Merge branch 'main' into pducolin/ADXT-354-extract-agent-logs-config

CHANGELOG-DCA.rst

@@ -2,6 +2,19 @@
 Release Notes
 =============
 
+.. _Release Notes_7.60.1:
+
+7.60.1
+======
+
+.. _Release Notes_7.60.1_Prelude:
+
+Prelude
+-------
+
+Released on: 2024-12-19
+Pinned to datadog-agent v7.60.1: `CHANGELOG <https://github.com/DataDog/datadog-agent/blob/main/CHANGELOG.rst#7601>`_.
+
 .. _Release Notes_7.60.0:
 
 7.60.0

CHANGELOG.rst

@@ -2,6 +2,27 @@
 Release Notes
 =============
 
+.. _Release Notes_7.60.1:
+
+7.60.1
+======
+
+.. _Release Notes_7.60.1_Prelude:
+
+Prelude
+-------
+
+Release on: 2024-12-19
+
+
+.. _Release Notes_7.60.1_Security Notes:
+
+Security Notes
+--------------
+
+- Update ``golang.org/x/crypto`` to fix CVE-2024-45337.
+
+
 .. _Release Notes_7.60.0:
 
 7.60.0

cmd/agent/subcommands/flare/command.go

@@ -175,10 +175,18 @@ func readProfileData(seconds int) (flare.ProfileData, error) {
 
 	type pprofGetter func(path string) ([]byte, error)
 
-	tcpGet := func(portConfig string) pprofGetter {
-		pprofURL := fmt.Sprintf("http://127.0.0.1:%d/debug/pprof", pkgconfigsetup.Datadog().GetInt(portConfig))
+	tcpGet := func(portConfig string, onHTTPS bool) pprofGetter {
+		endpoint := url.URL{
+			Scheme: "http",
+			Host:   net.JoinHostPort("127.0.0.1", strconv.Itoa(pkgconfigsetup.Datadog().GetInt(portConfig))),
+			Path:   "/debug/pprof",
+		}
+		if onHTTPS {
+			endpoint.Scheme = "https"
+		}
+
 		return func(path string) ([]byte, error) {
-			return util.DoGet(c, pprofURL+path, util.LeaveConnectionOpen)
+			return util.DoGet(c, endpoint.String()+path, util.LeaveConnectionOpen)
 		}
 	}
 
@@ -228,15 +236,15 @@ func readProfileData(seconds int) (flare.ProfileData, error) {
 	}
 
 	agentCollectors := map[string]agentProfileCollector{
-		"core":           serviceProfileCollector(tcpGet("expvar_port"), seconds),
-		"security-agent": serviceProfileCollector(tcpGet("security_agent.expvar_port"), seconds),
+		"core":           serviceProfileCollector(tcpGet("expvar_port", false), seconds),
+		"security-agent": serviceProfileCollector(tcpGet("security_agent.expvar_port", false), seconds),
 	}
 
 	if pkgconfigsetup.Datadog().GetBool("process_config.enabled") ||
 		pkgconfigsetup.Datadog().GetBool("process_config.container_collection.enabled") ||
 		pkgconfigsetup.Datadog().GetBool("process_config.process_collection.enabled") {
 
-		agentCollectors["process"] = serviceProfileCollector(tcpGet("process_config.expvar_port"), seconds)
+		agentCollectors["process"] = serviceProfileCollector(tcpGet("process_config.expvar_port", false), seconds)
 	}
 
 	if pkgconfigsetup.Datadog().GetBool("apm_config.enabled") {
@@ -249,7 +257,7 @@ func readProfileData(seconds int) (flare.ProfileData, error) {
 			traceCpusec = 4
 		}
 
-		agentCollectors["trace"] = serviceProfileCollector(tcpGet("apm_config.debug.port"), traceCpusec)
+		agentCollectors["trace"] = serviceProfileCollector(tcpGet("apm_config.debug.port", true), traceCpusec)
 	}
 
 	if pkgconfigsetup.SystemProbe().GetBool("system_probe_config.enabled") {

cmd/agent/subcommands/flare/command_test.go

@@ -29,6 +29,7 @@ type commandTestSuite struct {
 	suite.Suite
 	sysprobeSocketPath string
 	tcpServer          *httptest.Server
+	tcpTLSServer       *httptest.Server
 	unixServer         *httptest.Server
 	systemProbeServer  *httptest.Server
 }
@@ -42,13 +43,17 @@ func (c *commandTestSuite) SetupSuite() {
 // This should be called by each test that requires them.
 func (c *commandTestSuite) startTestServers() {
 	t := c.T()
-	c.tcpServer, c.unixServer, c.systemProbeServer = c.getPprofTestServer()
+	c.tcpServer, c.tcpTLSServer, c.unixServer, c.systemProbeServer = c.getPprofTestServer()
 
