llbsolver: add systemusage samples to provenance attestation

Signed-off-by: Tonis Tiigi <[email protected]>

Author: tonistiigi

executor/resources/monitor.go

@@ -31,6 +31,7 @@ type cgroupRecord struct {
 	once         sync.Once
 	ns           string
 	sampler      *Sub[*types.Sample]
+	closeSampler func() error
 	samples      []*types.Sample
 	err          error
 	done         chan struct{}
@@ -52,6 +53,7 @@ func (r *cgroupRecord) Start() {
 	}
 	s := NewSampler(2*time.Second, r.sample)
 	r.sampler = s.Record()
+	r.closeSampler = s.Close
 }
 
 func (r *cgroupRecord) CloseAsync(next func(context.Context) error) error {
@@ -79,6 +81,7 @@ func (r *cgroupRecord) close() {
 		} else {
 			r.samples = s
 		}
+		r.closeSampler()
 
 		if r.startCPUStat != nil {
 			stat, err := r.monitor.proc.Stat()
@@ -98,7 +101,6 @@ func (r *cgroupRecord) close() {
 				r.sysCPUStat = cpu
 			}
 		}
-
 	})
 }
 

executor/resources/sampler.go

@@ -84,7 +84,7 @@ func (s *Sampler[T]) Record() *Sub[T] {
 }
 
 func (s *Sampler[T]) run() {
-	ticker := time.NewTicker(s.minInterval)
+	ticker := time.NewTimer(s.minInterval)
 	for {
 		select {
 		case <-s.done:
@@ -102,6 +102,10 @@ func (s *Sampler[T]) run() {
 				active = append(active, ss)
 			}
 			s.mu.RUnlock()
+			ticker = time.NewTimer(s.minInterval)
+			if len(active) == 0 {
+				continue
+			}
 			value, err := s.callback(tm)
 			for _, ss := range active {
 				if err != nil {
@@ -111,7 +115,7 @@ func (s *Sampler[T]) run() {
 					ss.err = nil
 				}
 				dur := ss.last.Sub(ss.first)
-				if time.Duration(ss.interval)*10 >= dur {
+				if time.Duration(ss.interval)*10 <= dur {
 					ss.interval *= 2
 				}
 			}

executor/resources/sys.go

@@ -0,0 +1,95 @@
+package resources
+
+import (
+	"os"
+	"time"
+
+	"github.com/moby/buildkit/executor/resources/types"
+	"github.com/prometheus/procfs"
+)
+
+type SysSampler = Sub[*types.SysSample]
+
+func NewSysSampler() (*Sampler[*types.SysSample], error) {
+	procfs, err := procfs.NewDefaultFS()
+	if err != nil {
+		return nil, err
+	}
+
+	return NewSampler(2*time.Second, func(tm time.Time) (*types.SysSample, error) {
+		return sampleSys(procfs, tm)
+	}), nil
+}
+
+func sampleSys(proc procfs.FS, tm time.Time) (*types.SysSample, error) {
+	stat, err := proc.Stat()
+	if err != nil {
+		return nil, err
+	}
+
+	s := &types.SysSample{
+		Timestamp_: tm,
+	}
+
+	s.CPUStat = &types.SysCPUStat{
+		User:      stat.CPUTotal.User,
+		Nice:      stat.CPUTotal.Nice,
+		System:    stat.CPUTotal.System,
+		Idle:      stat.CPUTotal.Idle,
+		Iowait:    stat.CPUTotal.Iowait,
+		IRQ:       stat.CPUTotal.IRQ,
+		SoftIRQ:   stat.CPUTotal.SoftIRQ,
+		Steal:     stat.CPUTotal.Steal,
+		Guest:     stat.CPUTotal.Guest,
+		GuestNice: stat.CPUTotal.GuestNice,
+	}
+
+	s.ProcStat = &types.ProcStat{
+		ContextSwitches:  stat.ContextSwitches,
+		ProcessCreated:   stat.ProcessCreated,
+		ProcessesRunning: stat.ProcessesRunning,
+	}
+
+	mem, err := proc.Meminfo()
+	if err != nil {
+		return nil, err
+	}
+
+	s.MemoryStat = &types.SysMemoryStat{
+		Total:     mem.MemTotal,
+		Free:      mem.MemFree,
+		Buffers:   mem.Buffers,
+		Cached:    mem.Cached,
+		Active:    mem.Active,
+		Inactive:  mem.Inactive,
+		Swap:      mem.SwapTotal,
+		Available: mem.MemAvailable,
+		Dirty:     mem.Dirty,
+		Writeback: mem.Writeback,
+		Slab:      mem.Slab,
+	}
+
+	if _, err := os.Lstat("/proc/pressure"); err != nil {
+		return s, nil
+	}
+
+	cp, err := parsePressureFile("/proc/pressure/cpu")
+	if err != nil {
+		return nil, err
+	}
+	s.CPUPressure = cp
+
+	mp, err := parsePressureFile("/proc/pressure/memory")
+	if err != nil {
+		return nil, err
+	}
+	s.MemoryPressure = mp
+
+	ip, err := parsePressureFile("/proc/pressure/io")
+	if err != nil {
+		return nil, err
+	}
+	s.IOPressure = ip
+
+	return s, nil
+}

