Reduce boiler plate for Go container image C++ headers (pixie-io#2307)

ddelnano · k8sstormcenter-buildbot · commit b2ef3ef2dc51 · 2026-04-08T15:36:49.000Z
Summary: Reduce boiler plate for Go container image C++ headers Previously, adding a new Go version required: 1. Creating new header files for each container type (grpc_server, grpc_client, tls_server, tls_client) 2. Adding BUILD.bazel entries for each new library 3. Updating test files with new #include statements These header files account for ~100-200 lines of boilerplate code per Go version (~50 lines for each grpc and tls client/server pair) and add overhead when upgrading our Go version. This PR reduces this boilerplate by generating these files with a new Bazel macro `go_container_libraries`. This macro generates: - Individual C++ headers for each version (e.g., `go_1_24_grpc_server_container.h`) - Aggregate headers that include all versions for a given container type (e.g., `go_grpc_server_containers.h`, `go_tls_client_containers.h`) Relevant Issues: N/A Type of change: /kind cleanup Test Plan: Build should succeed Signed-off-by: Dom Del Nano <ddelnano@gmail.com> GitOrigin-RevId: ce714e6
diff --git a/src/api/python/BUILD.bazel b/src/api/python/BUILD.bazel
@@ -37,13 +37,13 @@ py_wheel(
     python_requires = ">=3.12, < 3.14",
     python_tag = "py3",
     requires = [
-        "Authlib>=1.6.0,<1.7.0",
+        "Authlib==1.5.1",
         "grpcio==1.76.0",
         "grpcio-tools==1.76.0",
         "protobuf==6.33.1",
     ],
     strip_path_prefixes = ["src/api/python/"],
-    version = "0.9.1",
+    version = "0.9.0",
     deps = [
         "//src/api/python/pxapi:pxapi_library",
         "//src/api/python/pxapi/proto:pxapi_py_proto_library",
diff --git a/src/api/python/requirements.bazel.txt b/src/api/python/requirements.bazel.txt
@@ -4,9 +4,9 @@
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements.bazel.txt requirements.txt
 #
-authlib==1.6.9 \
-    --hash=sha256:d8f2421e7e5980cc1ddb4e32d3f5fa659cfaf60d8eaf3281ebed192e4ab74f04 \
-    --hash=sha256:f08b4c14e08f0861dc18a32357b33fbcfd2ea86cfe3fe149484b4d764c4a0ac3
+authlib==1.5.1 \
+    --hash=sha256:5cbc85ecb0667312c1cdc2f9095680bb735883b123fb509fde1e65b1c5df972e \
+    --hash=sha256:8408861cbd9b4ea2ff759b00b6f02fd7d81ac5a56d0b2b22c08606c6049aae11
     # via -r requirements.txt
 cffi==2.0.0 \
     --hash=sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb \
diff --git a/src/api/python/requirements.txt b/src/api/python/requirements.txt
@@ -1,4 +1,4 @@
-Authlib>=1.6.0,<1.7.0
+Authlib==1.5.1
 grpcio==1.76.0
 grpcio-tools==1.76.0
 protobuf==6.33.1
diff --git a/src/shared/metadata/cgroup_path_resolver.cc b/src/shared/metadata/cgroup_path_resolver.cc
@@ -70,24 +70,13 @@ StatusOr<std::vector<std::string>> CGroupBasePaths(std::string_view sysfs_path)
 
 StatusOr<std::string> FindSelfCGroupProcs(std::string_view base_path) {
   int pid = getpid();
-  std::error_code ec;
 
