Merge branch 'main' into aiuto/curl

Author: aiuto

comp/privateactionrunner/impl/privateactionrunner.go

@@ -48,7 +48,7 @@ type Provides struct {
 	Comp privateactionrunner.Component
 }
 
-type privateactionrunnerImpl struct {
+type PrivateActionRunner struct {
 	workflowRunner *runners.WorkflowRunner
 	commonRunner   *runners.CommonRunner
 	drain          func()
@@ -61,60 +61,73 @@ func NewComponent(reqs Requires) (Provides, error) {
 		reqs.Log.Info("private-action-runner is not enabled. Set privateactionrunner.enabled: true in your datadog.yaml file or set the environment variable DD_PRIVATEACTIONRUNNER_ENABLED=true.")
 		return Provides{}, privateactionrunner.ErrNotEnabled
 	}
-	persistedIdentity, err := enrollment.GetIdentityFromPreviousEnrollment(reqs.Config)
+
+	runner, err := NewPrivateActionRunner(ctx, reqs.Config, reqs.Hostname, reqs.RcClient, reqs.Log)
+	if err != nil {
+		return Provides{}, err
+	}
+	reqs.Lifecycle.Append(compdef.Hook{
+		OnStart: runner.Start,
+		OnStop:  runner.Stop,
+	})
+	return Provides{Comp: runner}, nil
+}
+
+func NewPrivateActionRunner(
+	ctx context.Context,
+	coreConfig model.ReaderWriter,
+	hostnameGetter hostnameinterface.Component,
+	rcClient rcclient.Component,
+	logger log.Component,
+) (*PrivateActionRunner, error) {
+	persistedIdentity, err := enrollment.GetIdentityFromPreviousEnrollment(coreConfig)
 	if err != nil {
-		return Provides{}, fmt.Errorf("self-enrollment failed: %w", err)
+		return nil, fmt.Errorf("self-enrollment failed: %w", err)
 	}
 	if persistedIdentity != nil {
-		reqs.Config.Set("privateactionrunner.private_key", persistedIdentity.PrivateKey, model.SourceAgentRuntime)
-		reqs.Config.Set("privateactionrunner.urn", persistedIdentity.URN, model.SourceAgentRuntime)
+		coreConfig.Set("privateactionrunner.private_key", persistedIdentity.PrivateKey, model.SourceAgentRuntime)
+		coreConfig.Set("privateactionrunner.urn", persistedIdentity.URN, model.SourceAgentRuntime)
 	}
 
-	cfg, err := parconfig.FromDDConfig(reqs.Config)
+	cfg, err := parconfig.FromDDConfig(coreConfig)
 	if err != nil {
-		return Provides{}, err
+		return nil, err
 	}
 
-	canSelfEnroll := reqs.Config.GetBool("privateactionrunner.self_enroll")
+	canSelfEnroll := coreConfig.GetBool("privateactionrunner.self_enroll")
 	if cfg.IdentityIsIncomplete() && canSelfEnroll {
-		reqs.Log.Info("Identity not found and self-enrollment enabled. Self-enrolling private action runner")
-		updatedCfg, err := performSelfEnrollment(ctx, reqs.Log, reqs.Config, reqs.Hostname, cfg)
+		logger.Info("Identity not found and self-enrollment enabled. Self-enrolling private action runner")
+		updatedCfg, err := performSelfEnrollment(ctx, logger, coreConfig, hostnameGetter, cfg)
 		if err != nil {
-			return Provides{}, fmt.Errorf("self-enrollment failed: %w", err)
+			return nil, fmt.Errorf("self-enrollment failed: %w", err)
 		}
-		reqs.Config.Set("privateactionrunner.private_key", updatedCfg.PrivateKey, model.SourceAgentRuntime)
-		reqs.Config.Set("privateactionrunner.urn", updatedCfg.Urn, model.SourceAgentRuntime)
+		coreConfig.Set("privateactionrunner.private_key", updatedCfg.PrivateKey, model.SourceAgentRuntime)
+		coreConfig.Set("privateactionrunner.urn", updatedCfg.Urn, model.SourceAgentRuntime)
 		cfg = updatedCfg
 	} else if cfg.IdentityIsIncomplete() {
-		return Provides{}, errors.New("identity not found and self-enrollment disabled. Please provide a valid URN and private key")
+		return nil, errors.New("identity not found and self-enrollment disabled. Please provide a valid URN and private key")
 	}
-	reqs.Log.Info("Private action runner starting")
-	reqs.Log.Info("==> Version : " + parversion.RunnerVersion)
-	reqs.Log.Info("==> Site : " + cfg.DatadogSite)
-	reqs.Log.Info("==> URN : " + cfg.Urn)
+	logger.Info("Private action runner starting")
+	logger.Info("==> Version : " + parversion.RunnerVersion)
+	logger.Info("==> Site : " + cfg.DatadogSite)
+	logger.Info("==> URN : " + cfg.Urn)
 
