Bkpr: backport dependencies required for unsafe sysctls (WIFI-5420)

Signed-off-by: Leonid Mirsky <leonid@opsfleet.com>

helm/templates/deployment.yaml

@@ -24,6 +24,9 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include "owgw.config" . | sha256sum }}
+        {{- if .Values.podSecurityPolicy.enabled }}
+        kubernetes.io/psp: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-owgw-unsafe-sysctl
+        {{- end }}
         {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

helm/templates/psp.yaml

@@ -0,0 +1,28 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-owgw-unsafe-sysctl
+  labels:
+    app.kubernetes.io/name: {{ include "owgw.name" . }}
+    helm.sh/chart: {{ include "owgw.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  allowedUnsafeSysctls:
+  {{- range $unsafeSysctl := .Values.securityContext.sysctls }}
+  - {{ $unsafeSysctl.name }}
+  {{- end }}
+  privileged: false
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+  - '*'
+{{- end }}

helm/templates/role.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "owgw.fullname" . }}-owgw-use-unsafe-sysctl
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - {{ include "owgw.fullname" . }}-{{ .Release.Namespace }}-owgw-unsafe-sysctl
+{{- end }}

helm/templates/rolebinding.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "owgw.fullname" . }}-owgw-use-unsafe-sysctl-to-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "owgw.fullname" . }}-owgw-use-unsafe-sysctl
+subjects:
+- kind: ServiceAccount
+  name: default
+  namespace: {{ .Release.Namespace }}
+{{- end }}

helm/values.yaml

@@ -8,7 +8,7 @@ fullnameOverride: ""
 images:
   owgw:
     repository: tip-tip-wlan-cloud-ucentral.jfrog.io/owgw
-    tag: master
+    tag: v2.4.0-RC2
     pullPolicy: Always
 #    regcred:
 #      registry: tip-tip-wlan-cloud-ucentral.jfrog.io
@@ -112,6 +112,17 @@ resources: {}
 
 securityContext:
   fsGroup: 101
+  # Usage of unsafe sysctls requires multiple things:
+  # - allow these unsafe sysctls on kubelet level (by adding --allowed-unsafe-sysctls flag)
+  # - enabling addition of PodSecurityContext setting podSecurityPolicy.enabled to "true" below
+  # - uncommenting parameters below
+  #sysctls:
+  #- name: net.ipv4.tcp_keepalive_intvl
+  #  value: "5"
+  #- name: net.ipv4.tcp_keepalive_probes
+  #  value: "2"
+  #- name: net.ipv4.tcp_keepalive_time
+  #  value: "45"
 
 nodeSelector: {}
 
@@ -121,6 +132,9 @@ affinity: {}
 
 podAnnotations: {}
 
+podSecurityPolicy:
+  enabled: false
+
 persistence:
   enabled: true
   # storageClassName: "-"

src/framework/MicroService.h

@@ -1900,7 +1900,7 @@ namespace OpenWifi {
 	            QB_.SerialNumber = GetParameter(RESTAPI::Protocol::SERIALNUMBER, "");
 	            QB_.StartDate = GetParameter(RESTAPI::Protocol::STARTDATE, 0);
 	            QB_.EndDate = GetParameter(RESTAPI::Protocol::ENDDATE, 0);
-	            QB_.Offset = GetParameter(RESTAPI::Protocol::OFFSET, 1);
+	            QB_.Offset = GetParameter(RESTAPI::Protocol::OFFSET, 0);
 	            QB_.Limit = GetParameter(RESTAPI::Protocol::LIMIT, 100);
 	            QB_.Filter = GetParameter(RESTAPI::Protocol::FILTER, "");
 	            QB_.Select = GetParameter(RESTAPI::Protocol::SELECT, "");
@@ -1912,7 +1912,7 @@ namespace OpenWifi {
 	            QB_.AdditionalInfo = GetBoolParameter(RESTAPI::Protocol::WITHEXTENDEDINFO,false);
 
 	            if(QB_.Offset<1)
-	                QB_.Offset=1;
+	                QB_.Offset=0;
 	            return true;
 	        }
 

src/framework/StorageClass.h

@@ -2,8 +2,7 @@
 // Created by stephane bourque on 2021-10-06.
 //
 
-#ifndef OPENWIFI_STORAGE_H
-#define OPENWIFI_STORAGE_H
+#pragma once
 
 #include "Poco/Data/Session.h"
 #include "Poco/Data/SessionPool.h"
@@ -54,13 +53,13 @@ namespace OpenWifi {
 
