diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 05af246104..34e8eaa31e 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -163,6 +163,12 @@ version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd" +[[package]] +name = "base64" +version = "0.21.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d" + [[package]] name = "bincode" version = "1.3.3" @@ -258,9 +264,12 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.73" +version = "1.0.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11" +checksum = "6c6b2562119bf28c3439f7f02db99faf0aa1a8cdfe5772a2ee155d32227239f0" +dependencies = [ + "libc", +] [[package]] name = "cfg-if" @@ -356,6 +365,16 @@ dependencies = [ "cache-padded", ] +[[package]] +name = "core-foundation" +version = "0.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" version = "0.8.3" @@ -460,6 +479,15 @@ version = "1.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457" +[[package]] +name = "encoding_rs" +version = "0.8.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "071a31f4ee85403370b58aca746f01041ede6f0da2730960ad001edc2b71b394" +dependencies = [ + "cfg-if 1.0.0", +] + [[package]] name = "enumflags2" version = "0.7.5" @@ -550,6 +578,31 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + +[[package]] +name = "form_urlencoded" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191" +dependencies = [ + "matches", + "percent-encoding", +] + [[package]] name = "futures" version = "0.3.21" @@ -671,6 +724,25 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" +[[package]] +name = "h2" +version = "0.3.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97ec8491ebaf99c8eaa73058b045fe58073cd6be7f596ac993ced0b0a0c01049" +dependencies = [ + "bytes 1.1.0", + "fnv", + "futures-core", + "futures-sink", + "futures-util", + "http", + "indexmap", + "slab", + "tokio", + "tokio-util 0.7.8", + "tracing", +] + [[package]] name = "hashbrown" version = "0.12.1" @@ -707,6 +779,77 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" +[[package]] +name = "http" +version = "0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd6effc99afb63425aff9b05836f029929e345a6148a14b7ecd5ab67af944482" +dependencies = [ + "bytes 1.1.0", + "fnv", + "itoa", +] + +[[package]] +name = "http-body" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1" +dependencies = [ + "bytes 1.1.0", + "http", + "pin-project-lite", +] + +[[package]] +name = "httparse" +version = "1.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d897f394bad6a705d5f4104762e116a75639e470d80901eed05a860a95cb1904" + +[[package]] +name = "httpdate" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421" + +[[package]] +name = "hyper" +version = "0.14.27" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffb1cfd654a8219eaef89881fdb3bb3b1cdc5fa75ded05d6933b2b382e395468" +dependencies = [ + "bytes 1.1.0", + "futures-channel", + "futures-core", + "futures-util", + "h2", + "http", + "http-body", + "httparse", + "httpdate", + "itoa", + "pin-project-lite", + "socket2", + "tokio", + "tower-service", + "tracing", + "want", +] + +[[package]] +name = "hyper-tls" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" +dependencies = [ + "bytes 1.1.0", + "hyper", + "native-tls", + "tokio", + "tokio-native-tls", +] + [[package]] name = "iana-time-zone" version = "0.1.46" @@ -720,6 +863,17 @@ dependencies = [ "winapi", ] +[[package]] +name = "idna" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8" +dependencies = [ + "matches", + "unicode-bidi", + "unicode-normalization", +] + [[package]] name = "indexmap" version = "1.9.1" @@ -770,6 +924,12 @@ dependencies = [ "libc", ] +[[package]] +name = "ipnet" +version = "2.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28b29a3cd74f0f4598934efe3aeba42bae0eb4680554128851ebbecb02af14e6" + [[package]] name = "ipnetwork" version = "0.17.0" @@ -815,6 +975,7 @@ dependencies = [ "cgroups-rs", "clap", "futures", + "http", "ipnetwork", "kata-sys-util", "kata-types", @@ -826,12 +987,14 @@ dependencies = [ "netlink-sys", "nix 0.24.2", "oci", + "openssl", "opentelemetry", "procfs", "prometheus", "protobuf 3.2.0", "protocols", "regex", + "reqwest", "rtnetlink", "rustjail", "scan_fmt", @@ -886,7 +1049,7 @@ name = "kata-types" version = "0.1.0" dependencies = [ "anyhow", - "base64", + "base64 0.13.0", "bitmask-enum", "byte-unit", "glob", @@ -973,6 +1136,12 @@ dependencies = [ "regex-automata", ] +[[package]] +name = "matches" +version = "0.1.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5" + [[package]] name = "memchr" version = "2.5.0" @@ -988,6 +1157,12 @@ dependencies = [ "autocfg", ] +[[package]] +name = "mime" +version = "0.3.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a" + [[package]] name = "miniz_oxide" version = "0.5.3" @@ -1015,6 +1190,24 @@ version = "0.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a" +[[package]] +name = "native-tls" +version = "0.2.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "07226173c32f2926027b63cce4bcd8076c3552846cbe7925f3aaffeac0a3b92e" +dependencies = [ + "lazy_static", + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "netlink-packet-core" version = "0.2.4" @@ -1065,7 +1258,7 @@ dependencies = [ "netlink-packet-core", "netlink-sys", "tokio", - "tokio-util", + "tokio-util 0.6.10", ] [[package]] @@ -1184,6 +1377,60 @@ version = "1.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e82dad04139b71a90c080c8463fe0dc7902db5192d939bd0950f074d014339e1" +[[package]] +name = "openssl" +version = "0.10.55" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "345df152bc43501c5eb9e4654ff05f794effb78d4efe3d53abc158baddc0703d" +dependencies = [ + "bitflags", + "cfg-if 1.0.0", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.16", +] + +[[package]] +name = "openssl-probe" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" + +[[package]] +name = "openssl-src" +version = "111.27.0+1.1.1v" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06e8f197c82d7511c5b014030c9b1efeda40d7d5f99d23b4ceed3524a5e63f02" +dependencies = [ + "cc", +] + +[[package]] +name = "openssl-sys" +version = "0.9.90" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "374533b0e45f3a7ced10fcaeccca020e66656bc03dac384f852e4e5a7a8104a6" +dependencies = [ + "cc", + "libc", + "openssl-src", + "pkg-config", + "vcpkg", +] + [[package]] name = "opentelemetry" version = "0.14.0" @@ -1573,6 +1820,8 @@ dependencies = [ "async-trait", "oci", "protobuf 3.2.0", + "serde", + "serde_json", "ttrpc", "ttrpc-codegen", ] @@ -1671,6 +1920,43 @@ dependencies = [ "winapi", ] +[[package]] +name = "reqwest" +version = "0.11.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cde824a14b7c14f85caff81225f411faacc04a2013f41670f41443742b1c1c55" +dependencies = [ + "base64 0.21.2", + "bytes 1.1.0", + "encoding_rs", + "futures-core", + "futures-util", + "h2", + "http", + "http-body", + "hyper", + "hyper-tls", + "ipnet", + "js-sys", + "log", + "mime", + "native-tls", + "once_cell", + "percent-encoding", + "pin-project-lite", + "serde", + "serde_json", + "serde_urlencoded", + "tokio", + "tokio-native-tls", + "tower-service", + "url", + "wasm-bindgen", + "wasm-bindgen-futures", + "web-sys", + "winreg", +] + [[package]] name = "rlimit" version = "0.5.4" @@ -1762,12 +2048,44 @@ dependencies = [ "regex", ] +[[package]] +name = "schannel" +version = "0.1.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c3733bf4cf7ea0880754e19cb5a462007c4a8c1914bff372ccc95b464f1df88" +dependencies = [ + "windows-sys 0.48.0", +] + [[package]] name = "scopeguard" version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" +[[package]] +name = "security-framework" +version = "2.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "05b64fb303737d99b81884b2c63433e9ae28abebe5eb5045dcdd175dc2ecf4de" +dependencies = [ + "bitflags", + "core-foundation", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework-sys" +version = "2.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e932934257d3b408ed8f30db49d85ea163bfe74961f017f405b025af298f0c7a" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "serde" version = "1.0.137" @@ -1810,6 +2128,18 @@ dependencies = [ "syn 1.0.98", ] +[[package]] +name = "serde_urlencoded" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd" +dependencies = [ + "form_urlencoded", + "itoa", + "ryu", + "serde", +] + [[package]] name = "serial_test" version = "0.5.1" @@ -2113,6 +2443,21 @@ version = "0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "42657b1a6f4d817cda8e7a0ace261fe0cc946cf3a80314390b22cc61ae080792" +[[package]] +name = "tinyvec" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50" +dependencies = [ + "tinyvec_macros", +] + +[[package]] +name = "tinyvec_macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" + [[package]] name = "tokio" version = "1.28.1" @@ -2143,6 +2488,16 @@ dependencies = [ "syn 2.0.16", ] +[[package]] +name = "tokio-native-tls" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" +dependencies = [ + "native-tls", + "tokio", +] + [[package]] name = "tokio-stream" version = "0.1.9" @@ -2168,6 +2523,20 @@ dependencies = [ "tokio", ] +[[package]] +name = "tokio-util" +version = "0.7.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "806fe8c2c87eccc8b3267cbae29ed3ab2d0bd37fca70ab622e46aaa9375ddb7d" +dependencies = [ + "bytes 1.1.0", + "futures-core", + "futures-sink", + "pin-project-lite", + "tokio", + "tracing", +] + [[package]] name = "tokio-vsock" version = "0.3.1" @@ -2190,6 +2559,12 @@ dependencies = [ "serde", ] +[[package]] +name = "tower-service" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52" + [[package]] name = "tracing" version = "0.1.35" @@ -2279,6 +2654,12 @@ dependencies = [ "tracing-serde", ] +[[package]] +name = "try-lock" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3528ecfd12c466c6f163363caf2d02a71161dd5e1cc6ae7b34207ea2d42d81ed" + [[package]] name = "ttrpc" version = "0.7.1" @@ -2335,24 +2716,56 @@ dependencies = [ "winapi", ] +[[package]] +name = "unicode-bidi" +version = "0.3.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" + [[package]] name = "unicode-ident" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c" +[[package]] +name = "unicode-normalization" +version = "0.1.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921" +dependencies = [ + "tinyvec", +] + [[package]] name = "unicode-segmentation" version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7e8820f5d777f6224dc4be3632222971ac30164d4a258d595640799554ebfd99" +[[package]] +name = "url" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "22fe195a4f217c25b25cb5058ced57059824a678474874038dc88d211bf508d3" +dependencies = [ + "form_urlencoded", + "idna", + "percent-encoding", +] + [[package]] name = "valuable" version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + [[package]] name = "version_check" version = "0.9.4" @@ -2392,6 +2805,15 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9d5b2c62b4012a3e1eca5a7e077d13b3bf498c4073e33ccd58626607748ceeca" +[[package]] +name = "want" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e" +dependencies = [ + "try-lock", +] + [[package]] name = "wasi" version = "0.10.0+wasi-snapshot-preview1" @@ -2429,6 +2851,18 @@ dependencies = [ "wasm-bindgen-shared", ] +[[package]] +name = "wasm-bindgen-futures" +version = "0.4.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de9a9cec1733468a8c657e57fa2413d2ae2c0129b95e87c5b72b8ace4d13f31f" +dependencies = [ + "cfg-if 1.0.0", + "js-sys", + "wasm-bindgen", + "web-sys", +] + [[package]] name = "wasm-bindgen-macro" version = "0.2.81" @@ -2458,6 +2892,16 @@ version = "0.2.81" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be" +[[package]] +name = "web-sys" +version = "0.3.58" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2fed94beee57daf8dd7d51f2b15dc2bcde92d7a72304cdf662a4371008b71b90" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + [[package]] name = "wepoll-ffi" version = "0.1.2" @@ -2618,6 +3062,15 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a" +[[package]] +name = "winreg" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d" +dependencies = [ + "winapi", +] + [[package]] name = "xattr" version = "0.2.3" diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index 7e9445265c..47e1d378bc 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml @@ -8,7 +8,7 @@ license = "Apache-2.0" [dependencies] oci = { path = "../libs/oci" } rustjail = { path = "rustjail" } -protocols = { path = "../libs/protocols", features = ["async"] } +protocols = { path = "../libs/protocols", features = ["async", "with-serde"] } lazy_static = "1.3.0" ttrpc = { version = "0.7.1", features = ["async"], default-features = false } protobuf = "3.2.0" @@ -67,6 +67,12 @@ serde = { version = "1.0.129", features = ["derive"] } toml = "0.5.8" clap = { version = "3.0.1", features = ["derive"] } +# Communication with the OPA service +http = { version = "0.2.8", optional = true } +reqwest = { version = "0.11.14", optional = true } +# The "vendored" feature for openssl is required for musl build +openssl = { version = "0.10.54", features = ["vendored"], optional = true } + [dev-dependencies] tempfile = "3.1.0" test-utils = { path = "../libs/test-utils" } @@ -83,6 +89,7 @@ lto = true [features] seccomp = ["rustjail/seccomp"] standard-oci-runtime = ["rustjail/standard-oci-runtime"] +agent-policy = ["http", "openssl", "reqwest"] [[bin]] name = "kata-agent" diff --git a/src/agent/Makefile b/src/agent/Makefile index ba065b4d04..d058caf64c 100644 --- a/src/agent/Makefile +++ b/src/agent/Makefile @@ -33,6 +33,14 @@ ifeq ($(SECCOMP),yes) override EXTRA_RUSTFEATURES += seccomp endif +##VAR AGENT_POLICY=yes|no define if agent enables the policy feature +AGENT_POLICY := no + +# Enable the policy feature of rust build +ifeq ($(AGENT_POLICY),yes) + override EXTRA_RUSTFEATURES += agent-policy +endif + include ../../utils.mk ifeq ($(ARCH), ppc64le) diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs index 58c406fe17..f73e10eedc 100644 --- a/src/agent/src/main.rs +++ b/src/agent/src/main.rs @@ -73,6 +73,9 @@ use tokio::{ mod rpc; mod tracer; +#[cfg(feature = "agent-policy")] +mod policy; + cfg_if! { if #[cfg(target_arch = "s390x")] { mod ap; @@ -90,6 +93,11 @@ lazy_static! { AgentConfig::from_cmdline("/proc/cmdline", env::args().collect()).unwrap(); } +#[cfg(feature = "agent-policy")] +lazy_static! { + static ref AGENT_POLICY: Mutex = Mutex::new(AgentPolicy::new()); +} + #[derive(Parser)] // The default clap version info doesn't match our form, so we need to override it #[clap(global_setting(AppSettings::DisableVersionFlag))] @@ -221,6 +229,27 @@ async fn real_main() -> std::result::Result<(), Box> { let root_span = span!(tracing::Level::TRACE, "root-span"); + #[cfg(feature = "agent-policy")] + { + let debug_policy = + config.log_level == slog::Level::Debug || config.log_level == slog::Level::Trace; + if let Err(e) = AGENT_POLICY + .lock() + .await + .initialize( + debug_policy, + "http://localhost:8181/v1", + "/agent_policy", + "/etc/kata-opa/default-policy.rego", + ) + .await + { + error!(logger, "Failed to initialize agent policy: {:?