-	keysManager := taskverifier.NewKeyManager(reqs.RcClient)
+	keysManager := taskverifier.NewKeyManager(rcClient)
 	taskVerifier := taskverifier.NewTaskVerifier(keysManager, cfg)
 	opmsClient := opms.NewClient(cfg)
 
 	r, err := runners.NewWorkflowRunner(cfg, keysManager, taskVerifier, opmsClient)
 	if err != nil {
-		return Provides{}, err
+		return nil, err
 	}
-	runner := &privateactionrunnerImpl{
+	runner := &PrivateActionRunner{
 		workflowRunner: r,
 		commonRunner:   runners.NewCommonRunner(cfg),
 	}
-	reqs.Lifecycle.Append(compdef.Hook{
-		OnStart: runner.Start,
-		OnStop:  runner.Stop,
-	})
-	return Provides{
-		Comp: runner,
-	}, nil
+	return runner, nil
 }
 
-func (p *privateactionrunnerImpl) Start(_ context.Context) error {
+func (p *PrivateActionRunner) Start(_ context.Context) error {
 	// Use background context to avoid inheriting any deadlines from component lifecycle which stop the PAR loop
 	ctx, cancel := context.WithCancel(context.Background())
 	p.drain = cancel
@@ -125,7 +138,7 @@ func (p *privateactionrunnerImpl) Start(_ context.Context) error {
 	return p.workflowRunner.Start(ctx)
 }
 
-func (p *privateactionrunnerImpl) Stop(ctx context.Context) error {
+func (p *PrivateActionRunner) Stop(ctx context.Context) error {
 	err := p.workflowRunner.Stop(ctx)
 	if err != nil {
 		return err

omnibus/config/software/curl.rb

@@ -20,7 +20,6 @@
 
 dependency "zlib"
 dependency "openssl3"
-dependency "nghttp2"
 source url:    "https://curl.haxx.se/download/curl-#{version}.tar.gz",
        sha256: "e9274a5f8ab5271c0e0e6762d2fce194d5f98acc568e4ce816845b2dcc0cf88f"
 
@@ -31,6 +30,10 @@
   license_file "https://raw.githubusercontent.com/bagder/curl/master/COPYING"
   env = with_standard_compiler_flags(with_embedded_path)
 
+  command_on_repo_root "bazelisk run -- @nghttp2//:install --verbose --destdir='#{install_dir}'"
+  command_on_repo_root "bazelisk run -- @nghttp2//:install_pc --destdir='/'"
+  # nghttp2 is at the bottom. It does not need rpath rewriting.
+
   configure_options = [
            "--disable-manual",
            "--disable-debug",