         [[nodiscard]] inline std::string ComputeRange(uint64_t From, uint64_t HowMany) {
             if(dbType_==sqlite) {
-                return " LIMIT " + std::to_string(From-1) + ", " + std::to_string(HowMany) + " ";
+                return " LIMIT " + std::to_string(From) + ", " + std::to_string(HowMany) + " ";
             } else if(dbType_==pgsql) {
-                return " LIMIT " + std::to_string(HowMany) + " OFFSET " + std::to_string(From-1) + " ";
+                return " LIMIT " + std::to_string(HowMany) + " OFFSET " + std::to_string(From) + " ";
             } else if(dbType_==mysql) {
-                return " LIMIT " + std::to_string(HowMany) + " OFFSET " + std::to_string(From-1) + " ";
+                return " LIMIT " + std::to_string(HowMany) + " OFFSET " + std::to_string(From) + " ";
             }
-            return " LIMIT " + std::to_string(HowMany) + " OFFSET " + std::to_string(From-1) + " ";
+            return " LIMIT " + std::to_string(HowMany) + " OFFSET " + std::to_string(From) + " ";
         }
 
         inline std::string ConvertParams(const std::string & S) const {
@@ -165,5 +164,3 @@ namespace OpenWifi {
 #endif
 
 }
-
-#endif //OPENWIFI_STORAGE_H

src/storage/storage_command.cpp

@@ -360,11 +360,9 @@ typedef Poco::Tuple<
 			std::string st{"SELECT " +
 							   DB_Command_SelectFields +
 							   " FROM CommandList WHERE SerialNumber=? ORDER BY Submitted DESC " + ComputeRange(0, HowMany)};
-
 			Select << 	ConvertParams(st),
 						Poco::Data::Keywords::into(Records),
-						Poco::Data::Keywords::use(SerialNumber),
-						Poco::Data::Keywords::limit(HowMany);
+						Poco::Data::Keywords::use(SerialNumber);
 			Select.execute();
 
 			for (auto i : Records) {
@@ -681,7 +679,7 @@ typedef Poco::Tuple<
 			while(More) {
 				auto Command = RSet[0].convert<std::string>();
 				if(!Command.empty())
-					Types::UpdateCountedMap(R,Command);
+					OpenWifi::Types::UpdateCountedMap(R,Command);
 				More = RSet.moveNext();
 			}
 			return true;
@@ -691,4 +689,4 @@ typedef Poco::Tuple<
 		return false;
 	}
 
-}
+}

src/storage/storage_healthcheck.cpp

@@ -114,7 +114,7 @@ namespace OpenWifi {
 
 			std::string st{"SELECT " + DB_HealthCheckSelectFields + " FROM HealthChecks WHERE SerialNumber=? ORDER BY Recorded DESC "};
 
-			Select << 	ConvertParams(st) + ComputeRange(1,HowMany),
+			Select << 	ConvertParams(st) + ComputeRange(0,HowMany),
 						Poco::Data::Keywords::into(Records),
 						Poco::Data::Keywords::use(SerialNumber);
 			Select.execute();

src/storage/storage_logs.cpp

@@ -161,7 +161,7 @@ namespace OpenWifi {
 			Poco::Data::Statement   Select(Sess);
 
 
-			std::string st{"SELECT " + DB_LogsSelectFields + " FROM DeviceLogs WHERE SerialNumber=? AND LogType=? ORDER BY Recorded DESC " + ComputeRange(1, HowMany)};
+			std::string st{"SELECT " + DB_LogsSelectFields + " FROM DeviceLogs WHERE SerialNumber=? AND LogType=? ORDER BY Recorded DESC " + ComputeRange(0, HowMany)};
 			Select << 	ConvertParams(st),
 						Poco::Data::Keywords::into(Records),
 						Poco::Data::Keywords::use(SerialNumber),

src/storage/storage_statistics.cpp

@@ -112,7 +112,7 @@ namespace OpenWifi {
 			std::string St{"SELECT " +
 						   		DB_StatsSelectFields +
 						   		" FROM Statistics WHERE SerialNumber=? ORDER BY Recorded DESC "};
-			Select << 	ConvertParams(St) + ComputeRange(1, HowMany),
+			Select << 	ConvertParams(St) + ComputeRange(0, HowMany),
 						Poco::Data::Keywords::into(Records),
 						Poco::Data::Keywords::use(SerialNumber);
 			Select.execute();