Merge branch 'main' into hongshi/mac_sw_inventory

guohdd · web-flow · commit e73b9055bd3f · 2026-01-27T14:36:32.000-08:00
diff --git a/MODULE.bazel b/MODULE.bazel
@@ -233,6 +233,9 @@ include("//deps/freetds:freetds.MODULE.bazel")
 # buildifier: leave-alone
 include("//deps/gstatus:gstatus.MODULE.bazel")
 
+# buildifier: leave-alone
+include("//deps/nfsiostat:nfsiostat.MODULE.bazel")
+
 # buildifier: leave-alone
 include("//deps/openscap:openscap.MODULE.bazel")
 
diff --git a/comp/netflow/flowaggregator/aggregator.go b/comp/netflow/flowaggregator/aggregator.go
@@ -95,7 +95,9 @@ func NewFlowAggregator(sender sender.Sender, epForwarder eventplatform.Forwarder
 	}
 
 	var topNFilter FlowFlushFilter = topn.NoopFilter{}
-	var flowScheduler FlowScheduler = ImmediateFlowScheduler{}
+	var flowScheduler FlowScheduler = ImmediateFlowScheduler{
+		flushConfig: flushConfig,
+	}
 	if config.AggregatorMaxFlowsPerPeriod > 0 {
 		topNFilter = topn.NewPerFlushFilter(int64(config.AggregatorMaxFlowsPerPeriod), flushConfig, sender, logger)
 		flowScheduler = JitterFlowScheduler{flushConfig: flushConfig}
diff --git a/deps/nfsiostat/BUILD.bazel b/deps/nfsiostat/BUILD.bazel
@@ -0,0 +1,37 @@
+"""nfsiostat"""
+
+load("@rules_pkg//pkg:install.bzl", "pkg_install")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_attributes", "pkg_filegroup", "pkg_files")
+
+package(default_visibility = [
+    "//compliance:__pkg__",
+    "//packages:__subpackages__",
+])
+
+genrule(
+    name = "fix_shebang",
+    srcs = ["@nfsiostat//:nfsiostat_py"],
+    outs = ["nfsiosat"],
+    cmd = "sed 's@#!/usr/bin/python@#!/opt/datadog-agent/embedded/bin/python@' $(location  @nfsiostat//:nfsiostat_py) >$@",
+)
+
+pkg_files(
+    name = "bin_files",
+    srcs = [":fix_shebang"],
+    attributes = pkg_attributes(mode = "0755"),
+    prefix = "embedded/sbin",
+)
+
+pkg_filegroup(
+    name = "all_files",
+    srcs = [
+        ":bin_files",
+    ],
+)
+
+pkg_install(
+    name = "install",
+    srcs = [
+        ":all_files",
+    ],
+)
diff --git a/deps/nfsiostat/nfsiostat.BUILD.bazel b/deps/nfsiostat/nfsiostat.BUILD.bazel
@@ -0,0 +1,35 @@
+"""nfsiostat - remote repo side build file"""
+
+load("@@//compliance/rules:purl.bzl", "purl_for_generic")
+load("@package_metadata//rules:package_metadata.bzl", "package_metadata")
+load("@rules_license//rules:license.bzl", "license")
+
+package(default_package_metadata = [":package_metadata"])
+
+VERSION = "2.1.1"
+
+package_metadata(
+    name = "package_metadata",
+    attributes = [
+        ":license",
+    ],
+    purl = purl_for_generic(
+        package = "nfsiostat",
+        version = VERSION,
+        download_url = "https://mirrors.edge.kernel.org/pub/linux/utils/nfs-utils/{version}/nfs-utils-{version}.tar.gz",
+    ),
+)
+
+license(
+    name = "license",
+    license_kinds = ["@rules_license//licenses/spdx:GPL-2.0"],
+    license_text = "COPYING",
+    visibility = ["//visibility:public"],
+)
+
+# Use filegroup rather than exports_files so we pick up the package metadata.
+filegroup(
+    name = "nfsiostat_py",
+    srcs = ["tools/nfs-iostat/nfs-iostat.py"],
+    visibility = ["@@//deps/nfsiostat:__pkg__"],
+)
diff --git a/deps/nfsiostat/nfsiostat.MODULE.bazel b/deps/nfsiostat/nfsiostat.MODULE.bazel
@@ -0,0 +1,15 @@
+http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+VERSION = "2.1.1"
+
+http_archive(
+    name = "nfsiostat",
+    files = {
+        "BUILD.bazel": "//deps/nfsiostat:nfsiostat.BUILD.bazel",
+    },
+    sha256 = "381bb3f6aa4b314538db0bcfb242da855c2eb36e2059cf61aa498c0220684363",
+    strip_prefix = "nfs-utils-{version}".format(version = VERSION),
+    url = "https://mirrors.edge.kernel.org/pub/linux/utils/nfs-utils/{version}/nfs-utils-{version}.tar.gz".format(
+        version = VERSION,
+    ),
+)
