Update k8sstormcenter fork with upstream changes #28

Draft
ddelnano wants to merge 21 commits into main from ddelnano/sync-with-upstream
@ddelnano

Summary: Update k8sstormcenter fork with upstream changes

In preparation for adding copybara, we should update the fork with the latest changes.

Relevant Issues: N/A

Type of change: /kind cleanup

Test Plan: Build should pass

ddelnano and others added 20 commits December 5, 2025 10:06
Summary: Use gha oracle runners for build and test job

This PR supersedes pixie-io#2261.

Relevant Issues: N/A

Type of change: /kind cleanup

Test Plan: Adhoc build from latest commit passes ([build
link](https://github.com/pixie-io/pixie/actions/runs/19958776211))

---------

Signed-off-by: Koray Oksay <koray.oksay@gmail.com>
Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Co-authored-by: Koray Oksay <koray.oksay@gmail.com>
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from
0.35.0 to 0.45.0.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/golang/crypto/commit/4e0068c0098be10d7025c99ab7c50ce454c1f0f9"><code>4e0068c</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/e79546e28b85ea53dd37afe1c4102746ef553b9c"><code>e79546e</code></a>
ssh: curb GSSAPI DoS risk by limiting number of specified OIDs</li>
<li><a
href="https://github.com/golang/crypto/commit/f91f7a7c31bf90b39c1de895ad116a2bacc88748"><code>f91f7a7</code></a>
ssh/agent: prevent panic on malformed constraint</li>
<li><a
href="https://github.com/golang/crypto/commit/2df4153a0311bdfea44376e0eb6ef2faefb0275b"><code>2df4153</code></a>
acme/autocert: let automatic renewal work with short lifetime certs</li>
<li><a
href="https://github.com/golang/crypto/commit/bcf6a849efcf4702fa5172cb0998b46c3da1e989"><code>bcf6a84</code></a>
acme: pass context to request</li>
<li><a
href="https://github.com/golang/crypto/commit/b4f2b62076abeee4e43fb59544dac565715fbf1e"><code>b4f2b62</code></a>
ssh: fix error message on unsupported cipher</li>
<li><a
href="https://github.com/golang/crypto/commit/79ec3a51fcc7fbd2691d56155d578225ccc542e2"><code>79ec3a5</code></a>
ssh: allow to bind to a hostname in remote forwarding</li>
<li><a
href="https://github.com/golang/crypto/commit/122a78f140d9d3303ed3261bc374bbbca149140f"><code>122a78f</code></a>
go.mod: update golang.org/x dependencies</li>
<li><a
href="https://github.com/golang/crypto/commit/c0531f9c34514ad5c5551e2d6ce569ca673a8afd"><code>c0531f9</code></a>
all: eliminate vet diagnostics</li>
<li><a
href="https://github.com/golang/crypto/commit/0997000b45e3a40598272081bcad03ffd21b8adb"><code>0997000</code></a>
all: fix some comments</li>
<li>Additional commits viewable in <a
href="https://github.com/golang/crypto/compare/v0.35.0...v0.45.0">compare
view</a></li>
</ul>
</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Dom Del Nano <ddelnano@gmail.com>
… upgrade (pixie-io#2283)

Summary: Replace `GUARDED_BY` with `ABSL_GUARDED_BY` in preparation for
abseil upgrade

In order to upgrade to bazel 7, many of our dependencies (bazel repos)
need to be upgraded. In a branch that builds the pixie repo with bazel
7, this was a supporting change I needed to get the build working.
abseil/abseil-cpp@ba7a9e2
is where abseil removed the versions of the macro pixie used previously.

Relevant Issues: pixie-io#2282

Type of change: /kind cleanup

Test Plan: Build should succeed

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
…change (pixie-io#2287)

Summary: Remove use of protobuf debug APIs in test assertions to fix
breaking change

Protobuf v30 and later intentionally malform the `DebugString` string
output to prevent it from being parsed as a protobuf message
([announcement details](https://protobuf.dev/news/2024-12-04/)). This
breaks our protobuf test assertions and is something we need to fix
ahead of migrating to bazel 7.

Relevant Issues: pixie-io#2282

Type of change: /kind cleanup

Test Plan: Build should pass

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Summary: Update python toolchain to 3.12 and upgrade pip deps

This upgrades our Python targets to a newer protobuf version in
preparation for the Bazel 7 upgrade. The Bazel 7 migration requires a
protobuf upgrade, and performing the Python/pip dependency updates first
ensures compatibility when the protobuf upgrade lands in the next step.

Relevant Issues: pixie-io#2282

Type of change: /kind cleanup

Test Plan: Successful build will validate mongo and `src/api/python`
changes and verified the following
- [x] Followed [amqp_code_generation
steps](https://github.com/pixie-io/pixie/tree/68b196b9c2c6f6beed4a6a4c09ace98683bbc936/src/stirling/source_connectors/socket_tracer/protocols/amqp/amqp_code_generator)
and verified generated code is noop
- [x] Followed
[protocol_inference](https://github.com/pixie-io/pixie/tree/68b196b9c2c6f6beed4a6a4c09ace98683bbc936/src/stirling/protocol_inference)
data generation and eval steps.

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Summary: Replace raw use of bazel with bazelisk

Using bazelisk makes it possible to trigger builds against new bazel
versions. This will be leveraged as part of migrating to bazel 6.5.0 and
later to bazel 7.

Relevant Issues: pixie-io#2282

Type of change: /kind cleanup

Test Plan: Build should pass

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Summary: Upgrade googletest and benchmark

Many of our dependencies use googletest and google benchmark. This
preemptively upgrades them to a known good version prior to one of the
larger bazel 7 dependency updates.

Relevant Issues: pixie-io#2282

Type of change: /kind cleanup

Test Plan: Build should pass

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Summary: Increase ASAN short test timeout to address flaky tests

The following tests are frequently hitting the 2-minute Bazel timeout on
ASAN builds:
- `//src/vizier/services/agent/shared/manager:heartbeat_test`
- `//src/vizier/services/agent/shared/manager:registration_test`
- `//src/carnot/builtins:collections_test`

BuildBuddy history from the main branch shows these tests are running up
against the timeout threshold (see screenshot below). I believe
BuildBuddy is underreporting the issues seen since builds are also
seeing BEP API timeouts.

<img width="912" height="512" alt="Screenshot 2025-12-10 at 12 05 55 PM"
src="https://github.com/user-attachments/assets/3a7632b9-ef1d-407b-81aa-1f9babdbaea3"
/>

```
//src/vizier/services/agent/shared/manager:heartbeat_test               TIMEOUT in 120.5s
  /github/home/.cache/bazel/_bazel_root/56ec069a32c4abebc78228236a835895/execroot/px/bazel-out/k8-dbg/testlogs/src/vizier/services/agent/shared/manager/heartbeat_test/test.log
//src/vizier/services/agent/shared/manager:registration_test            TIMEOUT in 120.5s
  /github/home/.cache/bazel/_bazel_root/56ec069a32c4abebc78228236a835895/execroot/px/bazel-out/k8-dbg/testlogs/src/vizier/services/agent/shared/manager/registration_test/test.log

[ ... ]
ERROR: The Build Event Protocol upload timed out. com.google.common.util.concurrent.TimeoutFuture$TimeoutFutureException: Timed out: NonCancellationPropagatingFuture@6ce6bba6[status=PENDING, info=[delegate=[SettableFuture@29e4285e[status=PENDING]]]]
Bazel returned code 38, ignoring...
```

This PR increases the short test timeout to unblock ongoing Bazel 7
upgrade work and prevent unrelated PRs from failing due to these
timeouts.

Relevant Issues: pixie-io#2295

Type of change: /kind bugfix

Test Plan: Build succeeds

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
…2300)

Summary: Fix build issues with missing `rules_docker` loader binary

The `rules_docker` repository moved its image pulling binaries from
storage.googleapis.com to mirror.bazel.build. Last week, the
storage.googleapis.com binaries were removed causing existing builds to
break. This upgrades `rules_docker` to a version that includes the [new
URLs](bazelbuild/rules_docker#2291 (comment))
for the loader binaries.

Relevant Issues: N/A

Type of change: /kind bugfix

Test Plan: Build succeeds

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
…eps (pixie-io#2290)

Summary: Upgrade Bazel from 6.2.0 to 6.5.0 along with protobuf,
tensorflow, and related dependencies. This is a coordinated upgrade
since these dependencies have hard interdependencies that make
incremental upgrades difficult.

Key changes
- Upgrade Bazel from 6.2.0 to 6.5.0 (required by these new dependencies)
- Protobuf upgrade with compatibility patches for text format handling
and JavaScript generation
- TensorFlow upgrade with patches to disable GPU/LLVM/Python features.
The GPU disable patch will not be necessary as TensorFlow's fallback
logic will work with Bazel 7
- gRPC-web upgrade to 2.0.2 and replacement of the vendored
`protoc-gen-grpc-web` with a Bazel repository
- Flatbuffers patched to remove rules_js dependency (this upgrade is
required by TensorFlow v2.20.0)
- absl upgrade (causes transitive header changes)
- Regenerated TypeScript protobuf bindings for the UI

I attempted to split this into a smaller change in pixie-io#2296. TensorFlow has
a tight dependency on protobuf, which prevented that attempt from
working. I'm open to other ideas on how to split this up, but so far
this seemed like the best balance with pixie-io#2293 and pixie-io#2297 to follow to
complete the Bazel 7 migration.

Relevant Issues: pixie-io#2282

Type of change: /kind cleanup

Test Plan: Build passes

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Summary: Upgrade magic_enum to fix builds for clang v16 and later

This upgrades to a magic_enum version that includes this fix
(Neargye/magic_enum#204).

Relevant Issues: pixie-io#2298

Type of change: /kind cleanup

Test Plan: Build succeeds

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Summary: Upgrade rules scala and rules_meta

Relevant Issues: pixie-io#2282

Type of change: /kind cleanup

Test Plan: Build succeeds

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Summary: Upgrade bcc to version that's clang 21 compatible

This upgrades bcc to a commit from the [pixie10
branch](https://github.com/pixie-io/bcc/commits/pixie10). This most
recent rebase includes the following changes:
* Rebased the 9 Pixie-specific commits on top of
[v0.35.0](https://github.com/iovisor/bcc/tree/v0.35.0) plus 31
additional upstream commits through 8c5c96ad (commit log seen below)
* Removes
pixie-io/bcc@41b2fbe
from our fork as it's available upstream
(iovisor/bcc#4442)
<details><summary>Commits included on top of v0.35.0</summary>

```
git log v0.35.0...8c5c96ad3beeed2fa827017f451a952306826974 --oneline
8c5c96ad Fix a build failure with clang21 (#5369)
b8b76e9a add descriptions for using pid in attach_uprobe and attach_uretprobe. (#5367)
36305815 tools/{biolatency,biosnoop,biotop}: use TRACEPOINT_PROBE() for tracepoints (#5366)
c8ad35aa Cleanup CODEOWNERS file (#5368)
78423e16 Add support for executing a program and tracing it (#5362)
21143df6 libbpf-tools/ksnoop: Remove useless and white lines (#5365)
a9c6650e syscall_helpers.c / syscall.py: update syscall list (#5363)
56409526 Fix potential verification failure for opensnoop.py (#5364)
0ae562c8 libbpf-tools: ksnoop: Fix two invalid access to map value (#5361)
789e923f libbpf-tools/klockstat: Allows kprobe fallback to work with lock debugging (#5359)
5f7bcb36 libbpf-tools/memleak: fix typo (#5358)
6bd2760a bcc:  Fix for test tools_memleak.py (#5355)
af21da6f libbpf-tools/filelife: Fix wrong full-path (#5347)
ac3eda96 net_monitor: fix typos in comments (#5360)
673911cf libbpf-tools: runqslower: add -c option to filter by process name prefix
2f3361c6 libbpf-tools: Fix the license for newly added path* files (#5346)
137bd5fb tools/filetop: Add directory filter (#5300)
9adce7ad libbpf-tools/syscall_helpers: Modify syscall_name to return error code (#5314)
939828c4 tools/runqlat: Dynamically size pid/pidns histogram map (#5342)
74bddcbe libbpf-tools/filelife: support full-path
ab8e0616 libbpf-tools: Introduce path helpers
d1faaf3d tools/opensnoop: support mount full-path (#5339)
8e3a1d33 tools/opensnoop: one event is enough for full-path (#5334)
7c4cf388 Bcc: mptcpify: add the NULL check for variable 'mode' (#5336)
6291ff52 libbpf-tools/opensnoop: support mount full-path (#5333)
2f77081d fix typo in README.md (#5335)
ee3ba780 libbpf-tools/offcputime: fix min or max_block_ns unit (#5327)
26eaf13b removing luajit options to ensure no errors will be thrown when running (#5326)
b1c5548d libbpf-tools: opensnoop: add full-path argument -F (#5323)
bbb8df98 Added functionality to detach all uprobes for a binary (#5325)
4bc48581 Doc/dead links (#5322)
```

</details>

Relevant Issues: pixie-io#2298

Type of change: /kind cleanup

Test Plan: `#ci:bpf-build-all-kernels` build should pass
- [x] Socket tracer is functional on COS GKE cluster
- [x] Socket tracer is functional on Amazon Linux 2023 EKS cluster
- [x] Socket tracer is functional on Bottlerocket EKS cluster

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Summary: Replace `u8string` method to keep return value consistent

In c++ 20, the `u8string` method uses a different return type. This PR
removes the use of this function to keep the code compatible with c++17
and c++20 in preparation for the clang 21 upgrade.

Relevant Issues: pixie-io#2298

Type of change: /kind cleanup

Test Plan: Build should succeed

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
…uplicate symbol errors introduced by rules_go v0.58.1 (pixie-io#2311)

Summary: Consolidate `all_scripts_test.go` to use a single CGO target to
fix duplicate symbol errors introduced by rules_go v0.58.1

bazel-contrib/rules_go#4438, included in
`rules_go` v0.58.1, causes certain statically linked CGO binaries to
fail with duplicate symbol errors. This occurs when a binary depends on
more than one CGO library that transitively depends on a common set of
object files.

`all_scripts_test.go` previously depended on two CGO targets:
- `//src/carnot/planner`
- `//src/e2e_test/vizier/planner/dump_schemas/godumpschemas`

This PR solves this issue by removing the
src/e2e_test/vizier/planner/dump_schemas/godumpschemas CGO library and
instead generating the protobuf export directly in C++, loading it in the
main application. This approach mirrors the existing pattern used in
[src/vizier/funcs](https://github.com/pixie-io/pixie/blob/a6349a90b1e4b30f0bb13872ad03dff83a53f363/src/vizier/funcs/BUILD.bazel#L50-L66).

**Why not fix `rules_go`?**

The `rules_go` change that causes the issue explains that it doesn't
include the necessary deduplication logic to avoid these duplicate
symbol errors
(bazel-contrib/rules_go#4438 (comment)).
This tradeoff was [deemed
acceptable](bazel-contrib/rules_go#4438 (comment))
since it solved the c++ initialization problem with minimal complexity.

Relevant Issues: N/A

Type of change: /kind cleanup

Test Plan: Build should pass

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
Summary: Remove accidental stamp

Relevant Issues: N/A

Type of change: /kind cleanup

Test Plan: Build should pass

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
@ddelnano ddelnano temporarily deployed to pr-actions-approval February 19, 2026 07:00 — with GitHub Actions Inactive
protobuf==5.29.3
grpcio==1.76.0
grpcio-tools==1.76.0
protobuf==6.33.1
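Review bot: the `protobuf==6.33.1` pin on the last line is below 6.33.5, the fixed version the trivy-fs finding on this snippet gives for CVE-2026-0994, and the `protobuf==5.29.3` pin on the first line is likewise below 5.29.6, so neither value clears the scanner. Pin `protobuf==6.33.5` or later here, and confirm that `grpcio-tools==1.76.0` still resolves against it before merging.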

Check failure

Code scanning / trivy-fs

python: protobuf: Protobuf: Denial of Service due to recursion depth bypass Error

Package: protobuf
Installed Version: 6.33.1
Vulnerability CVE-2026-0994
Severity: HIGH
Fixed Version: 6.33.5, 5.29.6
Link: CVE-2026-0994
Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
@ddelnano ddelnano deployed to pr-actions-approval February 19, 2026 14:29 — with GitHub Actions Active
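The trivy-fs finding above lists one fixed version per protobuf release line, so a pin has to be compared against the fix for its own line. The following is an added example, not code from this PR or from the Pixie repository, that checks `==` pins in a requirements file against those fixed versions; the helper names and the rule that a release line is identified by its major version are assumptions, and the sample input is constructed from the pins shown on this page.

```python
import re

# Fixed versions exactly as reported by the trivy-fs finding on this page.
FIXED = {"protobuf": ["6.33.5", "5.29.6"]}

# Constructed sample input: the pins visible in the PR's requirements snippet.
SAMPLE_REQUIREMENTS = """\
protobuf==5.29.3
grpcio==1.76.0
grpcio-tools==1.76.0
protobuf==6.33.1
"""

# Matches "name==1.2.3" at the start of a line; trailing hashes or comments are ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def normalize(name):
    # Package names compare case-insensitively with -, _ and . treated alike.
    return re.sub(r"[-_.]+", "-", name).lower()


def required_fix(installed, fixed_versions):
    """Return the fixed version `installed` must reach, or None if it is already patched."""
    inst = parse_version(installed)
    fixes = sorted(parse_version(v) for v in fixed_versions)
    # Assumption: a release line is identified by its major version.
    same_line = [f for f in fixes if f[0] == inst[0]]
    if same_line:
        fix = same_line[-1]  # conservative: require the newest fix in that line
        return None if inst >= fix else ".".join(map(str, fix))
    # No fix published for this major: anything older than a fix must move up to it.
    newer = [f for f in fixes if f > inst]
    return ".".join(map(str, newer[0])) if newer else None


def audit(requirements_text, fixed=FIXED):
    """Return (line_no, package, installed, required_fix) for every unpatched pin."""
    findings = []
    for line_no, line in enumerate(requirements_text.splitlines(), start=1):
        match = PIN_RE.match(line)
        if not match:
            continue
        name, installed = normalize(match.group(1)), match.group(2)
        if name in fixed:
            fix = required_fix(installed, fixed[name])
            if fix is not None:
                findings.append((line_no, name, installed, fix))
    return findings


if __name__ == "__main__":
    results = audit(SAMPLE_REQUIREMENTS)
    for line_no, name, installed, fix in results:
        print(f"line {line_no}: {name}=={installed} is below fixed version {fix}")
    raise SystemExit(1 if results else 0)
```

Run as a script it exits non-zero while any listed pin is below its fix, which makes it usable as a pre-merge gate alongside the scanner.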