diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
new file mode 100644
index 0000000..981e686
--- /dev/null
+++ b/.github/workflows/lint.yaml
@@ -0,0 +1,20 @@
+name: Lint
+
+on:
+ push:
+ tags:
+ - v*
+ branches:
+ - main
+ pull_request:
+
+jobs:
+ golangci:
+ name: lint
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@v2
+ with:
+ version: v1.41.1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..ee2aece
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,26 @@
+name: Release
+on:
+ push:
+ # The idea here is to trigger a release upon receiving a release-like tag
+ tags:
+ - 'v[0-9]+.[0-9]+.[0-9]+'
+
+jobs:
+ release:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v2
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.16
+ - name: Unshallow
+ run: git fetch --prune --unshallow
+ - name: Create release
+ uses: goreleaser/goreleaser-action@v2
+ with:
+ version: latest
+ args: release --rm-dist
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..f13001f
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,13 @@
+name: Test
+
+on: [push, pull_request]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout source code
+ uses: actions/checkout@v2
+ - name: Run tests
+ run: make test
diff --git a/.gitignore b/.gitignore
index 088ba6b..a3787de 100644
--- a/.gitignore
+++ b/.gitignore
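Review bot: Both `uses:` steps in lint.yaml reference mutable major tags (`actions/checkout@v2`, `golangci/golangci-lint-action@v2`), so the code that runs in CI can change without any commit in this repository. Pinning each action to a full commit SHA, with the tag kept as a trailing comment, closes that gap. The workflow also has no `permissions:` key, which leaves the job with the repository's default token scope; a lint job needs no more than `contents: read`. The same two points apply to release.yml and test.yml in this commit.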
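Review bot: `version: latest` in the `Create release` step of release.yml means each tagged release is built by whichever GoReleaser version is current that day, in the one job that is handed `GITHUB_TOKEN` for publishing. Pinning a specific GoReleaser version under `with:` makes release builds repeatable and turns a tool upgrade into a reviewed change. As a smaller style point, the separate `Unshallow` step could be replaced by `fetch-depth: 0` on the checkout step, which fetches full history in one place.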
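Review bot: test.yml runs `make test` with no `actions/setup-go` step, so the tests run on whichever Go the `ubuntu-latest` image ships rather than the 1.16 toolchain that release.yml and the Makefile's `GOVERSION` declare. Adding the same `Install Go` step used in release.yml keeps test and release builds on one compiler. `on: [push, pull_request]` also runs the suite twice for a push to a branch that has an open pull request from the same repository; restricting `push` to `main`, as lint.yaml does, avoids the duplicate run.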
@@ -1,10 +1,2 @@
-# Generated by Cargo
-# will have compiled files and executables
-/target/
-
-# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
-# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
-Cargo.lock
-
-# These are backup files generated by rustfmt
-**/*.rs.bk
+bin/*
+.coverage.out
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 0000000..3f3f95a
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,57 @@
+linters:
+ enable:
+ - bodyclose
+ - deadcode
+ - depguard
+ - dogsled
+ - dupl
+ - funlen
+ - gochecknoinits
+ - goconst
+ - gocritic
+ - gocyclo
+ - gofmt
+ - goimports
+ - revive
+ - goprintffuncname
+ - gosec
+ - gosimple
+ - govet
+ - ineffassign
+ - misspell
+ - nakedret
+ - rowserrcheck
+ - exportloopref
+ - staticcheck
+ - structcheck
+ - stylecheck
+ - typecheck
+ - unconvert
+ - unparam
+ - unused
+ - varcheck
+ - whitespace
+ disable:
+ # Some errors are just logged when found, but not checked
+ - errcheck
+issues:
+ exclude-rules:
+ - linters:
+ - revive
+ text: "don't use ALL_CAPS in Go names"
+ - linters:
+ - stylecheck
+ text: "ST1003: should not use ALL_CAPS in Go names"
+ # Exclude some linters from running on tests files.
+ - path: _test\.go
+ linters:
+ - gocyclo
+ - dupl
+ - gosec
+ - funlen
+linters-settings:
+ funlen:
+ lines: 100
+ statements: 40
+ misspell:
+ locale: US
diff --git a/.goreleaser.yml b/.goreleaser.yml
new file mode 100644
index 0000000..cbda97f
--- /dev/null
+++ b/.goreleaser.yml
@@ -0,0 +1,3 @@
+builds:
+ - goos:
+ - linux
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..02c8f05
--- /dev/null
+++ b/Makefile
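Review bot: `errcheck` is switched off for the whole project under `disable:` in .golangci.yml, on the grounds that some errors are only logged. fetter.go in this commit refuses to run without root, so a dropped error from a privileged call is the kind of failure that should not pass unnoticed. Keeping `errcheck` enabled and silencing the deliberate cases with `//nolint:errcheck` plus a reason, or with a narrow entry under `exclude-rules`, preserves the check everywhere else. The `_test\.go` rule also turns `gosec` off for tests; that is common, but a one-line comment saying why would help the next reader.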
@@ -0,0 +1,87 @@
+# The go toolchain version we want to use
+GOVERSION = 1.16.5
+
+# Where we will install a modern go if none is available (note that this
+# variable can be overriden in the environment, if needed)
+INSTALL_PATH ?= $(HOME)/goroot
+
+# Go commands
+GOCMD = go
+GOFMT = gofmt -l
+GOBUILD = $(GOCMD) build
+GOTEST = $(GOCMD) test
+GOLINT = golangci-lint run
+
+PROJECT = github.com/juan-leon/fetter
+GOBIN = bin
+EXEC = bin/fetter
+
+export PATH := $(INSTALL_PATH)/go/bin:$(HOME)/bin:$(PATH)
+
+# PATH is not inherited by shells spawned by "shell" function
+go_version := $(shell PATH=$(PATH) go version 2>/dev/null)
+linter_version := $(shell PATH=$(PATH) golangci-lint --version 2>/dev/null)
+now := $(shell date +'%Y-%m-%dT%T')
+src := $(shell find -name '*.go')
+sha := $(shell git log -1 --pretty=%H 2>/dev/null || echo unknown)
+
+# Version can be overwritten via env var. If not present, we figure it out from
+# git. The "word 1" is an ultra paranoid protection against spaces in tag name:
+# those are not liked by the linker unless escaped.
+version ?= $(word 1, $(shell git describe --abbrev --tags 2>/dev/null || echo unknown))
+
+define install_go
+ @echo Installing Go $(GOVERSION)
+ mkdir -p $(INSTALL_PATH)
+ curl -s https://storage.googleapis.com/golang/go$(GOVERSION).linux-amd64.tar.gz | tar -C $(INSTALL_PATH) -xz
+ @echo Done installing Go $(GOVERSION)
+endef
+
+define install_linter
+ @echo Installing linter
+ mkdir -p $(HOME)/bin
+ curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(HOME)/bin v1.41.1
+ @echo Done installing linter
+endef
+
+.PHONY: clean test toolchain linter lint
+
+
+build: $(EXEC)
+
+$(EXEC): $(src)
+ $(GOBUILD) \
+ --ldflags "-X main.Commit=$(sha) -X main.BuildDate=$(now) -X main.Version=$(version)" \
+ -o $(EXEC) \
+ github.com/juan-leon/fetter
+
+clean:
+ rm -f $(EXEC)
+
+# Format source code files
+fmt: toolchain
+ $(GOFMT) -w .
+
+# Prints the source code files poorly formatted
+lint:
+ @echo Linting code
+ $(GOLINT)
+
+# Run tests
+test:
+ $(GOTEST) -coverprofile=.coverage.out $(PROJECT)/...
+ @echo Code coverage
+ @go tool cover -func=.coverage.out | tail -n 1
+ @echo "Use 'go tool cover -html=.coverage.out' to inspect results"
+
+# Make sure we have go installed, or install it otherwise
+toolchain:
+ifeq (, $(findstring $(GOVERSION), $(go_version)))
+ $(call install_go)
+endif
+
+# Make sure we have go 1.24 installed, or install it otherwise
+linter: toolchain
+ifeq (, $(findstring 1.41, $(linter_version)))
+ $(call install_linter)
+endif
diff --git a/README.md b/README.md
index ff9445a..2726278 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,14 @@
 # fetter
+
 Move processes into control groups based on configurable actions
+
+[![Test status](https://github.com/juan-leon/fetter/actions/workflows/test.yml/badge.svg)](https://github.com/juan-leon/fetter/actions/fetter/test.yml)
+[![Lint status](https://github.com/juan-leon/fetter/actions/workflows/lint.yaml/badge.svg)](https://github.com/juan-leon/fetter/actions/fetter/lint.yaml)
+[![Release](https://img.shields.io/github/release/juan-leon/fetter.svg)](https://github.com/juan-leon/fetter/releases/latest)
+
+## TODO
+
+Write documentation.
+
+In the meanwhile, this example of configuration will give you a hint of what the
+tool can be used for: [![Sample configuration file](examples/documented-example.yaml)]
diff --git a/TODO.org b/TODO.org
new file mode 100644
index 0000000..e5305e0
--- /dev/null
+++ b/TODO.org
@@ -0,0 +1,5 @@
+* TODO tests
+* TODO unit tests
+* TODO docs
+* TODO badges
+* TODO CI pipeline (release, coverage)
diff --git a/examples/documented-example.yaml b/examples/documented-example.yaml
new file mode 100644
index 0000000..328abe4
--- /dev/null
+++ b/examples/documented-example.yaml
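Review bot: Both install macros in the Makefile execute downloaded content with no integrity check. `install_go` pipes the tarball from `curl -s` straight into `tar` (without `-f`, so an HTTP error body is fed to tar as well), and `install_linter` pipes `install.sh` from the `master` branch into `sh`, so the script can change independently of the pinned `v1.41.1` binary. I would download the Go archive to a file, verify it against a SHA-256 recorded in the Makefile, and only then unpack it; for the linter, fetch the script from the release tag rather than `master`. Separately, the comment above `linter:` says `go 1.24` although the rule checks the linter version, and `build` and `fmt` are missing from `.PHONY`.

```make
# SHA-256 of go$(GOVERSION).linux-amd64.tar.gz as published by the Go project.
# Placeholder value: fill in the real digest before merging.
GO_SHA256 = REPLACE_WITH_PUBLISHED_SHA256
go_tarball = $(INSTALL_PATH)/go$(GOVERSION).linux-amd64.tar.gz

define install_go
	@echo Installing Go $(GOVERSION)
	mkdir -p $(INSTALL_PATH)
	curl -sSfL -o $(go_tarball) https://storage.googleapis.com/golang/go$(GOVERSION).linux-amd64.tar.gz
	echo "$(GO_SHA256)  $(go_tarball)" | sha256sum -c -
	tar -C $(INSTALL_PATH) -xzf $(go_tarball)
	rm -f $(go_tarball)
	@echo Done installing Go $(GOVERSION)
endef

# … unchanged: install_linter echo and mkdir lines …
	curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/v1.41.1/install.sh | sh -s -- -b $(HOME)/bin v1.41.1
```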
@@ -0,0 +1,151 @@
+---
+# Two basic modes are supported: audit and scanner.
+#
+# Audit mode is recommended: it sets audit rules to the kernel and keep a
+# netlink connection open so that as soon as a rule is matched the process can
+# be moved to a control group. This mode supports detection of running
+# applications by path, writing or reading specific files (or directories).
+# This mode consumes few resources, since program is just listening.
+#
+# Scanner mode only works for 'execute' actions. The running processes will be
+# scanned every second, and matches, if any, will be distributed on groups.
+# Scanning is more expensive than listening to a netlink socket. This mode is
+# recommended for those scenarios where audit rules are locked by administrator
+# (once locked, they cannot be unlocked without rebooting the machine), or the
+# Linux kernel is ancient and does not support multicast for Netlink
+#
+# Default is audit
+mode: audit
+audit:
+ # There are three audit modes (meaningless in scanner mode) that dictates how
+ # to setup the audit rules in the kernel: override, preserve and reuse
+ #
+ # * When override is used, program will delete any existing rules and leave
+ # only the ones configured
+ #
+ # * When preserve is used, program will add its rules over whatever rule
+ # already configured. This is useful for coexisting with auditd. However,
+ # if a lot of rule rewriting rules is done, old rules are not removed. and
+ # that can lead to surprises.
+ #
+ # * When reuse is used, no rules will be set up. The use case if for those
+ # scenarios where you want to configure the rules in separate runs of this
+ # program (on run to configure rules, other to run as daemon)
+ mode: override
+
+logging:
+ # File name where logs will be written
+ file: /tmp/fetter.log
+ # Standard error levels available. Debug shows interesting info and it is not
+ # too verbose.
+ level: info
+
+# This is the name of the cgroup path used by application (all cgroups created
+# by this program will belong to it). Default is 'fetter'; there is no reason
+# to change it other than doing experiments or using several fetter applications
+# in parallel.
+name: fetter
+
+# These are the rules. By default there is none; the ones below are just
+# examples.
+rules:
+ # Following rule will use a cgroup named browser for firefox. Notice that you
+ # need to know the name of the firefox executable (if in doubt, you can figure
+ # it out by doing `ls -l /proc/PID/exe` to know the path, and 'ps -u | grep
+ # firefox' to know the PID)
+ - path: /usr/lib/firefox/firefox
+ # Supported actions are execute (the most useful one: the process executing
+ # a file will be moved to a control group), read, and write.
+ action: execute
+ # Name of the group should match one of the groups defined in their section.
+ group: browsers
+
+ # You can make several applications to share same cgroup, if you want. That
+ # way, the limits for that cgroup apply to both at once
+ - path: /usr/lib/chromium-browser/chromium-browser
+ action: execute
+ group: browsers
+
+ - path: /usr/bin/emacs
+ action: execute
+ group: ides
+
+ - path: /my/forbidden/file
+ action: write
+ # KILL is not a real cgroup, but a way to say fetter: kill whatever process
+ # doing that action. In this case, whenever a process writes to the file in
+ # path, process will be killed
+ group: KILL
+
+ # This is an example where a process reading a file will be frozen in place by
+ # the operating system (group honeypot has "freeze: true"). Process execution
+ # will not continue, and it cannot be killed unless removed from cgroup, or
+ # cgroup is manually thawed. This will allow you to detect what processes
+ # read/write to a file and examine them.
+ - path: /my/forbidden/file
+ action: read
+ group: honeypot
+
+
+# These control groups will be created by the application, with the limits
+# specified for any of them. By default there is none; the ones below are just
+# examples.
+#
+# Note that while it is safe to cap CPU to any application, capping pids and or
+# RAM might make those applications malfunction. That would depend on how the
+# applications manage error codes of operations that are denied by operating
+# system. Those operations would be the ones related to asking more RAM we
+# allow them to use, or trying to spawn more children. Think of a browser that
+# uses a process-per-tab approach: if we cap processes to 20, the tab 21st would
+# fail to display correctly
+groups:
+ - name: browsers
+ # Max RAM, in Mbs, that all the processes in the group together can use.
+ ram: 2000
+ # Max number of processes that can be spawned simultaneously by processes in
+ # the group. A process spawned by a process of a group will remain in the
+ # group.
+ pids: 30
+ # Max single-CPU %-age that processes in the group will be able to use. For
+ # instance, if you want to make sure your massively heavy parallel local
+ # compilations do not make your UI unusable, you can create a group for
+ # 'make' with a CPU limit. Note that if you have N CPUs, you might want to
+ # use values higher than 100. For instance, in a machine with 8 CPUs
+ # meaningful values are those between 0 (no juice) and 800 (no limit). A
+ # value of 400 would mean half of the CPU power would be available for other
+ # tasks.
+ cpu: 250
+ # Default is false. true means that the group is a freezer: processes
+ # cannot continue execution or be killed by their owners (unless they are
+ # root and familiar with the freeze subsystem). Use of this feature is to
+ # allow to detect and examine processes that do some action. Use with
+ # caution.
+ freeze: false
+ # Default is false. true means that instead of moving the process to a
+ # cgroup the process will be killed. It is a way of making sure (or
+ # enforcing) some actions are never done. Use with caution.
+ kill: false
+
+ - name: ides
+ ram: 1000
+ pids: 50
+ cpu: 80
+
+ - name: email
+ ram: 2000
+ pids: 5
+ cpu: 50
+
+ - name: music
+ ram: 500
+ pids: 5
+ cpu: 80
+
+ # This example has unlimited ram, as it is not specified
+ - name: shell
+ cpu: 95
+ pids: 100
+
+ # Example of a group to freeze processes
+ - name: honeypot
+ freeze: true
diff --git a/examples/minimal-example.yaml b/examples/minimal-example.yaml
new file mode 100644
index 0000000..ec31b10
--- /dev/null
+++ b/examples/minimal-example.yaml
@@ -0,0 +1,16 @@
+# In this example we do not allow those compilations triggered by make to use
+# more 4G RAM or 80% CPU, no matter how many parallel compilations are made
+rules:
+ - path: /usr/bin/make
+ action: execute
+ group: compilation
+
+groups:
+ - name: compilation
+ ram: 4000
+ # We do not allow compilations to use more than 80% of CPU power. Since we
+ # have two CPUs, we need to multiply 80 per 2.
+ cpu: 160
+
+logging:
+ file: /tmp/fetter.log
diff --git a/fetter.go b/fetter.go
new file mode 100644
index 0000000..3b39603
--- /dev/null
+++ b/fetter.go
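Review bot: The `logging:` section of documented-example.yaml sets `file: /tmp/fetter.log`, a fixed name in a world-writable directory, while fetter.go in this commit refuses to run without root. A root process that opens a predictable path under `/tmp` can be pointed at another file by a symlink or file that an unprivileged user created first; whether the logger guards against that is not visible in this diff. Since people copy example configs verbatim, I would ship `file: /var/log/fetter.log` and add a comment that the log directory should be writable by root only. minimal-example.yaml carries the same `file: /tmp/fetter.log` line and needs the same change.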
@@ -0,0 +1,72 @@
+package main
+
+import (
+ "fmt"
+ "os"
+
+ "github.com/spf13/cobra"
+
+ "github.com/juan-leon/fetter/internal"
+ "github.com/juan-leon/fetter/pkg/log"
+)
+
+const (
+ Name = "fetter"
+ Short = "Move processes into control groups based on configurable actions"
+)
+
+var (
+ configFile string
+ daemonize bool
+ scan bool
+ scanAndExit bool
+ clean bool
+
+ BuildDate string // injected from linker
+ Commit string // injected from linker
+ Version string // injected from linker
+)
+
+func run(cmd *cobra.Command, args []string) {
+ if clean {
+ internal.Clean(configFile)
+ return
+ }
+ if scanAndExit {
+ internal.Scan(configFile)
+ return
+ }
+ internal.Loop(configFile, daemonize, scan)
+}
+
+func assertUsage(cmd *cobra.Command, args []string) error {
+ if len(args) > 0 {
+ return fmt.Errorf("too many args: %s", args)
+ }
+ if os.Geteuid() != 0 {
+ // We could check for process capabilities (CAP_AUDIT_*, etc), but for
+ // the time being let's keep it simple.
+ return fmt.Errorf("this program needs root privileges")
+ }
+ return nil
+}
+
+func main() {
+ log.InitConsoleLogger()
+ cmd := &cobra.Command{
+ Use: Name,
+ Short: Short,
+ Run: run,
+ PreRunE: assertUsage,
+ Version: fmt.Sprintf("%s, built on %s from %s\n", Version, BuildDate, Commit),
+ }
+ f := cmd.Flags()
+ f.StringVarP(&configFile, "config", "c", "/etc/fetter/config.yaml", "Path to configuration file")
+ f.BoolVarP(&daemonize, "daemon", "d", false, "Fork to a daemonized process in background")
+ f.BoolVarP(&scan, "scan", "s", false, "Scan already active processes according to rules")
+ f.BoolVarP(&clean, "clean-up", "D", false, "Delete cgroups and exit")
+ f.BoolVarP(&scanAndExit, "scan-and-exit", "S", false, "Scan processes according to rules and exit")
+ if err := cmd.Execute(); err != nil {
+ os.Exit(2)
+ }
+}
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..4a0901e
--- /dev/null
+++ b/go.mod
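Review bot: `run` resolves the mode flags by silent precedence: `--clean-up` wins over everything, then `--scan-and-exit`, so `fetter -D -d` deletes the cgroups and exits while the `--daemon` the operator asked for is ignored. `assertUsage` already validates the invocation, so it could reject contradictory combinations there, for example `if clean && (scanAndExit || daemonize || scan) { return fmt.Errorf("--clean-up cannot be combined with other mode flags") }`. The exported `BuildDate`, `Commit` and `Version` would also read better with a doc comment naming the `-X main.…` linker flags in the Makefile that set them. The trailing `\n` in the `Version` string looks redundant if cobra's version template already ends the line, which is worth checking.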
@@ -0,0 +1,20 @@
+module github.com/juan-leon/fetter
+
+go 1.14
+
+require (
+ github.com/StackExchange/wmi v0.0.0-20210224194228-fe8f1750fd46 // indirect
+ github.com/containerd/cgroups v1.0.1
+ github.com/elastic/go-libaudit/v2 v2.2.0
+ github.com/go-ole/go-ole v1.2.5 // indirect
+ github.com/heetch/confita v0.10.0
+ github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
+ github.com/opencontainers/runtime-spec v1.0.2
+ github.com/pkg/errors v0.9.1
+ github.com/sevlyar/go-daemon v0.1.5
+ github.com/shirou/gopsutil v3.21.5+incompatible
+ github.com/spf13/cobra v1.0.0
+ github.com/spf13/pflag v1.0.5
+ github.com/tklauser/go-sysconf v0.3.6 // indirect
+ go.uber.org/zap v1.10.0
+)
diff --git a/go.sum b/go.sum
new file mode 100644
index 0000000..e931e89
--- /dev/null
+++ b/go.sum
@@ -0,0 +1,323 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/DataDog/datadog-go v2.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/StackExchange/wmi v0.0.0-20210224194228-fe8f1750fd46 h1:5sXbqlSomvdjlRbWyNqkPsJ3Fg+tQZCbgeX1VGljbQY= +github.com/StackExchange/wmi v0.0.0-20210224194228-fe8f1750fd46/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg= +github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= +github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= +github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= +github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= +github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY= +github.com/armon/go-metrics v0.0.0-20190430140413-ec5e00d3c878/go.mod h1:3AMJUQhVx52RsWOnlkpikZr01T/yAVN2gn0861vByNg= +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= +github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= +github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/cespare/xxhash v1.1.0/go.mod 
h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= +github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs= +github.com/circonus-labs/circonus-gometrics v2.3.1+incompatible/go.mod h1:nmEj6Dob7S7YxXgwXpfOuvO54S+tGdZdw9fuRZt25Ag= +github.com/circonus-labs/circonusllhist v0.1.3/go.mod h1:kMXHVDlOchFAehlya5ePtbp5jckzBHf4XRpQvBOLI+I= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/containerd/cgroups v1.0.1 h1:iJnMvco9XGvKUvNQkv88bE4uJXxRQH18efbKo9w5vHQ= +github.com/containerd/cgroups v1.0.1/go.mod h1:0SJrPIenamHDcZhEcJMNBB85rHcUsw4f25ZfBiPYRkU= +github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= +github.com/coreos/etcd v3.3.3+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= +github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e h1:Wf6HqHfScWJN9/ZjdUKyjop4mf3Qdd+1TvvltAvM3m8= +github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= +github.com/coreos/go-systemd/v22 v22.1.0 h1:kq/SbG2BCKLkDKkjQf5OWwKWUKj1lgs3lFI4PxnR5lg= +github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= +github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= +github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.1/go.mod 
h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= +github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= +github.com/docker/go-units v0.4.0 h1:3uh0PgVws3nIA0Q+MwDC8yjEPf9zjRfZZWXZYDct3Tw= +github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= +github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= +github.com/elastic/go-libaudit/v2 v2.2.0 h1:TY3FDpG4Zr9Qnv6KYW6olYr/U+nfu0rD2QAbv75VxMQ= +github.com/elastic/go-libaudit/v2 v2.2.0/go.mod h1:MM/l/4xV7ilcl+cIblL8Zn448J7RZaDwgNLE4gNKYPg= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= +github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M= +github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= +github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= +github.com/go-ldap/ldap v3.0.2+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc= +github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE= +github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk= +github.com/go-ole/go-ole v1.2.5 h1:t4MGB5xEDZvXI+0rMjjsfBsD7yAgp/s9ZDkL1JndXwY= +github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0= +github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= +github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= +github.com/godbus/dbus/v5 v5.0.3 h1:ZqHaoEF7TBzh4jzPmqVhE/5A1z9of6orkAe5uHoAeME= 
+github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= +github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4= +github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= +github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= +github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs= +github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk= +github.com/grpc-ecosystem/grpc-gateway v1.8.6/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= +github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= 
+github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q= +github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.0/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-cleanhttp v0.5.1/go.mod h1:JpRdi6/HCYpAwUzNwuwqhbovhLtngrth3wmdIIUrZ80= +github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd/go.mod h1:9bjs9uLqI8l75knNv3lV1kA55veR+WUPSiKIWcQHudI= +github.com/hashicorp/go-hclog v0.8.0/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ= +github.com/hashicorp/go-immutable-radix v1.0.0/go.mod h1:0y9vanUI8NX6FsYoO3zeMjhV/C5i9g4Q3DwcSNZ4P60= +github.com/hashicorp/go-msgpack v0.5.3/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-msgpack v0.5.5/go.mod h1:ahLV/dePpqEmjfWmKiqvPkv/twdG7iPBM1vqhUKIvfM= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-plugin v1.0.1/go.mod h1:++UyYGoz3o5w9ZzAdZxtQKrWWP+iqPBn3cQptSMzBuY= +github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= +github.com/hashicorp/go-retryablehttp v0.5.4/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= +github.com/hashicorp/go-rootcerts v1.0.0/go.mod h1:K6zTfqpRlCUIjkwsN4Z+hiSfzSTQa6eBIzfwKfwNnHU= +github.com/hashicorp/go-rootcerts v1.0.1/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-sockaddr v1.0.0/go.mod h1:7Xibr9yA9JjQq1JpNB2Vw7kxv8xerXegt+ozgdvDeDU= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/go-syslog v1.0.0/go.mod h1:qPfqrKkXGihmCqbJM2mZgkZGvKG1dFdvsLplgctolz4= +github.com/hashicorp/go-uuid v1.0.0/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-uuid v1.0.1/go.mod 
h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.1.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= +github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= +github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= +github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= +github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= +github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= +github.com/hashicorp/vault/api v1.0.4/go.mod h1:gDcqh3WGcR1cpF5AJz/B1UFheUEneMoIospckxBxk6Q= +github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M= +github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM= +github.com/heetch/confita v0.10.0 h1:00V4eQPDU71v9nZD7N/DsSb9cnPJh59CjrpQPfln47A= +github.com/heetch/confita v0.10.0/go.mod h1:W6GDCVPvi2LpvdEriwZTu2fyxuK+Grx1vY302gtWfvM= +github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM= +github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8= +github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= +github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= +github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= 
+github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 h1:iQTw/8FWTuc7uiaSepXwyf3o52HaUYcV+Tu66S3F5GA= +github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8= +github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= +github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= +github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= +github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= +github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= +github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= +github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= +github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod 
h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/gox v0.4.0/go.mod h1:Sd9lOJ0+aimLBi73mGofS1ycjY8lL3uZM3JPS42BGNg= +github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0QubkSMEySY= +github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= +github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA= +github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U= +github.com/opencontainers/runtime-spec v1.0.2 h1:UfAcuLBJB9Coz72x1hgl8O5RVzTdNiaglX6v2DM6FI0= +github.com/opencontainers/runtime-spec v1.0.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= +github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= +github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= +github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= +github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1-0.20170505043639-c605e284fe17/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= 
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= +github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= +github.com/prometheus/client_golang v0.9.2/go.mod h1:OsXs2jCmiKlQ1lTBmv21f2mNfw4xf/QclQDMrYNZzcM= +github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs= +github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= +github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= +github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.0.0-20181126121408-4724e9255275/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro= +github.com/prometheus/common v0.2.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4= +github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20181204211112-1dc9a6cbc91a/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= +github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= 
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= +github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= +github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= +github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= +github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc= +github.com/sevlyar/go-daemon v0.1.5 h1:Zy/6jLbM8CfqJ4x4RPr7MJlSKt90f00kNM1D401C+Qk= +github.com/sevlyar/go-daemon v0.1.5/go.mod h1:6dJpPatBT9eUwM5VCw9Bt6CdX9Tk6UWvhW3MebLDRKE= +github.com/shirou/gopsutil v3.21.5+incompatible h1:OloQyEerMi7JUrXiNzy8wQ5XN+baemxSl12QgIzt0jc= +github.com/shirou/gopsutil v3.21.5+incompatible/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA= +github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= +github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= +github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= +github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= +github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= +github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= +github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8= +github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE= +github.com/spf13/jwalterweatherman v1.0.0/go.mod 
h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo= +github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= +github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= +github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.1.5-0.20170601210322-f6abca593680/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs= +github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/tklauser/go-sysconf v0.3.6 h1:oc1sJWvKkmvIxhDHeKWvZS4f6AW+YcoguSfRF2/Hmo4= +github.com/tklauser/go-sysconf v0.3.6/go.mod h1:MkWzOF4RMCshBAMXuhXJs64Rte09mITnppBXY/rYEFI= +github.com/tklauser/numcpus v0.2.2 h1:oyhllyrScuYI6g+h/zUvNXNp1wy7x8qQy3t/piefldA= +github.com/tklauser/numcpus v0.2.2/go.mod h1:x3qojaO3uyYt0i56EW/VUYs7uBvdl2fkfZFu0T9wgjM= +github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= +github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM= +github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc= +github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0= +github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= +github.com/xordataexchange/crypt 
v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= +go.uber.org/atomic v1.4.0 h1:cxzIVoETapQEqDhQu3QfnvXAV4AlzcvUCxkVUFw3+EU= +go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/multierr v1.1.0 h1:HoEmRHQPVSqub6w2z2d2EOVs2fjyFRGyofhKuyDq0QI= +go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= +go.uber.org/zap v1.10.0 h1:ORx85nbTijNz8ljznvCMR1ZBIPKFn3jQrag10X2AsuM= +go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= +golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190506204251-e1dfcc566284/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/mod v0.2.0/go.mod 
h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181023162649-9b4f9f5ad519/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181201002055-351d144fa1fc/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190125091013-d26f9f9a57f3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync 
v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181026203630-95b1ffbd15a5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190129075346-302c3dd5f1cc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190508220229-2d0786266e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa h1:ZYxPR6aca/uhfRJyaOAtflSHjJYiktO7QnJC5ut7iY4= +golang.org/x/sys v0.0.0-20210316164454-77fc1eacc6aa/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.1-0.20181227161524-e6919f6577db/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors 
v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190404172233-64821d5d2107/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE= +google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM= +google.golang.org/grpc v1.22.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= +gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d/go.mod h1:cuepJuh7vyXfUyUwEgHQXw849cJrilpS5NeIjOWESAw= +gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo= +gopkg.in/square/go-jose.v2 v2.3.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= +gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74= +gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.3.0 
h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= +gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= diff --git a/internal/runner.go b/internal/runner.go new file mode 100644 index 0000000..c2fa8ff --- /dev/null +++ b/internal/runner.go 
@@ -0,0 +1,84 @@
+package internal
+
+import (
+ "time"
+
+ "github.com/sevlyar/go-daemon"
+
+ "github.com/juan-leon/fetter/pkg/audit"
+ "github.com/juan-leon/fetter/pkg/cgroups"
+ "github.com/juan-leon/fetter/pkg/log"
+ "github.com/juan-leon/fetter/pkg/scanner"
+ "github.com/juan-leon/fetter/pkg/settings"
+)
+
+func Loop(
+ configFile string,
+ daemonize bool,
+ scan bool,
+) {
+ config := loadConfig(configFile)
+ if daemonize {
+ cntxt := &daemon.Context{
+ PidFileName: "/run/fetter.pid",
+ }
+ child, err := cntxt.Reborn()
+ if err != nil {
+ log.Console.Fatalf("Unable to daemonize: %s", err)
+ }
+ if child != nil {
+ log.Console.Infof("Dettaching")
+ return
+ }
+ defer cntxt.Release()
+ }
+ log.InitFileLogger(config.Logging)
+ log.Logger.Infof("Initializing Control Groups...")
+ groups := cgroups.NewGroupHierarchy(config)
+ if config.Mode == settings.RUN_MODE_SCANNER {
+ log.Logger.Infof("Scanning active processes...")
+ s := scanner.NewProcessScanner(config, groups)
+ s.Loop()
+ } else {
+ log.Logger.Infof("Auditing system calls according to rules...")
+ s := audit.NewSysCallListener(config, groups)
+ if s == nil {
+ log.Logger.Fatalf("Could not setup a kernel syscall listener")
+ }
+ if scan {
+ go func() {
+ // The sleep here if to avoid (unlikely) race conditions between
+ // receiving audit events and process spawning
+ time.Sleep(time.Second)
+ log.Logger.Infof("Scanning already active processes...")
+ scanner.NewProcessScanner(config, groups).Scan()
+ }()
+ }
+ s.Loop()
+ }
+}
+
+func Clean(configFile string) {
+ config := loadConfig(configFile)
+ log.InitFileLogger(config.Logging)
+ // TODO: look for processes in sub hierarchy and send them to root
+ // hierarchy. Otherwise the cgroups with alive processes will remain.
+ cgroups.DeleteGroupHierarchy(config)
+}
+
+func Scan(configFile string) {
+ config := loadConfig(configFile)
+ log.InitFileLogger(config.Logging)
+ log.Logger.Infof("Initializing Control Groups...")
+ groups := cgroups.NewGroupHierarchy(config)
+ log.Logger.Infof("Scanning active processes...")
+ scanner.NewProcessScanner(config, groups).Scan()
+}
+
+func loadConfig(configFile string) (config *settings.Settings) {
+ config, err := settings.Load(configFile)
+ if err != nil {
+ log.Console.Fatalf("Could not read config: %s", err)
+ }
+ return
+}
diff --git a/pkg/audit/audit.go b/pkg/audit/audit.go
new file mode 100644
index 0000000..74e1004
--- /dev/null
+++ b/pkg/audit/audit.go
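Review bot: `Clean` discards the error returned by `cgroups.DeleteGroupHierarchy(config)`, so the cleanup command reports success even when the hierarchy could not be loaded or deleted and the limits stay in place. The TODO above that call already says cgroups holding live processes will remain, so the failure should reach the operator: `if err := cgroups.DeleteGroupHierarchy(config); err != nil { log.Console.Fatalf("Could not delete cgroups: %s", err) }`. In `Loop`, the `daemon.Context` sets only `PidFileName`; setting `PidFilePerm` and `Umask` explicitly would stop the pid file and the log file from depending on the umask of whoever starts the daemon.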
@@ -0,0 +1,252 @@
+package audit
+
+import (
+ "fmt"
+ "os"
+ "strconv"
+ "strings"
+ "syscall"
+ "time"
+
+ "github.com/elastic/go-libaudit/v2"
+ "github.com/elastic/go-libaudit/v2/auparse"
+ "github.com/elastic/go-libaudit/v2/rule"
+ "github.com/elastic/go-libaudit/v2/rule/flags"
+ "github.com/pkg/errors"
+
+ "github.com/juan-leon/fetter/pkg/cgroups"
+ "github.com/juan-leon/fetter/pkg/log"
+ "github.com/juan-leon/fetter/pkg/settings"
+)
+
+const (
+ auditLocked = 2
+ cgPrefix = "cgroup_"
+)
+
+const (
+ MODE_REUSE string = "reuse"
+ MODE_OVERRIDE string = "override"
+ MODE_PRESERVE string = "preserve"
+)
+
+const (
+ SYSCALL_READ string = "read"
+ SYSCALL_EXECUTE string = "execute"
+ SYSCALL_WRITE string = "write"
+)
+
+type SysCallListener struct {
+ config *settings.Settings
+ client *libaudit.AuditClient
+ cgroups *cgroups.GroupHierarchy
+}
+
+func NewSysCallListener(config *settings.Settings, cgroups *cgroups.GroupHierarchy) *SysCallListener {
+ if !assertAuditMode(config.Audit.Mode) {
+ log.Logger.Errorf("unknown config for audit.mode: %s", config.Audit.Mode)
+ return nil
+ }
+
+ client, err := libaudit.NewMulticastAuditClient(nil)
+ if err != nil {
+ log.Logger.Errorf("failed to create audit client euid=%v", os.Geteuid())
+ return nil
+ }
+ return &SysCallListener{
+ client: client,
+ config: config,
+ cgroups: cgroups,
+ }
+}
+
+func (scl *SysCallListener) Loop() {
+ defer closeAuditClient(scl.client)
+ scl.configure()
+ log.Logger.Debugw("Forever snooping syscalls")
+ scl.loop()
+}
+
+func (scl *SysCallListener) configure() {
+ if scl.config.Audit.Mode != MODE_REUSE {
+ scl.addRules()
+ } else {
+ log.Logger.Infof("Reusing existing audit rules")
+ }
+ scl.client.SetEnabled(true, libaudit.NoWait)
+}
+
+func closeAuditClient(client *libaudit.AuditClient) error {
+ discard := func(bytes []byte) ([]syscall.NetlinkMessage, error) {
+ return nil, nil
+ }
+ // Drain the netlink channel in parallel to Close() to prevent a deadlock.
+ // Code copied from auditd module form auditbeat project
+ go func() {
+ for {
+ _, err := client.Netlink.Receive(true, discard)
+ switch err {
+ case nil, syscall.EINTR:
+ case syscall.EAGAIN:
+ time.Sleep(50 * time.Millisecond)
+ default:
+ return
+ }
+ }
+ }()
+ return client.Close()
+}
+
+func (scl *SysCallListener) addRules() error {
+ client, err := libaudit.NewAuditClient(nil)
+ if err != nil {
+ log.Logger.Errorf("failed to create audit client: %s", err)
+ return err
+ }
+ defer closeAuditClient(client)
+
+ status, err := client.GetStatus()
+ if err != nil {
+ log.Logger.Errorf("failed to get status from audit client: %s", err)
+ return err
+ }
+ if scl.config.Audit.Mode != MODE_REUSE {
+ if status.Enabled == auditLocked {
+ log.Logger.Fatalf("Audit rules are locked :-(")
+ }
+ }
+
+ if scl.config.Audit.Mode == MODE_OVERRIDE {
+ n, err := client.DeleteRules()
+ if err != nil {
+ log.Logger.Errorf("Failed to delete existing rules: %s", err)
+ return err
+ }
+ log.Logger.Infof("Deleted %d pre-existing audit rules.", n)
+ }
+
+ for _, r := range scl.config.Rules {
+ if err = validateRule(r); err != nil {
+ log.Logger.Errorw("Failed to validate rule", "rule", r, "error", err.Error())
+ continue
+ }
+ asString := asAuditFmt(r)
+ parsedRule, err := flags.Parse(asString)
+ if err != nil {
+ log.Logger.Errorw("Failed to parse rule", "rule", r, "error", err.Error())
+ continue
+ }
+
+ ruleData, err := rule.Build(parsedRule)
+ if err != nil {
+ log.Logger.Errorw("Failed to build rule", "rule", r, "error", err.Error())
+ continue
+ }
+
+ err = client.AddRule([]byte(ruleData))
+ if err != nil {
+ log.Logger.Errorw("Failed to add rule", "rule", r, "error", err.Error())
+ continue
+ }
+ log.Logger.Debugw("Added rule", "rule", r)
+ }
+ return nil
+}
+
+func (scl *SysCallListener) loop() {
+ for {
+ auditMsg, err := scl.client.Receive(false)
+ if err != nil {
+ if errors.Cause(err) == syscall.EBADF {
+ log.Logger.Warn("Audit client has been closed")
+ break
+ }
+ log.Logger.Warn("Error listening kernel events: %s", err)
+ continue
+ }
+ if auditMsg.Type != auparse.AUDIT_SYSCALL {
+ // We are interested in SYSCALL events only (as those include
+ // execution, read and write, and are triggered bebore process is
+ // ended).
+ continue
+ }
+ log.Logger.Debugw("Received syscall event", "raw-syscall", string(auditMsg.Data))
+
+ msg, err := auparse.Parse(auditMsg.Type, string(auditMsg.Data))
+ if err != nil {
+ log.Logger.Errorw("Error parsing msg", "raw-syscall", string(auditMsg.Data))
+ continue
+ }
+ scl.processMessage(msg)
+ }
+}
+
+func (scl *SysCallListener) processMessage(msg *auparse.AuditMessage) {
+ // For auparse, key is a tag and is not present in 'Data'
+ tags, err := msg.Tags()
+ if err != nil {
+ log.Logger.Errorf("Could not parse tags from message: %s", err)
+ return
+ }
+ for _, tagValue := range tags {
+ if strings.HasPrefix(tagValue, cgPrefix) {
+ data, err := msg.Data()
+ if err != nil {
+ log.Logger.Errorf("Could not extract data from message: %s", err)
+ return
+ }
+ pid, err := strconv.Atoi(data["pid"])
+ if err != nil {
+ log.Logger.Fatalf("Got a non-numeric pid %s: %s", data["pid"], err)
+ }
+ scl.cgroups.Add(pid, tagValue[len(cgPrefix):])
+ return
+ }
+ }
+}
+
+func assertAuditMode(mode string) bool {
+ switch mode {
+ case
+ MODE_REUSE, MODE_OVERRIDE, MODE_PRESERVE:
+ return true
+ default:
+ return false
+ }
+}
+
+func asAuditFmt(r settings.Rule) string {
+ action := "x"
+ switch r.Action {
+ case SYSCALL_READ:
+ action = "r"
+ case SYSCALL_WRITE:
+ action = "w"
+ }
+ return fmt.Sprintf(
+ "-w %s -p %s -k %s%s",
+ r.Path,
+ action,
+ cgPrefix,
+ r.Group,
+ )
+}
+
+func validateRule(r settings.Rule) error {
+ if r.Path == "" {
+ return fmt.Errorf("path cannot be empty")
+ }
+ if r.Group == "" {
+ return fmt.Errorf("group cannot be empty")
+ }
+ if r.Action == "" {
+ return fmt.Errorf("action cannot be empty")
+ }
+ switch r.Action {
+ case
+ SYSCALL_READ, SYSCALL_EXECUTE, SYSCALL_WRITE:
+ default:
+ return fmt.Errorf("unknown action %s for rule", r.Action)
+ }
+ return nil
+}
diff --git a/pkg/audit/audit_test.go b/pkg/audit/audit_test.go
new file mode 100644
index 0000000..22ce958
--- /dev/null
+++ b/pkg/audit/audit_test.go
@@ -0,0 +1,52 @@
+package audit
+
+import (
+ "testing"
+
+ "github.com/juan-leon/fetter/pkg/settings"
+)
+
+func TestAuditModeAssertion(t *testing.T) {
+ if !assertAuditMode(MODE_PRESERVE) {
+ t.Error(MODE_PRESERVE, "is a valid mode")
+ }
+ if assertAuditMode("foobar") {
+ t.Error("foobar is not a valid mode")
+ }
+}
+
+func TestValidateRule(t *testing.T) {
+ if validateRule(settings.Rule{Path: "foo", Group: "foo"}) == nil {
+ t.Error("Rule should fail validation")
+ }
+ if validateRule(settings.Rule{Action: "foo", Group: "foo"}) == nil {
+ t.Error("Rule should fail validation")
+ }
+ if validateRule(settings.Rule{Path: "foo", Action: "foo"}) == nil {
+ t.Error("Rule should fail validation")
+ }
+ if validateRule(settings.Rule{Path: "foo", Action: "foo", Group: "foo"}) == nil {
+ t.Error("Rule should fail validation")
+ }
+ if validateRule(settings.Rule{Path: "foo", Action: SYSCALL_EXECUTE, Group: "foo"}) != nil {
+ t.Error("Rule should pass validation")
+ }
+}
+
+func TestRuleFormat(t *testing.T) {
+ value := asAuditFmt(settings.Rule{Path: "/foo", Group: "danger", Action: SYSCALL_EXECUTE})
+ expected := "-w /foo -p x -k cgroup_danger"
+ if value != expected {
+ t.Error("Rule should be formatted as", expected, "instead of", value)
+ }
+ value = asAuditFmt(settings.Rule{Path: "foo", Group: "foobar", Action: SYSCALL_READ})
+ expected = "-w foo -p r -k cgroup_foobar"
+ if value != expected {
+ t.Error("Rule should be formatted as", expected, "instead of", value)
+ }
+ value = asAuditFmt(settings.Rule{Path: "none", Group: "test", Action: SYSCALL_WRITE})
+ expected = "-w none -p w -k cgroup_test"
+ if value != expected {
+ t.Error("Rule should be formatted as", expected, "instead of", value)
+ }
+}
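Review bot: `asAuditFmt` splices `r.Path` and `r.Group` into an auditctl-style string that `flags.Parse` then tokenises, while `validateRule` only rejects empty values, so a path or group containing whitespace can change which rule actually gets installed (extra fields, or a different key than the configured group). Rejecting whitespace in both fields before formatting closes that gap; paths that legitimately contain spaces would then need quoting support in the parser, which is not visible in this hunk. Separately, `processMessage` calls `log.Logger.Fatalf` on a non-numeric pid, which stops enforcement of every rule because of one malformed event; `Errorf` followed by `return` would match the other error paths in that function.

```go
func validateRule(r settings.Rule) error {
	// … unchanged: empty path / group / action checks …
	if strings.ContainsAny(r.Path, " \t\r\n") {
		return fmt.Errorf("path %q must not contain whitespace", r.Path)
	}
	if strings.ContainsAny(r.Group, " \t\r\n") {
		return fmt.Errorf("group %q must not contain whitespace", r.Group)
	}
	// … unchanged: action switch and return nil …
```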
diff --git a/pkg/cgroups/cgroups.go b/pkg/cgroups/cgroups.go
new file mode 100644
index 0000000..e2b9ed1
--- /dev/null
+++ b/pkg/cgroups/cgroups.go
@@ -0,0 +1,101 @@
+package cgroups
+
+import (
+ "fmt"
+ "syscall"
+
+ "github.com/containerd/cgroups"
+
+ "github.com/juan-leon/fetter/pkg/log"
+ "github.com/juan-leon/fetter/pkg/settings"
+)
+
+const (
+ kill = "KILL" // pseudo group for killing proceses outright
+)
+
+type GroupHierarchy struct {
+ name string
+ main cgroups.Cgroup
+ subgroups map[string]cgroups.Cgroup
+}
+
+func NewGroupHierarchy(config *settings.Settings) *GroupHierarchy {
+ main, err := cgroups.New(
+ cgroups.V1,
+ cgroups.StaticPath(config.Name),
+ emptySpec(),
+ )
+ if err != nil {
+ log.Logger.Fatalf("Could not create base cgroup with name %s: %s", config.Name, err)
+ return nil
+ }
+ gh := GroupHierarchy{
+ name: config.Name,
+ main: main,
+ subgroups: make(map[string]cgroups.Cgroup),
+ }
+ for _, g := range config.Groups {
+ gh.addSubGroup(g)
+ }
+ return &gh
+}
+
+func DeleteGroupHierarchy(config *settings.Settings) error {
+ main, err := cgroups.Load(
+ cgroups.V1,
+ cgroups.StaticPath(config.Name),
+ )
+ if err != nil {
+ log.Logger.Errorf("Could not load base cgroup with name %s: %s", config.Name, err)
+ return err
+ }
+ if err := main.Delete(); err != nil {
+ log.Logger.Errorf("Could not delete base cgroup with name %s: %s", config.Name, err)
+ return err
+ }
+ return nil
+}
+
+func (gh *GroupHierarchy) Add(pid int, cgroup string) error {
+ if cgroup == kill {
+ log.Logger.Infof("Killing process %d", pid)
+ if err := syscall.Kill(pid, 9); err != nil {
+ log.Logger.Warnf("Could not kill process: %s", err)
+ return err
+ }
+ return nil
+ }
+ log.Logger.Infof("Adding process %d to cgroup %s", pid, cgroup)
+ if subgroup, ok := gh.subgroups[cgroup]; ok {
+ if err := subgroup.Add(cgroups.Process{Pid: pid}); err != nil {
+ log.Logger.Warnw("Could not add process to subgroup", "name", cgroup, "pid", pid)
+ return err
+ }
+ } else {
+ log.Logger.Warnw("Did not find subgroup", "name", cgroup, "pid", pid)
+ }
+ return nil
+}
+
+func (gh *GroupHierarchy) addSubGroup(g settings.Group) error {
+ if g.Name == "" {
+ err := fmt.Errorf("could not create subgroup with empty name")
+ log.Logger.Errorf("%s", err)
+ return err
+ }
+ subgroup, err := gh.main.New(g.Name, createSpec(&g))
+ if err != nil {
+ log.Logger.Errorf("Could not create subgroup with name %s: %s", g.Name, err)
+ return err
+ }
+ gh.subgroups[g.Name] = subgroup
+ if g.Freeze {
+ if err := subgroup.Freeze(); err != nil {
+ log.Logger.Errorf("Could not freeze %s: %s", g.Name, err)
+ return err
+ }
+ }
+ log.Logger.Debugw("Added subgroup", "name", g.Name, "subgroup", g)
+ return nil
+}
diff --git a/pkg/cgroups/specs.go b/pkg/cgroups/specs.go
new file mode 100644
index 0000000..57114a4
--- /dev/null
+++ b/pkg/cgroups/specs.go
@@ -0,0 +1,51 @@
+package cgroups
+
+import (
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+
+ "github.com/juan-leon/fetter/pkg/log"
+ "github.com/juan-leon/fetter/pkg/settings"
+)
+
+func emptySpec() *specs.LinuxResources {
+ return &specs.LinuxResources{}
+}
+
+var period = uint64(1000000)
+
+func createSpec(g *settings.Group) (spec *specs.LinuxResources) {
+ spec = emptySpec()
+ if g.CPU > 0 {
+ spec.CPU = specCPU(g.CPU)
+ }
+ if g.RAM > 0 {
+ spec.Memory = specRAM(g.RAM)
+ }
+ if g.Pids > 0 {
+ spec.Pids = specPids(g.Pids)
+ }
+ log.Logger.Debugw("CGroup spec created", "cgroup", g.Name, "spec", spec)
+ return
+}
+
+func specCPU(cpu int) (spec *specs.LinuxCPU) {
+ quota := int64(uint64(cpu) * period / 100)
+ spec = &specs.LinuxCPU{
+ Quota: "a,
+ Period: &period,
+ }
+ return
+}
+
+func specRAM(ram int64) (spec *specs.LinuxMemory) {
+ bytes := ram * 1024 * 1024
+ spec = &specs.LinuxMemory{
+ Limit: &bytes,
+ }
+ return
+}
+
+func specPids(pids int64) (spec *specs.LinuxPids) {
+ spec = &specs.LinuxPids{Limit: pids}
+ return
+}
diff --git a/pkg/cgroups/specs_test.go b/pkg/cgroups/specs_test.go
new file mode 100644
index 0000000..8154633
--- /dev/null
+++ b/pkg/cgroups/specs_test.go
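Review bot: `Add` hands `pid` to `syscall.Kill(pid, 9)` without a range check, and kill(2) treats 0 and negative values as a process group or as every process the caller may signal, which for a privileged daemon is far wider than any rule intends. A guard at the top of the function, `if pid <= 1 { return fmt.Errorf("refusing to act on pid %d", pid) }`, together with `syscall.SIGKILL` instead of the literal 9, keeps a bad value from the audit parser or the scanner contained. `NewGroupHierarchy` also drops the error from `gh.addSubGroup(g)`, so a group that could not be created leaves its rules unenforced, with only the "Did not find subgroup" warning when a process later matches.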
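Review bot: `createSpec` and its helpers say nothing about units, and the conversions in `specCPU` (`cpu * period / 100`) and `specRAM` (`ram * 1024 * 1024`) only read correctly once you know that CPU appears to be a percentage of one core and RAM a size in MiB. I would add `// specCPU converts a percentage of one CPU into a quota over the shared period.` and `// specRAM converts a limit given in MiB to bytes.` above the two helpers. An upper bound on `g.RAM` before the multiplication would also keep an absurd config value from overflowing int64 and installing a nonsensical limit.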
@@ -0,0 +1,37 @@
+package cgroups
+
+import (
+ "reflect"
+ "testing"
+
+ specs "github.com/opencontainers/runtime-spec/specs-go"
+
+ "github.com/juan-leon/fetter/pkg/log"
+ "github.com/juan-leon/fetter/pkg/settings"
+)
+
+func TestEmptySpec(t *testing.T) {
+ log.InitLoggerForTests()
+ spec := createSpec(&settings.Group{})
+ if !reflect.DeepEqual(spec, &specs.LinuxResources{}) {
+ t.Error("Should be an empty spec:", spec)
+ }
+}
+
+func TestFullSpec(t *testing.T) {
+ log.InitLoggerForTests()
+ spec := createSpec(&settings.Group{CPU: 20, RAM: 4, Pids: 789})
+ expected := &specs.LinuxPids{Limit: 789}
+ if !reflect.DeepEqual(spec.Pids, expected) {
+ t.Error("Pid spec", spec.Pids, "should be", expected)
+ }
+ if *spec.Memory.Limit != int64(4*1024*1024) {
+ t.Error("Bad memory limit")
+ }
+ if *spec.CPU.Period != uint64(1000000) {
+ t.Error("Bad cpu period")
+ }
+ if *spec.CPU.Quota != int64(200000) {
+ t.Error("Bad cpu quota")
+ }
+}
diff --git a/pkg/log/log.go b/pkg/log/log.go
new file mode 100644
index 0000000..dec53db
--- /dev/null
+++ b/pkg/log/log.go
@@ -0,0 +1,58 @@
+package log
+
+import (
+ "os"
+
+ "go.uber.org/zap"
+ "go.uber.org/zap/zapcore"
+
+ "github.com/juan-leon/fetter/pkg/settings"
+)
+
+// Console writes to stderr, in human format. Direct usage of it is intended
+// for errors initializing stuff from cli arguments, or reading the config. In
+// non daemon mode, logs will be forked to this logger.
+var Console zap.SugaredLogger
+
+// Logger is the general logger. In daemon mode, the only logger.
+var Logger zap.SugaredLogger
+
+func InitConsoleLogger() {
+ cfg := zap.NewProductionEncoderConfig()
+ cfg.EncodeLevel = zapcore.CapitalColorLevelEncoder
+ cfg.EncodeTime = zapcore.ISO8601TimeEncoder
+ core := zapcore.NewCore(
+ zapcore.NewConsoleEncoder(cfg),
+ zapcore.Lock(os.Stderr),
+ zap.DebugLevel,
+ )
+ Console = *zap.New(core).Sugar()
+}
+
+func InitFileLogger(config settings.Logging) {
+ level := zap.NewAtomicLevel()
+ if err := level.UnmarshalText([]byte(config.Level)); err != nil {
+ Console.Errorf("Setting log level to INFO -> %s", err)
+ level.SetLevel(zap.InfoLevel)
+ }
+ cfg := zap.NewProductionEncoderConfig()
+ cfg.EncodeTime = zapcore.ISO8601TimeEncoder
+ cfg.TimeKey = "@timestamp"
+ jsonLog, _, _ := zap.Open(config.File)
+ jsonCore := zapcore.NewCore(
+ zapcore.NewJSONEncoder(cfg),
+ zapcore.Lock(jsonLog),
+ level,
+ )
+ core := zapcore.NewTee(
+ jsonCore,
+ Console.Desugar().Core(),
+ )
+ Logger = *zap.New(core).Sugar()
+}
+
+func InitLoggerForTests() {
+ cfg := zap.NewDevelopmentConfig()
+ logger, _ := cfg.Build()
+ Logger = *logger.Sugar()
+}
diff --git a/pkg/log/log_test.go b/pkg/log/log_test.go
new file mode 100644
index 0000000..3039c43
--- /dev/null
+++ b/pkg/log/log_test.go
@@ -0,0 +1,14 @@
+package log
+
+import (
+ "testing"
+
+ "github.com/juan-leon/fetter/pkg/settings"
+)
+
+func TestInitLog(t *testing.T) {
+ InitConsoleLogger()
+ Console.Sync()
+ InitFileLogger(settings.Logging{File: "/dev/null", Level: "none"})
+ InitLoggerForTests()
+}
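Review bot: In `InitFileLogger` in pkg/log/log.go, `jsonLog, _, _ := zap.Open(config.File)` discards the error, so when the configured file cannot be opened the function goes on to build a core around an unusable sink and the failure is never reported. For a daemon whose log is the record of which processes were confined, the failure should be surfaced on `Console` and the logger should fall back to console-only output. The close function returned by `zap.Open` is dropped as well, so the file is never closed explicitly. `InitLoggerForTests` ignores the error from `cfg.Build()` in the same way.

```go
	jsonLog, _, err := zap.Open(config.File)
	if err != nil {
		// Report the failure and keep console logging instead of wrapping a failed sink.
		Console.Errorf("Cannot open log file %s: %s", config.File, err)
		Logger = Console
		return
	}
	// … unchanged: jsonCore, NewTee and Logger assignment …
```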
diff --git a/pkg/scanner/scan.go b/pkg/scanner/scan.go
new file mode 100644
index 0000000..a1d368b
--- /dev/null
+++ b/pkg/scanner/scan.go
@@ -0,0 +1,61 @@
+package scanner
+
+import (
+ "time"
+
+ "github.com/shirou/gopsutil/process"
+
+ "github.com/juan-leon/fetter/pkg/cgroups"
+ "github.com/juan-leon/fetter/pkg/log"
+ "github.com/juan-leon/fetter/pkg/settings"
+)
+
+type ProcessScanner struct {
+ config *settings.Settings
+ ruleMap map[string]string
+ cgroups *cgroups.GroupHierarchy
+}
+
+func NewProcessScanner(config *settings.Settings, cgroups *cgroups.GroupHierarchy) *ProcessScanner {
+ ruleMap := make(map[string]string)
+ for _, r := range config.Rules {
+ if r.Action == "execute" {
+ ruleMap[r.Path] = r.Group
+ }
+ }
+ return &ProcessScanner{
+ config: config,
+ ruleMap: ruleMap,
+ cgroups: cgroups,
+ }
+}
+
+func (pc *ProcessScanner) Scan() {
+ processes, err := process.Processes()
+ if err != nil {
+ log.Logger.Fatalf("Cannot scan processes %s", err)
+ }
+ for _, p := range processes {
+ exe, err := p.Exe()
+ if err != nil {
+ // Typically, condition races related to short lived processes
+ continue
+ }
+ if group, ok := pc.ruleMap[exe]; ok {
+ log.Logger.Debugf("Adding %s (pid %d) to cgroup %s", exe, p.Pid, group)
+ pc.cgroups.Add(int(p.Pid), group)
+ }
+ }
+}
+
+func (pc *ProcessScanner) Loop() {
+ for {
+ pc.Scan()
+ // Scanning processes use some CPU in heavily loaded machines, but long
+ // delays between scans will increase the likelihood of processes
+ // spawning children that are left out the control group (for instance,
+ // a rule could be good to catch an IDE, but not its LSP subprocesses).
+ // That is a problem better solved with the audit alternative.
+ time.Sleep(time.Second)
+ }
+}
diff --git a/pkg/settings/loader.go b/pkg/settings/loader.go
new file mode 100644
index 0000000..e71cb1d
--- /dev/null
+++ b/pkg/settings/loader.go
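Review bot: `Scan` in pkg/scanner/scan.go calls `log.Logger.Fatalf` when `process.Processes()` fails, which exits the whole daemon from inside `Loop` on a single failed enumeration and leaves every matched process unconfined from then on. Logging and returning lets the next one-second iteration retry: `log.Logger.Errorf("Cannot scan processes %s", err)` followed by `return`. The result of `pc.cgroups.Add(int(p.Pid), group)` is also discarded; `Add` is defined outside this hunk, so if it returns an error it should be logged here. Because the executable path is read and the pid is added in two separate steps, a comment noting that the pid may have exited and been reused in between would help the next reader.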
@@ -0,0 +1,41 @@
+package settings
+
+import (
+ "context"
+ "fmt"
+ "os"
+
+ "github.com/heetch/confita"
+ "github.com/heetch/confita/backend/file"
+)
+
+func Load(path string) (settings *Settings, err error) {
+ settings = &Settings{
+ Name: "fetter",
+ Mode: RUN_MODE_AUDIT,
+ Logging: Logging{
+ File: "/tmp/fetter.log",
+ Level: "info",
+ },
+ Audit: Audit{Mode: RUN_MODE_AUDIT},
+ }
+ if _, err = os.Stat(path); err != nil {
+ return nil, err
+ }
+ loader := confita.NewLoader(file.NewBackend(path))
+ err = loader.Load(context.Background(), settings)
+ if err == nil {
+ err = assertConfigOk(settings)
+ }
+ return
+}
+
+func assertConfigOk(settings *Settings) error {
+ switch settings.Mode {
+ case
+ RUN_MODE_AUDIT, RUN_MODE_SCANNER:
+ return nil
+ default:
+ return fmt.Errorf("run mode not supported: %s", settings.Mode)
+ }
+}
diff --git a/pkg/settings/loader_test.go b/pkg/settings/loader_test.go
new file mode 100644
index 0000000..abc1524
--- /dev/null
+++ b/pkg/settings/loader_test.go
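Review bot: The default `File: "/tmp/fetter.log"` in `Load` puts the log at a fixed name in a world-writable directory, where another local user can create or link that path before the daemon opens it. If fetter runs with elevated privileges, which managing cgroups normally requires, the default should be a location only the service account can write, e.g. `File: "/var/log/fetter.log",`, or the key should have no default so the operator must choose one. `assertConfigOk` also checks only `settings.Mode`; `Rule.Action`, `Audit.Mode` and whether each `Rule.Group` names a configured group are accepted unchecked, so a typo in any of them loads without error.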
@@ -0,0 +1,77 @@
+package settings
+
+import (
+ "path"
+ "reflect"
+ "strings"
+ "testing"
+)
+
+func load(file string) (settings *Settings, err error) {
+ return Load(path.Join("../../tests/configs", file))
+}
+
+func TestNotAFile(t *testing.T) {
+ _, err := load("not-a-file.yaml")
+ if err == nil {
+ t.Error("shoul fail if no file", err)
+ }
+}
+
+func TestConfigFile(t *testing.T) {
+ s, err := load("config-ok.yaml")
+ if err != nil {
+ t.Error("could not load settings file", err)
+ return
+ }
+ expected := &Settings{
+ Logging: Logging{File: "foo.log", Level: "debug"},
+ Name: "testing-fetter",
+ Mode: "scanner",
+ Audit: Audit{Mode: "reuse"},
+ Rules: []Rule{
+ {Path: "/usr/bin/make", Action: "execute", Group: "compilation"},
+ {Path: "/usr/bin/make2", Action: "read", Group: "compilation"},
+ },
+ Groups: []Group{
+ {Name: "g1", RAM: 100, CPU: 10, Pids: 1, Freeze: false},
+ {Name: "g2", RAM: 200, CPU: 20, Pids: 0, Freeze: true},
+ },
+ }
+ if !reflect.DeepEqual(s, expected) {
+ t.Error("unexpected override names", s, expected)
+ }
+}
+
+func TestUnsupportedMode(t *testing.T) {
+ _, err := load("config-bad-mode.yaml")
+ if err == nil {
+ t.Error("Loading config should fail")
+ return
+ }
+ expected := "run mode not supported: garbage"
+ if !strings.Contains(err.Error(), expected) {
+ t.Error("Should complain of invalid mode", err)
+ }
+}
+
+func TestRequiredSections(t *testing.T) {
+ _, err := load("config-no-groups.yaml")
+ if err == nil {
+ t.Error("Loading config should fail")
+ } else {
+ expected := "required key 'groups'"
+ if !strings.Contains(err.Error(), expected) {
+ t.Error("Should complain of invalid mode", err)
+ }
+ }
+ _, err = load("config-no-rules.yaml")
+ if err == nil {
+ t.Error("Loading config should fail")
+ } else {
+ expected := "required key 'rules'"
+ if !strings.Contains(err.Error(), expected) {
+ t.Error("Should complain of invalid mode", err)
+ }
+ }
+}
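Review bot: The failure messages in `TestRequiredSections` are copied from `TestUnsupportedMode`: both `strings.Contains` checks report `"Should complain of invalid mode"` although they test for a missing required key, and `TestNotAFile` has the typo `"shoul fail if no file"`. Suggested wording is `t.Error("Should complain of missing required key", err)` and `t.Error("should fail if no file", err)`. `TestConfigFile` likewise reports `"unexpected override names"` for what is a whole-struct comparison, so a failing run points the reader at the wrong thing.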
diff --git a/pkg/settings/types.go b/pkg/settings/types.go
new file mode 100644
index 0000000..6152f95
--- /dev/null
+++ b/pkg/settings/types.go
@@ -0,0 +1,38 @@
+package settings
+
+const (
+ RUN_MODE_AUDIT string = "audit"
+ RUN_MODE_SCANNER string = "scanner"
+)
+
+type Logging struct {
+ File string `config:"file"`
+ Level string `config:"level"`
+}
+
+type Rule struct {
+ Path string `config:"path,required"`
+ Action string `config:"action,required"`
+ Group string `config:"group,required"`
+}
+
+type Audit struct {
+ Mode string `config:"mode"`
+}
+
+type Group struct {
+ Name string `config:"name,required"`
+ RAM int64 `config:"ram"`
+ CPU int `config:"cpu"`
+ Pids int64 `config:"pids"`
+ Freeze bool `group:"freeze"`
+}
+
+type Settings struct {
+ Logging Logging `config:"logging,required"`
+ Rules []Rule `config:"rules,required"`
+ Groups []Group `config:"groups,required"`
+ Audit Audit `config:"audit"`
+ Name string `config:"name,required"`
+ Mode string `config:"mode,required"`
+}
diff --git a/tests/configs/config-bad-mode.yaml b/tests/configs/config-bad-mode.yaml
new file mode 100644
index 0000000..77b6fb9
--- /dev/null
+++ b/tests/configs/config-bad-mode.yaml
@@ -0,0 +1,11 @@
+mode: garbage
+
+rules:
+ - path: /usr/bin/make
+ action: execute
+ group: compilation
+
+groups:
+ - name: g1
+ ram: 100
+ cpu: 10
diff --git a/tests/configs/config-no-groups.yaml b/tests/configs/config-no-groups.yaml
new file mode 100644
index 0000000..3f91b9c
--- /dev/null
+++ b/tests/configs/config-no-groups.yaml
@@ -0,0 +1,4 @@
+rules:
+ - path: /usr/bin/make
+ action: execute
+ group: compilation
diff --git a/tests/configs/config-no-rules.yaml b/tests/configs/config-no-rules.yaml
new file mode 100644
index 0000000..b7a4b7a
--- /dev/null
+++ b/tests/configs/config-no-rules.yaml
@@ -0,0 +1,4 @@
+groups:
+ - name: g1
+ ram: 100
+ cpu: 10
diff --git a/tests/configs/config-ok.yaml b/tests/configs/config-ok.yaml
new file mode 100644
index 0000000..f467961
--- /dev/null
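Review bot: In `Group` in pkg/settings/types.go, the `Freeze` field is tagged with the key `group` (`group:"freeze"`) while every other field uses `config`, which looks like a typo. `TestConfigFile` still expects `freeze: true` to load, so the value presumably arrives through the YAML decoder's default field-name matching rather than through this tag; with another backend or a tag-driven lookup the field would be ignored and a group meant to be frozen would keep running. The tag should read `config:"freeze"`. The exported constants and types also have no doc comments; a line on the units of `RAM` (MiB, per `specRAM`) and `CPU` (percent of one period, per `specCPU`) would help config authors.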
+++ b/tests/configs/config-ok.yaml
@@ -0,0 +1,29 @@
+mode: scanner
+audit:
+ mode: reuse
+
+rules:
+ - path: /usr/bin/make
+ action: execute
+ group: compilation
+
+ - path: /usr/bin/make2
+ action: read
+ group: compilation
+
+groups:
+ - name: g1
+ ram: 100
+ cpu: 10
+ pids: 1
+
+ - name: g2
+ ram: 200
+ cpu: 20
+ freeze: true
+
+logging:
+ file: foo.log
+ level: debug
+
+name: testing-fetter