Fixing telegraf vulnerability (#716)

microsoft · Mar 1, 2022 · ec3d2ef · ec3d2ef
1 parent 7389a1b
commit ec3d2ef
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 67 deletions.
diff --git a/kubernetes/linux/setup.sh b/kubernetes/linux/setup.sh
@@ -35,7 +35,7 @@ tar -zxvf telegraf-1.20.3_linux_amd64.tar.gz
 
 mv /opt/telegraf-1.20.3/usr/bin/telegraf /opt/telegraf
 
-chmod 777 /opt/telegraf
+chmod 544 /opt/telegraf
 
 # Use wildcard version so that it doesnt require to touch this file
 /$TMPDIR/docker-cimprov-*.*.*-*.x86_64.sh --install

diff --git a/kubernetes/omsagent.yaml b/kubernetes/omsagent.yaml
@@ -453,65 +453,65 @@ spec:
             periodSeconds: 60
             timeoutSeconds: 15
 #Only in sidecar scraping mode
-        # - name: omsagent-prometheus
-        #   image: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:ciprod01312022"
-        #   imagePullPolicy: IfNotPresent
-        #   resources:
-        #     limits:
-        #       cpu: 500m
-        #       memory: 1Gi
-        #     requests:
-        #       cpu: 75m
-        #       memory: 225Mi
-        #   env:
-        #     # azure devops pipeline uses AKS_RESOURCE_ID and AKS_REGION hence ensure to uncomment these
-        #     - name: AKS_CLUSTER_NAME
-        #       value: "VALUE_AKS_CLUSTER_NAME"
-        #     - name: AKS_RESOURCE_ID
-        #       value: "VALUE_AKS_RESOURCE_ID_VALUE"
-        #     - name: AKS_REGION
-        #       value: "VALUE_AKS_RESOURCE_REGION_VALUE"
-        #     - name: AKS_NODE_RESOURCE_GROUP
-        #       value: "VALUE_AKS_NODE_RESOURCE_GROUP"
-        #     #Uncomment below two lines for ACS clusters and set the cluster names manually. Also comment out the above two lines for ACS clusters
-        #     #- name: ACS_RESOURCE_NAME
-        #     #  value: "my_acs_cluster_name"
-        #     - name: CONTAINER_TYPE
-        #       value: "PrometheusSidecar"
-        #     - name: CONTROLLER_TYPE
-        #       value: "DaemonSet"
-        #     - name: NODE_IP
-        #       valueFrom:
-        #         fieldRef:
-        #           fieldPath: status.hostIP
-        #     # Update this with the user assigned msi client id for omsagent
-        #     - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
-        #       value: "VALUE_USER_ASSIGNED_IDENTITY_CLIENT_ID_VALUE"
-        #     - name: USING_AAD_MSI_AUTH
-        #       value: "false"
-        #    securityContext:
-        #     privileged: true
-        #   volumeMounts:
-        #     - mountPath: /etc/kubernetes/host
-        #       name: azure-json-path
-        #     - mountPath: /etc/omsagent-secret
-        #       name: omsagent-secret
-        #       readOnly: true
-        #     - mountPath: /etc/config/settings
-        #       name: settings-vol-config
-        #       readOnly: true
-        #     - mountPath: /etc/config/osm-settings
-        #       name: osm-settings-vol-config
-        #       readOnly: true
-        #   livenessProbe:
-        #     exec:
-        #       command:
-        #         - /bin/bash
-        #         - -c
-        #         - /opt/livenessprobe.sh
-        #     initialDelaySeconds: 60
-        #     periodSeconds: 60
-        #     timeoutSeconds: 15
+        - name: omsagent-prometheus
+          image: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:ciprod01312022"
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits:
+              cpu: 500m
+              memory: 1Gi
+            requests:
+              cpu: 75m
+              memory: 225Mi
+          env:
+            # azure devops pipeline uses AKS_RESOURCE_ID and AKS_REGION hence ensure to uncomment these
+            - name: AKS_CLUSTER_NAME
+              value: "VALUE_AKS_CLUSTER_NAME"
+            - name: AKS_RESOURCE_ID
+              value: "VALUE_AKS_RESOURCE_ID_VALUE"
+            - name: AKS_REGION
+              value: "VALUE_AKS_RESOURCE_REGION_VALUE"
+            - name: AKS_NODE_RESOURCE_GROUP
+              value: "VALUE_AKS_NODE_RESOURCE_GROUP"
+            #Uncomment below two lines for ACS clusters and set the cluster names manually. Also comment out the above two lines for ACS clusters
+            #- name: ACS_RESOURCE_NAME
+            #  value: "my_acs_cluster_name"
+            - name: CONTAINER_TYPE
+              value: "PrometheusSidecar"
+            - name: CONTROLLER_TYPE
+              value: "DaemonSet"
+            - name: NODE_IP
+              valueFrom:
+                fieldRef:
+                  fieldPath: status.hostIP
+            # Update this with the user assigned msi client id for omsagent
+            - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
+              value: "VALUE_USER_ASSIGNED_IDENTITY_CLIENT_ID_VALUE"
+            - name: USING_AAD_MSI_AUTH
+              value: "false"
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - mountPath: /etc/kubernetes/host
+              name: azure-json-path
+            - mountPath: /etc/omsagent-secret
+              name: omsagent-secret
+              readOnly: true
+            - mountPath: /etc/config/settings
+              name: settings-vol-config
+              readOnly: true
+            - mountPath: /etc/config/osm-settings
+              name: osm-settings-vol-config
+              readOnly: true
+          livenessProbe:
+            exec:
+              command:
+                - /bin/bash
+                - -c
+                - /opt/livenessprobe.sh
+            initialDelaySeconds: 60
+            periodSeconds: 60
+            timeoutSeconds: 15
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -634,7 +634,7 @@ spec:
               value: "VALUE_USER_ASSIGNED_IDENTITY_CLIENT_ID_VALUE"
             # Add the below environment variable to true only in sidecar enabled regions, else set it to false
             - name: SIDECAR_SCRAPING_ENABLED
-              value: "false"
+              value: "true"
             - name: USING_AAD_MSI_AUTH
               value: "false"
           securityContext:
@@ -811,7 +811,7 @@ spec:
                fieldRef:
                  fieldPath: status.hostIP
           - name: SIDECAR_SCRAPING_ENABLED
-            value: "false"
+            value: "true"
           # Update this with the user assigned msi client id for omsagent
           - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
             value: "VALUE_USER_ASSIGNED_IDENTITY_CLIENT_ID_VALUE"

