workflows: Add clippy, nancy, and binskim release checks #319
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add --version flag to the genpolicy tool that prints the current version - Add version.rs.in template to store the version information - Update makefile to autogenerate version.rs from version.rs.in - Add license to Cargo.toml Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
genpolicy: add --version flag
Linux kernel generates a panic when the init process exits. The kernel is booted with panic=1, hence this leads to a vm reboot. When used as a service the kata-agent service has an ExecStop option which does a full sync and shuts down the vm. This patch mimicks this behavior when kata-agent is used as the init process. Fixes: kata-containers#9429 Signed-off-by: Alexandru Matei <alexandru.matei@uipath.com>
genpolicy: add support for cc-local-csi
agent: shutdown vm on exit when agent is used as init process
Add missing cache improvements specifically missing in containerd pull Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
…improvements genpolicy: add missing cache improvements
This patch adds support for the cc-azurefile-csi driver to the genpolicy. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
This patch updates policy samples, required after adding support for cc-azurefile-csi driver in genpolicy. Signed-off-by: Archana Choudhary <archana1@microsoft.com>
genpolicy: add support for cc-azurefile-csi driver
This reverts commit 627be9b, that was insufficient. Waiting for blk devices used just the PCI device/slot index, but not the PCI segment/domain index. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Initialize the CLH Platform a single time. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Hotplug block devices on PCI segments >= 1. PCI segment 0 is used for the network interface, any disks present at Guest boot time, etc. Just bus 0 of each segment is used, and up to 31 devices can be hotplugged to each bus. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
This pod starts successfully when using default AKS-CC settings, and a permissive policy. When the Kata debug options are enabled, this pod fails to start while trying to hotplug image layer index 41. This bug is being investigated. The genpolicy tool should also try to create a smaller policy for this pod, because otherwise "kubectl apply" rejects the policy annotation as being too large. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Lock anyhow version to 1.0.58 because: - Versions between 1.0.59 - 1.0.76 have not been tested yet using Kata CI. However, those versions pass "make test" for the Kata Agent. - Versions 1.0.77 or newer fail during "make test" - see kata-containers#9538. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Implement Agent Policy using the regorus crate instead of the OPA daemon. The OPA daemon will be removed from the Guest rootfs in a future PR. Fixes: kata-containers#9388 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
Bump release version to 3.2.0-azl1.genpolicy0 Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
genpolicy: bump release version
Move pod-many-layers.yaml to needs_containerd_pull category Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
runtime: agent: use PCI segments 1+ for blk devices
agent: use regorus instead of opa
Since OPA binary was replaced by the regorus crate, we can finally stop building and shipping the binary. Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The PID needs to be initialized before calling isClhRunning. waitVMM() uses isClhRunning and is called by launchClh() just before returning from function. Fixes: kata-containers#9230 Signed-off-by: Alexandru Matei <alexandru.matei@uipath.com>
isClhRunning uses signal 0 to test whether the process is still alive or not. This doesn't work because the process is a direct child of the shim. Once it is dead the process becomes zombie. Since no one waits for it the process lingers until its parent dies and init reaps it. Hence sending signal 0 in isClhRunning will always return success whether the process is dead or not. This patch calls wait to reap the process, if it succeeds that means it is our child process, if not we send the signal. Fixes: kata-containers#9431 Signed-off-by: Alexandru Matei <alexandru.matei@uipath.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
clh: isClhRunning waits for full timeout when clh exits
rootfs: Stop building and shipping OPA
We've discussed this over and over. Let's try to get to an agreement here. I will use this issue to remove the mandatory Issue - PR dependency. Fixes: kata-containers#9500 Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
ci: cherry-pick relaxed commit check from upstream
- subset of upstream commit 099b241 - should be straightforward to merge when sync-ing to upstream Signed-off-by: Manuel Huber <mahuber@microsoft.com>
- counterpart to upstream a131eec - unblocks build with rust v1.84 Signed-off-by: Manuel Huber <mahuber@microsoft.com>
- post-process to remove box_pointers annotation for generated files - while this unblocks the build, should look for better solution: - request/teach codegen to not add certain linter annotation - update ttrpc-codegen or other dependencies Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Prepare for build with rust v1.84
miz060
force-pushed
the
mitchzhu/sdl
branch
2 times, most recently
from
4706b68 to
d6648a0
Compare
Add clippy, nancy, binskim release checks to help stablize kata releases Signed-off-by: Mitch Zhu <mitchzhu@microsoft.com>
miz060
changed the title
miz060
added
upstream/missing
ms-mahuber
reviewed
Feb 25, 2025
| echo "✅ Clippy check passed for kata overlay." | ||
|
|
||
| - name: Run Clippy on tardev-snapshotter | ||
| working-directory: src/tardev-snapshotter |
ms-mahuber
reviewed
Feb 25, 2025
| run: | | ||
| dotnet new console -n TempConsoleApp | ||
| cd TempConsoleApp | ||
| echo "Installing BinSkim version 1.9.5" |
There was a problem hiding this comment.