executor/resources/types/systypes.go

@@ -0,0 +1,72 @@
+package types
+
+import (
+	"encoding/json"
+	"math"
+	"time"
+)
+
+type SysCPUStat struct {
+	User      float64 `json:"user"`
+	Nice      float64 `json:"nice"`
+	System    float64 `json:"system"`
+	Idle      float64 `json:"idle"`
+	Iowait    float64 `json:"iowait"`
+	IRQ       float64 `json:"irq"`
+	SoftIRQ   float64 `json:"softirq"`
+	Steal     float64 `json:"steal"`
+	Guest     float64 `json:"guest"`
+	GuestNice float64 `json:"guestNice"`
+}
+
+type sysCPUStatAlias SysCPUStat // avoid recursion of MarshalJSON
+
+func (s SysCPUStat) MarshalJSON() ([]byte, error) {
+	return json.Marshal(sysCPUStatAlias{
+		User:      math.Round(s.User*1000) / 1000,
+		Nice:      math.Round(s.Nice*1000) / 1000,
+		System:    math.Round(s.System*1000) / 1000,
+		Idle:      math.Round(s.Idle*1000) / 1000,
+		Iowait:    math.Round(s.Iowait*1000) / 1000,
+		IRQ:       math.Round(s.IRQ*1000) / 1000,
+		SoftIRQ:   math.Round(s.SoftIRQ*1000) / 1000,
+		Steal:     math.Round(s.Steal*1000) / 1000,
+		Guest:     math.Round(s.Guest*1000) / 1000,
+		GuestNice: math.Round(s.GuestNice*1000) / 1000,
+	})
+}
+
+type ProcStat struct {
+	ContextSwitches  uint64 `json:"contextSwitches"`
+	ProcessCreated   uint64 `json:"processCreated"`
+	ProcessesRunning uint64 `json:"processesRunning"`
+}
+
+type SysMemoryStat struct {
+	Total     *uint64 `json:"total"`
+	Free      *uint64 `json:"free"`
+	Available *uint64 `json:"available"`
+	Buffers   *uint64 `json:"buffers"`
+	Cached    *uint64 `json:"cached"`
+	Active    *uint64 `json:"active"`
+	Inactive  *uint64 `json:"inactive"`
+	Swap      *uint64 `json:"swap"`
+	Dirty     *uint64 `json:"dirty"`
+	Writeback *uint64 `json:"writeback"`
+	Slab      *uint64 `json:"slab"`
+}
+
+type SysSample struct {
+	//nolint
+	Timestamp_     time.Time      `json:"timestamp"`
+	CPUStat        *SysCPUStat    `json:"cpuStat,omitempty"`
+	ProcStat       *ProcStat      `json:"procStat,omitempty"`
+	MemoryStat     *SysMemoryStat `json:"memoryStat,omitempty"`
+	CPUPressure    *Pressure      `json:"cpuPressure,omitempty"`
+	MemoryPressure *Pressure      `json:"memoryPressure,omitempty"`
+	IOPressure     *Pressure      `json:"ioPressure,omitempty"`
+}
+
+func (s *SysSample) Timestamp() time.Time {
+	return s.Timestamp_
+}

executor/resources/types/types.go

@@ -14,26 +14,14 @@ type Recorder interface {
 	Samples() (*Samples, error)
 }
 
-type SysCPUStat struct {
-	User      float64 `json:"user"`
-	Nice      float64 `json:"nice"`
-	System    float64 `json:"system"`
-	Idle      float64 `json:"idle"`
-	Iowait    float64 `json:"iowait"`
-	IRQ       float64 `json:"irq"`
-	SoftIRQ   float64 `json:"softirq"`
-	Steal     float64 `json:"steal"`
-	Guest     float64 `json:"guest"`
-	GuestNice float64 `json:"guestNice"`
-}
-
 type Samples struct {
 	Samples    []*Sample   `json:"samples,omitempty"`
 	SysCPUStat *SysCPUStat `json:"sysCPUStat,omitempty"`
 }
 
 // Sample represents a wrapper for sampled data of cgroupv2 controllers
 type Sample struct {
+	//nolint
 	Timestamp_ time.Time       `json:"timestamp"`
 	CPUStat    *CPUStat        `json:"cpuStat,omitempty"`
 	MemoryStat *MemoryStat     `json:"memoryStat,omitempty"`

go.mod

@@ -57,6 +57,7 @@ require (
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
 	github.com/pkg/profile v1.5.0
+	github.com/prometheus/procfs v0.9.0
 	github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spdx/tools-golang v0.5.1
@@ -146,7 +147,6 @@ require (
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.42.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect

solver/llbsolver/proc/provenance.go

@@ -6,6 +6,7 @@ import (
 	"strconv"
 
