2 changes: 1 addition & 1 deletion SCANNER_VERSION
@@ -1 +1 @@
2.27.2
2.27.x-24-g7c97e9281e
4 changes: 0 additions & 4 deletions central/sensor/service/pipeline/all/factory.go
Expand Up @@ -20,7 +20,6 @@ import (
"github.com/stackrox/rox/central/sensor/service/pipeline/networkflowupdate"
"github.com/stackrox/rox/central/sensor/service/pipeline/networkpolicies"
"github.com/stackrox/rox/central/sensor/service/pipeline/nodes"
"github.com/stackrox/rox/central/sensor/service/pipeline/nodescansv2"
"github.com/stackrox/rox/central/sensor/service/pipeline/podevents"
"github.com/stackrox/rox/central/sensor/service/pipeline/processindicators"
"github.com/stackrox/rox/central/sensor/service/pipeline/reprocessing"
Expand Down Expand Up @@ -65,9 +64,6 @@ func (s *factoryImpl) PipelineForCluster(ctx context.Context, clusterID string)
alerts.GetPipeline(),
auditlogstateupdate.GetPipeline(),
}
if features.RHCOSNodeScanning.Enabled() {
pipelines = append(pipelines, nodescansv2.GetPipeline())
}
if features.ComplianceOperatorCheckResults.Enabled() {
pipelines = append(pipelines,
complianceoperatorresults.GetPipeline(),
57 changes: 0 additions & 57 deletions central/sensor/service/pipeline/nodescansv2/pipeline.go

This file was deleted.

45 changes: 43 additions & 2 deletions compliance/collection/main.go
Expand Up @@ -277,8 +277,15 @@ func main() {
go manageSendingToSensor(ctx, cli, sensorC)

// TODO(ROX-12971): Replace with real scanner
scanner := nodescanv2.FakeNodeScanner{}
nodeScansC := manageNodeScanLoop(ctx, env.NodeRescanInterval.DurationSetting(), &scanner)
var scanner nodescanv2.NodeScanner
if features.UseFakeNodeInventory.Enabled() {
log.Infof("Using FakeNodeScanner")
scanner = &nodescanv2.FakeNodeScanner{}
} else {
log.Infof("Using real NodeScan")
scanner = &nodescanv2.NodeScan{}
}
nodeScansC := manageNodeScanLoop(ctx, env.NodeRescanInterval.DurationSetting(), scanner)
// multiplex producers (nodeScansC) into the output channel (sensorC)
go func() {
for {
Expand All @@ -301,3 +308,37 @@ func main() {
stoppedSig.Wait()
log.Info("Successfully closed Sensor communication")
}

/*
No certificates found in /usr/local/share/ca-certificates
No certificates found in /etc/pki/injected-ca-trust
main: 2022/11/25 12:24:19.063168 main.go:249: Info: Running StackRox Version: 3.73.x-50-gea9729f302
main: 2022/11/25 12:24:19.064314 main.go:257: Info: Initialized Sensor gRPC stream connection
main: 2022/11/25 12:24:19.064428 main.go:274: Info: Node Rescan interval: 10m0s
main: 2022/11/25 12:24:19.064451 main.go:285: Info: Using real NodeScan
time="2022-11-25T12:24:19Z" level=info msg="add files from directory" directory=usr/lib/ root=/host
time="2022-11-25T12:24:19Z" level=info msg="add files from directory" directory=var/lib/ root=/host
main: 2022/11/25 12:24:19.132677 main.go:243: Info: Successfully connected to Sensor at sensor.stackrox.svc:443
time="2022-11-25T12:24:23Z" level=info msg="add files from directory" directory=root/buildinfo/ root=/host
time="2022-11-25T12:24:23Z" level=info msg="add files from directory" directory=etc/ root=/host
collection/nodescanv2: 2022/11/25 12:24:23.250073 nodescan.go:23: Info: Finished node inventory /host scan
collection/nodescanv2: 2022/11/25 12:24:23.250250 nodescan.go:27: Info: Components found under /host: &{<nil> [] <nil> []}
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x18c2287]

goroutine 60 [running]:
github.com/stackrox/rox/compliance/collection/nodescanv2.convertRHELComponents(0x0)
github.com/stackrox/rox/compliance/collection/nodescanv2/nodescan.go:54 +0x47
github.com/stackrox/rox/compliance/collection/nodescanv2.protoComponentsFromScanComponents(...)
github.com/stackrox/rox/compliance/collection/nodescanv2/nodescan.go:46
github.com/stackrox/rox/compliance/collection/nodescanv2.(*NodeScan).Scan(0x8bb2c97000?, {0xc00005a03e, 0x6})
github.com/stackrox/rox/compliance/collection/nodescanv2/nodescan.go:32 +0x1bb
main.scanNode({0xc00005a03e, 0x6}, {0x23bdee0?, 0x379dac8?})
github.com/stackrox/rox/compliance/collection/main.go:184 +0x3b
main.manageNodeScanLoop.func1()
github.com/stackrox/rox/compliance/collection/main.go:159 +0xf6
created by main.manageNodeScanLoop
github.com/stackrox/rox/compliance/collection/main.go:154 +0x125
Stream closed EOF for stackrox/collector-46n76 (compliance)

*/
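Review bot: The second hunk appends a 33-line commented-out crash log (from `No certificates found …` through `Stream closed EOF …`) to the end of main.go; a raw panic trace is not source documentation and should be dropped from the file, with the reproduction attached to the ticket named in the `TODO(ROX-12971)` comment if it is still needed. If any of it is kept, a one-line comment saying what was fixed (the nil dereference in `nodescanv2.convertRHELComponents`) is enough. In the first hunk, `features.UseFakeNodeInventory.Enabled()` makes the same production binary emit fabricated node inventory, so `log.Infof("Using FakeNodeScanner")` deserves `log.Warn` plus a comment that its output must not be treated as real scan data, and `log.Infof` without format arguments should be `log.Info` on both branches. main() starts and ends outside the hunks.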
50 changes: 41 additions & 9 deletions compliance/collection/nodescanv2/fake_nodescan.go
Expand Up @@ -23,24 +23,56 @@ func (f *FakeNodeScanner) Scan(nodeName string) (*storage.NodeInventory, error)
NodeName: nodeName,
ScanTime: timestamp.TimestampNow(),
Components: &scannerV1.Components{
Namespace: "Testme OS",
Namespace: "Red Hat Enterprise Linux CoreOS 45.82.202008101249-0 (Ootpa)",
RhelComponents: []*scannerV1.RHELComponent{
{
Id: int64(6661),
Name: "vim-minimal",
Namespace: "rhel:8",
Version: "2:7.4.629-6.el8.x86_64",
Version: "2:7.4.629-6.el8",
Arch: "x86_64",
Module: "FakeMod",
Cpes: []string{"cpe:/a:redhat:enterprise_linux:8::baseos"},
AddedBy: "FakeLayer",
Module: "",
Cpes: []string{"cpe:/a:redhat:enterprise_linux:8::baseos", "cpe:/o:redhat:enterprise_linux:8::coreos"},
AddedBy: "FakeNodeScanner",
},
{
Name: "libsolv",
Id: int64(6662),
Name: "tar",
Namespace: "rhel:8",
Version: "0.7.7-1.el8.x86_64",
Version: "1.27.1.el8",
Arch: "x86_64",
Module: "FakeMod",
AddedBy: "FakeLayer",
Cpes: []string{
"cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:rhel:8.3::appstream",
"cpe:/a:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:rhel:8.3::baseos",
},
Module: "",
AddedBy: "FakeNodeScanner",
},
{
Id: int64(6663),
Name: "lz4-libs",
Namespace: "rhel:8",
Version: "1.8.3-3.el8_4",
Arch: "x86_64",
Module: "NoModule",
Cpes: []string{
"cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:rhel:8.3::appstream",
"cpe:/a:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:rhel:8.3::baseos",
},
AddedBy: "FakeNodeScanner",
},
{
Id: int64(6664),
Name: "libksba",
Namespace: "rhel:8",
Version: "1.3.5-7.el8",
Arch: "x86_64",
Module: "",
Cpes: []string{
"cpe:/a:redhat:enterprise_linux:8::appstream", "cpe:/a:redhat:rhel:8.3::appstream",
"cpe:/a:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:rhel:8.3::baseos",
},
AddedBy: "FakeNodeScanner",
},
},
LanguageComponents: nil,
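Review bot: The fixture now hard-codes `Id` values (`int64(6661)` … `int64(6664)`) and `AddedBy: "FakeNodeScanner"`, while the real converter in nodescan.go in this same PR sets `Id: 0` and never sets `AddedBy`, so the fake no longer has the shape the real scanner produces and code tested against it will not see the zero-Id, empty-AddedBy case. The third entry uses `Module: "NoModule"` where the others use `""`, and `Version: "1.27.1.el8"` for `tar` has no release separator unlike the other versions; if these are deliberate edge cases a comment such as `// intentionally odd: exercises non-empty Module / unusual version string` would save the next reader a guess. The enclosing `Scan` method starts and ends outside the hunk.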
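--- /dev/null
+++ b/compliance/collection/nodescanv2/fake_nodescan_test.go
@@ -0,0 +1,23 @@
+package nodescanv2
+
+import (
+"testing"
+
+"github.com/stackrox/rox/generated/storage"
+"github.com/stretchr/testify/suite"
+)
+
+func TestFakeNodeScan(t *testing.T) {
+suite.Run(t, &NodeScanSuite{})
+}
+
+type FakeNodeScanSuite struct {
+suite.Suite
+}
+
+func (n *FakeNodeScanSuite) TestMessageFormat() {
+fns, err := (&FakeNodeScanner{}).Scan("someNode")
+n.Nil(err)
+n.NotNil(fns)
+n.IsType(&storage.NodeInventory{}, fns)
+}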
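Review bot: `TestFakeNodeScan` runs `suite.Run(t, &NodeScanSuite{})`, but the suite defined in this file is `FakeNodeScanSuite`, so `TestMessageFormat` is never executed; it presumably compiles only because a `NodeScanSuite` exists elsewhere in the package (not in this diff). Change it to `suite.Run(t, &FakeNodeScanSuite{})`. `n.IsType(&storage.NodeInventory{}, fns)` is already guaranteed by the return type of `Scan` and checks nothing; asserting on `fns.Components.RhelComponents` (expected count, non-empty `Name` per entry) would actually exercise the fixture.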
63 changes: 61 additions & 2 deletions compliance/collection/nodescanv2/nodescan.go
@@ -1,8 +1,11 @@
package nodescanv2

import (
"github.com/pkg/errors"
timestamp "github.com/gogo/protobuf/types"
"github.com/stackrox/rox/generated/storage"
"github.com/stackrox/scanner/database"
scannerV1 "github.com/stackrox/scanner/generated/scanner/api/v1"
"github.com/stackrox/scanner/pkg/analyzer/nodes"
)

// NodeScanner defines an interface for V2 NodeScanning
Expand All @@ -16,5 +19,61 @@ type NodeScan struct {

// Scan scans the current node and returns the results as storage.NodeInventory object
func (n *NodeScan) Scan(nodeName string) (*storage.NodeInventory, error) {
return nil, errors.New("Not implemented")
componentsHost, err := nodes.Analyze(nodeName, "/host/", false)
log.Info("Finished node inventory /host scan")
if err != nil {
log.Errorf("Error scanning node /host inventory: %v", err)
}
log.Infof("Components found under /host: %v", componentsHost)
if err != nil {
return nil, err
}

var protoComponents *scannerV1.Components
if componentsHost != nil {
protoComponents = protoComponentsFromScanComponents(componentsHost)
}
m := &storage.NodeInventory{
NodeName: nodeName,
ScanTime: timestamp.TimestampNow(),
Components: protoComponents,
}
return m, nil
}

func protoComponentsFromScanComponents(c *nodes.Components) *scannerV1.Components {
var components []*scannerV1.RHELComponent
// For now, we only care about RHEL components, but this must be extended once we support non-RHCOS
if c.CertifiedRHELComponents != nil {
components = convertRHELComponents(c.CertifiedRHELComponents)
}
pc := scannerV1.Components{
Namespace: c.OSNamespace.Name,
OsComponents: nil,
RhelComponents: components,
LanguageComponents: nil,
}
return &pc
}

func convertRHELComponents(rc *database.RHELv2Components) []*scannerV1.RHELComponent {
v1rhelc := make([]*scannerV1.RHELComponent, 0)
if rc.Packages == nil {
log.Warn("No RHEL packages found in scan result")
return v1rhelc
}
for _, rhelc := range rc.Packages {
v1rhelc = append(v1rhelc, &scannerV1.RHELComponent{
Id: 0,
Name: rhelc.Name,
Namespace: rc.Dist, // check
Version: rhelc.Version,
Arch: rhelc.Arch,
Module: rhelc.Module,
Cpes: rc.CPEs, // do we just append all here?
Executables: rhelc.Executables,
// AddedBy: "", // do we know?
})
}
return v1rhelc
}
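Review bot: `protoComponentsFromScanComponents` reads `c.OSNamespace.Name` with no nil check; if `OSNamespace` is a pointer — the `&{<nil> [] <nil> []}` dump in the main.go comment added by this PR suggests its first field can be nil — a host whose OS namespace is not detected will panic in the same rescan loop that the `CertifiedRHELComponents` guard was just added for. Guard it the same way: `var ns string; if c.OSNamespace != nil { ns = c.OSNamespace.Name }` and use `Namespace: ns`. In `Scan` the error is both logged with `log.Errorf` and returned, so it is reported twice, and `log.Infof("Components found under /host: %v", componentsHost)` prints the full package inventory at Info level on every rescan, which belongs at Debug. In `convertRHELComponents` every entry aliases the same `rc.CPEs` slice and `Id` is always 0, and the inline `// check` and `// do we just append all here?` questions should be resolved or turned into a ticketed TODO before merging.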
1 change: 1 addition & 0 deletions deploy/k8s/deploy-local.sh
Expand Up @@ -11,3 +11,4 @@ export POD_SECURITY_POLICIES="${POD_SECURITY_POLICIES:-false}"

# shellcheck source=/dev/null
"$DIR"/deploy.sh
