From cc61703fef7f2e2b20bd73f146f994551465656a Mon Sep 17 00:00:00 2001
From: Jakub Jarosz <99677300+jjngx@users.noreply.github.com>
Date: Mon, 20 Mar 2023 11:04:07 +0000
Subject: [PATCH] Remove app protect agent (#3646)
* Setup AppProtect logLevel
---------
Co-authored-by: Venktesh Shivam Patel
---
 cmd/nginx-ingress/main.go | 20 ++++++--------------
 internal/nginx/fake_manager.go | 12 +-----------
 internal/nginx/manager.go | 32 +++-----------------------------
 3 files changed, 10 insertions(+), 54 deletions(-)
diff --git a/cmd/nginx-ingress/main.go b/cmd/nginx-ingress/main.go
index c2022230cc..f846b00801 100644
--- a/cmd/nginx-ingress/main.go
+++ b/cmd/nginx-ingress/main.go
@@ -75,7 +75,7 @@ func main() {
 templateExecutor, templateExecutorV2 := createTemplateExecutors()
- aPPluginDone, aPAgentDone, aPPDosAgentDone := startApAgentsAndPlugins(nginxManager)
+ aPPluginDone, aPPDosAgentDone := startApAgentsAndPlugins(nginxManager)
 sslRejectHandshake := processDefaultServerSecret(kubeClient, nginxManager)
@@ -185,7 +185,7 @@ func main() {
 }
 if *appProtect || *appProtectDos {
- go handleTerminationWithAppProtect(lbc, nginxManager, syslogListener, nginxDone, aPAgentDone, aPPluginDone, aPPDosAgentDone, *appProtect, *appProtectDos)
+ go handleTerminationWithAppProtect(lbc, nginxManager, syslogListener, nginxDone, aPPluginDone, aPPDosAgentDone, *appProtect, *appProtectDos)
 } else {
 go handleTermination(lbc, nginxManager, syslogListener, nginxDone)
 }
@@ -387,16 +387,12 @@ func getNginxVersionInfo(nginxManager nginx.Manager) string {
 return nginxVersion
 }
-func startApAgentsAndPlugins(nginxManager nginx.Manager) (chan error, chan error, chan error) {
+func startApAgentsAndPlugins(nginxManager nginx.Manager) (chan error, chan error) {
 var aPPluginDone chan error
- var aPAgentDone chan error
 if *appProtect {
 aPPluginDone = make(chan error, 1)
- aPAgentDone = make(chan error, 1)
-
- nginxManager.AppProtectAgentStart(aPAgentDone, *appProtectLogLevel)
- nginxManager.AppProtectPluginStart(aPPluginDone)
+ nginxManager.AppProtectPluginStart(aPPluginDone, *appProtectLogLevel)
 }
 var aPPDosAgentDone chan error
@@ -405,7 +401,7 @@ func startApAgentsAndPlugins(nginxManager nginx.Manager) (chan error, chan error
 aPPDosAgentDone = make(chan error, 1)
 nginxManager.AppProtectDosAgentStart(aPPDosAgentDone, *appProtectDosDebug, *appProtectDosMaxDaemons, *appProtectDosMaxWorkers, *appProtectDosMemory)
 }
- return aPPluginDone, aPAgentDone, aPPDosAgentDone
+ return aPPluginDone, aPPDosAgentDone
 }
 func processDefaultServerSecret(kubeClient *kubernetes.Clientset, nginxManager nginx.Manager) bool {
@@ -548,7 +544,7 @@ func getAndValidateSecret(kubeClient *kubernetes.Clientset, secretNsName string)
 return secret, nil
 }
-func handleTerminationWithAppProtect(lbc *k8s.LoadBalancerController, nginxManager nginx.Manager, listener metrics.SyslogListener, nginxDone, agentDone, pluginDone, agentDosDone chan error, appProtectEnabled, appProtectDosEnabled bool) {
+func handleTerminationWithAppProtect(lbc *k8s.LoadBalancerController, nginxManager nginx.Manager, listener metrics.SyslogListener, nginxDone, pluginDone, agentDosDone chan error, appProtectEnabled, appProtectDosEnabled bool) {
 signalChan := make(chan os.Signal, 1)
 signal.Notify(signalChan, syscall.SIGTERM)
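Review bot: startApAgentsAndPlugins (hunk @@ -387, tail in @@ -405) now returns two unnamed results of the same type and has no doc comment, so a caller that swaps them still compiles and the termination handler would then report a DoS-agent exit as an AppProtectPlugin exit. Naming the results documents the order: `func startApAgentsAndPlugins(nginxManager nginx.Manager) (pluginDone, dosAgentDone chan error) {`. A one-line comment should also state the nil contract, for example `// A returned channel is nil when the corresponding App Protect feature is disabled.`, because the handler only guards its blocking `<-pluginDone` receive with appProtectEnabled.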
@@ -557,8 +553,6 @@ func handleTerminationWithAppProtect(lbc *k8s.LoadBalancerController, nginxManag
 glog.Fatalf("nginx command exited unexpectedly with status: %v", err)
 case err := <-pluginDone:
 glog.Fatalf("AppProtectPlugin command exited unexpectedly with status: %v", err)
- case err := <-agentDone:
- glog.Fatalf("AppProtectAgent command exited unexpectedly with status: %v", err)
 case err := <-agentDosDone:
 glog.Fatalf("AppProtectDosAgent command exited unexpectedly with status: %v", err)
 case <-signalChan:
@@ -569,8 +563,6 @@ func handleTerminationWithAppProtect(lbc *k8s.LoadBalancerController, nginxManag
 if appProtectEnabled {
 nginxManager.AppProtectPluginQuit()
 <-pluginDone
- nginxManager.AppProtectAgentQuit()
- <-agentDone
 }
 if appProtectDosEnabled {
 nginxManager.AppProtectDosAgentQuit()
diff --git a/internal/nginx/fake_manager.go b/internal/nginx/fake_manager.go
index 063017eebf..ad3da7505d 100644
--- a/internal/nginx/fake_manager.go
+++ b/internal/nginx/fake_manager.go
@@ -150,18 +150,8 @@ func (*FakeManager) CreateOpenTracingTracerConfig(_ string) error {
 func (*FakeManager) SetOpenTracing(_ bool) {
 }
-// AppProtectAgentStart is a fake implementation of AppProtectAgentStart
-func (*FakeManager) AppProtectAgentStart(_ chan error, _ string) {
- glog.V(3).Infof("Starting FakeAppProtectAgent")
-}
-
-// AppProtectAgentQuit is a fake implementation AppProtectAgentQuit
-func (*FakeManager) AppProtectAgentQuit() {
- glog.V(3).Infof("Quitting FakeAppProtectAgent")
-}
-
 // AppProtectPluginStart is a fake implementation AppProtectPluginStart
-func (*FakeManager) AppProtectPluginStart(_ chan error) {
+func (*FakeManager) AppProtectPluginStart(_ chan error, _ string) {
 glog.V(3).Infof("Starting FakeAppProtectPlugin")
 }
diff --git a/internal/nginx/manager.go b/internal/nginx/manager.go
index 561a7c2f75..7f3348b1ca 100644
--- a/internal/nginx/manager.go
+++ b/internal/nginx/manager.go
@@ -35,7 +35,6 @@ const (
 nginxBinaryPathDebug = "/usr/sbin/nginx-debug"
 appProtectPluginStartCmd = "/usr/share/ts/bin/bd-socket-plugin"
- appProtectAgentStartCmd = "/opt/app_protect/bin/bd_agent"
 appProtectLogLevelCmd = "/opt/app_protect/bin/set_log_level"
 // appPluginParams is the configuration of App-Protect plugin
@@ -80,9 +79,7 @@ type Manager interface {
 UpdateServersInPlus(upstream string, servers []string, config ServerConfig) error
 UpdateStreamServersInPlus(upstream string, servers []string) error
 SetOpenTracing(openTracing bool)
- AppProtectAgentStart(apaDone chan error, logLevel string)
- AppProtectAgentQuit()
- AppProtectPluginStart(appDone chan error)
+ AppProtectPluginStart(appDone chan error, logLevel string)
 AppProtectPluginQuit()
 AppProtectDosAgentStart(apdaDone chan error, debug bool, maxDaemon int, maxWorkers int, memory int)
 AppProtectDosAgentQuit()
@@ -107,7 +104,6 @@ type LocalManager struct {
 metricsCollector collectors.ManagerCollector
 OpenTracing bool
 appProtectPluginPid int
- appProtectAgentPid int
 appProtectDosAgentPid int
 }
@@ -462,8 +458,8 @@ func (lm *LocalManager) SetOpenTracing(openTracing bool) {
 lm.OpenTracing = openTracing
 }
-// AppProtectAgentStart starts the AppProtect agent
-func (lm *LocalManager) AppProtectAgentStart(apaDone chan error, logLevel string) {
+// AppProtectPluginStart starts the AppProtect plugin and sets AppProtect log level.
+func (lm *LocalManager) AppProtectPluginStart(appDone chan error, logLevel string) {
 glog.V(3).Info("Setting log level for App Protect - ", logLevel)
 appProtectLogLevelCmdfull := fmt.Sprintf("%v %v", appProtectLogLevelCmd, logLevel)
 logLevelCmd := exec.Command("sh", "-c", appProtectLogLevelCmdfull) // #nosec G204
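Review bot: In hunk @@ -462 the renamed AppProtectPluginStart still formats `logLevel` into a string that is run through `sh -c`, and the `#nosec G204` marker silences the scanner on exactly that line. The value arrives from the `*appProtectLogLevel` flag via startApAgentsAndPlugins, and nothing visible in this patch validates it, so unless an allow-list check exists elsewhere the shell will interpret any metacharacters in the flag rather than pass them as one argument. Invoking the binary directly removes the shell from the path: `logLevelCmd := exec.Command(appProtectLogLevelCmd, logLevel)`, assuming set_log_level is directly executable, after which the suppression comment can be re-evaluated. The doc comment could also note that the log level is set before the plugin starts and that either failure is fatal; the function body continues past the end of this hunk.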
@@ -471,28 +467,6 @@ func (lm *LocalManager) AppProtectAgentStart(apaDone chan error, logLevel string
 glog.Fatalf("Failed to set log level for AppProtect: %v", err)
 }
- glog.V(3).Info("Starting AppProtect Agent")
- cmd := exec.Command(appProtectAgentStartCmd)
- if err := cmd.Start(); err != nil {
- glog.Fatalf("Failed to start AppProtect Agent: %v", err)
- }
- lm.appProtectAgentPid = cmd.Process.Pid
- go func() {
- apaDone <- cmd.Wait()
- }()
-}
-
-// AppProtectAgentQuit gracefully ends AppProtect Agent.
-func (lm *LocalManager) AppProtectAgentQuit() {
- glog.V(3).Info("Quitting AppProtect Agent")
- killcmd := fmt.Sprintf("kill %d", lm.appProtectAgentPid)
- if err := shellOut(killcmd); err != nil {
- glog.Fatalf("Failed to quit AppProtect Agent: %v", err)
- }
-}
-
-// AppProtectPluginStart starts the AppProtect plugin.
-func (lm *LocalManager) AppProtectPluginStart(appDone chan error) {
 glog.V(3).Info("Starting AppProtect Plugin")
 startupParams := strings.Fields(appPluginParams)
 cmd := exec.Command(appProtectPluginStartCmd, startupParams...)