}", e); + // Continuing execution without a security policy could be dangerous. + std::process::abort(); + } + } + // XXX: Start the root trace transaction. // // XXX: Note that *ALL* spans needs to start after this point!! @@ -401,6 +430,9 @@ fn reset_sigpipe() { use crate::config::AgentConfig; use std::os::unix::io::{FromRawFd, RawFd}; +#[cfg(feature = "agent-policy")] +use crate::policy::AgentPolicy; + #[cfg(test)] mod tests { use super::*; diff --git a/src/agent/src/policy.rs b/src/agent/src/policy.rs new file mode 100644 index 0000000000..7dca6ffe5e --- /dev/null +++ b/src/agent/src/policy.rs @@ -0,0 +1,240 @@ +// Copyright (c) 2023 Microsoft Corporation +// +// SPDX-License-Identifier: Apache-2.0 +// + +use anyhow::{bail, Result}; +use serde::{Deserialize, Serialize}; +use tokio::io::AsyncWriteExt; +use tokio::time::{sleep, Duration}; + +static EMPTY_JSON_INPUT: &str = "{\"input\":{}}"; + +static OPA_DATA_PATH: &str = "/data"; +static OPA_POLICIES_PATH: &str = "/policies"; + +static POLICY_LOG_FILE: &str = "/tmp/policy.txt"; + +/// Convenience macro to obtain the scope logger +macro_rules! sl { + () => { + slog_scope::logger() + }; +} + +/// Example of HTTP response from OPA: {"result":true} +#[derive(Debug, Serialize, Deserialize)] +struct AllowResponse { + result: bool, +} + +/// Singleton policy object. +#[derive(Debug, Default)] +pub struct AgentPolicy { + /// When true policy errors are ignored, for debug purposes. + allow_failures: bool, + + /// OPA path used to query if an Agent gRPC request should be allowed. + /// The request name (e.g., CreateContainerRequest) must be added to + /// this path. + query_path: String, + + /// OPA path used to add or delete a rego format Policy. + policy_path: String, + + /// Client used to connect a single time to the OPA service and reused + /// for all the future communication with OPA. + opa_client: Option, + + /// "/tmp/policy.txt" log file for policy activity. + log_file: Option, +} + +impl AgentPolicy { + /// Create AgentPolicy object. + pub fn new() -> Self { + Self { + allow_failures: false, + ..Default::default() + } + } + + /// Wait for OPA to start and connect to it. + pub async fn initialize( + &mut self, + debug_enabled: bool, + opa_uri: &str, + policy_name: &str, + default_policy: &str, + ) -> Result<()> { + if debug_enabled { + self.log_file = Some( + tokio::fs::OpenOptions::new() + .write(true) + .truncate(true) + .create(true) + .open(POLICY_LOG_FILE) + .await?, + ); + debug!(sl!(), "policy: log file: {}", POLICY_LOG_FILE); + } + + self.query_path = format!("{opa_uri}{OPA_DATA_PATH}{policy_name}/"); + self.policy_path = format!("{opa_uri}{OPA_POLICIES_PATH}{policy_name}"); + let opa_client = reqwest::Client::builder().http1_only().build()?; + let policy = tokio::fs::read_to_string(default_policy).await?; + + // This loop is necessary to get the opa_client connected to the + // OPA service while that service is starting. Future requests to + // OPA are expected to work without retrying, after connecting + // successfully for the first time. + for i in 0..50 { + if i > 0 { + sleep(Duration::from_millis(100)).await; + debug!(sl!(), "policy initialize: PUT failed, retrying"); + } + + // Set-up the default policy. + if opa_client + .put(&self.policy_path) + .body(policy.clone()) + .send() + .await + .is_ok() + { + // Check if requests causing policy errors should actually + // be allowed. That is an insecure configuration but is + // useful for allowing insecure pods to start, then connect to + // them and inspect Guest logs for the root cause of a failure. + if let Ok(allow_failures) = self + .post_query("AllowRequestsFailingPolicy", EMPTY_JSON_INPUT) + .await + { + self.allow_failures = allow_failures; + } else { + // post_query failed so the the default, secure, value + // allow_failures: false will be used. + } + + self.opa_client = Some(opa_client); + return Ok(()); + } + } + bail!("Failed to connect to OPA") + } + + /// Ask OPA to check if an API call should be allowed or not. + pub async fn is_allowed_endpoint(&mut self, ep: &str, request: &str) -> bool { + let post_input = format!("{{\"input\":{request}}}"); + self.log_opa_input(ep, &post_input).await; + match self.post_query(ep, &post_input).await { + Err(e) => { + debug!( + sl!(), + "policy: failed to query endpoint {}: {:?}. Returning false.", ep, e + ); + false + } + Ok(allowed) => allowed, + } + } + + /// Replace the Policy in OPA. + pub async fn set_policy(&mut self, policy: &str) -> Result<()> { + if let Some(opa_client) = &mut self.opa_client { + // Delete the old rules. + opa_client.delete(&self.policy_path).send().await?; + + // Put the new rules. + opa_client + .put(&self.policy_path) + .body(policy.to_string()) + .send() + .await?; + + // Check if requests causing policy errors should actually be allowed. + // That is an insecure configuration but is useful for allowing insecure + // pods to start, then connect to them and inspect Guest logs for the + // root cause of a failure. + self.allow_failures = self + .post_query("AllowRequestsFailingPolicy", EMPTY_JSON_INPUT) + .await?; + + Ok(()) + } else { + bail!("Agent Policy is not initialized") + } + } + + // Post query to OPA. + async fn post_query(&mut self, ep: &str, post_input: &str) -> Result { + debug!(sl!(), "policy check: {ep}"); + + if let Some(opa_client) = &mut self.opa_client { + let uri = format!("{}{ep}", &self.query_path); + let response = opa_client + .post(uri) + .body(post_input.to_string()) + .send() + .await?; + + if response.status() != http::StatusCode::OK { + bail!("policy: POST {} response status {}", ep, response.status()); + } + + let http_response = response.text().await?; + let opa_response: serde_json::Result = + serde_json::from_str(&http_response); + + match opa_response { + Ok(resp) => { + if !resp.result { + if self.allow_failures { + warn!( + sl!(), + "policy: POST {} response <{}>. Ignoring error!", ep, http_response + ); + return Ok(true); + } else { + error!(sl!(), "policy: POST {} response <{}>", ep, http_response); + } + } + Ok(resp.result) + } + Err(_) => { + warn!( + sl!(), + "policy: endpoint {} not found in policy. Returning false.", ep, + ); + Ok(false) + } + } + } else { + bail!("Agent Policy is not initialized") + } + } + + async fn log_opa_input(&mut self, ep: &str, input: &str) { + if let Some(log_file) = &mut self.log_file { + match ep { + "StatsContainerRequest" | "ReadStreamRequest" | "SetPolicyRequest" => { + // - StatsContainerRequest and ReadStreamRequest are called + // relatively often, so we're not logging them, to avoid + // growing this log file too much. + // - Confidential Containers Policy documents are relatively + // large, so we're not logging them here, for SetPolicyRequest. + // The Policy text can be obtained directly from the pod YAML. + } + _ => { + let log_entry = format!("[\"ep\":\"{ep}\",{input}],\n\n"); + + if let Err(e) = log_file.write_all(log_entry.as_bytes()).await { + warn!(sl!(), "policy: log_opa_input: write_all failed: {}", e); + } else if let Err(e) = log_file.flush().await { + warn!(sl!(), "policy: log_opa_input: flush failed: {}", e); + } + } + } + } + } +} diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs index b162d23bfe..301daf55d5 100644 --- a/src/agent/src/rpc.rs +++ b/src/agent/src/rpc.rs @@ -67,6 +67,10 @@ use crate::AGENT_CONFIG; use crate::trace_rpc_call; use crate::tracer::extract_carrier_from_ttrpc; + +#[cfg(feature = "agent-policy")] +use crate::AGENT_POLICY; + use opentelemetry::global; use tracing::span; use tracing_opentelemetry::OpenTelemetrySpanExt; @@ -121,7 +125,7 @@ fn ttrpc_error(code: ttrpc::Code, err: impl std::fmt::Debug) -> ttrpc::Error { get_rpc_status(code, format!("{:?}", err)) } -fn is_allowed(req: &impl MessageDyn) -> ttrpc::Result<()> { +fn config_allows(req: &impl MessageDyn) -> ttrpc::Result<()> { if !AGENT_CONFIG.is_allowed_endpoint(req.descriptor_dyn().name()) { Err(ttrpc_error( ttrpc::Code::UNIMPLEMENTED, @@ -132,6 +136,35 @@ fn is_allowed(req: &impl MessageDyn) -> ttrpc::Result<()> { } } +#[cfg(feature = "agent-policy")] +async fn policy_allows(req: &(impl MessageDyn + serde::Serialize)) -> ttrpc::Result<()> { + let request = serde_json::to_string(req).unwrap(); + let mut policy = AGENT_POLICY.lock().await; + if !policy + .is_allowed_endpoint(req.descriptor_dyn().name(), &request) + .await + { + warn!(sl(), "{} is blocked by policy", req.descriptor_dyn().name()); + Err(ttrpc_error( + ttrpc::Code::PERMISSION_DENIED, + format!("{} is blocked by policy", req.descriptor_dyn().name()), + )) + } else { + Ok(()) + } +} + +async fn is_allowed(req: &(impl MessageDyn + serde::Serialize)) -> ttrpc::Result<()> { + let res = config_allows(req); + + #[cfg(feature = "agent-policy")] + if res.is_ok() { + return policy_allows(req).await; + } + + res +} + #[derive(Clone, Debug)] pub struct AgentService { sandbox: Arc>, @@ -608,7 +641,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::CreateContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "create_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_create_container(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -621,7 +654,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::StartContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "start_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_start_container(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -634,7 +667,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::RemoveContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "remove_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_remove_container(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -647,7 +680,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ExecProcessRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "exec_process", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_exec_process(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -660,7 +693,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::SignalProcessRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "signal_process", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_signal_process(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -673,7 +706,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::WaitProcessRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "wait_process", req); - is_allowed(&req)?; + is_allowed(&req).await?; self.do_wait_process(req) .await .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e)) @@ -685,7 +718,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::UpdateContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "update_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let ctr = sandbox.get_container(&req.container_id).ok_or_else(|| { @@ -711,7 +744,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::StatsContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "stats_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let ctr = sandbox.get_container(&req.container_id).ok_or_else(|| { @@ -731,7 +764,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::PauseContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "pause_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let ctr = sandbox.get_container(req.container_id()).ok_or_else(|| { @@ -753,7 +786,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ResumeContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "resume_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let ctr = sandbox.get_container(req.container_id()).ok_or_else(|| { @@ -775,7 +808,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::RemoveStaleVirtiofsShareMountsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "remove_stale_virtiofs_share_mounts", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mount_infos = parse_mount_table("/proc/self/mountinfo") .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; for m in &mount_infos { @@ -797,7 +830,7 @@ impl agent_ttrpc::AgentService for AgentService { _ctx: &TtrpcContext, req: protocols::agent::WriteStreamRequest, ) -> ttrpc::Result { - is_allowed(&req)?; + is_allowed(&req).await?; self.do_write_stream(req) .await .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e)) @@ -808,7 +841,7 @@ impl agent_ttrpc::AgentService for AgentService { _ctx: &TtrpcContext, req: protocols::agent::ReadStreamRequest, ) -> ttrpc::Result { - is_allowed(&req)?; + is_allowed(&req).await?; self.do_read_stream(req, true) .await .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e)) @@ -819,7 +852,7 @@ impl agent_ttrpc::AgentService for AgentService { _ctx: &TtrpcContext, req: protocols::agent::ReadStreamRequest, ) -> ttrpc::Result { - is_allowed(&req)?; + is_allowed(&req).await?; self.do_read_stream(req, false) .await .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e)) @@ -831,7 +864,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::CloseStdinRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "close_stdin", req); - is_allowed(&req)?; + is_allowed(&req).await?; let cid = req.container_id; let eid = req.exec_id; @@ -857,7 +890,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::TtyWinResizeRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "tty_win_resize", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let p = sandbox @@ -896,7 +929,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::UpdateInterfaceRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "update_interface", req); - is_allowed(&req)?; + is_allowed(&req).await?; let interface = req.interface.into_option().ok_or_else(|| { ttrpc_error( @@ -924,7 +957,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::UpdateRoutesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "update_routes", req); - is_allowed(&req)?; + is_allowed(&req).await?; let new_routes = req.routes.into_option().map(|r| r.Routes).ok_or_else(|| { ttrpc_error( @@ -961,7 +994,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::UpdateEphemeralMountsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "update_mounts", req); - is_allowed(&req)?; + is_allowed(&req).await?; match update_ephemeral_mounts(sl(), &req.storages, &self.sandbox).await { Ok(_) => Ok(Empty::new()), @@ -978,7 +1011,7 @@ impl agent_ttrpc::AgentService for AgentService { req: GetIPTablesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "get_iptables", req); - is_allowed(&req)?; + is_allowed(&req).await?; info!(sl(), "get_ip_tables: request received"); @@ -1017,7 +1050,7 @@ impl agent_ttrpc::AgentService for AgentService { req: SetIPTablesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "set_iptables", req); - is_allowed(&req)?; + is_allowed(&req).await?; info!