 	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	"github.com/moby/buildkit/executor/resources"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	gatewaypb "github.com/moby/buildkit/frontend/gateway/pb"
 	"github.com/moby/buildkit/solver"
@@ -15,7 +16,7 @@ import (
 )
 
 func ProvenanceProcessor(attrs map[string]string) llbsolver.Processor {
-	return func(ctx context.Context, res *llbsolver.Result, s *llbsolver.Solver, j *solver.Job) (*llbsolver.Result, error) {
+	return func(ctx context.Context, res *llbsolver.Result, s *llbsolver.Solver, j *solver.Job, usage *resources.SysSampler) (*llbsolver.Result, error) {
 		ps, err := exptypes.ParsePlatforms(res.Metadata)
 		if err != nil {
 			return nil, err
@@ -41,7 +42,7 @@ func ProvenanceProcessor(attrs map[string]string) llbsolver.Processor {
 				return nil, errors.Errorf("could not find ref %s", p.ID)
 			}
 
-			pc, err := llbsolver.NewProvenanceCreator(ctx, cp, ref, attrs, j)
+			pc, err := llbsolver.NewProvenanceCreator(ctx, cp, ref, attrs, j, usage)
 			if err != nil {
 				return nil, err
 			}

solver/llbsolver/proc/sbom.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/executor/resources"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	"github.com/moby/buildkit/frontend"
 	"github.com/moby/buildkit/frontend/attestations/sbom"
@@ -14,7 +15,7 @@ import (
 )
 
 func SBOMProcessor(scannerRef string, useCache bool) llbsolver.Processor {
-	return func(ctx context.Context, res *llbsolver.Result, s *llbsolver.Solver, j *solver.Job) (*llbsolver.Result, error) {
+	return func(ctx context.Context, res *llbsolver.Result, s *llbsolver.Solver, j *solver.Job, usage *resources.SysSampler) (*llbsolver.Result, error) {
 		// skip sbom generation if we already have an sbom
 		if sbom.HasSBOM(res.Result) {
 			return res, nil

solver/llbsolver/provenance.go

@@ -12,6 +12,7 @@ import (
 	"github.com/moby/buildkit/cache"
 	"github.com/moby/buildkit/cache/config"
 	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/executor/resources"
 	"github.com/moby/buildkit/exporter/containerimage"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	"github.com/moby/buildkit/frontend"
@@ -378,10 +379,11 @@ func captureProvenance(ctx context.Context, res solver.CachedResultWithProvenanc
 type ProvenanceCreator struct {
 	pr        *provenance.ProvenancePredicate
 	j         *solver.Job
+	sampler   *resources.SysSampler
 	addLayers func() error
 }
 
-func NewProvenanceCreator(ctx context.Context, cp *provenance.Capture, res solver.ResultProxy, attrs map[string]string, j *solver.Job) (*ProvenanceCreator, error) {
+func NewProvenanceCreator(ctx context.Context, cp *provenance.Capture, res solver.ResultProxy, attrs map[string]string, j *solver.Job, usage *resources.SysSampler) (*ProvenanceCreator, error) {
 	var reproducible bool
 	if v, ok := attrs["reproducible"]; ok {
 		b, err := strconv.ParseBool(v)
@@ -493,11 +495,15 @@ func NewProvenanceCreator(ctx context.Context, cp *provenance.Capture, res solve
 		return nil, errors.Errorf("invalid mode %q", mode)
 	}
 
-	return &ProvenanceCreator{
+	pc := &ProvenanceCreator{
 		pr:        pr,
 		j:         j,
 		addLayers: addLayers,
-	}, nil
+	}
+	if withUsage {
+		pc.sampler = usage
+	}
+	return pc, nil
 }
 
 func (p *ProvenanceCreator) Predicate() (*provenance.ProvenancePredicate, error) {
@@ -510,6 +516,14 @@ func (p *ProvenanceCreator) Predicate() (*provenance.ProvenancePredicate, error)
 		}
 	}
 
+	if p.sampler != nil {
+		sysSamples, err := p.sampler.Close(true)
+		if err != nil {
+			return nil, err
+		}
+		p.pr.Metadata.BuildKitMetadata.SysUsage = sysSamples
+	}
+
 	return p.pr, nil
 }
 

solver/llbsolver/provenance/predicate.go

@@ -6,6 +6,7 @@ import (
 	"github.com/containerd/containerd/platforms"
 	slsa "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/common"
 	slsa02 "github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v0.2"
+	resourcetypes "github.com/moby/buildkit/executor/resources/types"
 	"github.com/moby/buildkit/util/purl"
 	"github.com/moby/buildkit/util/urlutil"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
@@ -50,9 +51,10 @@ type ProvenanceMetadata struct {
 }
 
 type BuildKitMetadata struct {
-	VCS    map[string]string                  `json:"vcs,omitempty"`
-	Source *Source                            `json:"source,omitempty"`
-	Layers map[string][][]ocispecs.Descriptor `json:"layers,omitempty"`
+	VCS      map[string]string                  `json:"vcs,omitempty"`
+	Source   *Source                            `json:"source,omitempty"`
+	Layers   map[string][][]ocispecs.Descriptor `json:"layers,omitempty"`
+	SysUsage []*resourcetypes.SysSample         `json:"sysUsage,omitempty"`
 }
 
 func slsaMaterials(srcs Sources) ([]slsa.ProvenanceMaterial, error) {