omnibus/config/software/nghttp2.rb

@@ -1 +1 @@
-{"signed":{"_type":"root","spec_version":"1.0","version":1,"expires":"0001-01-01T00:00:00Z","keys":{"1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10":{"keytype":"ecdsa","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUDdWZozMy6DojzrxkhevLhLzom0E\nnW0C7JWPXgnoL58OHhqDTHhkiUP5H3+fGdVKZ33Vca686aWWSwZUY6xSRQ==\n-----END PUBLIC KEY-----\n"}},"3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835":{"keytype":"ecdsa","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE/Evc+4Qx1yPwe0SyvP52C9z8inY\ncTH0eCXHRu+mzShDx7Ne8gyA/vU696i9jcc4pfsOwo1WpIkJsXuqP0jG6A==\n-----END PUBLIC KEY-----\n"}}},"roles":{"root":{"keyids":["1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835"],"threshold":2},"snapshot":{"keyids":["1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835"],"threshold":2},"targets":{"keyids":["1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835"],"threshold":2},"timestamp":{"keyids":["1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835"],"threshold":2}},"consistent_snapshot":true},"signatures":[{"keyid":"1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","sig":"3045022016088517105a41506c4465e636483b2eb782d03322da78273a28dd427f2acc78022100cfd965ae1e32c86761d6256a67708e5808f3f98413976373febe23bfefec8da1"},{"keyid":"3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835","sig":"3045022007f880ebf48676740f6cb9d216c91e0f51427ef9f44a73f4a7de8da6e4b4b53d022100b0f87441a0761422d7ac57582215d9570de78a0c30dd86479accedf7a00a6a1b"}]}
+{"signed":{"_type":"root","spec_version":"1.0","version":3,"expires":"2026-10-31T17:00:00Z","keys":{"1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10":{"keytype":"ecdsa","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEUDdWZozMy6DojzrxkhevLhLzom0E\nnW0C7JWPXgnoL58OHhqDTHhkiUP5H3+fGdVKZ33Vca686aWWSwZUY6xSRQ==\n-----END PUBLIC KEY-----\n"}},"3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835":{"keytype":"ecdsa","scheme":"ecdsa-sha2-nistp256","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE/Evc+4Qx1yPwe0SyvP52C9z8inY\ncTH0eCXHRu+mzShDx7Ne8gyA/vU696i9jcc4pfsOwo1WpIkJsXuqP0jG6A==\n-----END PUBLIC KEY-----\n"}}},"roles":{"root":{"keyids":["1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835"],"threshold":2},"snapshot":{"keyids":["1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835"],"threshold":2},"targets":{"keyids":["1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835"],"threshold":2},"timestamp":{"keyids":["1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835"],"threshold":2}},"consistent_snapshot":true},"signatures":[{"keyid":"1bd43b99872bee114b2b1c33cff7afbdb8ccfc799751aaa11c2336f3540d1c10","sig":"3045022100d31c2a8767706ebe22b9bc2592e18fe4067ac430cf77dc92bca781b120338db1022050fe0ebb8a47abe9b4cc25384f288a046e33f959dd46acc449fe8eb3581d776e"},{"keyid":"3360f9a30c063542b2d193fe01854ea3b7ae92c641812b97ce01180bf150c835","sig":"304502205d9d39c9b04ee047addd2d72a06d129fda1a81c23e5044d8009e054f6cf2e7fa0221009586e2a872bb68fc508b0667a59ed110276f2cf7840de968ca9a9b3643dcdf81"}]}

pkg/config/remote/meta/gov.director.json

@@ -9,6 +9,7 @@ import (
 	"context"
 	"fmt"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
 
@@ -525,6 +526,62 @@ func (s *BaseSuite) collectxperf() {
 	}
 }
 
+// startProcdump sets up procdump and starts it in the background.
+func (s *BaseSuite) startProcdump() *windowscommon.ProcdumpSession {
+	host := s.Env().RemoteHost
+
+	// Setup procdump on remote host
+	s.T().Log("Setting up procdump on remote host")
+	err := windowscommon.SetupProcdump(host)
+	s.Require().NoError(err, "should setup procdump")
+
+	// Start procdump
+	ps, err := windowscommon.StartProcdump(host, "agent.exe")
+	s.Require().NoError(err, "should start procdump")
+
+	return ps
+}
+
+// collectProcdumps stops procdump and downloads any captured dumps if the test failed.
+func (s *BaseSuite) collectProcdumps(ps *windowscommon.ProcdumpSession) {
+	// Only collect dumps if the test failed
+	if !s.T().Failed() {
+		ps.Close()
+		return
+	}
+
+	host := s.Env().RemoteHost
+
+	// Wait for procdump to finish writing dump files BEFORE closing the session.
+	// Procdump is configured to capture 5 dumps, so wait until all 5 are created.
+	expectedDumpCount := 5
+	s.T().Logf("Waiting for procdump to create %d dump files...", expectedDumpCount)
+	deadline := time.Now().Add(120 * time.Second)
+	for time.Now().Before(deadline) {
+		output, err := host.Execute(fmt.Sprintf(`(Get-ChildItem -Path '%s' -Filter '*.dmp' -ErrorAction SilentlyContinue | Measure-Object).Count`, windowscommon.ProcdumpsPath))
+		if err == nil {
+			countStr := strings.TrimSpace(output)
+			count, parseErr := strconv.Atoi(countStr)
+			if parseErr == nil && count >= expectedDumpCount {
+				s.T().Logf("All %d dump files ready", count)
+				break
+			}
+			s.T().Logf("Found %s dump files, waiting for %d...", countStr, expectedDumpCount)
+		}
+		time.Sleep(5 * time.Second)
+	}
+
+	ps.Close()
+
+	// Download all dump files
+	outDir := s.SessionOutputDir()
+	if err := host.GetFolder(windowscommon.ProcdumpsPath, outDir); err != nil {
+		s.T().Logf("Warning: failed to download dump %s: %v", windowscommon.ProcdumpsPath, err)
+	} else {
+		s.T().Logf("Downloaded procdumps to: %s", outDir)
+	}
+}
+
 // InstallWithXperf installs the MSI with xperf tracing to diagnose service startup issues.
 // This wraps the MSI installation with performance tracing and service status checking.
 //
@@ -553,6 +610,34 @@ func (s *BaseSuite) InstallWithXperf(opts ...MsiOption) {
 	s.T().Log("MSI installation and service startup completed successfully")
 }
 