diff --git a/pkg/networkconfigmanagement/profile/default_profiles/fortios.json b/pkg/networkconfigmanagement/profile/default_profiles/fortios.json
@@ -0,0 +1,52 @@
+{
+  "commands": [
+    {
+      "type": "running",
+      "values": [
+        "show full-configuration"
+      ],
+      "processing_rules": {
+        "validation": [
+          {
+            "type": "valid_output",
+            "pattern": "config (system|global|vdom)"
+          }
+        ],
+        "redaction": [
+          {
+            "regex": "^(#private-encryption-key=).+",
+            "replacement": "$1 <secret hidden>"
+          },
+          {
+            "regex": "(set .+ ENC) .+",
+            "replacement": "$1 <secret hidden>"
+          },
+          {
+            "regex": "(set (?:passwd|password|key|group-password|auth-password-l1|auth-password-l2|rsso|history0|history1))\\s*( ENC)? .+",
+            "replacement": "$1$2 <secret hidden>"
+          },
+          {
+            "regex": "(set md5-key [0-9]+) .+",
+            "replacement": "$1 <secret hidden>"
+          },
+          {
+            "regex": "(?s)(set private-key ).*?-+END (ENCRYPTED|RSA|OPENSSH) PRIVATE KEY-+\\n?\"$",
+            "replacement": "$1<secret hidden>"
+          },
+          {
+            "regex": "(?s)(set privatekey ).*?-+END (ENCRYPTED|RSA|OPENSSH) PRIVATE KEY-+\\n?\"$",
+            "replacement": "$1<secret hidden>"
+          },
+          {
+            "regex": "(?s)(set ca )\"-+BEGIN.*?-+END CERTIFICATE-+\"$",
+            "replacement": "$1<secret hidden>"
+          },
+          {
+            "regex": "(?s)(set csr ).*?-+END CERTIFICATE REQUEST-+\"$",
+            "replacement": "$1<secret hidden>"
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/pkg/networkconfigmanagement/profile/default_profiles_test.go b/pkg/networkconfigmanagement/profile/default_profiles_test.go
@@ -78,6 +78,12 @@ func Test_DefaultProfiles_Running(t *testing.T) {
 			fixture:                   loadFixture("eos", Running),
 			expectedExtractedMetadata: &ExtractedMetadata{},
 		},
+		{
+			name:                      "fortios",
+			profile:                   DefaultProfile("fortios"),
+			fixture:                   loadFixture("fortios", Running),
+			expectedExtractedMetadata: &ExtractedMetadata{},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
diff --git a/pkg/networkconfigmanagement/profile/fixtures/fortios/running/expected.txt b/pkg/networkconfigmanagement/profile/fixtures/fortios/running/expected.txt
@@ -0,0 +1,71 @@
+config system global
+    set admin-restrict-local enable
+    set alias "FortiGate-91G"
+    set hostname "TEST-FW1234"
+    set lldp-reception enable
+    set lldp-transmission enable
+    set switch-controller enable
+    set timezone "Europe/Berlin"
+    set virtual-switch-vlan enable
+end
+config system interface
+    edit "wan1"
+        set vdom "root"
+        set ip 192.0.2.2 255.255.255.240
+        set allowaccess ping https ssh snmp http fgfm ftm
+        set type physical
+        set alias "outside"
+        set monitor-bandwidth enable
+        set role wan
+        set snmp-index 1
+        set speed 10000auto
+    next
+end
+config system admin
+    edit "oxidized"
+        set trusthost1 192.0.2.0 255.255.255.0
+        set accprofile "super_admin"
+        set vdom "root"
+        set password ENC <secret hidden>
+    next
+end
+config system snmp user
+    edit "snmpuser"
+        set notify-hosts 192.0.2.10 192.0.2.11
+        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ips-signature av-virus av-oversize av-pattern av-fragmented fm-if-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert faz-disconnect device-new per-cpu-high
+        set security-level auth-priv
+        set auth-pwd ENC <secret hidden>