(sl(), "set_ip_tables request received"); @@ -1132,7 +1165,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ListInterfacesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "list_interfaces", req); - is_allowed(&req)?; + is_allowed(&req).await?; let list = self .sandbox @@ -1160,7 +1193,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ListRoutesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "list_routes", req); - is_allowed(&req)?; + is_allowed(&req).await?; let list = self .sandbox @@ -1183,7 +1216,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::CreateSandboxRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "create_sandbox", req); - is_allowed(&req)?; + is_allowed(&req).await?; { let mut s = self.sandbox.lock().await; @@ -1242,7 +1275,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::DestroySandboxRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "destroy_sandbox", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; // destroy all containers, clean up, notify agent to exit etc. @@ -1275,7 +1308,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::AddARPNeighborsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "add_arp_neighbors", req); - is_allowed(&req)?; + is_allowed(&req).await?; let neighs = req .neighbors @@ -1310,7 +1343,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::OnlineCPUMemRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "online_cpu_mem", req); - is_allowed(&req)?; + is_allowed(&req).await?; let sandbox = self.sandbox.lock().await; sandbox @@ -1326,7 +1359,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ReseedRandomDevRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "reseed_random_dev", req); - is_allowed(&req)?; + is_allowed(&req).await?; random::reseed_rng(req.data.as_slice()) .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; @@ -1340,7 +1373,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::GuestDetailsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "get_guest_details", req); - is_allowed(&req)?; + is_allowed(&req).await?; info!(sl(), "get guest details!"); let mut resp = GuestDetailsResponse::new(); @@ -1374,7 +1407,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::MemHotplugByProbeRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "mem_hotplug_by_probe", req); - is_allowed(&req)?; + is_allowed(&req).await?; do_mem_hotplug_by_probe(&req.memHotplugProbeAddr) .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; @@ -1388,7 +1421,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::SetGuestDateTimeRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "set_guest_date_time", req); - is_allowed(&req)?; + is_allowed(&req).await?; do_set_guest_date_time(req.Sec, req.Usec) .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; @@ -1402,7 +1435,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::CopyFileRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "copy_file", req); - is_allowed(&req)?; + is_allowed(&req).await?; do_copy_file(&req).map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; @@ -1415,7 +1448,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::GetMetricsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "get_metrics", req); - is_allowed(&req)?; + is_allowed(&req).await?; match get_metrics(&req) { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), @@ -1432,7 +1465,7 @@ impl agent_ttrpc::AgentService for AgentService { _ctx: &TtrpcContext, req: protocols::agent::GetOOMEventRequest, ) -> ttrpc::Result { - is_allowed(&req)?; + is_allowed(&req).await?; let s = self.sandbox.lock().await; let event_rx = &s.event_rx.clone(); let mut event_rx = event_rx.lock().await; @@ -1456,7 +1489,7 @@ impl agent_ttrpc::AgentService for AgentService { req: VolumeStatsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "get_volume_stats", req); - is_allowed(&req)?; + is_allowed(&req).await?; info!(sl(), "get volume stats!"); let mut resp = VolumeStatsResponse::new(); @@ -1496,7 +1529,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::AddSwapRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "add_swap", req); - is_allowed(&req)?; + is_allowed(&req).await?; do_add_swap(&self.sandbox, &req) .await @@ -1504,6 +1537,25 @@ impl agent_ttrpc::AgentService for AgentService { Ok(Empty::new()) } + + #[cfg(feature = "agent-policy")] + async fn set_policy( + &self, + ctx: &TtrpcContext, + req: protocols::agent::SetPolicyRequest, + ) -> ttrpc::Result { + trace_rpc_call!(ctx, "set_policy", req); + is_allowed(&req).await?; + + AGENT_POLICY + .lock() + .await + .set_policy(&req.policy) + .await + .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; + + Ok(Empty::new()) + } } #[derive(Clone)] diff --git a/src/kata-opa/allow-all.rego b/src/kata-opa/allow-all.rego new file mode 100644 index 0000000000..0a974ff6e6 --- /dev/null +++ b/src/kata-opa/allow-all.rego @@ -0,0 +1,38 @@ +package agent_policy + +default AddARPNeighborsRequest := true +default AddSwapRequest := true +default CloseStdinRequest := true +default CopyFileRequest := true +default CreateContainerRequest := true +default CreateSandboxRequest := true +default DestroySandboxRequest := true +default ExecProcessRequest = true +default GetMetricsRequest := true +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default ListInterfacesRequest := true +default ListRoutesRequest := true +default MemHotplugByProbeRequest := true +default OnlineCPUMemRequest := true +default PauseContainerRequest := true +default PullImageRequest := true +default ReadStreamRequest := true +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default ReseedRandomDevRequest := false +default ResumeContainerRequest := true +default SetGuestDateTimeRequest := true +default SetPolicyRequest := true +default SignalProcessRequest := true +default StartContainerRequest := true +default StartTracingRequest := true +default StatsContainerRequest := true +default StopTracingRequest := true +default TtyWinResizeRequest := true +default UpdateContainerRequest := true +default UpdateEphemeralMountsRequest := true +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest := true +default WriteStreamRequest := true diff --git a/src/kata-opa/kata-opa.service.in b/src/kata-opa/kata-opa.service.in new file mode 100644 index 0000000000..acb24d941a --- /dev/null +++ b/src/kata-opa/kata-opa.service.in @@ -0,0 +1,29 @@ +# +# Copyright (c) 2023 Microsoft Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# + +[Unit] +Description=Open Policy Agent for Kata Containers +Documentation=https://github.com/kata-containers +ConditionPathExists=@SETTINGSDIR@/default-policy.rego + +# kata-agent connects to OPA while starting up. +Before=kata-agent.service + +[Service] +Type=simple +ExecStart=@BINDIR@/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info +DynamicUser=yes +RuntimeDirectory=kata-opa +LimitNOFILE=1048576 + +# Don't restart because there may be an active policy that would be lost. +Restart=no + +# Send log output to tty to allow capturing debug logs from a VM vsock port. +StandardError=tty + +# Discourage OOM-killer from touching the policy service. +OOMScoreAdjust=-997 diff --git a/src/libs/protocols/protos/agent.proto b/src/libs/protocols/protos/agent.proto index 9ed7c0a049..039630d306 100644 --- a/src/libs/protocols/protos/agent.proto +++ b/src/libs/protocols/protos/agent.proto @@ -72,6 +72,7 @@ service AgentService { rpc AddSwap(AddSwapRequest) returns (google.protobuf.Empty); rpc GetVolumeStats(VolumeStatsRequest) returns (VolumeStatsResponse); rpc ResizeVolume(ResizeVolumeRequest) returns (google.protobuf.Empty); + rpc SetPolicy(SetPolicyRequest) returns (google.protobuf.Empty); } message CreateContainerRequest { @@ -566,3 +567,7 @@ message ResizeVolumeRequest { string volume_guest_path = 1; uint64 size = 2; } + +message SetPolicyRequest { + string policy = 1; +} diff --git a/src/runtime/pkg/katautils/create.go b/src/runtime/pkg/katautils/create.go index 3c3bf05c8d..bd5808deba 100644 --- a/src/runtime/pkg/katautils/create.go +++ b/src/runtime/pkg/katautils/create.go @@ -18,6 +18,7 @@ import ( "github.com/kata-containers/kata-containers/src/runtime/pkg/oci" vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers" vf "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/factory" + vcAnnotations "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/annotations" specs "github.com/opencontainers/runtime-spec/specs-go" ) @@ -162,6 +163,10 @@ func CreateSandbox(ctx context.Context, vci vc.VC, ociSpec specs.Spec, runtimeCo ociSpec.Annotations["nerdctl/network-namespace"] = sandboxConfig.NetworkConfig.NetworkID sandboxConfig.Annotations["nerdctl/network-namespace"] = ociSpec.Annotations["nerdctl/network-namespace"] + // The value of this annotation is sent to the sandbox using SetPolicy. + delete(ociSpec.Annotations, vcAnnotations.Policy) + delete(sandboxConfig.Annotations, vcAnnotations.Policy) + sandbox, err := vci.CreateSandbox(ctx, sandboxConfig, func(ctx context.Context) error { // Run pre-start OCI hooks, in the runtime namespace. if err := PreStartHooks(ctx, ociSpec, containerID, bundlePath); err != nil { @@ -228,6 +233,9 @@ func CreateContainer(ctx context.Context, sandbox vc.VCSandbox, ociSpec specs.Sp katatrace.AddTags(span, "container_id", containerID) defer span.End() + // The value of this annotation is sent to the sandbox using SetPolicy. + delete(ociSpec.Annotations, vcAnnotations.Policy) + ociSpec = SetEphemeralStorageType(ociSpec, disableGuestEmptyDir) contConfig, err := oci.ContainerConfig(ociSpec, bundlePath, containerID, disableOutput) diff --git a/src/runtime/pkg/oci/utils.go b/src/runtime/pkg/oci/utils.go index 1ec4fc5bf9..21864d94bd 100644 --- a/src/runtime/pkg/oci/utils.go +++ b/src/runtime/pkg/oci/utils.go @@ -8,6 +8,7 @@ package oci import ( "context" + "encoding/base64" "encoding/json" "errors" "fmt" @@ -908,10 +909,24 @@ func addRuntimeConfigOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig, r func addAgentConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig) error { c := config.AgentConfig + updateConfig := false if value, ok := ocispec.Annotations[vcAnnotations.KernelModules]; ok { modules := strings.Split(value, KernelModulesSeparator) c.KernelModules = modules + updateConfig = true + } + + if value, ok := ocispec.Annotations[vcAnnotations.Policy]; ok { + if decoded_rules, err := base64.StdEncoding.DecodeString(value); err == nil { + c.Policy = string(decoded_rules) + updateConfig = true + } else { + return err + } + } + + if updateConfig { config.AgentConfig = c } diff --git a/src/runtime/virtcontainers/agent.go b/src/runtime/virtcontainers/agent.go index 8f0aca26ee..2596ea7181 100644 --- a/src/runtime/virtcontainers/agent.go +++ b/src/runtime/virtcontainers/agent.go @@ -208,4 +208,7 @@ type agent interface { // setIPTables sets the iptables from the guest setIPTables(ctx context.Context, isIPv6 bool, data []byte) error + + // setPolicy sends a new policy to the guest agent + setPolicy(ctx context.Context, policy string) error } diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go index a214de5da6..476b3d3be9 100644 --- a/src/runtime/virtcontainers/kata_agent.go +++ b/src/runtime/virtcontainers/kata_agent.go @@ -150,6 +150,7 @@ const ( grpcResizeVolumeRequest = "grpc.ResizeVolumeRequest" grpcGetIPTablesRequest = "grpc.GetIPTablesRequest" grpcSetIPTablesRequest = "grpc.SetIPTablesRequest" + grpcSetPolicyRequest = "grpc.SetPolicyRequest" ) // newKataAgent returns an agent from an agent type. @@ -275,6 +276,7 @@ type KataAgentConfig struct { Debug bool Trace bool EnableDebugConsole bool + Policy string } // KataAgentState is the structure describing the data stored from this @@ -747,6 +749,13 @@ func (k *kataAgent) startSandbox(ctx context.Context, sandbox *Sandbox) error { return err } + // If a Policy has been specified, send it to the agent. + if len(sandbox.config.AgentConfig.Policy) > 0 { + if err := sandbox.agent.setPolicy(ctx, sandbox.config.AgentConfig.Policy); err != nil { + return err + } + } + // Setup network interfaces and routes interfaces, routes, neighs, err := generateVCNetworkStructures(ctx, sandbox.network) if err != nil { @@ -2081,6 +2090,9 @@ func (k *kataAgent) installReqFunc(c *kataclient.AgentClient) { k.reqHandlers[grpcRemoveStaleVirtiofsShareMountsRequest] = func(ctx context.Context, req interface{}) (interface{}, error) { return k.client.AgentServiceClient.RemoveStaleVirtiofsShareMounts(ctx, req.(*grpc.RemoveStaleVirtiofsShareMountsRequest)) } + k.reqHandlers[grpcSetPolicyRequest] = func(ctx context.Context, req interface{}) (interface{}, error) { + return k.client.AgentServiceClient.SetPolicy(ctx, req.(*grpc.SetPolicyRequest)) + } } func (k *kataAgent) getReqContext(ctx context.Context, reqName string) (newCtx context.Context, cancel context.CancelFunc) { @@ -2356,3 +2368,8 @@ func (k *kataAgent) resizeGuestVolume(ctx context.Context, volumeGuestPath strin _, err := k.sendReq(ctx, &grpc.ResizeVolumeRequest{VolumeGuestPath: volumeGuestPath, Size_: size}) return err } + +func (k *kataAgent) setPolicy(ctx context.Context, policy string) error { + _, err := k.sendReq(ctx, &grpc.SetPolicyRequest{Policy: policy}) + return err +} diff --git a/src/runtime/virtcontainers/mock_agent.go b/src/runtime/virtcontainers/mock_agent.go index 5d6b0f9d62..4fdd2b1ae4 100644 --- a/src/runtime/virtcontainers/mock_agent.go +++ b/src/runtime/virtcontainers/mock_agent.go @@ -267,3 +267,7 @@ func (k *mockAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error func (k *mockAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) error { return nil } + +func (k *mockAgent) setPolicy(ctx context.Context, policy string) error { + return nil +} diff --git a/src/runtime/virtcontainers/pkg/agent/protocols/grpc/agent.pb.go b/src/runtime/virtcontainers/pkg/agent/protocols/grpc/agent.pb.go index 3a1b7c607f..e6d8be46f7 100644 --- a/src/runtime/virtcontainers/pkg/agent/protocols/grpc/agent.pb.go +++ b/src/runtime/virtcontainers/pkg/agent/protocols/grpc/agent.pb.go @@ -1,5 +1,5 @@ // Code generated by protoc-gen-gogo. DO NOT EDIT. -// source: agent.proto +// source: github.com/kata-containers/kata-containers/src/libs/protocols/protos/agent.proto package grpc @@ -50,7 +50,7 @@ type CreateContainerRequest struct { func (m *CreateContainerRequest) Reset() { *m = CreateContainerRequest{} } func (*CreateContainerRequest) ProtoMessage() {} func (*CreateContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{0} + return fileDescriptor_712ce9a559fda969, []int{0} } func (m *CreateContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -89,7 +89,7 @@ type StartContainerRequest struct { func (m *StartContainerRequest) Reset() { *m = StartContainerRequest{} } func (*StartContainerRequest) ProtoMessage() {} func (*StartContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{1} + return fileDescriptor_712ce9a559fda969, []int{1} } func (m *StartContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -134,7 +134,7 @@ type RemoveContainerRequest struct { func (m *RemoveContainerRequest) Reset() { *m = RemoveContainerRequest{} } func (*RemoveContainerRequest) ProtoMessage() {} func (*RemoveContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{2} + return fileDescriptor_712ce9a559fda969, []int{2} } func (m *RemoveContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -176,7 +176,7 @@ type ExecProcessRequest struct { func (m *ExecProcessRequest) Reset() { *m = ExecProcessRequest{} } func (*ExecProcessRequest) ProtoMessage() {} func (*ExecProcessRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{3} + return fileDescriptor_712ce9a559fda969, []int{3} } func (m *ExecProcessRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -220,7 +220,7 @@ type SignalProcessRequest struct { func (m *SignalProcessRequest) Reset() { *m = SignalProcessRequest{} } func (*SignalProcessRequest) ProtoMessage() {} func (*SignalProcessRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{4} + return fileDescriptor_712ce9a559fda969, []int{4} } func (m *SignalProcessRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -260,7 +260,7 @@ type WaitProcessRequest struct { func (m *WaitProcessRequest) Reset() { *m = WaitProcessRequest{} } func (*WaitProcessRequest) ProtoMessage() {} func (*WaitProcessRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{5} + return fileDescriptor_712ce9a559fda969, []int{5} } func (m *WaitProcessRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -299,7 +299,7 @@ type WaitProcessResponse struct { func (m *WaitProcessResponse) Reset() { *m = WaitProcessResponse{} } func (*WaitProcessResponse) ProtoMessage() {} func (*WaitProcessResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{6} + return fileDescriptor_712ce9a559fda969, []int{6} } func (m *WaitProcessResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -339,7 +339,7 @@ type UpdateContainerRequest struct { func (m *UpdateContainerRequest) Reset() { *m = UpdateContainerRequest{} } func (*UpdateContainerRequest) ProtoMessage() {} func (*UpdateContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{7} + return fileDescriptor_712ce9a559fda969, []int{7} } func (m *UpdateContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -378,7 +378,7 @@ type StatsContainerRequest struct { func (m *StatsContainerRequest) Reset() { *m = StatsContainerRequest{} } func (*StatsContainerRequest) ProtoMessage() {} func (*StatsContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{8} + return fileDescriptor_712ce9a559fda969, []int{8} } func (m *StatsContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -417,7 +417,7 @@ type PauseContainerRequest struct { func (m *PauseContainerRequest) Reset() { *m = PauseContainerRequest{} } func (*PauseContainerRequest) ProtoMessage() {} func (*PauseContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{9} + return fileDescriptor_712ce9a559fda969, []int{9} } func (m *PauseContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -456,7 +456,7 @@ type ResumeContainerRequest struct { func (m *ResumeContainerRequest) Reset() { *m = ResumeContainerRequest{} } func (*ResumeContainerRequest) ProtoMessage() {} func (*ResumeContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{10} + return fileDescriptor_712ce9a559fda969, []int{10} } func (m *ResumeContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -498,7 +498,7 @@ type CpuUsage struct { func (m *CpuUsage) Reset() { *m = CpuUsage{} } func (*CpuUsage) ProtoMessage() {} func (*CpuUsage) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{11} + return fileDescriptor_712ce9a559fda969, []int{11} } func (m *CpuUsage) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -539,7 +539,7 @@ type ThrottlingData struct { func (m *ThrottlingData) Reset() { *m = ThrottlingData{} } func (*ThrottlingData) ProtoMessage() {} func (*ThrottlingData) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{12} + return fileDescriptor_712ce9a559fda969, []int{12} } func (m *ThrottlingData) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -579,7 +579,7 @@ type CpuStats struct { func (m *CpuStats) Reset() { *m = CpuStats{} } func (*CpuStats) ProtoMessage() {} func (*CpuStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{13} + return fileDescriptor_712ce9a559fda969, []int{13} } func (m *CpuStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -619,7 +619,7 @@ type PidsStats struct { func (m *PidsStats) Reset() { *m = PidsStats{} } func (*PidsStats) ProtoMessage() {} func (*PidsStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{14} + return fileDescriptor_712ce9a559fda969, []int{14} } func (m *PidsStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -661,7 +661,7 @@ type MemoryData struct { func (m *MemoryData) Reset() { *m = MemoryData{} } func (*MemoryData) ProtoMessage() {} func (*MemoryData) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{15} + return fileDescriptor_712ce9a559fda969, []int{15} } func (m *MemoryData) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -705,7 +705,7 @@ type MemoryStats struct { func (m *MemoryStats) Reset() { *m = MemoryStats{} } func (*MemoryStats) ProtoMessage() {} func (*MemoryStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{16} + return fileDescriptor_712ce9a559fda969, []int{16} } func (m *MemoryStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -747,7 +747,7 @@ type BlkioStatsEntry struct { func (m *BlkioStatsEntry) Reset() { *m = BlkioStatsEntry{} } func (*BlkioStatsEntry) ProtoMessage() {} func (*BlkioStatsEntry) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{17} + return fileDescriptor_712ce9a559fda969, []int{17} } func (m *BlkioStatsEntry) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -793,7 +793,7 @@ type BlkioStats struct { func (m *BlkioStats) Reset() { *m = BlkioStats{} } func (*BlkioStats) ProtoMessage() {} func (*BlkioStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{18} + return fileDescriptor_712ce9a559fda969, []int{18} } func (m *BlkioStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -834,7 +834,7 @@ type HugetlbStats struct { func (m *HugetlbStats) Reset() { *m = HugetlbStats{} } func (*HugetlbStats) ProtoMessage() {} func (*HugetlbStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{19} + return fileDescriptor_712ce9a559fda969, []int{19} } func (m *HugetlbStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -877,7 +877,7 @@ type CgroupStats struct { func (m *CgroupStats) Reset() { *m = CgroupStats{} } func (*CgroupStats) ProtoMessage() {} func (*CgroupStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{20} + return fileDescriptor_712ce9a559fda969, []int{20} } func (m *CgroupStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -924,7 +924,7 @@ type NetworkStats struct { func (m *NetworkStats) Reset() { *m = NetworkStats{} } func (*NetworkStats) ProtoMessage() {} func (*NetworkStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{21} + return fileDescriptor_712ce9a559fda969, []int{21} } func (m *NetworkStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -964,7 +964,7 @@ type StatsContainerResponse struct { func (m *StatsContainerResponse) Reset() { *m = StatsContainerResponse{} } func (*StatsContainerResponse) ProtoMessage() {} func (*StatsContainerResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{22} + return fileDescriptor_712ce9a559fda969, []int{22} } func (m *StatsContainerResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1005,7 +1005,7 @@ type WriteStreamRequest struct { func (m *WriteStreamRequest) Reset() { *m = WriteStreamRequest{} } func (*WriteStreamRequest) ProtoMessage() {} func (*WriteStreamRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{23} + return fileDescriptor_712ce9a559fda969, []int{23} } func (m *WriteStreamRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1044,7 +1044,7 @@ type WriteStreamResponse struct { func (m *WriteStreamResponse) Reset() { *m = WriteStreamResponse{} } func (*WriteStreamResponse) ProtoMessage() {} func (*WriteStreamResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{24} + return fileDescriptor_712ce9a559fda969, []int{24} } func (m *WriteStreamResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1085,7 +1085,7 @@ type ReadStreamRequest struct { func (m *ReadStreamRequest) Reset() { *m = ReadStreamRequest{} } func (*ReadStreamRequest) ProtoMessage() {} func (*ReadStreamRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{25} + return fileDescriptor_712ce9a559fda969, []int{25} } func (m *ReadStreamRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1124,7 +1124,7 @@ type ReadStreamResponse struct { func (m *ReadStreamResponse) Reset() { *m = ReadStreamResponse{} } func (*ReadStreamResponse) ProtoMessage() {} func (*ReadStreamResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{26} + return fileDescriptor_712ce9a559fda969, []int{26} } func (m *ReadStreamResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1164,7 +1164,7 @@ type CloseStdinRequest struct { func (m *CloseStdinRequest) Reset() { *m = CloseStdinRequest{} } func (*CloseStdinRequest) ProtoMessage() {} func (*CloseStdinRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{27} + return fileDescriptor_712ce9a559fda969, []int{27} } func (m *CloseStdinRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1206,7 +1206,7 @@ type TtyWinResizeRequest struct { func (m *TtyWinResizeRequest) Reset() { *m = TtyWinResizeRequest{} } func (*TtyWinResizeRequest) ProtoMessage() {} func (*TtyWinResizeRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{28} + return fileDescriptor_712ce9a559fda969, []int{28} } func (m *TtyWinResizeRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1249,7 +1249,7 @@ type KernelModule struct { func (m *KernelModule) Reset() { *m = KernelModule{} } func (*KernelModule) ProtoMessage() {} func (*KernelModule) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{29} + return fileDescriptor_712ce9a559fda969, []int{29} } func (m *KernelModule) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1304,7 +1304,7 @@ type CreateSandboxRequest struct { func (m *CreateSandboxRequest) Reset() { *m = CreateSandboxRequest{} } func (*CreateSandboxRequest) ProtoMessage() {} func (*CreateSandboxRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{30} + return fileDescriptor_712ce9a559fda969, []int{30} } func (m *CreateSandboxRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1342,7 +1342,7 @@ type DestroySandboxRequest struct { func (m *DestroySandboxRequest) Reset() { *m = DestroySandboxRequest{} } func (*DestroySandboxRequest) ProtoMessage() {} func (*DestroySandboxRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{31} + return fileDescriptor_712ce9a559fda969, []int{31} } func (m *DestroySandboxRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1380,7 +1380,7 @@ type RemoveStaleVirtiofsShareMountsRequest struct { func (m *RemoveStaleVirtiofsShareMountsRequest) Reset() { *m = RemoveStaleVirtiofsShareMountsRequest{} } func (*RemoveStaleVirtiofsShareMountsRequest) ProtoMessage() {} func (*RemoveStaleVirtiofsShareMountsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{32} + return fileDescriptor_712ce9a559fda969, []int{32} } func (m *RemoveStaleVirtiofsShareMountsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1419,7 +1419,7 @@ type Interfaces struct { func (m *Interfaces) Reset() { *m = Interfaces{} } func (*Interfaces) ProtoMessage() {} func (*Interfaces) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{33} + return fileDescriptor_712ce9a559fda969, []int{33} } func (m *Interfaces) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1458,7 +1458,7 @@ type Routes struct { func (m *Routes) Reset() { *m = Routes{} } func (*Routes) ProtoMessage() {} func (*Routes) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{34} + return fileDescriptor_712ce9a559fda969, []int{34} } func (m *Routes) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1497,7 +1497,7 @@ type UpdateInterfaceRequest struct { func (m *UpdateInterfaceRequest) Reset() { *m = UpdateInterfaceRequest{} } func (*UpdateInterfaceRequest) ProtoMessage() {} func (*UpdateInterfaceRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{35} + return fileDescriptor_712ce9a559fda969, []int{35} } func (m *UpdateInterfaceRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1536,7 +1536,7 @@ type UpdateRoutesRequest struct { func (m *UpdateRoutesRequest) Reset() { *m = UpdateRoutesRequest{} } func (*UpdateRoutesRequest) ProtoMessage() {} func (*UpdateRoutesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{36} + return fileDescriptor_712ce9a559fda969, []int{36} } func (m *UpdateRoutesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1575,7 +1575,7 @@ type UpdateEphemeralMountsRequest struct { func (m *UpdateEphemeralMountsRequest) Reset() { *m = UpdateEphemeralMountsRequest{} } func (*UpdateEphemeralMountsRequest) ProtoMessage() {} func (*UpdateEphemeralMountsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{37} + return fileDescriptor_712ce9a559fda969, []int{37} } func (m *UpdateEphemeralMountsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1613,7 +1613,7 @@ type ListInterfacesRequest struct { func (m *ListInterfacesRequest) Reset() { *m = ListInterfacesRequest{} } func (*ListInterfacesRequest) ProtoMessage() {} func (*ListInterfacesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{38} + return fileDescriptor_712ce9a559fda969, []int{38} } func (m *ListInterfacesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1651,7 +1651,7 @@ type ListRoutesRequest struct { func (m *ListRoutesRequest) Reset() { *m = ListRoutesRequest{} } func (*ListRoutesRequest) ProtoMessage() {} func (*ListRoutesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{39} + return fileDescriptor_712ce9a559fda969, []int{39} } func (m *ListRoutesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1690,7 +1690,7 @@ type ARPNeighbors struct { func (m *ARPNeighbors) Reset() { *m = ARPNeighbors{} } func (*ARPNeighbors) ProtoMessage() {} func (*ARPNeighbors) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{40} + return fileDescriptor_712ce9a559fda969, []int{40} } func (m *ARPNeighbors) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1729,7 +1729,7 @@ type AddARPNeighborsRequest struct { func (m *AddARPNeighborsRequest) Reset() { *m = AddARPNeighborsRequest{} } func (*AddARPNeighborsRequest) ProtoMessage() {} func (*AddARPNeighborsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{41} + return fileDescriptor_712ce9a559fda969, []int{41} } func (m *AddARPNeighborsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1768,7 +1768,7 @@ type GetIPTablesRequest struct { func (m *GetIPTablesRequest) Reset() { *m = GetIPTablesRequest{} } func (*GetIPTablesRequest) ProtoMessage() {} func (*GetIPTablesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{42} + return fileDescriptor_712ce9a559fda969, []int{42} } func (m *GetIPTablesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1808,7 +1808,7 @@ type GetIPTablesResponse struct { func (m *GetIPTablesResponse) Reset() { *m = GetIPTablesResponse{} } func (*GetIPTablesResponse) ProtoMessage() {} func (*GetIPTablesResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{43} + return fileDescriptor_712ce9a559fda969, []int{43} } func (m *GetIPTablesResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1850,7 +1850,7 @@ type SetIPTablesRequest struct { func (m *SetIPTablesRequest) Reset() { *m = SetIPTablesRequest{} } func (*SetIPTablesRequest) ProtoMessage() {} func (*SetIPTablesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{44} + return fileDescriptor_712ce9a559fda969, []int{44} } func (m *SetIPTablesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1890,7 +1890,7 @@ type SetIPTablesResponse struct { func (m *SetIPTablesResponse) Reset() { *m = SetIPTablesResponse{} } func (*SetIPTablesResponse) ProtoMessage() {} func (*SetIPTablesResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{45} + return fileDescriptor_712ce9a559fda969, []int{45} } func (m *SetIPTablesResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1937,7 +1937,7 @@ type OnlineCPUMemRequest struct { func (m *OnlineCPUMemRequest) Reset() { *m = OnlineCPUMemRequest{} } func (*OnlineCPUMemRequest) ProtoMessage() {} func (*OnlineCPUMemRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{46} + return fileDescriptor_712ce9a559fda969, []int{46} } func (m *OnlineCPUMemRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1977,7 +1977,7 @@ type ReseedRandomDevRequest struct { func (m *ReseedRandomDevRequest) Reset() { *m = ReseedRandomDevRequest{} } func (*ReseedRandomDevRequest) ProtoMessage() {} func (*ReseedRandomDevRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{47} + return fileDescriptor_712ce9a559fda969, []int{47} } func (m *ReseedRandomDevRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2027,7 +2027,7 @@ type AgentDetails struct { func (m *AgentDetails) Reset() { *m = AgentDetails{} } func (*AgentDetails) ProtoMessage() {} func (*AgentDetails) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{48} + return fileDescriptor_712ce9a559fda969, []int{48} } func (m *AgentDetails) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2073,7 +2073,7 @@ type GuestDetailsRequest struct { func (m *GuestDetailsRequest) Reset() { *m = GuestDetailsRequest{} } func (*GuestDetailsRequest) ProtoMessage() {} func (*GuestDetailsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{49} + return fileDescriptor_712ce9a559fda969, []int{49} } func (m *GuestDetailsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2115,7 +2115,7 @@ type GuestDetailsResponse struct { func (m *GuestDetailsResponse) Reset() { *m = GuestDetailsResponse{} } func (*GuestDetailsResponse) ProtoMessage() {} func (*GuestDetailsResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{50} + return fileDescriptor_712ce9a559fda969, []int{50} } func (m *GuestDetailsResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2156,7 +2156,7 @@ type MemHotplugByProbeRequest struct { func (m *MemHotplugByProbeRequest) Reset() { *m = MemHotplugByProbeRequest{} } func (*MemHotplugByProbeRequest) ProtoMessage() {} func (*MemHotplugByProbeRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{51} + return fileDescriptor_712ce9a559fda969, []int{51} } func (m *MemHotplugByProbeRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2198,7 +2198,7 @@ type SetGuestDateTimeRequest struct { func (m *SetGuestDateTimeRequest) Reset() { *m = SetGuestDateTimeRequest{} } func (*SetGuestDateTimeRequest) ProtoMessage() {} func (*SetGuestDateTimeRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{52} + return fileDescriptor_712ce9a559fda969, []int{52} } func (m *SetGuestDateTimeRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2244,7 +2244,7 @@ type FSGroup struct { func (m *FSGroup) Reset() { *m = FSGroup{} } func (*FSGroup) ProtoMessage() {} func (*FSGroup) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{53} + return fileDescriptor_712ce9a559fda969, []int{53} } func (m *FSGroup) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2312,7 +2312,7 @@ type Storage struct { func (m *Storage) Reset() { *m = Storage{} } func (*Storage) ProtoMessage() {} func (*Storage) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{54} + return fileDescriptor_712ce9a559fda969, []int{54} } func (m *Storage) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2383,7 +2383,7 @@ type Device struct { func (m *Device) Reset() { *m = Device{} } func (*Device) ProtoMessage() {} func (*Device) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{55} + return fileDescriptor_712ce9a559fda969, []int{55} } func (m *Device) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2424,7 +2424,7 @@ type StringUser struct { func (m *StringUser) Reset() { *m = StringUser{} } func (*StringUser) ProtoMessage() {} func (*StringUser) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{56} + return fileDescriptor_712ce9a559fda969, []int{56} } func (m *StringUser) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2481,7 +2481,7 @@ type CopyFileRequest struct { func (m *CopyFileRequest) Reset() { *m = CopyFileRequest{} } func (*CopyFileRequest) ProtoMessage() {} func (*CopyFileRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{57} + return fileDescriptor_712ce9a559fda969, []int{57} } func (m *CopyFileRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2519,7 +2519,7 @@ type GetOOMEventRequest struct { func (m *GetOOMEventRequest) Reset() { *m = GetOOMEventRequest{} } func (*GetOOMEventRequest) ProtoMessage() {} func (*GetOOMEventRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{58} + return fileDescriptor_712ce9a559fda969, []int{58} } func (m *GetOOMEventRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2558,7 +2558,7 @@ type OOMEvent struct { func (m *OOMEvent) Reset() { *m = OOMEvent{} } func (*OOMEvent) ProtoMessage() {} func (*OOMEvent) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{59} + return fileDescriptor_712ce9a559fda969, []int{59} } func (m *OOMEvent) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2597,7 +2597,7 @@ type AddSwapRequest struct { func (m *AddSwapRequest) Reset() { *m = AddSwapRequest{} } func (*AddSwapRequest) ProtoMessage() {} func (*AddSwapRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{60} + return fileDescriptor_712ce9a559fda969, []int{60} } func (m *AddSwapRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2635,7 +2635,7 @@ type GetMetricsRequest struct { func (m *GetMetricsRequest) Reset() { *m = GetMetricsRequest{} } func (*GetMetricsRequest) ProtoMessage() {} func (*GetMetricsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{61} + return fileDescriptor_712ce9a559fda969, []int{61} } func (m *GetMetricsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2674,7 +2674,7 @@ type Metrics struct { func (m *Metrics) Reset() { *m = Metrics{} } func (*Metrics) ProtoMessage() {} func (*Metrics) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{62} + return fileDescriptor_712ce9a559fda969, []int{62} } func (m *Metrics) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2714,7 +2714,7 @@ type VolumeStatsRequest struct { func (m *VolumeStatsRequest) Reset() { *m = VolumeStatsRequest{} } func (*VolumeStatsRequest) ProtoMessage() {} func (*VolumeStatsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{63} + return fileDescriptor_712ce9a559fda969, []int{63} } func (m *VolumeStatsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2755,7 +2755,7 @@ type ResizeVolumeRequest struct { func (m *ResizeVolumeRequest) Reset() { *m = ResizeVolumeRequest{} } func (*ResizeVolumeRequest) ProtoMessage() {} func (*ResizeVolumeRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{64} + return fileDescriptor_712ce9a559fda969, []int{64} } func (m *ResizeVolumeRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2784,6 +2784,45 @@ func (m *ResizeVolumeRequest) XXX_DiscardUnknown() { var xxx_messageInfo_ResizeVolumeRequest proto.InternalMessageInfo +type SetPolicyRequest struct { + Policy string `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *SetPolicyRequest) Reset() { *m = SetPolicyRequest{} } +func (*SetPolicyRequest) ProtoMessage() {} +func (*SetPolicyRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_712ce9a559fda969, []int{65} +} +func (m *SetPolicyRequest) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *SetPolicyRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_SetPolicyRequest.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *SetPolicyRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_SetPolicyRequest.Merge(m, src) +} +func (m *SetPolicyRequest) XXX_Size() int { + return m.Size() +} +func (m *SetPolicyRequest) XXX_DiscardUnknown() { + xxx_messageInfo_SetPolicyRequest.DiscardUnknown(m) +} + +var xxx_messageInfo_SetPolicyRequest proto.InternalMessageInfo + func init() { proto.RegisterType((*CreateContainerRequest)(nil), "grpc.CreateContainerRequest") proto.RegisterType((*StartContainerRequest)(nil), "grpc.StartContainerRequest") @@ -2852,217 +2891,223 @@ func init() { proto.RegisterType((*Metrics)(nil), "grpc.Metrics") proto.RegisterType((*VolumeStatsRequest)(nil), "grpc.VolumeStatsRequest") proto.RegisterType((*ResizeVolumeRequest)(nil), "grpc.ResizeVolumeRequest") + proto.RegisterType((*SetPolicyRequest)(nil), "grpc.SetPolicyRequest") } -func init() { proto.RegisterFile("agent.proto", fileDescriptor_56ede974c0020f77) } +func init() { + proto.RegisterFile("github.com/kata-containers/kata-containers/src/libs/protocols/protos/agent.proto", fileDescriptor_712ce9a559fda969) +} -var fileDescriptor_56ede974c0020f77 = []byte{ - // 3275 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x3a, 0x4b, 0x6f, 0x1c, 0x47, - 0x73, 0xdf, 0x3e, 0xc8, 0xdd, 0xad, 0x7d, 0x71, 0x87, 0x14, 0xb5, 0x5a, 0xeb, 0xa3, 0xe5, 0x91, - 0x25, 0x51, 0x76, 0x44, 0xda, 0xb2, 0x61, 0xf9, 0x01, 0x47, 0x21, 0x29, 0x9a, 0xa4, 0x6d, 0x5a, - 0x9b, 0x59, 0xd1, 0x0e, 0x12, 0x24, 0x83, 0xe1, 0x4c, 0x73, 0xb7, 0xcd, 0x9d, 0xe9, 0x71, 0x4f, - 0x0f, 0x45, 0x3a, 0x40, 0x90, 0x43, 0x90, 0xdc, 0x72, 0xcc, 0x2d, 0x7f, 0x20, 0xc8, 0x3f, 0xc8, - 0x35, 0x07, 0x23, 0xa7, 0x1c, 0x73, 0x49, 0x10, 0xeb, 0x27, 0xe4, 0x17, 0x04, 0xfd, 0x9a, 0xc7, - 0xbe, 0x64, 0x10, 0x02, 0xbe, 0xcb, 0x62, 0xba, 0xba, 0xba, 0x5e, 0x5d, 0x5d, 0x5d, 0x55, 0xbd, - 0x50, 0x77, 0x86, 0x28, 0x60, 0x5b, 0x21, 0x25, 0x8c, 0x18, 0xe5, 0x21, 0x0d, 0xdd, 0x5e, 0x8d, - 0xb8, 0x58, 0x02, 0x7a, 0x35, 0x37, 0xd2, 0x9f, 0x75, 0x76, 0x15, 0xa2, 0x48, 0x0d, 0xde, 0x1a, - 0x12, 0x32, 0x1c, 0xa3, 0x6d, 0x31, 0x3a, 0x8d, 0xcf, 0xb6, 0x91, 0x1f, 0xb2, 0x2b, 0x39, 0x69, - 0xfe, 0x73, 0x11, 0xd6, 0xf7, 0x28, 0x72, 0x18, 0xda, 0x23, 0x01, 0x73, 0x70, 0x80, 0xa8, 0x85, - 0x7e, 0x8a, 0x51, 0xc4, 0x8c, 0x77, 0xa0, 0xe1, 0x6a, 0x98, 0x8d, 0xbd, 0x6e, 0xe1, 0x4e, 0x61, - 0xb3, 0x66, 0xd5, 0x13, 0xd8, 0x91, 0x67, 0xdc, 0x84, 0x0a, 0xba, 0x44, 0x2e, 0x9f, 0x2d, 0x8a, - 0xd9, 0x65, 0x3e, 0x3c, 0xf2, 0x8c, 0x0f, 0xa1, 0x1e, 0x31, 0x8a, 0x83, 0xa1, 0x1d, 0x47, 0x88, - 0x76, 0x4b, 0x77, 0x0a, 0x9b, 0xf5, 0xc7, 0x2b, 0x5b, 0x5c, 0xe4, 0xad, 0x81, 0x98, 0x38, 0x89, - 0x10, 0xb5, 0x20, 0x4a, 0xbe, 0x8d, 0xfb, 0x50, 0xf1, 0xd0, 0x05, 0x76, 0x51, 0xd4, 0x2d, 0xdf, - 0x29, 0x6d, 0xd6, 0x1f, 0x37, 0x24, 0xfa, 0x33, 0x01, 0xb4, 0xf4, 0xa4, 0xf1, 0x10, 0xaa, 0x11, - 0x23, 0xd4, 0x19, 0xa2, 0xa8, 0xbb, 0x24, 0x10, 0x9b, 0x9a, 0xae, 0x80, 0x5a, 0xc9, 0xb4, 0x71, - 0x1b, 0x4a, 0xcf, 0xf7, 0x8e, 0xba, 0xcb, 0x82, 0x3b, 0x28, 0xac, 0x10, 0xb9, 0x16, 0x07, 0x1b, - 0x77, 0xa1, 0x19, 0x39, 0x81, 0x77, 0x4a, 0x2e, 0xed, 0x10, 0x7b, 0x41, 0xd4, 0xad, 0xdc, 0x29, - 0x6c, 0x56, 0xad, 0x86, 0x02, 0xf6, 0x39, 0xcc, 0xfc, 0x1c, 0x6e, 0x0c, 0x98, 0x43, 0xd9, 0x35, - 0xac, 0x63, 0x9e, 0xc0, 0xba, 0x85, 0x7c, 0x72, 0x71, 0x2d, 0xd3, 0x76, 0xa1, 0xc2, 0xb0, 0x8f, - 0x48, 0xcc, 0x84, 0x69, 0x9b, 0x96, 0x1e, 0x9a, 0xff, 0x5a, 0x00, 0x63, 0xff, 0x12, 0xb9, 0x7d, - 0x4a, 0x5c, 0x14, 0x45, 0x7f, 0xa0, 0xed, 0x7a, 0x00, 0x95, 0x50, 0x0a, 0xd0, 0x2d, 0x0b, 0x74, - 0xb5, 0x0b, 0x5a, 0x2a, 0x3d, 0x6b, 0xfe, 0x08, 0x6b, 0x03, 0x3c, 0x0c, 0x9c, 0xf1, 0x1b, 0x94, - 0x77, 0x1d, 0x96, 0x23, 0x41, 0x53, 0x88, 0xda, 0xb4, 0xd4, 0xc8, 0xec, 0x83, 0xf1, 0x83, 0x83, - 0xd9, 0x9b, 0xe3, 0x64, 0x3e, 0x82, 0xd5, 0x1c, 0xc5, 0x28, 0x24, 0x41, 0x84, 0x84, 0x00, 0xcc, - 0x61, 0x71, 0x24, 0x88, 0x2d, 0x59, 0x6a, 0x64, 0x12, 0x58, 0x3f, 0x09, 0xbd, 0x6b, 0x9e, 0xa6, - 0xc7, 0x50, 0xa3, 0x28, 0x22, 0x31, 0xe5, 0x67, 0xa0, 0x28, 0x8c, 0xba, 0x26, 0x8d, 0xfa, 0x2d, - 0x0e, 0xe2, 0x4b, 0x4b, 0xcf, 0x59, 0x29, 0x9a, 0xf2, 0x4f, 0x16, 0x5d, 0xc7, 0x3f, 0x3f, 0x87, - 0x1b, 0x7d, 0x27, 0x8e, 0xae, 0x23, 0xab, 0xf9, 0x05, 0xf7, 0xed, 0x28, 0xf6, 0xaf, 0xb5, 0xf8, - 0x5f, 0x0a, 0x50, 0xdd, 0x0b, 0xe3, 0x93, 0xc8, 0x19, 0x22, 0xe3, 0x6d, 0xa8, 0x33, 0xc2, 0x9c, - 0xb1, 0x1d, 0xf3, 0xa1, 0x40, 0x2f, 0x5b, 0x20, 0x40, 0x12, 0xe1, 0x1d, 0x68, 0x84, 0x88, 0xba, - 0x61, 0xac, 0x30, 0x8a, 0x77, 0x4a, 0x9b, 0x65, 0xab, 0x2e, 0x61, 0x12, 0x65, 0x0b, 0x56, 0xc5, - 0x9c, 0x8d, 0x03, 0xfb, 0x1c, 0xd1, 0x00, 0x8d, 0x7d, 0xe2, 0x21, 0xe1, 0x1c, 0x65, 0xab, 0x23, - 0xa6, 0x8e, 0x82, 0x6f, 0x92, 0x09, 0xe3, 0x3d, 0xe8, 0x24, 0xf8, 0xdc, 0xe3, 0x05, 0x76, 0x59, - 0x60, 0xb7, 0x15, 0xf6, 0x89, 0x02, 0x9b, 0x7f, 0x03, 0xad, 0x17, 0x23, 0x4a, 0x18, 0x1b, 0xe3, - 0x60, 0xf8, 0xcc, 0x61, 0x0e, 0x3f, 0x9a, 0x21, 0xa2, 0x98, 0x78, 0x91, 0x92, 0x56, 0x0f, 0x8d, - 0xf7, 0xa1, 0xc3, 0x24, 0x2e, 0xf2, 0x6c, 0x8d, 0x53, 0x14, 0x38, 0x2b, 0xc9, 0x44, 0x5f, 0x21, - 0xdf, 0x83, 0x56, 0x8a, 0xcc, 0x0f, 0xb7, 0x92, 0xb7, 0x99, 0x40, 0x5f, 0x60, 0x1f, 0x99, 0x17, - 0xc2, 0x56, 0x62, 0x93, 0x8d, 0xf7, 0xa1, 0x96, 0xda, 0xa1, 0x20, 0x3c, 0xa4, 0x25, 0x3d, 0x44, - 0x9b, 0xd3, 0xaa, 0x26, 0x46, 0xf9, 0x12, 0xda, 0x2c, 0x11, 0xdc, 0xf6, 0x1c, 0xe6, 0xe4, 0x9d, - 0x2a, 0xaf, 0x95, 0xd5, 0x62, 0xb9, 0xb1, 0xf9, 0x05, 0xd4, 0xfa, 0xd8, 0x8b, 0x24, 0xe3, 0x2e, - 0x54, 0xdc, 0x98, 0x52, 0x14, 0x30, 0xad, 0xb2, 0x1a, 0x1a, 0x6b, 0xb0, 0x34, 0xc6, 0x3e, 0x66, - 0x4a, 0x4d, 0x39, 0x30, 0x09, 0xc0, 0x31, 0xf2, 0x09, 0xbd, 0x12, 0x06, 0x5b, 0x83, 0xa5, 0xec, - 0xe6, 0xca, 0x81, 0xf1, 0x16, 0xd4, 0x7c, 0xe7, 0x32, 0xd9, 0x54, 0x3e, 0x53, 0xf5, 0x9d, 0x4b, - 0x29, 0x7c, 0x17, 0x2a, 0x67, 0x0e, 0x1e, 0xbb, 0x01, 0x53, 0x56, 0xd1, 0xc3, 0x94, 0x61, 0x39, - 0xcb, 0xf0, 0xdf, 0x8b, 0x50, 0x97, 0x1c, 0xa5, 0xc0, 0x6b, 0xb0, 0xe4, 0x3a, 0xee, 0x28, 0x61, - 0x29, 0x06, 0xc6, 0x7d, 0x2d, 0x48, 0x31, 0x1b, 0xe1, 0x52, 0x49, 0xb5, 0x68, 0xdb, 0x00, 0xd1, - 0x4b, 0x27, 0x54, 0xb2, 0x95, 0xe6, 0x20, 0xd7, 0x38, 0x8e, 0x14, 0xf7, 0x23, 0x68, 0x48, 0xbf, - 0x53, 0x4b, 0xca, 0x73, 0x96, 0xd4, 0x25, 0x96, 0x5c, 0x74, 0x17, 0x9a, 0x71, 0x84, 0xec, 0x11, - 0x46, 0xd4, 0xa1, 0xee, 0xe8, 0xaa, 0xbb, 0x24, 0x2f, 0xa0, 0x38, 0x42, 0x87, 0x1a, 0x66, 0x3c, - 0x86, 0x25, 0x1e, 0x5b, 0xa2, 0xee, 0xb2, 0xb8, 0xeb, 0x6e, 0x67, 0x49, 0x0a, 0x55, 0xb7, 0xc4, - 0xef, 0x7e, 0xc0, 0xe8, 0x95, 0x25, 0x51, 0x7b, 0x9f, 0x02, 0xa4, 0x40, 0x63, 0x05, 0x4a, 0xe7, - 0xe8, 0x4a, 0x9d, 0x43, 0xfe, 0xc9, 0x8d, 0x73, 0xe1, 0x8c, 0x63, 0x6d, 0x75, 0x39, 0xf8, 0xbc, - 0xf8, 0x69, 0xc1, 0x74, 0xa1, 0xbd, 0x3b, 0x3e, 0xc7, 0x24, 0xb3, 0x7c, 0x0d, 0x96, 0x7c, 0xe7, - 0x47, 0x42, 0xb5, 0x25, 0xc5, 0x40, 0x40, 0x71, 0x40, 0xa8, 0x26, 0x21, 0x06, 0x46, 0x0b, 0x8a, - 0x24, 0x14, 0xf6, 0xaa, 0x59, 0x45, 0x12, 0xa6, 0x8c, 0xca, 0x19, 0x46, 0xe6, 0xff, 0x94, 0x01, - 0x52, 0x2e, 0x86, 0x05, 0x3d, 0x4c, 0xec, 0x08, 0x51, 0x7e, 0xbf, 0xdb, 0xa7, 0x57, 0x0c, 0x45, - 0x36, 0x45, 0x6e, 0x4c, 0x23, 0x7c, 0xc1, 0xf7, 0x8f, 0xab, 0x7d, 0x43, 0xaa, 0x3d, 0x21, 0x9b, - 0x75, 0x13, 0x93, 0x81, 0x5c, 0xb7, 0xcb, 0x97, 0x59, 0x7a, 0x95, 0x71, 0x04, 0x37, 0x52, 0x9a, - 0x5e, 0x86, 0x5c, 0x71, 0x11, 0xb9, 0xd5, 0x84, 0x9c, 0x97, 0x92, 0xda, 0x87, 0x55, 0x4c, 0xec, - 0x9f, 0x62, 0x14, 