Add foundations for FIPS flavor #31004
Signed-off-by: Nicolas Guerguadj <nicolas.guerguadj@datadoghq.com>
…uild FIPS package Signed-off-by: Nicolas Guerguadj <nicolas.guerguadj@datadoghq.com>
…lling package Signed-off-by: Nicolas Guerguadj <nicolas.guerguadj@datadoghq.com>
bb61eb5 to 7d943b0
Gitlab CI Configuration Changes
Modified Jobs
variables (configuration)
variables:
AGENT_API_KEY_ORG2: agent-api-key-org-2
AGENT_APP_KEY_ORG2: agent-ci-app-key-org-2
AGENT_BINARIES_DIR: bin/agent
AGENT_GITHUB_APP: agent-github-app
AGENT_QA_E2E: agent-qa-e2e
API_KEY_ORG2: ci.datadog-agent.datadog_api_key_org2
ARTIFACT_DOWNLOAD_ATTEMPTS: 2
ATLASSIAN_WRITE: atlassian-write
BTFHUB_ARCHIVE_BRANCH: main
BUCKET_BRANCH: dev
CHANGELOG_COMMIT_SHA: ci.datadog-agent.gitlab_changelog_commit_sha
CHOCOLATEY_API_KEY: ci.datadog-agent.chocolatey_api_key
- CI_IMAGE_BTF_GEN: v48372186-ff395e52
+ CI_IMAGE_BTF_GEN: v48815877-9bfad02c
CI_IMAGE_BTF_GEN_SUFFIX: ''
- CI_IMAGE_DD_AGENT_TESTING: v48372186-ff395e52
+ CI_IMAGE_DD_AGENT_TESTING: v48815877-9bfad02c
CI_IMAGE_DD_AGENT_TESTING_SUFFIX: ''
- CI_IMAGE_DEB_ARM64: v48372186-ff395e52
+ CI_IMAGE_DEB_ARM64: v48815877-9bfad02c
CI_IMAGE_DEB_ARM64_SUFFIX: ''
- CI_IMAGE_DEB_ARMHF: v48372186-ff395e52
+ CI_IMAGE_DEB_ARMHF: v48815877-9bfad02c
CI_IMAGE_DEB_ARMHF_SUFFIX: ''
- CI_IMAGE_DEB_X64: v48372186-ff395e52
+ CI_IMAGE_DEB_X64: v48815877-9bfad02c
CI_IMAGE_DEB_X64_SUFFIX: ''
- CI_IMAGE_DOCKER_ARM64: v48372186-ff395e52
+ CI_IMAGE_DOCKER_ARM64: v48815877-9bfad02c
CI_IMAGE_DOCKER_ARM64_SUFFIX: ''
- CI_IMAGE_DOCKER_X64: v48372186-ff395e52
+ CI_IMAGE_DOCKER_X64: v48815877-9bfad02c
CI_IMAGE_DOCKER_X64_SUFFIX: ''
- CI_IMAGE_GITLAB_AGENT_DEPLOY: v48372186-ff395e52
+ CI_IMAGE_GITLAB_AGENT_DEPLOY: v48815877-9bfad02c
CI_IMAGE_GITLAB_AGENT_DEPLOY_SUFFIX: ''
- CI_IMAGE_LINUX_GLIBC_2_17_X64: v48372186-ff395e52
+ CI_IMAGE_LINUX_GLIBC_2_17_X64: v48815877-9bfad02c
CI_IMAGE_LINUX_GLIBC_2_17_X64_SUFFIX: ''
- CI_IMAGE_LINUX_GLIBC_2_23_ARM64: v48372186-ff395e52
? ^ ^^^^^^^^^^^^
+ CI_IMAGE_LINUX_GLIBC_2_23_ARM64: v48815877-9bfad02c
? ^^^^ ++++++++ ^
CI_IMAGE_LINUX_GLIBC_2_23_ARM64_SUFFIX: ''
- CI_IMAGE_RPM_ARM64: v48372186-ff395e52
+ CI_IMAGE_RPM_ARM64: v48815877-9bfad02c
CI_IMAGE_RPM_ARM64_SUFFIX: ''
- CI_IMAGE_RPM_ARMHF: v48372186-ff395e52
+ CI_IMAGE_RPM_ARMHF: v48815877-9bfad02c
CI_IMAGE_RPM_ARMHF_SUFFIX: ''
- CI_IMAGE_RPM_X64: v48372186-ff395e52
+ CI_IMAGE_RPM_X64: v48815877-9bfad02c
CI_IMAGE_RPM_X64_SUFFIX: ''
- CI_IMAGE_SYSTEM_PROBE_ARM64: v48372186-ff395e52
+ CI_IMAGE_SYSTEM_PROBE_ARM64: v48815877-9bfad02c
CI_IMAGE_SYSTEM_PROBE_ARM64_SUFFIX: ''
- CI_IMAGE_SYSTEM_PROBE_X64: v48372186-ff395e52
+ CI_IMAGE_SYSTEM_PROBE_X64: v48815877-9bfad02c
CI_IMAGE_SYSTEM_PROBE_X64_SUFFIX: ''
- CI_IMAGE_WIN_1809_X64: v48372186-ff395e52
+ CI_IMAGE_WIN_1809_X64: v48815877-9bfad02c
CI_IMAGE_WIN_1809_X64_SUFFIX: ''
- CI_IMAGE_WIN_LTSC2022_X64: v48372186-ff395e52
+ CI_IMAGE_WIN_LTSC2022_X64: v48815877-9bfad02c
CI_IMAGE_WIN_LTSC2022_X64_SUFFIX: ''
CLANG_LLVM_VER: 12.0.1
CLUSTER_AGENT_BINARIES_DIR: bin/datadog-cluster-agent
CLUSTER_AGENT_CLOUDFOUNDRY_BINARIES_DIR: bin/datadog-cluster-agent-cloudfoundry
CODECOV: codecov
CODECOV_TOKEN: ci.datadog-agent.codecov_token
CWS_INSTRUMENTATION_BINARIES_DIR: bin/cws-instrumentation
- DATADOG_AGENT_ARMBUILDIMAGES: v48372186-ff395e52
+ DATADOG_AGENT_ARMBUILDIMAGES: v48815877-9bfad02c
DATADOG_AGENT_ARMBUILDIMAGES_SUFFIX: ''
- DATADOG_AGENT_BTF_GEN_BUILDIMAGES: v48372186-ff395e52
? ^ ^^^^^^^^^^^^
+ DATADOG_AGENT_BTF_GEN_BUILDIMAGES: v48815877-9bfad02c
? ^^^^ ++++++++ ^
DATADOG_AGENT_BTF_GEN_BUILDIMAGES_SUFFIX: ''
- DATADOG_AGENT_BUILDIMAGES: v48372186-ff395e52
+ DATADOG_AGENT_BUILDIMAGES: v48815877-9bfad02c
DATADOG_AGENT_BUILDIMAGES_SUFFIX: ''
DATADOG_AGENT_EMBEDDED_PATH: /opt/datadog-agent/embedded
- DATADOG_AGENT_SYSPROBE_BUILDIMAGES: v48372186-ff395e52
? ^ ^^^^^^^^^^^^
+ DATADOG_AGENT_SYSPROBE_BUILDIMAGES: v48815877-9bfad02c
? ^^^^ ++++++++ ^
DATADOG_AGENT_SYSPROBE_BUILDIMAGES_SUFFIX: ''
- DATADOG_AGENT_WINBUILDIMAGES: v48372186-ff395e52
+ DATADOG_AGENT_WINBUILDIMAGES: v48815877-9bfad02c
DATADOG_AGENT_WINBUILDIMAGES_SUFFIX: ''
DD_AGENT_TESTING_DIR: $CI_PROJECT_DIR/test/kitchen
DD_PKG_VERSION: latest
DEB_GPG_KEY: ci.datadog-agent.deb_signing_private_key_${DEB_GPG_KEY_ID}
DEB_GPG_KEY_ID: c0962c7d
DEB_GPG_KEY_NAME: Datadog, Inc. APT key
DEB_RPM_TESTING_BUCKET_BRANCH: testing
DEB_S3_BUCKET: apt.datad0g.com
DEB_SIGNING_PASSPHRASE: ci.datadog-agent.deb_signing_key_passphrase_${DEB_GPG_KEY_ID}
DEB_TESTING_S3_BUCKET: apttesting.datad0g.com
DOCKER_REGISTRY_LOGIN: ci.datadog-agent.docker_hub_login
DOCKER_REGISTRY_PWD: ci.datadog-agent.docker_hub_pwd
DOCKER_REGISTRY_RO: dockerhub-readonly
DOCKER_REGISTRY_URL: docker.io
DOGSTATSD_BINARIES_DIR: bin/dogstatsd
E2E_AZURE: e2e-azure
E2E_GCP: e2e-gcp
EXECUTOR_JOB_SECTION_ATTEMPTS: 2
FF_KUBERNETES_HONOR_ENTRYPOINT: true
FF_SCRIPT_SECTIONS: 1
GENERAL_ARTIFACTS_CACHE_BUCKET_URL: https://dd-agent-omnibus.s3.amazonaws.com
GET_SOURCES_ATTEMPTS: 2
GITLAB_TOKEN: gitlab-token
GO_TEST_SKIP_FLAKE: 'true'
INSTALL_SCRIPT_API_KEY_ORG2: install-script-api-key-org-2
INTEGRATION_WHEELS_CACHE_BUCKET: dd-agent-omnibus
KERNEL_MATRIX_TESTING_ARM_AMI_ID: ami-0b5f838a19d37fc61
KERNEL_MATRIX_TESTING_X86_AMI_ID: ami-05b3973acf5422348
KITCHEN_AWS: kitchen-aws
KITCHEN_AZURE: kitchen-azure
KITCHEN_INFRASTRUCTURE_FLAKES_RETRY: 2
MACOS_GITHUB_APP_1: macos-github-app-one
MACOS_GITHUB_APP_2: macos-github-app-two
MACOS_S3_BUCKET: dd-agent-macostesting
OMNIBUS_BASE_DIR: /omnibus
OMNIBUS_GIT_CACHE_DIR: /tmp/omnibus-git-cache
OMNIBUS_PACKAGE_DIR: $CI_PROJECT_DIR/omnibus/pkg/
OMNIBUS_PACKAGE_DIR_SUSE: $CI_PROJECT_DIR/omnibus/suse/pkg
PROCESS_S3_BUCKET: datad0g-process-agent
RELEASE_VERSION_6: nightly
RELEASE_VERSION_7: nightly-a7
RESTORE_CACHE_ATTEMPTS: 2
RPM_GPG_KEY: ci.datadog-agent.rpm_signing_private_key_${RPM_GPG_KEY_ID}
RPM_GPG_KEY_ID: b01082d3
RPM_GPG_KEY_NAME: Datadog, Inc. RPM key
RPM_S3_BUCKET: yum.datad0g.com
RPM_SIGNING_PASSPHRASE: ci.datadog-agent.rpm_signing_key_passphrase_${RPM_GPG_KEY_ID}
RPM_TESTING_S3_BUCKET: yumtesting.datad0g.com
RUN_E2E_TESTS: auto
RUN_KMT_TESTS: auto
RUN_UNIT_TESTS: auto
S3_ARTIFACTS_URI: s3://dd-ci-artefacts-build-stable/$CI_PROJECT_NAME/$CI_PIPELINE_ID
S3_CP_CMD: aws s3 cp $S3_CP_OPTIONS
S3_CP_OPTIONS: --no-progress --region us-east-1 --sse AES256
S3_DD_AGENT_OMNIBUS_BTFS_URI: s3://dd-agent-omnibus/btfs
S3_DD_AGENT_OMNIBUS_JAVA_URI: s3://dd-agent-omnibus/openjdk
S3_DD_AGENT_OMNIBUS_LLVM_URI: s3://dd-agent-omnibus/llvm
S3_DSD6_URI: s3://dsd6-staging
S3_OMNIBUS_CACHE_BUCKET: dd-ci-datadog-agent-omnibus-cache-build-stable
S3_PERMANENT_ARTIFACTS_URI: s3://dd-ci-persistent-artefacts-build-stable/$CI_PROJECT_NAME
S3_PROJECT_ARTIFACTS_URI: s3://dd-ci-artefacts-build-stable/$CI_PROJECT_NAME
S3_RELEASE_ARTIFACTS_URI: s3://dd-release-artifacts/$CI_PROJECT_NAME/$CI_PIPELINE_ID
S3_RELEASE_INSTALLER_ARTIFACTS_URI: s3://dd-release-artifacts/datadog-installer/$CI_PIPELINE_ID
S3_SBOM_STORAGE_URI: s3://sbom-root-us1-ddbuild-io/$CI_PROJECT_NAME/$CI_PIPELINE_ID
SLACK_AGENT: slack-agent-ci
SMP_ACCOUNT: smp
STATIC_BINARIES_DIR: bin/static
SYSTEM_PROBE_BINARIES_DIR: bin/system-probe
USE_S3_CACHING: --omnibus-s3-cache
VCPKG_BLOB_SAS_URL: ci.datadog-agent-buildimages.vcpkg_blob_sas_url
WINDOWS_BUILDS_S3_BUCKET: $WIN_S3_BUCKET/builds
WINDOWS_POWERSHELL_DIR: $CI_PROJECT_DIR/signed_scripts
WINDOWS_TESTING_S3_BUCKET_A6: pipelines/A6/$CI_PIPELINE_ID
WINDOWS_TESTING_S3_BUCKET_A7: pipelines/A7/$CI_PIPELINE_ID
WINGET_PAT: ci.datadog-agent.winget_pat
WIN_S3_BUCKET: dd-agent-mstesting
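Review bot: The bump from v48372186-ff395e52 to v48815877-9bfad02c is applied to every CI_IMAGE_* and DATADOG_AGENT_*BUILDIMAGES variable at once, including the Linux, ARM, system-probe and BTF-gen images, while the PR description only says it adds jobs for a FIPS package. Please record in the description why the build images change and which of them the FIPS jobs need, since these variables are shared and the new tag also applies to the existing non-FIPS jobs. The values are short version tags rather than digests, so it is also worth confirming that the jobs consuming them resolve to an immutable image.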
Removed | Modified | Added | Renamed |
---|---|---|---|
0 | 1 | 21 | 0 |
ℹ️ Diff available in the job log.
Regression Detector Results
Metrics dashboard
Baseline: 199e77a
Optimization Goals: ✅ No significant changes detected
perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
---|---|---|---|---|---|---|
➖ | basic_py_check | % cpu utilization | +1.51 | [-2.39, +5.42] | 1 | Logs |
➖ | quality_gate_idle | memory utilization | +0.32 | [+0.28, +0.36] | 1 | Logs bounds checks dashboard |
➖ | file_tree | memory utilization | +0.22 | [+0.09, +0.36] | 1 | Logs |
➖ | file_to_blackhole_1000ms_latency | egress throughput | +0.14 | [-0.63, +0.92] | 1 | Logs |
➖ | file_to_blackhole_1000ms_latency_linear_load | egress throughput | +0.13 | [-0.33, +0.59] | 1 | Logs |
➖ | uds_dogstatsd_to_api_cpu | % cpu utilization | +0.07 | [-0.66, +0.80] | 1 | Logs |
➖ | file_to_blackhole_500ms_latency | egress throughput | +0.01 | [-0.77, +0.79] | 1 | Logs |
➖ | tcp_dd_logs_filter_exclude | ingress throughput | +0.00 | [-0.01, +0.01] | 1 | Logs |
➖ | file_to_blackhole_100ms_latency | egress throughput | -0.00 | [-0.76, +0.76] | 1 | Logs |
➖ | file_to_blackhole_0ms_latency | egress throughput | -0.01 | [-0.75, +0.72] | 1 | Logs |
➖ | uds_dogstatsd_to_api | ingress throughput | -0.02 | [-0.13, +0.09] | 1 | Logs |
➖ | file_to_blackhole_300ms_latency | egress throughput | -0.02 | [-0.65, +0.60] | 1 | Logs |
➖ | tcp_syslog_to_blackhole | ingress throughput | -0.55 | [-0.61, -0.49] | 1 | Logs |
➖ | quality_gate_idle_all_features | memory utilization | -0.58 | [-0.73, -0.43] | 1 | Logs bounds checks dashboard |
➖ | otel_to_otel_logs | ingress throughput | -1.07 | [-1.76, -0.37] | 1 | Logs |
➖ | pycheck_lots_of_tags | % cpu utilization | -3.05 | [-6.46, +0.36] | 1 | Logs |
Bounds Checks: ✅ Passed
perf | experiment | bounds_check_name | replicates_passed | links |
---|---|---|---|---|
✅ | file_to_blackhole_0ms_latency | lost_bytes | 10/10 | |
✅ | file_to_blackhole_0ms_latency | memory_usage | 10/10 | |
✅ | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | |
✅ | file_to_blackhole_1000ms_latency_linear_load | memory_usage | 10/10 | |
✅ | file_to_blackhole_100ms_latency | lost_bytes | 10/10 | |
✅ | file_to_blackhole_100ms_latency | memory_usage | 10/10 | |
✅ | file_to_blackhole_300ms_latency | lost_bytes | 10/10 | |
✅ | file_to_blackhole_300ms_latency | memory_usage | 10/10 | |
✅ | file_to_blackhole_500ms_latency | lost_bytes | 10/10 | |
✅ | file_to_blackhole_500ms_latency | memory_usage | 10/10 | |
✅ | quality_gate_idle | memory_usage | 10/10 | bounds checks dashboard |
✅ | quality_gate_idle_all_features | memory_usage | 10/10 | bounds checks dashboard |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
- Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
- Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
- Its configuration does not mark it "erratic".
CI Pass/Fail Decision
✅ Passed. All Quality Gates passed.
- quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
Signed-off-by: Nicolas Guerguadj <nicolas.guerguadj@datadoghq.com>
9b446b3 to 6172db5
…avor not flag now
/merge
Devflow running:
fix unknown tag error fix fips-mode build option set omnibus flavor option select msgo via DD_GO_TOOLCHAIN add fips flavor to MSI build fix GOROOT vs GOPATH mixup set winbuildimages to version that includes msgo new guid readability refactor fix batch syntax front of path update buildimage fix system-probe via d5f4f83 remove major-version arg #31004 (comment) move DD_GO_TOOLCHAIN into omnibus #31004 (comment) #31004 (comment) use released winbuildimage sanity check for go.exe provide AgentVersion to AgentFlavoryFactory static AgentFlavorFactory whitespace .go-version full path try forwardslash move msgo root logic to python comment check var
What does this PR do?
This PR adds jobs to create a new Agent package with FIPS support.
Motivation
Merge foundations to be able to work in parallel on different features
Describe how to test/QA your changes
This will be thoroughly tested in future PR where we're gonna
Possible Drawbacks / Trade-offs
Additional Notes
We don't release the package publicly for now, and this work should not impact the main Agent, so the temporary lack of testing should not be a problem here.