+        set priv-pwd ENC <secret hidden>
+    next
+end
+config vpn certificate local
+    edit "Fortinet_CA_SSL"
+        set password ENC <secret hidden>
+        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
+        set range global
+        set source factory
+    next
+  end
+config user tacacs+
+    edit "tacacs-server-name"
+        set server "192.0.2.19"
+        set secondary-server "192.0.2.20"
+        set key ENC <secret hidden>
+        set secondary-key ENC <secret hidden>
+        set authorization enable
+    next
+end
+config firewall ssh local-key
+    edit "Fortinet_SSH_RSA2048"
+        set password ENC <secret hidden>
+        set source built-in
+    next
+end
+config firewall ssh local-ca
+    edit "Fortinet_SSH_CA"
+        set password ENC <secret hidden>
+        set source built-in
+    next
+end
+config router multicast
+end
diff --git a/pkg/networkconfigmanagement/profile/fixtures/fortios/running/initial.txt b/pkg/networkconfigmanagement/profile/fixtures/fortios/running/initial.txt
@@ -0,0 +1,75 @@
+#config-version=FGT91G-7.4.7-FW-build2731-250120:opmode=1:vdom=0:user=TACACS-USER
+#conf_file_ver=<stripped>
+#buildno=2731
+#global_vdom=1
+config system global
+    set admin-restrict-local enable
+    set alias "FortiGate-91G"
+    set hostname "TEST-FW1234"
+    set lldp-reception enable
+    set lldp-transmission enable
+    set switch-controller enable
+    set timezone "Europe/Berlin"
+    set virtual-switch-vlan enable
+end
+config system interface
+    edit "wan1"
+        set vdom "root"
+        set ip 192.0.2.2 255.255.255.240
+        set allowaccess ping https ssh snmp http fgfm ftm
+        set type physical
+        set alias "outside"
+        set monitor-bandwidth enable
+        set role wan
+        set snmp-index 1
+        set speed 10000auto
+    next
+end
+config system admin
+    edit "oxidized"
+        set trusthost1 192.0.2.0 255.255.255.0
+        set accprofile "super_admin"
+        set vdom "root"
+        set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+    next
+end
+config system snmp user
+    edit "snmpuser"
+        set notify-hosts 192.0.2.10 192.0.2.11
+        set events cpu-high mem-low log-full intf-ip vpn-tun-up vpn-tun-down ips-signature av-virus av-oversize av-pattern av-fragmented fm-if-change av-conserve av-bypass av-oversize-passed av-oversize-blocked ips-pkg-update ips-fail-open temperature-high voltage-alert faz-disconnect device-new per-cpu-high
+        set security-level auth-priv
+        set auth-pwd ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set priv-pwd ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+    next
+end
+config vpn certificate local
+    edit "Fortinet_CA_SSL"
+        set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set comments "This is the default CA certificate the SSL Inspection will use when generating new server certificates."
+        set range global
+        set source factory
+    next
+  end
+config user tacacs+
+    edit "tacacs-server-name"
+        set server "192.0.2.19"
+        set secondary-server "192.0.2.20"
+        set key ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set secondary-key ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set authorization enable
+    next
+end
+config firewall ssh local-key
+    edit "Fortinet_SSH_RSA2048"
+        set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set source built-in
+    next
+end
+config firewall ssh local-ca
+    edit "Fortinet_SSH_CA"
+        set password ENC AAAAAAAAAABBBBBBBBBBCCCCCCCCCC
+        set source built-in
+    next
+end
+config router multicast
+end
diff --git a/pkg/serializer/internal/metrics/pipeline.go b/pkg/serializer/internal/metrics/pipeline.go
@@ -11,8 +11,6 @@ import (
 	"slices"
 	"strconv"
 
