
Merge pull request #57 from przemeklal/static_analysis_and_hardening
fix static analysis errors and build hardened binary
garyloug authored Oct 14, 2020
2 parents 6e9ee3a + f124834 commit 387fb2b
Showing 8 changed files with 41 additions and 39 deletions.
1 change: 1 addition & 0 deletions build-args
@@ -0,0 +1 @@
go build -o hardened-binary -buildmode=pie -ldflags "-s -w -extldflags=-Wl,-z,now,-z,relro" userspace/userspace.go
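Review bot: `-extldflags=-Wl,-z,now,-z,relro` is only handed to the linker when Go uses the external (C) linker, which happens with cgo or an explicit `-linkmode=external`; if userspace/userspace.go builds as pure Go with the internal linker, these flags are silently dropped and the output is PIE but not RELRO/BIND_NOW. Either add `-linkmode=external` to the `-ldflags` value or verify the result with `readelf -l`/`readelf -d` on the built binary before calling it hardened, and consider `-trimpath` so build-machine paths do not end up in the binary. This commit also checks in the build output `hardened-binary` and the editor swap file `scripts/.usrsp-docker-run.sh.swp`; both belong in .gitignore rather than the repository, and a committed binary cannot be reviewed or reproduced from this one-line build file.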
10 changes: 6 additions & 4 deletions docker/dpdk-app-centos/Dockerfile
Expand Up @@ -4,12 +4,14 @@


# -------- Builder stage.
FROM centos
MAINTAINER Billy McFall <[email protected]>
FROM centos:7

#
# Install required packages
#
SHELL ["/bin/bash", "-o", "pipefail", "-c"]


RUN rpm --import https://mirror.go-repo.io/centos/RPM-GPG-KEY-GO-REPO && curl -s https://mirror.go-repo.io/centos/go-repo.repo | tee /etc/yum.repos.d/go-repo.repo
RUN yum groupinstall -y "Development Tools"
RUN yum install -y wget numactl-devel git golang make; yum clean all
Expand All @@ -20,7 +22,7 @@ RUN yum install -y wget numactl-devel git golang make; yum clean all
# Download and Build APP-NetUtil
#
WORKDIR /root/go/src/
RUN go get github.com/openshift/app-netutil 2>&1 > /tmp/UserspaceDockerBuild.log || echo "Can ignore no GO files."
RUN go get github.com/openshift/app-netutil > /tmp/UserspaceDockerBuild.log 2>&1 || echo "Can ignore no GO files."
WORKDIR /root/go/src/github.com/openshift/app-netutil
RUN make c_sample
RUN cp bin/libnetutil_api.so /lib64/libnetutil_api.so; cp bin/libnetutil_api.h /usr/include/libnetutil_api.h
Expand All @@ -31,7 +33,7 @@ RUN cp bin/libnetutil_api.so /lib64/libnetutil_api.so; cp bin/libnetutil_api.h /
ENV DPDK_VER 19.08
ENV DPDK_DIR /usr/src/dpdk-${DPDK_VER}
WORKDIR /usr/src/
RUN wget http://fast.dpdk.org/rel/dpdk-${DPDK_VER}.tar.xz
RUN curl --output dpdk-${DPDK_VER}.tar.xz http://fast.dpdk.org/rel/dpdk-${DPDK_VER}.tar.xz
RUN tar -xpvf dpdk-${DPDK_VER}.tar.xz

ENV RTE_TARGET=x86_64-native-linuxapp-gcc
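Review bot: The new `curl --output dpdk-${DPDK_VER}.tar.xz http://fast.dpdk.org/rel/dpdk-${DPDK_VER}.tar.xz` swaps wget for curl but still fetches the DPDK source over plain HTTP with no `--fail` and no integrity check, so a 404 or interposed page is written as the tarball and the build only dies later in `tar` with a misleading error. Use `curl -fsSL --output dpdk-${DPDK_VER}.tar.xz https://fast.dpdk.org/rel/dpdk-${DPDK_VER}.tar.xz` and verify the archive against a pinned digest, e.g. `echo "<sha256 placeholder>  dpdk-${DPDK_VER}.tar.xz" | sha256sum -c -`. The same missing `-f` applies to `curl -s https://mirror.go-repo.io/centos/go-repo.repo | tee /etc/yum.repos.d/go-repo.repo` in the first hunk: the new `SHELL ... -o pipefail` now propagates curl's own exit status, but without `--fail` an HTTP error body is still written into the yum repo file with status 0.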
9 changes: 5 additions & 4 deletions docker/vpp-centos-userspace-cni/Dockerfile
Expand Up @@ -5,8 +5,9 @@


# -------- Builder stage.
FROM centos
MAINTAINER Billy McFall <[email protected]>
FROM centos:7

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Install VPP - Needed by CNI-VPP
RUN curl -s https://packagecloud.io/install/repositories/fdio/release/script.rpm.sh | bash
Expand All @@ -23,7 +24,7 @@ RUN yum install -y git golang make

# Build the usrsp-app
WORKDIR /root/go/src/
RUN go get github.com/intel/userspace-cni-network-plugin 2>&1 > /tmp/UserspaceDockerBuild.log || echo "Can ignore no GO files."
RUN go get github.com/intel/userspace-cni-network-plugin > /tmp/UserspaceDockerBuild.log 2>&1 || echo "Can ignore no GO files."
WORKDIR /root/go/src/github.com/intel/userspace-cni-network-plugin
RUN make extras
RUN cp docker/usrsp-app/usrsp-app /usr/sbin/usrsp-app
Expand Down Expand Up @@ -61,5 +62,5 @@ COPY vppcni.sh vppcni.sh
#COPY usrsp-app /usr/sbin/usrsp-app


CMD bash -C './vppcni.sh'
CMD ["bash", "-C", "./vppcni.sh"]
#CMD [ "./vppcni.sh" ]
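Review bot: The added `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` makes `curl -s https://packagecloud.io/install/repositories/fdio/release/script.rpm.sh | bash` fail when curl itself errors, but `-s` without `--fail` still feeds an HTTP error page to `bash` on a 4xx/5xx; the line should read `curl -fsS https://packagecloud.io/install/repositories/fdio/release/script.rpm.sh | bash`. Piping a remote script straight into a root shell also leaves nothing in the image to audit; downloading it to a file, checking it with `sha256sum -c` against a pinned digest, and only then running it keeps the build reproducible. In the last hunk, `CMD ["bash", "-C", "./vppcni.sh"]` keeps the old `-C`, which is bash's noclobber option rather than `-c`; it works because bash treats the remaining argument as the script path, so a comment such as `# -C sets noclobber; vppcni.sh is run as the script argument` would save the next reader the double-take.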
Binary file added hardened-binary
Binary file not shown.
Binary file added scripts/.usrsp-docker-run.sh.swp
Binary file not shown.
14 changes: 7 additions & 7 deletions scripts/dpdk-docker-run.sh
Expand Up @@ -13,17 +13,17 @@
#

scriptpath=$GOPATH/src/github.com/containernetworking/cni/scripts
echo $scriptpath
echo "$scriptpath"

contid=$(docker run -d --net=none $@ /bin/sleep 10000000)
pid=$(docker inspect -f '{{ .State.Pid }}' $contid)
contid=$(docker run -d --net=none "$@" /bin/sleep 10000000)
pid=$(docker inspect -f '{{ .State.Pid }}' "$contid")
netnspath=/proc/$pid/ns/net

$scriptpath/exec-plugins.sh add $contid $netnspath
"$scriptpath"/exec-plugins.sh add "$contid" "$netnspath"

function cleanup() {
$scriptpath/exec-plugins.sh del $contid $netnspath
docker rm -f $contid >/dev/null
"$scriptpath"/exec-plugins.sh del "$contid" "$netnspath"
docker rm -f "$contid" >/dev/null
}
trap cleanup EXIT

Expand All @@ -35,7 +35,7 @@ trucContid=${contid:0:12}
docker run -i -t -v /var/lib/cni/usrspcni/shared:/var/lib/cni/usrspcni/shared:rw \
-v /dev/hugepages:/dev/hugepages \
dpdk-app-testpmd testpmd -l 0-1 -n 4 -m 1024 --no-pci \
--vdev=virtio_user0,path=/var/lib/cni/usrspcni/shared/$trucContid-eth0 \
--vdev=virtio_user0,path=/var/lib/cni/usrspcni/shared/"$trucContid"-eth0 \
--file-prefix=container \
-- -i --txqflags=0xf00 --disable-hw-vlan --port-topology=chained
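Review bot: `contid=$(docker run -d --net=none "$@" /bin/sleep 10000000)` is now quoted correctly, but neither it nor `pid=$(docker inspect -f '{{ .State.Pid }}' "$contid")` checks its exit status and the script has no `set -e`, so when `docker run` fails `contid` and `pid` are empty and the script continues with `exec-plugins.sh add "" /proc//ns/net`. Add `set -euo pipefail` below the shebang, or at minimum `[ -n "$contid" ] || exit 1` after the assignment. `trap cleanup EXIT` is also registered only after the `exec-plugins.sh add` call, so a failure inside the plugin leaves the sleep container running; moving the `trap cleanup EXIT` line above the add call lets cleanup remove it. The same two gaps exist in scripts/usrsp-docker-run.sh, which this commit quotes in the same way.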

16 changes: 8 additions & 8 deletions scripts/usrsp-docker-run.sh
Expand Up @@ -17,23 +17,23 @@
#

scriptpath=$GOPATH/src/github.com/containernetworking/cni/scripts
echo $scriptpath
echo "$scriptpath"

contid=$(docker run -d --net=none $@ /bin/sleep 10000000)
pid=$(docker inspect -f '{{ .State.Pid }}' $contid)
contid=$(docker run -d --net=none "$@" /bin/sleep 10000000)
pid=$(docker inspect -f '{{ .State.Pid }}' "$contid")
netnspath=/proc/$pid/ns/net

$scriptpath/exec-plugins.sh add $contid $netnspath
"$scriptpath"/exec-plugins.sh add "$contid" "$netnspath"

function cleanup() {
$scriptpath/exec-plugins.sh del $contid $netnspath
docker rm -f $contid >/dev/null
"$scriptpath"/exec-plugins.sh del "$contid" "$netnspath"
docker rm -f "$contid" >/dev/null
}
trap cleanup EXIT

docker run \
-v /var/lib/cni/usrspcni/shared:/var/lib/cni/usrspcni/shared:rw \
-v /var/lib/cni/usrspcni/$contid:/var/lib/cni/usrspcni/data:rw \
-v /var/lib/cni/usrspcni/"$contid":/var/lib/cni/usrspcni/data:rw \
--device=/dev/hugepages:/dev/hugepages \
--net=container:$contid $@
--net=container:"$contid" "$@"

30 changes: 14 additions & 16 deletions usrspcni/usrspcni.go
Expand Up @@ -19,7 +19,6 @@ import (
"k8s.io/client-go/kubernetes"

"github.com/containernetworking/cni/pkg/skel"
_ "github.com/containernetworking/cni/pkg/types"
"github.com/containernetworking/cni/pkg/types/current"

"github.com/intel/userspace-cni-network-plugin/pkg/types"
Expand All @@ -30,22 +29,21 @@ import (
//
type UsrSpCni interface {
AddOnHost(conf *types.NetConf,
args *skel.CmdArgs,
kubeClient kubernetes.Interface,
sharedDir string,
ipResult *current.Result) error
args *skel.CmdArgs,
kubeClient kubernetes.Interface,
sharedDir string,
ipResult *current.Result) error
AddOnContainer(conf *types.NetConf,
args *skel.CmdArgs,
kubeClient kubernetes.Interface,
sharedDir string,
pod *v1.Pod,
ipResult *current.Result) (*v1.Pod, error)
args *skel.CmdArgs,
kubeClient kubernetes.Interface,
sharedDir string,
pod *v1.Pod,
ipResult *current.Result) (*v1.Pod, error)
DelFromHost(conf *types.NetConf,
args *skel.CmdArgs,
sharedDir string) error
args *skel.CmdArgs,
sharedDir string) error
DelFromContainer(conf *types.NetConf,
args *skel.CmdArgs,
sharedDir string,
pod *v1.Pod) error
args *skel.CmdArgs,
sharedDir string,
pod *v1.Pod) error
}