is there a pattern to install the latest stable version?
ms-mahuber
reviewed
Feb 25, 2025
| echo "Building kata pod sandboxing binaries" | ||
| pushd tools/osbuilder/node-builder/azure-linux | ||
| # Adapt build script for ubuntu environment | ||
| sed -i 's|^OS_VERSION=.*|OS_VERSION="3.0"|' common.sh |
There was a problem hiding this comment.
we don't need this. If you code doesn't work for Ubuntu, we can pass OS_VERSION as a variable for make package
ms-mahuber
reviewed
Feb 25, 2025
|
|
||
| # Prepare go binaries for binskim | ||
| pushd src/runtime | ||
| strip --strip-unneeded containerd-shim-kata-v2 |
There was a problem hiding this comment.
should stripping be something we should generally be doing when we build?
There was a problem hiding this comment.
It might remove information needed when debugging, no?
ms-mahuber
reviewed
Feb 25, 2025
| @@ -0,0 +1,128 @@ | |||
| name: Release Binary Hardening checks | |||
There was a problem hiding this comment.
should we add a codeql file as well for the tarfs module, similar to https://github.com/kata-containers/kata-containers/pull/10930/files ?
|
For the clippy check, the agent makefile already has a check target that runs standard_rust_check. And standard_rust_check runs clippy. I'm wondering if it's better to add a clippy.yaml vs running |
sprt
reviewed
Feb 25, 2025
Comment on lines
+93
to
+127
| - name: Validate BinSkim results | ||
| run: | | ||
| # Validate pod sandboxing binaries | ||
| for result in artifacts/vanilla/*_binskim_result; do | ||
| if [ ! -f "$result" ]; then | ||
| echo "❌ Error: $result was not generated." | ||
| exit 1 | ||
| fi | ||
| echo "Validating: pod sandboxing ${result}" | ||
| cat "$result" | ||
|
|
||
| if grep -qi "fail" "$result"; then | ||
| echo "❌ Error: Failures detected in pod sandboxing binary: $result" | ||
| exit 1 | ||
| fi | ||
| echo "--------------------------- End-------------------------" | ||
| done | ||
| echo "✅ All pod sandboxing binaries passed BinSkim." | ||
|
|
||
| # Validate confpod binaries | ||
| for result in artifacts/confpods/*_binskim_result; do | ||
| if [ ! -f "$result" ]; then | ||
| echo "❌ Error: $result was not generated." | ||
| exit 1 | ||
| fi | ||
| echo "Validating: conf pod ${result}" | ||
| cat "$result" | ||
|
|
||
| if grep -qi "fail" "$result"; then | ||
| echo "❌ Error: Failures detected in Confidential Pod binary: $result" | ||
| exit 1 | ||
| fi | ||
| echo "--------------------------- End-------------------------" | ||
| done | ||
| echo "✅ All confpod binaries passed BinSkim." |
There was a problem hiding this comment.
