From f9a8a9e6e6295eaf6441d33dc1f7c4b289b7bf26 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 3 Feb 2026 18:29:27 +0200 Subject: [PATCH 1/2] runtime-tools: emit audit events for OCI Spec mutation. Add an option for setting an external audit event logger and use any configured logger to emit audit events as we adjust the OCI Spec. Signed-off-by: Krisztian Litkey --- pkg/api/owners.go | 10 +- pkg/api/owners_generated.go | 152 +++--- pkg/runtime-tools/generate/generate.go | 442 +++++++++++++++++- .../generate/generate_suite_test.go | 281 ++++++++++- tools/protoc-gen-owners/main.go | 8 +- 5 files changed, 772 insertions(+), 121 deletions(-) diff --git a/pkg/api/owners.go b/pkg/api/owners.go index fa12476c..e41c3f5e 100644 --- a/pkg/api/owners.go +++ b/pkg/api/owners.go @@ -49,7 +49,7 @@ func (o *OwningPlugins) ClaimHooks(id, plugin string) error { } func (o *OwningPlugins) HooksOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_OciHooks.Key()) + return o.ownersFor(id).SimpleOwner(Field_OciHooks.Key()) } func (o *OwningPlugins) ClearHooks(id, plugin string) { @@ -148,7 +148,7 @@ func (f *FieldOwners) ClaimHooks(plugin string) error { } func (f *FieldOwners) HooksOwner() (string, bool) { - return f.simpleOwner(Field_OciHooks.Key()) + return f.SimpleOwner(Field_OciHooks.Key()) } func (f *FieldOwners) ClearHooks(plugin string) { @@ -175,7 +175,7 @@ func (f *FieldOwners) ClearRdt(plugin string) { } func (f *FieldOwners) accumulateSimple(field int32, plugin string) { - old, ok := f.simpleOwner(field) + old, ok := f.SimpleOwner(field) if ok { plugin = old + "," + plugin } @@ -200,7 +200,7 @@ func (f *FieldOwners) compoundOwnerMap(field int32) (map[string]string, bool) { return m.Owners, true } -func (f *FieldOwners) compoundOwner(field int32, key string) (string, bool) { +func (f *FieldOwners) CompoundOwner(field int32, key string) (string, bool) { if f == nil { return "", false } 
@@ -214,7 +214,7 @@ func (f *FieldOwners) compoundOwner(field int32, key string) (string, bool) {
 	return plugin, ok
 }
 
-func (f *FieldOwners) simpleOwner(field int32) (string, bool) {
+func (f *FieldOwners) SimpleOwner(field int32) (string, bool) {
 	if f == nil {
 		return "", false
 	}
diff --git a/pkg/api/owners_generated.go b/pkg/api/owners_generated.go
index fb2be562..9a6c681a 100644
--- a/pkg/api/owners_generated.go
+++ b/pkg/api/owners_generated.go
@@ -30,11 +30,11 @@ func (f *FieldOwners) ClaimAnnotation(key, plugin string) error {
 }
 
 func (o *OwningPlugins) AnnotationOwner(id, key string) (string, bool) {
-	return o.ownersFor(id).compoundOwner(Field_Annotations.Key(), key)
+	return o.ownersFor(id).CompoundOwner(Field_Annotations.Key(), key)
 }
 
 func (f *FieldOwners) AnnotationOwner(key string) (string, bool) {
-	return f.compoundOwner(Field_Annotations.Key(), key)
+	return f.CompoundOwner(Field_Annotations.Key(), key)
 }
 
 func (o *OwningPlugins) ClearAnnotation(id, key, plugin string) {
@@ -54,11 +54,11 @@ func (f *FieldOwners) ClaimMount(destination, plugin string) error {
 }
 
 func (o *OwningPlugins) MountOwner(id, destination string) (string, bool) {
-	return o.ownersFor(id).compoundOwner(Field_Mounts.Key(), destination)
+	return o.ownersFor(id).CompoundOwner(Field_Mounts.Key(), destination)
 }
 
 func (f *FieldOwners) MountOwner(destination string) (string, bool) {
-	return f.compoundOwner(Field_Mounts.Key(), destination)
+	return f.CompoundOwner(Field_Mounts.Key(), destination)
 }
 
 func (o *OwningPlugins) ClearMount(id, destination, plugin string) {
@@ -78,11 +78,11 @@ func (f *FieldOwners) ClaimDevice(path, plugin string) error { } func (o *OwningPlugins) DeviceOwner(id, path string) (string, bool) { - return o.ownersFor(id).compoundOwner(Field_Devices.Key(), path) + return o.ownersFor(id).CompoundOwner(Field_Devices.Key(), path) } func (f *FieldOwners) DeviceOwner(path string) (string, bool) { - return f.compoundOwner(Field_Devices.Key(), path) + return f.CompoundOwner(Field_Devices.Key(), path) } func (o *OwningPlugins) ClearDevice(id, path, plugin string) { @@ -102,11 +102,11 @@ func (f *FieldOwners) ClaimCdiDevice(name, plugin string) error { } func (o *OwningPlugins) CdiDeviceOwner(id, name string) (string, bool) { - return o.ownersFor(id).compoundOwner(Field_CdiDevices.Key(), name) + return o.ownersFor(id).CompoundOwner(Field_CdiDevices.Key(), name) } func (f *FieldOwners) CdiDeviceOwner(name string) (string, bool) { - return f.compoundOwner(Field_CdiDevices.Key(), name) + return f.CompoundOwner(Field_CdiDevices.Key(), name) } func (o *OwningPlugins) ClearCdiDevice(id, name, plugin string) { @@ -126,11 +126,11 @@ func (f *FieldOwners) ClaimEnv(name, plugin string) error { } func (o *OwningPlugins) EnvOwner(id, name string) (string, bool) { - return o.ownersFor(id).compoundOwner(Field_Env.Key(), name) + return o.ownersFor(id).CompoundOwner(Field_Env.Key(), name) } func (f *FieldOwners) EnvOwner(name string) (string, bool) { - return f.compoundOwner(Field_Env.Key(), name) + return f.CompoundOwner(Field_Env.Key(), name) } func (o *OwningPlugins) ClearEnv(id, name, plugin string) { 
@@ -150,11 +150,11 @@ func (f *FieldOwners) ClaimArgs(plugin string) error { } func (o *OwningPlugins) ArgsOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_Args.Key()) + return o.ownersFor(id).SimpleOwner(Field_Args.Key()) } func (f *FieldOwners) ArgsOwner() (string, bool) { - return f.simpleOwner(Field_Args.Key()) + return f.SimpleOwner(Field_Args.Key()) } func (o *OwningPlugins) ClearArgs(id, plugin string) { @@ -174,11 +174,11 @@ func (f *FieldOwners) ClaimMemLimit(plugin string) error { } func (o *OwningPlugins) MemLimitOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_MemLimit.Key()) + return o.ownersFor(id).SimpleOwner(Field_MemLimit.Key()) } func (f *FieldOwners) MemLimitOwner() (string, bool) { - return f.simpleOwner(Field_MemLimit.Key()) + return f.SimpleOwner(Field_MemLimit.Key()) } func (o *OwningPlugins) ClearMemLimit(id, plugin string) { @@ -198,11 +198,11 @@ func (f *FieldOwners) ClaimMemReservation(plugin string) error { } func (o *OwningPlugins) MemReservationOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_MemReservation.Key()) + return o.ownersFor(id).SimpleOwner(Field_MemReservation.Key()) } func (f *FieldOwners) MemReservationOwner() (string, bool) { - return f.simpleOwner(Field_MemReservation.Key()) + return f.SimpleOwner(Field_MemReservation.Key()) } func (o *OwningPlugins) ClearMemReservation(id, plugin string) { @@ -222,11 +222,11 @@ func (f *FieldOwners) ClaimMemSwapLimit(plugin string) error { } func (o *OwningPlugins) MemSwapLimitOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_MemSwapLimit.Key()) + return o.ownersFor(id).SimpleOwner(Field_MemSwapLimit.Key()) } func (f *FieldOwners) MemSwapLimitOwner() (string, bool) { - return f.simpleOwner(Field_MemSwapLimit.Key()) + return f.SimpleOwner(Field_MemSwapLimit.Key()) } func (o *OwningPlugins) ClearMemSwapLimit(id, plugin string) { 
@@ -246,11 +246,11 @@ func (f *FieldOwners) ClaimMemKernelLimit(plugin string) error { } func (o *OwningPlugins) MemKernelLimitOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_MemKernelLimit.Key()) + return o.ownersFor(id).SimpleOwner(Field_MemKernelLimit.Key()) } func (f *FieldOwners) MemKernelLimitOwner() (string, bool) { - return f.simpleOwner(Field_MemKernelLimit.Key()) + return f.SimpleOwner(Field_MemKernelLimit.Key()) } func (o *OwningPlugins) ClearMemKernelLimit(id, plugin string) { @@ -270,11 +270,11 @@ func (f *FieldOwners) ClaimMemTCPLimit(plugin string) error { } func (o *OwningPlugins) MemTCPLimitOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_MemTCPLimit.Key()) + return o.ownersFor(id).SimpleOwner(Field_MemTCPLimit.Key()) } func (f *FieldOwners) MemTCPLimitOwner() (string, bool) { - return f.simpleOwner(Field_MemTCPLimit.Key()) + return f.SimpleOwner(Field_MemTCPLimit.Key()) } func (o *OwningPlugins) ClearMemTCPLimit(id, plugin string) { @@ -294,11 +294,11 @@ func (f *FieldOwners) ClaimMemSwappiness(plugin string) error { } func (o *OwningPlugins) MemSwappinessOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_MemSwappiness.Key()) + return o.ownersFor(id).SimpleOwner(Field_MemSwappiness.Key()) } func (f *FieldOwners) MemSwappinessOwner() (string, bool) { - return f.simpleOwner(Field_MemSwappiness.Key()) + return f.SimpleOwner(Field_MemSwappiness.Key()) } func (o *OwningPlugins) ClearMemSwappiness(id, plugin string) { 
@@ -318,11 +318,11 @@ func (f *FieldOwners) ClaimMemDisableOomKiller(plugin string) error { } func (o *OwningPlugins) MemDisableOomKillerOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_MemDisableOomKiller.Key()) + return o.ownersFor(id).SimpleOwner(Field_MemDisableOomKiller.Key()) } func (f *FieldOwners) MemDisableOomKillerOwner() (string, bool) { - return f.simpleOwner(Field_MemDisableOomKiller.Key()) + return f.SimpleOwner(Field_MemDisableOomKiller.Key()) } func (o *OwningPlugins) ClearMemDisableOomKiller(id, plugin string) { @@ -342,11 +342,11 @@ func (f *FieldOwners) ClaimMemUseHierarchy(plugin string) error { } func (o *OwningPlugins) MemUseHierarchyOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_MemUseHierarchy.Key()) + return o.ownersFor(id).SimpleOwner(Field_MemUseHierarchy.Key()) } func (f *FieldOwners) MemUseHierarchyOwner() (string, bool) { - return f.simpleOwner(Field_MemUseHierarchy.Key()) + return f.SimpleOwner(Field_MemUseHierarchy.Key()) } func (o *OwningPlugins) ClearMemUseHierarchy(id, plugin string) { @@ -366,11 +366,11 @@ func (f *FieldOwners) ClaimCPUShares(plugin string) error { } func (o *OwningPlugins) CPUSharesOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_CPUShares.Key()) + return o.ownersFor(id).SimpleOwner(Field_CPUShares.Key()) } func (f *FieldOwners) CPUSharesOwner() (string, bool) { - return f.simpleOwner(Field_CPUShares.Key()) + return f.SimpleOwner(Field_CPUShares.Key()) } func (o *OwningPlugins) ClearCPUShares(id, plugin string) { 
@@ -390,11 +390,11 @@ func (f *FieldOwners) ClaimCPUQuota(plugin string) error { } func (o *OwningPlugins) CPUQuotaOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_CPUQuota.Key()) + return o.ownersFor(id).SimpleOwner(Field_CPUQuota.Key()) } func (f *FieldOwners) CPUQuotaOwner() (string, bool) { - return f.simpleOwner(Field_CPUQuota.Key()) + return f.SimpleOwner(Field_CPUQuota.Key()) } func (o *OwningPlugins) ClearCPUQuota(id, plugin string) { @@ -414,11 +414,11 @@ func (f *FieldOwners) ClaimCPUPeriod(plugin string) error { } func (o *OwningPlugins) CPUPeriodOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_CPUPeriod.Key()) + return o.ownersFor(id).SimpleOwner(Field_CPUPeriod.Key()) } func (f *FieldOwners) CPUPeriodOwner() (string, bool) { - return f.simpleOwner(Field_CPUPeriod.Key()) + return f.SimpleOwner(Field_CPUPeriod.Key()) } func (o *OwningPlugins) ClearCPUPeriod(id, plugin string) { @@ -438,11 +438,11 @@ func (f *FieldOwners) ClaimCPURealtimeRuntime(plugin string) error { } func (o *OwningPlugins) CPURealtimeRuntimeOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_CPURealtimeRuntime.Key()) + return o.ownersFor(id).SimpleOwner(Field_CPURealtimeRuntime.Key()) } func (f *FieldOwners) CPURealtimeRuntimeOwner() (string, bool) { - return f.simpleOwner(Field_CPURealtimeRuntime.Key()) + return f.SimpleOwner(Field_CPURealtimeRuntime.Key()) } func (o *OwningPlugins) ClearCPURealtimeRuntime(id, plugin string) { 
@@ -462,11 +462,11 @@ func (f *FieldOwners) ClaimCPURealtimePeriod(plugin string) error { } func (o *OwningPlugins) CPURealtimePeriodOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_CPURealtimePeriod.Key()) + return o.ownersFor(id).SimpleOwner(Field_CPURealtimePeriod.Key()) } func (f *FieldOwners) CPURealtimePeriodOwner() (string, bool) { - return f.simpleOwner(Field_CPURealtimePeriod.Key()) + return f.SimpleOwner(Field_CPURealtimePeriod.Key()) } func (o *OwningPlugins) ClearCPURealtimePeriod(id, plugin string) { @@ -486,11 +486,11 @@ func (f *FieldOwners) ClaimCPUSetCPUs(plugin string) error { } func (o *OwningPlugins) CPUSetCPUsOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_CPUSetCPUs.Key()) + return o.ownersFor(id).SimpleOwner(Field_CPUSetCPUs.Key()) } func (f *FieldOwners) CPUSetCPUsOwner() (string, bool) { - return f.simpleOwner(Field_CPUSetCPUs.Key()) + return f.SimpleOwner(Field_CPUSetCPUs.Key()) } func (o *OwningPlugins) ClearCPUSetCPUs(id, plugin string) { @@ -510,11 +510,11 @@ func (f *FieldOwners) ClaimCPUSetMems(plugin string) error { } func (o *OwningPlugins) CPUSetMemsOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_CPUSetMems.Key()) + return o.ownersFor(id).SimpleOwner(Field_CPUSetMems.Key()) } func (f *FieldOwners) CPUSetMemsOwner() (string, bool) { - return f.simpleOwner(Field_CPUSetMems.Key()) + return f.SimpleOwner(Field_CPUSetMems.Key()) } func (o *OwningPlugins) ClearCPUSetMems(id, plugin string) { 
@@ -534,11 +534,11 @@ func (f *FieldOwners) ClaimPidsLimit(plugin string) error { } func (o *OwningPlugins) PidsLimitOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_PidsLimit.Key()) + return o.ownersFor(id).SimpleOwner(Field_PidsLimit.Key()) } func (f *FieldOwners) PidsLimitOwner() (string, bool) { - return f.simpleOwner(Field_PidsLimit.Key()) + return f.SimpleOwner(Field_PidsLimit.Key()) } func (o *OwningPlugins) ClearPidsLimit(id, plugin string) { @@ -558,11 +558,11 @@ func (f *FieldOwners) ClaimHugepageLimit(size, plugin string) error { } func (o *OwningPlugins) HugepageLimitOwner(id, size string) (string, bool) { - return o.ownersFor(id).compoundOwner(Field_HugepageLimits.Key(), size) + return o.ownersFor(id).CompoundOwner(Field_HugepageLimits.Key(), size) } func (f *FieldOwners) HugepageLimitOwner(size string) (string, bool) { - return f.compoundOwner(Field_HugepageLimits.Key(), size) + return f.CompoundOwner(Field_HugepageLimits.Key(), size) } func (o *OwningPlugins) ClearHugepageLimit(id, size, plugin string) { @@ -582,11 +582,11 @@ func (f *FieldOwners) ClaimBlockioClass(plugin string) error { } func (o *OwningPlugins) BlockioClassOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_BlockioClass.Key()) + return o.ownersFor(id).SimpleOwner(Field_BlockioClass.Key()) } func (f *FieldOwners) BlockioClassOwner() (string, bool) { - return f.simpleOwner(Field_BlockioClass.Key()) + return f.SimpleOwner(Field_BlockioClass.Key()) } func (o *OwningPlugins) ClearBlockioClass(id, plugin string) { 
@@ -606,11 +606,11 @@ func (f *FieldOwners) ClaimRdtClass(plugin string) error { } func (o *OwningPlugins) RdtClassOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_RdtClass.Key()) + return o.ownersFor(id).SimpleOwner(Field_RdtClass.Key()) } func (f *FieldOwners) RdtClassOwner() (string, bool) { - return f.simpleOwner(Field_RdtClass.Key()) + return f.SimpleOwner(Field_RdtClass.Key()) } func (o *OwningPlugins) ClearRdtClass(id, plugin string) { @@ -630,11 +630,11 @@ func (f *FieldOwners) ClaimCgroupsUnified(key, plugin string) error { } func (o *OwningPlugins) CgroupsUnifiedOwner(id, key string) (string, bool) { - return o.ownersFor(id).compoundOwner(Field_CgroupsUnified.Key(), key) + return o.ownersFor(id).CompoundOwner(Field_CgroupsUnified.Key(), key) } func (f *FieldOwners) CgroupsUnifiedOwner(key string) (string, bool) { - return f.compoundOwner(Field_CgroupsUnified.Key(), key) + return f.CompoundOwner(Field_CgroupsUnified.Key(), key) } func (o *OwningPlugins) ClearCgroupsUnified(id, key, plugin string) { @@ -654,11 +654,11 @@ func (f *FieldOwners) ClaimCgroupsPath(plugin string) error { } func (o *OwningPlugins) CgroupsPathOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_CgroupsPath.Key()) + return o.ownersFor(id).SimpleOwner(Field_CgroupsPath.Key()) } func (f *FieldOwners) CgroupsPathOwner() (string, bool) { - return f.simpleOwner(Field_CgroupsPath.Key()) + return f.SimpleOwner(Field_CgroupsPath.Key()) } func (o *OwningPlugins) ClearCgroupsPath(id, plugin string) { 
@@ -678,11 +678,11 @@ func (f *FieldOwners) ClaimOomScoreAdj(plugin string) error { } func (o *OwningPlugins) OomScoreAdjOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_OomScoreAdj.Key()) + return o.ownersFor(id).SimpleOwner(Field_OomScoreAdj.Key()) } func (f *FieldOwners) OomScoreAdjOwner() (string, bool) { - return f.simpleOwner(Field_OomScoreAdj.Key()) + return f.SimpleOwner(Field_OomScoreAdj.Key()) } func (o *OwningPlugins) ClearOomScoreAdj(id, plugin string) { @@ -702,11 +702,11 @@ func (f *FieldOwners) ClaimRlimit(typ, plugin string) error { } func (o *OwningPlugins) RlimitOwner(id, typ string) (string, bool) { - return o.ownersFor(id).compoundOwner(Field_Rlimits.Key(), typ) + return o.ownersFor(id).CompoundOwner(Field_Rlimits.Key(), typ) } func (f *FieldOwners) RlimitOwner(typ string) (string, bool) { - return f.compoundOwner(Field_Rlimits.Key(), typ) + return f.CompoundOwner(Field_Rlimits.Key(), typ) } func (o *OwningPlugins) ClearRlimit(id, typ, plugin string) { @@ -726,11 +726,11 @@ func (f *FieldOwners) ClaimIOPriority(plugin string) error { } func (o *OwningPlugins) IOPriorityOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_IoPriority.Key()) + return o.ownersFor(id).SimpleOwner(Field_IoPriority.Key()) } func (f *FieldOwners) IOPriorityOwner() (string, bool) { - return f.simpleOwner(Field_IoPriority.Key()) + return f.SimpleOwner(Field_IoPriority.Key()) } func (o *OwningPlugins) ClearIOPriority(id, plugin string) { 
@@ -750,11 +750,11 @@ func (f *FieldOwners) ClaimSeccompPolicy(plugin string) error { } func (o *OwningPlugins) SeccompPolicyOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_SeccompPolicy.Key()) + return o.ownersFor(id).SimpleOwner(Field_SeccompPolicy.Key()) } func (f *FieldOwners) SeccompPolicyOwner() (string, bool) { - return f.simpleOwner(Field_SeccompPolicy.Key()) + return f.SimpleOwner(Field_SeccompPolicy.Key()) } func (o *OwningPlugins) ClearSeccompPolicy(id, plugin string) { @@ -774,11 +774,11 @@ func (f *FieldOwners) ClaimNamespace(typ, plugin string) error { } func (o *OwningPlugins) NamespaceOwner(id, typ string) (string, bool) { - return o.ownersFor(id).compoundOwner(Field_Namespace.Key(), typ) + return o.ownersFor(id).CompoundOwner(Field_Namespace.Key(), typ) } func (f *FieldOwners) NamespaceOwner(typ string) (string, bool) { - return f.compoundOwner(Field_Namespace.Key(), typ) + return f.CompoundOwner(Field_Namespace.Key(), typ) } func (o *OwningPlugins) ClearNamespace(id, typ, plugin string) { @@ -798,11 +798,11 @@ func (f *FieldOwners) ClaimSysctl(key, plugin string) error { } func (o *OwningPlugins) SysctlOwner(id, key string) (string, bool) { - return o.ownersFor(id).compoundOwner(Field_Sysctl.Key(), key) + return o.ownersFor(id).CompoundOwner(Field_Sysctl.Key(), key) } func (f *FieldOwners) SysctlOwner(key string) (string, bool) { - return f.compoundOwner(Field_Sysctl.Key(), key) + return f.CompoundOwner(Field_Sysctl.Key(), key) } func (o *OwningPlugins) ClearSysctl(id, key, plugin string) { 
@@ -822,11 +822,11 @@ func (f *FieldOwners) ClaimLinuxNetDevice(path, plugin string) error { } func (o *OwningPlugins) LinuxNetDeviceOwner(id, path string) (string, bool) { - return o.ownersFor(id).compoundOwner(Field_LinuxNetDevices.Key(), path) + return o.ownersFor(id).CompoundOwner(Field_LinuxNetDevices.Key(), path) } func (f *FieldOwners) LinuxNetDeviceOwner(path string) (string, bool) { - return f.compoundOwner(Field_LinuxNetDevices.Key(), path) + return f.CompoundOwner(Field_LinuxNetDevices.Key(), path) } func (o *OwningPlugins) ClearLinuxNetDevice(id, path, plugin string) { @@ -846,11 +846,11 @@ func (f *FieldOwners) ClaimLinuxScheduler(plugin string) error { } func (o *OwningPlugins) LinuxSchedulerOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_LinuxSched.Key()) + return o.ownersFor(id).SimpleOwner(Field_LinuxSched.Key()) } func (f *FieldOwners) LinuxSchedulerOwner() (string, bool) { - return f.simpleOwner(Field_LinuxSched.Key()) + return f.SimpleOwner(Field_LinuxSched.Key()) } func (o *OwningPlugins) ClearLinuxScheduler(id, plugin string) { @@ -870,11 +870,11 @@ func (f *FieldOwners) ClaimRdtClosID(plugin string) error { } func (o *OwningPlugins) RdtClosIDOwner(id string) (string, bool) { - return o.ownersFor(id).simpleOwner(Field_RdtClosID.Key()) + return o.ownersFor(id).SimpleOwner(Field_RdtClosID.Key()) } func (f *FieldOwners) RdtClosIDOwner() (string, bool) { - return f.simpleOwner(Field_RdtClosID.Key()) + return f.SimpleOwner(Field_RdtClosID.Key()) } func (o *OwningPlugins) ClearRdtClosID(id, plugin string) { 
@@ -894,11 +894,11 @@ func (f *FieldOwners) ClaimRdtSchemata(plugin string) error {
 }
 
 func (o *OwningPlugins) RdtSchemataOwner(id string) (string, bool) {
-	return o.ownersFor(id).simpleOwner(Field_RdtSchemata.Key())
+	return o.ownersFor(id).SimpleOwner(Field_RdtSchemata.Key())
 }
 
 func (f *FieldOwners) RdtSchemataOwner() (string, bool) {
-	return f.simpleOwner(Field_RdtSchemata.Key())
+	return f.SimpleOwner(Field_RdtSchemata.Key())
 }
 
 func (o *OwningPlugins) ClearRdtSchemata(id, plugin string) {
@@ -918,11 +918,11 @@ func (f *FieldOwners) ClaimRdtEnableMonitoring(plugin string) error {
 }
 
 func (o *OwningPlugins) RdtEnableMonitoringOwner(id string) (string, bool) {
-	return o.ownersFor(id).simpleOwner(Field_RdtEnableMonitoring.Key())
+	return o.ownersFor(id).SimpleOwner(Field_RdtEnableMonitoring.Key())
 }
 
 func (f *FieldOwners) RdtEnableMonitoringOwner() (string, bool) {
-	return f.simpleOwner(Field_RdtEnableMonitoring.Key())
+	return f.SimpleOwner(Field_RdtEnableMonitoring.Key())
 }
 
 func (o *OwningPlugins) ClearRdtEnableMonitoring(id, plugin string) {
diff --git a/pkg/runtime-tools/generate/generate.go b/pkg/runtime-tools/generate/generate.go
index 801aa8ff..9af8b910 100644
--- a/pkg/runtime-tools/generate/generate.go
+++ b/pkg/runtime-tools/generate/generate.go
@@ -44,6 +44,7 @@ type UnderlyingGenerator interface {
 	AddPostStopHook(postStopHook rspec.Hook)
 	AddPreStartHook(preStartHook rspec.Hook)
 	AddProcessEnv(name, value string)
+	AddProcessRlimits(typ string, hard, soft uint64)
 	AddLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string)
 	AddLinuxResourcesHugepageLimit(pageSize string, limit uint64)
 	AddLinuxResourcesUnified(key, val string)
@@ -88,6 +89,8 @@ type Generator struct {
 	resolveRdt func(string) (*rspec.LinuxIntelRdt, error)
 	injectCDIDevices func(*rspec.Spec, []string) error
 	checkResources func(*rspec.LinuxResources) error
+	logger Logger
+	owners *nri.FieldOwners
 }
 
 // SpecGenerator returns a wrapped OCI Spec Generator.
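Review bot: `AddProcessRlimits(typ string, hard, soft uint64)` is added to the exported `UnderlyingGenerator` interface without a doc comment, and no caller of it appears in the hunks visible here; widening an exported interface breaks every out-of-tree implementation, and the commit message only talks about audit events. If it belongs in this change, document it in the interface, e.g. `// AddProcessRlimits adds an rlimit of the given type with the given hard and soft limits to the process.`, and mention it in the message. The new `logger` and `owners` fields in the next hunk would likewise read better with a comment such as `// logger, if set, receives audit events for Spec adjustments; owners is used to attribute them to plugins.`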
@@ -148,6 +151,20 @@ func WithCDIDeviceInjector(fn func(*rspec.Spec, []string) error) GeneratorOption {
 	}
 }
 
+// WithLogger specifies a function for logging (audit) messages.
+func WithLogger(logger Logger, owners *nri.FieldOwners) GeneratorOption {
+	return func(g *Generator) {
+		g.logger = logger
+		g.owners = owners
+	}
+}
+
+// Fields can be used to pass extra information for logged messages.
+type Fields = map[string]any
+
+// Logger is a function for logging (audit) messages.
+type Logger = func(event string, fields Fields)
+
 // Adjust adjusts all aspects of the OCI Spec that NRI knows/cares about.
 func (g *Generator) Adjust(adjust *nri.ContainerAdjustment) error {
 	if adjust == nil {
@@ -222,11 +239,30 @@ func (g *Generator) AdjustEnv(env []*nri.KeyValue) {
 		}
 		if m, ok := mod[keyval[0]]; ok {
 			delete(mod, keyval[0])
-			if _, marked := m.IsMarkedForRemoval(); !marked {
+			if key, marked := m.IsMarkedForRemoval(); !marked {
+				g.log(AuditAddProcessEnv,
+					Fields{
+						"value.name": m.Key,
+						"value.value": "",
+						"nri.plugin": g.compoundOwner(nri.Field_Env, m.Key),
+					},
+				)
 				g.AddProcessEnv(m.Key, m.Value)
+			} else {
+				g.log(AuditRemoveProcessEnv,
+					Fields{
+						"value.name": key,
+						"nri.plugin": g.compoundOwner(nri.Field_Env, key),
+					},
+				)
 			}
 			continue
 		}
+		g.log(AuditAddProcessEnv, Fields{
+			"value.name": keyval[0],
+			"value.value": keyval[1],
+			"nri.plugin": g.compoundOwner(nri.Field_Env, keyval[0]),
+		})
 		g.AddProcessEnv(keyval[0], keyval[1])
 	}
 }
@@ -237,6 +273,11 @@ func (g *Generator) AdjustEnv(env []*nri.KeyValue) {
 			continue
 		}
 		if _, ok := mod[e.Key]; ok {
+			g.log(AuditAddProcessEnv, Fields{
+				"value.name": e.Key,
+				"value.value": e.Value,
+				"nri.plugin": g.compoundOwner(nri.Field_Env, e.Key),
+			})
 			g.AddProcessEnv(e.Key, e.Value)
 		}
 	}
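Review bot: `WithLogger`'s doc comment covers the logger but says nothing about the `owners` argument, which the `Adjust*` hunks use through `g.compoundOwner`/`g.simpleOwner` to fill the `"nri.plugin"` field, nor what an unset or nil value means for that field (`SimpleOwner` in owners.go returns `""` for a nil receiver, but the generator-side wrappers are not in view). Suggest `// WithLogger specifies a function for logging (audit) events, and the field owners used to attribute each event to the plugin that requested the adjustment.` The `Fields` comment would also benefit from a sentence naming the key conventions used throughout (`"value"`, `"value.*"`, `"nri.plugin"`) so external loggers can rely on them.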
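Review bot: The first `AuditAddProcessEnv` event in the `AdjustEnv` hunk logs `"value.value": ""`, while the second one in the same hunk and the one in the next hunk log the actual value (`keyval[1]`, `e.Value`), so the same event type carries different information depending on which branch emitted it. If the empty string is deliberate redaction — environment values commonly carry credentials, so an audit sink should not receive them by default — apply it at all three sites with a comment such as `// value deliberately not logged: env may carry secrets`; if it is an oversight, log `m.Value`. The `AuditRemoveProcessEnv` event is emitted for an entry that is simply not re-added, which is correct here but deserves a one-line comment since no explicit removal call follows it. `AdjustEnv` starts before the hunk.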
@@ -245,6 +286,11 @@ func (g *Generator) AdjustEnv(env []*nri.KeyValue) {
 // AdjustArgs adjusts the process arguments in the OCI Spec.
 func (g *Generator) AdjustArgs(args []string) {
 	if len(args) != 0 {
+		g.log(AuditSetProcessArgs,
+			Fields{
+				"args": strings.Join(args, " "),
+				"nri.plugin": g.simpleOwner(nri.Field_Args),
+			})
 		g.SetProcessArgs(args)
 	}
 }
@@ -258,8 +304,18 @@ func (g *Generator) AdjustAnnotations(annotations map[string]string) error {
 	}
 	for k, v := range annotations {
 		if key, marked := nri.IsMarkedForRemoval(k); marked {
-			g.RemoveAnnotation(key)
+			g.log(AuditRemoveAnnotation,
+				Fields{
+					"value.key": key,
+					"nri.plugin": g.compoundOwner(nri.Field_Annotations, key),
+				})
 		} else {
+			g.log(AuditAddAnnotation,
+				Fields{
+					"value.key": k,
+					"value.value": v,
+					"nri.plugin": g.compoundOwner(nri.Field_Annotations, k),
+				})
 			g.AddAnnotation(k, v)
 		}
 	}
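Review bot: `"args": strings.Join(args, " ")` in `AdjustArgs` flattens the argument vector, so an argument containing a space is indistinguishable in the audit record from two arguments, which matters for an event whose purpose is to show what a plugin made the container execute. The other events log the raw value (`AdjustRdtSchemata` in a later hunk logs a `[]string` under `"value"`), so `"value": args` keeps the boundaries and also brings the key name in line with the `"value"`/`"value.*"` keys used everywhere else.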
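Review bot: The removal branch of `AdjustAnnotations` now only emits `AuditRemoveAnnotation`; the `g.RemoveAnnotation(key)` call that this hunk deletes is not re-added, so an annotation a plugin marks for removal stays in the Spec while the audit trail says it was removed. Re-add `g.RemoveAnnotation(key)` after the `g.log(...)` call, which is how the sysctl and namespace hunks keep their removal calls next to the event. The enclosing function starts before the hunk.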
@@ -273,21 +329,57 @@ func (g *Generator) AdjustHooks(hooks *nri.Hooks) {
 		return
 	}
 	for _, h := range hooks.Prestart {
+		g.log(AuditAddOCIHook,
+			Fields{
+				"value.type": "PreStart",
+				"value.path": h.Path,
+				"nri.plugin": g.simpleOwner(nri.Field_OciHooks),
+			})
 		g.AddPreStartHook(h.ToOCI())
 	}
 	for _, h := range hooks.Poststart {
+		g.log(AuditAddOCIHook,
+			Fields{
+				"value.type": "PostStart",
+				"value.path": h.Path,
+				"nri.plugin": g.simpleOwner(nri.Field_OciHooks),
+			})
 		g.AddPostStartHook(h.ToOCI())
 	}
 	for _, h := range hooks.Poststop {
+		g.log(AuditAddOCIHook,
+			Fields{
+				"value.type": "PostStop",
+				"value.path": h.Path,
+				"nri.plugin": g.simpleOwner(nri.Field_OciHooks),
+			})
 		g.AddPostStopHook(h.ToOCI())
 	}
 	for _, h := range hooks.CreateRuntime {
+		g.log(AuditAddOCIHook,
+			Fields{
+				"value.type": "CreateRuntime",
+				"value.path": h.Path,
+				"nri.plugin": g.simpleOwner(nri.Field_OciHooks),
+			})
 		g.AddCreateRuntimeHook(h.ToOCI())
 	}
 	for _, h := range hooks.CreateContainer {
+		g.log(AuditAddOCIHook,
+			Fields{
+				"value.type": "CreateContainer",
+				"value.path": h.Path,
+				"nri.plugin": g.simpleOwner(nri.Field_OciHooks),
+			})
 		g.AddCreateContainerHook(h.ToOCI())
 	}
 	for _, h := range hooks.StartContainer {
+		g.log(AuditAddOCIHook,
+			Fields{
+				"value.type": "StartContainer",
+				"value.path": h.Path,
+				"nri.plugin": g.simpleOwner(nri.Field_OciHooks),
+			})
 		g.AddStartContainerHook(h.ToOCI())
 	}
 }
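Review bot: The six `g.log(AuditAddOCIHook, ...)` blocks in `AdjustHooks` are identical except for the `"value.type"` literal; a helper taking the type and path, as below, keeps the field set in one place and shrinks the hunk to a third. The record names only `h.Path`; hooks are executed by the runtime with whatever arguments the plugin supplied, so if the NRI hook type carries an argument vector (its OCI counterpart `rspec.Hook` does) recording it as well would make the event reflect what is actually run.
```go
// logHook emits the audit event for one OCI hook of the given type.
func (g *Generator) logHook(typ, path string) {
	g.log(AuditAddOCIHook,
		Fields{
			"value.type": typ,
			"value.path": path,
			"nri.plugin": g.simpleOwner(nri.Field_OciHooks),
		})
}

	for _, h := range hooks.Prestart {
		g.logHook("PreStart", h.Path)
		g.AddPreStartHook(h.ToOCI())
	}
	// … unchanged: the other five loops follow the same shape with their own type string …
```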
@@ -302,43 +394,124 @@ func (g *Generator) AdjustResources(r *nri.LinuxResources) error {
 
 	if r.Cpu != nil {
 		if r.Cpu.Period != nil {
-			g.SetLinuxResourcesCPUPeriod(r.Cpu.GetPeriod().GetValue())
+			v := r.Cpu.GetPeriod().GetValue()
+			g.log(AuditSetLinuxCPUPeriod,
+				Fields{
+					"value": v,
+					"nri.plugin": g.simpleOwner(nri.Field_CPUPeriod),
+				})
+			g.SetLinuxResourcesCPUPeriod(v)
 		}
 		if r.Cpu.Quota != nil {
-			g.SetLinuxResourcesCPUQuota(r.Cpu.GetQuota().GetValue())
+			v := r.Cpu.GetQuota().GetValue()
+			g.log(AuditSetLinuxCPUQuota,
+				Fields{
+					"value": v,
+					"nri.plugin": g.simpleOwner(nri.Field_CPUQuota),
+				})
+			g.SetLinuxResourcesCPUQuota(v)
 		}
 		if r.Cpu.Shares != nil {
-			g.SetLinuxResourcesCPUShares(r.Cpu.GetShares().GetValue())
+			v := r.Cpu.GetShares().GetValue()
+			g.log(AuditSetLinuxCPUShares,
+				Fields{
+					"value": v,
+					"nri.plugin": g.simpleOwner(nri.Field_CPUShares),
+				})
+			g.SetLinuxResourcesCPUShares(v)
 		}
 		if r.Cpu.Cpus != "" {
-			g.SetLinuxResourcesCPUCpus(r.Cpu.GetCpus())
+			v := r.Cpu.GetCpus()
+			g.log(AuditSetLinuxCPUSetCPUs,
+				Fields{
+					"value": v,
+					"nri.plugin": g.simpleOwner(nri.Field_CPUSetCPUs),
+				})
+			g.SetLinuxResourcesCPUCpus(v)
 		}
 		if r.Cpu.Mems != "" {
-			g.SetLinuxResourcesCPUMems(r.Cpu.GetMems())
+			v := r.Cpu.GetMems()
+			g.log(AuditSetLinuxCPUSetMems,
+				Fields{
+					"value": v,
+					"nri.plugin": g.simpleOwner(nri.Field_CPUSetMems),
+				})
+			g.SetLinuxResourcesCPUMems(v)
 		}
 		if r.Cpu.RealtimeRuntime != nil {
-			g.SetLinuxResourcesCPURealtimeRuntime(r.Cpu.GetRealtimeRuntime().GetValue())
+			v := r.Cpu.GetRealtimeRuntime().GetValue()
+			g.log(AuditSetLinuxCPURealtimeRuntime,
+				Fields{
+					"value": v,
+					"nri.plugin": g.simpleOwner(nri.Field_CPURealtimeRuntime),
+				})
+			g.SetLinuxResourcesCPURealtimeRuntime(v)
 		}
 		if r.Cpu.RealtimePeriod != nil {
-			g.SetLinuxResourcesCPURealtimePeriod(r.Cpu.GetRealtimePeriod().GetValue())
+			v := r.Cpu.GetRealtimePeriod().GetValue()
+			g.log(AuditSetLinuxCPURealtimePeriod,
+				Fields{
+					"value": v,
+					"nri.plugin": 
g.simpleOwner(nri.Field_CPURealtimePeriod),
+				})
+			g.SetLinuxResourcesCPURealtimePeriod(v)
 		}
 	}
 	if r.Memory != nil {
 		if l := r.Memory.GetLimit().GetValue(); l != 0 {
+			g.log(AuditSetLinuxMemLimit,
+				Fields{
+					"value": l,
+					"nri.plugin": g.simpleOwner(nri.Field_MemLimit),
+				})
 			g.SetLinuxResourcesMemoryLimit(l)
+			g.log(AuditSetLinuxMemSwapLimit,
+				Fields{
+					"value": l,
+					"nri.plugin": g.simpleOwner(nri.Field_MemSwapLimit),
+				})
 			g.SetLinuxResourcesMemorySwap(l)
 		}
 	}
 	for _, l := range r.HugepageLimits {
+		g.log(AuditSetLinuxHugepageLimit,
+			Fields{
+				"value.pagesize": l.PageSize,
+				"value.limit": l.Limit,
+				"nri.plugin": g.compoundOwner(nri.Field_HugepageLimits, l.PageSize),
+			})
 		g.AddLinuxResourcesHugepageLimit(l.PageSize, l.Limit)
 	}
 	for k, v := range r.Unified {
+		g.log(AuditSetLinuxResourceUnified,
+			Fields{
+				"value.name": k,
+				"value.value": v,
+				"nri.plugin": g.compoundOwner(nri.Field_CgroupsUnified, k),
+			})
 		g.AddLinuxResourcesUnified(k, v)
 	}
 	if v := r.GetPids(); v != nil {
+		g.log(AuditSetLinuxPidsLimit,
+			Fields{
+				"value": v.GetLimit(),
+				"nri.plugin": g.simpleOwner(nri.Field_PidsLimit),
+			})
 		g.SetLinuxResourcesPidsLimit(v.GetLimit())
 	}
+	// TODO(klihub): check this, I think it's input-only and therefore should be
+	// always empty. We don't provide an adjustment setter for it and we don't
+	// collect it during plugin response processing. If it is so, we should also
+	// check for any plugin trying to manually set it in the response and error
+	// out on the stub side if one does.
 	for _, d := range r.Devices {
+		g.log(AuditAddLinuxDeviceRule, Fields{
+			"value.allow": d.Allow,
+			"value.type": d.Type,
+			"value.major": d.Major.Get(),
+			"value.minor": d.Minor.Get(),
+			"value.access": d.Access,
+		})
 		g.AddLinuxResourcesDevice(d.Allow, d.Type, d.Major.Get(), d.Minor.Get(), d.Access)
 	}
 	if g.checkResources != nil {
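Review bot: `"value.major": d.Major.Get()` and `"value.minor": d.Minor.Get()` in the `AuditAddLinuxDeviceRule` event store the same values the next line passes to `AddLinuxResourcesDevice(allow bool, devType string, major, minor *int64, access string)`, i.e. `*int64` pointers, so a logger that formats fields with `%v` records an address instead of the device number, and a nil (unspecified) major or minor cannot be told from a zero once rendered. Dereference for the record and render nil explicitly, as below. This is also the only event in the hunk without an `"nri.plugin"` field, and the TODO above it says the author believes the input is always empty; if so the event is either dead or, when it does fire, the one most worth attributing. The memory block attributes `AuditSetLinuxMemSwapLimit` to `nri.Field_MemSwapLimit` although the value is the memory limit `l`, so the owner lookup presumably keys on a field no plugin claimed; worth checking the attribution is not blank. `AdjustResources` starts and ends outside the hunk.
```go
// devNum renders an optional device number for the audit record; nil is logged as "*".
func devNum(n *int64) any {
	if n == nil {
		return "*"
	}
	return *n
}

		g.log(AuditAddLinuxDeviceRule, Fields{
			"value.allow":  d.Allow,
			"value.type":   d.Type,
			"value.major":  devNum(d.Major.Get()),
			"value.minor":  devNum(d.Minor.Get()),
			"value.access": d.Access,
		})
		// … unchanged: AddLinuxResourcesDevice call …
```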
@@ -357,6 +530,10 @@ func (g *Generator) AdjustBlockIOClass(blockIOClass *string) error {
 	}
 
 	if *blockIOClass == "" {
+		g.log(AuditClearLinuxBlkioClass,
+			Fields{
+				"nri.plugin": g.simpleOwner(nri.Field_BlockioClass),
+			})
 		g.ClearLinuxResourcesBlockIO()
 		return nil
 	}
@@ -366,6 +543,11 @@ func (g *Generator) AdjustBlockIOClass(blockIOClass *string) error {
 		return fmt.Errorf("failed to adjust BlockIO class in OCI Spec: %w", err)
 	}
 
+	g.log(AuditSetLinuxBlkioClass,
+		Fields{
+			"value": *blockIOClass,
+			"nri.plugin": g.simpleOwner(nri.Field_BlockioClass),
+		})
 	g.SetLinuxResourcesBlockIO(blockIO)
 	return nil
 }
@@ -377,6 +559,10 @@ func (g *Generator) AdjustRdtClass(rdtClass *string) error {
 	}
 
 	if *rdtClass == "" {
+		g.log(AuditClearLinuxRdtClass,
+			Fields{
+				"nri.plugin": g.simpleOwner(nri.Field_RdtClass),
+			})
 		g.ClearLinuxIntelRdt()
 		return nil
 	}
@@ -386,6 +572,11 @@ func (g *Generator) AdjustRdtClass(rdtClass *string) error {
 		return fmt.Errorf("failed to adjust RDT class in OCI Spec: %w", err)
 	}
 
+	g.log(AuditSetLinuxRdtClass,
+		Fields{
+			"value": *rdtClass,
+			"nri.plugin": g.simpleOwner(nri.Field_RdtClass),
+		})
 	g.SetLinuxIntelRdt(rdt)
 	return nil
 }
@@ -397,6 +588,7 @@ func (g *Generator) AdjustRdt(r *nri.LinuxRdt) {
 	}
 
 	if r.Remove {
+		g.log(AuditClearLinuxRdt, nil)
 		g.ClearLinuxIntelRdt()
 	}
 
@@ -408,6 +600,11 @@ func (g *Generator) AdjustRdt(r *nri.LinuxRdt) {
 // AdjustRdtClosID adjusts the RDT CLOS id in the OCI Spec.
 func (g *Generator) AdjustRdtClosID(value *string) {
 	if value != nil {
+		g.log(AuditSetLinuxRdtClosID,
+			Fields{
+				"value": *value,
+				"nri.plugin": g.simpleOwner(nri.Field_RdtClosID),
+			})
 		g.SetLinuxIntelRdtClosID(*value)
 	}
 }
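Review bot: `g.log(AuditClearLinuxRdt, nil)` in `AdjustRdt` is the only event in this file emitted without attribution, while the clear events for the BlockIO and RDT classes in the hunks above carry `"nri.plugin"`; an audit consumer therefore cannot tell which plugin wiped the RDT configuration, which is the one piece of information a clear event exists to record. The owner field for the RDT struct is not visible in this chunk (owners.go has a `ClearRdt` owner method, so one exists), so pass whichever key that is: `g.log(AuditClearLinuxRdt, Fields{"nri.plugin": g.simpleOwner(nri.Field_<rdt-struct-field>)})` with the real constant. `AdjustRdt` continues outside the hunk.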
@@ -415,6 +612,11 @@ func (g *Generator) AdjustRdtClosID(value *string) { // AdjustRdtSchemata adjusts the RDT schemata in the OCI Spec. func (g *Generator) AdjustRdtSchemata(value *[]string) { if value != nil { + g.log(AuditSetLinuxRdtSchemata, + Fields{ + "value": *value, + "nri.plugin": g.simpleOwner(nri.Field_RdtSchemata), + }) g.SetLinuxIntelRdtSchemata(*value) } } @@ -422,6 +624,11 @@ func (g *Generator) AdjustRdtSchemata(value *[]string) { // AdjustRdtEnableMonitoring adjusts the RDT monitoring in the OCI Spec. func (g *Generator) AdjustRdtEnableMonitoring(value *bool) { if value != nil { + g.log(AuditSetLinuxRdtMonitoring, + Fields{ + "value": *value, + "nri.plugin": g.simpleOwner(nri.Field_RdtEnableMonitoring), + }) g.SetLinuxIntelRdtEnableMonitoring(*value) } } @@ -429,6 +636,11 @@ func (g *Generator) AdjustRdtEnableMonitoring(value *bool) { // AdjustCgroupsPath adjusts the cgroup pseudofs path in the OCI Spec. func (g *Generator) AdjustCgroupsPath(path string) { if path != "" { + g.log(AuditSetLinuxCgroupsPath, + Fields{ + "value": path, + "nri.plugin": g.simpleOwner(nri.Field_CgroupsPath), + }) g.SetLinuxCgroupsPath(path) } } @@ -437,13 +649,24 @@ func (g *Generator) AdjustCgroupsPath(path string) { // This may override kubelet's settings for OOM score. func (g *Generator) AdjustOomScoreAdj(score *nri.OptionalInt) { if score != nil { - g.SetProcessOOMScoreAdj(int(score.Value)) + v := int(score.Value) + g.log(AuditSetProcessOOMScoreAdj, + Fields{ + "value": v, + "nri.plugin": g.simpleOwner(nri.Field_OomScoreAdj), + }) + g.SetProcessOOMScoreAdj(v) } } // AdjustIOPriority adjusts the IO priority of the container. func (g *Generator) AdjustIOPriority(ioprio *nri.LinuxIOPriority) { if ioprio != nil { + g.log(AuditSetLinuxIOPriority, Fields{ + "value.class": ioprio.Class.String(), + "value.priority": ioprio.Priority, + "nri.plugin": g.simpleOwner(nri.Field_IoPriority), + }) g.SetProcessIOPriority(ioprio.ToOCI()) } } 
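Review bot: The layout of the new audit calls is inconsistent: `AdjustIOPriority` opens `Fields{` on the same line as `g.log(`, while `AdjustOomScoreAdj` directly above it and the RDT/cgroups-path hunks put `Fields{` on its own line, and the same mix recurs in the `AdjustNamespaces`, `AdjustDevices` and `AdjustLinuxNetDevices` hunks. Settling on one form (the single-line `g.log(Event, Fields{` used in `AdjustDevices` reads better) keeps the audit sites uniform and easy to grep. Separately, `AuditSetLinuxIOPriority` names an event whose message is "set process IO priority" and whose setter is `SetProcessIOPriority`; naming it `AuditSetProcessIOPriority`, in line with `AuditSetProcessOOMScoreAdj` beside it, removes the mismatch.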
@@ -473,6 +696,10 @@ func (g *Generator) AdjustSeccompPolicy(policy *nri.LinuxSeccomp) error { flags[i] = rspec.LinuxSeccompFlag(f) } + g.log(AuditSetLinuxSeccompPolicy, + Fields{ + "nri.plugin": g.simpleOwner(nri.Field_SeccompPolicy), + }) g.Config.Linux.Seccomp = &rspec.LinuxSeccomp{ DefaultAction: rspec.LinuxSeccompAction(policy.DefaultAction), Architectures: archs, @@ -492,10 +719,20 @@ func (g *Generator) AdjustNamespaces(namespaces []*nri.LinuxNamespace) error { continue } if key, marked := n.IsMarkedForRemoval(); marked { + g.log(AuditRemoveLinuxNamespace, + Fields{ + "value.type": key, + "nri.plugin": g.compoundOwner(nri.Field_Namespace, key), + }) if err := g.RemoveLinuxNamespace(key); err != nil { return err } } else { + g.log(AuditSetLinuxNamespace, Fields{ + "value.type": n.Type, + "value.path": n.Path, + "nri.plugin": g.compoundOwner(nri.Field_Namespace, n.Type), + }) if err := g.AddOrReplaceLinuxNamespace(n.Type, n.Path); err != nil { return err } @@ -513,8 +750,19 @@ func (g *Generator) AdjustSysctl(sysctl map[string]string) error { } for k, v := range sysctl { if key, marked := nri.IsMarkedForRemoval(k); marked { + g.log(AuditRemoveLinuxSysctl, + Fields{ + "value.key": key, + "nri.plugin": g.compoundOwner(nri.Field_Sysctl, key), + }) g.RemoveLinuxSysctl(key) } else { + g.log(AuditSetLinuxSysctl, + Fields{ + "value.key": k, + "value.value": v, + "nri.plugin": g.compoundOwner(nri.Field_Sysctl, k), + }) g.AddLinuxSysctl(k, v) } } 
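Review bot: The `AuditSetLinuxSeccompPolicy` event records only the owning plugin, so the trail shows that the seccomp profile was replaced but nothing about what replaced it — too little to reconstruct the change for a control this sensitive. The inputs are available at the call site: logging `"value.default_action": policy.DefaultAction` together with `"value.architectures": len(archs)` and `"value.flags": len(flags)` (plus a syscall-rule count if the policy carries one) makes the event useful without dumping the whole profile. The head of `AdjustSeccompPolicy`, where `archs` and `flags` are built, lies outside the hunk.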
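Review bot: In the `AdjustNamespaces` hunk, `AuditRemoveLinuxNamespace` and `AuditSetLinuxNamespace` are emitted before `g.RemoveLinuxNamespace` / `g.AddOrReplaceLinuxNamespace`, both of which can return an error, so on failure the audit trail records an adjustment that never reached the spec; the same log-then-act ordering precedes the fallible `g.injectCDIDevices` in `InjectCDIDevices` and `g.SetLinuxRootPropagation` in `AdjustMounts`. For the infallible setters the ordering is harmless, but for these three the entry should either follow the successful call — `if err := g.RemoveLinuxNamespace(key); err != nil { return err }` and then the `g.log(...)` — or carry the outcome as a field. A sentence on the `log` helper stating whether an event means "attempted" or "applied" would fix the contract either way.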
@@ -528,19 +776,49 @@ func (g *Generator) AdjustLinuxScheduler(sch *nri.LinuxScheduler) { return } g.initConfigProcess() + g.log(AuditSetLinuxScheduler, + Fields{ + "value.policy": sch.Policy.String(), + "value.nice": sch.Nice, + "value.priority": sch.Priority, + "value.runtime": sch.Runtime, + "value.deadline": sch.Deadline, + "value.period": sch.Period, + "nri.plugin": g.simpleOwner(nri.Field_LinuxSched), + }) g.Config.Process.Scheduler = sch.ToOCI() } // AdjustDevices adjusts the (Linux) devices in the OCI Spec. func (g *Generator) AdjustDevices(devices []*nri.LinuxDevice) { for _, d := range devices { - key, marked := d.IsMarkedForRemoval() - g.RemoveDevice(key) + path, marked := d.IsMarkedForRemoval() + g.log(AuditRemoveLinuxDevice, + Fields{ + "value.path": path, + "nri.plugin": g.compoundOwner(nri.Field_Devices, path), + }) + g.RemoveDevice(path) if marked { continue } + g.log(AuditAddLinuxDevice, Fields{ + "value.path": d.Path, + "value.type": d.Type, + "value.major": d.Major, + "value.minor": d.Minor, + "nri.plugin": g.compoundOwner(nri.Field_Devices, d.Path), + }) g.AddDevice(d.ToOCI()) major, minor, access := &d.Major, &d.Minor, d.AccessString() + g.log(AuditAddLinuxDeviceRule, Fields{ + "value.allow": true, + "value.type": d.Type, + "value.major": d.Major, + "value.minor": d.Minor, + "value.access": access, + "nri.plugin": g.compoundOwner(nri.Field_Devices, d.Path), + }) g.AddLinuxResourcesDevice(true, d.Type, major, minor, access) } } 
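Review bot: `AuditRemoveLinuxDevice` is emitted for every device in the list, including the ones being added, because `g.RemoveDevice(path)` runs unconditionally to replace any existing entry; the audit trail will therefore show a removal for each added device, whether or not one existed. `AdjustMounts` has the same pattern, logging `AuditRemoveMount` ahead of the unconditional `g.RemoveMount(m.Destination)`. Restricting the removal event to the `marked` branch and leaving the unconditional `RemoveDevice` as an unlogged replace keeps the resulting spec identical while keeping the trail honest.
```go
	for _, d := range devices {
		path, marked := d.IsMarkedForRemoval()
		if marked {
			g.log(AuditRemoveLinuxDevice, Fields{
				"value.path": path,
				"nri.plugin": g.compoundOwner(nri.Field_Devices, path),
			})
			g.RemoveDevice(path)
			continue
		}
		// Replace any existing entry for the same path; the add event below covers it.
		g.RemoveDevice(path)
		// … unchanged: AuditAddLinuxDevice / AddDevice / AuditAddLinuxDeviceRule / AddLinuxResourcesDevice …
	}
```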
@@ -549,8 +827,19 @@ func (g *Generator) AdjustDevices(devices []*nri.LinuxDevice) { func (g *Generator) AdjustLinuxNetDevices(devices map[string]*nri.LinuxNetDevice) error { for k, v := range devices { if key, marked := nri.IsMarkedForRemoval(k); marked { + g.log(AuditRemoveLinuxNetDevice, + Fields{ + "value.hostif": key, + "nri.plugin": g.compoundOwner(nri.Field_LinuxNetDevices, key), + }) g.RemoveLinuxNetDevice(key) } else { + g.log(AuditAddLinuxNetDevice, + Fields{ + "value.hostif": k, + "value.containerif": v, + "nri.plugin": g.compoundOwner(nri.Field_LinuxNetDevices, k), + }) g.AddLinuxNetDevice(k, v) } } @@ -568,10 +857,17 @@ func (g *Generator) InjectCDIDevices(devices []*nri.CDIDevice) error { } names := []string{} + plugins := []string{} for _, d := range devices { names = append(names, d.Name) + plugins = append(plugins, g.compoundOwner(nri.Field_CdiDevices, d.Name)) } + g.log(AuditInjectCDIDevices, + Fields{ + "value": strings.Join(names, ","), + "nri.plugin": strings.Join(plugins, ","), + }) return g.injectCDIDevices(g.Config, names) } @@ -581,11 +877,13 @@ func (g *Generator) AdjustRlimits(rlimits []*nri.POSIXRlimit) error { if l == nil { continue } - g.Config.Process.Rlimits = append(g.Config.Process.Rlimits, rspec.POSIXRlimit{ - Type: l.Type, - Hard: l.Hard, - Soft: l.Soft, + g.log(AuditAddProcessRlimits, Fields{ + "value.type": l.Type, + "value.soft": l.Soft, + "value.hard": l.Hard, + "nri.plugin": g.compoundOwner(nri.Field_Rlimits, l.Type), }) + g.AddProcessRlimits(l.Type, l.Hard, l.Soft) } return nil } 
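Review bot: Replacing the direct `append` to `g.Config.Process.Rlimits` with `g.AddProcessRlimits(l.Type, l.Hard, l.Soft)` in the `AdjustRlimits` hunk is more than an audit change: as far as I recall runtime-tools' implementation, `AddProcessRlimits` updates an existing entry of the same type instead of appending a second one, so a spec that previously could end up with duplicate rlimit types now ends up with the last value in place. That is arguably the better behaviour, but it is silent here and the commit message mentions only audit events; a comment at the call, `// AddProcessRlimits replaces an existing limit of the same type rather than appending one`, or a line in the message would record it. If the helper also initialises `Config.Process` on its own, which the old code did not, that is worth confirming against the callers outside this hunk.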
@@ -599,10 +897,23 @@ func (g *Generator) AdjustMounts(mounts []*nri.Mount) error { propagation := "" for _, m := range mounts { if destination, marked := m.IsMarkedForRemoval(); marked { + g.log(AuditRemoveMount, + Fields{ + "value.destination": destination, + "nri.plugin": g.compoundOwner(nri.Field_Mounts, destination), + }, + ) g.RemoveMount(destination) continue } + plugin := g.compoundOwner(nri.Field_Mounts, m.Destination) + g.log(AuditRemoveMount, + Fields{ + "value.destination": m.Destination, + "nri.plugin": plugin, + }, + ) g.RemoveMount(m.Destination) mnt := m.ToOCI(&propagation) @@ -612,6 +923,12 @@ func (g *Generator) AdjustMounts(mounts []*nri.Mount) error { if err := ensurePropagation(mnt.Source, "rshared"); err != nil { return fmt.Errorf("failed to adjust mounts in OCI Spec: %w", err) } + g.log(AuditSetLinuxRootPropagation, + Fields{ + "value": "rshared", + "nri.plugin": plugin, + }, + ) if err := g.SetLinuxRootPropagation("rshared"); err != nil { return fmt.Errorf("failed to adjust rootfs propagation in OCI Spec: %w", err) } @@ -621,11 +938,23 @@ func (g *Generator) AdjustMounts(mounts []*nri.Mount) error { } rootProp := g.Config.Linux.RootfsPropagation if rootProp != "rshared" && rootProp != "rslave" { + g.log(AuditSetLinuxRootPropagation, + Fields{ + "value": "rslave", + "nri.plugin": plugin, + }) if err := g.SetLinuxRootPropagation("rslave"); err != nil { return fmt.Errorf("failed to adjust rootfs propagation in OCI Spec: %w", err) } } } + g.log(AuditAddMount, Fields{ + "value.destination": mnt.Destination, + "value.source": mnt.Source, + "value.type": mnt.Type, + "value.options": strings.Join(mnt.Options, ","), + "nri.plugin": plugin, + }) g.AddMount(mnt) } g.sortMounts() 
@@ -836,3 +1165,84 @@ func (g *Generator) initConfigLinuxIntelRdt() { g.Config.Linux.IntelRdt = &rspec.LinuxIntelRdt{} } } + +func (g *Generator) log(event string, fields Fields) { + if g.logger != nil { + g.logger(event, fields) + } +} + +func (g *Generator) simpleOwner(field nri.Field) string { + owner := "unknown" + + if g.owners != nil { + o, _ := g.owners.SimpleOwner(field.Key()) + if o != "" { + owner = o + } + } + + return owner +} + +func (g *Generator) compoundOwner(field nri.Field, subField string) string { + owner := "unknown" + + if g.owners != nil { + o, _ := g.owners.CompoundOwner(field.Key(), subField) + if o != "" { + owner = o + } + } + + return owner +} + +// Audit 'events' we use in logged audit messages. +const ( //nolint:revive + AuditRemoveProcessEnv = "remove environment variable" + AuditAddProcessEnv = "add environment variable" + AuditSetProcessArgs = "set process arguments" + AuditRemoveAnnotation = "remove annotation" + AuditAddAnnotation = "add annotation" + AuditAddOCIHook = "add OCI hook" + AuditSetLinuxCPUPeriod = "set linux CPU period" + AuditSetLinuxCPUQuota = "set linux CPU quota" + AuditSetLinuxCPUShares = "set linux CPU shares" + AuditSetLinuxCPUSetCPUs = "set linux cpuset CPUs" + AuditSetLinuxCPUSetMems = "set linux cpuset mems" + AuditSetLinuxCPURealtimeRuntime = "set linux cpu realtime runtime" + AuditSetLinuxCPURealtimePeriod = "set linux cpu realtime period" + AuditSetLinuxMemLimit = "set linux memory limit" + AuditSetLinuxMemSwapLimit = "set linux swap limit" + AuditSetLinuxHugepageLimit = "set linux hugepage limit" + AuditSetLinuxResourceUnified = "set linux cgroups unified resource" + AuditSetLinuxPidsLimit = "set linux PIDs limit" + AuditClearLinuxBlkioClass = "clear linux blkio class" + AuditSetLinuxBlkioClass = "set linux blkio class" + AuditClearLinuxRdtClass = "clear linux RDT class" + AuditSetLinuxRdtClass = "set linux RDT class" + AuditClearLinuxRdt = "clear linux RDT" + AuditSetLinuxRdtClosID = "set linux RDT CLOS 
ID" + AuditSetLinuxRdtSchemata = "set linux RDT schemata" + AuditSetLinuxRdtMonitoring = "set linux RDT monitoring" + AuditSetLinuxCgroupsPath = "set linux cgroups path" + AuditSetProcessOOMScoreAdj = "set process OOM score adjustment" + AuditSetLinuxIOPriority = "set process IO priority" + AuditSetLinuxSeccompPolicy = "set linux seccomp policy" + AuditRemoveLinuxNamespace = "remove linux namespace" + AuditSetLinuxNamespace = "set linux namespace" + AuditRemoveLinuxSysctl = "remove linux sysctl" + AuditSetLinuxSysctl = "set linux sysctl" + AuditSetLinuxScheduler = "set linux scheduler" + AuditRemoveLinuxDevice = "remove linux device" + AuditAddLinuxDevice = "add linux device" + AuditAddLinuxDeviceRule = "add linux device rule" + AuditRemoveLinuxNetDevice = "remove linux net device" + AuditAddLinuxNetDevice = "add linux net device" + AuditInjectCDIDevices = "inject CDI devices" + AuditAddProcessRlimits = "add process rlimits" + AuditRemoveMount = "remove mount" + AuditAddMount = "add mount" + AuditSetLinuxRootPropagation = "set linux root propagation" +) diff --git a/pkg/runtime-tools/generate/generate_suite_test.go b/pkg/runtime-tools/generate/generate_suite_test.go index 20ea66b6..c7e5bc89 100644 --- a/pkg/runtime-tools/generate/generate_suite_test.go +++ b/pkg/runtime-tools/generate/generate_suite_test.go @@ -17,10 +17,14 @@ package generate_test import ( + "bytes" + "fmt" + "strings" "testing" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" + "github.com/sirupsen/logrus" rspec "github.com/opencontainers/runtime-spec/specs-go" rgen "github.com/opencontainers/runtime-tools/generate" 
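Review bot: `simpleOwner` and `compoundOwner` return the literal `"unknown"` both when no owner information was configured (`g.owners == nil`) and when owners are tracked but nothing claimed the field, so a consumer of the trail cannot distinguish "attribution not enabled" from "this field changed without a recorded claim" — and the second is exactly the case an auditor wants to notice. Consider a distinct value for the nil-owners case (or omitting `nri.plugin` then) and documenting the sentinel on both helpers, e.g. `// simpleOwner returns the plugin that claimed field, or "unknown" when no owner is recorded.` The `Audit*` constants double as event identifier and human-readable message; if external tooling is expected to match on them, a note on the const block that these strings are a stable interface and must not be reworded would set that expectation.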
@@ -34,7 +38,59 @@ func TestGenerate(t *testing.T) { RunSpecs(t, "Generate Suite") } +type logger struct { + messages []string +} + +func newLogger() *logger { + return &logger{ + messages: []string{}, + } +} + +func (l *logger) Log(event string, fields xgen.Fields) { + var ( + buf = &bytes.Buffer{} + log = &logrus.Logger{ + Out: buf, + Formatter: &logrus.TextFormatter{ + DisableTimestamp: true, + DisableQuote: true, + }, + Level: logrus.InfoLevel, + } + ) + log.WithFields(fields).Info(event) + l.messages = append(l.messages, buf.String()) +} + +func (l *logger) MessageCount() int { + return len(l.messages) +} + +func (l *logger) Has(event string, fields xgen.Fields) bool { + for _, entry := range l.messages { + if !strings.Contains(entry, event) { + continue + } + found := true + for k, v := range fields { + field := fmt.Sprintf("%s=%v", k, v) + if !strings.Contains(entry, field) { + found = false + break + } + } + if found { + return true + } + } + return false +} + var _ = Describe("Adjustment", func() { + testID := "test-ctr-id" + When("nil", func() { It("does not modify the Spec", func() { var ( @@ -42,12 +98,14 @@ var _ = Describe("Adjustment", func() { adjust *api.ContainerAdjustment ) + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, nil)) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec())) + Expect(al.MessageCount()).To(Equal(0)) }) }) @@ -60,12 +118,14 @@ var _ = Describe("Adjustment", func() { } ) + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, nil)) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec())) + Expect(al.MessageCount()).To(Equal(0)) }) }) 
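Review bot: `logger.Has` matches each `key=value` probe with `strings.Contains` on the formatted line, so a probe such as `value=1` also matches `value.value=1` or `value=11111`, and a positive assertion can be satisfied by a different field or a longer value than intended. Because `TextFormatter` separates fields with single spaces and `DisableQuote` leaves values bare, anchoring both ends of the probe — `if !strings.Contains(" "+strings.TrimSuffix(entry, "\n")+" ", " "+field+" ")` — rejects those near misses without touching the call sites. Building a fresh `logrus.Logger` and buffer on every `Log` call works but is heavier than one logger owned by the struct whose buffer is reset per call.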
@@ -80,14 +140,23 @@ var _ = Describe("Adjustment", func() { "arg2", }, } + plugin = "args-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimArgs(testID, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withArgs("arg0", "arg1", "arg2")))) + Expect(al.Has(xgen.AuditSetProcessArgs, + xgen.Fields{ + "nri.plugin": plugin, + })).To(BeTrue()) }) }) @@ -102,14 +171,26 @@ var _ = Describe("Adjustment", func() { Soft: 123, }}, } + plugin = "rlimits-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimRlimit(testID, "nofile", plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withRlimit("nofile", 456, 123)))) + Expect(al.Has(xgen.AuditAddProcessRlimits, + xgen.Fields{ + "value.type": "nofile", + "value.soft": 123, + "value.hard": 456, + "nri.plugin": plugin, + })).To(BeTrue()) }) }) 
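Review bot: `owners.ClaimArgs(testID, plugin)` discards its return value; if the claim helpers return an error when a field is already owned, as the owners API suggests elsewhere, an ignored failure here leaves the owner unset and the later `nri.plugin` assertion fails with a less useful message. `Expect(owners.ClaimArgs(testID, plugin)).To(Succeed())` pins the fixture, and the same applies to every `owners.Claim*` call in the rlimit, memory, OOM-score, CPU, cpuset, mount, seccomp, sysctl and RDT cases that follow.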
@@ -126,14 +207,30 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin = "memlim-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimMemLimit(testID, plugin) + owners.ClaimMemSwapLimit(testID, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withMemoryLimit(11111), withMemorySwap(11111)))) + Expect(al.Has(xgen.AuditSetLinuxMemLimit, + xgen.Fields{ + "value": "11111", + "nri.plugin": plugin, + })).To(BeTrue()) + Expect(al.Has(xgen.AuditSetLinuxMemSwapLimit, + xgen.Fields{ + "value": "11111", + "nri.plugin": plugin, + })).To(BeTrue()) }) }) @@ -149,14 +246,24 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin = "oomscoreadj-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimOomScoreAdj(testID, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withOomScoreAdj(&oomScoreAdj)))) + Expect(al.Has(xgen.AuditSetProcessOOMScoreAdj, + xgen.Fields{ + "value": oomScoreAdj, + "nri.plugin": plugin, + })).To(BeTrue()) }) }) @@ -171,8 +278,9 @@ var _ = Describe("Adjustment", func() { } ) + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, nil)) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) 
@@ -191,8 +299,9 @@ var _ = Describe("Adjustment", func() { spec.Process.OOMScoreAdj = &oomScoreAdj expectedSpec.Process.OOMScoreAdj = &oomScoreAdj + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, nil)) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) @@ -213,14 +322,24 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin = "cpushares-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimCPUShares(testID, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withCPUShares(11111)))) + Expect(al.Has(xgen.AuditSetLinuxCPUShares, + xgen.Fields{ + "value": 11111, + "nri.plugin": plugin, + })).To(BeTrue()) }) }) @@ -237,14 +356,24 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin = "cpuquota-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimCPUQuota(testID, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withCPUQuota(11111)))) + Expect(al.Has(xgen.AuditSetLinuxCPUQuota, + xgen.Fields{ + "value": 11111, + "nri.plugin": plugin, + })).To(BeTrue()) }) }) 
@@ -261,14 +390,24 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin = "cpuperiod-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimCPUPeriod(testID, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withCPUPeriod(11111)))) + Expect(al.Has(xgen.AuditSetLinuxCPUPeriod, + xgen.Fields{ + "value": 11111, + "nri.plugin": plugin, + })).To(BeTrue()) }) }) @@ -285,14 +424,24 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin = "cpuset-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimCPUSetCPUs(testID, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withCPUSetCPUs("5,6")))) + Expect(al.Has(xgen.AuditSetLinuxCPUSetCPUs, + xgen.Fields{ + "value": "5,6", + "nri.plugin": plugin, + })).To(BeTrue()) }) }) @@ -309,14 +458,24 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin = "memset-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimCPUSetMems(testID, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withCPUSetMems("5,6")))) + Expect(al.Has(xgen.AuditSetLinuxCPUSetMems, + xgen.Fields{ + "value": "5,6", + "nri.plugin": plugin, + })).To(BeTrue()) }) }) 
@@ -333,14 +492,23 @@ var _ = Describe("Adjustment", func() { }, }, } + owners = api.NewOwningPlugins() ) + // leave unclaimed to test "unknown" plugin + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec).To(Equal(makeSpec(withPidsLimit(123)))) + Expect(al.Has(xgen.AuditSetLinuxPidsLimit, + xgen.Fields{ + "value": 123, + "nri.plugin": "unknown", + })).To(BeTrue()) }) }) @@ -368,10 +536,18 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin = "mount-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimMount(testID, adjust.Mounts[0].Destination, plugin) + owners.ClaimMount(testID, adjust.Mounts[1].Destination, plugin) + owners.ClaimMount(testID, adjust.Mounts[2].Destination, plugin) + owners.ClaimMount(testID, adjust.Mounts[3].Destination, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) @@ -395,6 +571,26 @@ var _ = Describe("Adjustment", func() { }, }), ))) + Expect(al.Has(xgen.AuditAddMount, + xgen.Fields{ + "value.destination": "/a", + "nri.plugin": plugin, + })).To(BeTrue()) + Expect(al.Has(xgen.AuditAddMount, + xgen.Fields{ + "value.destination": "/a/b", + "nri.plugin": plugin, + })).To(BeTrue()) + Expect(al.Has(xgen.AuditAddMount, + xgen.Fields{ + "value.destination": "/a/b/c", + "nri.plugin": plugin, + })).To(BeTrue()) + Expect(al.Has(xgen.AuditAddMount, + xgen.Fields{ + "value.destination": "/a/b/c/d/e", + "nri.plugin": plugin, + })).To(BeTrue()) }) }) 
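Review bot: The mount case (hunk `@@ -395`) asserts the four `AuditAddMount` events but nothing about removal events, although `AdjustMounts` as written emits an `AuditRemoveMount` for every mount it adds because the unconditional `g.RemoveMount(m.Destination)` is logged; since the spec starts without these mounts, a negative check such as `Expect(al.Has(xgen.AuditRemoveMount, nil)).To(BeFalse())` would document the intended trail and currently fail, which is the useful part. Once the generator logs only real removals, `Expect(al.MessageCount()).To(Equal(4))` pins it more strictly, provided the fixture triggers no root-propagation events.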
@@ -418,14 +614,23 @@ var _ = Describe("Adjustment", func() { SeccompPolicy: api.FromOCILinuxSeccomp(&seccomp), }, } + plugin = "seccomp-plugin" + owners = api.NewOwningPlugins() ) + owners.ClaimSeccompPolicy(testID, plugin) + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(*spec.Linux.Seccomp).To(Equal(seccomp)) + Expect(al.Has(xgen.AuditSetLinuxSeccompPolicy, + xgen.Fields{ + "nri.plugin": plugin, + })).To(BeTrue()) }) }) @@ -441,19 +646,31 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin = "sysctl-plugin" + owners = api.NewOwningPlugins() ) + + owners.ClaimSysctl(testID, "net.ipv4.ip_forward", plugin) + spec.Linux.Sysctl = map[string]string{ "delete.me": "foobar", } + + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec.Linux.Sysctl).To(Equal(map[string]string{ "net.ipv4.ip_forward": "1", })) - + Expect(al.Has(xgen.AuditSetLinuxSysctl, + xgen.Fields{ + "value.key": "net.ipv4.ip_forward", + "value.value": "1", + "nri.plugin": plugin, + })).To(BeTrue()) }) }) @@ -469,9 +686,16 @@ var _ = Describe("Adjustment", func() { }, }, } + plugin := "rdt-plugin" + owners := api.NewOwningPlugins() + + owners.ClaimRdtClosID(testID, "rdt-plugin") + owners.ClaimRdtSchemata(testID, "rdt-plugin") + owners.ClaimRdtEnableMonitoring(testID, "rdt-plugin") + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, owners.Owners[testID])) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) 
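Review bot: The sysctl case (hunk `@@ -441`) removes `delete.me` from the spec — the expected map no longer contains it — but asserts only the `AuditSetLinuxSysctl` event, so the `AuditRemoveLinuxSysctl` path added in `AdjustSysctl` stays untested. `Expect(al.Has(xgen.AuditRemoveLinuxSysctl, xgen.Fields{"value.key": "delete.me", "nri.plugin": "unknown"})).To(BeTrue())` covers it, with the plugin value adjusted if the fixture claims the removal.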
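Review bot: The RDT case (hunk `@@ -469`) declares `plugin := "rdt-plugin"` and then repeats the literal in the three `owners.ClaimRdt*` calls instead of using it, so renaming one would silently break the attribution assertions that follow; `owners.ClaimRdtClosID(testID, plugin)` (likewise for schemata and monitoring) keeps the fixture consistent with the other cases. These three calls also ignore any returned error, as noted for the args case.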
@@ -480,6 +704,21 @@ var _ = Describe("Adjustment", func() { Schemata: []string{"L2:0=ff", "L3:0=f"}, EnableMonitoring: true, })) + Expect(al.Has(xgen.AuditSetLinuxRdtClosID, + xgen.Fields{ + "value": "foo", + "nri.plugin": plugin, + })).To(BeTrue()) + Expect(al.Has(xgen.AuditSetLinuxRdtSchemata, + xgen.Fields{ + "value": "[L2:0=ff L3:0=f]", + "nri.plugin": plugin, + })).To(BeTrue()) + Expect(al.Has(xgen.AuditSetLinuxRdtMonitoring, + xgen.Fields{ + "value": true, + "nri.plugin": plugin, + })).To(BeTrue()) }) }) When("has a RDT remove adjustment", func() { @@ -494,12 +733,14 @@ var _ = Describe("Adjustment", func() { }, } + al := newLogger() rg := &rgen.Generator{Config: spec} - xg := xgen.SpecGenerator(rg) + xg := xgen.SpecGenerator(rg, xgen.WithLogger(al.Log, nil)) Expect(xg).ToNot(BeNil()) Expect(xg.Adjust(adjust)).To(Succeed()) Expect(spec.Linux.IntelRdt).To(BeNil()) + Expect(al.Has(xgen.AuditClearLinuxRdt, nil)).To(BeTrue()) }) }) }) diff --git a/tools/protoc-gen-owners/main.go b/tools/protoc-gen-owners/main.go index 18a5c391..a42339e4 100644 --- a/tools/protoc-gen-owners/main.go +++ b/tools/protoc-gen-owners/main.go @@ -173,13 +173,13 @@ func generateOwnerFuncs(g *protogen.GeneratedFile, fieldEnum *protogen.Enum) { // OwningPlugins.Owner g.P("func (o *OwningPlugins) ", fieldName, "Owner(id, ", keyName, " string) (string, bool) {") - g.P(" return o.ownersFor(id).compoundOwner(Field_", originalFieldName, ".Key(), ", keyName, ")") + g.P(" return o.ownersFor(id).CompoundOwner(Field_", originalFieldName, ".Key(), ", keyName, ")") g.P("}") g.P() // FieldOwners.Owner g.P("func (f *FieldOwners) ", fieldName, "Owner(", keyName, " string) (string, bool) {") - g.P(" return f.compoundOwner(Field_", originalFieldName, ".Key(), ", keyName, ")") + g.P(" return f.CompoundOwner(Field_", originalFieldName, ".Key(), ", keyName, ")") g.P("}") g.P() 
@@ -209,13 +209,13 @@ func generateOwnerFuncs(g *protogen.GeneratedFile, fieldEnum *protogen.Enum) { // OwningPlugins.Owner g.P("func (o *OwningPlugins) ", fieldName, "Owner(id string) (string, bool) {") - g.P(" return o.ownersFor(id).simpleOwner(Field_", originalFieldName, ".Key())") + g.P(" return o.ownersFor(id).SimpleOwner(Field_", originalFieldName, ".Key())") g.P("}") g.P() // FieldOwners.Owner g.P("func (f *FieldOwners) ", fieldName, "Owner() (string, bool) {") - g.P(" return f.simpleOwner(Field_", originalFieldName, ".Key())") + g.P(" return f.SimpleOwner(Field_", originalFieldName, ".Key())") g.P("}") g.P() From f27ac919aa251e1b7e2919c1fffa33a09681ee08 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Fri, 13 Feb 2026 18:47:27 +0200 Subject: [PATCH 2/2] adaptation: expose source plugins for adjustments and errors. Expose owning plugins for adjustments returned by CreateContainer. Include plugin in errors which originate from processing a request by a plugin. Signed-off-by: Krisztian Litkey --- pkg/adaptation/adaptation.go | 28 ++++++++++++++++++++-------- pkg/adaptation/api.go | 2 ++ pkg/adaptation/suite_test.go | 3 ++- 3 files changed, 24 insertions(+), 9 deletions(-) diff --git a/pkg/adaptation/adaptation.go b/pkg/adaptation/adaptation.go index 54518e11..6ae7fd9b 100644 --- a/pkg/adaptation/adaptation.go +++ b/pkg/adaptation/adaptation.go @@ -231,7 +231,7 @@ func (r *Adaptation) UpdatePodSandbox(ctx context.Context, req *UpdatePodSandbox for _, plugin := range r.plugins { _, err := plugin.updatePodSandbox(ctx, req) if err != nil { - return nil, err + return nil, pluginError(plugin, err) } } 
@@ -257,7 +257,7 @@ func (r *Adaptation) RemovePodSandbox(ctx context.Context, evt *StateChangeEvent } // CreateContainer relays the corresponding CRI request to plugins. -func (r *Adaptation) CreateContainer(ctx context.Context, req *CreateContainerRequest) (*CreateContainerResponse, error) { +func (r *Adaptation) CreateContainer(ctx context.Context, req *CreateContainerRequest) (*CreateContainerResponse, *api.OwningPlugins, error) { r.Lock() defer r.Unlock() defer r.removeClosedPlugins() @@ -280,15 +280,20 @@ func (r *Adaptation) CreateContainer(ctx context.Context, req *CreateContainerRe } rpl, err := plugin.createContainer(ctx, req) if err != nil { - return nil, err + return nil, nil, pluginError(plugin, err) } err = result.apply(rpl, plugin.name()) if err != nil { - return nil, err + return nil, nil, err } } - return r.validateContainerAdjustment(ctx, validate, result) + rpl, err := r.validateContainerAdjustment(ctx, validate, result) + if err != nil { + return nil, nil, err + } + + return rpl, result.owners, nil } // PostCreateContainer relays the corresponding CRI event to plugins. @@ -319,7 +324,7 @@ func (r *Adaptation) UpdateContainer(ctx context.Context, req *UpdateContainerRe for _, plugin := range r.plugins { rpl, err := plugin.updateContainer(ctx, req) if err != nil { - return nil, err + return nil, pluginError(plugin, err) } err = result.apply(rpl, plugin.name()) if err != nil { @@ -346,7 +351,7 @@ func (r *Adaptation) StopContainer(ctx context.Context, req *StopContainerReques for _, plugin := range r.plugins { rpl, err := plugin.stopContainer(ctx, req) if err != nil { - return nil, err + return nil, pluginError(plugin, err) } err = result.apply(rpl, plugin.name()) if err != nil { @@ -376,7 +381,7 @@ func (r *Adaptation) StateChange(ctx context.Context, evt *StateChangeEvent) err for _, plugin := range r.plugins { err := plugin.StateChange(ctx, evt) if err != nil { - return err + return pluginError(plugin, err) } } 
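Review bot: `CreateContainer` now returns a third value, but its doc comment still reads `// CreateContainer relays the corresponding CRI request to plugins.` and says nothing about the `*api.OwningPlugins` result or when it is nil. Extend it along the lines of `// CreateContainer relays the corresponding CRI request to plugins. It returns the adjustments to apply together with the plugins that own each adjusted field; both are nil on error.` — the nil-on-error part is what the `@@ -280` hunk in this file guarantees. The function body continues outside this hunk.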
@@ -720,3 +725,10 @@ func (b *PluginSyncBlock) Unblock() { b.r = nil } } + +func pluginError(plugin *plugin, err error) error { + if err == nil { + return nil + } + return fmt.Errorf("plugin %q: %w", plugin.name(), err) +} diff --git a/pkg/adaptation/api.go b/pkg/adaptation/api.go index d0df9d03..aba20d4d 100644 --- a/pkg/adaptation/api.go +++ b/pkg/adaptation/api.go @@ -104,6 +104,8 @@ type ( POSIXRlimit = api.POSIXRlimit SecurityProfile = api.SecurityProfile User = api.User + OwningPlugins = api.OwningPlugins + FieldOwners = api.FieldOwners EventMask = api.EventMask ) diff --git a/pkg/adaptation/suite_test.go b/pkg/adaptation/suite_test.go index 88d8946e..be52de1a 100644 --- a/pkg/adaptation/suite_test.go +++ b/pkg/adaptation/suite_test.go @@ -246,7 +246,8 @@ func (m *mockRuntime) UpdatePodSandbox(ctx context.Context, req *api.UpdatePodSa func (m *mockRuntime) CreateContainer(ctx context.Context, req *api.CreateContainerRequest) (*api.CreateContainerResponse, error) { b := m.runtime.BlockPluginSync() defer b.Unblock() - return m.runtime.CreateContainer(ctx, req) + rpl, _, err := m.runtime.CreateContainer(ctx, req) + return rpl, err } func (m *mockRuntime) UpdateContainer(ctx context.Context, req *api.UpdateContainerRequest) (*api.UpdateContainerResponse, error) {
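Review bot: `pluginError` is undocumented; a one-line doc comment, `// pluginError annotates an error returned by a plugin with the plugin's name; a nil err is returned unchanged.`, states the contract the callers in this file rely on. It also dereferences `plugin` through `plugin.name()`, so it assumes a non-nil plugin, which holds for the `r.plugins` range loops that call it but is worth a note if it is reused elsewhere.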