Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[backport] unix socket for gRPC #585

Merged
merged 5 commits into from
Jan 3, 2023
Merged

[backport] unix socket for gRPC #585

merged 5 commits into from
Jan 3, 2023

Conversation

kkourt
Copy link
Contributor

@kkourt kkourt commented Dec 9, 2022
edited
Loading

@kkourt kkourt requested a review from a team as a code owner December 9, 2022 09:28
@kkourt kkourt requested review from kevsecurity, tixxdz and a team and removed request for a team December 9, 2022 09:28
@kkourt kkourt force-pushed the pr/kkourt/v0.8-backport-unix-socket branch from d4cda7f to b11178f Compare December 9, 2022 16:02
@kkourt
tetragon: add support for gRPC over unix socket
277c2e4 
[upstream commit a63d334]

Now we can provide unix://abosolute_path arguments to both the client
(tetra) and the agent (tetragon).

Signed-off-by: Kornilios Kourtis <[email protected]>
@kkourt
helm: remove grpc.port and fix livenessProbe
1238bbf 
[upstream commit 3c98248]

Up until now, configuring gRPC listen address for the agent via the helm
chart used two variables grpc.port and grpc.address.

The previous patch added support for passing a unix socket address to
the agent, which does not match well the grpc.address:grpc.port
configuration.

This patch removes the grpc.port helm variable, and, instead, relies
only on grpc.address for configuration.

Users can use "localhost:54321", ":54321", or
"unix:///var/run/tetragon/tetragon.sock" to configure the gRPC address
that the agent listens to.

Furthermore, the livenessProbe of the agent relies on checking health
status via the gRPC interface via the CLI (tetra status). This patch
also fixes the livenessProbe so that:
 - it is only defined, if grpc is enabled
 - the proper gRPC address is used to contact the agent

Signed-off-by: Kornilios Kourtis <[email protected]>
@kkourt
tetragon: chmod unix socket to 0660
f69446c 
[upstream commit: 9aae81d]

This patch ensures that the control unix socket for the agent has 0660
file permissions.

Signed-off-by: Kornilios Kourtis <[email protected]>
@kkourt
Makefile.cli: deal with {g,u}id collision
6d1c6e1 
[ upstream commit c338a63 ]

CLI builds have been failing with:
> addgroup: gid '123' in use

Fix this by redoing the addgroup, adduser command without a specific
gid/uid.

Signed-off-by: Kornilios Kourtis <[email protected]>
@kkourt
Makefile: Fix potential uid/gid collision by using setpriv
96bac9b 
[upstream commit 0fe4085]

Initial fix for for this issue had the issue that the uid/gid of the
generated artefact would not match the uid/gid of the `make` caller.
Fix this using setpriv.

This approach was taken from 69822cd7789f368f280870429ba833005671316e in
cilum/hubble, so copying the excellent message of above commit from
Sebastian:

"""
The release build should run with the same numeric user and group id as
the caller of the Makefile. This solves two problems:

 1. The generated artefacts should be owned by the user who invoked the
    Makefile
 2. `go build -buildvcs=true` (the default since Go 1.18) invokes git,
    and git requires that the .git folder is owned by the user invoking
    it.

Previously, we achieved this by creating a new user and group inside the
container with the wanted uid/gid. The problem with that approach is it
fails if the uid/gid is already taken (such as e.g. gid 123, which seems
to be used by the GitHub runner as of recently). Therefore, instead of
trying to create a new user, this commit now uses `setpriv` from
util-linux to force the `make` process (and all its children) to run as
the RELEASE_{UID/GID}. This ensures that both `git` can access the
`.git` directory owned by the host user, and that the host user can
access the generated artifacts. One limitation of `setpriv` is that it
runs the child process without an accessible `$HOME` directory, which
`go build` needs for the GOCACHE. To solve this for now, we point it to
a temporary directory. In the future, we could consider using a GOCACHE
owned by the host, to allow cache-reuse across builds.
"""

fixes: c338a63

Signed-off-by: Kornilios Kourtis <[email protected]>
@kkourt kkourt force-pushed the pr/kkourt/v0.8-backport-unix-socket branch from b11178f to 96bac9b Compare December 9, 2022 16:03
@kkourt kkourt changed the title backport unix socket [backport] unix socket for gRPC Dec 9, 2022
@kkourt kkourt merged commit 52c9379 into v0.8 Jan 3, 2023
@kkourt kkourt deleted the pr/kkourt/v0.8-backport-unix-socket branch January 3, 2023 10:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@willfindlay willfindlay willfindlay approved these changes

@tixxdz tixxdz tixxdz approved these changes

@kevsecurity kevsecurity Awaiting requested review from kevsecurity kevsecurity is a code owner automatically assigned from cilium/tetragon

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kkourt @tixxdz @willfindlay