0xe7, 0x08, 0x95, 0x16, 0x11, 0xea, 0x60, 0xf2, 0xa7, 0x62, 0x41, 0x4a, 0xa6, - 0x0f, 0xb7, 0x32, 0x5a, 0xf2, 0xe3, 0x9e, 0x21, 0x56, 0x5e, 0x44, 0x6c, 0x3d, 0x91, 0x8a, 0xc7, - 0x83, 0x94, 0xe2, 0xd7, 0xb0, 0x8e, 0x89, 0xfd, 0xd2, 0xc1, 0x6c, 0x92, 0xdc, 0xd2, 0x6b, 0x94, - 0xe4, 0x37, 0x5a, 0x9e, 0x96, 0x54, 0xd2, 0x47, 0x74, 0x98, 0x53, 0x72, 0xf9, 0x35, 0x4a, 0x1e, - 0x8b, 0x05, 0x29, 0x99, 0x1d, 0xe8, 0x60, 0x32, 0x29, 0x4d, 0x65, 0x11, 0x91, 0x36, 0x26, 0x79, - 0x49, 0x76, 0xa1, 0x13, 0x21, 0x97, 0x11, 0x9a, 0x75, 0x82, 0xea, 0x22, 0x12, 0x2b, 0x0a, 0x3f, - 0xa1, 0x61, 0xfe, 0x05, 0x34, 0x0e, 0xe3, 0x21, 0x62, 0xe3, 0xd3, 0x24, 0x18, 0xbc, 0xb1, 0xf8, - 0x63, 0xfe, 0x5f, 0x11, 0xea, 0x7b, 0x43, 0x4a, 0xe2, 0x30, 0x17, 0x93, 0xe5, 0x21, 0x9d, 0x8c, - 0xc9, 0x02, 0x45, 0xc4, 0x64, 0x89, 0xfc, 0x31, 0x34, 0x7c, 0x71, 0x74, 0x15, 0xbe, 0x8c, 0x43, - 0x9d, 0xa9, 0x43, 0x6d, 0xd5, 0xfd, 0x4c, 0x30, 0xdb, 0x02, 0x08, 0xb1, 0x17, 0xa9, 0x35, 0x32, - 0x1c, 0xb5, 0x55, 0xba, 0xa5, 0x43, 0xb4, 0x55, 0x0b, 0x93, 0x68, 0xfd, 0x21, 0xd4, 0x4f, 0xb9, - 0x91, 0xd4, 0x82, 0x5c, 0x30, 0x4a, 0xad, 0x67, 0xc1, 0x69, 0x7a, 0x08, 0x0f, 0xa1, 0x39, 0x92, - 0x26, 0x53, 0x8b, 0xa4, 0x0f, 0xdd, 0x55, 0x9a, 0xa4, 0xfa, 0x6e, 0x65, 0x2d, 0x2b, 0x37, 0xa0, - 0x31, 0xca, 0x80, 0x7a, 0x03, 0xe8, 0x4c, 0xa1, 0xcc, 0x88, 0x41, 0x9b, 0xd9, 0x18, 0x54, 0x7f, - 0x6c, 0x48, 0x46, 0xd9, 0x95, 0xd9, 0xb8, 0xf4, 0x8f, 0x45, 0x68, 0x7c, 0x87, 0xd8, 0x4b, 0x42, - 0xcf, 0xa5, 0xbc, 0x06, 0x94, 0x03, 0xc7, 0x47, 0x8a, 0xa2, 0xf8, 0x36, 0x6e, 0x41, 0x95, 0x5e, - 0xca, 0x00, 0xa2, 0xf6, 0xb3, 0x42, 0x2f, 0x45, 0x60, 0x30, 0x7e, 0x0f, 0x40, 0x2f, 0xed, 0xd0, - 0x71, 0xcf, 0x91, 0xb2, 0x60, 0xd9, 0xaa, 0xd1, 0xcb, 0xbe, 0x04, 0x70, 0x57, 0xa0, 0x97, 0x36, - 0xa2, 0x94, 0xd0, 0x48, 0xc5, 0xaa, 0x2a, 0xbd, 0xdc, 0x17, 0x63, 0xb5, 0xd6, 0xa3, 0x24, 0x0c, - 0x91, 0x27, 0x62, 0xb4, 0x58, 0xfb, 0x4c, 0x02, 0x38, 0x57, 0xa6, 0xb9, 0x2e, 0x4b, 0xae, 0x2c, - 0xe5, 0xca, 0x52, 0xae, 0x15, 0xb9, 0x92, 0x65, 0xb9, 0xb2, 0x84, 0x6b, 0x55, 0x72, 0x65, 0x19, - 0xae, 0x2c, 0xe5, 0x5a, 0xd3, 0x6b, 0x15, 0x57, 0xf3, 0x1f, 0x0a, 0xb0, 0x3e, 0x99, 0xf8, 0xa9, - 0xdc, 0xf4, 0x63, 0x68, 0xb8, 0x62, 0xbf, 0x72, 0x3e, 0xd9, 0x99, 0xda, 0x49, 0xab, 0xee, 0x66, - 0xdc, 0xf8, 0x09, 0x34, 0x03, 0x69, 0xe0, 0xc4, 0x35, 0x4b, 0xe9, 0xbe, 0x64, 0x6d, 0x6f, 0x35, - 0x82, 0xcc, 0xc8, 0xf4, 0xc0, 0xf8, 0x81, 0x62, 0x86, 0x06, 0x8c, 0x22, 0xc7, 0x7f, 0x13, 0xd9, - 0xbd, 0x01, 0x65, 0x91, 0xad, 0xf0, 0x6d, 0x6a, 0x58, 0xe2, 0xdb, 0x7c, 0x00, 0xab, 0x39, 0x2e, - 0x4a, 0xd7, 0x15, 0x28, 0x8d, 0x51, 0x20, 0xa8, 0x37, 0x2d, 0xfe, 0x69, 0x3a, 0xd0, 0xb1, 0x90, - 0xe3, 0xbd, 0x39, 0x69, 0x14, 0x8b, 0x52, 0xca, 0x62, 0x13, 0x8c, 0x2c, 0x0b, 0x25, 0x8a, 0x96, - 0xba, 0x90, 0x91, 0xfa, 0x39, 0x74, 0xf6, 0xc6, 0x24, 0x42, 0x03, 0xe6, 0xe1, 0xe0, 0x4d, 0x94, - 0x23, 0x7f, 0x0d, 0xab, 0x2f, 0xd8, 0xd5, 0x0f, 0x9c, 0x58, 0x84, 0x7f, 0x46, 0x6f, 0x48, 0x3f, - 0x4a, 0x5e, 0x6a, 0xfd, 0x28, 0x79, 0xc9, 0x8b, 0x1b, 0x97, 0x8c, 0x63, 0x3f, 0x10, 0x47, 0xa1, - 0x69, 0xa9, 0x91, 0xb9, 0x0b, 0x0d, 0x99, 0x43, 0x1f, 0x13, 0x2f, 0x1e, 0xa3, 0x99, 0x67, 0x70, - 0x03, 0x20, 0x74, 0xa8, 0xe3, 0x23, 0x86, 0xa8, 0xf4, 0xa1, 0x9a, 0x95, 0x81, 0x98, 0xff, 0x54, - 0x84, 0x35, 0xd9, 0x6f, 0x18, 0xc8, 0x32, 0x5b, 0xab, 0xd0, 0x83, 0xea, 0x88, 0x44, 0x2c, 0x43, - 0x30, 0x19, 0x73, 0x11, 0x79, 0x7d, 0x2e, 0xa9, 0xf1, 0xcf, 0x5c, 0x13, 0xa0, 0xb4, 0xb8, 0x09, - 0x30, 0x55, 0xe6, 0x97, 0xa7, 0xcb, 0x7c, 0x7e, 0xda, 0x34, 0x12, 0x96, 0x67, 0xbc, 0x66, 0xd5, - 0x14, 0xe4, 0xc8, 0x33, 0xee, 0x43, 0x7b, 0xc8, 0xa5, 0xb4, 0x47, 0x84, 0x9c, 0xdb, 0xa1, 0xc3, - 0x46, 0xe2, 0xa8, 0xd7, 0xac, 0xa6, 0x00, 0x1f, 0x12, 0x72, 0xde, 0x77, 0xd8, 0xc8, 0xf8, 0x0c, - 0x5a, 0x2a, 0x0d, 0xf4, 0x85, 0x89, 0x22, 0x75, 0xf9, 0xa9, 0x53, 0x94, 0xb5, 0x9e, 0xd5, 0x3c, - 0xcf, 0x8c, 0x22, 0xf3, 0x26, 0xdc, 0x78, 0x86, 0x22, 0x46, 0xc9, 0x55, 0xde, 0x30, 0xe6, 0x03, - 0xb8, 0x27, 0xbb, 0x08, 0x03, 0xe6, 0x8c, 0xd1, 0xf7, 0x98, 0x32, 0x4c, 0xce, 0xa2, 0xc1, 0xc8, - 0xa1, 0xe8, 0x98, 0xc4, 0x01, 0xd3, 0x65, 0xae, 0xf9, 0xc7, 0x00, 0x47, 0x01, 0x43, 0xf4, 0xcc, - 0x71, 0x51, 0x64, 0x7c, 0x90, 0x1d, 0xa9, 0x2c, 0x6a, 0x65, 0x4b, 0xf6, 0x85, 0x92, 0x09, 0x2b, - 0x83, 0x63, 0x6e, 0xc1, 0xb2, 0x45, 0x62, 0x1e, 0xb7, 0xde, 0xd5, 0x5f, 0x6a, 0x5d, 0x43, 0xad, - 0x13, 0x40, 0x4b, 0xcd, 0x99, 0x87, 0xba, 0xd6, 0x4d, 0xc9, 0xa9, 0xbd, 0xdc, 0x82, 0x1a, 0xd6, - 0x30, 0x15, 0x7e, 0xa6, 0x59, 0xa7, 0x28, 0xe6, 0x17, 0xb0, 0x2a, 0x29, 0x49, 0xca, 0x9a, 0xcc, - 0xbb, 0xb0, 0x4c, 0xb5, 0x18, 0x85, 0xb4, 0x21, 0xa4, 0x90, 0xd4, 0x9c, 0x79, 0x04, 0xb7, 0xe5, - 0xe2, 0xfd, 0x70, 0x84, 0x7c, 0x44, 0x9d, 0x71, 0xce, 0x2c, 0x39, 0x57, 0x29, 0x2c, 0x74, 0x15, - 0xbe, 0x07, 0xdf, 0xe2, 0x88, 0xa5, 0x36, 0xd1, 0xa6, 0x5d, 0x85, 0x0e, 0x9f, 0xc8, 0x89, 0x67, - 0x7e, 0x05, 0x8d, 0x1d, 0xab, 0xff, 0x1d, 0xc2, 0xc3, 0xd1, 0x29, 0x8f, 0xd8, 0x9f, 0xe4, 0xc7, - 0x8a, 0x99, 0xa1, 0x14, 0xcf, 0x4c, 0x59, 0x39, 0x3c, 0xf3, 0x6b, 0x58, 0xdf, 0xf1, 0xbc, 0x2c, - 0x48, 0x8b, 0xfe, 0x01, 0xd4, 0x82, 0x0c, 0xb9, 0xcc, 0x3d, 0x99, 0xc3, 0x4e, 0x91, 0xcc, 0x47, - 0x60, 0x1c, 0x20, 0x76, 0xd4, 0x7f, 0xe1, 0x9c, 0x8e, 0x53, 0x43, 0xde, 0x84, 0x0a, 0x8e, 0x6c, - 0x1c, 0x5e, 0x7c, 0x22, 0xa8, 0x54, 0xad, 0x65, 0x1c, 0x1d, 0x85, 0x17, 0x9f, 0x98, 0x0f, 0x61, - 0x35, 0x87, 0xbe, 0x20, 0x94, 0xed, 0x80, 0x31, 0xf8, 0xed, 0x94, 0x13, 0x12, 0xc5, 0x0c, 0x89, - 0x87, 0xb0, 0x3a, 0xf8, 0x8d, 0xdc, 0xfe, 0x12, 0x56, 0x9f, 0x07, 0x63, 0x1c, 0xa0, 0xbd, 0xfe, - 0xc9, 0x31, 0x4a, 0xe2, 0xb8, 0x01, 0x65, 0x9e, 0xef, 0x2a, 0x5e, 0xe2, 0x9b, 0x8b, 0x10, 0x9c, - 0xda, 0x6e, 0x18, 0x47, 0xaa, 0x51, 0xb6, 0x1c, 0x9c, 0xee, 0x85, 0x71, 0xc4, 0x2f, 0x66, 0x9e, - 0x98, 0x91, 0x60, 0x7c, 0x25, 0xa2, 0x5b, 0xd5, 0xaa, 0xb8, 0x61, 0xfc, 0x3c, 0x18, 0x5f, 0x99, - 0x7f, 0x24, 0xba, 0x17, 0x08, 0x79, 0x96, 0x13, 0x78, 0xc4, 0x7f, 0x86, 0x2e, 0x32, 0x1c, 0xa6, - 0xe4, 0xfe, 0xa5, 0x00, 0x8d, 0x9d, 0x21, 0x0a, 0xd8, 0x33, 0xc4, 0x1c, 0x3c, 0x16, 0xd5, 0xf0, - 0x05, 0xa2, 0x11, 0x26, 0x81, 0x0a, 0x55, 0x7a, 0x68, 0xbc, 0x0d, 0x75, 0x1c, 0x60, 0x66, 0x7b, - 0x0e, 0xf2, 0x49, 0x20, 0xa8, 0x54, 0x2d, 0xe0, 0xa0, 0x67, 0x02, 0x62, 0x3c, 0x80, 0xb6, 0x6c, - 0x64, 0xda, 0x23, 0x27, 0xf0, 0xc6, 0x3c, 0x48, 0x96, 0x44, 0x58, 0x6b, 0x49, 0xf0, 0xa1, 0x82, - 0x1a, 0x0f, 0x61, 0x45, 0xf9, 0x65, 0x8a, 0x59, 0x16, 0x98, 0x6d, 0x05, 0xcf, 0xa1, 0xc6, 0x61, - 0x48, 0x28, 0x8b, 0xec, 0x08, 0xb9, 0x2e, 0xf1, 0x43, 0x55, 0x4a, 0xb6, 0x35, 0x7c, 0x20, 0xc1, - 0xe6, 0x10, 0x56, 0x0f, 0xb8, 0x9e, 0x4a, 0x93, 0xf4, 0xa4, 0xb5, 0x7c, 0xe4, 0xdb, 0xa7, 0x63, - 0xe2, 0x9e, 0xdb, 0xfc, 0x62, 0x51, 0x16, 0xe6, 0xc9, 0xea, 0x2e, 0x07, 0x0e, 0xf0, 0xcf, 0xa2, - 0x6b, 0xc2, 0xb1, 0x46, 0x84, 0x85, 0xe3, 0x78, 0x68, 0x87, 0x94, 0x9c, 0x22, 0xa5, 0x62, 0xdb, - 0x47, 0xfe, 0xa1, 0x84, 0xf7, 0x39, 0xd8, 0xfc, 0xb7, 0x02, 0xac, 0xe5, 0x39, 0xa9, 0xdd, 0xde, - 0x86, 0xb5, 0x3c, 0x2b, 0x95, 0x3a, 0xc9, 0xd4, 0xbc, 0x93, 0x65, 0x28, 0x93, 0xa8, 0x27, 0xd0, - 0x14, 0x6d, 0x6f, 0xdb, 0x93, 0x94, 0xf2, 0x09, 0x63, 0x76, 0x5f, 0xac, 0x86, 0x93, 0xdd, 0xa5, - 0xcf, 0xe0, 0x96, 0x52, 0xdf, 0x9e, 0x16, 0x5b, 0x3a, 0xc4, 0xba, 0x42, 0x38, 0x9e, 0x90, 0xfe, - 0x5b, 0xe8, 0xa6, 0xa0, 0xdd, 0x2b, 0x01, 0x4c, 0x0f, 0xe5, 0xea, 0x84, 0xb2, 0x3b, 0x9e, 0x47, - 0xc5, 0x69, 0x2f, 0x5b, 0xb3, 0xa6, 0xcc, 0xa7, 0x70, 0x73, 0x80, 0x98, 0xb4, 0x86, 0xc3, 0x54, - 0x15, 0x27, 0x89, 0xad, 0x40, 0x69, 0x80, 0x5c, 0xa1, 0x7c, 0xc9, 0xe2, 0x9f, 0xdc, 0x01, 0x4f, - 0x22, 0xe4, 0x0a, 0x2d, 0x4b, 0x96, 0xf8, 0x36, 0x43, 0xa8, 0x7c, 0x35, 0x38, 0xe0, 0xb9, 0x1a, - 0x77, 0x6a, 0x99, 0xdb, 0xa9, 0x7b, 0xbc, 0x69, 0x55, 0xc4, 0xf8, 0xc8, 0x33, 0xbe, 0x86, 0x55, - 0x39, 0xe5, 0x8e, 0x9c, 0x60, 0x88, 0xec, 0x90, 0x8c, 0xb1, 0x2b, 0x5d, 0xbf, 0xf5, 0xb8, 0xa7, - 0xc2, 0x90, 0xa2, 0xb3, 0x27, 0x50, 0xfa, 0x02, 0xc3, 0xea, 0x0c, 0x27, 0x41, 0xe6, 0x7f, 0x17, - 0xa0, 0xa2, 0xe2, 0x23, 0x4f, 0x07, 0x3c, 0x8a, 0x2f, 0x10, 0x55, 0xce, 0xae, 0x46, 0xc6, 0x3d, - 0x68, 0xc9, 0x2f, 0x9b, 0x84, 0x0c, 0x93, 0xe4, 0x82, 0x6e, 0x4a, 0xe8, 0x73, 0x09, 0x14, 0xad, - 0x52, 0xd1, 0xac, 0x54, 0x7d, 0x01, 0x35, 0xe2, 0xf0, 0xb3, 0x88, 0x0b, 0x25, 0x2e, 0xe4, 0x9a, - 0xa5, 0x46, 0xfc, 0x70, 0x69, 0x7a, 0x4b, 0x82, 0x9e, 0x1e, 0xf2, 0xc3, 0xe5, 0xf3, 0xd0, 0x6e, - 0x87, 0x04, 0x07, 0x4c, 0xdd, 0xc0, 0x20, 0x40, 0x7d, 0x0e, 0x31, 0x36, 0xa1, 0x7a, 0x16, 0xd9, - 0x42, 0x1b, 0x91, 0x6d, 0x27, 0xa1, 0x5e, 0x69, 0x6d, 0x55, 0xce, 0x22, 0xf1, 0x61, 0xfe, 0x7d, - 0x01, 0x96, 0xe5, 0xc3, 0x82, 0xd1, 0x82, 0x62, 0x92, 0x31, 0x15, 0xb1, 0xc8, 0x3e, 0x85, 0x54, - 0x32, 0x4b, 0x12, 0xdf, 0x3c, 0xc6, 0x5c, 0xf8, 0xf2, 0xde, 0x57, 0x4a, 0x5c, 0xf8, 0xe2, 0xc2, - 0xbf, 0x07, 0xad, 0x34, 0xf1, 0x12, 0xf3, 0x52, 0x99, 0x66, 0x02, 0x15, 0x68, 0x73, 0x75, 0x32, - 0xff, 0x0c, 0x20, 0x6d, 0xb0, 0x73, 0x77, 0x88, 0x13, 0x61, 0xf8, 0x27, 0x87, 0x0c, 0x93, 0x94, - 0x8d, 0x7f, 0x1a, 0xf7, 0xa1, 0xe5, 0x78, 0x1e, 0xe6, 0xcb, 0x9d, 0xf1, 0x01, 0xf6, 0x92, 0x00, - 0x92, 0x87, 0x9a, 0xff, 0x51, 0x80, 0xf6, 0x1e, 0x09, 0xaf, 0xbe, 0xc2, 0x63, 0x94, 0x89, 0x6e, - 0x42, 0x48, 0x95, 0xb1, 0xf1, 0x6f, 0x5e, 0x85, 0x9c, 0xe1, 0x31, 0x92, 0xc7, 0x5e, 0x7a, 0x5d, - 0x95, 0x03, 0xc4, 0x91, 0xd7, 0x93, 0x49, 0x3b, 0xb5, 0x29, 0x27, 0x8f, 0x89, 0x27, 0xea, 0x2d, - 0x0f, 0x53, 0x3b, 0x69, 0x9e, 0x36, 0xad, 0x8a, 0x87, 0xa9, 0x98, 0x52, 0x8a, 0x2c, 0x89, 0xe6, - 0x78, 0x56, 0x91, 0x65, 0x09, 0xe1, 0x8a, 0xac, 0xc3, 0x32, 0x39, 0x3b, 0x8b, 0x10, 0x13, 0x7b, - 0x55, 0xb2, 0xd4, 0x28, 0x09, 0xc1, 0xd5, 0x4c, 0x08, 0x5e, 0x13, 0xf7, 0xda, 0xf3, 0xe7, 0xc7, - 0xfb, 0x17, 0x28, 0x60, 0xfa, 0x06, 0x7e, 0x04, 0x55, 0x0d, 0xfa, 0x2d, 0x6d, 0xe7, 0xf7, 0xa0, - 0xb5, 0xe3, 0x79, 0x83, 0x97, 0x4e, 0xa8, 0xed, 0xd1, 0x85, 0x4a, 0x7f, 0xef, 0xa8, 0x2f, 0x4d, - 0x52, 0xe2, 0x0a, 0xa8, 0x21, 0xbf, 0xf1, 0x0f, 0x10, 0x3b, 0x46, 0x8c, 0x62, 0x37, 0xb9, 0xf1, - 0xef, 0x42, 0x45, 0x41, 0xf8, 0x4a, 0x5f, 0x7e, 0xea, 0x2b, 0x40, 0x0d, 0xcd, 0x3f, 0x01, 0xe3, - 0x7b, 0x9e, 0x2f, 0x23, 0x59, 0x2c, 0x29, 0x4e, 0xef, 0x41, 0xe7, 0x42, 0x40, 0x6d, 0x99, 0x48, - 0x66, 0xb6, 0xa1, 0x2d, 0x27, 0x44, 0x7c, 0x10, 0xbc, 0x4f, 0x60, 0x55, 0xa6, 0xf7, 0x92, 0xce, - 0x35, 0x48, 0x70, 0x1b, 0x26, 0xfb, 0x59, 0xb6, 0xc4, 0xf7, 0xe3, 0xbf, 0x5b, 0x53, 0xd7, 0x98, - 0xea, 0x26, 0x19, 0x07, 0xd0, 0x9e, 0x78, 0xfa, 0x33, 0x54, 0x7b, 0x71, 0xf6, 0x8b, 0x60, 0x6f, - 0x7d, 0x4b, 0x3e, 0x25, 0x6e, 0xe9, 0xa7, 0xc4, 0xad, 0x7d, 0x3f, 0x64, 0x57, 0xc6, 0x3e, 0xb4, - 0xf2, 0x8f, 0x64, 0xc6, 0x5b, 0x3a, 0xc5, 0x9a, 0xf1, 0x74, 0x36, 0x97, 0xcc, 0x01, 0xb4, 0x27, - 0xde, 0xcb, 0xb4, 0x3c, 0xb3, 0x9f, 0xd1, 0xe6, 0x12, 0x7a, 0x0a, 0xf5, 0xcc, 0x03, 0x99, 0xd1, - 0x95, 0x44, 0xa6, 0xdf, 0xcc, 0xe6, 0x12, 0xd8, 0x83, 0x66, 0xee, 0xcd, 0xca, 0xe8, 0x29, 0x7d, - 0x66, 0x3c, 0x64, 0xcd, 0x25, 0xb2, 0x0b, 0xf5, 0xcc, 0xd3, 0x91, 0x96, 0x62, 0xfa, 0x7d, 0xaa, - 0x77, 0x6b, 0xc6, 0x8c, 0xba, 0x2d, 0x0f, 0xa0, 0x3d, 0xf1, 0x9e, 0xa4, 0x4d, 0x32, 0xfb, 0x99, - 0x69, 0xae, 0x30, 0x03, 0xb8, 0x31, 0x33, 0x4b, 0x36, 0xcc, 0x2c, 0xb9, 0xd9, 0x29, 0xf4, 0x5c, - 0xa2, 0xdf, 0x88, 0x7d, 0xcf, 0xf4, 0x20, 0x32, 0xfb, 0x3e, 0xfd, 0x24, 0xd5, 0xbb, 0x3d, 0x7b, - 0x52, 0xa9, 0xba, 0x0f, 0xad, 0xfc, 0x6b, 0x94, 0x26, 0x36, 0xf3, 0x8d, 0x6a, 0xb1, 0x13, 0xe5, - 0x1e, 0xa6, 0x52, 0x27, 0x9a, 0xf5, 0x5e, 0x35, 0x97, 0x10, 0x82, 0x8d, 0xc5, 0x75, 0x97, 0xf1, - 0x7e, 0xd6, 0x39, 0x5f, 0x53, 0x9d, 0xcd, 0x65, 0xb3, 0x03, 0xa0, 0x1a, 0x1b, 0x1e, 0x0e, 0x12, - 0x27, 0x99, 0x6a, 0xa8, 0x24, 0x4e, 0x32, 0xa3, 0x09, 0xf2, 0x14, 0x40, 0xf6, 0x23, 0x3c, 0x12, - 0x33, 0xe3, 0xa6, 0x96, 0x6a, 0xa2, 0x09, 0xd2, 0xeb, 0x4e, 0x4f, 0x4c, 0x11, 0x40, 0x94, 0x5e, - 0x87, 0xc0, 0x97, 0x00, 0x69, 0x9f, 0x43, 0x13, 0x98, 0xea, 0x7c, 0x2c, 0xb0, 0x41, 0x23, 0xdb, - 0xd5, 0x30, 0x94, 0xae, 0x33, 0x3a, 0x1d, 0x0b, 0x48, 0xb4, 0x27, 0x8a, 0xd1, 0xfc, 0x41, 0x99, - 0xac, 0x51, 0x7b, 0x53, 0x05, 0xa9, 0xf1, 0x04, 0x1a, 0xd9, 0x2a, 0x54, 0x4b, 0x31, 0xa3, 0x32, - 0xed, 0xe5, 0x2a, 0x51, 0xe3, 0x29, 0xb4, 0xf2, 0x65, 0xa3, 0xf6, 0xdc, 0x99, 0xc5, 0x64, 0x4f, - 0x35, 0x62, 0x33, 0xe8, 0x1f, 0x01, 0xa4, 0xe5, 0xa5, 0x36, 0xdf, 0x54, 0xc1, 0x39, 0xc1, 0xf5, - 0x00, 0xda, 0x13, 0x65, 0xa3, 0xd6, 0x78, 0x76, 0x35, 0xb9, 0x28, 0x4e, 0x65, 0x8a, 0x40, 0xed, - 0x82, 0xd3, 0x65, 0xa4, 0x76, 0xc1, 0x59, 0x15, 0xe3, 0x2e, 0xd4, 0x07, 0xd3, 0x34, 0x06, 0x73, - 0x69, 0xcc, 0xaa, 0x03, 0x3f, 0x06, 0x48, 0xaf, 0x5c, 0x6d, 0x85, 0xa9, 0x4b, 0xb8, 0xd7, 0xd4, - 0xcd, 0x72, 0x89, 0xb7, 0x07, 0xcd, 0x5c, 0x3f, 0x49, 0x87, 0xea, 0x59, 0x4d, 0xa6, 0x45, 0x17, - 0x58, 0xbe, 0xf9, 0xa2, 0x77, 0x70, 0x66, 0x4b, 0x66, 0x91, 0x1f, 0x67, 0xab, 0x56, 0xed, 0x41, - 0x33, 0x2a, 0xd9, 0xd7, 0x84, 0xaf, 0x6c, 0x65, 0x9a, 0x09, 0x5f, 0x33, 0x0a, 0xd6, 0xb9, 0x84, - 0x0e, 0xa1, 0x7d, 0xa0, 0x8b, 0x0e, 0x55, 0x10, 0xe9, 0xfd, 0x9b, 0x2e, 0x00, 0x7b, 0xbd, 0x59, - 0x53, 0x6a, 0x5f, 0xbe, 0x81, 0xce, 0x54, 0x31, 0x64, 0x6c, 0x24, 0x4f, 0x16, 0x33, 0xab, 0xa4, - 0xb9, 0x62, 0x1d, 0xc1, 0xca, 0x64, 0x2d, 0x64, 0xfc, 0x3e, 0xf1, 0x89, 0x59, 0x35, 0xd2, 0x5c, - 0x52, 0x9f, 0x41, 0x55, 0xe7, 0xb7, 0x86, 0x7a, 0x1a, 0x9a, 0xc8, 0x77, 0xe7, 0x2e, 0x7d, 0x22, - 0x5c, 0x3e, 0xc9, 0x1d, 0x53, 0x97, 0x9f, 0xc8, 0x30, 0x7b, 0xea, 0x25, 0x27, 0xc1, 0x7c, 0x02, - 0x15, 0x95, 0x42, 0x1a, 0x6b, 0xc9, 0x61, 0xcb, 0x64, 0x94, 0x8b, 0x3c, 0xec, 0x00, 0xb1, 0x4c, - 0x62, 0xa8, 0x99, 0x4e, 0xe7, 0x8a, 0xfa, 0x8c, 0xe4, 0x66, 0xd4, 0x5e, 0xec, 0x40, 0x23, 0x9b, - 0x1a, 0xea, 0x2d, 0x9d, 0x91, 0x2e, 0xce, 0x93, 0x64, 0xf7, 0xf2, 0x97, 0x5f, 0x37, 0x7e, 0xf7, - 0x5f, 0xbf, 0x6e, 0xfc, 0xee, 0x6f, 0x5f, 0x6d, 0x14, 0x7e, 0x79, 0xb5, 0x51, 0xf8, 0xcf, 0x57, - 0x1b, 0x85, 0xff, 0x7d, 0xb5, 0x51, 0xf8, 0xf3, 0xbf, 0x1a, 0x62, 0x36, 0x8a, 0x4f, 0xb7, 0x5c, - 0xe2, 0x6f, 0x9f, 0x3b, 0xcc, 0x79, 0x94, 0x24, 0xcf, 0xd1, 0xd4, 0x38, 0xa2, 0xee, 0x36, 0x8d, - 0x03, 0x86, 0x7d, 0xb4, 0x7d, 0x81, 0x29, 0xcb, 0x4c, 0x85, 0xe7, 0xc3, 0x6d, 0x51, 0x88, 0xcb, - 0x7f, 0x9c, 0xb9, 0x64, 0x1c, 0x6d, 0x73, 0x29, 0x4f, 0x97, 0xc5, 0xf8, 0xa3, 0xff, 0x0f, 0x00, - 0x00, 0xff, 0xff, 0x76, 0x47, 0x9c, 0x5b, 0xc7, 0x26, 0x00, 0x00, +var fileDescriptor_712ce9a559fda969 = []byte{ + // 3320 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x3a, 0xcb, 0x6e, 0x1c, 0xc7, + 0x76, 0x77, 0x1e, 0xe4, 0xcc, 0x9c, 0x79, 0x71, 0x9a, 0x14, 0x35, 0x1a, 0xeb, 0xf2, 0xea, 0xb6, + 0xae, 0x24, 0x4a, 0x8e, 0xc8, 0x6b, 0xd9, 0xb0, 0x6c, 0x0b, 0x8e, 0x42, 0x52, 0x34, 0x49, 0xdb, + 0xb4, 0x26, 0x3d, 0xa2, 0x1d, 0x24, 0x48, 0x1a, 0xcd, 0xee, 0xe2, 0x4c, 0x99, 0xd3, 0x5d, 0xed, + 0xea, 0x6a, 0x8a, 0x74, 0x80, 0x20, 0xab, 0x64, 0x97, 0x65, 0x76, 0xf9, 0x81, 0x20, 0x7f, 0x90, + 0x55, 0x80, 0x2c, 0x8c, 0xac, 0xb2, 0xcc, 0x26, 0x41, 0xac, 0x4f, 0xc8, 0x17, 0x04, 0xf5, 0xea, + 0xc7, 0xbc, 0xe4, 0x10, 0x02, 0xb2, 0x19, 0x74, 0x9d, 0x3a, 0x75, 0x5e, 0x75, 0xea, 0xd4, 0x39, + 0xa7, 0x06, 0xfa, 0x43, 0xcc, 0x46, 0xf1, 0xe9, 0x96, 0x4b, 0xfc, 0xed, 0x73, 0x87, 0x39, 0x8f, + 0x5d, 0x12, 0x30, 0x07, 0x07, 0x88, 0x46, 0x53, 0xe3, 0x88, 0xba, 0xdb, 0x63, 0x7c, 0x1a, 0x6d, + 0x87, 0x94, 0x30, 0xe2, 0x92, 0xb1, 0xfa, 0x8a, 0xb6, 0x9d, 0x21, 0x0a, 0xd8, 0x96, 0x18, 0x18, + 0xe5, 0x21, 0x0d, 0xdd, 0x5e, 0x8d, 0xb8, 0x58, 0x02, 0x7a, 0x35, 