corgid: add upload application-inventory #910
sky1122 wants to merge 1 commit into bottlerocket-os:develop from
force pushed to fix the clippy (1a6e780 to abbf248)
force pushed to add that a user cannot manually start the corgid systemd service, and systemd retry.
| # Retry on failure since manual restart is refused. This covers transient issues | ||
| # such as IMDS warmup, network not fully settled, or temporary API errors that | ||
| # outlast the in-binary retry window (~7s of exponential backoff per attempt). | ||
| # 3 attempts at 30s intervals covers a ~90s window, sufficient for transient | ||
| # infrastructure issues. After 3 failures within 5 minutes, systemd stops | ||
| # retrying to avoid hammering on persistent errors (e.g. missing IAM role). |
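Review bot: this comment block hard-codes the retry numbers (3 attempts, 30s spacing, a 5-minute window) that the Restart=/RestartSec=/StartLimitBurst=/StartLimitIntervalSec= directives carrying the actual policy (not part of this snippet) are the source of truth for, so the prose will drift the first time someone tunes a directive. Keep the comment to the rationale, i.e. transient IMDS/network errors outlive the ~7s in-binary backoff and manual restart is refused, and let the directives state the numbers.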
| # Retry on failure since manual restart is refused. This covers transient issues | |
| # such as IMDS warmup, network not fully settled, or temporary API errors that | |
| # outlast the in-binary retry window (~7s of exponential backoff per attempt). | |
| # 3 attempts at 30s intervals covers a ~90s window, sufficient for transient | |
| # infrastructure issues. After 3 failures within 5 minutes, systemd stops | |
| # retrying to avoid hammering on persistent errors (e.g. missing IAM role). | |
| # Retry transient issues on failure since manual restart is refused. |
nit but I don't think this level of detail is needed
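For reference, this is what the retry policy described in that comment looks like expressed as systemd directives. It is an added illustration written for this review, not the unit file from the PR: the values (30s between attempts, 3 attempts, 5-minute window) come from the comment above, the oneshot type and the refused manual start from the PR description and the force-push note, while the unit name, the ordering on network-online.target and the ExecStart path are assumptions.

```ini
# Illustrative corgid.service (added example, not the PR's unit file).
[Unit]
Description=Send Bottlerocket package inventory to Amazon Inspector (corgid)
# Credentials come from IMDS and the SBOM leaves over the network, so wait
# for networking. The exact ordering target is an assumption here.
After=network-online.target
Wants=network-online.target
# The agent is driven by the boot sequence only; operators cannot start or
# stop it by hand, so `systemctl restart corgid` is refused as well, which
# is why systemd rather than the operator has to own the retries.
RefuseManualStart=true
RefuseManualStop=true
# Start rate limiting lives in [Unit]: at most 3 start attempts in any
# 5-minute window. Past that the unit goes to the failed state instead of
# hammering a persistent error such as a missing IAM role.
StartLimitIntervalSec=300
StartLimitBurst=3

[Service]
Type=oneshot
# Binary path is an assumption for the example.
ExecStart=/usr/bin/corgid
# Retry only on a non-zero exit. on-failure is one of the Restart= values
# systemd accepts for Type=oneshot units (always/on-success are rejected).
Restart=on-failure
# 30s between attempts; with StartLimitBurst=3 that is a ~90s retry window.
RestartSec=30

[Install]
WantedBy=multi-user.target
```

With the unit loaded, `systemctl show corgid.service | grep -E 'Restart|StartLimit'` prints the effective values, which is the check that the directives, rather than a comment, are what a reviewer should compare against the intended policy.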
| Source123: pluto.service | ||
| Source124: bootstrap-commands.service | ||
| Source125: whippet.service | ||
| Source127: corgid.service |
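Review bot: the Source numbering jumps from Source125 to Source127; unless Source126 is already claimed elsewhere in the spec, corgid.service should be Source126 so the list stays contiguous and the gap does not look like a dropped file.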
| const BASE64_CHARS: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; | ||
| fn base64_encode(data: &[u8]) -> String { |
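Review bot: a hand-rolled encoder, and the matching decoder this hunk implies, needs its own coverage for padding and for rejecting bytes outside BASE64_CHARS, and none of that is visible here; the `base64` crate's Engine API already handles both, which matters when the result feeds SigV4-signed requests where a lenient decode silently produces a different signature. If there is a reason not to take the dependency (build-time constraints in the cross-compiled packages, for instance), state it in a comment on the const.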
Why are we handrolling b64 encode/decode instead of using https://crates.io/crates/base64 ?
| Requires: (%{_cross_os}pluto if %{_cross_os}variant-family(aws-k8s)) | ||
| Requires: (%{_cross_os}shibaken if %{_cross_os}variant-platform(aws)) | ||
| Requires: (%{_cross_os}cfsignal if %{_cross_os}variant-platform(aws)) | ||
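Review bot: corgid relies on IMDS for credentials (per the PR description), so it belongs behind the same `variant-platform(aws)` conditional as shibaken and cfsignal in this hunk rather than the `variant-family(aws-k8s)` gate used for pluto, otherwise the package is pulled into non-aws variants such as vmware where it cannot obtain credentials. Mirror the existing line: `Requires: (%{_cross_os}corgid if %{_cross_os}variant-platform(aws))`.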
We can't install this on vmware variants, you need to add
Requires: (%{_cross_os}corgid if %{_cross_os}variant-platform(aws))
Will add this package in the variant package.
I have been told to add it into the variant package rather than here. But I think you are right: if the reason is to not install on vmware, this line is better here than in the variant definition. Thanks!
| use std::fs; | ||
| use uuid::Uuid; | ||
| /// Host and IMDS metadata for SBOM properties |
This is the only doc comment in the added corgid package. There are almost 0 additional comments in actual logic for corgid. Please add more comments and doc comments to this change.
Add the corgid agent for collecting and sending host vulnerability scan telemetry to the inspector2-telemetry service. This includes SIGv4-signed API calls for session management and SBOM submission, IMDS-based credential retrieval, package inventory collection, and a systemd service unit for integration with the OS.

Signed-off-by: Jingwei Wang <jweiw@amazon.com>
Description of changes:
Add corgid, a new Rust binary that runs as a oneshot systemd service on boot to send Bottlerocket's package inventory
to the Amazon Inspector telemetry API as a CycloneDX 1.5 SBOM.
Testing done:
Built the variant and checked the corgid service.
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.