From ab829d10383ed0246fc228ad59440777f68a2047 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Fri, 11 Aug 2023 15:32:25 +0000 Subject: [PATCH] agent: runtime: add the Agent Policy feature Fixes: #7573 To enable this feature, build your rootfs using AGENT_POLICY=yes. The default is AGENT_POLICY=no. Building rootfs using AGENT_POLICY=yes has the following effects: 1. The kata-opa service gets included in the Guest image. 2. The agent gets built using AGENT_POLICY=yes. After this patch, the shim calls SetPolicy if and only if a Policy annotation is attached to the sandbox/pod. When creating a sandbox/pod that doesn't have an attached Policy annotation: 1. If the agent was built using AGENT_POLICY=yes, the new sandbox uses the default agent settings, that might include a default Policy too. 2. If the agent was built using AGENT_POLICY=no, the new sandbox is executed the same way as before this patch. Any SetPolicy calls from the shim to the agent fail if the agent was built using AGENT_POLICY=no. If the agent was built using AGENT_POLICY=yes: 1. The agent reads the contents of a default policy file during sandbox start-up. 2. The agent then connects to the OPA service on localhost and sends the default policy to OPA. 3. If the shim calls SetPolicy: a. The agent checks if SetPolicy is allowed by the current policy (the current policy is typically the default policy mentioned above). b. If SetPolicy is allowed, the agent deletes the current policy from OPA and replaces it with the new policy it received from the shim. A typical new policy from the shim doesn't allow any future SetPolicy calls. 4. For every agent rpc API call, the agent asks OPA if that call should be allowed. OPA allows or not a call based on the current policy, the name of the agent API, and the API call's inputs. The agent rejects any calls that are rejected by OPA. When building using AGENT_POLICY_DEBUG=yes, additional Policy logging gets enabled in the agent. In particular, information about the inputs for agent rpc API calls is logged in /tmp/policy.txt, on the Guest VM. These inputs can be useful for investigating API calls that might have been rejected by the Policy. Examples: 1. Load a failing policy file test1.rego on a different machine: opa run --server --addr 127.0.0.1:8181 test1.rego 2. Collect the API inputs from Guest's /tmp/policy.txt and test on the machine where the failing policy has been loaded: curl -X POST http://localhost:8181/v1/data/agent_policy/CreateContainerRequest \ --data-binary @test1-inputs.json Signed-off-by: Dan Mihai --- src/agent/Cargo.lock | 461 ++++++++++- src/agent/Cargo.toml | 9 +- src/agent/Makefile | 8 + src/agent/src/main.rs | 32 + src/agent/src/policy.rs | 240 ++++++ src/agent/src/rpc.rs | 126 ++- src/kata-opa/allow-all.rego | 38 + src/kata-opa/kata-opa.service.in | 29 + src/libs/protocols/protos/agent.proto | 5 + src/runtime/pkg/katautils/create.go | 8 + src/runtime/pkg/oci/utils.go | 15 + src/runtime/virtcontainers/agent.go | 3 + src/runtime/virtcontainers/kata_agent.go | 17 + src/runtime/virtcontainers/mock_agent.go | 4 + .../pkg/agent/protocols/grpc/agent.pb.go | 753 +++++++++++------- .../pkg/annotations/annotations.go | 3 + src/runtime/virtcontainers/pkg/mock/mock.go | 4 + .../rootfs-builder/cbl-mariner/config.sh | 1 + tools/osbuilder/rootfs-builder/rootfs.sh | 74 +- versions.yaml | 16 + 20 files changed, 1529 insertions(+), 317 deletions(-) create mode 100644 src/agent/src/policy.rs create mode 100644 src/kata-opa/allow-all.rego create mode 100644 src/kata-opa/kata-opa.service.in diff --git a/src/agent/Cargo.lock b/src/agent/Cargo.lock index 05af246104..34e8eaa31e 100644 --- a/src/agent/Cargo.lock +++ b/src/agent/Cargo.lock @@ -163,6 +163,12 @@ version = "0.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd" +[[package]] +name = "base64" +version = "0.21.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "604178f6c5c21f02dc555784810edfb88d34ac2c73b2eae109655649ee73ce3d" + [[package]] name = "bincode" version = "1.3.3" @@ -258,9 +264,12 @@ dependencies = [ [[package]] name = "cc" -version = "1.0.73" +version = "1.0.81" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11" +checksum = "6c6b2562119bf28c3439f7f02db99faf0aa1a8cdfe5772a2ee155d32227239f0" +dependencies = [ + "libc", +] [[package]] name = "cfg-if" @@ -356,6 +365,16 @@ dependencies = [ "cache-padded", ] +[[package]] +name = "core-foundation" +version = "0.9.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "core-foundation-sys" version = "0.8.3" @@ -460,6 +479,15 @@ version = "1.6.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e78d4f1cc4ae33bbfc157ed5d5a5ef3bc29227303d595861deb238fcec4e9457" +[[package]] +name = "encoding_rs" +version = "0.8.32" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "071a31f4ee85403370b58aca746f01041ede6f0da2730960ad001edc2b71b394" +dependencies = [ + "cfg-if 1.0.0", +] + [[package]] name = "enumflags2" version = "0.7.5" @@ -550,6 +578,31 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foreign-types" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1" +dependencies = [ + "foreign-types-shared", +] + +[[package]] +name = "foreign-types-shared" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" + +[[package]] +name = "form_urlencoded" +version = "1.0.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fc25a87fa4fd2094bffb06925852034d90a17f0d1e05197d4956d3555752191" +dependencies = [ + "matches", + "percent-encoding", +] + [[package]] name = "futures" version = "0.3.21" @@ -671,6 +724,25 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9b919933a397b79c37e33b77bb2aa3dc8eb6e165ad809e58ff75bc7db2e34574" +[[package]] +name = "h2" +version = "0.3.20" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97ec8491ebaf99c8eaa73058b045fe58073cd6be7f596ac993ced0b0a0c01049" +dependencies = [ + "bytes 1.1.0", + "fnv", + "futures-core", + "futures-sink", + "futures-util", + "http", + "indexmap", + "slab", + "tokio", + "tokio-util 0.7.8", + "tracing", +] + [[package]] name = "hashbrown" version = "0.12.1" @@ -707,6 +779,77 @@ version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70" +[[package]] +name = "http" +version = "0.2.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bd6effc99afb63425aff9b05836f029929e345a6148a14b7ecd5ab67af944482" +dependencies = [ + "bytes 1.1.0", + "fnv", + "itoa", +] + +[[package]] +name = "http-body" +version = "0.4.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d5f38f16d184e36f2408a55281cd658ecbd3ca05cce6d6510a176eca393e26d1" +dependencies = [ + "bytes 1.1.0", + "http", + "pin-project-lite", +] + +[[package]] +name = "httparse" +version = "1.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d897f394bad6a705d5f4104762e116a75639e470d80901eed05a860a95cb1904" + +[[package]] +name = "httpdate" +version = "1.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c4a1e36c821dbe04574f602848a19f742f4fb3c98d40449f11bcad18d6b17421" + +[[package]] +name = "hyper" +version = "0.14.27" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ffb1cfd654a8219eaef89881fdb3bb3b1cdc5fa75ded05d6933b2b382e395468" +dependencies = [ + "bytes 1.1.0", + "futures-channel", + "futures-core", + "futures-util", + "h2", + "http", + "http-body", + "httparse", + "httpdate", + "itoa", + "pin-project-lite", + "socket2", + "tokio", + "tower-service", + "tracing", + "want", +] + +[[package]] +name = "hyper-tls" +version = "0.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d6183ddfa99b85da61a140bea0efc93fdf56ceaa041b37d553518030827f9905" +dependencies = [ + "bytes 1.1.0", + "hyper", + "native-tls", + "tokio", + "tokio-native-tls", +] + [[package]] name = "iana-time-zone" version = "0.1.46" @@ -720,6 +863,17 @@ dependencies = [ "winapi", ] +[[package]] +name = "idna" +version = "0.2.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "418a0a6fab821475f634efe3ccc45c013f742efe03d853e8d3355d5cb850ecf8" +dependencies = [ + "matches", + "unicode-bidi", + "unicode-normalization", +] + [[package]] name = "indexmap" version = "1.9.1" @@ -770,6 +924,12 @@ dependencies = [ "libc", ] +[[package]] +name = "ipnet" +version = "2.8.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28b29a3cd74f0f4598934efe3aeba42bae0eb4680554128851ebbecb02af14e6" + [[package]] name = "ipnetwork" version = "0.17.0" @@ -815,6 +975,7 @@ dependencies = [ "cgroups-rs", "clap", "futures", + "http", "ipnetwork", "kata-sys-util", "kata-types", @@ -826,12 +987,14 @@ dependencies = [ "netlink-sys", "nix 0.24.2", "oci", + "openssl", "opentelemetry", "procfs", "prometheus", "protobuf 3.2.0", "protocols", "regex", + "reqwest", "rtnetlink", "rustjail", "scan_fmt", @@ -886,7 +1049,7 @@ name = "kata-types" version = "0.1.0" dependencies = [ "anyhow", - "base64", + "base64 0.13.0", "bitmask-enum", "byte-unit", "glob", @@ -973,6 +1136,12 @@ dependencies = [ "regex-automata", ] +[[package]] +name = "matches" +version = "0.1.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2532096657941c2fea9c289d370a250971c689d4f143798ff67113ec042024a5" + [[package]] name = "memchr" version = "2.5.0" @@ -988,6 +1157,12 @@ dependencies = [ "autocfg", ] +[[package]] +name = "mime" +version = "0.3.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a" + [[package]] name = "miniz_oxide" version = "0.5.3" @@ -1015,6 +1190,24 @@ version = "0.8.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a" +[[package]] +name = "native-tls" +version = "0.2.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "07226173c32f2926027b63cce4bcd8076c3552846cbe7925f3aaffeac0a3b92e" +dependencies = [ + "lazy_static", + "libc", + "log", + "openssl", + "openssl-probe", + "openssl-sys", + "schannel", + "security-framework", + "security-framework-sys", + "tempfile", +] + [[package]] name = "netlink-packet-core" version = "0.2.4" @@ -1065,7 +1258,7 @@ dependencies = [ "netlink-packet-core", "netlink-sys", "tokio", - "tokio-util", + "tokio-util 0.6.10", ] [[package]] @@ -1184,6 +1377,60 @@ version = "1.15.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e82dad04139b71a90c080c8463fe0dc7902db5192d939bd0950f074d014339e1" +[[package]] +name = "openssl" +version = "0.10.55" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "345df152bc43501c5eb9e4654ff05f794effb78d4efe3d53abc158baddc0703d" +dependencies = [ + "bitflags", + "cfg-if 1.0.0", + "foreign-types", + "libc", + "once_cell", + "openssl-macros", + "openssl-sys", +] + +[[package]] +name = "openssl-macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.16", +] + +[[package]] +name = "openssl-probe" +version = "0.1.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf" + +[[package]] +name = "openssl-src" +version = "111.27.0+1.1.1v" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06e8f197c82d7511c5b014030c9b1efeda40d7d5f99d23b4ceed3524a5e63f02" +dependencies = [ + "cc", +] + +[[package]] +name = "openssl-sys" +version = "0.9.90" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "374533b0e45f3a7ced10fcaeccca020e66656bc03dac384f852e4e5a7a8104a6" +dependencies = [ + "cc", + "libc", + "openssl-src", + "pkg-config", + "vcpkg", +] + [[package]] name = "opentelemetry" version = "0.14.0" @@ -1573,6 +1820,8 @@ dependencies = [ "async-trait", "oci", "protobuf 3.2.0", + "serde", + "serde_json", "ttrpc", "ttrpc-codegen", ] @@ -1671,6 +1920,43 @@ dependencies = [ "winapi", ] +[[package]] +name = "reqwest" +version = "0.11.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cde824a14b7c14f85caff81225f411faacc04a2013f41670f41443742b1c1c55" +dependencies = [ + "base64 0.21.2", + "bytes 1.1.0", + "encoding_rs", + "futures-core", + "futures-util", + "h2", + "http", + "http-body", + "hyper", + "hyper-tls", + "ipnet", + "js-sys", + "log", + "mime", + "native-tls", + "once_cell", + "percent-encoding", + "pin-project-lite", + "serde", + "serde_json", + "serde_urlencoded", + "tokio", + "tokio-native-tls", + "tower-service", + "url", + "wasm-bindgen", + "wasm-bindgen-futures", + "web-sys", + "winreg", +] + [[package]] name = "rlimit" version = "0.5.4" @@ -1762,12 +2048,44 @@ dependencies = [ "regex", ] +[[package]] +name = "schannel" +version = "0.1.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0c3733bf4cf7ea0880754e19cb5a462007c4a8c1914bff372ccc95b464f1df88" +dependencies = [ + "windows-sys 0.48.0", +] + [[package]] name = "scopeguard" version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd" +[[package]] +name = "security-framework" +version = "2.9.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "05b64fb303737d99b81884b2c63433e9ae28abebe5eb5045dcdd175dc2ecf4de" +dependencies = [ + "bitflags", + "core-foundation", + "core-foundation-sys", + "libc", + "security-framework-sys", +] + +[[package]] +name = "security-framework-sys" +version = "2.9.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e932934257d3b408ed8f30db49d85ea163bfe74961f017f405b025af298f0c7a" +dependencies = [ + "core-foundation-sys", + "libc", +] + [[package]] name = "serde" version = "1.0.137" @@ -1810,6 +2128,18 @@ dependencies = [ "syn 1.0.98", ] +[[package]] +name = "serde_urlencoded" +version = "0.7.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d3491c14715ca2294c4d6a88f15e84739788c1d030eed8c110436aafdaa2f3fd" +dependencies = [ + "form_urlencoded", + "itoa", + "ryu", + "serde", +] + [[package]] name = "serial_test" version = "0.5.1" @@ -2113,6 +2443,21 @@ version = "0.2.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "42657b1a6f4d817cda8e7a0ace261fe0cc946cf3a80314390b22cc61ae080792" +[[package]] +name = "tinyvec" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50" +dependencies = [ + "tinyvec_macros", +] + +[[package]] +name = "tinyvec_macros" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" + [[package]] name = "tokio" version = "1.28.1" @@ -2143,6 +2488,16 @@ dependencies = [ "syn 2.0.16", ] +[[package]] +name = "tokio-native-tls" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bbae76ab933c85776efabc971569dd6119c580d8f5d448769dec1764bf796ef2" +dependencies = [ + "native-tls", + "tokio", +] + [[package]] name = "tokio-stream" version = "0.1.9" @@ -2168,6 +2523,20 @@ dependencies = [ "tokio", ] +[[package]] +name = "tokio-util" +version = "0.7.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "806fe8c2c87eccc8b3267cbae29ed3ab2d0bd37fca70ab622e46aaa9375ddb7d" +dependencies = [ + "bytes 1.1.0", + "futures-core", + "futures-sink", + "pin-project-lite", + "tokio", + "tracing", +] + [[package]] name = "tokio-vsock" version = "0.3.1" @@ -2190,6 +2559,12 @@ dependencies = [ "serde", ] +[[package]] +name = "tower-service" +version = "0.3.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6bc1c9ce2b5135ac7f93c72918fc37feb872bdc6a5533a8b85eb4b86bfdae52" + [[package]] name = "tracing" version = "0.1.35" @@ -2279,6 +2654,12 @@ dependencies = [ "tracing-serde", ] +[[package]] +name = "try-lock" +version = "0.2.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3528ecfd12c466c6f163363caf2d02a71161dd5e1cc6ae7b34207ea2d42d81ed" + [[package]] name = "ttrpc" version = "0.7.1" @@ -2335,24 +2716,56 @@ dependencies = [ "winapi", ] +[[package]] +name = "unicode-bidi" +version = "0.3.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" + [[package]] name = "unicode-ident" version = "1.0.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5bd2fe26506023ed7b5e1e315add59d6f584c621d037f9368fea9cfb988f368c" +[[package]] +name = "unicode-normalization" +version = "0.1.22" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921" +dependencies = [ + "tinyvec", +] + [[package]] name = "unicode-segmentation" version = "1.9.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7e8820f5d777f6224dc4be3632222971ac30164d4a258d595640799554ebfd99" +[[package]] +name = "url" +version = "2.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "22fe195a4f217c25b25cb5058ced57059824a678474874038dc88d211bf508d3" +dependencies = [ + "form_urlencoded", + "idna", + "percent-encoding", +] + [[package]] name = "valuable" version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "830b7e5d4d90034032940e4ace0d9a9a057e7a45cd94e6c007832e39edb82f6d" +[[package]] +name = "vcpkg" +version = "0.2.15" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426" + [[package]] name = "version_check" version = "0.9.4" @@ -2392,6 +2805,15 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9d5b2c62b4012a3e1eca5a7e077d13b3bf498c4073e33ccd58626607748ceeca" +[[package]] +name = "want" +version = "0.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "bfa7760aed19e106de2c7c0b581b509f2f25d3dacaf737cb82ac61bc6d760b0e" +dependencies = [ + "try-lock", +] + [[package]] name = "wasi" version = "0.10.0+wasi-snapshot-preview1" @@ -2429,6 +2851,18 @@ dependencies = [ "wasm-bindgen-shared", ] +[[package]] +name = "wasm-bindgen-futures" +version = "0.4.31" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "de9a9cec1733468a8c657e57fa2413d2ae2c0129b95e87c5b72b8ace4d13f31f" +dependencies = [ + "cfg-if 1.0.0", + "js-sys", + "wasm-bindgen", + "web-sys", +] + [[package]] name = "wasm-bindgen-macro" version = "0.2.81" @@ -2458,6 +2892,16 @@ version = "0.2.81" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6a89911bd99e5f3659ec4acf9c4d93b0a90fe4a2a11f15328472058edc5261be" +[[package]] +name = "web-sys" +version = "0.3.58" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2fed94beee57daf8dd7d51f2b15dc2bcde92d7a72304cdf662a4371008b71b90" +dependencies = [ + "js-sys", + "wasm-bindgen", +] + [[package]] name = "wepoll-ffi" version = "0.1.2" @@ -2618,6 +3062,15 @@ version = "0.48.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1a515f5799fe4961cb532f983ce2b23082366b898e52ffbce459c86f67c8378a" +[[package]] +name = "winreg" +version = "0.10.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "80d0f4e272c85def139476380b12f9ac60926689dd2e01d4923222f40580869d" +dependencies = [ + "winapi", +] + [[package]] name = "xattr" version = "0.2.3" diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml index 7e9445265c..47e1d378bc 100644 --- a/src/agent/Cargo.toml +++ b/src/agent/Cargo.toml @@ -8,7 +8,7 @@ license = "Apache-2.0" [dependencies] oci = { path = "../libs/oci" } rustjail = { path = "rustjail" } -protocols = { path = "../libs/protocols", features = ["async"] } +protocols = { path = "../libs/protocols", features = ["async", "with-serde"] } lazy_static = "1.3.0" ttrpc = { version = "0.7.1", features = ["async"], default-features = false } protobuf = "3.2.0" @@ -67,6 +67,12 @@ serde = { version = "1.0.129", features = ["derive"] } toml = "0.5.8" clap = { version = "3.0.1", features = ["derive"] } +# Communication with the OPA service +http = { version = "0.2.8", optional = true } +reqwest = { version = "0.11.14", optional = true } +# The "vendored" feature for openssl is required for musl build +openssl = { version = "0.10.54", features = ["vendored"], optional = true } + [dev-dependencies] tempfile = "3.1.0" test-utils = { path = "../libs/test-utils" } @@ -83,6 +89,7 @@ lto = true [features] seccomp = ["rustjail/seccomp"] standard-oci-runtime = ["rustjail/standard-oci-runtime"] +agent-policy = ["http", "openssl", "reqwest"] [[bin]] name = "kata-agent" diff --git a/src/agent/Makefile b/src/agent/Makefile index ba065b4d04..d058caf64c 100644 --- a/src/agent/Makefile +++ b/src/agent/Makefile @@ -33,6 +33,14 @@ ifeq ($(SECCOMP),yes) override EXTRA_RUSTFEATURES += seccomp endif +##VAR AGENT_POLICY=yes|no define if agent enables the policy feature +AGENT_POLICY := no + +# Enable the policy feature of rust build +ifeq ($(AGENT_POLICY),yes) + override EXTRA_RUSTFEATURES += agent-policy +endif + include ../../utils.mk ifeq ($(ARCH), ppc64le) diff --git a/src/agent/src/main.rs b/src/agent/src/main.rs index 58c406fe17..f73e10eedc 100644 --- a/src/agent/src/main.rs +++ b/src/agent/src/main.rs @@ -73,6 +73,9 @@ use tokio::{ mod rpc; mod tracer; +#[cfg(feature = "agent-policy")] +mod policy; + cfg_if! { if #[cfg(target_arch = "s390x")] { mod ap; @@ -90,6 +93,11 @@ lazy_static! { AgentConfig::from_cmdline("/proc/cmdline", env::args().collect()).unwrap(); } +#[cfg(feature = "agent-policy")] +lazy_static! { + static ref AGENT_POLICY: Mutex = Mutex::new(AgentPolicy::new()); +} + #[derive(Parser)] // The default clap version info doesn't match our form, so we need to override it #[clap(global_setting(AppSettings::DisableVersionFlag))] @@ -221,6 +229,27 @@ async fn real_main() -> std::result::Result<(), Box> { let root_span = span!(tracing::Level::TRACE, "root-span"); + #[cfg(feature = "agent-policy")] + { + let debug_policy = + config.log_level == slog::Level::Debug || config.log_level == slog::Level::Trace; + if let Err(e) = AGENT_POLICY + .lock() + .await + .initialize( + debug_policy, + "http://localhost:8181/v1", + "/agent_policy", + "/etc/kata-opa/default-policy.rego", + ) + .await + { + error!(logger, "Failed to initialize agent policy: {:?}", e); + // Continuing execution without a security policy could be dangerous. + std::process::abort(); + } + } + // XXX: Start the root trace transaction. // // XXX: Note that *ALL* spans needs to start after this point!! @@ -401,6 +430,9 @@ fn reset_sigpipe() { use crate::config::AgentConfig; use std::os::unix::io::{FromRawFd, RawFd}; +#[cfg(feature = "agent-policy")] +use crate::policy::AgentPolicy; + #[cfg(test)] mod tests { use super::*; diff --git a/src/agent/src/policy.rs b/src/agent/src/policy.rs new file mode 100644 index 0000000000..7dca6ffe5e --- /dev/null +++ b/src/agent/src/policy.rs @@ -0,0 +1,240 @@ +// Copyright (c) 2023 Microsoft Corporation +// +// SPDX-License-Identifier: Apache-2.0 +// + +use anyhow::{bail, Result}; +use serde::{Deserialize, Serialize}; +use tokio::io::AsyncWriteExt; +use tokio::time::{sleep, Duration}; + +static EMPTY_JSON_INPUT: &str = "{\"input\":{}}"; + +static OPA_DATA_PATH: &str = "/data"; +static OPA_POLICIES_PATH: &str = "/policies"; + +static POLICY_LOG_FILE: &str = "/tmp/policy.txt"; + +/// Convenience macro to obtain the scope logger +macro_rules! sl { + () => { + slog_scope::logger() + }; +} + +/// Example of HTTP response from OPA: {"result":true} +#[derive(Debug, Serialize, Deserialize)] +struct AllowResponse { + result: bool, +} + +/// Singleton policy object. +#[derive(Debug, Default)] +pub struct AgentPolicy { + /// When true policy errors are ignored, for debug purposes. + allow_failures: bool, + + /// OPA path used to query if an Agent gRPC request should be allowed. + /// The request name (e.g., CreateContainerRequest) must be added to + /// this path. + query_path: String, + + /// OPA path used to add or delete a rego format Policy. + policy_path: String, + + /// Client used to connect a single time to the OPA service and reused + /// for all the future communication with OPA. + opa_client: Option, + + /// "/tmp/policy.txt" log file for policy activity. + log_file: Option, +} + +impl AgentPolicy { + /// Create AgentPolicy object. + pub fn new() -> Self { + Self { + allow_failures: false, + ..Default::default() + } + } + + /// Wait for OPA to start and connect to it. + pub async fn initialize( + &mut self, + debug_enabled: bool, + opa_uri: &str, + policy_name: &str, + default_policy: &str, + ) -> Result<()> { + if debug_enabled { + self.log_file = Some( + tokio::fs::OpenOptions::new() + .write(true) + .truncate(true) + .create(true) + .open(POLICY_LOG_FILE) + .await?, + ); + debug!(sl!(), "policy: log file: {}", POLICY_LOG_FILE); + } + + self.query_path = format!("{opa_uri}{OPA_DATA_PATH}{policy_name}/"); + self.policy_path = format!("{opa_uri}{OPA_POLICIES_PATH}{policy_name}"); + let opa_client = reqwest::Client::builder().http1_only().build()?; + let policy = tokio::fs::read_to_string(default_policy).await?; + + // This loop is necessary to get the opa_client connected to the + // OPA service while that service is starting. Future requests to + // OPA are expected to work without retrying, after connecting + // successfully for the first time. + for i in 0..50 { + if i > 0 { + sleep(Duration::from_millis(100)).await; + debug!(sl!(), "policy initialize: PUT failed, retrying"); + } + + // Set-up the default policy. + if opa_client + .put(&self.policy_path) + .body(policy.clone()) + .send() + .await + .is_ok() + { + // Check if requests causing policy errors should actually + // be allowed. That is an insecure configuration but is + // useful for allowing insecure pods to start, then connect to + // them and inspect Guest logs for the root cause of a failure. + if let Ok(allow_failures) = self + .post_query("AllowRequestsFailingPolicy", EMPTY_JSON_INPUT) + .await + { + self.allow_failures = allow_failures; + } else { + // post_query failed so the the default, secure, value + // allow_failures: false will be used. + } + + self.opa_client = Some(opa_client); + return Ok(()); + } + } + bail!("Failed to connect to OPA") + } + + /// Ask OPA to check if an API call should be allowed or not. + pub async fn is_allowed_endpoint(&mut self, ep: &str, request: &str) -> bool { + let post_input = format!("{{\"input\":{request}}}"); + self.log_opa_input(ep, &post_input).await; + match self.post_query(ep, &post_input).await { + Err(e) => { + debug!( + sl!(), + "policy: failed to query endpoint {}: {:?}. Returning false.", ep, e + ); + false + } + Ok(allowed) => allowed, + } + } + + /// Replace the Policy in OPA. + pub async fn set_policy(&mut self, policy: &str) -> Result<()> { + if let Some(opa_client) = &mut self.opa_client { + // Delete the old rules. + opa_client.delete(&self.policy_path).send().await?; + + // Put the new rules. + opa_client + .put(&self.policy_path) + .body(policy.to_string()) + .send() + .await?; + + // Check if requests causing policy errors should actually be allowed. + // That is an insecure configuration but is useful for allowing insecure + // pods to start, then connect to them and inspect Guest logs for the + // root cause of a failure. + self.allow_failures = self + .post_query("AllowRequestsFailingPolicy", EMPTY_JSON_INPUT) + .await?; + + Ok(()) + } else { + bail!("Agent Policy is not initialized") + } + } + + // Post query to OPA. + async fn post_query(&mut self, ep: &str, post_input: &str) -> Result { + debug!(sl!(), "policy check: {ep}"); + + if let Some(opa_client) = &mut self.opa_client { + let uri = format!("{}{ep}", &self.query_path); + let response = opa_client + .post(uri) + .body(post_input.to_string()) + .send() + .await?; + + if response.status() != http::StatusCode::OK { + bail!("policy: POST {} response status {}", ep, response.status()); + } + + let http_response = response.text().await?; + let opa_response: serde_json::Result = + serde_json::from_str(&http_response); + + match opa_response { + Ok(resp) => { + if !resp.result { + if self.allow_failures { + warn!( + sl!(), + "policy: POST {} response <{}>. Ignoring error!", ep, http_response + ); + return Ok(true); + } else { + error!(sl!(), "policy: POST {} response <{}>", ep, http_response); + } + } + Ok(resp.result) + } + Err(_) => { + warn!( + sl!(), + "policy: endpoint {} not found in policy. Returning false.", ep, + ); + Ok(false) + } + } + } else { + bail!("Agent Policy is not initialized") + } + } + + async fn log_opa_input(&mut self, ep: &str, input: &str) { + if let Some(log_file) = &mut self.log_file { + match ep { + "StatsContainerRequest" | "ReadStreamRequest" | "SetPolicyRequest" => { + // - StatsContainerRequest and ReadStreamRequest are called + // relatively often, so we're not logging them, to avoid + // growing this log file too much. + // - Confidential Containers Policy documents are relatively + // large, so we're not logging them here, for SetPolicyRequest. + // The Policy text can be obtained directly from the pod YAML. + } + _ => { + let log_entry = format!("[\"ep\":\"{ep}\",{input}],\n\n"); + + if let Err(e) = log_file.write_all(log_entry.as_bytes()).await { + warn!(sl!(), "policy: log_opa_input: write_all failed: {}", e); + } else if let Err(e) = log_file.flush().await { + warn!(sl!(), "policy: log_opa_input: flush failed: {}", e); + } + } + } + } + } +} diff --git a/src/agent/src/rpc.rs b/src/agent/src/rpc.rs index 30d14d559d..5016fdefdb 100644 --- a/src/agent/src/rpc.rs +++ b/src/agent/src/rpc.rs @@ -66,6 +66,10 @@ use crate::AGENT_CONFIG; use crate::trace_rpc_call; use crate::tracer::extract_carrier_from_ttrpc; + +#[cfg(feature = "agent-policy")] +use crate::AGENT_POLICY; + use opentelemetry::global; use tracing::span; use tracing_opentelemetry::OpenTelemetrySpanExt; @@ -120,7 +124,7 @@ fn ttrpc_error(code: ttrpc::Code, err: impl std::fmt::Debug) -> ttrpc::Error { get_rpc_status(code, format!("{:?}", err)) } -fn is_allowed(req: &impl MessageDyn) -> ttrpc::Result<()> { +fn config_allows(req: &impl MessageDyn) -> ttrpc::Result<()> { if !AGENT_CONFIG.is_allowed_endpoint(req.descriptor_dyn().name()) { Err(ttrpc_error( ttrpc::Code::UNIMPLEMENTED, @@ -131,6 +135,35 @@ fn is_allowed(req: &impl MessageDyn) -> ttrpc::Result<()> { } } +#[cfg(feature = "agent-policy")] +async fn policy_allows(req: &(impl MessageDyn + serde::Serialize)) -> ttrpc::Result<()> { + let request = serde_json::to_string(req).unwrap(); + let mut policy = AGENT_POLICY.lock().await; + if !policy + .is_allowed_endpoint(req.descriptor_dyn().name(), &request) + .await + { + warn!(sl(), "{} is blocked by policy", req.descriptor_dyn().name()); + Err(ttrpc_error( + ttrpc::Code::PERMISSION_DENIED, + format!("{} is blocked by policy", req.descriptor_dyn().name()), + )) + } else { + Ok(()) + } +} + +async fn is_allowed(req: &(impl MessageDyn + serde::Serialize)) -> ttrpc::Result<()> { + let res = config_allows(req); + + #[cfg(feature = "agent-policy")] + if res.is_ok() { + return policy_allows(req).await; + } + + res +} + #[derive(Clone, Debug)] pub struct AgentService { sandbox: Arc>, @@ -607,7 +640,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::CreateContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "create_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_create_container(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -620,7 +653,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::StartContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "start_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_start_container(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -633,7 +666,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::RemoveContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "remove_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_remove_container(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -646,7 +679,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ExecProcessRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "exec_process", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_exec_process(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -659,7 +692,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::SignalProcessRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "signal_process", req); - is_allowed(&req)?; + is_allowed(&req).await?; match self.do_signal_process(req).await { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), Ok(_) => Ok(Empty::new()), @@ -672,7 +705,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::WaitProcessRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "wait_process", req); - is_allowed(&req)?; + is_allowed(&req).await?; self.do_wait_process(req) .await .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e)) @@ -684,7 +717,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::UpdateContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "update_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let ctr = sandbox.get_container(&req.container_id).ok_or_else(|| { @@ -710,7 +743,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::StatsContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "stats_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let ctr = sandbox.get_container(&req.container_id).ok_or_else(|| { @@ -730,7 +763,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::PauseContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "pause_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let ctr = sandbox.get_container(req.container_id()).ok_or_else(|| { @@ -752,7 +785,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ResumeContainerRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "resume_container", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let ctr = sandbox.get_container(req.container_id()).ok_or_else(|| { @@ -774,7 +807,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::RemoveStaleVirtiofsShareMountsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "remove_stale_virtiofs_share_mounts", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mount_infos = parse_mount_table("/proc/self/mountinfo") .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; for m in &mount_infos { @@ -796,7 +829,7 @@ impl agent_ttrpc::AgentService for AgentService { _ctx: &TtrpcContext, req: protocols::agent::WriteStreamRequest, ) -> ttrpc::Result { - is_allowed(&req)?; + is_allowed(&req).await?; self.do_write_stream(req) .await .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e)) @@ -807,7 +840,7 @@ impl agent_ttrpc::AgentService for AgentService { _ctx: &TtrpcContext, req: protocols::agent::ReadStreamRequest, ) -> ttrpc::Result { - is_allowed(&req)?; + is_allowed(&req).await?; self.do_read_stream(req, true) .await .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e)) @@ -818,7 +851,7 @@ impl agent_ttrpc::AgentService for AgentService { _ctx: &TtrpcContext, req: protocols::agent::ReadStreamRequest, ) -> ttrpc::Result { - is_allowed(&req)?; + is_allowed(&req).await?; self.do_read_stream(req, false) .await .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e)) @@ -830,7 +863,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::CloseStdinRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "close_stdin", req); - is_allowed(&req)?; + is_allowed(&req).await?; let cid = req.container_id; let eid = req.exec_id; @@ -856,7 +889,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::TtyWinResizeRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "tty_win_resize", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; let p = sandbox @@ -895,7 +928,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::UpdateInterfaceRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "update_interface", req); - is_allowed(&req)?; + is_allowed(&req).await?; let interface = req.interface.into_option().ok_or_else(|| { ttrpc_error( @@ -923,7 +956,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::UpdateRoutesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "update_routes", req); - is_allowed(&req)?; + is_allowed(&req).await?; let new_routes = req.routes.into_option().map(|r| r.Routes).ok_or_else(|| { ttrpc_error( @@ -960,7 +993,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::UpdateEphemeralMountsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "update_mounts", req); - is_allowed(&req)?; + is_allowed(&req).await?; match update_ephemeral_mounts(sl(), &req.storages, &self.sandbox).await { Ok(_) => Ok(Empty::new()), @@ -977,7 +1010,7 @@ impl agent_ttrpc::AgentService for AgentService { req: GetIPTablesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "get_iptables", req); - is_allowed(&req)?; + is_allowed(&req).await?; info!(sl(), "get_ip_tables: request received"); @@ -1016,7 +1049,7 @@ impl agent_ttrpc::AgentService for AgentService { req: SetIPTablesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "set_iptables", req); - is_allowed(&req)?; + is_allowed(&req).await?; info!(sl(), "set_ip_tables request received"); @@ -1131,7 +1164,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ListInterfacesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "list_interfaces", req); - is_allowed(&req)?; + is_allowed(&req).await?; let list = self .sandbox @@ -1159,7 +1192,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ListRoutesRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "list_routes", req); - is_allowed(&req)?; + is_allowed(&req).await?; let list = self .sandbox @@ -1182,7 +1215,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::CreateSandboxRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "create_sandbox", req); - is_allowed(&req)?; + is_allowed(&req).await?; { let mut s = self.sandbox.lock().await; @@ -1241,7 +1274,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::DestroySandboxRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "destroy_sandbox", req); - is_allowed(&req)?; + is_allowed(&req).await?; let mut sandbox = self.sandbox.lock().await; // destroy all containers, clean up, notify agent to exit etc. @@ -1274,7 +1307,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::AddARPNeighborsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "add_arp_neighbors", req); - is_allowed(&req)?; + is_allowed(&req).await?; let neighs = req .neighbors @@ -1309,7 +1342,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::OnlineCPUMemRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "online_cpu_mem", req); - is_allowed(&req)?; + is_allowed(&req).await?; let sandbox = self.sandbox.lock().await; sandbox @@ -1325,7 +1358,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::ReseedRandomDevRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "reseed_random_dev", req); - is_allowed(&req)?; + is_allowed(&req).await?; random::reseed_rng(req.data.as_slice()) .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; @@ -1339,7 +1372,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::GuestDetailsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "get_guest_details", req); - is_allowed(&req)?; + is_allowed(&req).await?; info!(sl(), "get guest details!"); let mut resp = GuestDetailsResponse::new(); @@ -1373,7 +1406,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::MemHotplugByProbeRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "mem_hotplug_by_probe", req); - is_allowed(&req)?; + is_allowed(&req).await?; do_mem_hotplug_by_probe(&req.memHotplugProbeAddr) .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; @@ -1387,7 +1420,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::SetGuestDateTimeRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "set_guest_date_time", req); - is_allowed(&req)?; + is_allowed(&req).await?; do_set_guest_date_time(req.Sec, req.Usec) .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; @@ -1401,7 +1434,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::CopyFileRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "copy_file", req); - is_allowed(&req)?; + is_allowed(&req).await?; do_copy_file(&req).map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; @@ -1414,7 +1447,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::GetMetricsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "get_metrics", req); - is_allowed(&req)?; + is_allowed(&req).await?; match get_metrics(&req) { Err(e) => Err(ttrpc_error(ttrpc::Code::INTERNAL, e)), @@ -1431,7 +1464,7 @@ impl agent_ttrpc::AgentService for AgentService { _ctx: &TtrpcContext, req: protocols::agent::GetOOMEventRequest, ) -> ttrpc::Result { - is_allowed(&req)?; + is_allowed(&req).await?; let s = self.sandbox.lock().await; let event_rx = &s.event_rx.clone(); let mut event_rx = event_rx.lock().await; @@ -1455,7 +1488,7 @@ impl agent_ttrpc::AgentService for AgentService { req: VolumeStatsRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "get_volume_stats", req); - is_allowed(&req)?; + is_allowed(&req).await?; info!(sl(), "get volume stats!"); let mut resp = VolumeStatsResponse::new(); @@ -1495,7 +1528,7 @@ impl agent_ttrpc::AgentService for AgentService { req: protocols::agent::AddSwapRequest, ) -> ttrpc::Result { trace_rpc_call!(ctx, "add_swap", req); - is_allowed(&req)?; + is_allowed(&req).await?; do_add_swap(&self.sandbox, &req) .await @@ -1503,6 +1536,25 @@ impl agent_ttrpc::AgentService for AgentService { Ok(Empty::new()) } + + #[cfg(feature = "agent-policy")] + async fn set_policy( + &self, + ctx: &TtrpcContext, + req: protocols::agent::SetPolicyRequest, + ) -> ttrpc::Result { + trace_rpc_call!(ctx, "set_policy", req); + is_allowed(&req).await?; + + AGENT_POLICY + .lock() + .await + .set_policy(&req.policy) + .await + .map_err(|e| ttrpc_error(ttrpc::Code::INTERNAL, e))?; + + Ok(Empty::new()) + } } #[derive(Clone)] diff --git a/src/kata-opa/allow-all.rego b/src/kata-opa/allow-all.rego new file mode 100644 index 0000000000..0a974ff6e6 --- /dev/null +++ b/src/kata-opa/allow-all.rego @@ -0,0 +1,38 @@ +package agent_policy + +default AddARPNeighborsRequest := true +default AddSwapRequest := true +default CloseStdinRequest := true +default CopyFileRequest := true +default CreateContainerRequest := true +default CreateSandboxRequest := true +default DestroySandboxRequest := true +default ExecProcessRequest = true +default GetMetricsRequest := true +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default ListInterfacesRequest := true +default ListRoutesRequest := true +default MemHotplugByProbeRequest := true +default OnlineCPUMemRequest := true +default PauseContainerRequest := true +default PullImageRequest := true +default ReadStreamRequest := true +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default ReseedRandomDevRequest := false +default ResumeContainerRequest := true +default SetGuestDateTimeRequest := true +default SetPolicyRequest := true +default SignalProcessRequest := true +default StartContainerRequest := true +default StartTracingRequest := true +default StatsContainerRequest := true +default StopTracingRequest := true +default TtyWinResizeRequest := true +default UpdateContainerRequest := true +default UpdateEphemeralMountsRequest := true +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest := true +default WriteStreamRequest := true diff --git a/src/kata-opa/kata-opa.service.in b/src/kata-opa/kata-opa.service.in new file mode 100644 index 0000000000..acb24d941a --- /dev/null +++ b/src/kata-opa/kata-opa.service.in @@ -0,0 +1,29 @@ +# +# Copyright (c) 2023 Microsoft Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# + +[Unit] +Description=Open Policy Agent for Kata Containers +Documentation=https://github.com/kata-containers +ConditionPathExists=@SETTINGSDIR@/default-policy.rego + +# kata-agent connects to OPA while starting up. +Before=kata-agent.service + +[Service] +Type=simple +ExecStart=@BINDIR@/opa run --server --disable-telemetry --addr 127.0.0.1:8181 --log-level info +DynamicUser=yes +RuntimeDirectory=kata-opa +LimitNOFILE=1048576 + +# Don't restart because there may be an active policy that would be lost. +Restart=no + +# Send log output to tty to allow capturing debug logs from a VM vsock port. +StandardError=tty + +# Discourage OOM-killer from touching the policy service. +OOMScoreAdjust=-997 diff --git a/src/libs/protocols/protos/agent.proto b/src/libs/protocols/protos/agent.proto index 9ed7c0a049..039630d306 100644 --- a/src/libs/protocols/protos/agent.proto +++ b/src/libs/protocols/protos/agent.proto @@ -72,6 +72,7 @@ service AgentService { rpc AddSwap(AddSwapRequest) returns (google.protobuf.Empty); rpc GetVolumeStats(VolumeStatsRequest) returns (VolumeStatsResponse); rpc ResizeVolume(ResizeVolumeRequest) returns (google.protobuf.Empty); + rpc SetPolicy(SetPolicyRequest) returns (google.protobuf.Empty); } message CreateContainerRequest { @@ -566,3 +567,7 @@ message ResizeVolumeRequest { string volume_guest_path = 1; uint64 size = 2; } + +message SetPolicyRequest { + string policy = 1; +} diff --git a/src/runtime/pkg/katautils/create.go b/src/runtime/pkg/katautils/create.go index 3c3bf05c8d..bd5808deba 100644 --- a/src/runtime/pkg/katautils/create.go +++ b/src/runtime/pkg/katautils/create.go @@ -18,6 +18,7 @@ import ( "github.com/kata-containers/kata-containers/src/runtime/pkg/oci" vc "github.com/kata-containers/kata-containers/src/runtime/virtcontainers" vf "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/factory" + vcAnnotations "github.com/kata-containers/kata-containers/src/runtime/virtcontainers/pkg/annotations" specs "github.com/opencontainers/runtime-spec/specs-go" ) @@ -162,6 +163,10 @@ func CreateSandbox(ctx context.Context, vci vc.VC, ociSpec specs.Spec, runtimeCo ociSpec.Annotations["nerdctl/network-namespace"] = sandboxConfig.NetworkConfig.NetworkID sandboxConfig.Annotations["nerdctl/network-namespace"] = ociSpec.Annotations["nerdctl/network-namespace"] + // The value of this annotation is sent to the sandbox using SetPolicy. + delete(ociSpec.Annotations, vcAnnotations.Policy) + delete(sandboxConfig.Annotations, vcAnnotations.Policy) + sandbox, err := vci.CreateSandbox(ctx, sandboxConfig, func(ctx context.Context) error { // Run pre-start OCI hooks, in the runtime namespace. if err := PreStartHooks(ctx, ociSpec, containerID, bundlePath); err != nil { @@ -228,6 +233,9 @@ func CreateContainer(ctx context.Context, sandbox vc.VCSandbox, ociSpec specs.Sp katatrace.AddTags(span, "container_id", containerID) defer span.End() + // The value of this annotation is sent to the sandbox using SetPolicy. + delete(ociSpec.Annotations, vcAnnotations.Policy) + ociSpec = SetEphemeralStorageType(ociSpec, disableGuestEmptyDir) contConfig, err := oci.ContainerConfig(ociSpec, bundlePath, containerID, disableOutput) diff --git a/src/runtime/pkg/oci/utils.go b/src/runtime/pkg/oci/utils.go index 1ec4fc5bf9..21864d94bd 100644 --- a/src/runtime/pkg/oci/utils.go +++ b/src/runtime/pkg/oci/utils.go @@ -8,6 +8,7 @@ package oci import ( "context" + "encoding/base64" "encoding/json" "errors" "fmt" @@ -908,10 +909,24 @@ func addRuntimeConfigOverrides(ocispec specs.Spec, sbConfig *vc.SandboxConfig, r func addAgentConfigOverrides(ocispec specs.Spec, config *vc.SandboxConfig) error { c := config.AgentConfig + updateConfig := false if value, ok := ocispec.Annotations[vcAnnotations.KernelModules]; ok { modules := strings.Split(value, KernelModulesSeparator) c.KernelModules = modules + updateConfig = true + } + + if value, ok := ocispec.Annotations[vcAnnotations.Policy]; ok { + if decoded_rules, err := base64.StdEncoding.DecodeString(value); err == nil { + c.Policy = string(decoded_rules) + updateConfig = true + } else { + return err + } + } + + if updateConfig { config.AgentConfig = c } diff --git a/src/runtime/virtcontainers/agent.go b/src/runtime/virtcontainers/agent.go index 8f0aca26ee..2596ea7181 100644 --- a/src/runtime/virtcontainers/agent.go +++ b/src/runtime/virtcontainers/agent.go @@ -208,4 +208,7 @@ type agent interface { // setIPTables sets the iptables from the guest setIPTables(ctx context.Context, isIPv6 bool, data []byte) error + + // setPolicy sends a new policy to the guest agent + setPolicy(ctx context.Context, policy string) error } diff --git a/src/runtime/virtcontainers/kata_agent.go b/src/runtime/virtcontainers/kata_agent.go index 810deeee54..ec830facd5 100644 --- a/src/runtime/virtcontainers/kata_agent.go +++ b/src/runtime/virtcontainers/kata_agent.go @@ -150,6 +150,7 @@ const ( grpcResizeVolumeRequest = "grpc.ResizeVolumeRequest" grpcGetIPTablesRequest = "grpc.GetIPTablesRequest" grpcSetIPTablesRequest = "grpc.SetIPTablesRequest" + grpcSetPolicyRequest = "grpc.SetPolicyRequest" ) // newKataAgent returns an agent from an agent type. @@ -275,6 +276,7 @@ type KataAgentConfig struct { Debug bool Trace bool EnableDebugConsole bool + Policy string } // KataAgentState is the structure describing the data stored from this @@ -747,6 +749,13 @@ func (k *kataAgent) startSandbox(ctx context.Context, sandbox *Sandbox) error { return err } + // If a Policy has been specified, send it to the agent. + if len(sandbox.config.AgentConfig.Policy) > 0 { + if err := sandbox.agent.setPolicy(ctx, sandbox.config.AgentConfig.Policy); err != nil { + return err + } + } + // Setup network interfaces and routes interfaces, routes, neighs, err := generateVCNetworkStructures(ctx, sandbox.network) if err != nil { @@ -2081,6 +2090,9 @@ func (k *kataAgent) installReqFunc(c *kataclient.AgentClient) { k.reqHandlers[grpcRemoveStaleVirtiofsShareMountsRequest] = func(ctx context.Context, req interface{}) (interface{}, error) { return k.client.AgentServiceClient.RemoveStaleVirtiofsShareMounts(ctx, req.(*grpc.RemoveStaleVirtiofsShareMountsRequest)) } + k.reqHandlers[grpcSetPolicyRequest] = func(ctx context.Context, req interface{}) (interface{}, error) { + return k.client.AgentServiceClient.SetPolicy(ctx, req.(*grpc.SetPolicyRequest)) + } } func (k *kataAgent) getReqContext(ctx context.Context, reqName string) (newCtx context.Context, cancel context.CancelFunc) { @@ -2339,3 +2351,8 @@ func (k *kataAgent) resizeGuestVolume(ctx context.Context, volumeGuestPath strin _, err := k.sendReq(ctx, &grpc.ResizeVolumeRequest{VolumeGuestPath: volumeGuestPath, Size_: size}) return err } + +func (k *kataAgent) setPolicy(ctx context.Context, policy string) error { + _, err := k.sendReq(ctx, &grpc.SetPolicyRequest{Policy: policy}) + return err +} diff --git a/src/runtime/virtcontainers/mock_agent.go b/src/runtime/virtcontainers/mock_agent.go index 5d6b0f9d62..4fdd2b1ae4 100644 --- a/src/runtime/virtcontainers/mock_agent.go +++ b/src/runtime/virtcontainers/mock_agent.go @@ -267,3 +267,7 @@ func (k *mockAgent) getIPTables(ctx context.Context, isIPv6 bool) ([]byte, error func (k *mockAgent) setIPTables(ctx context.Context, isIPv6 bool, data []byte) error { return nil } + +func (k *mockAgent) setPolicy(ctx context.Context, policy string) error { + return nil +} diff --git a/src/runtime/virtcontainers/pkg/agent/protocols/grpc/agent.pb.go b/src/runtime/virtcontainers/pkg/agent/protocols/grpc/agent.pb.go index 3a1b7c607f..e6d8be46f7 100644 --- a/src/runtime/virtcontainers/pkg/agent/protocols/grpc/agent.pb.go +++ b/src/runtime/virtcontainers/pkg/agent/protocols/grpc/agent.pb.go @@ -1,5 +1,5 @@ // Code generated by protoc-gen-gogo. DO NOT EDIT. -// source: agent.proto +// source: github.com/kata-containers/kata-containers/src/libs/protocols/protos/agent.proto package grpc @@ -50,7 +50,7 @@ type CreateContainerRequest struct { func (m *CreateContainerRequest) Reset() { *m = CreateContainerRequest{} } func (*CreateContainerRequest) ProtoMessage() {} func (*CreateContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{0} + return fileDescriptor_712ce9a559fda969, []int{0} } func (m *CreateContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -89,7 +89,7 @@ type StartContainerRequest struct { func (m *StartContainerRequest) Reset() { *m = StartContainerRequest{} } func (*StartContainerRequest) ProtoMessage() {} func (*StartContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{1} + return fileDescriptor_712ce9a559fda969, []int{1} } func (m *StartContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -134,7 +134,7 @@ type RemoveContainerRequest struct { func (m *RemoveContainerRequest) Reset() { *m = RemoveContainerRequest{} } func (*RemoveContainerRequest) ProtoMessage() {} func (*RemoveContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{2} + return fileDescriptor_712ce9a559fda969, []int{2} } func (m *RemoveContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -176,7 +176,7 @@ type ExecProcessRequest struct { func (m *ExecProcessRequest) Reset() { *m = ExecProcessRequest{} } func (*ExecProcessRequest) ProtoMessage() {} func (*ExecProcessRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{3} + return fileDescriptor_712ce9a559fda969, []int{3} } func (m *ExecProcessRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -220,7 +220,7 @@ type SignalProcessRequest struct { func (m *SignalProcessRequest) Reset() { *m = SignalProcessRequest{} } func (*SignalProcessRequest) ProtoMessage() {} func (*SignalProcessRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{4} + return fileDescriptor_712ce9a559fda969, []int{4} } func (m *SignalProcessRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -260,7 +260,7 @@ type WaitProcessRequest struct { func (m *WaitProcessRequest) Reset() { *m = WaitProcessRequest{} } func (*WaitProcessRequest) ProtoMessage() {} func (*WaitProcessRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{5} + return fileDescriptor_712ce9a559fda969, []int{5} } func (m *WaitProcessRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -299,7 +299,7 @@ type WaitProcessResponse struct { func (m *WaitProcessResponse) Reset() { *m = WaitProcessResponse{} } func (*WaitProcessResponse) ProtoMessage() {} func (*WaitProcessResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{6} + return fileDescriptor_712ce9a559fda969, []int{6} } func (m *WaitProcessResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -339,7 +339,7 @@ type UpdateContainerRequest struct { func (m *UpdateContainerRequest) Reset() { *m = UpdateContainerRequest{} } func (*UpdateContainerRequest) ProtoMessage() {} func (*UpdateContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{7} + return fileDescriptor_712ce9a559fda969, []int{7} } func (m *UpdateContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -378,7 +378,7 @@ type StatsContainerRequest struct { func (m *StatsContainerRequest) Reset() { *m = StatsContainerRequest{} } func (*StatsContainerRequest) ProtoMessage() {} func (*StatsContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{8} + return fileDescriptor_712ce9a559fda969, []int{8} } func (m *StatsContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -417,7 +417,7 @@ type PauseContainerRequest struct { func (m *PauseContainerRequest) Reset() { *m = PauseContainerRequest{} } func (*PauseContainerRequest) ProtoMessage() {} func (*PauseContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{9} + return fileDescriptor_712ce9a559fda969, []int{9} } func (m *PauseContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -456,7 +456,7 @@ type ResumeContainerRequest struct { func (m *ResumeContainerRequest) Reset() { *m = ResumeContainerRequest{} } func (*ResumeContainerRequest) ProtoMessage() {} func (*ResumeContainerRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{10} + return fileDescriptor_712ce9a559fda969, []int{10} } func (m *ResumeContainerRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -498,7 +498,7 @@ type CpuUsage struct { func (m *CpuUsage) Reset() { *m = CpuUsage{} } func (*CpuUsage) ProtoMessage() {} func (*CpuUsage) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{11} + return fileDescriptor_712ce9a559fda969, []int{11} } func (m *CpuUsage) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -539,7 +539,7 @@ type ThrottlingData struct { func (m *ThrottlingData) Reset() { *m = ThrottlingData{} } func (*ThrottlingData) ProtoMessage() {} func (*ThrottlingData) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{12} + return fileDescriptor_712ce9a559fda969, []int{12} } func (m *ThrottlingData) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -579,7 +579,7 @@ type CpuStats struct { func (m *CpuStats) Reset() { *m = CpuStats{} } func (*CpuStats) ProtoMessage() {} func (*CpuStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{13} + return fileDescriptor_712ce9a559fda969, []int{13} } func (m *CpuStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -619,7 +619,7 @@ type PidsStats struct { func (m *PidsStats) Reset() { *m = PidsStats{} } func (*PidsStats) ProtoMessage() {} func (*PidsStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{14} + return fileDescriptor_712ce9a559fda969, []int{14} } func (m *PidsStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -661,7 +661,7 @@ type MemoryData struct { func (m *MemoryData) Reset() { *m = MemoryData{} } func (*MemoryData) ProtoMessage() {} func (*MemoryData) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{15} + return fileDescriptor_712ce9a559fda969, []int{15} } func (m *MemoryData) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -705,7 +705,7 @@ type MemoryStats struct { func (m *MemoryStats) Reset() { *m = MemoryStats{} } func (*MemoryStats) ProtoMessage() {} func (*MemoryStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{16} + return fileDescriptor_712ce9a559fda969, []int{16} } func (m *MemoryStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -747,7 +747,7 @@ type BlkioStatsEntry struct { func (m *BlkioStatsEntry) Reset() { *m = BlkioStatsEntry{} } func (*BlkioStatsEntry) ProtoMessage() {} func (*BlkioStatsEntry) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{17} + return fileDescriptor_712ce9a559fda969, []int{17} } func (m *BlkioStatsEntry) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -793,7 +793,7 @@ type BlkioStats struct { func (m *BlkioStats) Reset() { *m = BlkioStats{} } func (*BlkioStats) ProtoMessage() {} func (*BlkioStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{18} + return fileDescriptor_712ce9a559fda969, []int{18} } func (m *BlkioStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -834,7 +834,7 @@ type HugetlbStats struct { func (m *HugetlbStats) Reset() { *m = HugetlbStats{} } func (*HugetlbStats) ProtoMessage() {} func (*HugetlbStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{19} + return fileDescriptor_712ce9a559fda969, []int{19} } func (m *HugetlbStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -877,7 +877,7 @@ type CgroupStats struct { func (m *CgroupStats) Reset() { *m = CgroupStats{} } func (*CgroupStats) ProtoMessage() {} func (*CgroupStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{20} + return fileDescriptor_712ce9a559fda969, []int{20} } func (m *CgroupStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -924,7 +924,7 @@ type NetworkStats struct { func (m *NetworkStats) Reset() { *m = NetworkStats{} } func (*NetworkStats) ProtoMessage() {} func (*NetworkStats) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{21} + return fileDescriptor_712ce9a559fda969, []int{21} } func (m *NetworkStats) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -964,7 +964,7 @@ type StatsContainerResponse struct { func (m *StatsContainerResponse) Reset() { *m = StatsContainerResponse{} } func (*StatsContainerResponse) ProtoMessage() {} func (*StatsContainerResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{22} + return fileDescriptor_712ce9a559fda969, []int{22} } func (m *StatsContainerResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1005,7 +1005,7 @@ type WriteStreamRequest struct { func (m *WriteStreamRequest) Reset() { *m = WriteStreamRequest{} } func (*WriteStreamRequest) ProtoMessage() {} func (*WriteStreamRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{23} + return fileDescriptor_712ce9a559fda969, []int{23} } func (m *WriteStreamRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1044,7 +1044,7 @@ type WriteStreamResponse struct { func (m *WriteStreamResponse) Reset() { *m = WriteStreamResponse{} } func (*WriteStreamResponse) ProtoMessage() {} func (*WriteStreamResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{24} + return fileDescriptor_712ce9a559fda969, []int{24} } func (m *WriteStreamResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1085,7 +1085,7 @@ type ReadStreamRequest struct { func (m *ReadStreamRequest) Reset() { *m = ReadStreamRequest{} } func (*ReadStreamRequest) ProtoMessage() {} func (*ReadStreamRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{25} + return fileDescriptor_712ce9a559fda969, []int{25} } func (m *ReadStreamRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1124,7 +1124,7 @@ type ReadStreamResponse struct { func (m *ReadStreamResponse) Reset() { *m = ReadStreamResponse{} } func (*ReadStreamResponse) ProtoMessage() {} func (*ReadStreamResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{26} + return fileDescriptor_712ce9a559fda969, []int{26} } func (m *ReadStreamResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1164,7 +1164,7 @@ type CloseStdinRequest struct { func (m *CloseStdinRequest) Reset() { *m = CloseStdinRequest{} } func (*CloseStdinRequest) ProtoMessage() {} func (*CloseStdinRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{27} + return fileDescriptor_712ce9a559fda969, []int{27} } func (m *CloseStdinRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1206,7 +1206,7 @@ type TtyWinResizeRequest struct { func (m *TtyWinResizeRequest) Reset() { *m = TtyWinResizeRequest{} } func (*TtyWinResizeRequest) ProtoMessage() {} func (*TtyWinResizeRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{28} + return fileDescriptor_712ce9a559fda969, []int{28} } func (m *TtyWinResizeRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1249,7 +1249,7 @@ type KernelModule struct { func (m *KernelModule) Reset() { *m = KernelModule{} } func (*KernelModule) ProtoMessage() {} func (*KernelModule) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{29} + return fileDescriptor_712ce9a559fda969, []int{29} } func (m *KernelModule) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1304,7 +1304,7 @@ type CreateSandboxRequest struct { func (m *CreateSandboxRequest) Reset() { *m = CreateSandboxRequest{} } func (*CreateSandboxRequest) ProtoMessage() {} func (*CreateSandboxRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{30} + return fileDescriptor_712ce9a559fda969, []int{30} } func (m *CreateSandboxRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1342,7 +1342,7 @@ type DestroySandboxRequest struct { func (m *DestroySandboxRequest) Reset() { *m = DestroySandboxRequest{} } func (*DestroySandboxRequest) ProtoMessage() {} func (*DestroySandboxRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{31} + return fileDescriptor_712ce9a559fda969, []int{31} } func (m *DestroySandboxRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1380,7 +1380,7 @@ type RemoveStaleVirtiofsShareMountsRequest struct { func (m *RemoveStaleVirtiofsShareMountsRequest) Reset() { *m = RemoveStaleVirtiofsShareMountsRequest{} } func (*RemoveStaleVirtiofsShareMountsRequest) ProtoMessage() {} func (*RemoveStaleVirtiofsShareMountsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{32} + return fileDescriptor_712ce9a559fda969, []int{32} } func (m *RemoveStaleVirtiofsShareMountsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1419,7 +1419,7 @@ type Interfaces struct { func (m *Interfaces) Reset() { *m = Interfaces{} } func (*Interfaces) ProtoMessage() {} func (*Interfaces) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{33} + return fileDescriptor_712ce9a559fda969, []int{33} } func (m *Interfaces) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1458,7 +1458,7 @@ type Routes struct { func (m *Routes) Reset() { *m = Routes{} } func (*Routes) ProtoMessage() {} func (*Routes) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{34} + return fileDescriptor_712ce9a559fda969, []int{34} } func (m *Routes) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1497,7 +1497,7 @@ type UpdateInterfaceRequest struct { func (m *UpdateInterfaceRequest) Reset() { *m = UpdateInterfaceRequest{} } func (*UpdateInterfaceRequest) ProtoMessage() {} func (*UpdateInterfaceRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{35} + return fileDescriptor_712ce9a559fda969, []int{35} } func (m *UpdateInterfaceRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1536,7 +1536,7 @@ type UpdateRoutesRequest struct { func (m *UpdateRoutesRequest) Reset() { *m = UpdateRoutesRequest{} } func (*UpdateRoutesRequest) ProtoMessage() {} func (*UpdateRoutesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{36} + return fileDescriptor_712ce9a559fda969, []int{36} } func (m *UpdateRoutesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1575,7 +1575,7 @@ type UpdateEphemeralMountsRequest struct { func (m *UpdateEphemeralMountsRequest) Reset() { *m = UpdateEphemeralMountsRequest{} } func (*UpdateEphemeralMountsRequest) ProtoMessage() {} func (*UpdateEphemeralMountsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{37} + return fileDescriptor_712ce9a559fda969, []int{37} } func (m *UpdateEphemeralMountsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1613,7 +1613,7 @@ type ListInterfacesRequest struct { func (m *ListInterfacesRequest) Reset() { *m = ListInterfacesRequest{} } func (*ListInterfacesRequest) ProtoMessage() {} func (*ListInterfacesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{38} + return fileDescriptor_712ce9a559fda969, []int{38} } func (m *ListInterfacesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1651,7 +1651,7 @@ type ListRoutesRequest struct { func (m *ListRoutesRequest) Reset() { *m = ListRoutesRequest{} } func (*ListRoutesRequest) ProtoMessage() {} func (*ListRoutesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{39} + return fileDescriptor_712ce9a559fda969, []int{39} } func (m *ListRoutesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1690,7 +1690,7 @@ type ARPNeighbors struct { func (m *ARPNeighbors) Reset() { *m = ARPNeighbors{} } func (*ARPNeighbors) ProtoMessage() {} func (*ARPNeighbors) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{40} + return fileDescriptor_712ce9a559fda969, []int{40} } func (m *ARPNeighbors) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1729,7 +1729,7 @@ type AddARPNeighborsRequest struct { func (m *AddARPNeighborsRequest) Reset() { *m = AddARPNeighborsRequest{} } func (*AddARPNeighborsRequest) ProtoMessage() {} func (*AddARPNeighborsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{41} + return fileDescriptor_712ce9a559fda969, []int{41} } func (m *AddARPNeighborsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1768,7 +1768,7 @@ type GetIPTablesRequest struct { func (m *GetIPTablesRequest) Reset() { *m = GetIPTablesRequest{} } func (*GetIPTablesRequest) ProtoMessage() {} func (*GetIPTablesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{42} + return fileDescriptor_712ce9a559fda969, []int{42} } func (m *GetIPTablesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1808,7 +1808,7 @@ type GetIPTablesResponse struct { func (m *GetIPTablesResponse) Reset() { *m = GetIPTablesResponse{} } func (*GetIPTablesResponse) ProtoMessage() {} func (*GetIPTablesResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{43} + return fileDescriptor_712ce9a559fda969, []int{43} } func (m *GetIPTablesResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1850,7 +1850,7 @@ type SetIPTablesRequest struct { func (m *SetIPTablesRequest) Reset() { *m = SetIPTablesRequest{} } func (*SetIPTablesRequest) ProtoMessage() {} func (*SetIPTablesRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{44} + return fileDescriptor_712ce9a559fda969, []int{44} } func (m *SetIPTablesRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1890,7 +1890,7 @@ type SetIPTablesResponse struct { func (m *SetIPTablesResponse) Reset() { *m = SetIPTablesResponse{} } func (*SetIPTablesResponse) ProtoMessage() {} func (*SetIPTablesResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{45} + return fileDescriptor_712ce9a559fda969, []int{45} } func (m *SetIPTablesResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1937,7 +1937,7 @@ type OnlineCPUMemRequest struct { func (m *OnlineCPUMemRequest) Reset() { *m = OnlineCPUMemRequest{} } func (*OnlineCPUMemRequest) ProtoMessage() {} func (*OnlineCPUMemRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{46} + return fileDescriptor_712ce9a559fda969, []int{46} } func (m *OnlineCPUMemRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -1977,7 +1977,7 @@ type ReseedRandomDevRequest struct { func (m *ReseedRandomDevRequest) Reset() { *m = ReseedRandomDevRequest{} } func (*ReseedRandomDevRequest) ProtoMessage() {} func (*ReseedRandomDevRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{47} + return fileDescriptor_712ce9a559fda969, []int{47} } func (m *ReseedRandomDevRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2027,7 +2027,7 @@ type AgentDetails struct { func (m *AgentDetails) Reset() { *m = AgentDetails{} } func (*AgentDetails) ProtoMessage() {} func (*AgentDetails) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{48} + return fileDescriptor_712ce9a559fda969, []int{48} } func (m *AgentDetails) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2073,7 +2073,7 @@ type GuestDetailsRequest struct { func (m *GuestDetailsRequest) Reset() { *m = GuestDetailsRequest{} } func (*GuestDetailsRequest) ProtoMessage() {} func (*GuestDetailsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{49} + return fileDescriptor_712ce9a559fda969, []int{49} } func (m *GuestDetailsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2115,7 +2115,7 @@ type GuestDetailsResponse struct { func (m *GuestDetailsResponse) Reset() { *m = GuestDetailsResponse{} } func (*GuestDetailsResponse) ProtoMessage() {} func (*GuestDetailsResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{50} + return fileDescriptor_712ce9a559fda969, []int{50} } func (m *GuestDetailsResponse) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2156,7 +2156,7 @@ type MemHotplugByProbeRequest struct { func (m *MemHotplugByProbeRequest) Reset() { *m = MemHotplugByProbeRequest{} } func (*MemHotplugByProbeRequest) ProtoMessage() {} func (*MemHotplugByProbeRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{51} + return fileDescriptor_712ce9a559fda969, []int{51} } func (m *MemHotplugByProbeRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2198,7 +2198,7 @@ type SetGuestDateTimeRequest struct { func (m *SetGuestDateTimeRequest) Reset() { *m = SetGuestDateTimeRequest{} } func (*SetGuestDateTimeRequest) ProtoMessage() {} func (*SetGuestDateTimeRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{52} + return fileDescriptor_712ce9a559fda969, []int{52} } func (m *SetGuestDateTimeRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2244,7 +2244,7 @@ type FSGroup struct { func (m *FSGroup) Reset() { *m = FSGroup{} } func (*FSGroup) ProtoMessage() {} func (*FSGroup) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{53} + return fileDescriptor_712ce9a559fda969, []int{53} } func (m *FSGroup) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2312,7 +2312,7 @@ type Storage struct { func (m *Storage) Reset() { *m = Storage{} } func (*Storage) ProtoMessage() {} func (*Storage) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{54} + return fileDescriptor_712ce9a559fda969, []int{54} } func (m *Storage) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2383,7 +2383,7 @@ type Device struct { func (m *Device) Reset() { *m = Device{} } func (*Device) ProtoMessage() {} func (*Device) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{55} + return fileDescriptor_712ce9a559fda969, []int{55} } func (m *Device) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2424,7 +2424,7 @@ type StringUser struct { func (m *StringUser) Reset() { *m = StringUser{} } func (*StringUser) ProtoMessage() {} func (*StringUser) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{56} + return fileDescriptor_712ce9a559fda969, []int{56} } func (m *StringUser) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2481,7 +2481,7 @@ type CopyFileRequest struct { func (m *CopyFileRequest) Reset() { *m = CopyFileRequest{} } func (*CopyFileRequest) ProtoMessage() {} func (*CopyFileRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{57} + return fileDescriptor_712ce9a559fda969, []int{57} } func (m *CopyFileRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2519,7 +2519,7 @@ type GetOOMEventRequest struct { func (m *GetOOMEventRequest) Reset() { *m = GetOOMEventRequest{} } func (*GetOOMEventRequest) ProtoMessage() {} func (*GetOOMEventRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{58} + return fileDescriptor_712ce9a559fda969, []int{58} } func (m *GetOOMEventRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2558,7 +2558,7 @@ type OOMEvent struct { func (m *OOMEvent) Reset() { *m = OOMEvent{} } func (*OOMEvent) ProtoMessage() {} func (*OOMEvent) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{59} + return fileDescriptor_712ce9a559fda969, []int{59} } func (m *OOMEvent) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2597,7 +2597,7 @@ type AddSwapRequest struct { func (m *AddSwapRequest) Reset() { *m = AddSwapRequest{} } func (*AddSwapRequest) ProtoMessage() {} func (*AddSwapRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{60} + return fileDescriptor_712ce9a559fda969, []int{60} } func (m *AddSwapRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2635,7 +2635,7 @@ type GetMetricsRequest struct { func (m *GetMetricsRequest) Reset() { *m = GetMetricsRequest{} } func (*GetMetricsRequest) ProtoMessage() {} func (*GetMetricsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{61} + return fileDescriptor_712ce9a559fda969, []int{61} } func (m *GetMetricsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2674,7 +2674,7 @@ type Metrics struct { func (m *Metrics) Reset() { *m = Metrics{} } func (*Metrics) ProtoMessage() {} func (*Metrics) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{62} + return fileDescriptor_712ce9a559fda969, []int{62} } func (m *Metrics) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2714,7 +2714,7 @@ type VolumeStatsRequest struct { func (m *VolumeStatsRequest) Reset() { *m = VolumeStatsRequest{} } func (*VolumeStatsRequest) ProtoMessage() {} func (*VolumeStatsRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{63} + return fileDescriptor_712ce9a559fda969, []int{63} } func (m *VolumeStatsRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2755,7 +2755,7 @@ type ResizeVolumeRequest struct { func (m *ResizeVolumeRequest) Reset() { *m = ResizeVolumeRequest{} } func (*ResizeVolumeRequest) ProtoMessage() {} func (*ResizeVolumeRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_56ede974c0020f77, []int{64} + return fileDescriptor_712ce9a559fda969, []int{64} } func (m *ResizeVolumeRequest) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) @@ -2784,6 +2784,45 @@ func (m *ResizeVolumeRequest) XXX_DiscardUnknown() { var xxx_messageInfo_ResizeVolumeRequest proto.InternalMessageInfo +type SetPolicyRequest struct { + Policy string `protobuf:"bytes,1,opt,name=policy,proto3" json:"policy,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *SetPolicyRequest) Reset() { *m = SetPolicyRequest{} } +func (*SetPolicyRequest) ProtoMessage() {} +func (*SetPolicyRequest) Descriptor() ([]byte, []int) { + return fileDescriptor_712ce9a559fda969, []int{65} +} +func (m *SetPolicyRequest) XXX_Unmarshal(b []byte) error { + return m.Unmarshal(b) +} +func (m *SetPolicyRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + if deterministic { + return xxx_messageInfo_SetPolicyRequest.Marshal(b, m, deterministic) + } else { + b = b[:cap(b)] + n, err := m.MarshalToSizedBuffer(b) + if err != nil { + return nil, err + } + return b[:n], nil + } +} +func (m *SetPolicyRequest) XXX_Merge(src proto.Message) { + xxx_messageInfo_SetPolicyRequest.Merge(m, src) +} +func (m *SetPolicyRequest) XXX_Size() int { + return m.Size() +} +func (m *SetPolicyRequest) XXX_DiscardUnknown() { + xxx_messageInfo_SetPolicyRequest.DiscardUnknown(m) +} + +var xxx_messageInfo_SetPolicyRequest proto.InternalMessageInfo + func init() { proto.RegisterType((*CreateContainerRequest)(nil), "grpc.CreateContainerRequest") proto.RegisterType((*StartContainerRequest)(nil), "grpc.StartContainerRequest") @@ -2852,217 +2891,223 @@ func init() { proto.RegisterType((*Metrics)(nil), "grpc.Metrics") proto.RegisterType((*VolumeStatsRequest)(nil), "grpc.VolumeStatsRequest") proto.RegisterType((*ResizeVolumeRequest)(nil), "grpc.ResizeVolumeRequest") + proto.RegisterType((*SetPolicyRequest)(nil), "grpc.SetPolicyRequest") } -func init() { proto.RegisterFile("agent.proto", fileDescriptor_56ede974c0020f77) } +func init() { + proto.RegisterFile("github.com/kata-containers/kata-containers/src/libs/protocols/protos/agent.proto", fileDescriptor_712ce9a559fda969) +} -var fileDescriptor_56ede974c0020f77 = []byte{ - // 3275 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x3a, 0x4b, 0x6f, 0x1c, 0x47, - 0x73, 0xdf, 0x3e, 0xc8, 0xdd, 0xad, 0x7d, 0x71, 0x87, 0x14, 0xb5, 0x5a, 0xeb, 0xa3, 0xe5, 0x91, - 0x25, 0x51, 0x76, 0x44, 0xda, 0xb2, 0x61, 0xf9, 0x01, 0x47, 0x21, 0x29, 0x9a, 0xa4, 0x6d, 0x5a, - 0x9b, 0x59, 0xd1, 0x0e, 0x12, 0x24, 0x83, 0xe1, 0x4c, 0x73, 0xb7, 0xcd, 0x9d, 0xe9, 0x71, 0x4f, - 0x0f, 0x45, 0x3a, 0x40, 0x90, 0x43, 0x90, 0xdc, 0x72, 0xcc, 0x2d, 0x7f, 0x20, 0xc8, 0x3f, 0xc8, - 0x35, 0x07, 0x23, 0xa7, 0x1c, 0x73, 0x49, 0x10, 0xeb, 0x27, 0xe4, 0x17, 0x04, 0xfd, 0x9a, 0xc7, - 0xbe, 0x64, 0x10, 0x02, 0xbe, 0xcb, 0x62, 0xba, 0xba, 0xba, 0x5e, 0x5d, 0x5d, 0x5d, 0x55, 0xbd, - 0x50, 0x77, 0x86, 0x28, 0x60, 0x5b, 0x21, 0x25, 0x8c, 0x18, 0xe5, 0x21, 0x0d, 0xdd, 0x5e, 0x8d, - 0xb8, 0x58, 0x02, 0x7a, 0x35, 0x37, 0xd2, 0x9f, 0x75, 0x76, 0x15, 0xa2, 0x48, 0x0d, 0xde, 0x1a, - 0x12, 0x32, 0x1c, 0xa3, 0x6d, 0x31, 0x3a, 0x8d, 0xcf, 0xb6, 0x91, 0x1f, 0xb2, 0x2b, 0x39, 0x69, - 0xfe, 0x73, 0x11, 0xd6, 0xf7, 0x28, 0x72, 0x18, 0xda, 0x23, 0x01, 0x73, 0x70, 0x80, 0xa8, 0x85, - 0x7e, 0x8a, 0x51, 0xc4, 0x8c, 0x77, 0xa0, 0xe1, 0x6a, 0x98, 0x8d, 0xbd, 0x6e, 0xe1, 0x4e, 0x61, - 0xb3, 0x66, 0xd5, 0x13, 0xd8, 0x91, 0x67, 0xdc, 0x84, 0x0a, 0xba, 0x44, 0x2e, 0x9f, 0x2d, 0x8a, - 0xd9, 0x65, 0x3e, 0x3c, 0xf2, 0x8c, 0x0f, 0xa1, 0x1e, 0x31, 0x8a, 0x83, 0xa1, 0x1d, 0x47, 0x88, - 0x76, 0x4b, 0x77, 0x0a, 0x9b, 0xf5, 0xc7, 0x2b, 0x5b, 0x5c, 0xe4, 0xad, 0x81, 0x98, 0x38, 0x89, - 0x10, 0xb5, 0x20, 0x4a, 0xbe, 0x8d, 0xfb, 0x50, 0xf1, 0xd0, 0x05, 0x76, 0x51, 0xd4, 0x2d, 0xdf, - 0x29, 0x6d, 0xd6, 0x1f, 0x37, 0x24, 0xfa, 0x33, 0x01, 0xb4, 0xf4, 0xa4, 0xf1, 0x10, 0xaa, 0x11, - 0x23, 0xd4, 0x19, 0xa2, 0xa8, 0xbb, 0x24, 0x10, 0x9b, 0x9a, 0xae, 0x80, 0x5a, 0xc9, 0xb4, 0x71, - 0x1b, 0x4a, 0xcf, 0xf7, 0x8e, 0xba, 0xcb, 0x82, 0x3b, 0x28, 0xac, 0x10, 0xb9, 0x16, 0x07, 0x1b, - 0x77, 0xa1, 0x19, 0x39, 0x81, 0x77, 0x4a, 0x2e, 0xed, 0x10, 0x7b, 0x41, 0xd4, 0xad, 0xdc, 0x29, - 0x6c, 0x56, 0xad, 0x86, 0x02, 0xf6, 0x39, 0xcc, 0xfc, 0x1c, 0x6e, 0x0c, 0x98, 0x43, 0xd9, 0x35, - 0xac, 0x63, 0x9e, 0xc0, 0xba, 0x85, 0x7c, 0x72, 0x71, 0x2d, 0xd3, 0x76, 0xa1, 0xc2, 0xb0, 0x8f, - 0x48, 0xcc, 0x84, 0x69, 0x9b, 0x96, 0x1e, 0x9a, 0xff, 0x5a, 0x00, 0x63, 0xff, 0x12, 0xb9, 0x7d, - 0x4a, 0x5c, 0x14, 0x45, 0x7f, 0xa0, 0xed, 0x7a, 0x00, 0x95, 0x50, 0x0a, 0xd0, 0x2d, 0x0b, 0x74, - 0xb5, 0x0b, 0x5a, 0x2a, 0x3d, 0x6b, 0xfe, 0x08, 0x6b, 0x03, 0x3c, 0x0c, 0x9c, 0xf1, 0x1b, 0x94, - 0x77, 0x1d, 0x96, 0x23, 0x41, 0x53, 0x88, 0xda, 0xb4, 0xd4, 0xc8, 0xec, 0x83, 0xf1, 0x83, 0x83, - 0xd9, 0x9b, 0xe3, 0x64, 0x3e, 0x82, 0xd5, 0x1c, 0xc5, 0x28, 0x24, 0x41, 0x84, 0x84, 0x00, 0xcc, - 0x61, 0x71, 0x24, 0x88, 0x2d, 0x59, 0x6a, 0x64, 0x12, 0x58, 0x3f, 0x09, 0xbd, 0x6b, 0x9e, 0xa6, - 0xc7, 0x50, 0xa3, 0x28, 0x22, 0x31, 0xe5, 0x67, 0xa0, 0x28, 0x8c, 0xba, 0x26, 0x8d, 0xfa, 0x2d, - 0x0e, 0xe2, 0x4b, 0x4b, 0xcf, 0x59, 0x29, 0x9a, 0xf2, 0x4f, 0x16, 0x5d, 0xc7, 0x3f, 0x3f, 0x87, - 0x1b, 0x7d, 0x27, 0x8e, 0xae, 0x23, 0xab, 0xf9, 0x05, 0xf7, 0xed, 0x28, 0xf6, 0xaf, 0xb5, 0xf8, - 0x5f, 0x0a, 0x50, 0xdd, 0x0b, 0xe3, 0x93, 0xc8, 0x19, 0x22, 0xe3, 0x6d, 0xa8, 0x33, 0xc2, 0x9c, - 0xb1, 0x1d, 0xf3, 0xa1, 0x40, 0x2f, 0x5b, 0x20, 0x40, 0x12, 0xe1, 0x1d, 0x68, 0x84, 0x88, 0xba, - 0x61, 0xac, 0x30, 0x8a, 0x77, 0x4a, 0x9b, 0x65, 0xab, 0x2e, 0x61, 0x12, 0x65, 0x0b, 0x56, 0xc5, - 0x9c, 0x8d, 0x03, 0xfb, 0x1c, 0xd1, 0x00, 0x8d, 0x7d, 0xe2, 0x21, 0xe1, 0x1c, 0x65, 0xab, 0x23, - 0xa6, 0x8e, 0x82, 0x6f, 0x92, 0x09, 0xe3, 0x3d, 0xe8, 0x24, 0xf8, 0xdc, 0xe3, 0x05, 0x76, 0x59, - 0x60, 0xb7, 0x15, 0xf6, 0x89, 0x02, 0x9b, 0x7f, 0x03, 0xad, 0x17, 0x23, 0x4a, 0x18, 0x1b, 0xe3, - 0x60, 0xf8, 0xcc, 0x61, 0x0e, 0x3f, 0x9a, 0x21, 0xa2, 0x98, 0x78, 0x91, 0x92, 0x56, 0x0f, 0x8d, - 0xf7, 0xa1, 0xc3, 0x24, 0x2e, 0xf2, 0x6c, 0x8d, 0x53, 0x14, 0x38, 0x2b, 0xc9, 0x44, 0x5f, 0x21, - 0xdf, 0x83, 0x56, 0x8a, 0xcc, 0x0f, 0xb7, 0x92, 0xb7, 0x99, 0x40, 0x5f, 0x60, 0x1f, 0x99, 0x17, - 0xc2, 0x56, 0x62, 0x93, 0x8d, 0xf7, 0xa1, 0x96, 0xda, 0xa1, 0x20, 0x3c, 0xa4, 0x25, 0x3d, 0x44, - 0x9b, 0xd3, 0xaa, 0x26, 0x46, 0xf9, 0x12, 0xda, 0x2c, 0x11, 0xdc, 0xf6, 0x1c, 0xe6, 0xe4, 0x9d, - 0x2a, 0xaf, 0x95, 0xd5, 0x62, 0xb9, 0xb1, 0xf9, 0x05, 0xd4, 0xfa, 0xd8, 0x8b, 0x24, 0xe3, 0x2e, - 0x54, 0xdc, 0x98, 0x52, 0x14, 0x30, 0xad, 0xb2, 0x1a, 0x1a, 0x6b, 0xb0, 0x34, 0xc6, 0x3e, 0x66, - 0x4a, 0x4d, 0x39, 0x30, 0x09, 0xc0, 0x31, 0xf2, 0x09, 0xbd, 0x12, 0x06, 0x5b, 0x83, 0xa5, 0xec, - 0xe6, 0xca, 0x81, 0xf1, 0x16, 0xd4, 0x7c, 0xe7, 0x32, 0xd9, 0x54, 0x3e, 0x53, 0xf5, 0x9d, 0x4b, - 0x29, 0x7c, 0x17, 0x2a, 0x67, 0x0e, 0x1e, 0xbb, 0x01, 0x53, 0x56, 0xd1, 