-
Notifications
You must be signed in to change notification settings - Fork 186
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API: Support running gadgets from files and memory #2853
Conversation
Thanks for working on this!
Can you have another set of go.mod/go.sum in the |
Should we also give the option to push the binary using gRPC? |
} | ||
|
||
// Make sure the image is available, either through pulling or by just accessing a local copy | ||
// TODO: add security constraints (e.g. don't allow pulling - add GlobalParams for that) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you do it in the same PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment was already there. Code was moved into a new conditional.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not, but in a separate PR.
Why? I think options to enable/disable it is good. But I don't think it is necessarily less secure than downloading from a OCI registry. That depends on the context and if users verify the image signature. |
Agree with both, just wanted to start the discussion to keep it in mind when developing this further. I also don't think it's less secure per se if it runs through all checks as well; still there are certain things we need to consider, which is why I'd suggest to keep it disabled by default: If you'd for example bundle just a couple of core gadgets with your IG installation, you'd keep signature checking on (by default) and deploy it. You'd probably not want for IG to be able to run any other non-bundled (but signed) core gadget using the gRPC way, because it could leak private information or whatnot (you actively chose to not bundle it in the first place). The more use cases we add, the more complex the security situation becomes (edge cases, unwanted behavior) - and thus IMHO we should always be more restrictive than permissive by default so that the admin actively has to enable features like this after careful consideration. |
18aee98
to
43bb599
Compare
68f5696
to
3c70086
Compare
Added a single pair on examples/. I also needed to add a go.work file. |
Marking as ready. I don't have anything against allowing something similar on the gRPC interface, but IMO it doesn't belong to this PR and the current implementation doesn't collides with that. Any thoughts? |
3c70086
to
86e6381
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi!
I just have comments on the added tar archive.
I will take another thorough look at the API change itself, because I guess I do not catch stuff as I lack knowledge on the API design.
Best regards.
// To create this tarball run: | ||
// $ sudo ig image pull trace_open:latest | ||
// $ sudo ig image export trace_open:latest /tmp/trace_open.tar | ||
ociStore, err := orasoci.NewFromTar(ctx, "trace_open.tar") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Anyway to rather create the tarball here or in the CI?
I would like to avoid adding as much as possible binaries.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My idea is to create an example that can be compiled without taking any additional steps. I don't think there is another possibility than storing the gadget image in the repo (the same we're doing for built-in gadgets).
This example shows how a gadget image can be embedded in the application binary | ||
and how it can be run from there. | ||
|
||
The `trace_open.tar` file was created with: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment.
The more use cases we add, the more complex the situation becomes and the easier it becomes to do mistake particularly with regard to security. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks really good! Nice to have this possibility as well!
} | ||
|
||
// Make sure the image is available, either through pulling or by just accessing a local copy | ||
// TODO: add security constraints (e.g. don't allow pulling - add GlobalParams for that) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This commit updates few interfaces and functions signatures to allow to run gadgets from a file or from memory when using the Golang API. Specifically: - Update the gadget context to allow passing an oras target. - Update GetManifestForHost() and GetContentFromDescriptor() to take the target instead of always using the local one store. Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
This avoids dependencies of the examples being propagated to the main go.mod file. This commit also adds a go.work file that forces the examples to use the current tree module of inspektor gadget instead of the version defined in their go.mod file. Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
86e6381
to
bff4dcc
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM,
I had thought that this PR would additionally add a flag like --from-file
to ig run
to directly run from a tarball.
For ig
there is no problem, but as written previously by others, for kubectl-gadget
we would need to push the archive/eBPF program through gRPC
I initially implemented it that way, but then I realized it doesn't make sense now that we have the image export and import commands. We can discuss later on how to handle this for the kubectl-gadget case. Thanks for the review. |
This PR changes some interfaces and functions to allow running a gadget from a file or from memory and implements two examples showing it.
TODO