0x37, 0xd2, 0x9f, 0x75, 0x76, + 0x15, 0xa2, 0x48, 0x0d, 0xde, 0x1b, 0x12, 0x32, 0x1c, 0x23, 0x49, 0xe3, 0x34, 0x3e, 0xdb, 0x46, + 0x7e, 0xc8, 0xae, 0xe4, 0xa4, 0xf9, 0x0f, 0x45, 0x58, 0xdf, 0xa3, 0xc8, 0x61, 0x68, 0x4f, 0x0b, + 0x60, 0xa1, 0x1f, 0x62, 0x14, 0x31, 0xe3, 0xb7, 0xd0, 0x48, 0x84, 0xb2, 0xb1, 0xd7, 0x2d, 0xdc, + 0x29, 0x6c, 0xd6, 0xac, 0x7a, 0x02, 0x3b, 0xf2, 0x8c, 0x9b, 0x50, 0x41, 0x97, 0xc8, 0xe5, 0xb3, + 0x45, 0x31, 0xbb, 0xcc, 0x87, 0x47, 0x9e, 0xf1, 0x01, 0xd4, 0x23, 0x46, 0x71, 0x30, 0xb4, 0xe3, + 0x08, 0xd1, 0x6e, 0xe9, 0x4e, 0x61, 0xb3, 0xfe, 0x64, 0x65, 0x8b, 0x8b, 0xbc, 0x35, 0x10, 0x13, + 0x27, 0x11, 0xa2, 0x16, 0x44, 0xc9, 0xb7, 0x71, 0x1f, 0x2a, 0x1e, 0xba, 0xc0, 0x2e, 0x8a, 0xba, + 0xe5, 0x3b, 0xa5, 0xcd, 0xfa, 0x93, 0x86, 0x44, 0x7f, 0x21, 0x80, 0x96, 0x9e, 0x34, 0x1e, 0x42, + 0x35, 0x62, 0x84, 0x3a, 0x43, 0x14, 0x75, 0x97, 0x04, 0x62, 0x53, 0xd3, 0x15, 0x50, 0x2b, 0x99, + 0x36, 0x6e, 0x43, 0xe9, 0xe5, 0xde, 0x51, 0x77, 0x59, 0x70, 0x07, 0x85, 0x15, 0x22, 0xd7, 0xe2, + 0x60, 0xe3, 0x2e, 0x34, 0x23, 0x27, 0xf0, 0x4e, 0xc9, 0xa5, 0x1d, 0x62, 0x2f, 0x88, 0xba, 0x95, + 0x3b, 0x85, 0xcd, 0xaa, 0xd5, 0x50, 0xc0, 0x3e, 0x87, 0x99, 0x9f, 0xc1, 0x8d, 0x01, 0x73, 0x28, + 0xbb, 0x86, 0x75, 0xcc, 0x13, 0x58, 0xb7, 0x90, 0x4f, 0x2e, 0xae, 0x65, 0xda, 0x2e, 0x54, 0x18, + 0xf6, 0x11, 0x89, 0x99, 0x30, 0x6d, 0xd3, 0xd2, 0x43, 0xf3, 0x9f, 0x0a, 0x60, 0xec, 0x5f, 0x22, + 0xb7, 0x4f, 0x89, 0x8b, 0xa2, 0xe8, 0xff, 0x69, 0xbb, 0x1e, 0x40, 0x25, 0x94, 0x02, 0x74, 0xcb, + 0x02, 0x5d, 0xed, 0x82, 0x96, 0x4a, 0xcf, 0x9a, 0xdf, 0xc3, 0xda, 0x00, 0x0f, 0x03, 0x67, 0xfc, + 0x0e, 0xe5, 0x5d, 0x87, 0xe5, 0x48, 0xd0, 0x14, 0xa2, 0x36, 0x2d, 0x35, 0x32, 0xfb, 0x60, 0x7c, + 0xe7, 0x60, 0xf6, 0xee, 0x38, 0x99, 0x8f, 0x61, 0x35, 0x47, 0x31, 0x0a, 0x49, 0x10, 0x21, 0x21, + 0x00, 0x73, 0x58, 0x1c, 0x09, 0x62, 0x4b, 0x96, 0x1a, 0x99, 0x04, 0xd6, 0x4f, 0x42, 0xef, 0x9a, + 0xa7, 0xe9, 0x09, 0xd4, 0x28, 0x8a, 0x48, 0x4c, 0xf9, 0x19, 0x28, 0x0a, 0xa3, 0xae, 0x49, 0xa3, + 0x7e, 0x8d, 0x83, 0xf8, 0xd2, 0xd2, 0x73, 0x56, 0x8a, 0xa6, 0xfc, 0x93, 0x45, 0xd7, 0xf1, 0xcf, + 0xcf, 0xe0, 0x46, 0xdf, 0x89, 0xa3, 0xeb, 0xc8, 0x6a, 0x3e, 0xe3, 0xbe, 0x1d, 0xc5, 0xfe, 0xb5, + 0x16, 0xff, 0x63, 0x01, 0xaa, 0x7b, 0x61, 0x7c, 0x12, 0x39, 0x43, 0x64, 0xfc, 0x06, 0xea, 0x8c, + 0x30, 0x67, 0x6c, 0xc7, 0x7c, 0x28, 0xd0, 0xcb, 0x16, 0x08, 0x90, 0x44, 0xf8, 0x2d, 0x34, 0x42, + 0x44, 0xdd, 0x30, 0x56, 0x18, 0xc5, 0x3b, 0xa5, 0xcd, 0xb2, 0x55, 0x97, 0x30, 0x89, 0xb2, 0x05, + 0xab, 0x62, 0xce, 0xc6, 0x81, 0x7d, 0x8e, 0x68, 0x80, 0xc6, 0x3e, 0xf1, 0x90, 0x70, 0x8e, 0xb2, + 0xd5, 0x11, 0x53, 0x47, 0xc1, 0x57, 0xc9, 0x84, 0xf1, 0x08, 0x3a, 0x09, 0x3e, 0xf7, 0x78, 0x81, + 0x5d, 0x16, 0xd8, 0x6d, 0x85, 0x7d, 0xa2, 0xc0, 0xe6, 0x5f, 0x41, 0xeb, 0xd5, 0x88, 0x12, 0xc6, + 0xc6, 0x38, 0x18, 0xbe, 0x70, 0x98, 0xc3, 0x8f, 0x66, 0x88, 0x28, 0x26, 0x5e, 0xa4, 0xa4, 0xd5, + 0x43, 0xe3, 0x7d, 0xe8, 0x30, 0x89, 0x8b, 0x3c, 0x5b, 0xe3, 0x14, 0x05, 0xce, 0x4a, 0x32, 0xd1, + 0x57, 0xc8, 0xf7, 0xa0, 0x95, 0x22, 0xf3, 0xc3, 0xad, 0xe4, 0x6d, 0x26, 0xd0, 0x57, 0xd8, 0x47, + 0xe6, 0x85, 0xb0, 0x95, 0xd8, 0x64, 0xe3, 0x7d, 0xa8, 0xa5, 0x76, 0x28, 0x08, 0x0f, 0x69, 0x49, + 0x0f, 0xd1, 0xe6, 0xb4, 0xaa, 0x89, 0x51, 0x3e, 0x87, 0x36, 0x4b, 0x04, 0xb7, 0x3d, 0x87, 0x39, + 0x79, 0xa7, 0xca, 0x6b, 0x65, 0xb5, 0x58, 0x6e, 0x6c, 0x3e, 0x83, 0x5a, 0x1f, 0x7b, 0x91, 0x64, + 0xdc, 0x85, 0x8a, 0x1b, 0x53, 0x8a, 0x02, 0xa6, 0x55, 0x56, 0x43, 0x63, 0x0d, 0x96, 0xc6, 0xd8, + 0xc7, 0x4c, 0xa9, 0x29, 0x07, 0x26, 0x01, 0x38, 0x46, 0x3e, 0xa1, 0x57, 0xc2, 0x60, 0x6b, 0xb0, + 0x94, 0xdd, 0x5c, 0x39, 0x30, 0xde, 0x83, 0x9a, 0xef, 0x5c, 0x26, 0x9b, 0xca, 0x67, 0xaa, 0xbe, + 0x73, 0x29, 0x85, 0xef, 0x42, 0xe5, 0xcc, 0xc1, 0x63, 0x37, 0x60, 0xca, 0x2a, 0x7a, 0x98, 0x32, + 0x2c, 0x67, 0x19, 0xfe, 0x6b, 0x11, 0xea, 0x92, 0xa3, 0x14, 0x78, 0x0d, 0x96, 0x5c, 0xc7, 0x1d, + 0x25, 0x2c, 0xc5, 0xc0, 0xb8, 0xaf, 0x05, 0x29, 0x66, 0x23, 0x5c, 0x2a, 0xa9, 0x16, 0x6d, 0x1b, + 0x20, 0x7a, 0xed, 0x84, 0x4a, 0xb6, 0xd2, 0x1c, 0xe4, 0x1a, 0xc7, 0x91, 0xe2, 0x7e, 0x08, 0x0d, + 0xe9, 0x77, 0x6a, 0x49, 0x79, 0xce, 0x92, 0xba, 0xc4, 0x92, 0x8b, 0xee, 0x42, 0x33, 0x8e, 0x90, + 0x3d, 0xc2, 0x88, 0x3a, 0xd4, 0x1d, 0x5d, 0x75, 0x97, 0xe4, 0x05, 0x14, 0x47, 0xe8, 0x50, 0xc3, + 0x8c, 0x27, 0xb0, 0xc4, 0x63, 0x4b, 0xd4, 0x5d, 0x16, 0x77, 0xdd, 0xed, 0x2c, 0x49, 0xa1, 0xea, + 0x96, 0xf8, 0xdd, 0x0f, 0x18, 0xbd, 0xb2, 0x24, 0x6a, 0xef, 0x13, 0x80, 0x14, 0x68, 0xac, 0x40, + 0xe9, 0x1c, 0x5d, 0xa9, 0x73, 0xc8, 0x3f, 0xb9, 0x71, 0x2e, 0x9c, 0x71, 0xac, 0xad, 0x2e, 0x07, + 0x9f, 0x15, 0x3f, 0x29, 0x98, 0x2e, 0xb4, 0x77, 0xc7, 0xe7, 0x98, 0x64, 0x96, 0xaf, 0xc1, 0x92, + 0xef, 0x7c, 0x4f, 0xa8, 0xb6, 0xa4, 0x18, 0x08, 0x28, 0x0e, 0x08, 0xd5, 0x24, 0xc4, 0xc0, 0x68, + 0x41, 0x91, 0x84, 0xc2, 0x5e, 0x35, 0xab, 0x48, 0xc2, 0x94, 0x51, 0x39, 0xc3, 0xc8, 0xfc, 0xaf, + 0x32, 0x40, 0xca, 0xc5, 0xb0, 0xa0, 0x87, 0x89, 0x1d, 0x21, 0xca, 0xef, 0x77, 0xfb, 0xf4, 0x8a, + 0xa1, 0xc8, 0xa6, 0xc8, 0x8d, 0x69, 0x84, 0x2f, 0xf8, 0xfe, 0x71, 0xb5, 0x6f, 0x48, 0xb5, 0x27, + 0x64, 0xb3, 0x6e, 0x62, 0x32, 0x90, 0xeb, 0x76, 0xf9, 0x32, 0x4b, 0xaf, 0x32, 0x8e, 0xe0, 0x46, + 0x4a, 0xd3, 0xcb, 0x90, 0x2b, 0x2e, 0x22, 0xb7, 0x9a, 0x90, 0xf3, 0x52, 0x52, 0xfb, 0xb0, 0x8a, + 0x89, 0xfd, 0x43, 0x8c, 0xe2, 0x1c, 0xa1, 0xd2, 0x22, 0x42, 0x1d, 0x4c, 0xfe, 0x58, 0x2c, 0x48, + 0xc9, 0xf4, 0xe1, 0x56, 0x46, 0x4b, 0x7e, 0xdc, 0x33, 0xc4, 0xca, 0x8b, 0x88, 0xad, 0x27, 0x52, + 0xf1, 0x78, 0x90, 0x52, 0xfc, 0x12, 0xd6, 0x31, 0xb1, 0x5f, 0x3b, 0x98, 0x4d, 0x92, 0x5b, 0x7a, + 0x8b, 0x92, 0xfc, 0x46, 0xcb, 0xd3, 0x92, 0x4a, 0xfa, 0x88, 0x0e, 0x73, 0x4a, 0x2e, 0xbf, 0x45, + 0xc9, 0x63, 0xb1, 0x20, 0x25, 0xb3, 0x03, 0x1d, 0x4c, 0x26, 0xa5, 0xa9, 0x2c, 0x22, 0xd2, 0xc6, + 0x24, 0x2f, 0xc9, 0x2e, 0x74, 0x22, 0xe4, 0x32, 0x42, 0xb3, 0x4e, 0x50, 0x5d, 0x44, 0x62, 0x45, + 0xe1, 0x27, 0x34, 0xcc, 0x3f, 0x83, 0xc6, 0x61, 0x3c, 0x44, 0x6c, 0x7c, 0x9a, 0x04, 0x83, 0x77, + 0x16, 0x7f, 0xcc, 0xff, 0x29, 0x42, 0x7d, 0x6f, 0x48, 0x49, 0x1c, 0xe6, 0x62, 0xb2, 0x3c, 0xa4, + 0x93, 0x31, 0x59, 0xa0, 0x88, 0x98, 0x2c, 0x91, 0x3f, 0x82, 0x86, 0x2f, 0x8e, 0xae, 0xc2, 0x97, + 0x71, 0xa8, 0x33, 0x75, 0xa8, 0xad, 0xba, 0x9f, 0x09, 0x66, 0x5b, 0x00, 0x21, 0xf6, 0x22, 0xb5, + 0x46, 0x86, 0xa3, 0xb6, 0x4a, 0xb7, 0x74, 0x88, 0xb6, 0x6a, 0x61, 0x12, 0xad, 0x3f, 0x80, 0xfa, + 0x29, 0x37, 0x92, 0x5a, 0x90, 0x0b, 0x46, 0xa9, 0xf5, 0x2c, 0x38, 0x4d, 0x0f, 0xe1, 0x21, 0x34, + 0x47, 0xd2, 0x64, 0x6a, 0x91, 0xf4, 0xa1, 0xbb, 0x4a, 0x93, 0x54, 0xdf, 0xad, 0xac, 0x65, 0xe5, + 0x06, 0x34, 0x46, 0x19, 0x50, 0x6f, 0x00, 0x9d, 0x29, 0x94, 0x19, 0x31, 0x68, 0x33, 0x1b, 0x83, + 0xea, 0x4f, 0x0c, 0xc9, 0x28, 0xbb, 0x32, 0x1b, 0x97, 0xfe, 0xae, 0x08, 0x8d, 0x6f, 0x10, 0x7b, + 0x4d, 0xe8, 0xb9, 0x94, 0xd7, 0x80, 0x72, 0xe0, 0xf8, 0x48, 0x51, 0x14, 0xdf, 0xc6, 0x2d, 0xa8, + 0xd2, 0x4b, 0x19, 0x40, 0xd4, 0x7e, 0x56, 0xe8, 0xa5, 0x08, 0x0c, 0xc6, 0xaf, 0x01, 0xe8, 0xa5, + 0x1d, 0x3a, 0xee, 0x39, 0x52, 0x16, 0x2c, 0x5b, 0x35, 0x7a, 0xd9, 0x97, 0x00, 0xee, 0x0a, 0xf4, + 0xd2, 0x46, 0x94, 0x12, 0x1a, 0xa9, 0x58, 0x55, 0xa5, 0x97, 0xfb, 0x62, 0xac, 0xd6, 0x7a, 0x94, + 0x84, 0x21, 0xf2, 0x44, 0x8c, 0x16, 0x6b, 0x5f, 0x48, 0x00, 0xe7, 0xca, 0x34, 0xd7, 0x65, 0xc9, + 0x95, 0xa5, 0x5c, 0x59, 0xca, 0xb5, 0x22, 0x57, 0xb2, 0x2c, 0x57, 0x96, 0x70, 0xad, 0x4a, 0xae, + 0x2c, 0xc3, 0x95, 0xa5, 0x5c, 0x6b, 0x7a, 0xad, 0xe2, 0x6a, 0xfe, 0x6d, 0x01, 0xd6, 0x27, 0x13, + 0x3f, 0x95, 0x9b, 0x7e, 0x04, 0x0d, 0x57, 0xec, 0x57, 0xce, 0x27, 0x3b, 0x53, 0x3b, 0x69, 0xd5, + 0xdd, 0x8c, 0x1b, 0x3f, 0x85, 0x66, 0x20, 0x0d, 0x9c, 0xb8, 0x66, 0x29, 0xdd, 0x97, 0xac, 0xed, + 0xad, 0x46, 0x90, 0x19, 0x99, 0x1e, 0x18, 0xdf, 0x51, 0xcc, 0xd0, 0x80, 0x51, 0xe4, 0xf8, 0xef, + 0x22, 0xbb, 0x37, 0xa0, 0x2c, 0xb2, 0x15, 0xbe, 0x4d, 0x0d, 0x4b, 0x7c, 0x9b, 0x0f, 0x60, 0x35, + 0xc7, 0x45, 0xe9, 0xba, 0x02, 0xa5, 0x31, 0x0a, 0x04, 0xf5, 0xa6, 0xc5, 0x3f, 0x4d, 0x07, 0x3a, + 0x16, 0x72, 0xbc, 0x77, 0x27, 0x8d, 0x62, 0x51, 0x4a, 0x59, 0x6c, 0x82, 0x91, 0x65, 0xa1, 0x44, + 0xd1, 0x52, 0x17, 0x32, 0x52, 0xbf, 0x84, 0xce, 0xde, 0x98, 0x44, 0x68, 0xc0, 0x3c, 0x1c, 0xbc, + 0x8b, 0x72, 0xe4, 0x2f, 0x61, 0xf5, 0x15, 0xbb, 0xfa, 0x8e, 0x13, 0x8b, 0xf0, 0x8f, 0xe8, 0x1d, + 0xe9, 0x47, 0xc9, 0x6b, 0xad, 0x1f, 0x25, 0xaf, 0x79, 0x71, 0xe3, 0x92, 0x71, 0xec, 0x07, 0xe2, + 0x28, 0x34, 0x2d, 0x35, 0x32, 0x77, 0xa1, 0x21, 0x73, 0xe8, 0x63, 0xe2, 0xc5, 0x63, 0x34, 0xf3, + 0x0c, 0x6e, 0x00, 0x84, 0x0e, 0x75, 0x7c, 0xc4, 0x10, 0x95, 0x3e, 0x54, 0xb3, 0x32, 0x10, 0xf3, + 0xef, 0x8b, 0xb0, 0x26, 0xfb, 0x0d, 0x03, 0x59, 0x66, 0x6b, 0x15, 0x7a, 0x50, 0x1d, 0x91, 0x88, + 0x65, 0x08, 0x26, 0x63, 0x2e, 0x22, 0xaf, 0xcf, 0x25, 0x35, 0xfe, 0x99, 0x6b, 0x02, 0x94, 0x16, + 0x37, 0x01, 0xa6, 0xca, 0xfc, 0xf2, 0x74, 0x99, 0xcf, 0x4f, 0x9b, 0x46, 0xc2, 0xf2, 0x8c, 0xd7, + 0xac, 0x9a, 0x82, 0x1c, 0x79, 0xc6, 0x7d, 0x68, 0x0f, 0xb9, 0x94, 0xf6, 0x88, 0x90, 0x73, 0x3b, + 0x74, 0xd8, 0x48, 0x1c, 0xf5, 0x9a, 0xd5, 0x14, 0xe0, 0x43, 0x42, 0xce, 0xfb, 0x0e, 0x1b, 0x19, + 0x9f, 0x42, 0x4b, 0xa5, 0x81, 0xbe, 0x30, 0x51, 0xa4, 0x2e, 0x3f, 0x75, 0x8a, 0xb2, 0xd6, 0xb3, + 0x9a, 0xe7, 0x99, 0x51, 0x64, 0xde, 0x84, 0x1b, 0x2f, 0x50, 0xc4, 0x28, 0xb9, 0xca, 0x1b, 0xc6, + 0x7c, 0x00, 0xf7, 0x64, 0x17, 0x61, 0xc0, 0x9c, 0x31, 0xfa, 0x16, 0x53, 0x86, 0xc9, 0x59, 0x34, + 0x18, 0x39, 0x14, 0x1d, 0x93, 0x38, 0x60, 0xba, 0xcc, 0x35, 0xff, 0x10, 0xe0, 0x28, 0x60, 0x88, + 0x9e, 0x39, 0x2e, 0x8a, 0x8c, 0xdf, 0x67, 0x47, 0x2a, 0x8b, 0x5a, 0xd9, 0x92, 0x7d, 0xa1, 0x64, + 0xc2, 0xca, 0xe0, 0x98, 0x5b, 0xb0, 0x6c, 0x91, 0x98, 0xc7, 0xad, 0xdf, 0xe9, 0x2f, 0xb5, 0xae, + 0xa1, 0xd6, 0x09, 0xa0, 0xa5, 0xe6, 0xcc, 0x43, 0x5d, 0xeb, 0xa6, 0xe4, 0xd4, 0x5e, 0x6e, 0x41, + 0x0d, 0x6b, 0x98, 0x0a, 0x3f, 0xd3, 0xac, 0x53, 0x14, 0xf3, 0x19, 0xac, 0x4a, 0x4a, 0x92, 0xb2, + 0x26, 0xf3, 0x3b, 0x58, 0xa6, 0x5a, 0x8c, 0x42, 0xda, 0x10, 0x52, 0x48, 0x6a, 0xce, 0x3c, 0x82, + 0xdb, 0x72, 0xf1, 0x7e, 0x38, 0x42, 0x3e, 0xa2, 0xce, 0x38, 0x67, 0x96, 0x9c, 0xab, 0x14, 0x16, + 0xba, 0x0a, 0xdf, 0x83, 0xaf, 0x71, 0xc4, 0x52, 0x9b, 0x68, 0xd3, 0xae, 0x42, 0x87, 0x4f, 0xe4, + 0xc4, 0x33, 0xbf, 0x80, 0xc6, 0x8e, 0xd5, 0xff, 0x06, 0xe1, 0xe1, 0xe8, 0x94, 0x47, 0xec, 0x8f, + 0xf3, 0x63, 0xc5, 0xcc, 0x50, 0x8a, 0x67, 0xa6, 0xac, 0x1c, 0x9e, 0xf9, 0x25, 0xac, 0xef, 0x78, + 0x5e, 0x16, 0xa4, 0x45, 0xff, 0x3d, 0xd4, 0x82, 0x0c, 0xb9, 0xcc, 0x3d, 0x99, 0xc3, 0x4e, 0x91, + 0xcc, 0xc7, 0x60, 0x1c, 0x20, 0x76, 0xd4, 0x7f, 0xe5, 0x9c, 0x8e, 0x53, 0x43, 0xde, 0x84, 0x0a, + 0x8e, 0x6c, 0x1c, 0x5e, 0x7c, 0x2c, 0xa8, 0x54, 0xad, 0x65, 0x1c, 0x1d, 0x85, 0x17, 0x1f, 0x9b, + 0x0f, 0x61, 0x35, 0x87, 0xbe, 0x20, 0x94, 0xed, 0x80, 0x31, 0xf8, 0xe5, 0x94, 0x13, 0x12, 0xc5, + 0x0c, 0x89, 0x87, 0xb0, 0x3a, 0xf8, 0x85, 0xdc, 0xfe, 0x1c, 0x56, 0x5f, 0x06, 0x63, 0x1c, 0xa0, + 0xbd, 0xfe, 0xc9, 0x31, 0x4a, 0xe2, 0xb8, 0x01, 0x65, 0x9e, 0xef, 0x2a, 0x5e, 0xe2, 0x9b, 0x8b, + 0x10, 0x9c, 0xda, 0x6e, 0x18, 0x47, 0xaa, 0x51, 0xb6, 0x1c, 0x9c, 0xee, 0x85, 0x71, 0xc4, 0x2f, + 0x66, 0x9e, 0x98, 0x91, 0x60, 0x7c, 0x25, 0xa2, 0x5b, 0xd5, 0xaa, 0xb8, 0x61, 0xfc, 0x32, 0x18, + 0x5f, 0x99, 0x7f, 0x20, 0xba, 0x17, 0x08, 0x79, 0x96, 0x13, 0x78, 0xc4, 0x7f, 0x81, 0x2e, 0x32, + 0x1c, 0xa6, 0xe4, 0xfe, 0xa9, 0x00, 0x8d, 0x9d, 0x21, 0x0a, 0xd8, 0x0b, 0xc4, 0x1c, 0x3c, 0x16, + 0xd5, 0xf0, 0x05, 0xa2, 0x11, 0x26, 0x81, 0x0a, 0x55, 0x7a, 0x68, 0xfc, 0x06, 0xea, 0x38, 0xc0, + 0xcc, 0xf6, 0x1c, 0xe4, 0x93, 0x40, 0x50, 0xa9, 0x5a, 0xc0, 0x41, 0x2f, 0x04, 0xc4, 0x78, 0x00, + 0x6d, 0xd9, 0xc8, 0xb4, 0x47, 0x4e, 0xe0, 0x8d, 0x79, 0x90, 0x2c, 0x89, 0xb0, 0xd6, 0x92, 0xe0, + 0x43, 0x05, 0x35, 0x1e, 0xc2, 0x8a, 0xf2, 0xcb, 0x14, 0xb3, 0x2c, 0x30, 0xdb, 0x0a, 0x9e, 0x43, + 0x8d, 0xc3, 0x90, 0x50, 0x16, 0xd9, 0x11, 0x72, 0x5d, 0xe2, 0x87, 0xaa, 0x94, 0x6c, 0x6b, 0xf8, + 0x40, 0x82, 0xcd, 0x21, 0xac, 0x1e, 0x70, 0x3d, 0x95, 0x26, 0xe9, 0x49, 0x6b, 0xf9, 0xc8, 0xb7, + 0x4f, 0xc7, 0xc4, 0x3d, 0xb7, 0xf9, 0xc5, 0xa2, 0x2c, 0xcc, 0x93, 0xd5, 0x5d, 0x0e, 0x1c, 0xe0, + 0x1f, 0x45, 0xd7, 0x84, 0x63, 0x8d, 0x08, 0x0b, 0xc7, 0xf1, 0xd0, 0x0e, 0x29, 0x39, 0x45, 0x4a, + 0xc5, 0xb6, 0x8f, 0xfc, 0x43, 0x09, 0xef, 0x73, 0xb0, 0xf9, 0xcf, 0x05, 0x58, 0xcb, 0x73, 0x52, + 0xbb, 0xbd, 0x0d, 0x6b, 0x79, 0x56, 0x2a, 0x75, 0x92, 0xa9, 0x79, 0x27, 0xcb, 0x50, 0x26, 0x51, + 0x4f, 0xa1, 0x29, 0xda, 0xde, 0xb6, 0x27, 0x29, 0xe5, 0x13, 0xc6, 0xec, 0xbe, 0x58, 0x0d, 0x27, + 0xbb, 0x4b, 0x9f, 0xc2, 0x2d, 0xa5, 0xbe, 0x3d, 0x2d, 0xb6, 0x74, 0x88, 0x75, 0x85, 0x70, 0x3c, + 0x21, 0xfd, 0xd7, 0xd0, 0x4d, 0x41, 0xbb, 0x57, 0x02, 0x98, 0x1e, 0xca, 0xd5, 0x09, 0x65, 0x77, + 0x3c, 0x8f, 0x8a, 0xd3, 0x5e, 0xb6, 0x66, 0x4d, 0x99, 0xcf, 0xe1, 0xe6, 0x00, 0x31, 0x69, 0x0d, + 0x87, 0xa9, 0x2a, 0x4e, 0x12, 0x5b, 0x81, 0xd2, 0x00, 0xb9, 0x42, 0xf9, 0x92, 0xc5, 0x3f, 0xb9, + 0x03, 0x9e, 0x44, 0xc8, 0x15, 0x5a, 0x96, 0x2c, 0xf1, 0x6d, 0x86, 0x50, 0xf9, 0x62, 0x70, 0xc0, + 0x73, 0x35, 0xee, 0xd4, 0x32, 0xb7, 0x53, 0xf7, 0x78, 0xd3, 0xaa, 0x88, 0xf1, 0x91, 0x67, 0x7c, + 0x09, 0xab, 0x72, 0xca, 0x1d, 0x39, 0xc1, 0x10, 0xd9, 0x21, 0x19, 0x63, 0x57, 0xba, 0x7e, 0xeb, + 0x49, 0x4f, 0x85, 0x21, 0x45, 0x67, 0x4f, 0xa0, 0xf4, 0x05, 0x86, 0xd5, 0x19, 0x4e, 0x82, 0xcc, + 0xff, 0x2c, 0x40, 0x45, 0xc5, 0x47, 0x9e, 0x0e, 0x78, 0x14, 0x5f, 0x20, 0xaa, 0x9c, 0x5d, 0x8d, + 0x8c, 0x7b, 0xd0, 0x92, 0x5f, 0x36, 0x09, 0x19, 0x26, 0xc9, 0x05, 0xdd, 0x94, 0xd0, 0x97, 0x12, + 0x28, 0x5a, 0xa5, 0xa2, 0x59, 0xa9, 0xfa, 0x02, 0x6a, 0xc4, 0xe1, 0x67, 0x11, 0x17, 0x4a, 0x5c, + 0xc8, 0x35, 0x4b, 0x8d, 0xf8, 0xe1, 0xd2, 0xf4, 0x96, 0x04, 0x3d, 0x3d, 0xe4, 0x87, 0xcb, 0xe7, + 0xa1, 0xdd, 0x0e, 0x09, 0x0e, 0x98, 0xba, 0x81, 0x41, 0x80, 0xfa, 0x1c, 0x62, 0x6c, 0x42, 0xf5, + 0x2c, 0xb2, 0x85, 0x36, 0x22, 0xdb, 0x4e, 0x42, 0xbd, 0xd2, 0xda, 0xaa, 0x9c, 0x45, 0xe2, 0xc3, + 0xfc, 0x9b, 0x02, 0x2c, 0xcb, 0x87, 0x05, 0xa3, 0x05, 0xc5, 0x24, 0x63, 0x2a, 0x62, 0x91, 0x7d, + 0x0a, 0xa9, 0x64, 0x96, 0x24, 0xbe, 0x79, 0x8c, 0xb9, 0xf0, 0xe5, 0xbd, 0xaf, 0x94, 0xb8, 0xf0, + 0xc5, 0x85, 0x7f, 0x0f, 0x5a, 0x69, 0xe2, 0x25, 0xe6, 0xa5, 0x32, 0xcd, 0x04, 0x2a, 0xd0, 0xe6, + 0xea, 0x64, 0xfe, 0x09, 0x40, 0xda, 0x60, 0xe7, 0xee, 0x10, 0x27, 0xc2, 0xf0, 0x4f, 0x0e, 0x19, + 0x26, 0x29, 0x1b, 0xff, 0x34, 0xee, 0x43, 0xcb, 0xf1, 0x3c, 0xcc, 0x97, 0x3b, 0xe3, 0x03, 0xec, + 0x25, 0x01, 0x24, 0x0f, 0x35, 0xff, 0xad, 0x00, 0xed, 0x3d, 0x12, 0x5e, 0x7d, 0x81, 0xc7, 0x28, + 0x13, 0xdd, 0x84, 0x90, 0x2a, 0x63, 0xe3, 0xdf, 0xbc, 0x0a, 0x39, 0xc3, 0x63, 0x24, 0x8f, 0xbd, + 0xf4, 0xba, 0x2a, 0x07, 0x88, 0x23, 0xaf, 0x27, 0x93, 0x76, 0x6a, 0x53, 0x4e, 0x1e, 0x13, 0x4f, + 0xd4, 0x5b, 0x1e, 0xa6, 0x76, 0xd2, 0x3c, 0x6d, 0x5a, 0x15, 0x0f, 0x53, 0x31, 0xa5, 0x14, 0x59, + 0x12, 0xcd, 0xf1, 0xac, 0x22, 0xcb, 0x12, 0xc2, 0x15, 0x59, 0x87, 0x65, 0x72, 0x76, 0x16, 0x21, + 0x26, 0xf6, 0xaa, 0x64, 0xa9, 0x51, 0x12, 0x82, 0xab, 0x99, 0x10, 0xbc, 0x26, 0xee, 0xb5, 0x97, + 0x2f, 0x8f, 0xf7, 0x2f, 0x50, 0xc0, 0xf4, 0x0d, 0xfc, 0x18, 0xaa, 0x1a, 0xf4, 0x4b, 0xda, 0xce, + 0x8f, 0xa0, 0xb5, 0xe3, 0x79, 0x83, 0xd7, 0x4e, 0xa8, 0xed, 0xd1, 0x85, 0x4a, 0x7f, 0xef, 0xa8, + 0x2f, 0x4d, 0x52, 0xe2, 0x0a, 0xa8, 0x21, 0xbf, 0xf1, 0x0f, 0x10, 0x3b, 0x46, 0x8c, 0x62, 0x37, + 0xb9, 0xf1, 0xef, 0x42, 0x45, 