These should be independent steps so one binary failing doesn't block other results. We should probably rework this step using matrix:.
|
|
||
| jobs: | ||
| clippy: | ||
| name: Run Clippy on Rust Components |
There was a problem hiding this comment.
The upstream static checks (static-checks.yaml) already run clippy - we should leverage those?
Comment on lines
+27
to
+55
| - name: Run Clippy on agent | ||
| working-directory: src/agent | ||
| run: | | ||
| echo "Running Clippy on kata agent..." | ||
| if ! cargo clippy -- -D warnings; then | ||
| echo "❌ Clippy check failed for kata agent." | ||
| exit 1 | ||
| fi | ||
| echo "✅ Clippy check passed for kata agent." | ||
|
|
||
| - name: Run Clippy on overlay | ||
| working-directory: src/overlay | ||
| run: | | ||
| echo "Running Clippy on kata overlay..." | ||
| if ! cargo clippy -- -D warnings; then | ||
| echo "❌ Clippy check failed for kata overlay." | ||
| exit 1 | ||
| fi | ||
| echo "✅ Clippy check passed for kata overlay." | ||
|
|
||
| - name: Run Clippy on tardev-snapshotter | ||
| working-directory: src/tardev-snapshotter | ||
| run: | | ||
| echo "Running Clippy on tardev-snapshotter..." | ||
| if ! cargo clippy -- -D warnings; then | ||
| echo "❌ Clippy check failed for tardev-snapshotter." | ||
| exit 1 | ||
| fi | ||
| echo "✅ Clippy check passed for tardev-snapshotter." |
There was a problem hiding this comment.
These steps should be independent too.
And no need for the output complexity, simply running cargo clippy -- -D warnings will return an exit code already.
Comment on lines
+28
to
+32
| - name: Verify Nancy Installation | ||
| run: | | ||
| echo "Checking Nancy installation..." | ||
| nancy --help || echo "Nancy installed successfully!" | ||
|
|
There was a problem hiding this comment.
Redundant
Suggested change
| - name: Verify Nancy Installation | |
| run: | | |
| echo "Checking Nancy installation..." | |
| nancy --help || echo "Nancy installed successfully!" |
Comment on lines
+22
to
+25
| - name: Install Rust Toolchain | ||
| uses: dtolnay/rust-toolchain@stable | ||
| with: | ||
| components: clippy |
There was a problem hiding this comment.
We should install Rust the way that upstream does it (install_rust.sh).
Regardless, we might not want to pick up Rust's latest version here, as it could break us. We should probably fetch the version from versions.yaml (and ensure the version that's there is the one we want).
There was a problem hiding this comment.
PR Overview
This PR introduces new GitHub CI workflows for release checks that enforce binary hardening, dependency security, and Rust code quality.
- Adds a binskim workflow to analyze compiled binaries for security hardening.
- Adds a nancy workflow to scan Go dependencies for vulnerabilities.
- Adds a clippy workflow to run Rust linter checks on source components.
Reviewed Changes
| File | Description |
|---|---|
| .github/workflows/binskim.yaml | Adds steps to set up and run BinSkim on both kata pod and confpod binaries. |
| .github/workflows/nancy.yaml | Sets up a Nancy vulnerability scan on Go dependencies. |
| .github/workflows/clippy.yaml | Configures Clippy runs on Rust components using specified toolchains. |
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
Comments suppressed due to low confidence (1)
.github/workflows/binskim.yaml:73
- The binary 'containerd-shim-kata-v2' is being stripped twice (once at line 47 and again at line 73), which may be redundant. Consider removing one of these calls if it is not required for the intended binary preparation.
strip --strip-unneeded containerd-shim-kata-v2
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Merge Checklist
upstream/missinglabel (orupstream/not-needed) has been set on the PR.Summary
Introduces
These checks will also be added as part of kata release process later in kata conformance test pipeline through test containers.
Existing upstream kata ci static checks include below tools, so there is no duplication:
Test Methodology
Test runs: