Fix CVE-2022-32149, just need recompile

Signed-off-by: Alexandre Peixoto Ferreira <alexandref75@gmail.com>

.github/workflows/smarter-org-docker-buildx.yml

@@ -0,0 +1,21 @@
+name: Docker Image BuildX CI and Publish
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+  schedule:
+    - cron: "19 16 * * *"
+  push:
+    branches: ["main"]
+    # Publish semver tags as releases.
+    tags: ["v*.*.*"]
+  pull_request:
+    branches: ["main"]
+  workflow_dispatch:
+
+jobs:
+  build:
+    uses: smarter-project/reusable-workflows/.github/workflows/smarter-org-docker-buildx.yml@main

.github/workflows/smarter-org-helm.yml

@@ -0,0 +1,14 @@
+# release.yaml
+name: Release Charts
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    uses: smarter-project/reusable-workflows/.github/workflows/smarter-org-helm.yml@main
+    secrets:
+      GPG_KEYRING_BASE64: ${{ secrets.GPG_KEYRING_BASE64 }}
+      GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

.gitlab-ci.yml

@@ -1,6 +0,0 @@
-include:
-  - project: 'ericvh/gitlab-ci-arm-template'
-    file: '/.gitlab-ci.yml'
-
-variables:
-  CI_BUILDX_ARCHS: "linux/amd64,linux/arm64,linux/arm"

Dockerfile

@@ -10,15 +10,13 @@ COPY . .
 
 RUN echo $PATH;export CGO_LDFLAGS_ALLOW='-Wl,--unresolved-symbols=ignore-in-object-files' && \
     go mod init arm.com/smarter-device-management && go mod tidy && go mod vendor && \
-    go build -ldflags="-s -w" .
+    CGO_ENABLED=0 go build -ldflags='-s -w -extldflags="-static"' .
 
-FROM alpine
-
-RUN apk update && apk upgrade
+FROM scratch
 
 WORKDIR /root
 
 COPY conf.yaml /root/config/conf.yaml
 COPY --from=build /arm.com/smarter-device-management/smarter-device-management /usr/bin/smarter-device-management
 
-CMD ["smarter-device-management","-logtostderr=true","-v=0"]
+CMD ["/usr/bin/smarter-device-management","-logtostderr=true","-v=0"]

README.md

@@ -154,3 +154,10 @@ kubectl describe node pike5
 ## k3s 
 
 K3s < 1.18 stores the plugin interface in a different directory than k8s and so it needs a different yaml file to enable smarter-device-manager to communicate correctly with k3s agent. So use the smart-device-manager-k3s yaml files on this reposistor for k3s < 1.18.
+
+## Using helm
+
+A helm chart that install smarter-device-manager configured for SMARTER is available at chart directory
+```
+helm install smarter-device-manager chart
+```

charts/smarter-device-manager/.helmignore

@@ -0,0 +1,26 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# OWNERS file for Kubernetes
+OWNERS
+# helm-docs templates
+*.gotmpl

charts/smarter-device-manager/Chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: v2
+name: smarter-device-manager
+description: smarter-device-manager chart for SMARTER edge devices
+home: https://getsmarter.io
+version: 0.0.9
+appVersion: v1.20.12
+kubeVersion: ">=1.16.0-0"
+keywords:
+  - kubernetes
+  - device
+  - hardware
+sources:
+  - https://github.com/smarter-project/smarter-device-manager
+icon: https://github.com/smarter-project/documentation/raw/main/ARM1636_Project_Logo_ST2_RGB_V1.png
+annotations:
+  artifacthub.io/changes: |
+    - Fix template
+    - Add annotations
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/maintainers: |
+    - name: Alexandre Ferreira
+      email: alexandref75@gmail.com
+  artifacthub.io/prerelease: "false"
+  artifacthub.io/signKey: |
+    fingerprint: 71EDA4E3D652DC73EB09E3A5387D298C169CF24E
+    url: https://smarter-project.github.io/documentation/pgp_keys.asc

charts/smarter-device-manager/README.md

@@ -0,0 +1,57 @@
+# SMARTER Device Manager
+
+Enables k8s containers to access devices (linux device drivers) available on nodes.
+
+For more information check out https://getsmarter.io
+
+## TL;DR
+
+Assumes that this repository was cloned.
+
+```console
+helm install --nsmespace=smarter --create-namespace my-smarter-device-manager charts/smarter-device-manager
+```
+
+## Overview
+
+In the IoT world, interaction with the external environment is the reason of existence.
+This interaction is done by acquiring data about the environment and, possibly, actuating to achieve the desired objective, with complexity ranging from a simple thermostat to a very complex industrial process control (e.g. chemical plant). In more practical terms, the main CPU interacts directly with those sensors and actuators and the OS (Linux in our case) provides an abstract view in the form of device drivers.
+Even though the container runtime allows direct access to device drivers, containers running on Kubernetes in the cloud are not expected to do so since hardware independence is a very useful characteristic to enhance mobility.
+Kubernetes primarily manages CPU, memory, storage, and network, while leaving other resources unmanaged.
+In IoT environments, applications can have direct access to sensors and actuators, either directly by interfacing with a device driver on the kernel (e.g. digital I/O pins, temperature sensors, analog inputs, microphones, audio output, video cameras) or indirectly through hardware interfaces (like serial ports, I2C, SPI, bluetooth, LoRa, USB and others).
+Controlled access to these devices is essential to enable a container-based IoT solution. Smarter-device-manager allows containers to have direct access to host devices in a secure way.
+
+## Values
+
+The configuration.nodeSelector value allows the nodeSelector to be changed in a higher level chart simplyfyng deploying multiple services at the same time; CNI, DNS and device-manager with a single label for example.
+
+## Pre-requisites
+
+- k8s > 1.18 (before this the plugin interface used a different directory which requires a different configuration)
+- by default, smarter-device manager uses a node-select to choose which nodes to deploy to, so label your nodes appropriately in order to deploy:
+```
+kubectl label node mynode01 smarter-device-manager=enabled
+```
+
+## Usage Model
+
+The smarter-device-manager starts by reading a YAML configuration file. This configuration file describes, using regular expressions, the files that identify each device that is to be exported and how many access can be done simultaneously. For example, the configuration below finds every V4L device (cameras, video tuners, etc...) available on the host node (/dev/video0, /dev/video1, etc), and adds them as resources (smarter-devices/video0, smarter-devices/video1, etc) that allow up to 10 simulatenous accesses (up to 10 containers can request access to those devices simultaneously). 
+```
+- devicematch: ^video[0-9]*$
+  nummaxdevices: 10
+```
+
+If the config value is provided a configMap is generated and smarter-device-manager will use it. The values.yaml file contains two examples, the first is replicated the config that exists on the container and the second enables nitro-enclaves (AWS nitro).
+
+Devices in subdirectories have the slash replaced with underscore in the
+resource name, due to kubernetes naming restrictions: e.g. `/dev/net/tun`
+becomes `smarter-devices/net_tun`.
+
+The default config file provided will enable most of the devices available on a Raspberry Pi (vers 1-4) or equivalent boards. I2C, SPI, video devices, sound and others would be enabled. The config file can be replaced using a configmap to enable or disable access to different devices, like accelerators, GPUs, etc.
+
+# Uninstalling the Chart
+
+```
+helm delete my-smarter-device-manager
+
+```

charts/smarter-device-manager/templates/common.yaml

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ .Values.application.appName }}
+  labels:
+    name: {{ .Values.application.appName }}
+    role: agent
+spec:
+  selector:
+    matchLabels:
+      name: {{ .Values.application.appName }}
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels: 
+        name: {{ .Values.application.appName }}
+      annotations:
+        node.kubernetes.io/bootstrap-checkpoint: "true"
+    spec: 
+      nodeSelector:
+        {{- if .Values.nodeSelector }}
+        {{- toYaml .Values.nodeSelector | nindent 8 }}
+        {{- else }}
+        smarter.device-manager: enabled
+        {{- end }}
+      tolerations:
+      - key: "smarter.type"
+        operator: "Equal"
+        value: "edge"
+        effect: "NoSchedule"
+      priorityClassName: "system-node-critical"
+      hostname: {{ .Values.application.appName }}
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      containers:
+      - name: {{ .Values.application.appName }}
+        image: {{ .Values.image.repository }}:{{ default .Chart.AppVersion .Values.image.tag }}
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
+        resources:
+          limits:
+            cpu: 200m
+            memory: 15Mi
+          requests:
+            cpu: 10m
+            memory: 15Mi
+        volumeMounts:
+          - name: device-plugin
+            mountPath: /var/lib/kubelet/device-plugins
+          - name: dev-dir
+            mountPath: /dev
+          - name: sys-dir
+            mountPath: /sys
+          {{- if .Values.config }}
+          - name: config
+            mountPath: /root/config
+          {{- end }}
+      volumes:
+        - name: device-plugin
+          hostPath:
+            path: /var/lib/kubelet/device-plugins
+        - name: dev-dir
+          hostPath:
+            path: /dev
+        - name: sys-dir
+          hostPath:
+            path: /sys
+        {{- if .Values.config }}
+        - name: config
+          configMap:
+            name: {{ .Values.application.appName }}
+        {{- end }}
+      terminationGracePeriodSeconds: 30

charts/smarter-device-manager/templates/configmap.yaml

@@ -0,0 +1,9 @@
+{{- if .Values.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.application.appName }}
+data:
+  conf.yaml: |
+  {{- toYaml .Values.config | nindent 4 }}
+{{- end }}

charts/smarter-device-manager/values.yaml

@@ -0,0 +1,57 @@
+#
+
+application:
+  appName: smarter-device-manager
+
+image:
+  repository: ghcr.io/smarter-project/smarter-device-manager
+  # @default -- chart.appVersion
+  tag: ""
+  pullPolicy: IfNotPresent
+
+# If a specific configurations is used it can be provided by uncommenting this lines
+# config:
+#   - devicematch: ^snd$
+#     nummaxdevices: 20
+#   - devicematch: ^gpiomem$
+#     nummaxdevices: 40
+#   - devicematch: ^gpiochip[0-9]*$
+#     nummaxdevices: 20
+#   - devicematch: ^hci[0-9]*$
+#     nummaxdevices: 1
+#   - devicematch: ^i2c-[0-9]*$
+#     nummaxdevices: 1
+#   - devicematch: ^rtc0$
+#     nummaxdevices: 20
+#   - devicematch: ^video[0-9]*$
+#     nummaxdevices: 20
+#   - devicematch: ^vchiq$
+#     nummaxdevices: 20
+#   - devicematch: ^vcsm.*$
+#     nummaxdevices: 20
+#   - devicematch: ^ttyUSB[0-9]*$
+#     nummaxdevices: 1
+#   - devicematch: ^ttyACM[0-9]*$
+#     nummaxdevices: 1
+#   - devicematch: ^ttyTHS[0-9]*$
+#     nummaxdevices: 1
+#   - devicematch: ^ttyS[0-9]*$
+#     nummaxdevices: 1
+#
+
+# This example of configmap allows nitro enclaves to be allocated in a pod
+# config:
+#   - devicematch: ^nitro_enclaves$
+#     nummaxdevices: 1
+#   - devicematch: ^vsock$
+#     nummaxdevices: 1
+#   - devicematch: ^rtc0$
+#     nummaxdevices: 20
+#   - devicematch: ^ttyUSB[0-9]*$
+#     nummaxdevices: 1
+#   - devicematch: ^ttyACM[0-9]*$
+#     nummaxdevices: 1
+#   - devicematch: ^ttyTHS[0-9]*$
+#     nummaxdevices: 1
+#   - devicematch: ^ttyS[0-9]*$
+#     nummaxdevices: 1

compile.sh

@@ -36,7 +36,7 @@ function printHelp() {
 }
 
 BUILD_TAG=$(date -u "+%Y%m%d%H%M%S")
-REPOSITORY_NAME="registry.gitlab.com/arm-research/smarter/smarter-device-manager/"
+REPOSITORY_NAME="ghcr.io/smarter-project/smarter-device-manager/"
 IMAGE_NAME="smarter-device-manager"
 DIRECTORY_TO_RUN=.
 

main.go

@@ -55,9 +55,18 @@ func init() {
 	flag.Parse()
 }
 
-func readDevDirectory(dirToList string) (files []string, err error) {
+func readDevDirectory(dirToList string, allowedRecursions uint8) (files []string, err error) {
         var foundFiles []string
 
+        fType, err := os.Stat(dirToList)
+        if err != nil {
+                return nil, err
+        }
+
+        if !fType.IsDir()  {
+                return nil, nil
+        }
+
         f, err := os.Open(dirToList)
         if err != nil {
                 return nil, err
@@ -70,10 +79,12 @@ func readDevDirectory(dirToList string) (files []string, err error) {
         f.Close()
         for _, subDir := range files {
                 foundFiles = append(foundFiles, subDir)
-                filesDir, err := readDevDirectory(dirToList+"/"+subDir)
-                if err == nil {
-                        for _, fileName := range filesDir {
-                                foundFiles = append(foundFiles, subDir+"/"+fileName)
+                if allowedRecursions > 0 {
+                        filesDir, err := readDevDirectory(dirToList+"/"+subDir,allowedRecursions-1)
+                        if err == nil {
+                                for _, fileName := range filesDir {
+                                        foundFiles = append(foundFiles, subDir+"/"+fileName)
+                                }
                         }
                 }
         }
@@ -82,7 +93,22 @@ func readDevDirectory(dirToList string) (files []string, err error) {
 }
 
 func sanitizeName(path string) string {
-        return strings.Replace(path, "/", "_" ,-1)
+        sanitizeChar := func(r rune) rune {
+		switch {
+		case r >= 'A' && r <= 'Z':
+			return r
+		case r >= 'a' && r <= 'z':
+			return r
+		case r >= '0' && r <= '9':
+			return r
+		case r == '_':
+			return r
+		case r == '-':
+			return r
+		}
+		return '_'
+	}
+        return strings.Map(sanitizeChar, path)
 }
 
 func findDevicesPattern(listDevices []string, pattern string) ([]string,error) {
@@ -118,13 +144,13 @@ func main() {
         }
 
 	glog.V(0).Info("Reading existing devices on /dev")
-	ExistingDevices, err := readDevDirectory("/dev")
+	ExistingDevices, err := readDevDirectory("/dev",10)
 	if err != nil {
 		glog.Errorf(err.Error())
 		os.Exit(1)
 	}
 
-	ExistingDevicesSys, err := readDevDirectory("/sys/devices")
+	ExistingDevicesSys, err := readDevDirectory("/sys/devices",0)
 	if err != nil {
 		glog.Errorf(err.Error())
 		os.Exit(1)

smarter-device-management-pod-k3s-test-xavier.yaml

@@ -15,7 +15,7 @@ spec:
   nodeName: smarter-jetson-xavier-4bcc2584
   containers:
   - name: smarter-device-manager
-    image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.20.5
+    image: ghcr.io/smarter-project/smarter-device-manager:v1.20.11
     imagePullPolicy: IfNotPresent
     securityContext:
       allowPrivilegeEscalation: false

smarter-device-management-pod-k3s.yaml

@@ -15,7 +15,7 @@ spec:
   nodeName: <replace with node to run>
   containers:
   - name: smarter-device-manager
-    image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.20.5
+    image: ghcr.io/smarter-project/smarter-device-manager:v1.20.11
     imagePullPolicy: IfNotPresent
     securityContext:
       allowPrivilegeEscalation: false

smarter-device-management-pod.yaml

@@ -15,7 +15,7 @@ spec:
   nodeName: <replace with node to run>
   containers:
   - name: smarter-device-manager
-    image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.20.5
+    image: ghcr.io/smarter-project/smarter-device-manager:v1.20.11
     imagePullPolicy: IfNotPresent
     securityContext:
       allowPrivilegeEscalation: false

smarter-device-manager-ds-k3s.yaml

@@ -34,7 +34,7 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       containers:
       - name: smarter-device-manager
-        image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.20.5
+        image: ghcr.io/smarter-project/smarter-device-manager:v1.20.11
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false

smarter-device-manager-ds-with-configmap-rpi-k3s.yaml

@@ -34,7 +34,7 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       containers:
       - name: smarter-device-manager
-        image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.20.5
+        image: ghcr.io/smarter-project/smarter-device-manager:v1.20.11
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false
@@ -69,7 +69,4 @@ spec:
         - name: config
           configMap:
              name: smarter-device-manager-rpi
-        - name: config
-          hostPath:
-            path: /var/lib/rancher/k3s/agent/kubelet/device-plugins
       terminationGracePeriodSeconds: 30

smarter-device-manager-ds-with-configmap-rpi.yaml

@@ -34,7 +34,7 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       containers:
       - name: smarter-device-manager
-        image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.20.5
+        image: ghcr.io/smarter-project/smarter-device-manager:v1.20.11
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false

smarter-device-manager-ds-with-configmap-xavier-k3s.yaml

@@ -34,7 +34,7 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       containers:
       - name: smarter-device-manager
-        image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.20.5
+        image: ghcr.io/smarter-project/smarter-device-manager:v1.20.11
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false

smarter-device-manager-ds-with-configmap-xavier.yaml

@@ -34,7 +34,7 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       containers:
       - name: smarter-device-manager
-        image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.20.5
+        image: ghcr.io/smarter-project/smarter-device-manager:v1.20.11
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false

smarter-device-manager-ds.yaml

@@ -34,7 +34,7 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       containers:
       - name: smarter-device-manager
-        image: registry.gitlab.com/arm-research/smarter/smarter-device-manager:v1.20.5
+        image: ghcr.io/smarter-project/smarter-device-manager:v1.20.11
         imagePullPolicy: IfNotPresent
         securityContext:
           allowPrivilegeEscalation: false