diff --git a/scripts/build/linux/install-build-pre-requisites.sh b/scripts/build/linux/install-build-pre-requisites.sh
@@ -16,7 +16,7 @@ install_go_lang()
     sudo tar -xvf go1.15.14.linux-amd64.tar.gz
     sudo mv -f go /usr/local
     echo "set file permission for go bin"
-    sudo chmod 777 /usr/local/go/bin
+    sudo chmod 744 /usr/local/go/bin
     echo "installation of go 1.15.14 completed."
     echo "installation of go 1.15.14 completed."
   fi

diff --git a/source/plugins/go/src/go.mod b/source/plugins/go/src/go.mod
@@ -7,8 +7,8 @@ require (
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
 	github.com/fluent/fluent-bit-go v0.0.0-20171103221316-c4a158a6e3a7
 	github.com/golang/mock v1.4.1
-	github.com/google/uuid v1.2.0
-	github.com/microsoft/ApplicationInsights-Go v0.4.3
+	github.com/google/uuid v1.3.0
+	github.com/microsoft/ApplicationInsights-Go v0.4.4
 	github.com/philhofer/fwd v1.1.1 // indirect
 	github.com/tinylib/msgp v1.1.2
 	github.com/ugorji/go v1.1.2-0.20180813092308-00b869d2f4a5

diff --git a/source/plugins/go/src/go.sum b/source/plugins/go/src/go.sum
@@ -106,6 +106,7 @@ github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL9
 github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0=
 github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -162,6 +163,8 @@ github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I=
@@ -198,6 +201,8 @@ github.com/mattn/go-ieproxy v0.0.1 h1:qiyop7gCflfhwCzGyeT0gro3sF9AIg9HU98JORTkqf
 github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
 github.com/microsoft/ApplicationInsights-Go v0.4.3 h1:gBuy5rM3o6Zo69QTkq1Ens8wx6sVf+mpgMjjfayiRcw=
 github.com/microsoft/ApplicationInsights-Go v0.4.3/go.mod h1:ih0t3h84PdzV1qGeUs89o9wL8eCuwf24M7TZp/nyqXk=
+github.com/microsoft/ApplicationInsights-Go v0.4.4 h1:G4+H9WNs6ygSCe6sUyxRc2U81TI5Es90b2t/MwX5KqY=
+github.com/microsoft/ApplicationInsights-Go v0.4.4/go.mod h1:fKRUseBqkw6bDiXTs3ESTiU/4YTIHsQS4W3fP2ieF4U=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
@@ -232,8 +237,6 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=