This call is what is used to implement `dmesg` to get kernel messages
about the host. This can leak substantial information about the host.
It is normally available to unprivileged users on the host, unless
the sysctl `kernel.dmesg_restrict = 1` is set, but this is not set
by standard on the majority of distributions. Blocking this to restrict
leaks about the configuration seems correct.

Relates to docker/docker#37897 "docker exposes dmesg to containers by default"
See also https://googleprojectzero.blogspot.com/2018/09/a-cache-invalidation-bug-in-linux.html

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
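As an added illustration of the commit message above (not code from the commit or from the project), this Go sketch checks whether a seccomp profile in the Docker/OCI JSON layout lets `syslog(2)`, the syscall behind `dmesg`, through, and combines that with the host's `kernel.dmesg_restrict` value. The function names and both sample profiles are constructed for the example; it assumes a process without `CAP_SYSLOG` and does not evaluate argument filters or capability-gated rules.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// profile mirrors the top-level fields of a Docker/OCI-style seccomp profile.
type profile struct {
	DefaultAction string `json:"defaultAction"`
	Syscalls      []struct {
		Names  []string `json:"names"`
		Action string   `json:"action"`
	} `json:"syscalls"`
}

// actionFor returns the action the profile applies to one syscall: the first
// rule naming it, else the default action (simplified; see assumptions above).
func actionFor(raw []byte, name string) (string, error) {
	var p profile
	if err := json.Unmarshal(raw, &p); err != nil {
		return "", err
	}
	for _, rule := range p.Syscalls {
		for _, n := range rule.Names {
			if n == name {
				return rule.Action, nil
			}
		}
	}
	return p.DefaultAction, nil
}

// kernelLogExposed reports whether a process without CAP_SYSLOG could read the
// kernel log via syslog(2): seccomp passes the call and dmesg_restrict is not 1.
func kernelLogExposed(raw []byte, dmesgRestrict string) (bool, error) {
	act, err := actionFor(raw, "syslog")
	if err != nil || act == "" {
		return false, fmt.Errorf("cannot resolve syslog action (err=%v)", err)
	}
	passes := act == "SCMP_ACT_ALLOW" || act == "SCMP_ACT_LOG"
	return passes && strings.TrimSpace(dmesgRestrict) != "1", nil
}

// Constructed sample profiles, not taken from any project.
const looseProfile = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["read","syslog"],"action":"SCMP_ACT_ALLOW"}]}`
const tightProfile = `{"defaultAction":"SCMP_ACT_ERRNO","syscalls":[{"names":["read"],"action":"SCMP_ACT_ALLOW"}]}`

func main() { fmt.Println(kernelLogExposed([]byte(looseProfile), "0\n")) }
```

The second argument is the content of `/proc/sys/kernel/dmesg_restrict` as read on the host.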

This prevents packages with no Go included files due to build constraints
being included in the package list. These packages cause the test command
to fail with "can't load package build constraints exclude all Go files".

Signed-off-by: Derek McGowan <derek@mcg.dev>

This allows development with containerd to be done for NRI without the need for
custom builds.
This is an experimental feature and is not enabled unless a user has a global
`/etc/nri/conf.json` config setup with plugins on the system. No NRI code will
be executed if this config file does not exist.

Signed-off-by: Michael Crosby <michael@thepasture.io>

When containerd is restarted, only v1 tasks are monitored again. This
leads to the lack of existing v2 task metrics.

Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>

The rollback mechanism is implemented by calling deleteDevice() and
RemoveDevice(). But RemoveDevice() is internally calling
deleteDevice() as well.
Since a device will be deleted by the first deleteDevice(),
RemoveDevice() will always see ENODATA. The specific error must be
ignored to remove the device's metadata correctly.

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>

According to the systemd documentation, `infinity` can be used for all limits;
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Process%20Properties

> Resource limits may be specified in two formats: either as single value to set a
> specific soft and hard limit to the same value, or as colon-separated pair soft:hard
> (...) Use the string infinity to configure no limit on a specific resource.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

* `-linkmode external` is required since Go 1.15 for static builds: https://github.com/golang/go/issues/40711
* Clarify the meaning of "loading plugins"

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Add installation scripts needed to generate CRI + CNI tar package on
release.

Update GitHub action release script to generate CRI release tarballs for
Linux and Windows.

Signed-off-by: Derek McGowan <derek@mcg.dev>