 	t.Cleanup(func() {
 		if c.tcpServer != nil {
 			c.tcpServer.Close()
 			c.tcpServer = nil
 		}
+		if c.tcpTLSServer != nil {
+			c.tcpTLSServer.Close()
+			c.tcpTLSServer = nil
+		}
 		if c.unixServer != nil {
 			c.unixServer.Close()
 			c.unixServer = nil
@@ -82,12 +87,13 @@ func newMockHandler() http.HandlerFunc {
 	})
 }
 
-func (c *commandTestSuite) getPprofTestServer() (tcpServer *httptest.Server, unixServer *httptest.Server, sysProbeServer *httptest.Server) {
+func (c *commandTestSuite) getPprofTestServer() (tcpServer *httptest.Server, tcpTLSServer *httptest.Server, unixServer *httptest.Server, sysProbeServer *httptest.Server) {
 	var err error
 	t := c.T()
 
 	handler := newMockHandler()
 	tcpServer = httptest.NewServer(handler)
+	tcpTLSServer = httptest.NewTLSServer(handler)
 	if runtime.GOOS == "linux" {
 		unixServer = httptest.NewUnstartedServer(handler)
 		unixServer.Listener, err = net.Listen("unix", c.sysprobeSocketPath)
@@ -101,7 +107,7 @@ func (c *commandTestSuite) getPprofTestServer() (tcpServer *httptest.Server, uni
 		sysProbeServer.Start()
 	}
 
-	return tcpServer, unixServer, sysProbeServer
+	return tcpServer, tcpTLSServer, unixServer, sysProbeServer
 }
 
 func TestCommandTestSuite(t *testing.T) {
@@ -116,10 +122,14 @@ func (c *commandTestSuite) TestReadProfileData() {
 	require.NoError(t, err)
 	port := u.Port()
 
+	u, err = url.Parse(c.tcpTLSServer.URL)
+	require.NoError(t, err)
+	httpsPort := u.Port()
+
 	mockConfig := configmock.New(t)
 	mockConfig.SetWithoutSource("expvar_port", port)
 	mockConfig.SetWithoutSource("apm_config.enabled", true)
-	mockConfig.SetWithoutSource("apm_config.debug.port", port)
+	mockConfig.SetWithoutSource("apm_config.debug.port", httpsPort)
 	mockConfig.SetWithoutSource("apm_config.receiver_timeout", "10")
 	mockConfig.SetWithoutSource("process_config.expvar_port", port)
 	mockConfig.SetWithoutSource("security_agent.expvar_port", port)

cmd/agent/subcommands/secret/command.go

@@ -101,7 +101,7 @@ func traceAgentSecretRefresh(conf config.Component) ([]byte, error) {
 	c := apiutil.GetClient(false)
 	c.Timeout = conf.GetDuration("server_timeout") * time.Second
 
-	url := fmt.Sprintf("http://127.0.0.1:%d/secret/refresh", port)
+	url := fmt.Sprintf("https://127.0.0.1:%d/secret/refresh", port)
 	res, err := apiutil.DoGet(c, url, apiutil.CloseConnection)
 	if err != nil {
 		return nil, fmt.Errorf("could not contact trace-agent: %s", err)

comp/trace/agent/impl/agent.go

@@ -24,6 +24,7 @@ import (
 	"go.opentelemetry.io/collector/pdata/ptrace"
 	"go.uber.org/fx"
 
+	"github.com/DataDog/datadog-agent/comp/api/authtoken"
 	"github.com/DataDog/datadog-agent/comp/core/secrets"
 	tagger "github.com/DataDog/datadog-agent/comp/core/tagger/def"
 	"github.com/DataDog/datadog-agent/comp/dogstatsd/statsd"
@@ -68,6 +69,7 @@ type dependencies struct {
 	Statsd             statsd.Component
 	Tagger             tagger.Component
 	Compressor         compression.Component
+	At                 authtoken.Component
 }
 
 var _ traceagent.Component = (*component)(nil)
@@ -93,6 +95,7 @@ type component struct {
 	params             *Params
 	tagger             tagger.Component
 	telemetryCollector telemetry.TelemetryCollector
+	at                 authtoken.Component
 	wg                 *sync.WaitGroup
 }
 