-	"github.com/google/uuid"
-
 	"github.com/DataDog/datadog-agent/comp/forwarder/defaultforwarder/resolver"
 	"github.com/DataDog/datadog-agent/comp/forwarder/defaultforwarder/transaction"
 )
@@ -75,21 +73,16 @@ type PipelineConfig struct {
 
 // PipelineDestination describes how to deliver a payload to the intake.
 type PipelineDestination struct {
-	Resolver             resolver.DomainResolver
-	Endpoint             transaction.Endpoint
-	AddValidationHeaders bool
+	Resolver          resolver.DomainResolver
+	Endpoint          transaction.Endpoint
+	ValidationBatchID string
 }
 
 type forwarder interface {
 	SubmitTransaction(*transaction.HTTPTransaction) error
 }
 
 func (dest *PipelineDestination) send(payloads transaction.BytesPayloads, forwarder forwarder, headers http.Header) error {
-	batchID, err := dest.maybeMakeBatchID()
-	if err != nil {
-		return err
-	}
-
 	domain := dest.Resolver.Resolve(dest.Endpoint)
 	for _, auth := range dest.Resolver.GetAuthorizers() {
 		for seq, payload := range payloads {
@@ -100,8 +93,8 @@ func (dest *PipelineDestination) send(payloads transaction.BytesPayloads, forwar
 			for key := range headers {
 				txn.Headers.Set(key, headers.Get(key))
 			}
-			if dest.AddValidationHeaders {
-				txn.Headers.Set("X-Metrics-Request-ID", batchID)
+			if dest.ValidationBatchID != "" {
+				txn.Headers.Set("X-Metrics-Request-ID", dest.ValidationBatchID)
 				txn.Headers.Set("X-Metrics-Request-Seq", strconv.Itoa(seq))
 				txn.Headers.Set("X-Metrics-Request-Len", strconv.Itoa(len(payloads)))
 			}
@@ -116,17 +109,6 @@ func (dest *PipelineDestination) send(payloads transaction.BytesPayloads, forwar
 	return nil
 }
 
-func (dest *PipelineDestination) maybeMakeBatchID() (string, error) {
-	if dest.AddValidationHeaders {
-		uuid, err := uuid.NewV7()
-		if err != nil {
-			return "", err
-		}
-		return uuid.String(), nil
-	}
-	return "", nil
-}
-
 // PipelineContext holds information needed during and after pipeline execution.
 type PipelineContext struct {
 	Destinations []PipelineDestination
diff --git a/pkg/serializer/internal/metrics/pipeline_test.go b/pkg/serializer/internal/metrics/pipeline_test.go
diff --git a/pkg/serializer/metrics.go b/pkg/serializer/metrics.go
diff --git a/pkg/serializer/metrics_test.go b/pkg/serializer/metrics_test.go
diff --git a/releasenotes/notes/netflow-hotfix-event-submissions-431aca71ec50928e.yaml b/releasenotes/notes/netflow-hotfix-event-submissions-431aca71ec50928e.yaml