0x41, 0xf8, 0x4a, 0x5f, 0x7e, 0xea, 0x2b, 0x40, 0x0d, 0xcd, 0x3f, + 0x02, 0xe3, 0x5b, 0x9e, 0x2f, 0x23, 0x59, 0x2c, 0x29, 0x4e, 0x8f, 0xa0, 0x73, 0x21, 0xa0, 0xb6, + 0x4c, 0x24, 0x33, 0xdb, 0xd0, 0x96, 0x13, 0x22, 0x3e, 0x08, 0xde, 0x27, 0xb0, 0x2a, 0xd3, 0x7b, + 0x49, 0xe7, 0x1a, 0x24, 0xb8, 0x0d, 0x93, 0xfd, 0x2c, 0x5b, 0xe2, 0xdb, 0x7c, 0x04, 0x2b, 0x03, + 0xc4, 0xd4, 0x99, 0x57, 0x34, 0xd7, 0x61, 0x59, 0x85, 0x09, 0x75, 0xb6, 0xe5, 0xe8, 0xc9, 0xbf, + 0xac, 0xa9, 0x2b, 0x4f, 0x75, 0x9e, 0x8c, 0x03, 0x68, 0x4f, 0x3c, 0x13, 0x1a, 0xaa, 0x15, 0x39, + 0xfb, 0xf5, 0xb0, 0xb7, 0xbe, 0x25, 0x9f, 0x1d, 0xb7, 0xf4, 0xb3, 0xe3, 0xd6, 0xbe, 0x1f, 0xb2, + 0x2b, 0x63, 0x1f, 0x5a, 0xf9, 0x07, 0x35, 0xe3, 0x3d, 0x9d, 0x8e, 0xcd, 0x78, 0x66, 0x9b, 0x4b, + 0xe6, 0x00, 0xda, 0x13, 0x6f, 0x6b, 0x5a, 0x9e, 0xd9, 0x4f, 0x6e, 0x73, 0x09, 0x3d, 0x87, 0x7a, + 0xe6, 0x31, 0xcd, 0xe8, 0x4a, 0x22, 0xd3, 0xef, 0x6b, 0x73, 0x09, 0xec, 0x41, 0x33, 0xf7, 0xbe, + 0x65, 0xf4, 0x94, 0x3e, 0x33, 0x1e, 0xbd, 0xe6, 0x12, 0xd9, 0x85, 0x7a, 0xe6, 0x99, 0x49, 0x4b, + 0x31, 0xfd, 0x96, 0xd5, 0xbb, 0x35, 0x63, 0x46, 0xdd, 0xac, 0x07, 0xd0, 0x9e, 0x78, 0x7b, 0xd2, + 0x26, 0x99, 0xfd, 0x24, 0x35, 0x57, 0x98, 0x01, 0xdc, 0x98, 0x99, 0x51, 0x1b, 0x66, 0x96, 0xdc, + 0xec, 0x74, 0x7b, 0x2e, 0xd1, 0xaf, 0xc4, 0xbe, 0x67, 0xfa, 0x15, 0x99, 0x7d, 0x9f, 0x7e, 0xbe, + 0xea, 0xdd, 0x9e, 0x3d, 0xa9, 0x54, 0xdd, 0x87, 0x56, 0xfe, 0xe5, 0x4a, 0x13, 0x9b, 0xf9, 0x9e, + 0xb5, 0xd8, 0x89, 0x72, 0x8f, 0x58, 0xa9, 0x13, 0xcd, 0x7a, 0xdb, 0x9a, 0x4b, 0x08, 0xc1, 0xc6, + 0xe2, 0x1a, 0xcd, 0x78, 0x3f, 0xeb, 0x9c, 0x6f, 0xa9, 0xe4, 0xe6, 0xb2, 0xd9, 0x01, 0x50, 0x4d, + 0x10, 0x0f, 0x07, 0x89, 0x93, 0x4c, 0x35, 0x5f, 0x12, 0x27, 0x99, 0xd1, 0x30, 0x79, 0x0e, 0x20, + 0x7b, 0x17, 0x1e, 0x89, 0x99, 0x71, 0x53, 0x4b, 0x35, 0xd1, 0x30, 0xe9, 0x75, 0xa7, 0x27, 0xa6, + 0x08, 0x20, 0x4a, 0xaf, 0x43, 0xe0, 0x73, 0x80, 0xb4, 0x27, 0xa2, 0x09, 0x4c, 0x75, 0x49, 0x16, + 0xd8, 0xa0, 0x91, 0xed, 0x80, 0x18, 0x4a, 0xd7, 0x19, 0x5d, 0x91, 0x05, 0x24, 0xda, 0x13, 0x85, + 0x6b, 0xfe, 0xa0, 0x4c, 0xd6, 0xb3, 0xbd, 0xa9, 0xe2, 0xd5, 0x78, 0x0a, 0x8d, 0x6c, 0xc5, 0xaa, + 0xa5, 0x98, 0x51, 0xc5, 0xf6, 0x72, 0x55, 0xab, 0xf1, 0x1c, 0x5a, 0xf9, 0x12, 0x53, 0x7b, 0xee, + 0xcc, 0xc2, 0xb3, 0xa7, 0x9a, 0xb6, 0x19, 0xf4, 0x0f, 0x01, 0xd2, 0x52, 0x54, 0x9b, 0x6f, 0xaa, + 0x38, 0x9d, 0xe0, 0x7a, 0x00, 0xed, 0x89, 0x12, 0x53, 0x6b, 0x3c, 0xbb, 0xf2, 0x5c, 0x14, 0xa7, + 0x32, 0x05, 0xa3, 0x76, 0xc1, 0xe9, 0x92, 0x53, 0xbb, 0xe0, 0xac, 0xea, 0x72, 0x17, 0xea, 0x83, + 0x69, 0x1a, 0x83, 0xb9, 0x34, 0x66, 0xd5, 0x8c, 0x1f, 0x01, 0xa4, 0xd7, 0xb3, 0xb6, 0xc2, 0xd4, + 0x85, 0xdd, 0x6b, 0xea, 0xc6, 0xba, 0xc4, 0xdb, 0x83, 0x66, 0xae, 0xf7, 0xa4, 0x43, 0xf5, 0xac, + 0x86, 0xd4, 0xa2, 0x0b, 0x2c, 0xdf, 0xa8, 0xd1, 0x3b, 0x38, 0xb3, 0x7d, 0xb3, 0xc8, 0x8f, 0xb3, + 0x15, 0xae, 0xf6, 0xa0, 0x19, 0x55, 0xef, 0x5b, 0xc2, 0x57, 0xb6, 0x8a, 0xcd, 0x84, 0xaf, 0x19, + 0xc5, 0xed, 0x5c, 0x42, 0x87, 0xd0, 0x3e, 0xd0, 0x05, 0x8a, 0x2a, 0x9e, 0xf4, 0xfe, 0x4d, 0x17, + 0x8b, 0xbd, 0xde, 0xac, 0x29, 0xb5, 0x2f, 0x5f, 0x41, 0x67, 0xaa, 0x70, 0x32, 0x36, 0x92, 0xe7, + 0x8d, 0x99, 0x15, 0xd5, 0x5c, 0xb1, 0x8e, 0x44, 0xc2, 0x92, 0xab, 0x9b, 0x8c, 0x5f, 0x27, 0x3e, + 0x31, 0xab, 0x9e, 0x9a, 0x4b, 0xea, 0x53, 0xa8, 0xea, 0x5c, 0xd8, 0x50, 0xcf, 0x48, 0x13, 0xb9, + 0xf1, 0xdc, 0xa5, 0x4f, 0x85, 0xcb, 0x27, 0x79, 0x66, 0xea, 0xf2, 0x13, 0xd9, 0x68, 0x4f, 0xbd, + 0xfa, 0x24, 0x98, 0x4f, 0xa1, 0xa2, 0xd2, 0x4d, 0x63, 0x2d, 0x39, 0x6c, 0x99, 0xec, 0x73, 0x91, + 0x87, 0x1d, 0x20, 0x96, 0x49, 0x22, 0x35, 0xd3, 0xe9, 0xbc, 0x52, 0x9f, 0x91, 0xdc, 0x8c, 0xda, + 0x8b, 0x1d, 0x68, 0x64, 0xd3, 0x48, 0xbd, 0xa5, 0x33, 0x52, 0xcb, 0xb9, 0x92, 0x3c, 0x83, 0x5a, + 0x92, 0x32, 0x1a, 0xeb, 0x89, 0xe9, 0x73, 0x39, 0xe4, 0xbc, 0xc5, 0xbb, 0x97, 0x3f, 0xfd, 0xbc, + 0xf1, 0xab, 0xff, 0xf8, 0x79, 0xe3, 0x57, 0x7f, 0xfd, 0x66, 0xa3, 0xf0, 0xd3, 0x9b, 0x8d, 0xc2, + 0xbf, 0xbf, 0xd9, 0x28, 0xfc, 0xf7, 0x9b, 0x8d, 0xc2, 0x9f, 0xfe, 0xc5, 0xff, 0xf1, 0xcf, 0x70, + 0x34, 0x0e, 0x18, 0xf6, 0xd1, 0xf6, 0x05, 0xa6, 0x2c, 0x33, 0x15, 0x9e, 0x0f, 0xe5, 0x3f, 0xe2, + 0x32, 0x7f, 0x94, 0xe3, 0x22, 0x9e, 0x2e, 0x8b, 0xf1, 0x87, 0xff, 0x1b, 0x00, 0x00, 0xff, 0xff, + 0xaf, 0xec, 0xb5, 0x21, 0x75, 0x27, 0x00, 0x00, } func (m *CreateContainerRequest) Marshal() (dAtA []byte, err error) { @@ -6179,6 +6224,40 @@ func (m *ResizeVolumeRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *SetPolicyRequest) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SetPolicyRequest) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *SetPolicyRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.Policy) > 0 { + i -= len(m.Policy) + copy(dAtA[i:], m.Policy) + i = encodeVarintAgent(dAtA, i, uint64(len(m.Policy))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + func encodeVarintAgent(dAtA []byte, offset int, v uint64) int { offset -= sovAgent(v) base := offset @@ -7623,6 +7702,22 @@ func (m *ResizeVolumeRequest) Size() (n int) { return n } +func (m *SetPolicyRequest) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Policy) + if l > 0 { + n += 1 + l + sovAgent(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + func sovAgent(x uint64) (n int) { return (math_bits.Len64(x|1) + 6) / 7 } @@ -8544,6 +8639,17 @@ func (this *ResizeVolumeRequest) String() string { }, "") return s } +func (this *SetPolicyRequest) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SetPolicyRequest{`, + `Policy:` + fmt.Sprintf("%v", this.Policy) + `,`, + `XXX_unrecognized:` + fmt.Sprintf("%v", this.XXX_unrecognized) + `,`, + `}`, + }, "") + return s +} func valueToStringAgent(v interface{}) string { rv := reflect.ValueOf(v) if rv.IsNil() { @@ -8591,6 +8697,7 @@ type AgentServiceService interface { AddSwap(ctx context.Context, req *AddSwapRequest) (*types.Empty, error) GetVolumeStats(ctx context.Context, req *VolumeStatsRequest) (*VolumeStatsResponse, error) ResizeVolume(ctx context.Context, req *ResizeVolumeRequest) (*types.Empty, error) + SetPolicy(ctx context.Context, req *SetPolicyRequest) (*types.Empty, error) } func RegisterAgentServiceService(srv *github_com_containerd_ttrpc.Server, svc AgentServiceService) { @@ -8854,6 +8961,13 @@ func RegisterAgentServiceService(srv *github_com_containerd_ttrpc.Server, svc Ag } return svc.ResizeVolume(ctx, &req) }, + "SetPolicy": func(ctx context.Context, unmarshal func(interface{}) error) (interface{}, error) { + var req SetPolicyRequest + if err := unmarshal(&req); err != nil { + return nil, err + } + return svc.SetPolicy(ctx, &req) + }, }) } @@ -9162,6 +9276,14 @@ func (c *agentServiceClient) ResizeVolume(ctx context.Context, req *ResizeVolume } return &resp, nil } + +func (c *agentServiceClient) SetPolicy(ctx context.Context, req *SetPolicyRequest) (*types.Empty, error) { + var resp types.Empty + if err := c.client.Call(ctx, "grpc.AgentService", "SetPolicy", req, &resp); err != nil { + return nil, err + } + return &resp, nil +} func (m *CreateContainerRequest) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 @@ -17280,6 +17402,89 @@ func (m *ResizeVolumeRequest) Unmarshal(dAtA []byte) error { } return nil } +func (m *SetPolicyRequest) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowAgent + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SetPolicyRequest: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SetPolicyRequest: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Policy", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowAgent + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthAgent + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthAgent + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Policy = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipAgent(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthAgent + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func skipAgent(dAtA []byte) (n int, err error) { l := len(dAtA) iNdEx := 0 diff --git a/src/runtime/virtcontainers/pkg/annotations/annotations.go b/src/runtime/virtcontainers/pkg/annotations/annotations.go index d51447d73e..03498fef75 100644 --- a/src/runtime/virtcontainers/pkg/annotations/annotations.go +++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go @@ -297,6 +297,9 @@ const ( AgentContainerPipeSize = kataAnnotAgentPrefix + ContainerPipeSizeOption ContainerPipeSizeOption = "container_pipe_size" ContainerPipeSizeKernelParam = "agent." + ContainerPipeSizeOption + + // Policy is an annotation containing the contents of an agent policy file, base64 encoded. + Policy = kataAnnotAgentPrefix + "policy" ) // Container resource related annotations diff --git a/src/runtime/virtcontainers/pkg/mock/mock.go b/src/runtime/virtcontainers/pkg/mock/mock.go index 562d4a7e36..193574bfad 100644 --- a/src/runtime/virtcontainers/pkg/mock/mock.go +++ b/src/runtime/virtcontainers/pkg/mock/mock.go @@ -256,3 +256,7 @@ func (p *HybridVSockTTRPCMockImp) GetIPTables(ctx context.Context, req *pb.GetIP func (p *HybridVSockTTRPCMockImp) SetIPTables(ctx context.Context, req *pb.SetIPTablesRequest) (*pb.SetIPTablesResponse, error) { return &pb.SetIPTablesResponse{}, nil } + +func (p *HybridVSockTTRPCMockImp) SetPolicy(ctx context.Context, req *pb.SetPolicyRequest) (*gpb.Empty, error) { + return &gpb.Empty{}, nil +} diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh index 694124acd6..aeea90278a 100644 --- a/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh +++ b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh @@ -8,3 +8,4 @@ LIBC="gnu" PACKAGES="core-packages-base-image ca-certificates" [ "$AGENT_INIT" = no ] && PACKAGES+=" systemd" [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp" +[ "$AGENT_POLICY" = yes ] && PACKAGES+=" opa" || true diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 89efd388b5..7bdeaaf381 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -27,6 +27,7 @@ LIBC=${LIBC:-musl} # However, it is not enforced by default: you need to enable that in the main configuration file. SECCOMP=${SECCOMP:-"yes"} SELINUX=${SELINUX:-"no"} +AGENT_POLICY=${AGENT_POLICY:-no} lib_file="${script_dir}/../scripts/lib.sh" source "$lib_file" @@ -315,6 +316,9 @@ check_env_variables() [ "$AGENT_INIT" == "yes" -o "$AGENT_INIT" == "no" ] || die "AGENT_INIT($AGENT_INIT) is invalid (must be yes or no)" + [ "$AGENT_POLICY" == "yes" -o "$AGENT_POLICY" == "no" ] || die "AGENT_POLICY($AGENT_POLICY) is invalid (must be yes or no)" + [ "$AGENT_POLICY" == "no" -o "$AGENT_INIT" == "no" ] || die "AGENT_POLICY($AGENT_POLICY) and AGENT_INIT($AGENT_INIT) is an invalid combination (at least one must be no)" + [ -n "${KERNEL_MODULES_DIR}" ] && [ ! -d "${KERNEL_MODULES_DIR}" ] && die "KERNEL_MODULES_DIR defined but is not an existing directory" [ -n "${OSBUILDER_VERSION}" ] || die "need osbuilder version" @@ -456,6 +460,7 @@ build_rootfs_distro() --env SELINUX="${SELINUX}" \ --env DEBUG="${DEBUG}" \ --env HOME="/root" \ + --env AGENT_POLICY="${AGENT_POLICY}" \ -v "${repo_dir}":"/kata-containers" \ -v "${ROOTFS_DIR}":"/rootfs" \ -v "${script_dir}/../scripts":"/scripts" \ @@ -614,7 +619,7 @@ EOF git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!" fi make clean - make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} + make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT} if [ "${SECCOMP}" == "yes" ]; then rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}" @@ -640,6 +645,55 @@ EOF chmod g+rx,o+x "${ROOTFS_DIR}" fi + if [ "${AGENT_POLICY}" == "yes" ]; then + # Setup systemd-based environment for kata-opa. + local opa_bin_dir="$(get_opa_bin_dir "${ROOTFS_DIR}")" + if [ -z "${opa_bin_dir}" ]; then + # OPA was not installed already, so download it here. + # + # TODO: if an OPA package is not available for the Guest image distro, + # Kata should cache the OPA source code, toolchain information, etc. + # OPA should be built from the cached source code instead of downloading + # this binary. + # + opa_bin_url="$(get_package_version_from_kata_yaml externals.open-policy-agent.meta.binary)" + info "Downloading OPA binary from ${opa_bin_url}" + curl --fail -L "${opa_bin_url}" -o opa || die "Failed to download OPA" + + # Install the OPA binary. + opa_bin_dir="/usr/local/bin" + local opa_bin="${ROOTFS_DIR}${opa_bin_dir}/opa" + info "Installing OPA binary to ${opa_bin}" + install -D -o root -g root -m 0755 opa -T "${opa_bin}" + else + info "OPA binary already exists in ${opa_bin_dir}" + fi + + # Install default settings for the kata-opa service. + local kata_opa_in_dir="${script_dir}/../../../src/kata-opa" + local opa_settings_dir="/etc/kata-opa" + local policy_file="allow-all.rego" + local policy_dir="${ROOTFS_DIR}/${opa_settings_dir}" + mkdir -p "${policy_dir}" + install -D -o root -g root -m 0644 "${kata_opa_in_dir}/${policy_file}" -T "${policy_dir}/${policy_file}" + ln -sf "${policy_file}" "${policy_dir}/default-policy.rego" + + # Install the unit file for the kata-opa service. + local kata_opa_unit="kata-opa.service" + local kata_opa_unit_path="${ROOTFS_DIR}/usr/lib/systemd/system/${kata_opa_unit}" + local kata_containers_wants="${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants" + + opa_settings_dir="${opa_settings_dir//\//\\/}" + sed -e "s/@SETTINGSDIR@/${opa_settings_dir}/g" "${kata_opa_in_dir}/${kata_opa_unit}.in" > "${kata_opa_unit}" + + opa_bin_dir="${opa_bin_dir//\//\\/}" + sed -i -e "s/@BINDIR@/${opa_bin_dir}/g" "${kata_opa_unit}" + + install -D -o root -g root -m 0644 "${kata_opa_unit}" -T "${kata_opa_unit_path}" + mkdir -p "${kata_containers_wants}" + ln -sf "${kata_opa_unit_path}" "${kata_containers_wants}/${kata_opa_unit}" + fi + info "Check init is installed" [ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}" OK "init is installed" @@ -657,6 +711,24 @@ EOF create_summary_file "${ROOTFS_DIR}" } +get_opa_bin_dir() +{ + local rootfs_dir="$1" + local -a bin_dirs=( + "/bin" + "/usr/bin" + "/usr/local/bin" + ) + for bin_dir in "${bin_dirs[@]}" + do + local opa_bin="${rootfs_dir}${bin_dir}/opa" + if [ -f "${opa_bin}" ]; then + echo "${bin_dir}" + return 0 + fi + done +} + parse_arguments() { [ "$#" -eq 0 ] && usage && return 0 diff --git a/versions.yaml b/versions.yaml index a81ba5d837..a058ebb881 100644 --- a/versions.yaml +++ b/versions.yaml @@ -284,6 +284,22 @@ externals: url: "https://github.com/containerd/nydus-snapshotter" version: "v0.3.3" + open-policy-agent: + description: "Open Policy Agent" + url: "https://github.com/open-policy-agent/opa" + version: "v0.55.0" + meta: + # - If an OPA package is available for the Guest image distro, that + # package is used instead of the binary below. + # + # - TODO: if an OPA package is not available for the Guest image distro, + # Kata should cache the OPA source code, toolchain information, etc. + # OPA should be built from the cached source code instead of downloading + # this binary. + # + # yamllint disable-line rule:line-length + binary: "https://github.com/open-policy-agent/opa/releases/download/v0.55.0/opa_linux_amd64_static" + ovmf: description: "Firmware, implementation of UEFI for virtual machines." url: "https://github.com/tianocore/edk2"