@@ -115,6 +118,7 @@ func NewAgent(deps dependencies) (traceagent.Component, error) {
 		params:             deps.Params,
 		telemetryCollector: deps.TelemetryCollector,
 		tagger:             deps.Tagger,
+		at:                 deps.At,
 		wg:                 &sync.WaitGroup{},
 	}
 	statsdCl, err := setupMetrics(deps.Statsd, c.config, c.telemetryCollector)

comp/trace/agent/impl/run.go

@@ -98,6 +98,9 @@ func runAgentSidekicks(ag component) error {
 		}))
 	}
 
+	// Configure the Trace Agent Debug server to use the IPC certificate
+	ag.Agent.DebugServer.SetTLSConfig(ag.at.GetTLSServerConfig())
+
 	log.Infof("Trace agent running on host %s", tracecfg.Hostname)
 	if pcfg := profilingConfig(tracecfg); pcfg != nil {
 		if err := profiling.Start(*pcfg); err != nil {

comp/trace/bundle_test.go

@@ -13,6 +13,8 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
 
+	"github.com/DataDog/datadog-agent/comp/api/authtoken/createandfetchimpl"
+	"github.com/DataDog/datadog-agent/comp/api/authtoken/fetchonlyimpl"
 	"github.com/DataDog/datadog-agent/comp/core"
 	coreconfig "github.com/DataDog/datadog-agent/comp/core/config"
 	log "github.com/DataDog/datadog-agent/comp/core/log/def"
@@ -45,6 +47,7 @@ func TestBundleDependencies(t *testing.T) {
 		zstdfx.Module(),
 		taggerfx.Module(tagger.Params{}),
 		fx.Supply(&traceagentimpl.Params{}),
+		createandfetchimpl.Module(),
 	)
 }
 
@@ -75,6 +78,7 @@ func TestMockBundleDependencies(t *testing.T) {
 		fx.Invoke(func(_ traceagent.Component) {}),
 		MockBundle(),
 		taggerfx.Module(tagger.Params{}),
+		fetchonlyimpl.MockModule(),
 	))
 
 	require.NotNil(t, cfg.Object())

comp/trace/status/statusimpl/status.go

@@ -95,7 +95,7 @@ func (s statusProvider) populateStatus() map[string]interface{} {
 	port := s.Config.GetInt("apm_config.debug.port")
 
 	c := client()
-	url := fmt.Sprintf("http://localhost:%d/debug/vars", port)
+	url := fmt.Sprintf("https://localhost:%d/debug/vars", port)
 	resp, err := apiutil.DoGet(c, url, apiutil.CloseConnection)
 	if err != nil {
 		return map[string]interface{}{

pkg/collector/corechecks/embed/apm/apm.go

@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build apm && !windows && !linux
+//go:build darwin
 
 // Package apm contains the APM check
 package apm

pkg/collector/corechecks/embed/apm/apm_nix.go

@@ -3,9 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build apm && !windows && !linux
-
-// linux handled by systemd/upstart
+//go:build darwin
 
 package apm
 

pkg/collector/corechecks/embed/apm/stub.go

@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build !apm || windows || linux
+//go:build !darwin
 
 // Package apm provides a stub for the APM check
 package apm

pkg/collector/corechecks/embed/process/process_agent.go

@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build process && (darwin || freebsd)
+//go:build darwin
 
 //nolint:revive // TODO(PLINT) Fix revive linter
 package process

pkg/collector/corechecks/embed/process/stub.go

@@ -3,7 +3,7 @@
 // This product includes software developed at Datadog (https://www.datadoghq.com/).
 // Copyright 2016-present Datadog, Inc.
 
