ojkastl.de
+
+- Update to version 1.1.2:
+ * Bugfixes:
+ - Don't create PodInfo if the pod is being deleted
+ - [v1.1] backport: bpf: use CORE for execve hook
+ - enforcer: fix issue when using multiple calls with fmod_ret
+ * Minor Changes:
+ - backports:1.1:tests: fix trace module testing
+ - backports:1.1: uid username resolution support
+ - helm: Add tetragon.livenessProbe value
+ - backport:v1.1: btf: take first entry on multiple function
+ matches
+ * Misc Changes:
+ - Prepare for v1.1.0 release
+ - Use gRPC-based liveness probe instead of tetra status.
+ - [v1.1] Introduce upgrade notes
+ - Prepare for v1.1.1 release
+ - [v1.1] Makefile: exclude api tags from version
+ - v1.1: misc updates relating to release process
+ - Prepare for v1.1.2 release
+
+-------------------------------------------------------------------
+Tue Apr 30 18:11:26 UTC 2024 - Johannes Kastl
+
+- new package tetragon: eBPF-based Security Observability and
+ Runtime Enforcement
diff --git a/tetragon.obsinfo b/tetragon.obsinfo
new file mode 100644
index 0000000..138569c
--- /dev/null
+++ b/tetragon.obsinfo
@@ -0,0 +1,4 @@
+name: tetragon
+version: 1.2.1
+mtime: 1732701307
+commit: 4b33fd75b08b467a1cc2c61d2fe8eb69bf0b001e
diff --git a/tetragon.spec b/tetragon.spec
new file mode 100644
index 0000000..4bacd58
--- /dev/null
+++ b/tetragon.spec
@@ -0,0 +1,196 @@
+#
+# spec file for package tetragon
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define cli_binary_name tetra
+%define cli_package_name tetragon-cli
+
+Name: tetragon
+Version: 1.2.1
+Release: 0
+Summary: eBPF-based Security Observability and Runtime Enforcement
+License: Apache-2.0
+URL: https://github.com/cilium/tetragon
+Source: tetragon-%{version}.tar.gz
+Source1: vendor.tar.gz
+BuildRequires: bash-completion
+BuildRequires: clang >= 15
+BuildRequires: fish
+BuildRequires: go >= 1.22
+BuildRequires: llvm
+BuildRequires: make
+BuildRequires: zsh
+ExcludeArch: i586 ppc64le s390x armv7l armv7hl
+
+%description
+Cilium’s new Tetragon component enables powerful real-time, eBPF-based Security
+Observability and Runtime Enforcement.
+
+Tetragon detects and is able to react to security-significant events, such as
+
+* Process execution events
+* System call activity
+* I/O activity including network & file access
+
+When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is,
+it understands Kubernetes identities such as namespaces, pods and so on - so
+that security event detection can be configured in relation to individual
+workloads.
+
+%package -n %{cli_package_name}
+Summary: CLI for Tetragon
+Provides: tetra = %{version}
+
+%description -n %{cli_package_name}
+To interact with Tetragon, install the Tetragon client CLI tetra.
+
+%package -n %{cli_package_name}-bash-completion
+Summary: Bash Completion for %{cli_package_name}
+Group: System/Shells
+Requires: %{cli_package_name} = %{version}
+Requires: bash-completion
+Supplements: (%{cli_package_name} and bash-completion)
+BuildArch: noarch
+
+%description -n %{cli_package_name}-bash-completion
+Bash command line completion support for %{cli_package_name}.
+
+%package -n %{cli_package_name}-fish-completion
+Summary: Fish Completion for %{cli_package_name}
+Group: System/Shells
+Requires: %{cli_package_name} = %{version}
+Supplements: (%{cli_package_name} and fish)
+BuildArch: noarch
+
+%description -n %{cli_package_name}-fish-completion
+Fish command line completion support for %{cli_package_name}.
+
+%package -n %{cli_package_name}-zsh-completion
+Summary: Zsh Completion for %{cli_package_name}
+Group: System/Shells
+Requires: %{cli_package_name} = %{version}
+Supplements: (%{cli_package_name} and zsh)
+BuildArch: noarch
+
+%description -n %{cli_package_name}-zsh-completion
+zsh command line completion support for %{cli_package_name}.
+
+%prep
+%autosetup -p 1 -a 1
+
+%build
+#
+# tetragon
+#
+go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags="-X github.com/cilium/tetragon/pkg/version.Version=%{version}" \
+ -o bin/%{name} ./cmd/%{name}
+
+# bpf stuff
+# https://github.com/cilium/tetragon/blob/main/Makefile#L159
+# https://github.com/cilium/tetragon/blob/main/bpf/Makefile
+make -C ./bpf BPF_TARGET_ARCH=x86 %{?_smp_mflags}
+
+#
+# tetra cli
+#
+go build \
+ -mod=vendor \
+ -buildmode=pie \
+ -ldflags="-X github.com/cilium/tetragon/pkg/version.Version=%{version}" \
+ -o bin/%{cli_binary_name} ./cmd/%{cli_binary_name}
+
+%install
+#
+# tetragon
+#
+install -D -m 0755 bin/%{name} %{buildroot}/%{_bindir}/%{name}
+install -D -m 0644 ./install/linux-tarball/systemd/tetragon.service %{buildroot}/%{_unitdir}/%{name}.service
+sed -i 's#/local##' %{buildroot}/%{_unitdir}/%{name}.service
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/
+install -d -m 0755 %{buildroot}%{_sysconfdir}/%{name}/%{name}.tp.d/
+install -D -m 0644 ./install/linux-tarball/usr/local/lib/tetragon/tetragon.conf.d/* %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/
+sed -i 's#/local##' %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/*
+sed -i 's#/lib/#/lib64/#' %{buildroot}%{_sysconfdir}/%{name}/%{name}.conf.d/bpf-lib
+
+install -d -m 0755 %{buildroot}/%{_libdir}/%{name}/
+install -d -m 0755 %{buildroot}/%{_libdir}/%{name}/bpf
+install -D -m 0644 ./bpf/objs/*.o %{buildroot}/%{_libdir}/%{name}/bpf
+
+#
+# tetra cli
+#
+# Install the binary.
+install -D -m 0755 bin/%{cli_binary_name} %{buildroot}/%{_bindir}/%{cli_binary_name}
+
+# create the bash completion file
+mkdir -p %{buildroot}%{_datarootdir}/bash-completion/completions/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion bash > %{buildroot}%{_datarootdir}/bash-completion/completions/%{cli_binary_name}
+
+# create the fish completion file
+mkdir -p %{buildroot}%{_datarootdir}/fish/vendor_completions.d/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion fish > %{buildroot}%{_datarootdir}/fish/vendor_completions.d/%{cli_binary_name}.fish
+
+# create the zsh completion file
+mkdir -p %{buildroot}%{_datarootdir}/zsh/site-functions/
+%{buildroot}/%{_bindir}/%{cli_binary_name} completion zsh > %{buildroot}%{_datarootdir}/zsh/site-functions/_%{cli_binary_name}
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%check
+
+%files
+%doc README.md
+%license LICENSE
+%{_bindir}/%{name}
+%{_unitdir}/%{name}.service
+%dir %attr(755,root, root) %{_sysconfdir}/%{name}/
+%dir %attr(755,root, root) %{_sysconfdir}/%{name}/%{name}.conf.d/
+%defattr(0644, root, root)
+%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf.d/*
+%dir %attr(755,root, root) %{_libdir}/%{name}
+%dir %attr(755,root, root) %{_libdir}/%{name}/bpf/
+%attr(644,root, root) %{_libdir}/%{name}/bpf/*
+
+%files -n %{cli_package_name}
+%doc README.md
+%license LICENSE
+%{_bindir}/%{cli_binary_name}
+
+%files -n %{cli_package_name}-bash-completion
+%{_datarootdir}/bash-completion/completions/%{cli_binary_name}
+
+%files -n %{cli_package_name}-fish-completion
+%{_datarootdir}/fish/vendor_completions.d/%{cli_binary_name}.fish
+
+%files -n %{cli_package_name}-zsh-completion
+%{_datarootdir}/zsh/site-functions/_%{cli_binary_name}
+
+%changelog
diff --git a/vendor.tar.gz b/vendor.tar.gz
new file mode 100644
index 0000000..d7a6961
--- /dev/null
+++ b/vendor.tar.gz
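Review bot: `make -C ./bpf BPF_TARGET_ARCH=x86` in `%build` hard-codes the BPF target architecture, while `ExcludeArch` (i586 ppc64le s390x armv7l armv7hl) still leaves aarch64 enabled, so an aarch64 build would presumably ship BPF objects compiled against x86 register definitions; for a runtime-enforcement agent that risks sensors that load but report wrong or missing events. Select the value per architecture with `%ifarch`, or drop the override if the upstream bpf Makefile's default already follows the build host (confirm against the Makefile linked in the comment above the call). The same assumption appears in `%install`, where `sed -i 's#/lib/#/lib64/#'` rewrites the `bpf-lib` path to a literal `/lib64/` although the objects are installed under `%{_libdir}`; `sed -i 's#/lib/#/%{_lib}/#'` keeps the two in step. Separately, `%{_sysconfdir}/%{name}/%{name}.tp.d/` is created in `%install` but has no `%dir` entry in `%files`, so the directory will not exist on an installed system, and `%check` is empty.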
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f9d32ef2313d1f5da74ad16c10607d13c2d3a247528c3d9377198479d8cbe233
+size 13805523