Switch to GRPC sockets rather than using tcp ports

[saschagrunert]

What type of PR is this?

/kind feature

What this PR does / why we need it:

The enricher as well as the bpf recorder require host network for cgroup
determination. This means if we already serve something on the GRPC tcp
ports, then the operator will fail to deploy.

To work around this error-case, we now rely on unix domain sockets
rather than TCP ports.

Which issue(s) this PR fixes:

None

Does this PR have test?

None

Special notes for your reviewer:

Refers to #618 (comment)

Does this PR introduce a user-facing change?

Switched to unix domain sockets for the GRPC servers.

[codecov-commenter]

Codecov Report

Merging #631 (7fd255c) into master (73b1235) will increase coverage by 0.05%.
The diff coverage is 45.45%.

@@            Coverage Diff             @@
##           master     #631      +/-   ##
==========================================
+ Coverage   43.76%   43.82%   +0.05%     
==========================================
  Files          29       29              
  Lines        1565     1570       +5     
==========================================
+ Hits          685      688       +3     
- Misses        834      835       +1     
- Partials       46       47       +1     

[saschagrunert]

/test pull-security-profiles-operator-test-e2e

[saschagrunert]

@jhrozek @JAORMX PTAL

[JAORMX]

Lgtm. Is the e2e-fedora test working at all? Shall it be rekicked?

[saschagrunert]

Lgtm. Is the e2e-fedora test working at all? Shall it be rekicked?

I re-triggered the CI, let's see why it hung.

[jhrozek]

In general I think it's a nice improvement, just see one inline question about permissions

[saschagrunert]

/test pull-security-profiles-operator-test-e2e

[saschagrunert]

/test pull-security-profiles-operator-test-e2e

[saschagrunert]

/retest
e2e-fedora seems to hang and requires more debugging

[jhrozek]

On Thu, Nov 04, 2021 at 06:35:26AM -0700, Sascha Grunert wrote: @saschagrunert commented on this pull request. > - e.logf("removing policy") - e.kubectl("delete", "selinuxprofile", "errorlogger") - - e.logf("assert policy was removed") - e.assertSelinuxPolicyIsRemoved(nodes, rawPolicyName, maxNodeIterations, sleepBetweenIterations) This seems to block the fedora selinux e2e test and I have no idea how it is related to my code change. @jhrozek do you have any insight here?

Not off-bat, but I'll try running the tests locally in vagrant.

[saschagrunert]

/test pull-security-profiles-operator-test-e2e

[saschagrunert]

/retest

[jhrozek]

Here's what I'm seeing running the e2e tests locally. The SPO pod restarts (still trying to figure out why) and then:

$RUN kubectl logs spod-8hwd2 security-profiles-operator -nsecurity-profiles-operator
I1104 19:17:02.358924   60463 deleg.go:130] setup "msg"="starting component: spod"  "buildDate"="1980-01-01T00:00:00Z" "compiler"="gc" "gitCommit"="081a559d7cf38c42455fd8329501776b9221820a" "gitTreeState"="clean" "goVersion"="go1.16.9" "libseccomp"="2.5.1" "platform"="linux/amd64" "version"="0.4.0-dev"
I1104 19:17:03.067711   60463 deleg.go:130] controller-runtime/metrics "msg"="metrics server is starting to listen"  "addr"=":8080"
I1104 19:17:03.069201   60463 metrics.go:159] metrics "msg"="Registering metric: seccomp_profile_total"
I1104 19:17:03.069559   60463 metrics.go:159] metrics "msg"="Registering metric: seccomp_profile_audit_total"
I1104 19:17:03.069716   60463 metrics.go:159] metrics "msg"="Registering metric: seccomp_profile_error_total"
I1104 19:17:03.069861   60463 metrics.go:159] metrics "msg"="Registering metric: selinux_profile_total"
I1104 19:17:03.069999   60463 metrics.go:159] metrics "msg"="Registering metric: selinux_profile_audit_total"
I1104 19:17:03.070142   60463 metrics.go:159] metrics "msg"="Registering metric: selinux_profile_error_total"
E1104 19:17:03.070967   60463 deleg.go:144] setup "msg"="running security-profiles-operator" "error"="start metrics grpc server: create listener: listen unix /var/run/grpc/metrics.sock: bind: address already in use"

[jhrozek]

huh:

I1104 19:34:02.701789   57516 selinuxpolicy_controller.go:356] selinuxprofile "msg"="Removing policy file" "Request.Name"="errorlogger" "Request.Namespace"="default" "policyPath"="/etc/selinux.d/errorlogger_default.cil"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x172683e]

goroutine 383 [running]:
github.com/crossplane/crossplane-runtime/pkg/event.Warning(0x1cbb0ef, 0x19, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        github.com/crossplane/crossplane-runtime@v0.14.1-0.20210713194031-85b19c28ea88/pkg/event/event.go:63 +0x5e
sigs.k8s.io/security-profiles-operator/internal/pkg/daemon/selinuxprofile.(*ReconcileSP).Reconcile(0xc000163540, 0x1f1e038, 0xc00002d860, 0xc0007a3639, 0x7, 0xc0007a3624, 0xb, 0xc00002d860, 0xc00002d830, 0xc00054fdb0, ...)
        sigs.k8s.io/security-profiles-operator/internal/pkg/daemon/selinuxprofile/selinuxpolicy_controller.go:185 +0x6be
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile(0xc000181540, 0x1f1e038, 0xc00002d830, 0xc0007a3639, 0x7, 0xc0007a3624, 0xb, 0xc00002d800, 0x0, 0x0, ...)
        sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:114 +0x247
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler(0xc000181540, 0x1f1df90, 0xc000162f00, 0x1adff00, 0xc000048220)
        sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:311 +0x305
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem(0xc000181540, 0x1f1df90, 0xc000162f00, 0x0)
        sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:266 +0x205
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2(0xc0004b1950, 0xc000181540, 0x1f1df90, 0xc000162f00)
        sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:227 +0x6b
created by sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2
        sigs.k8s.io/controller-runtime@v0.10.2/pkg/internal/controller/controller.go:223 +0x425
{"level":"info","ts":1636054442.7021089,"logger":"file-watcher","caller":"daemon/daemon.go:89","msg":"Removing policy","file":"/etc/selinux.d/errorlogger_default.cil"}
{"level":"info","ts":1636054442.8720913,"caller":"semanage/semanage.go:89","msg":"Removing last errorlogger_default module (no other errorlogger_default module exists at another priority)."}
{"level":"info","ts":1636054450.455779,"logger":"policy-installer","caller":"daemon/daemon.go:130","msg":"The operation was successful","operation":"remove - /etc/selinux.d/errorlogger_default.cil"}

[jhrozek]

Can you try if the tests work better if you include #640 in the PR?
(btw I am not working tomorrow, I might not be able to check any comments to that PR until Monday..)

[jhrozek]

oh and that PR definitely does not fix the issue related to container restart failing with address already in use, just the crash itself..

[saschagrunert]

oh and that PR definitely does not fix the issue related to container restart failing with address already in use, just the crash itself..

We have to remove the socket if the file already exists. Good catch!

[saschagrunert]

/test pull-security-profiles-operator-test-e2e

[saschagrunert]

/retest

[saschagrunert]

/retest

[saschagrunert]

@jhrozek tests are green now :)

[saschagrunert]

@JAORMX @pjbgf PTAL

[pjbgf]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pjbgf, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pjbgf,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jhrozek]

/lgtm
thank you, great work on avoiding the 777 permissions