This repository was archived by the owner on Apr 8, 2025. It is now read-only.

fix static analysis errors and build hardened binary #57

Merged
merged 4 commits into from
Oct 14, 2020
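--- a/build-args
+++ b/build-args
@@ -0,0 +1 @@
+go build -o hardened-binary -buildmode=pie -ldflags "-s -w -extldflags=-Wl,-z,now,-z,relro" userspace/userspace.go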
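Review bot: The `-extldflags=-Wl,-z,now,-z,relro` part of this command only reaches a linker when the Go toolchain links externally; if the build falls back to Go's internal linker (which depends on the Go version and on whether cgo is involved), those options are ignored and the output may lack BIND_NOW despite its name. Making the mode explicit with `-ldflags "-linkmode=external -s -w -extldflags=-Wl,-z,now,-z,relro"` (this needs a C toolchain) and checking the result with `readelf -d hardened-binary` would confirm that the hardening took effect. The same PR also commits the output `hardened-binary` and an editor swap file, `scripts/.usrsp-docker-run.sh.swp`. Build artifacts cannot be reviewed as source, so they are better rebuilt in CI and listed in `.gitignore`.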
10 changes: 6 additions & 4 deletions docker/dpdk-app-centos/Dockerfile
Expand Up @@ -4,12 +4,14 @@


# -------- Builder stage.
FROM centos
MAINTAINER Billy McFall <[email protected]>
FROM centos:7

#
# Install required packages
#
SHELL ["/bin/bash", "-o", "pipefail", "-c"]


RUN rpm --import https://mirror.go-repo.io/centos/RPM-GPG-KEY-GO-REPO && curl -s https://mirror.go-repo.io/centos/go-repo.repo | tee /etc/yum.repos.d/go-repo.repo
RUN yum groupinstall -y "Development Tools"
RUN yum install -y wget numactl-devel git golang make; yum clean all
Expand All @@ -20,7 +22,7 @@ RUN yum install -y wget numactl-devel git golang make; yum clean all
# Download and Build APP-NetUtil
#
WORKDIR /root/go/src/
RUN go get github.com/openshift/app-netutil 2>&1 > /tmp/UserspaceDockerBuild.log || echo "Can ignore no GO files."
RUN go get github.com/openshift/app-netutil > /tmp/UserspaceDockerBuild.log 2>&1 || echo "Can ignore no GO files."
WORKDIR /root/go/src/github.com/openshift/app-netutil
RUN make c_sample
RUN cp bin/libnetutil_api.so /lib64/libnetutil_api.so; cp bin/libnetutil_api.h /usr/include/libnetutil_api.h
Expand All @@ -31,7 +33,7 @@ RUN cp bin/libnetutil_api.so /lib64/libnetutil_api.so; cp bin/libnetutil_api.h /
ENV DPDK_VER 19.08
ENV DPDK_DIR /usr/src/dpdk-${DPDK_VER}
WORKDIR /usr/src/
RUN wget http://fast.dpdk.org/rel/dpdk-${DPDK_VER}.tar.xz
RUN curl --output dpdk-${DPDK_VER}.tar.xz http://fast.dpdk.org/rel/dpdk-${DPDK_VER}.tar.xz
RUN tar -xpvf dpdk-${DPDK_VER}.tar.xz

ENV RTE_TARGET=x86_64-native-linuxapp-gcc
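Review bot: The DPDK tarball on the new `curl --output` line is still fetched over plain HTTP and unpacked without any integrity check, so whatever the network path returns is compiled into the image. Replacing wget also drops two of its defaults: curl does not follow redirects, and without `--fail` it writes an HTTP error page to the output file and exits 0. I would write `RUN curl -fsSL --output dpdk-${DPDK_VER}.tar.xz https://fast.dpdk.org/rel/dpdk-${DPDK_VER}.tar.xz` (assuming the mirror serves HTTPS) and follow it with `RUN echo "<expected-sha256>  dpdk-${DPDK_VER}.tar.xz" | sha256sum -c -`, using the digest published for that release. The rest of the Dockerfile is collapsed outside this section.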
9 changes: 5 additions & 4 deletions docker/vpp-centos-userspace-cni/Dockerfile
Expand Up @@ -5,8 +5,9 @@


# -------- Builder stage.
FROM centos
MAINTAINER Billy McFall <[email protected]>
FROM centos:7

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Install VPP - Needed by CNI-VPP
RUN curl -s https://packagecloud.io/install/repositories/fdio/release/script.rpm.sh | bash
Expand All @@ -23,7 +24,7 @@ RUN yum install -y git golang make

# Build the usrsp-app
WORKDIR /root/go/src/
RUN go get github.com/intel/userspace-cni-network-plugin 2>&1 > /tmp/UserspaceDockerBuild.log || echo "Can ignore no GO files."
RUN go get github.com/intel/userspace-cni-network-plugin > /tmp/UserspaceDockerBuild.log 2>&1 || echo "Can ignore no GO files."
WORKDIR /root/go/src/github.com/intel/userspace-cni-network-plugin
RUN make extras
RUN cp docker/usrsp-app/usrsp-app /usr/sbin/usrsp-app
Expand Down Expand Up @@ -61,5 +62,5 @@ COPY vppcni.sh vppcni.sh
#COPY usrsp-app /usr/sbin/usrsp-app


CMD bash -C './vppcni.sh'
CMD ["bash", "-C", "./vppcni.sh"]
#CMD [ "./vppcni.sh" ]
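Review bot: Even with the added `pipefail`, the `curl -s https://packagecloud.io/... | bash` line still pipes whatever the server returns straight into a root shell, because `-s` without `--fail` exits 0 on an HTTP error and nothing pins or verifies the script. At minimum use `curl -fsSL <url> | bash`. Better is to save the script to a file, check it with `echo "<expected-sha256>  script.rpm.sh" | sha256sum -c -`, and only then run it. The rewritten `go get ... || echo "Can ignore no GO files."` line has a related weakness: the `||` hides every failure, not only the expected one, and the fetch is not pinned to a tag or commit.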
Binary file added hardened-binary
Binary file not shown.
Binary file added scripts/.usrsp-docker-run.sh.swp
Binary file not shown.
14 changes: 7 additions & 7 deletions scripts/dpdk-docker-run.sh
Expand Up @@ -13,17 +13,17 @@
#

scriptpath=$GOPATH/src/github.com/containernetworking/cni/scripts
echo $scriptpath
echo "$scriptpath"

contid=$(docker run -d --net=none $@ /bin/sleep 10000000)
pid=$(docker inspect -f '{{ .State.Pid }}' $contid)
contid=$(docker run -d --net=none "$@" /bin/sleep 10000000)
pid=$(docker inspect -f '{{ .State.Pid }}' "$contid")
netnspath=/proc/$pid/ns/net

$scriptpath/exec-plugins.sh add $contid $netnspath
"$scriptpath"/exec-plugins.sh add "$contid" "$netnspath"

function cleanup() {
$scriptpath/exec-plugins.sh del $contid $netnspath
docker rm -f $contid >/dev/null
"$scriptpath"/exec-plugins.sh del "$contid" "$netnspath"
docker rm -f "$contid" >/dev/null
}
trap cleanup EXIT

Expand All @@ -35,7 +35,7 @@ trucContid=${contid:0:12}
docker run -i -t -v /var/lib/cni/usrspcni/shared:/var/lib/cni/usrspcni/shared:rw \
-v /dev/hugepages:/dev/hugepages \
dpdk-app-testpmd testpmd -l 0-1 -n 4 -m 1024 --no-pci \
--vdev=virtio_user0,path=/var/lib/cni/usrspcni/shared/$trucContid-eth0 \
--vdev=virtio_user0,path=/var/lib/cni/usrspcni/shared/"$trucContid"-eth0 \
--file-prefix=container \
-- -i --txqflags=0xf00 --disable-hw-vlan --port-topology=chained
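Review bot: Nothing checks that `docker run` and `docker inspect` succeeded before `contid` and `pid` are used. With the new quoting, an empty value is now passed to `exec-plugins.sh` as an explicit empty argument, and `netnspath` becomes `/proc//ns/net`. An unset `GOPATH` likewise turns `scriptpath` into a path under `/src`. I would add `set -euo pipefail` below the header comment, or guard explicitly with `[ -n "$contid" ] && [ -n "$pid" ] || exit 1` before the `add` call. `scripts/usrsp-docker-run.sh` runs the same sequence and needs the same guard.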

16 changes: 8 additions & 8 deletions scripts/usrsp-docker-run.sh
Expand Up @@ -17,23 +17,23 @@
#

scriptpath=$GOPATH/src/github.com/containernetworking/cni/scripts
echo $scriptpath
echo "$scriptpath"

contid=$(docker run -d --net=none $@ /bin/sleep 10000000)
pid=$(docker inspect -f '{{ .State.Pid }}' $contid)
contid=$(docker run -d --net=none "$@" /bin/sleep 10000000)
pid=$(docker inspect -f '{{ .State.Pid }}' "$contid")
netnspath=/proc/$pid/ns/net

$scriptpath/exec-plugins.sh add $contid $netnspath
"$scriptpath"/exec-plugins.sh add "$contid" "$netnspath"

function cleanup() {
$scriptpath/exec-plugins.sh del $contid $netnspath
docker rm -f $contid >/dev/null
"$scriptpath"/exec-plugins.sh del "$contid" "$netnspath"
docker rm -f "$contid" >/dev/null
}
trap cleanup EXIT

docker run \
-v /var/lib/cni/usrspcni/shared:/var/lib/cni/usrspcni/shared:rw \
-v /var/lib/cni/usrspcni/$contid:/var/lib/cni/usrspcni/data:rw \
-v /var/lib/cni/usrspcni/"$contid":/var/lib/cni/usrspcni/data:rw \
--device=/dev/hugepages:/dev/hugepages \
--net=container:$contid $@
--net=container:"$contid" "$@"

30 changes: 14 additions & 16 deletions usrspcni/usrspcni.go
Expand Up @@ -19,7 +19,6 @@ import (
"k8s.io/client-go/kubernetes"

"github.com/containernetworking/cni/pkg/skel"
_ "github.com/containernetworking/cni/pkg/types"
"github.com/containernetworking/cni/pkg/types/current"

"github.com/intel/userspace-cni-network-plugin/pkg/types"
Expand All @@ -30,22 +29,21 @@ import (
//
type UsrSpCni interface {
AddOnHost(conf *types.NetConf,
args *skel.CmdArgs,
kubeClient kubernetes.Interface,
sharedDir string,
ipResult *current.Result) error
args *skel.CmdArgs,
kubeClient kubernetes.Interface,
sharedDir string,
ipResult *current.Result) error
AddOnContainer(conf *types.NetConf,
args *skel.CmdArgs,
kubeClient kubernetes.Interface,
sharedDir string,
pod *v1.Pod,
ipResult *current.Result) (*v1.Pod, error)
args *skel.CmdArgs,
kubeClient kubernetes.Interface,
sharedDir string,
pod *v1.Pod,
ipResult *current.Result) (*v1.Pod, error)
DelFromHost(conf *types.NetConf,
args *skel.CmdArgs,
sharedDir string) error
args *skel.CmdArgs,
sharedDir string) error
DelFromContainer(conf *types.NetConf,
args *skel.CmdArgs,
sharedDir string,
pod *v1.Pod) error
args *skel.CmdArgs,
sharedDir string,
pod *v1.Pod) error
}