0xc3, 0x94, 0x61, 0x39, - 0xcb, 0xf0, 0xdf, 0x8b, 0x50, 0x97, 0x1c, 0xa5, 0xc0, 0x6b, 0xb0, 0xe4, 0x3a, 0xee, 0x28, 0x61, - 0x29, 0x06, 0xc6, 0x7d, 0x2d, 0x48, 0x31, 0x1b, 0xe1, 0x52, 0x49, 0xb5, 0x68, 0xdb, 0x00, 0xd1, - 0x4b, 0x27, 0x54, 0xb2, 0x95, 0xe6, 0x20, 0xd7, 0x38, 0x8e, 0x14, 0xf7, 0x23, 0x68, 0x48, 0xbf, - 0x53, 0x4b, 0xca, 0x73, 0x96, 0xd4, 0x25, 0x96, 0x5c, 0x74, 0x17, 0x9a, 0x71, 0x84, 0xec, 0x11, - 0x46, 0xd4, 0xa1, 0xee, 0xe8, 0xaa, 0xbb, 0x24, 0x2f, 0xa0, 0x38, 0x42, 0x87, 0x1a, 0x66, 0x3c, - 0x86, 0x25, 0x1e, 0x5b, 0xa2, 0xee, 0xb2, 0xb8, 0xeb, 0x6e, 0x67, 0x49, 0x0a, 0x55, 0xb7, 0xc4, - 0xef, 0x7e, 0xc0, 0xe8, 0x95, 0x25, 0x51, 0x7b, 0x9f, 0x02, 0xa4, 0x40, 0x63, 0x05, 0x4a, 0xe7, - 0xe8, 0x4a, 0x9d, 0x43, 0xfe, 0xc9, 0x8d, 0x73, 0xe1, 0x8c, 0x63, 0x6d, 0x75, 0x39, 0xf8, 0xbc, - 0xf8, 0x69, 0xc1, 0x74, 0xa1, 0xbd, 0x3b, 0x3e, 0xc7, 0x24, 0xb3, 0x7c, 0x0d, 0x96, 0x7c, 0xe7, - 0x47, 0x42, 0xb5, 0x25, 0xc5, 0x40, 0x40, 0x71, 0x40, 0xa8, 0x26, 0x21, 0x06, 0x46, 0x0b, 0x8a, - 0x24, 0x14, 0xf6, 0xaa, 0x59, 0x45, 0x12, 0xa6, 0x8c, 0xca, 0x19, 0x46, 0xe6, 0xff, 0x94, 0x01, - 0x52, 0x2e, 0x86, 0x05, 0x3d, 0x4c, 0xec, 0x08, 0x51, 0x7e, 0xbf, 0xdb, 0xa7, 0x57, 0x0c, 0x45, - 0x36, 0x45, 0x6e, 0x4c, 0x23, 0x7c, 0xc1, 0xf7, 0x8f, 0xab, 0x7d, 0x43, 0xaa, 0x3d, 0x21, 0x9b, - 0x75, 0x13, 0x93, 0x81, 0x5c, 0xb7, 0xcb, 0x97, 0x59, 0x7a, 0x95, 0x71, 0x04, 0x37, 0x52, 0x9a, - 0x5e, 0x86, 0x5c, 0x71, 0x11, 0xb9, 0xd5, 0x84, 0x9c, 0x97, 0x92, 0xda, 0x87, 0x55, 0x4c, 0xec, - 0x9f, 0x62, 0x14, 0xe7, 0x08, 0x95, 0x16, 0x11, 0xea, 0x60, 0xf2, 0xa7, 0x62, 0x41, 0x4a, 0xa6, - 0x0f, 0xb7, 0x32, 0x5a, 0xf2, 0xe3, 0x9e, 0x21, 0x56, 0x5e, 0x44, 0x6c, 0x3d, 0x91, 0x8a, 0xc7, - 0x83, 0x94, 0xe2, 0xd7, 0xb0, 0x8e, 0x89, 0xfd, 0xd2, 0xc1, 0x6c, 0x92, 0xdc, 0xd2, 0x6b, 0x94, - 0xe4, 0x37, 0x5a, 0x9e, 0x96, 0x54, 0xd2, 0x47, 0x74, 0x98, 0x53, 0x72, 0xf9, 0x35, 0x4a, 0x1e, - 0x8b, 0x05, 0x29, 0x99, 0x1d, 0xe8, 0x60, 0x32, 0x29, 0x4d, 0x65, 0x11, 0x91, 0x36, 0x26, 0x79, - 0x49, 0x76, 0xa1, 0x13, 0x21, 0x97, 0x11, 0x9a, 0x75, 0x82, 0xea, 0x22, 0x12, 0x2b, 0x0a, 0x3f, - 0xa1, 0x61, 0xfe, 0x05, 0x34, 0x0e, 0xe3, 0x21, 0x62, 0xe3, 0xd3, 0x24, 0x18, 0xbc, 0xb1, 0xf8, - 0x63, 0xfe, 0x5f, 0x11, 0xea, 0x7b, 0x43, 0x4a, 0xe2, 0x30, 0x17, 0x93, 0xe5, 0x21, 0x9d, 0x8c, - 0xc9, 0x02, 0x45, 0xc4, 0x64, 0x89, 0xfc, 0x31, 0x34, 0x7c, 0x71, 0x74, 0x15, 0xbe, 0x8c, 0x43, - 0x9d, 0xa9, 0x43, 0x6d, 0xd5, 0xfd, 0x4c, 0x30, 0xdb, 0x02, 0x08, 0xb1, 0x17, 0xa9, 0x35, 0x32, - 0x1c, 0xb5, 0x55, 0xba, 0xa5, 0x43, 0xb4, 0x55, 0x0b, 0x93, 0x68, 0xfd, 0x21, 0xd4, 0x4f, 0xb9, - 0x91, 0xd4, 0x82, 0x5c, 0x30, 0x4a, 0xad, 0x67, 0xc1, 0x69, 0x7a, 0x08, 0x0f, 0xa1, 0x39, 0x92, - 0x26, 0x53, 0x8b, 0xa4, 0x0f, 0xdd, 0x55, 0x9a, 0xa4, 0xfa, 0x6e, 0x65, 0x2d, 0x2b, 0x37, 0xa0, - 0x31, 0xca, 0x80, 0x7a, 0x03, 0xe8, 0x4c, 0xa1, 0xcc, 0x88, 0x41, 0x9b, 0xd9, 0x18, 0x54, 0x7f, - 0x6c, 0x48, 0x46, 0xd9, 0x95, 0xd9, 0xb8, 0xf4, 0x8f, 0x45, 0x68, 0x7c, 0x87, 0xd8, 0x4b, 0x42, - 0xcf, 0xa5, 0xbc, 0x06, 0x94, 0x03, 0xc7, 0x47, 0x8a, 0xa2, 0xf8, 0x36, 0x6e, 0x41, 0x95, 0x5e, - 0xca, 0x00, 0xa2, 0xf6, 0xb3, 0x42, 0x2f, 0x45, 0x60, 0x30, 0x7e, 0x0f, 0x40, 0x2f, 0xed, 0xd0, - 0x71, 0xcf, 0x91, 0xb2, 0x60, 0xd9, 0xaa, 0xd1, 0xcb, 0xbe, 0x04, 0x70, 0x57, 0xa0, 0x97, 0x36, - 0xa2, 0x94, 0xd0, 0x48, 0xc5, 0xaa, 0x2a, 0xbd, 0xdc, 0x17, 0x63, 0xb5, 0xd6, 0xa3, 0x24, 0x0c, - 0x91, 0x27, 0x62, 0xb4, 0x58, 0xfb, 0x4c, 0x02, 0x38, 0x57, 0xa6, 0xb9, 0x2e, 0x4b, 0xae, 0x2c, - 0xe5, 0xca, 0x52, 0xae, 0x15, 0xb9, 0x92, 0x65, 0xb9, 0xb2, 0x84, 0x6b, 0x55, 0x72, 0x65, 0x19, - 0xae, 0x2c, 0xe5, 0x5a, 0xd3, 0x6b, 0x15, 0x57, 0xf3, 0x1f, 0x0a, 0xb0, 0x3e, 0x99, 0xf8, 0xa9, - 0xdc, 0xf4, 0x63, 0x68, 0xb8, 0x62, 0xbf, 0x72, 0x3e, 0xd9, 0x99, 0xda, 0x49, 0xab, 0xee, 0x66, - 0xdc, 0xf8, 0x09, 0x34, 0x03, 0x69, 0xe0, 0xc4, 0x35, 0x4b, 0xe9, 0xbe, 0x64, 0x6d, 0x6f, 0x35, - 0x82, 0xcc, 0xc8, 0xf4, 0xc0, 0xf8, 0x81, 0x62, 0x86, 0x06, 0x8c, 0x22, 0xc7, 0x7f, 0x13, 0xd9, - 0xbd, 0x01, 0x65, 0x91, 0xad, 0xf0, 0x6d, 0x6a, 0x58, 0xe2, 0xdb, 0x7c, 0x00, 0xab, 0x39, 0x2e, - 0x4a, 0xd7, 0x15, 0x28, 0x8d, 0x51, 0x20, 0xa8, 0x37, 0x2d, 0xfe, 0x69, 0x3a, 0xd0, 0xb1, 0x90, - 0xe3, 0xbd, 0x39, 0x69, 0x14, 0x8b, 0x52, 0xca, 0x62, 0x13, 0x8c, 0x2c, 0x0b, 0x25, 0x8a, 0x96, - 0xba, 0x90, 0x91, 0xfa, 0x39, 0x74, 0xf6, 0xc6, 0x24, 0x42, 0x03, 0xe6, 0xe1, 0xe0, 0x4d, 0x94, - 0x23, 0x7f, 0x0d, 0xab, 0x2f, 0xd8, 0xd5, 0x0f, 0x9c, 0x58, 0x84, 0x7f, 0x46, 0x6f, 0x48, 0x3f, - 0x4a, 0x5e, 0x6a, 0xfd, 0x28, 0x79, 0xc9, 0x8b, 0x1b, 0x97, 0x8c, 0x63, 0x3f, 0x10, 0x47, 0xa1, - 0x69, 0xa9, 0x91, 0xb9, 0x0b, 0x0d, 0x99, 0x43, 0x1f, 0x13, 0x2f, 0x1e, 0xa3, 0x99, 0x67, 0x70, - 0x03, 0x20, 0x74, 0xa8, 0xe3, 0x23, 0x86, 0xa8, 0xf4, 0xa1, 0x9a, 0x95, 0x81, 0x98, 0xff, 0x54, - 0x84, 0x35, 0xd9, 0x6f, 0x18, 0xc8, 0x32, 0x5b, 0xab, 0xd0, 0x83, 0xea, 0x88, 0x44, 0x2c, 0x43, - 0x30, 0x19, 0x73, 0x11, 0x79, 0x7d, 0x2e, 0xa9, 0xf1, 0xcf, 0x5c, 0x13, 0xa0, 0xb4, 0xb8, 0x09, - 0x30, 0x55, 0xe6, 0x97, 0xa7, 0xcb, 0x7c, 0x7e, 0xda, 0x34, 0x12, 0x96, 0x67, 0xbc, 0x66, 0xd5, - 0x14, 0xe4, 0xc8, 0x33, 0xee, 0x43, 0x7b, 0xc8, 0xa5, 0xb4, 0x47, 0x84, 0x9c, 0xdb, 0xa1, 0xc3, - 0x46, 0xe2, 0xa8, 0xd7, 0xac, 0xa6, 0x00, 0x1f, 0x12, 0x72, 0xde, 0x77, 0xd8, 0xc8, 0xf8, 0x0c, - 0x5a, 0x2a, 0x0d, 0xf4, 0x85, 0x89, 0x22, 0x75, 0xf9, 0xa9, 0x53, 0x94, 0xb5, 0x9e, 0xd5, 0x3c, - 0xcf, 0x8c, 0x22, 0xf3, 0x26, 0xdc, 0x78, 0x86, 0x22, 0x46, 0xc9, 0x55, 0xde, 0x30, 0xe6, 0x03, - 0xb8, 0x27, 0xbb, 0x08, 0x03, 0xe6, 0x8c, 0xd1, 0xf7, 0x98, 0x32, 0x4c, 0xce, 0xa2, 0xc1, 0xc8, - 0xa1, 0xe8, 0x98, 0xc4, 0x01, 0xd3, 0x65, 0xae, 0xf9, 0xc7, 0x00, 0x47, 0x01, 0x43, 0xf4, 0xcc, - 0x71, 0x51, 0x64, 0x7c, 0x90, 0x1d, 0xa9, 0x2c, 0x6a, 0x65, 0x4b, 0xf6, 0x85, 0x92, 0x09, 0x2b, - 0x83, 0x63, 0x6e, 0xc1, 0xb2, 0x45, 0x62, 0x1e, 0xb7, 0xde, 0xd5, 0x5f, 0x6a, 0x5d, 0x43, 0xad, - 0x13, 0x40, 0x4b, 0xcd, 0x99, 0x87, 0xba, 0xd6, 0x4d, 0xc9, 0xa9, 0xbd, 0xdc, 0x82, 0x1a, 0xd6, - 0x30, 0x15, 0x7e, 0xa6, 0x59, 0xa7, 0x28, 0xe6, 0x17, 0xb0, 0x2a, 0x29, 0x49, 0xca, 0x9a, 0xcc, - 0xbb, 0xb0, 0x4c, 0xb5, 0x18, 0x85, 0xb4, 0x21, 0xa4, 0x90, 0xd4, 0x9c, 0x79, 0x04, 0xb7, 0xe5, - 0xe2, 0xfd, 0x70, 0x84, 0x7c, 0x44, 0x9d, 0x71, 0xce, 0x2c, 0x39, 0x57, 0x29, 0x2c, 0x74, 0x15, - 0xbe, 0x07, 0xdf, 0xe2, 0x88, 0xa5, 0x36, 0xd1, 0xa6, 0x5d, 0x85, 0x0e, 0x9f, 0xc8, 0x89, 0x67, - 0x7e, 0x05, 0x8d, 0x1d, 0xab, 0xff, 0x1d, 0xc2, 0xc3, 0xd1, 0x29, 0x8f, 0xd8, 0x9f, 0xe4, 0xc7, - 0x8a, 0x99, 0xa1, 0x14, 0xcf, 0x4c, 0x59, 0x39, 0x3c, 0xf3, 0x6b, 0x58, 0xdf, 0xf1, 0xbc, 0x2c, - 0x48, 0x8b, 0xfe, 0x01, 0xd4, 0x82, 0x0c, 0xb9, 0xcc, 0x3d, 0x99, 0xc3, 0x4e, 0x91, 0xcc, 0x47, - 0x60, 0x1c, 0x20, 0x76, 0xd4, 0x7f, 0xe1, 0x9c, 0x8e, 0x53, 0x43, 0xde, 0x84, 0x0a, 0x8e, 0x6c, - 0x1c, 0x5e, 0x7c, 0x22, 0xa8, 0x54, 0xad, 0x65, 0x1c, 0x1d, 0x85, 0x17, 0x9f, 0x98, 0x0f, 0x61, - 0x35, 0x87, 0xbe, 0x20, 0x94, 0xed, 0x80, 0x31, 0xf8, 0xed, 0x94, 0x13, 0x12, 0xc5, 0x0c, 0x89, - 0x87, 0xb0, 0x3a, 0xf8, 0x8d, 0xdc, 0xfe, 0x12, 0x56, 0x9f, 0x07, 0x63, 0x1c, 0xa0, 0xbd, 0xfe, - 0xc9, 0x31, 0x4a, 0xe2, 0xb8, 0x01, 0x65, 0x9e, 0xef, 0x2a, 0x5e, 0xe2, 0x9b, 0x8b, 0x10, 0x9c, - 0xda, 0x6e, 0x18, 0x47, 0xaa, 0x51, 0xb6, 0x1c, 0x9c, 0xee, 0x85, 0x71, 0xc4, 0x2f, 0x66, 0x9e, - 0x98, 0x91, 0x60, 0x7c, 0x25, 0xa2, 0x5b, 0xd5, 0xaa, 0xb8, 0x61, 0xfc, 0x3c, 0x18, 0x5f, 0x99, - 0x7f, 0x24, 0xba, 0x17, 0x08, 0x79, 0x96, 0x13, 0x78, 0xc4, 0x7f, 0x86, 0x2e, 0x32, 0x1c, 0xa6, - 0xe4, 0xfe, 0xa5, 0x00, 0x8d, 0x9d, 0x21, 0x0a, 0xd8, 0x33, 0xc4, 0x1c, 0x3c, 0x16, 0xd5, 0xf0, - 0x05, 0xa2, 0x11, 0x26, 0x81, 0x0a, 0x55, 0x7a, 0x68, 0xbc, 0x0d, 0x75, 0x1c, 0x60, 0x66, 0x7b, - 0x0e, 0xf2, 0x49, 0x20, 0xa8, 0x54, 0x2d, 0xe0, 0xa0, 0x67, 0x02, 0x62, 0x3c, 0x80, 0xb6, 0x6c, - 0x64, 0xda, 0x23, 0x27, 0xf0, 0xc6, 0x3c, 0x48, 0x96, 0x44, 0x58, 0x6b, 0x49, 0xf0, 0xa1, 0x82, - 0x1a, 0x0f, 0x61, 0x45, 0xf9, 0x65, 0x8a, 0x59, 0x16, 0x98, 0x6d, 0x05, 0xcf, 0xa1, 0xc6, 0x61, - 0x48, 0x28, 0x8b, 0xec, 0x08, 0xb9, 0x2e, 0xf1, 0x43, 0x55, 0x4a, 0xb6, 0x35, 0x7c, 0x20, 0xc1, - 0xe6, 0x10, 0x56, 0x0f, 0xb8, 0x9e, 0x4a, 0x93, 0xf4, 0xa4, 0xb5, 0x7c, 0xe4, 0xdb, 0xa7, 0x63, - 0xe2, 0x9e, 0xdb, 0xfc, 0x62, 0x51, 0x16, 0xe6, 0xc9, 0xea, 0x2e, 0x07, 0x0e, 0xf0, 0xcf, 0xa2, - 0x6b, 0xc2, 0xb1, 0x46, 0x84, 0x85, 0xe3, 0x78, 0x68, 0x87, 0x94, 0x9c, 0x22, 0xa5, 0x62, 0xdb, - 0x47, 0xfe, 0xa1, 0x84, 0xf7, 0x39, 0xd8, 0xfc, 0xb7, 0x02, 0xac, 0xe5, 0x39, 0xa9, 0xdd, 0xde, - 0x86, 0xb5, 0x3c, 0x2b, 0x95, 0x3a, 0xc9, 0xd4, 0xbc, 0x93, 0x65, 0x28, 0x93, 0xa8, 0x27, 0xd0, - 0x14, 0x6d, 0x6f, 0xdb, 0x93, 0x94, 0xf2, 0x09, 0x63, 0x76, 0x5f, 0xac, 0x86, 0x93, 0xdd, 0xa5, - 0xcf, 0xe0, 0x96, 0x52, 0xdf, 0x9e, 0x16, 0x5b, 0x3a, 0xc4, 0xba, 0x42, 0x38, 0x9e, 0x90, 0xfe, - 0x5b, 0xe8, 0xa6, 0xa0, 0xdd, 0x2b, 0x01, 0x4c, 0x0f, 0xe5, 0xea, 0x84, 0xb2, 0x3b, 0x9e, 0x47, - 0xc5, 0x69, 0x2f, 0x5b, 0xb3, 0xa6, 0xcc, 0xa7, 0x70, 0x73, 0x80, 0x98, 0xb4, 0x86, 0xc3, 0x54, - 0x15, 0x27, 0x89, 0xad, 0x40, 0x69, 0x80, 0x5c, 0xa1, 0x7c, 0xc9, 0xe2, 0x9f, 0xdc, 0x01, 0x4f, - 0x22, 0xe4, 0x0a, 0x2d, 0x4b, 0x96, 0xf8, 0x36, 0x43, 0xa8, 0x7c, 0x35, 0x38, 0xe0, 0xb9, 0x1a, - 0x77, 0x6a, 0x99, 0xdb, 0xa9, 0x7b, 0xbc, 0x69, 0x55, 0xc4, 0xf8, 0xc8, 0x33, 0xbe, 0x86, 0x55, - 0x39, 0xe5, 0x8e, 0x9c, 0x60, 0x88, 0xec, 0x90, 0x8c, 0xb1, 0x2b, 0x5d, 0xbf, 0xf5, 0xb8, 0xa7, - 0xc2, 0x90, 0xa2, 0xb3, 0x27, 0x50, 0xfa, 0x02, 0xc3, 0xea, 0x0c, 0x27, 0x41, 0xe6, 0x7f, 0x17, - 0xa0, 0xa2, 0xe2, 0x23, 0x4f, 0x07, 0x3c, 0x8a, 0x2f, 0x10, 0x55, 0xce, 0xae, 0x46, 0xc6, 0x3d, - 0x68, 0xc9, 0x2f, 0x9b, 0x84, 0x0c, 0x93, 0xe4, 0x82, 0x6e, 0x4a, 0xe8, 0x73, 0x09, 0x14, 0xad, - 0x52, 0xd1, 0xac, 0x54, 0x7d, 0x01, 0x35, 0xe2, 0xf0, 0xb3, 0x88, 0x0b, 0x25, 0x2e, 0xe4, 0x9a, - 0xa5, 0x46, 0xfc, 0x70, 0x69, 0x7a, 0x4b, 0x82, 0x9e, 0x1e, 0xf2, 0xc3, 0xe5, 0xf3, 0xd0, 0x6e, - 0x87, 0x04, 0x07, 0x4c, 0xdd, 0xc0, 0x20, 0x40, 0x7d, 0x0e, 0x31, 0x36, 0xa1, 0x7a, 0x16, 0xd9, - 0x42, 0x1b, 0x91, 0x6d, 0x27, 0xa1, 0x5e, 0x69, 0x6d, 0x55, 0xce, 0x22, 0xf1, 0x61, 0xfe, 0x7d, - 0x01, 0x96, 0xe5, 0xc3, 0x82, 0xd1, 0x82, 0x62, 0x92, 0x31, 0x15, 0xb1, 0xc8, 0x3e, 0x85, 0x54, - 0x32, 0x4b, 0x12, 0xdf, 0x3c, 0xc6, 0x5c, 0xf8, 0xf2, 0xde, 0x57, 0x4a, 0x5c, 0xf8, 0xe2, 0xc2, - 0xbf, 0x07, 0xad, 0x34, 0xf1, 0x12, 0xf3, 0x52, 0x99, 0x66, 0x02, 0x15, 0x68, 0x73, 0x75, 0x32, - 0xff, 0x0c, 0x20, 0x6d, 0xb0, 0x73, 0x77, 0x88, 0x13, 0x61, 0xf8, 0x27, 0x87, 0x0c, 0x93, 0x94, - 0x8d, 0x7f, 0x1a, 0xf7, 0xa1, 0xe5, 0x78, 0x1e, 0xe6, 0xcb, 0x9d, 0xf1, 0x01, 0xf6, 0x92, 0x00, - 0x92, 0x87, 0x9a, 0xff, 0x51, 0x80, 0xf6, 0x1e, 0x09, 0xaf, 0xbe, 0xc2, 0x63, 0x94, 0x89, 0x6e, - 0x42, 0x48, 0x95, 0xb1, 0xf1, 0x6f, 0x5e, 0x85, 0x9c, 0xe1, 0x31, 0x92, 0xc7, 0x5e, 0x7a, 0x5d, - 0x95, 0x03, 0xc4, 0x91, 0xd7, 0x93, 0x49, 0x3b, 0xb5, 0x29, 0x27, 0x8f, 0x89, 0x27, 0xea, 0x2d, - 0x0f, 0x53, 0x3b, 0x69, 0x9e, 0x36, 0xad, 0x8a, 0x87, 0xa9, 0x98, 0x52, 0x8a, 0x2c, 0x89, 0xe6, - 0x78, 0x56, 0x91, 0x65, 0x09, 0xe1, 0x8a, 0xac, 0xc3, 0x32, 0x39, 0x3b, 0x8b, 0x10, 0x13, 0x7b, - 0x55, 0xb2, 0xd4, 0x28, 0x09, 0xc1, 0xd5, 0x4c, 0x08, 0x5e, 0x13, 0xf7, 0xda, 0xf3, 0xe7, 0xc7, - 0xfb, 0x17, 0x28, 0x60, 0xfa, 0x06, 0x7e, 0x04, 0x55, 0x0d, 0xfa, 0x2d, 0x6d, 0xe7, 0xf7, 0xa0, - 0xb5, 0xe3, 0x79, 0x83, 0x97, 0x4e, 0xa8, 0xed, 0xd1, 0x85, 0x4a, 0x7f, 0xef, 0xa8, 0x2f, 0x4d, - 0x52, 0xe2, 0x0a, 0xa8, 0x21, 0xbf, 0xf1, 0x0f, 0x10, 0x3b, 0x46, 0x8c, 0x62, 0x37, 0xb9, 0xf1, - 0xef, 0x42, 0x45, 0x41, 0xf8, 0x4a, 0x5f, 0x7e, 0xea, 0x2b, 0x40, 0x0d, 0xcd, 0x3f, 0x01, 0xe3, - 0x7b, 0x9e, 0x2f, 0x23, 0x59, 0x2c, 0x29, 0x4e, 0xef, 0x41, 0xe7, 0x42, 0x40, 0x6d, 0x99, 0x48, - 0x66, 0xb6, 0xa1, 0x2d, 0x27, 0x44, 0x7c, 0x10, 0xbc, 0x4f, 0x60, 0x55, 0xa6, 0xf7, 0x92, 0xce, - 0x35, 0x48, 0x70, 0x1b, 0x26, 0xfb, 0x59, 0xb6, 0xc4, 0xf7, 0xe3, 0xbf, 0x5b, 0x53, 0xd7, 0x98, - 0xea, 0x26, 0x19, 0x07, 0xd0, 0x9e, 0x78, 0xfa, 0x33, 0x54, 0x7b, 0x71, 0xf6, 0x8b, 0x60, 0x6f, - 0x7d, 0x4b, 0x3e, 0x25, 0x6e, 0xe9, 0xa7, 0xc4, 0xad, 0x7d, 0x3f, 0x64, 0x57, 0xc6, 0x3e, 0xb4, - 0xf2, 0x8f, 0x64, 0xc6, 0x5b, 0x3a, 0xc5, 0x9a, 0xf1, 0x74, 0x36, 0x97, 0xcc, 0x01, 0xb4, 0x27, - 0xde, 0xcb, 0xb4, 0x3c, 0xb3, 0x9f, 0xd1, 0xe6, 0x12, 0x7a, 0x0a, 0xf5, 0xcc, 0x03, 0x99, 0xd1, - 0x95, 0x44, 0xa6, 0xdf, 0xcc, 0xe6, 0x12, 0xd8, 0x83, 0x66, 0xee, 0xcd, 0xca, 0xe8, 0x29, 0x7d, - 0x66, 0x3c, 0x64, 0xcd, 0x25, 0xb2, 0x0b, 0xf5, 0xcc, 0xd3, 0x91, 0x96, 0x62, 0xfa, 0x7d, 0xaa, - 0x77, 0x6b, 0xc6, 0x8c, 0xba, 0x2d, 0x0f, 0xa0, 0x3d, 0xf1, 0x9e, 0xa4, 0x4d, 0x32, 0xfb, 0x99, - 0x69, 0xae, 0x30, 0x03, 0xb8, 0x31, 0x33, 0x4b, 0x36, 0xcc, 0x2c, 0xb9, 0xd9, 0x29, 0xf4, 0x5c, - 0xa2, 0xdf, 0x88, 0x7d, 0xcf, 0xf4, 0x20, 0x32, 0xfb, 0x3e, 0xfd, 0x24, 0xd5, 0xbb, 0x3d, 0x7b, - 0x52, 0xa9, 0xba, 0x0f, 0xad, 0xfc, 0x6b, 0x94, 0x26, 0x36, 0xf3, 0x8d, 0x6a, 0xb1, 0x13, 0xe5, - 0x1e, 0xa6, 0x52, 0x27, 0x9a, 0xf5, 0x5e, 0x35, 0x97, 0x10, 0x82, 0x8d, 0xc5, 0x75, 0x97, 0xf1, - 0x7e, 0xd6, 0x39, 0x5f, 0x53, 0x9d, 0xcd, 0x65, 0xb3, 0x03, 0xa0, 0x1a, 0x1b, 0x1e, 0x0e, 0x12, - 0x27, 0x99, 0x6a, 0xa8, 0x24, 0x4e, 0x32, 0xa3, 0x09, 0xf2, 0x14, 0x40, 0xf6, 0x23, 0x3c, 0x12, - 0x33, 0xe3, 0xa6, 0x96, 0x6a, 0xa2, 0x09, 0xd2, 0xeb, 0x4e, 0x4f, 0x4c, 0x11, 0x40, 0x94, 0x5e, - 0x87, 0xc0, 0x97, 0x00, 0x69, 0x9f, 0x43, 0x13, 0x98, 0xea, 0x7c, 0x2c, 0xb0, 0x41, 0x23, 0xdb, - 0xd5, 0x30, 0x94, 0xae, 0x33, 0x3a, 0x1d, 0x0b, 0x48, 0xb4, 0x27, 0x8a, 0xd1, 0xfc, 0x41, 0x99, - 0xac, 0x51, 0x7b, 0x53, 0x05, 0xa9, 0xf1, 0x04, 0x1a, 0xd9, 0x2a, 0x54, 0x4b, 0x31, 0xa3, 0x32, - 0xed, 0xe5, 0x2a, 0x51, 0xe3, 0x29, 0xb4, 0xf2, 0x65, 0xa3, 0xf6, 0xdc, 0x99, 0xc5, 0x64, 0x4f, - 0x35, 0x62, 0x33, 0xe8, 0x1f, 0x01, 0xa4, 0xe5, 0xa5, 0x36, 0xdf, 0x54, 0xc1, 0x39, 0xc1, 0xf5, - 0x00, 0xda, 0x13, 0x65, 0xa3, 0xd6, 0x78, 0x76, 0x35, 0xb9, 0x28, 0x4e, 0x65, 0x8a, 0x40, 0xed, - 0x82, 0xd3, 0x65, 0xa4, 0x76, 0xc1, 0x59, 0x15, 0xe3, 0x2e, 0xd4, 0x07, 0xd3, 0x34, 0x06, 0x73, - 0x69, 0xcc, 0xaa, 0x03, 0x3f, 0x06, 0x48, 0xaf, 0x5c, 0x6d, 0x85, 0xa9, 0x4b, 0xb8, 0xd7, 0xd4, - 0xcd, 0x72, 0x89, 0xb7, 0x07, 0xcd, 0x5c, 0x3f, 0x49, 0x87, 0xea, 0x59, 0x4d, 0xa6, 0x45, 0x17, - 0x58, 0xbe, 0xf9, 0xa2, 0x77, 0x70, 0x66, 0x4b, 0x66, 0x91, 0x1f, 0x67, 0xab, 0x56, 0xed, 0x41, - 0x33, 0x2a, 0xd9, 0xd7, 0x84, 0xaf, 0x6c, 0x65, 0x9a, 0x09, 0x5f, 0x33, 0x0a, 0xd6, 0xb9, 0x84, - 0x0e, 0xa1, 0x7d, 0xa0, 0x8b, 0x0e, 0x55, 0x10, 0xe9, 0xfd, 0x9b, 0x2e, 0x00, 0x7b, 0xbd, 0x59, - 0x53, 0x6a, 0x5f, 0xbe, 0x81, 0xce, 0x54, 0x31, 0x64, 0x6c, 0x24, 0x4f, 0x16, 0x33, 0xab, 0xa4, - 0xb9, 0x62, 0x1d, 0xc1, 0xca, 0x64, 0x2d, 0x64, 0xfc, 0x3e, 0xf1, 0x89, 0x59, 0x35, 0xd2, 0x5c, - 0x52, 0x9f, 0x41, 0x55, 0xe7, 0xb7, 0x86, 0x7a, 0x1a, 0x9a, 0xc8, 0x77, 0xe7, 0x2e, 0x7d, 0x22, - 0x5c, 0x3e, 0xc9, 0x1d, 0x53, 0x97, 0x9f, 0xc8, 0x30, 0x7b, 0xea, 0x25, 0x27, 0xc1, 0x7c, 0x02, - 0x15, 0x95, 0x42, 0x1a, 0x6b, 0xc9, 0x61, 0xcb, 0x64, 0x94, 0x8b, 0x3c, 0xec, 0x00, 0xb1, 0x4c, - 0x62, 0xa8, 0x99, 0x4e, 0xe7, 0x8a, 0xfa, 0x8c, 0xe4, 0x66, 0xd4, 0x5e, 0xec, 0x40, 0x23, 0x9b, - 0x1a, 0xea, 0x2d, 0x9d, 0x91, 0x2e, 0xce, 0x93, 0x64, 0xf7, 0xf2, 0x97, 0x5f, 0x37, 0x7e, 0xf7, - 0x5f, 0xbf, 0x6e, 0xfc, 0xee, 0x6f, 0x5f, 0x6d, 0x14, 0x7e, 0x79, 0xb5, 0x51, 0xf8, 0xcf, 0x57, - 0x1b, 0x85, 0xff, 0x7d, 0xb5, 0x51, 0xf8, 0xf3, 0xbf, 0x1a, 0x62, 0x36, 0x8a, 0x4f, 0xb7, 0x5c, - 0xe2, 0x6f, 0x9f, 0x3b, 0xcc, 0x79, 0x94, 0x24, 0xcf, 0xd1, 0xd4, 0x38, 0xa2, 0xee, 0x36, 0x8d, - 0x03, 0x86, 0x7d, 0xb4, 0x7d, 0x81, 0x29, 0xcb, 0x4c, 0x85, 0xe7, 0xc3, 0x6d, 0x51, 0x88, 0xcb, - 0x7f, 0x9c, 0xb9, 0x64, 0x1c, 0x6d, 0x73, 0x29, 0x4f, 0x97, 0xc5, 0xf8, 0xa3, 0xff, 0x0f, 0x00, - 0x00, 0xff, 0xff, 0x76, 0x47, 0x9c, 0x5b, 0xc7, 0x26, 0x00, 0x00, +var fileDescriptor_712ce9a559fda969 = []byte{ + // 3320 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x3a, 0xcb, 0x6e, 0x1c, 0xc7, + 0x76, 0x77, 0x1e, 0xe4, 0xcc, 0x9c, 0x79, 0x71, 0x9a, 0x14, 0x35, 0x1a, 0xeb, 0xf2, 0xea, 0xb6, + 0xae, 0x24, 0x4a, 0x8e, 0xc8, 0x6b, 0xd9, 0xb0, 0x6c, 0x0b, 0x8e, 0x42, 0x52, 0x34, 0x49, 0xdb, + 0xb4, 0x26, 0x3d, 0xa2, 0x1d, 0x24, 0x48, 0x1a, 0xcd, 0xee, 0xe2, 0x4c, 0x99, 0xd3, 0x5d, 0xed, + 0xea, 0x6a, 0x8a, 0x74, 0x80, 0x20, 0xab, 0x64, 0x97, 0x65, 0x76, 0xf9, 0x81, 0x20, 0x7f, 0x90, + 0x55, 0x80, 0x2c, 0x8c, 0xac, 0xb2, 0xcc, 0x26, 0x41, 0xac, 0x4f, 0xc8, 0x17, 0x04, 0xf5, 0xea, + 0xc7, 0xbc, 0xe4, 0x10, 0x02, 0xb2, 0x19, 0x74, 0x9d, 0x3a, 0x75, 0x5e, 0x75, 0xea, 0xd4, 0x39, + 0xa7, 0x06, 0xfa, 0x43, 0xcc, 0x46, 0xf1, 0xe9, 0x96, 0x4b, 0xfc, 0xed, 0x73, 0x87, 0x39, 0x8f, + 0x5d, 0x12, 0x30, 0x07, 0x07, 0x88, 0x46, 0x53, 0xe3, 0x88, 0xba, 0xdb, 0x63, 0x7c, 0x1a, 0x6d, + 0x87, 0x94, 0x30, 0xe2, 0x92, 0xb1, 0xfa, 0x8a, 0xb6, 0x9d, 0x21, 0x0a, 0xd8, 0x96, 0x18, 0x18, + 0xe5, 0x21, 0x0d, 0xdd, 0x5e, 0x8d, 0xb8, 0x58, 0x02, 0x7a, 0x35, 0x37, 0xd2, 0x9f, 0x75, 0x76, + 0x15, 0xa2, 0x48, 0x0d, 0xde, 0x1b, 0x12, 0x32, 0x1c, 0x23, 0x49, 0xe3, 0x34, 0x3e, 0xdb, 0x46, + 0x7e, 0xc8, 0xae, 0xe4, 0xa4, 0xf9, 0x0f, 0x45, 0x58, 0xdf, 0xa3, 0xc8, 0x61, 0x68, 0x4f, 0x0b, + 0x60, 0xa1, 0x1f, 0x62, 0x14, 0x31, 0xe3, 0xb7, 0xd0, 0x48, 0x84, 0xb2, 0xb1, 0xd7, 0x2d, 0xdc, + 0x29, 0x6c, 0xd6, 0xac, 0x7a, 0x02, 0x3b, 0xf2, 0x8c, 0x9b, 0x50, 0x41, 0x97, 0xc8, 0xe5, 0xb3, + 0x45, 0x31, 0xbb, 0xcc, 0x87, 0x47, 0x9e, 0xf1, 0x01, 0xd4, 0x23, 0x46, 0x71, 0x30, 0xb4, 0xe3, + 0x08, 0xd1, 0x6e, 0xe9, 0x4e, 0x61, 0xb3, 0xfe, 0x64, 0x65, 0x8b, 0x8b, 0xbc, 0x35, 0x10, 0x13, + 0x27, 0x11, 0xa2, 0x16, 0x44, 0xc9, 0xb7, 0x71, 0x1f, 0x2a, 0x1e, 0xba, 0xc0, 0x2e, 0x8a, 0xba, + 0xe5, 0x3b, 0xa5, 0xcd, 0xfa, 0x93, 0x86, 0x44, 0x7f, 0x21, 0x80, 0x96, 0x9e, 0x34, 0x1e, 0x42, + 0x35, 0x62, 0x84, 0x3a, 0x43, 0x14, 0x75, 0x97, 0x04, 0x62, 0x53, 0xd3, 0x15, 0x50, 0x2b, 0x99, + 0x36, 0x6e, 0x43, 0xe9, 0xe5, 0xde, 0x51, 0x77, 0x59, 0x70, 0x07, 0x85, 0x15, 0x22, 0xd7, 0xe2, + 0x60, 0xe3, 0x2e, 0x34, 0x23, 0x27, 0xf0, 0x4e, 0xc9, 0xa5, 0x1d, 0x62, 0x2f, 0x88, 0xba, 0x95, + 0x3b, 0x85, 0xcd, 0xaa, 0xd5, 0x50, 0xc0, 0x3e, 0x87, 0x99, 0x9f, 0xc1, 0x8d, 0x01, 0x73, 0x28, + 0xbb, 0x86, 0x75, 0xcc, 0x13, 0x58, 0xb7, 0x90, 0x4f, 0x2e, 0xae, 0x65, 0xda, 0x2e, 0x54, 0x18, + 0xf6, 0x11, 0x89, 0x99, 0x30, 0x6d, 0xd3, 0xd2, 0x43, 0xf3, 0x9f, 0x0a, 0x60, 0xec, 0x5f, 0x22, + 0xb7, 0x4f, 0x89, 0x8b, 0xa2, 0xe8, 0xff, 0x69, 0xbb, 0x1e, 0x40, 0x25, 0x94, 0x02, 0x74, 0xcb, + 0x02, 0x5d, 0xed, 0x82, 0x96, 0x4a, 0xcf, 0x9a, 0xdf, 0xc3, 0xda, 0x00, 0x0f, 0x03, 0x67, 0xfc, + 0x0e, 0xe5, 0x5d, 0x87, 0xe5, 0x48, 0xd0, 0x14, 0xa2, 0x36, 0x2d, 0x35, 0x32, 0xfb, 0x60, 0x7c, + 0xe7, 0x60, 0xf6, 0xee, 0x38, 0x99, 0x8f, 0x61, 0x35, 0x47, 0x31, 0x0a, 0x49, 0x10, 0x21, 0x21, + 0x00, 0x73, 0x58, 0x1c, 0x09, 0x62, 0x4b, 0x96, 0x1a, 0x99, 0x04, 0xd6, 0x4f, 0x42, 0xef, 0x9a, + 0xa7, 0xe9, 0x09, 0xd4, 0x28, 0x8a, 0x48, 0x4c, 0xf9, 0x19, 0x28, 0x0a, 0xa3, 0xae, 0x49, 0xa3, + 0x7e, 0x8d, 0x83, 0xf8, 0xd2, 0xd2, 0x73, 0x56, 0x8a, 0xa6, 0xfc, 0x93, 0x45, 0xd7, 0xf1, 0xcf, + 0xcf, 0xe0, 0x46, 0xdf, 0x89, 0xa3, 0xeb, 0xc8, 0x6a, 0x3e, 0xe3, 0xbe, 0x1d, 0xc5, 0xfe, 0xb5, + 0x16, 0xff, 0x63, 0x01, 0xaa, 0x7b, 0x61, 0x7c, 0x12, 0x39, 0x43, 0x64, 0xfc, 0x06, 0xea, 0x8c, + 0x30, 0x67, 0x6c, 0xc7, 0x7c, 0x28, 0xd0, 0xcb, 0x16, 0x08, 0x90, 0x44, 0xf8, 0x2d, 0x34, 0x42, + 0x44, 0xdd, 0x30, 0x56, 0x18, 0xc5, 0x3b, 0xa5, 0xcd, 0xb2, 0x55, 0x97, 0x30, 0x89, 0xb2, 0x05, + 0xab, 0x62, 0xce, 0xc6, 0x81, 0x7d, 0x8e, 0x68, 0x80, 0xc6, 0x3e, 0xf1, 0x90, 0x70, 0x8e, 0xb2, + 0xd5, 0x11, 0x53, 0x47, 0xc1, 0x57, 0xc9, 0x84, 0xf1, 0x08, 0x3a, 0x09, 0x3e, 0xf7, 0x78, 0x81, + 0x5d, 0x16, 0xd8, 0x6d, 0x85, 0x7d, 0xa2, 0xc0, 0xe6, 0x5f, 0x41, 0xeb, 0xd5, 0x88, 0x12, 0xc6, + 0xc6, 0x38, 0x18, 0xbe, 0x70, 0x98, 0xc3, 0x8f, 0x66, 0x88, 0x28, 0x26, 0x5e, 0xa4, 0xa4, 0xd5, + 0x43, 0xe3, 0x7d, 0xe8, 0x30, 0x89, 0x8b, 0x3c, 0x5b, 0xe3, 0x14, 0x05, 0xce, 0x4a, 0x32, 0xd1, + 0x57, 0xc8, 0xf7, 0xa0, 0x95, 0x22, 0xf3, 0xc3, 0xad, 0xe4, 0x6d, 0x26, 0xd0, 0x57, 0xd8, 0x47, + 0xe6, 0x85, 0xb0, 0x95, 0xd8, 0x64, 0xe3, 0x7d, 0xa8, 0xa5, 0x76, 0x28, 0x08, 0x0f, 0x69, 0x49, + 0x0f, 0xd1, 0xe6, 0xb4, 0xaa, 0x89, 0x51, 0x3e, 0x87, 0x36, 0x4b, 0x04, 0xb7, 0x3d, 0x87, 0x39, + 0x79, 0xa7, 0xca, 0x6b, 0x65, 0xb5, 0x58, 0x6e, 0x6c, 0x3e, 0x83, 0x5a, 0x1f, 0x7b, 0x91, 0x64, + 0xdc, 0x85, 0x8a, 0x1b, 0x53, 0x8a, 0x02, 0xa6, 0x55, 0x56, 0x43, 0x63, 0x0d, 0x96, 0xc6, 0xd8, + 0xc7, 0x4c, 0xa9, 0x29, 0x07, 0x26, 0x01, 0x38, 0x46, 0x3e, 0xa1, 0x57, 0xc2, 0x60, 0x6b, 0xb0, + 0x94, 0xdd, 0x5c, 0x39, 0x30, 0xde, 0x83, 0x9a, 0xef, 0x5c, 0x26, 0x9b, 0xca, 0x67, 0xaa, 0xbe, + 0x73, 0x29, 0x85, 0xef, 0x42, 0xe5, 0xcc, 0xc1, 0x63, 0x37, 0x60, 0xca, 0x2a, 0x7a, 0x98, 0x32, + 0x2c, 0x67, 0x19, 0xfe, 0x6b, 0x11, 0xea, 0x92, 0xa3, 0x14, 0x78, 0x0d, 0x96, 0x5c, 0xc7, 0x1d, + 0x25, 0x2c, 0xc5, 0xc0, 0xb8, 0xaf, 0x05, 0x29, 0x66, 0x23, 0x5c, 0x2a, 0xa9, 0x16, 0x6d, 0x1b, + 0x20, 0x7a, 0xed, 0x84, 0x4a, 0xb6, 0xd2, 0x1c, 0xe4, 0x1a, 0xc7, 0x91, 0xe2, 0x7e, 0x08, 0x0d, + 0xe9, 0x77, 0x6a, 0x49, 0x79, 0xce, 0x92, 0xba, 0xc4, 0x92, 0x8b, 0xee, 0x42, 0x33, 0x8e, 0x90, + 0x3d, 0xc2, 0x88, 0x3a, 0xd4, 0x1d, 0x5d, 0x75, 0x97, 0xe4, 0x05, 0x14, 0x47, 0xe8, 0x50, 0xc3, + 0x8c, 0x27, 0xb0, 0xc4, 0x63, 0x4b, 0xd4, 0x5d, 0x16, 0x77, 0xdd, 0xed, 0x2c, 0x49, 0xa1, 0xea, + 0x96, 0xf8, 0xdd, 0x0f, 0x18, 0xbd, 0xb2, 0x24, 0x6a, 0xef, 0x13, 0x80, 0x14, 0x68, 0xac, 0x40, + 0xe9, 0x1c, 0x5d, 0xa9, 0x73, 0xc8, 0x3f, 0xb9, 0x71, 0x2e, 0x9c, 0x71, 0xac, 0xad, 0x2e, 0x07, + 0x9f, 0x15, 0x3f, 0x29, 0x98, 0x2e, 0xb4, 0x77, 0xc7, 0xe7, 0x98, 0x64, 0x96, 0xaf, 0xc1, 0x92, + 0xef, 0x7c, 0x4f, 0xa8, 0xb6, 0xa4, 0x18, 0x08, 0x28, 0x0e, 0x08, 0xd5, 0x24, 0xc4, 0xc0, 0x68, + 0x41, 0x91, 0x84, 0xc2, 0x5e, 0x35, 0xab, 0x48, 0xc2, 0x94, 0x51, 0x39, 0xc3, 0xc8, 0xfc, 0xaf, + 0x32, 0x40, 0xca, 0xc5, 0xb0, 0xa0, 0x87, 0x89, 0x1d, 0x21, 0xca, 0xef, 0x77, 0xfb, 0xf4, 0x8a, + 0xa1, 0xc8, 0xa6, 0xc8, 0x8d, 0x69, 0x84, 0x2f, 0xf8, 0xfe, 0x71, 0xb5, 0x6f, 0x48, 0xb5, 0x27, + 0x64, 0xb3, 0x6e, 0x62, 0x32, 0x90, 0xeb, 0x76, 0xf9, 0x32, 0x4b, 0xaf, 0x32, 0x8e, 0xe0, 0x46, + 0x4a, 0xd3, 0xcb, 0x90, 0x2b, 0x2e, 0x22, 0xb7, 0x9a, 0x90, 0xf3, 0x52, 0x52, 0xfb, 0xb0, 0x8a, + 0x89, 0xfd, 0x43, 0x8c, 0xe2, 0x1c, 0xa1, 0xd2, 0x22, 0x42, 0x1d, 0x4c, 0xfe, 0x58, 0x2c, 0x48, + 0xc9, 0xf4, 0xe1, 0x56, 0x46, 0x4b, 0x7e, 0xdc, 0x33, 0xc4, 0xca, 0x8b, 0x88, 0xad, 0x27, 0x52, + 0xf1, 0x78, 0x90, 0x52, 0xfc, 0x12, 0xd6, 0x31, 0xb1, 0x5f, 0x3b, 0x98, 0x4d, 0x92, 0x5b, 0x7a, + 0x8b, 0x92, 0xfc, 0x46, 0xcb, 0xd3, 0x92, 0x4a, 0xfa, 0x88, 0x0e, 0x73, 0x4a, 0x2e, 0xbf, 0x45, + 0xc9, 0x63, 0xb1, 0x20, 0x25, 0xb3, 0x03, 0x1d, 0x4c, 0x26, 0xa5, 0xa9, 0x2c, 0x22, 0xd2, 0xc6, + 0x24, 0x2f, 0xc9, 0x2e, 0x74, 0x22, 0xe4, 0x32, 0x42, 0xb3, 0x4e, 0x50, 0x5d, 0x44, 0x62, 0x45, + 0xe1, 0x27, 0x34, 0xcc, 0x3f, 0x83, 0xc6, 0x61, 0x3c, 0x44, 0x6c, 0x7c, 0x9a, 0x04, 0x83, 0x77, + 0x16, 0x7f, 0xcc, 0xff, 0x29, 0x42, 0x7d, 0x6f, 0x48, 0x49, 0x1c, 0xe6, 0x62, 0xb2, 0x3c, 0xa4, + 0x93, 0x31, 0x59, 0xa0, 0x88, 0x98, 0x2c, 0x91, 0x3f, 0x82, 0x86, 0x2f, 0x8e, 0xae, 0xc2, 0x97, + 0x71, 0xa8, 0x33, 0x75, 0xa8, 0xad, 0xba, 0x9f, 0x09, 0x66, 0x5b, 0x00, 0x21, 0xf6, 0x22, 0xb5, + 0x46, 0x86, 0xa3, 0xb6, 0x4a, 0xb7, 0x74, 0x88, 0xb6, 0x6a, 0x61, 0x12, 0xad, 0x3f, 0x80, 0xfa, + 0x29, 0x37, 0x92, 0x5a, 0x90, 0x0b, 0x46, 0xa9, 0xf5, 0x2c, 0x38, 0x4d, 0x0f, 0xe1, 0x21, 0x34, + 0x47, 0xd2, 0x64, 0x6a, 0x91, 0xf4, 0xa1, 0xbb, 0x4a, 0x93, 0x54, 0xdf, 0xad, 0xac, 0x65, 0xe5, + 0x06, 0x34, 0x46, 0x19, 0x50, 0x6f, 0x00, 0x9d, 0x29, 0x94, 0x19, 0x31, 0x68, 0x33, 0x1b, 0x83, + 0xea, 0x4f, 0x0c, 0xc9, 0x28, 0xbb, 0x32, 0x1b, 0x97, 0xfe, 0xae, 0x08, 0x8d, 0x6f, 0x10, 0x7b, + 0x4d, 0xe8, 0xb9, 0x94, 0xd7, 0x80, 0x72, 0xe0, 0xf8, 0x48, 0x51, 0x14, 0xdf, 0xc6, 0x2d, 0xa8, + 0xd2, 0x4b, 0x19, 0x40, 0xd4, 0x7e, 0x56, 0xe8, 0xa5, 0x08, 0x0c, 0xc6, 0xaf, 0x01, 0xe8, 0xa5, + 0x1d, 0x3a, 0xee, 0x39, 0x52, 0x16, 0x2c, 0x5b, 0x35, 0x7a, 0xd9, 0x97, 0x00, 0xee, 0x0a, 0xf4, + 0xd2, 0x46, 0x94, 0x12, 0x1a, 0xa9, 0x58, 0x55, 0xa5, 0x97, 0xfb, 0x62, 0xac, 0xd6, 0x7a, 0x94, + 0x84, 0x21, 0xf2, 0x44, 0x8c, 0x16, 0x6b, 0x5f, 0x48, 0x00, 0xe7, 0xca, 0x34, 0xd7, 0x65, 0xc9, + 0x95, 0xa5, 0x5c, 0x59, 0xca, 0xb5, 0x22, 0x57, 0xb2, 0x2c, 0x57, 0x96, 0x70, 0xad, 0x4a, 0xae, + 0x2c, 0xc3, 0x95, 0xa5, 0x5c, 0x6b, 0x7a, 0xad, 0xe2, 0x6a, 0xfe, 0x6d, 0x01, 0xd6, 0x27, 0x13, + 0x3f, 0x95, 0x9b, 0x7e, 0x04, 0x0d, 0x57, 0xec, 0x57, 0xce, 0x27, 0x3b, 0x53, 0x3b, 0x69, 0xd5, + 0xdd, 0x8c, 0x1b, 0x3f, 0x85, 0x66, 0x20, 0x0d, 0x9c, 0xb8, 0x66, 0x29, 0xdd, 0x97, 0xac, 0xed, + 0xad, 0x46, 0x90, 0x19, 0x99, 0x1e, 0x18, 0xdf, 0x51, 0xcc, 0xd0, 0x80, 0x51, 0xe4, 0xf8, 0xef, + 0x22, 0xbb, 0x37, 0xa0, 0x2c, 0xb2, 0x15, 0xbe, 0x4d, 0x0d, 0x4b, 0x7c, 0x9b, 0x0f, 0x60, 0x35, + 0xc7, 0x45, 0xe9, 0xba, 0x02, 0xa5, 0x31, 0x0a, 0x04, 0xf5, 0xa6, 0xc5, 0x3f, 0x4d, 0x07, 0x3a, + 0x16, 0x72, 0xbc, 0x77, 0x27, 0x8d, 0x62, 0x51, 0x4a, 0x59, 0x6c, 0x82, 0x91, 0x65, 0xa1, 0x44, + 0xd1, 0x52, 0x17, 0x32, 0x52, 0xbf, 0x84, 0xce, 0xde, 0x98, 0x44, 0x68, 0xc0, 0x3c, 0x1c, 0xbc, + 0x8b, 0x72, 0xe4, 0x2f, 0x61, 0xf5, 0x15, 0xbb, 0xfa, 0x8e, 0x13, 0x8b, 0xf0, 0x8f, 0xe8, 0x1d, + 0xe9, 0x47, 0xc9, 0x6b, 0xad, 0x1f, 0x25, 0xaf, 0x79, 0x71, 0xe3, 0x92, 0x71, 0xec, 0x07, 0xe2, + 0x28, 0x34, 0x2d, 0x35, 0x32, 0x77, 0xa1, 0x21, 0x73, 0xe8, 0x63, 0xe2, 0xc5, 0x63, 0x34, 0xf3, + 0x0c, 0x6e, 0x00, 0x84, 0x0e, 0x75, 0x7c, 0xc4, 0x10, 0x95, 0x3e, 0x54, 0xb3, 0x32, 0x10, 0xf3, + 0xef, 0x8b, 0xb0, 0x26, 0xfb, 0x0d, 0x03, 0x59, 0x66, 0x6b, 0x15, 0x7a, 0x50, 0x1d, 0x91, 0x88, + 0x65, 0x08, 0x26, 0x63, 0x2e, 0x22, 0xaf, 0xcf, 0x25, 0x35, 0xfe, 0x99, 0x6b, 0x02, 0x94, 0x16, + 0x37, 0x01, 0xa6, 0xca, 0xfc, 0xf2, 0x74, 0x99, 0xcf, 0x4f, 0x9b, 0x46, 0xc2, 0xf2, 0x8c, 0xd7, + 0xac, 0x9a, 0x82, 0x1c, 0x79, 0xc6, 0x7d, 0x68, 0x0f, 0xb9, 0x94, 0xf6, 0x88, 0x90, 0x73, 0x3b, + 0x74, 0xd8, 0x48, 0x1c, 0xf5, 0x9a, 0xd5, 0x14, 0xe0, 0x43, 0x42, 0xce, 0xfb, 0x0e, 0x1b, 0x19, + 0x9f, 0x42, 0x4b, 0xa5, 0x81, 0xbe, 0x30, 0x51, 0xa4, 0x2e, 0x3f, 0x75, 0x8a, 0xb2, 0xd6, 0xb3, + 0x9a, 0xe7, 0x99, 0x51, 0x64, 0xde, 0x84, 0x1b, 0x2f, 0x50, 0xc4, 0x28, 0xb9, 0xca, 0x1b, 0xc6, + 0x7c, 0x00, 0xf7, 0x64, 0x17, 0x61, 0xc0, 0x9c, 0x31, 0xfa, 0x16, 0x53, 0x86, 0xc9, 0x59, 0x34, + 0x18, 0x39, 0x14, 0x1d, 0x93, 0x38, 0x60, 0xba, 0xcc, 0x35, 0xff, 0x10, 0xe0, 0x28, 0x60, 0x88, + 0x9e, 0x39, 0x2e, 0x8a, 0x8c, 0xdf, 0x67, 0x47, 0x2a, 0x8b, 0x5a, 0xd9, 0x92, 0x7d, 0xa1, 0x64, + 0xc2, 0xca, 0xe0, 0x98, 0x5b, 0xb0, 0x6c, 0x91, 0x98, 0xc7, 0xad, 0xdf, 0xe9, 0x2f, 0xb5, 0xae, + 0xa1, 0xd6, 0x09, 0xa0, 0xa5, 0xe6, 0xcc, 0x43, 0x5d, 0xeb, 0xa6, 0xe4, 0xd4, 0x5e, 0x6e, 0x41, + 0x0d, 0x6b, 0x98, 0x0a, 0x3f, 0xd3, 0xac, 0x53, 0x14, 0xf3, 0x19, 0xac, 0x4a, 0x4a, 0x92, 0xb2, + 0x26, 0xf3, 0x3b, 0x58, 0xa6, 0x5a, 0x8c, 0x42, 0xda, 0x10, 0x52, 0x48, 0x6a, 0xce, 0x3c, 0x82, + 0xdb, 0x72, 0xf1, 0x7e, 0x38, 0x42, 0x3e, 0xa2, 0xce, 0x38, 0x67, 0x96, 0x9c, 0xab, 0x14, 0x16, + 0xba, 0x0a, 0xdf, 0x83, 0xaf, 0x71, 0xc4, 0x52, 0x9b, 0x68, 0xd3, 0xae, 0x42, 0x87, 0x4f, 0xe4, + 0xc4, 0x33, 0xbf, 0x80, 0xc6, 0x8e, 0xd5, 0xff, 0x06, 0xe1, 0xe1, 0xe8, 0x94, 0x47, 0xec, 0x8f, + 0xf3, 0x63, 0xc5, 0xcc, 0x50, 0x8a, 0x67, 0xa6, 0xac, 0x1c, 0x9e, 0xf9, 0x25, 0xac, 0xef, 0x78, + 0x5e, 0x16, 0xa4, 0x45, 0xff, 0x3d, 0xd4, 0x82, 0x0c, 0xb9, 0xcc, 0x3d, 0x99, 0xc3, 0x4e, 0x91, + 0xcc, 0xc7, 0x60, 0x1c, 0x20, 0x76, 0xd4, 0x7f, 0xe5, 0x9c, 0x8e, 0x53, 0x43, 0xde, 0x84, 0x0a, + 0x8e, 0x6c, 0x1c, 0x5e, 0x7c, 0x2c, 0xa8, 0x54, 0xad, 0x65, 0x1c, 0x1d, 0x85, 0x17, 0x1f, 0x9b, + 0x0f, 0x61, 0x35, 0x87, 0xbe, 0x20, 0x94, 0xed, 0x80, 0x31, 0xf8, 0xe5, 0x94, 0x13, 0x12, 0xc5, + 0x0c, 0x89, 0x87, 0xb0, 0x3a, 0xf8, 0x85, 0xdc, 0xfe, 0x1c, 0x56, 0x5f, 0x06, 0x63, 0x1c, 0xa0, + 0xbd, 0xfe, 0xc9, 0x31, 0x4a, 0xe2, 0xb8, 0x01, 0x65, 0x9e, 0xef, 0x2a, 0x5e, 0xe2, 0x9b, 0x8b, + 0x10, 0x9c, 0xda, 0x6e, 0x18, 0x47, 0xaa, 0x51, 0xb6, 0x1c, 0x9c, 0xee, 0x85, 0x71, 0xc4, 0x2f, + 0x66, 0x9e, 0x98, 0x91, 0x60, 0x7c, 0x25, 0xa2, 0x5b, 0xd5, 0xaa, 0xb8, 0x61, 0xfc, 0x32, 0x18, + 0x5f, 0x99, 0x7f, 0x20, 0xba, 0x17, 0x08, 0x79, 0x96, 0x13, 0x78, 0xc4, 0x7f, 0x81, 0x2e, 0x32, + 0x1c, 0xa6, 0xe4, 0xfe, 0xa9, 0x00, 0x8d, 0x9d, 0x21, 0x0a, 0xd8, 0x0b, 0xc4, 0x1c, 0x3c, 0x16, + 0xd5, 0xf0, 0x05, 0xa2, 0x11, 0x26, 0x81, 0x0a, 0x55, 0x7a, 0x68, 0xfc, 0x06, 0xea, 0x38, 0xc0, + 0xcc, 0xf6, 0x1c, 0xe4, 0x93, 0x40, 0x50, 0xa9, 0x5a, 0xc0, 0x41, 0x2f, 0x04, 0xc4, 0x78, 0x00, + 0x6d, 0xd9, 0xc8, 0xb4, 0x47, 0x4e, 0xe0, 0x8d, 0x79, 0x90, 0x2c, 0x89, 0xb0, 0xd6, 0x92, 0xe0, + 0x43, 0x05, 0x35, 0x1e, 0xc2, 0x8a, 0xf2, 0xcb, 0x14, 0xb3, 0x2c, 0x30, 0xdb, 0x0a, 0x9e, 0x43, + 0x8d, 0xc3, 0x90, 0x50, 0x16, 0xd9, 0x11, 0x72, 0x5d, 0xe2, 0x87, 0xaa, 0x94, 0x6c, 0x6b, 0xf8, + 0x40, 0x82, 0xcd, 0x21, 0xac, 0x1e, 0x70, 0x3d, 0x95, 0x26, 0xe9, 0x49, 0x6b, 0xf9, 0xc8, 0xb7, + 0x4f, 0xc7, 0xc4, 0x3d, 0xb7, 0xf9, 0xc5, 0xa2, 0x2c, 0xcc, 0x93, 0xd5, 0x5d, 0x0e, 0x1c, 0xe0, + 0x1f, 0x45, 0xd7, 0x84, 0x63, 0x8d, 0x08, 0x0b, 0xc7, 0xf1, 0xd0, 0x0e, 0x29, 0x39, 0x45, 0x4a, + 0xc5, 0xb6, 0x8f, 0xfc, 0x43, 0x09, 0xef, 0x73, 0xb0, 0xf9, 0xcf, 0x05, 0x58, 0xcb, 0x73, 0x52, + 0xbb, 0xbd, 0x0d, 0x6b, 0x79, 0x56, 0x2a, 0x75, 0x92, 0xa9, 0x79, 0x27, 0xcb, 0x50, 0x26, 0x51, + 0x4f, 0xa1, 0x29, 0xda, 0xde, 0xb6, 0x27, 0x29, 0xe5, 0x13, 0xc6, 0xec, 0xbe, 0x58, 0x0d, 0x27, + 0xbb, 0x4b, 0x9f, 0xc2, 0x2d, 0xa5, 0xbe, 0x3d, 0x2d, 0xb6, 0x74, 0x88, 0x75, 0x85, 0x70, 0x3c, + 0x21, 0xfd, 0xd7, 0xd0, 0x4d, 0x41, 0xbb, 0x57, 0x02, 0x98, 0x1e, 0xca, 0xd5, 0x09, 0x65, 0x77, + 0x3c, 0x8f, 0x8a, 0xd3, 0x5e, 0xb6, 0x66, 0x4d, 0x99, 0xcf, 0xe1, 0xe6, 0x00, 0x31, 0x69, 0x0d, + 0x87, 0xa9, 0x2a, 0x4e, 0x12, 0x5b, 0x81, 0xd2, 0x00, 0xb9, 0x42, 0xf9, 0x92, 0xc5, 0x3f, 0xb9, + 0x03, 0x9e, 0x44, 0xc8, 0x15, 0x5a, 0x96, 0x2c, 0xf1, 0x6d, 0x86, 0x50, 0xf9, 0x62, 0x70, 0xc0, + 0x73, 0x35, 0xee, 0xd4, 0x32, 0xb7, 0x53, 0xf7, 0x78, 0xd3, 0xaa, 0x88, 0xf1, 0x91, 0x67, 0x7c, + 0x09, 0xab, 0x72, 0xca, 0x1d, 0x39, 0xc1, 0x10, 0xd9, 0x21, 0x19, 0x63, 0x57, 0xba, 0x7e, 0xeb, + 0x49, 0x4f, 0x85, 0x21, 0x45, 0x67, 0x4f, 0xa0, 0xf4, 0x05, 0x86, 0xd5, 0x19, 0x4e, 0x82, 0xcc, + 0xff, 0x2c, 0x40, 0x45, 0xc5, 0x47, 0x9e, 0x0e, 0x78, 0x14, 0x5f, 0x20, 0xaa, 0x9c, 0x5d, 0x8d, + 0x8c, 0x7b, 0xd0, 0x92, 0x5f, 0x36, 0x09, 0x19, 0x26, 0xc9, 0x05, 0xdd, 0x94, 0xd0, 0x97, 0x12, + 0x28, 0x5a, 0xa5, 0xa2, 0x59, 0xa9, 0xfa, 0x02, 0x6a, 0xc4, 0xe1, 0x67, 0x11, 0x17, 0x4a, 0x5c, + 0xc8, 0x35, 0x4b, 0x8d, 0xf8, 0xe1, 0xd2, 0xf4, 0x96, 0x04, 0x3d, 0x3d, 0xe4, 0x87, 0xcb, 0xe7, + 0xa1, 0xdd, 0x0e, 0x09, 0x0e, 0x98, 0xba, 0x81, 0x41, 0x80, 0xfa, 0x1c, 0x62, 0x6c, 0x42, 0xf5, + 0x2c, 0xb2, 0x85, 0x36, 0x22, 0xdb, 0x4e, 0x42, 0xbd, 0xd2, 0xda, 0xaa, 0x9c, 0x45, 0xe2, 0xc3, + 0xfc, 0x9b, 0x02, 0x2c, 0xcb, 0x87, 0x05, 0xa3, 0x05, 0xc5, 0x24, 0x63, 0x2a, 0x62, 0x91, 0x7d, + 0x0a, 0xa9, 0x64, 0x96, 0x24, 0xbe, 0x79, 0x8c, 0xb9, 0xf0, 0xe5, 0xbd, 0xaf, 0x94, 0xb8, 0xf0, + 0xc5, 0x85, 0x7f, 0x0f, 0x5a, 0x69, 0xe2, 0x25, 0xe6, 0xa5, 0x32, 0xcd, 0x04, 0x2a, 0xd0, 0xe6, + 0xea, 0x64, 0xfe, 0x09, 0x40, 0xda, 0x60, 0xe7, 0xee, 0x10, 0x27, 0xc2, 0xf0, 0x4f, 0x0e, 0x19, + 0x26, 0x29, 0x1b, 0xff, 0x34, 0xee, 0x43, 0xcb, 0xf1, 0x3c, 0xcc, 0x97, 0x3b, 0xe3, 0x03, 0xec, + 0x25, 0x01, 0x24, 0x0f, 0x35, 0xff, 0xad, 0x00, 0xed, 0x3d, 0x12, 0x5e, 0x7d, 0x81, 0xc7, 0x28, + 0x13, 0xdd, 0x84, 0x90, 0x2a, 0x63, 0xe3, 0xdf, 0xbc, 0x0a, 0x39, 0xc3, 0x63, 0x24, 0x8f, 0xbd, + 0xf4, 0xba, 0x2a, 0x07, 0x88, 0x23, 0xaf, 0x27, 0x93, 0x76, 0x6a, 0x53, 0x4e, 0x1e, 0x13, 0x4f, + 0xd4, 0x5b, 0x1e, 0xa6, 0x76, 0xd2, 0x3c, 0x6d, 0x5a, 0x15, 0x0f, 0x53, 0x31, 0xa5, 0x14, 0x59, + 0x12, 0xcd, 0xf1, 0xac, 0x22, 0xcb, 0x12, 0xc2, 0x15, 0x59, 0x87, 0x65, 0x72, 0x76, 0x16, 0x21, + 0x26, 0xf6, 0xaa, 0x64, 0xa9, 0x51, 0x12, 0x82, 0xab, 0x99, 0x10, 0xbc, 0x26, 0xee, 0xb5, 0x97, + 0x2f, 0x8f, 0xf7, 0x2f, 0x50, 0xc0, 0xf4, 0x0d, 0xfc, 0x18, 0xaa, 0x1a, 0xf4, 0x4b, 0xda, 0xce, + 0x8f, 0xa0, 0xb5, 0xe3, 0x79, 0x83, 0xd7, 0x4e, 0xa8, 0xed, 0xd1, 0x85, 0x4a, 0x7f, 0xef, 0xa8, + 0x2f, 0x4d, 0x52, 0xe2, 0x0a, 0xa8, 0x21, 0xbf, 0xf1, 0x0f, 0x10, 0x3b, 0x46, 0x8c, 0x62, 0x37, + 0xb9, 0xf1, 0xef, 0x42, 0x45, 0x41, 0xf8, 0x4a, 0x5f, 0x7e, 0xea, 0x2b, 0x40, 0x0d, 0xcd, 0x3f, + 0x02, 0xe3, 0x5b, 0x9e, 0x2f, 0x23, 0x59, 0x2c, 0x29, 0x4e, 0x8f, 0xa0, 0x73, 0x21, 0xa0, 0xb6, + 0x4c, 0x24, 0x33, 0xdb, 0xd0, 0x96, 0x13, 0x22, 0x3e, 0x08, 0xde, 0x27, 0xb0, 0x2a, 0xd3, 0x7b, + 0x49, 0xe7, 0x1a, 0x24, 0xb8, 0x0d, 0x93, 0xfd, 0x2c, 0x5b, 0xe2, 0xdb, 0x7c, 0x04, 0x2b, 0x03, + 0xc4, 0xd4, 0x99, 