-//go:build !process || (!darwin && !freebsd)
+//go:build !darwin
 
 //nolint:revive // TODO(Process) Fix revive linter
 package process

pkg/collector/corechecks/snmp/integration_topology_test.go

@@ -661,6 +661,7 @@ profiles:
         {
             "id": "profile-metadata:1.2.3.4:101.1",
             "source_type": "lldp",
+            "integration": "snmp",
             "local": {
                 "device": {
                     "dd_id": "profile-metadata:1.2.3.4"
@@ -689,6 +690,7 @@ profiles:
         {
             "id": "profile-metadata:1.2.3.4:102.2",
             "source_type": "lldp",
+            "integration": "snmp",
             "local": {
                 "device": {
                     "dd_id": "profile-metadata:1.2.3.4"
@@ -1363,6 +1365,7 @@ profiles:
         {
             "id": "profile-metadata:1.2.3.4:1.5",
             "source_type": "cdp",
+            "integration": "snmp",
             "local": {
                 "device": {
                     "dd_id": "profile-metadata:1.2.3.4"
@@ -1386,6 +1389,7 @@ profiles:
         {
             "id": "profile-metadata:1.2.3.4:2.3",
             "source_type": "cdp",
+            "integration": "snmp",
             "local": {
                 "device": {
                     "dd_id": "profile-metadata:1.2.3.4"
@@ -2056,6 +2060,7 @@ profiles:
         {
             "id": "profile-metadata:1.2.3.4:101.1",
             "source_type": "lldp",
+            "integration": "snmp",
             "local": {
                 "device": {
                     "dd_id": "profile-metadata:1.2.3.4"
@@ -2084,6 +2089,7 @@ profiles:
         {
             "id": "profile-metadata:1.2.3.4:102.2",
             "source_type": "lldp",
+            "integration": "snmp",
             "local": {
                 "device": {
                     "dd_id": "profile-metadata:1.2.3.4"

pkg/collector/corechecks/snmp/internal/report/report_device_metadata.go

@@ -385,8 +385,9 @@ func buildNetworkTopologyMetadataWithLLDP(deviceID string, store *metadata.Store
 		remEntryUniqueID := localPortNum + "." + lldpRemIndex
 
 		newLink := devicemetadata.TopologyLinkMetadata{
-			ID:         deviceID + ":" + remEntryUniqueID,
-			SourceType: topologyLinkSourceTypeLLDP,
+			ID:          deviceID + ":" + remEntryUniqueID,
+			SourceType:  topologyLinkSourceTypeLLDP,
+			Integration: common.SnmpIntegrationName,
 			Remote: &devicemetadata.TopologyLinkSide{
 				Device: &devicemetadata.TopologyLinkDevice{
 					Name:        store.GetColumnAsString("lldp_remote.device_name", strIndex),
@@ -446,8 +447,9 @@ func buildNetworkTopologyMetadataWithCDP(deviceID string, store *metadata.Store,
 		remEntryUniqueID := cdpCacheIfIndex + "." + cdpCacheDeviceIndex
 
 		newLink := devicemetadata.TopologyLinkMetadata{
-			ID:         deviceID + ":" + remEntryUniqueID,
-			SourceType: topologyLinkSourceTypeCDP,
+			ID:          deviceID + ":" + remEntryUniqueID,
+			SourceType:  topologyLinkSourceTypeCDP,
+			Integration: common.SnmpIntegrationName,
 			Remote: &devicemetadata.TopologyLinkSide{
 				Device: &devicemetadata.TopologyLinkDevice{
 					Name:        store.GetColumnAsString("cdp_remote.device_name", strIndex),

pkg/config/fetcher/from_processes.go

@@ -71,7 +71,7 @@ func TraceAgentConfig(config config.Reader) (string, error) {
 	c := util.GetClient(false)
 	c.Timeout = config.GetDuration("server_timeout") * time.Second
 
-	ipcAddressWithPort := fmt.Sprintf("http://127.0.0.1:%d/config", port)
+	ipcAddressWithPort := fmt.Sprintf("https://127.0.0.1:%d/config", port)
 
 	client := settingshttp.NewClient(c, ipcAddressWithPort, "trace-agent", settingshttp.NewHTTPClientOptions(util.CloseConnection))
 	return client.FullConfig()

pkg/flare/archive.go

@@ -214,7 +214,7 @@ func getExpVar(fb flaretypes.FlareBuilder) error {
 
 	apmDebugPort := pkgconfigsetup.Datadog().GetInt("apm_config.debug.port")
 	f := filepath.Join("expvar", "trace-agent")
-	resp, err := http.Get(fmt.Sprintf("http://127.0.0.1:%d/debug/vars", apmDebugPort))
+	resp, err := http.Get(fmt.Sprintf("https://127.0.0.1:%d/debug/vars", apmDebugPort))
 	if err != nil {
 		return fb.AddFile(f, []byte(fmt.Sprintf("Error retrieving vars: %v", err)))
 	}