+// InstallWithDiagnostics installs the MSI with comprehensive diagnostics collection:
+// - xperf tracing for system-wide performance analysis
+// - procdump collection to capture agent memory dump if it crashes during startup
+func (s *BaseSuite) InstallWithDiagnostics(opts ...MsiOption) {
+	s.T().Helper()
+
+	// Start xperf tracing
+	s.T().Log("Starting xperf tracing")
+	s.startxperf()
+	defer s.collectxperf()
+
+	// Start procdump in background to capture crash dumps
+	s.T().Log("Starting procdump")
+	ps := s.startProcdump()
+	defer s.collectProcdumps(ps)
+
+	// Proceed with installation
+	s.T().Log("Installing MSI")
+	err := s.Installer().Install(opts...)
+	s.Require().NoError(err, "MSI installation failed")
+
+	// Wait for service to be running
+	s.T().Log("Checking agent service status after MSI installation")
+	err = s.WaitForAgentService("Running")
+	s.Require().NoError(err, "Agent service status check failed")
+	s.T().Log("MSI installation and service startup completed successfully")
+}
+
 // MustStartExperimentCurrentVersion start an experiment with current version of the Agent
 func (s *BaseSuite) MustStartExperimentCurrentVersion() {
 	s.T().Helper()

test/new-e2e/tests/installer/windows/base_suite.go

@@ -616,7 +616,7 @@ func (s *testAgentUpgradeSuite) installPreviousAgentVersion(opts ...installerwin
 		installerwindows.WithMSILogFile("install-previous-version.log"),
 	}
 	options = append(options, opts...)
-	s.InstallWithXperf(options...)
+	s.InstallWithDiagnostics(options...)
 
 	// sanity check: make sure we did indeed install the stable version
 	s.Require().Host(s.Env().RemoteHost).
@@ -635,7 +635,7 @@ func (s *testAgentUpgradeSuite) installCurrentAgentVersion(opts ...installerwind
 		installerwindows.WithMSILogFile("install-current-version.log"),
 	}
 	options = append(options, opts...)
-	s.InstallWithXperf(options...)
+	s.InstallWithDiagnostics(options...)
 
 	// sanity check: make sure we did indeed install the stable version
 	s.Require().Host(s.Env().RemoteHost).

test/new-e2e/tests/installer/windows/suites/agent-package/upgrade_test.go

@@ -26,7 +26,7 @@ func (s *baseInstallerPackageSuite) freshInstall() {
 	// Arrange
 
 	// Act
-	s.InstallWithXperf(
+	s.InstallWithDiagnostics(
 		installerwindows.WithMSILogFile("fresh-install.log"),
 	)
 

test/new-e2e/tests/installer/windows/suites/installer-package/base_installer_package_suite.go

@@ -101,7 +101,7 @@ func (s *testInstallerSuite) installWithExistingConfigFile(logFilename string) {
 	// Arrange
 
 	// Act
-	s.InstallWithXperf(
+	s.InstallWithDiagnostics(
 		installerwindows.WithMSILogFile(logFilename),
 	)
 
@@ -116,7 +116,7 @@ func (s *testInstallerSuite) repair() {
 	s.Require().NoError(s.Env().RemoteHost.Remove(consts.BinaryPath))
 
 	// Act
-	s.InstallWithXperf(
+	s.InstallWithDiagnostics(
 		installerwindows.WithMSILogFile("repair.log"),
 	)