0x57, 0x34, 0xd7, 0x61, 0x59, 0x85, 0x09, 0x75, 0xb6, 0xe5, 0xe8, 0xc9, 0xbf, + 0xac, 0xa9, 0x2b, 0x4f, 0x75, 0x9e, 0x8c, 0x03, 0x68, 0x4f, 0x3c, 0x13, 0x1a, 0xaa, 0x15, 0x39, + 0xfb, 0xf5, 0xb0, 0xb7, 0xbe, 0x25, 0x9f, 0x1d, 0xb7, 0xf4, 0xb3, 0xe3, 0xd6, 0xbe, 0x1f, 0xb2, + 0x2b, 0x63, 0x1f, 0x5a, 0xf9, 0x07, 0x35, 0xe3, 0x3d, 0x9d, 0x8e, 0xcd, 0x78, 0x66, 0x9b, 0x4b, + 0xe6, 0x00, 0xda, 0x13, 0x6f, 0x6b, 0x5a, 0x9e, 0xd9, 0x4f, 0x6e, 0x73, 0x09, 0x3d, 0x87, 0x7a, + 0xe6, 0x31, 0xcd, 0xe8, 0x4a, 0x22, 0xd3, 0xef, 0x6b, 0x73, 0x09, 0xec, 0x41, 0x33, 0xf7, 0xbe, + 0x65, 0xf4, 0x94, 0x3e, 0x33, 0x1e, 0xbd, 0xe6, 0x12, 0xd9, 0x85, 0x7a, 0xe6, 0x99, 0x49, 0x4b, + 0x31, 0xfd, 0x96, 0xd5, 0xbb, 0x35, 0x63, 0x46, 0xdd, 0xac, 0x07, 0xd0, 0x9e, 0x78, 0x7b, 0xd2, + 0x26, 0x99, 0xfd, 0x24, 0x35, 0x57, 0x98, 0x01, 0xdc, 0x98, 0x99, 0x51, 0x1b, 0x66, 0x96, 0xdc, + 0xec, 0x74, 0x7b, 0x2e, 0xd1, 0xaf, 0xc4, 0xbe, 0x67, 0xfa, 0x15, 0x99, 0x7d, 0x9f, 0x7e, 0xbe, + 0xea, 0xdd, 0x9e, 0x3d, 0xa9, 0x54, 0xdd, 0x87, 0x56, 0xfe, 0xe5, 0x4a, 0x13, 0x9b, 0xf9, 0x9e, + 0xb5, 0xd8, 0x89, 0x72, 0x8f, 0x58, 0xa9, 0x13, 0xcd, 0x7a, 0xdb, 0x9a, 0x4b, 0x08, 0xc1, 0xc6, + 0xe2, 0x1a, 0xcd, 0x78, 0x3f, 0xeb, 0x9c, 0x6f, 0xa9, 0xe4, 0xe6, 0xb2, 0xd9, 0x01, 0x50, 0x4d, + 0x10, 0x0f, 0x07, 0x89, 0x93, 0x4c, 0x35, 0x5f, 0x12, 0x27, 0x99, 0xd1, 0x30, 0x79, 0x0e, 0x20, + 0x7b, 0x17, 0x1e, 0x89, 0x99, 0x71, 0x53, 0x4b, 0x35, 0xd1, 0x30, 0xe9, 0x75, 0xa7, 0x27, 0xa6, + 0x08, 0x20, 0x4a, 0xaf, 0x43, 0xe0, 0x73, 0x80, 0xb4, 0x27, 0xa2, 0x09, 0x4c, 0x75, 0x49, 0x16, + 0xd8, 0xa0, 0x91, 0xed, 0x80, 0x18, 0x4a, 0xd7, 0x19, 0x5d, 0x91, 0x05, 0x24, 0xda, 0x13, 0x85, + 0x6b, 0xfe, 0xa0, 0x4c, 0xd6, 0xb3, 0xbd, 0xa9, 0xe2, 0xd5, 0x78, 0x0a, 0x8d, 0x6c, 0xc5, 0xaa, + 0xa5, 0x98, 0x51, 0xc5, 0xf6, 0x72, 0x55, 0xab, 0xf1, 0x1c, 0x5a, 0xf9, 0x12, 0x53, 0x7b, 0xee, + 0xcc, 0xc2, 0xb3, 0xa7, 0x9a, 0xb6, 0x19, 0xf4, 0x0f, 0x01, 0xd2, 0x52, 0x54, 0x9b, 0x6f, 0xaa, + 0x38, 0x9d, 0xe0, 0x7a, 0x00, 0xed, 0x89, 0x12, 0x53, 0x6b, 0x3c, 0xbb, 0xf2, 0x5c, 0x14, 0xa7, + 0x32, 0x05, 0xa3, 0x76, 0xc1, 0xe9, 0x92, 0x53, 0xbb, 0xe0, 0xac, 0xea, 0x72, 0x17, 0xea, 0x83, + 0x69, 0x1a, 0x83, 0xb9, 0x34, 0x66, 0xd5, 0x8c, 0x1f, 0x01, 0xa4, 0xd7, 0xb3, 0xb6, 0xc2, 0xd4, + 0x85, 0xdd, 0x6b, 0xea, 0xc6, 0xba, 0xc4, 0xdb, 0x83, 0x66, 0xae, 0xf7, 0xa4, 0x43, 0xf5, 0xac, + 0x86, 0xd4, 0xa2, 0x0b, 0x2c, 0xdf, 0xa8, 0xd1, 0x3b, 0x38, 0xb3, 0x7d, 0xb3, 0xc8, 0x8f, 0xb3, + 0x15, 0xae, 0xf6, 0xa0, 0x19, 0x55, 0xef, 0x5b, 0xc2, 0x57, 0xb6, 0x8a, 0xcd, 0x84, 0xaf, 0x19, + 0xc5, 0xed, 0x5c, 0x42, 0x87, 0xd0, 0x3e, 0xd0, 0x05, 0x8a, 0x2a, 0x9e, 0xf4, 0xfe, 0x4d, 0x17, + 0x8b, 0xbd, 0xde, 0xac, 0x29, 0xb5, 0x2f, 0x5f, 0x41, 0x67, 0xaa, 0x70, 0x32, 0x36, 0x92, 0xe7, + 0x8d, 0x99, 0x15, 0xd5, 0x5c, 0xb1, 0x8e, 0x44, 0xc2, 0x92, 0xab, 0x9b, 0x8c, 0x5f, 0x27, 0x3e, + 0x31, 0xab, 0x9e, 0x9a, 0x4b, 0xea, 0x53, 0xa8, 0xea, 0x5c, 0xd8, 0x50, 0xcf, 0x48, 0x13, 0xb9, + 0xf1, 0xdc, 0xa5, 0x4f, 0x85, 0xcb, 0x27, 0x79, 0x66, 0xea, 0xf2, 0x13, 0xd9, 0x68, 0x4f, 0xbd, + 0xfa, 0x24, 0x98, 0x4f, 0xa1, 0xa2, 0xd2, 0x4d, 0x63, 0x2d, 0x39, 0x6c, 0x99, 0xec, 0x73, 0x91, + 0x87, 0x1d, 0x20, 0x96, 0x49, 0x22, 0x35, 0xd3, 0xe9, 0xbc, 0x52, 0x9f, 0x91, 0xdc, 0x8c, 0xda, + 0x8b, 0x1d, 0x68, 0x64, 0xd3, 0x48, 0xbd, 0xa5, 0x33, 0x52, 0xcb, 0xb9, 0x92, 0x3c, 0x83, 0x5a, + 0x92, 0x32, 0x1a, 0xeb, 0x89, 0xe9, 0x73, 0x39, 0xe4, 0xbc, 0xc5, 0xbb, 0x97, 0x3f, 0xfd, 0xbc, + 0xf1, 0xab, 0xff, 0xf8, 0x79, 0xe3, 0x57, 0x7f, 0xfd, 0x66, 0xa3, 0xf0, 0xd3, 0x9b, 0x8d, 0xc2, + 0xbf, 0xbf, 0xd9, 0x28, 0xfc, 0xf7, 0x9b, 0x8d, 0xc2, 0x9f, 0xfe, 0xc5, 0xff, 0xf1, 0xcf, 0x70, + 0x34, 0x0e, 0x18, 0xf6, 0xd1, 0xf6, 0x05, 0xa6, 0x2c, 0x33, 0x15, 0x9e, 0x0f, 0xe5, 0x3f, 0xe2, + 0x32, 0x7f, 0x94, 0xe3, 0x22, 0x9e, 0x2e, 0x8b, 0xf1, 0x87, 0xff, 0x1b, 0x00, 0x00, 0xff, 0xff, + 0xaf, 0xec, 0xb5, 0x21, 0x75, 0x27, 0x00, 0x00, } func (m *CreateContainerRequest) Marshal() (dAtA []byte, err error) { @@ -6179,6 +6224,40 @@ func (m *ResizeVolumeRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { return len(dAtA) - i, nil } +func (m *SetPolicyRequest) Marshal() (dAtA []byte, err error) { + size := m.Size() + dAtA = make([]byte, size) + n, err := m.MarshalToSizedBuffer(dAtA[:size]) + if err != nil { + return nil, err + } + return dAtA[:n], nil +} + +func (m *SetPolicyRequest) MarshalTo(dAtA []byte) (int, error) { + size := m.Size() + return m.MarshalToSizedBuffer(dAtA[:size]) +} + +func (m *SetPolicyRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) { + i := len(dAtA) + _ = i + var l int + _ = l + if m.XXX_unrecognized != nil { + i -= len(m.XXX_unrecognized) + copy(dAtA[i:], m.XXX_unrecognized) + } + if len(m.Policy) > 0 { + i -= len(m.Policy) + copy(dAtA[i:], m.Policy) + i = encodeVarintAgent(dAtA, i, uint64(len(m.Policy))) + i-- + dAtA[i] = 0xa + } + return len(dAtA) - i, nil +} + func encodeVarintAgent(dAtA []byte, offset int, v uint64) int { offset -= sovAgent(v) base := offset @@ -7623,6 +7702,22 @@ func (m *ResizeVolumeRequest) Size() (n int) { return n } +func (m *SetPolicyRequest) Size() (n int) { + if m == nil { + return 0 + } + var l int + _ = l + l = len(m.Policy) + if l > 0 { + n += 1 + l + sovAgent(uint64(l)) + } + if m.XXX_unrecognized != nil { + n += len(m.XXX_unrecognized) + } + return n +} + func sovAgent(x uint64) (n int) { return (math_bits.Len64(x|1) + 6) / 7 } @@ -8544,6 +8639,17 @@ func (this *ResizeVolumeRequest) String() string { }, "") return s } +func (this *SetPolicyRequest) String() string { + if this == nil { + return "nil" + } + s := strings.Join([]string{`&SetPolicyRequest{`, + `Policy:` + fmt.Sprintf("%v", this.Policy) + `,`, + `XXX_unrecognized:` + fmt.Sprintf("%v", this.XXX_unrecognized) + `,`, + `}`, + }, "") + return s +} func valueToStringAgent(v interface{}) string { rv := reflect.ValueOf(v) if rv.IsNil() { @@ -8591,6 +8697,7 @@ type AgentServiceService interface { AddSwap(ctx context.Context, req *AddSwapRequest) (*types.Empty, error) GetVolumeStats(ctx context.Context, req *VolumeStatsRequest) (*VolumeStatsResponse, error) ResizeVolume(ctx context.Context, req *ResizeVolumeRequest) (*types.Empty, error) + SetPolicy(ctx context.Context, req *SetPolicyRequest) (*types.Empty, error) } func RegisterAgentServiceService(srv *github_com_containerd_ttrpc.Server, svc AgentServiceService) { @@ -8854,6 +8961,13 @@ func RegisterAgentServiceService(srv *github_com_containerd_ttrpc.Server, svc Ag } return svc.ResizeVolume(ctx, &req) }, + "SetPolicy": func(ctx context.Context, unmarshal func(interface{}) error) (interface{}, error) { + var req SetPolicyRequest + if err := unmarshal(&req); err != nil { + return nil, err + } + return svc.SetPolicy(ctx, &req) + }, }) } @@ -9162,6 +9276,14 @@ func (c *agentServiceClient) ResizeVolume(ctx context.Context, req *ResizeVolume } return &resp, nil } + +func (c *agentServiceClient) SetPolicy(ctx context.Context, req *SetPolicyRequest) (*types.Empty, error) { + var resp types.Empty + if err := c.client.Call(ctx, "grpc.AgentService", "SetPolicy", req, &resp); err != nil { + return nil, err + } + return &resp, nil +} func (m *CreateContainerRequest) Unmarshal(dAtA []byte) error { l := len(dAtA) iNdEx := 0 @@ -17280,6 +17402,89 @@ func (m *ResizeVolumeRequest) Unmarshal(dAtA []byte) error { } return nil } +func (m *SetPolicyRequest) Unmarshal(dAtA []byte) error { + l := len(dAtA) + iNdEx := 0 + for iNdEx < l { + preIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowAgent + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + wireType := int(wire & 0x7) + if wireType == 4 { + return fmt.Errorf("proto: SetPolicyRequest: wiretype end group for non-group") + } + if fieldNum <= 0 { + return fmt.Errorf("proto: SetPolicyRequest: illegal tag %d (wire type %d)", fieldNum, wire) + } + switch fieldNum { + case 1: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Policy", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowAgent + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLengthAgent + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLengthAgent + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.Policy = string(dAtA[iNdEx:postIndex]) + iNdEx = postIndex + default: + iNdEx = preIndex + skippy, err := skipAgent(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthAgent + } + if (iNdEx + skippy) > l { + return io.ErrUnexpectedEOF + } + m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) + iNdEx += skippy + } + } + + if iNdEx > l { + return io.ErrUnexpectedEOF + } + return nil +} func skipAgent(dAtA []byte) (n int, err error) { l := len(dAtA) iNdEx := 0 diff --git a/src/runtime/virtcontainers/pkg/annotations/annotations.go b/src/runtime/virtcontainers/pkg/annotations/annotations.go index d51447d73e..03498fef75 100644 --- a/src/runtime/virtcontainers/pkg/annotations/annotations.go +++ b/src/runtime/virtcontainers/pkg/annotations/annotations.go @@ -297,6 +297,9 @@ const ( AgentContainerPipeSize = kataAnnotAgentPrefix + ContainerPipeSizeOption ContainerPipeSizeOption = "container_pipe_size" ContainerPipeSizeKernelParam = "agent." + ContainerPipeSizeOption + + // Policy is an annotation containing the contents of an agent policy file, base64 encoded. + Policy = kataAnnotAgentPrefix + "policy" ) // Container resource related annotations diff --git a/src/runtime/virtcontainers/pkg/mock/mock.go b/src/runtime/virtcontainers/pkg/mock/mock.go index 562d4a7e36..193574bfad 100644 --- a/src/runtime/virtcontainers/pkg/mock/mock.go +++ b/src/runtime/virtcontainers/pkg/mock/mock.go @@ -256,3 +256,7 @@ func (p *HybridVSockTTRPCMockImp) GetIPTables(ctx context.Context, req *pb.GetIP func (p *HybridVSockTTRPCMockImp) SetIPTables(ctx context.Context, req *pb.SetIPTablesRequest) (*pb.SetIPTablesResponse, error) { return &pb.SetIPTablesResponse{}, nil } + +func (p *HybridVSockTTRPCMockImp) SetPolicy(ctx context.Context, req *pb.SetPolicyRequest) (*gpb.Empty, error) { + return &gpb.Empty{}, nil +} diff --git a/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh index 694124acd6..aeea90278a 100644 --- a/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh +++ b/tools/osbuilder/rootfs-builder/cbl-mariner/config.sh @@ -8,3 +8,4 @@ LIBC="gnu" PACKAGES="core-packages-base-image ca-certificates" [ "$AGENT_INIT" = no ] && PACKAGES+=" systemd" [ "$SECCOMP" = yes ] && PACKAGES+=" libseccomp" +[ "$AGENT_POLICY" = yes ] && PACKAGES+=" opa" || true diff --git a/tools/osbuilder/rootfs-builder/rootfs.sh b/tools/osbuilder/rootfs-builder/rootfs.sh index 89efd388b5..7bdeaaf381 100755 --- a/tools/osbuilder/rootfs-builder/rootfs.sh +++ b/tools/osbuilder/rootfs-builder/rootfs.sh @@ -27,6 +27,7 @@ LIBC=${LIBC:-musl} # However, it is not enforced by default: you need to enable that in the main configuration file. SECCOMP=${SECCOMP:-"yes"} SELINUX=${SELINUX:-"no"} +AGENT_POLICY=${AGENT_POLICY:-no} lib_file="${script_dir}/../scripts/lib.sh" source "$lib_file" @@ -315,6 +316,9 @@ check_env_variables() [ "$AGENT_INIT" == "yes" -o "$AGENT_INIT" == "no" ] || die "AGENT_INIT($AGENT_INIT) is invalid (must be yes or no)" + [ "$AGENT_POLICY" == "yes" -o "$AGENT_POLICY" == "no" ] || die "AGENT_POLICY($AGENT_POLICY) is invalid (must be yes or no)" + [ "$AGENT_POLICY" == "no" -o "$AGENT_INIT" == "no" ] || die "AGENT_POLICY($AGENT_POLICY) and AGENT_INIT($AGENT_INIT) is an invalid combination (at least one must be no)" + [ -n "${KERNEL_MODULES_DIR}" ] && [ ! -d "${KERNEL_MODULES_DIR}" ] && die "KERNEL_MODULES_DIR defined but is not an existing directory" [ -n "${OSBUILDER_VERSION}" ] || die "need osbuilder version" @@ -456,6 +460,7 @@ build_rootfs_distro() --env SELINUX="${SELINUX}" \ --env DEBUG="${DEBUG}" \ --env HOME="/root" \ + --env AGENT_POLICY="${AGENT_POLICY}" \ -v "${repo_dir}":"/kata-containers" \ -v "${ROOTFS_DIR}":"/rootfs" \ -v "${script_dir}/../scripts":"/scripts" \ @@ -614,7 +619,7 @@ EOF git checkout "${AGENT_VERSION}" && OK "git checkout successful" || die "checkout agent ${AGENT_VERSION} failed!" fi make clean - make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} + make LIBC=${LIBC} INIT=${AGENT_INIT} SECCOMP=${SECCOMP} AGENT_POLICY=${AGENT_POLICY} make install DESTDIR="${ROOTFS_DIR}" LIBC=${LIBC} INIT=${AGENT_INIT} if [ "${SECCOMP}" == "yes" ]; then rm -rf "${libseccomp_install_dir}" "${gperf_install_dir}" @@ -640,6 +645,55 @@ EOF chmod g+rx,o+x "${ROOTFS_DIR}" fi + if [ "${AGENT_POLICY}" == "yes" ]; then + # Setup systemd-based environment for kata-opa. + local opa_bin_dir="$(get_opa_bin_dir "${ROOTFS_DIR}")" + if [ -z "${opa_bin_dir}" ]; then + # OPA was not installed already, so download it here. + # + # TODO: if an OPA package is not available for the Guest image distro, + # Kata should cache the OPA source code, toolchain information, etc. + # OPA should be built from the cached source code instead of downloading + # this binary. + # + opa_bin_url="$(get_package_version_from_kata_yaml externals.open-policy-agent.meta.binary)" + info "Downloading OPA binary from ${opa_bin_url}" + curl --fail -L "${opa_bin_url}" -o opa || die "Failed to download OPA" + + # Install the OPA binary. + opa_bin_dir="/usr/local/bin" + local opa_bin="${ROOTFS_DIR}${opa_bin_dir}/opa" + info "Installing OPA binary to ${opa_bin}" + install -D -o root -g root -m 0755 opa -T "${opa_bin}" + else + info "OPA binary already exists in ${opa_bin_dir}" + fi + + # Install default settings for the kata-opa service. + local kata_opa_in_dir="${script_dir}/../../../src/kata-opa" + local opa_settings_dir="/etc/kata-opa" + local policy_file="allow-all.rego" + local policy_dir="${ROOTFS_DIR}/${opa_settings_dir}" + mkdir -p "${policy_dir}" + install -D -o root -g root -m 0644 "${kata_opa_in_dir}/${policy_file}" -T "${policy_dir}/${policy_file}" + ln -sf "${policy_file}" "${policy_dir}/default-policy.rego" + + # Install the unit file for the kata-opa service. + local kata_opa_unit="kata-opa.service" + local kata_opa_unit_path="${ROOTFS_DIR}/usr/lib/systemd/system/${kata_opa_unit}" + local kata_containers_wants="${ROOTFS_DIR}/etc/systemd/system/kata-containers.target.wants" + + opa_settings_dir="${opa_settings_dir//\//\\/}" + sed -e "s/@SETTINGSDIR@/${opa_settings_dir}/g" "${kata_opa_in_dir}/${kata_opa_unit}.in" > "${kata_opa_unit}" + + opa_bin_dir="${opa_bin_dir//\//\\/}" + sed -i -e "s/@BINDIR@/${opa_bin_dir}/g" "${kata_opa_unit}" + + install -D -o root -g root -m 0644 "${kata_opa_unit}" -T "${kata_opa_unit_path}" + mkdir -p "${kata_containers_wants}" + ln -sf "${kata_opa_unit_path}" "${kata_containers_wants}/${kata_opa_unit}" + fi + info "Check init is installed" [ -x "${init}" ] || [ -L "${init}" ] || die "/sbin/init is not installed in ${ROOTFS_DIR}" OK "init is installed" @@ -657,6 +711,24 @@ EOF create_summary_file "${ROOTFS_DIR}" } +get_opa_bin_dir() +{ + local rootfs_dir="$1" + local -a bin_dirs=( + "/bin" + "/usr/bin" + "/usr/local/bin" + ) + for bin_dir in "${bin_dirs[@]}" + do + local opa_bin="${rootfs_dir}${bin_dir}/opa" + if [ -f "${opa_bin}" ]; then + echo "${bin_dir}" + return 0 + fi + done +} + parse_arguments() { [ "$#" -eq 0 ] && usage && return 0 diff --git a/versions.yaml b/versions.yaml index f316be8659..35535d64dc 100644 --- a/versions.yaml +++ b/versions.yaml @@ -284,6 +284,22 @@ externals: url: "https://github.com/containerd/nydus-snapshotter" version: "v0.3.3" + open-policy-agent: + description: "Open Policy Agent" + url: "https://github.com/open-policy-agent/opa" + version: "v0.55.0" + meta: + # - If an OPA package is available for the Guest image distro, that + # package is used instead of the binary below. + # + # - TODO: if an OPA package is not available for the Guest image distro, + # Kata should cache the OPA source code, toolchain information, etc. + # OPA should be built from the cached source code instead of downloading + # this binary. + # + # yamllint disable-line rule:line-length + binary: "https://github.com/open-policy-agent/opa/releases/download/v0.55.0/opa_linux_amd64_static" + ovmf: description: "Firmware, implementation of UEFI for virtual machines." url: "https://github.com/tianocore/edk2"