API: Support running gadgets from files and memory #2853
Conversation
|
Thanks for working on this!
Can you have another set of go.mod/go.sum in the |
|
Should we also give the option to push the binary using gRPC? |
| } | ||
|
|
||
| // Make sure the image is available, either through pulling or by just accessing a local copy | ||
| // TODO: add security constraints (e.g. don't allow pulling - add GlobalParams for that) |
There was a problem hiding this comment.
This comment was already there. Code was moved into a new conditional.
Why not, but in a separate PR.
Why? I think options to enable/disable it is good. But I don't think it is necessarily less secure than downloading from a OCI registry. That depends on the context and if users verify the image signature. |
Agree with both, just wanted to start the discussion to keep it in mind when developing this further. I also don't think it's less secure per se if it runs through all checks as well; still there are certain things we need to consider, which is why I'd suggest to keep it disabled by default: If you'd for example bundle just a couple of core gadgets with your IG installation, you'd keep signature checking on (by default) and deploy it. You'd probably not want for IG to be able to run any other non-bundled (but signed) core gadget using the gRPC way, because it could leak private information or whatnot (you actively chose to not bundle it in the first place). The more use cases we add, the more complex the security situation becomes (edge cases, unwanted behavior) - and thus IMHO we should always be more restrictive than permissive by default so that the admin actively has to enable features like this after careful consideration. |
mauriciovasquezbernal
force-pushed
the
mauricio/gadgets-examples
branch
3 times, most recently
from
18aee98
to
43bb599
Compare
mauriciovasquezbernal
force-pushed
the
mauricio/run-from-file-2
branch
from
68f5696
to
3c70086
Compare
Added a single pair on examples/. I also needed to add a go.work file. |
|
Marking as ready. I don't have anything against allowing something similar on the gRPC interface, but IMO it doesn't belong to this PR and the current implementation doesn't collides with that. Any thoughts? |
mauriciovasquezbernal
force-pushed
the
mauricio/run-from-file-2
branch
from
3c70086
to
86e6381
Compare
| // To create this tarball run: | ||
| // $ sudo ig image pull trace_open:latest | ||
| // $ sudo ig image export trace_open:latest /tmp/trace_open.tar | ||
| ociStore, err := orasoci.NewFromTar(ctx, "trace_open.tar") |
There was a problem hiding this comment.
Anyway to rather create the tarball here or in the CI?
I would like to avoid adding as much as possible binaries.
There was a problem hiding this comment.
My idea is to create an example that can be compiled without taking any additional steps. I don't think there is another possibility than storing the gadget image in the repo (the same we're doing for built-in gadgets).
| This example shows how a gadget image can be embedded in the application binary | ||
| and how it can be run from there. | ||
|
|
||
| The `trace_open.tar` file was created with: |
The more use cases we add, the more complex the situation becomes and the easier it becomes to do mistake particularly with regard to security. |
| } | ||
|
|
||
| // Make sure the image is available, either through pulling or by just accessing a local copy | ||
| // TODO: add security constraints (e.g. don't allow pulling - add GlobalParams for that) |
This commit updates few interfaces and functions signatures to allow to run gadgets from a file or from memory when using the Golang API. Specifically: - Update the gadget context to allow passing an oras target. - Update GetManifestForHost() and GetContentFromDescriptor() to take the target instead of always using the local one store. Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
This avoids dependencies of the examples being propagated to the main go.mod file. This commit also adds a go.work file that forces the examples to use the current tree module of inspektor gadget instead of the version defined in their go.mod file. Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
mauriciovasquezbernal
force-pushed
the
mauricio/run-from-file-2
branch
from
86e6381
to
bff4dcc
Compare
There was a problem hiding this comment.
LGTM,
I had thought that this PR would additionally add a flag like --from-file to ig run to directly run from a tarball.
For ig there is no problem, but as written previously by others, for kubectl-gadget we would need to push the archive/eBPF program through gRPC
I initially implemented it that way, but then I realized it doesn't make sense now that we have the image export and import commands. We can discuss later on how to handle this for the kubectl-gadget case. Thanks for the review. |
This PR changes some interfaces and functions to allow running a gadget from a file or from memory and implements two examples showing it.
TODO