-  auto it = std::filesystem::recursive_directory_iterator(
-      base_path, std::filesystem::directory_options::skip_permission_denied, ec);
-  if (ec) {
-    return error::Internal("Failed to iterate cgroup path: $0", ec.message());
-  }
-
-  for (auto end = std::filesystem::recursive_directory_iterator(); it != end; it.increment(ec)) {
-    if (ec) {
-      ec.clear();
-      continue;
-    }
-    if (it->path().filename() == "cgroup.procs") {
-      std::string contents = ReadFileToString(it->path().string()).ValueOr("");
+  for (auto& p : std::filesystem::recursive_directory_iterator(base_path)) {
+    if (p.path().filename() == "cgroup.procs") {
+      std::string contents = ReadFileToString(p.path().string()).ValueOr("");
       int contents_pid;
       if (absl::SimpleAtoi(contents, &contents_pid) && pid == contents_pid) {
-        return it->path().string();
+        return p.path().string();
       }
     }
   }
diff --git a/src/shared/metadata/cgroup_path_resolver_test.cc b/src/shared/metadata/cgroup_path_resolver_test.cc
@@ -16,16 +16,11 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-#include <sys/stat.h>
-#include <unistd.h>
-
 #include <gtest/gtest.h>
 
-#include <fstream>
 #include <string>
 #include <vector>
 
-#include "src/common/testing/temp_dir.h"
 #include "src/common/testing/testing.h"
 #include "src/shared/metadata/cgroup_path_resolver.h"
 
@@ -395,68 +390,5 @@ TEST(CGroupPathResolver, Cgroup2Format) {
  * 4. cgroup1+cgroup2 w/ cgroup1 succeeding
  */
 
-// Test that FindSelfCGroupProcs gracefully handles permission-denied directories
-// (e.g. CrowdStrike Falcon's sandbox.falcon) instead of crashing with an uncaught exception.
-TEST(FindSelfCGroupProcs, SkipsPermissionDeniedDirectories) {
-  // This test requires running as non-root, since root bypasses permission checks.
-  if (getuid() == 0) {
-    GTEST_SKIP() << "Test requires non-root user";
-  }
-
-  px::testing::TempDir tmp_dir;
-  auto base_path = tmp_dir.path();
-
-  // Create a directory structure with an accessible cgroup.procs containing our PID,
-  // and a restricted directory that simulates CrowdStrike Falcon's sandbox.
-  auto accessible_dir = base_path / "kubepods" / "pod1234";
-  std::filesystem::create_directories(accessible_dir);
-
-  // Write our PID to cgroup.procs so FindSelfCGroupProcs can find it.
-  {
-    std::ofstream ofs((accessible_dir / "cgroup.procs").string());
-    ofs << getpid();
-  }
-
-  // Create a restricted directory that the iterator cannot enter.
-  auto restricted_dir = base_path / "system.slice" / "falcon-sensor.service" / "sandbox.falcon";
-  std::filesystem::create_directories(restricted_dir);
-  // Remove all permissions on the sandbox directory.
-  chmod(restricted_dir.c_str(), 0000);
-
-  // FindSelfCGroupProcs should succeed and find our cgroup.procs,
-  // skipping the restricted directory instead of throwing.
-  ASSERT_OK_AND_ASSIGN(auto result, FindSelfCGroupProcs(base_path.string()));
-  EXPECT_EQ(result, (accessible_dir / "cgroup.procs").string());
-
-  // Restore permissions so TempDir cleanup can remove it.
-  chmod(restricted_dir.c_str(), 0755);
-}
-
-// Test that FindSelfCGroupProcs returns NotFound (not a crash) when the only
-// cgroup.procs is behind a restricted directory.
-TEST(FindSelfCGroupProcs, ReturnsNotFoundWhenAllPathsRestricted) {
-  if (getuid() == 0) {
-    GTEST_SKIP() << "Test requires non-root user";
-  }
-
-  px::testing::TempDir tmp_dir;
-  auto base_path = tmp_dir.path();
-
-  // Put cgroup.procs inside a restricted directory so it's unreachable.
-  auto restricted_dir = base_path / "restricted";
-  std::filesystem::create_directories(restricted_dir);
-  {
-    std::ofstream ofs((restricted_dir / "cgroup.procs").string());
-    ofs << getpid();
-  }
-  chmod(restricted_dir.c_str(), 0000);
-
-  // Should return NotFound, not crash.
-  auto result = FindSelfCGroupProcs(base_path.string());
-  EXPECT_NOT_OK(result);
-
-  chmod(restricted_dir.c_str(), 0755);
-}
-
 }  // namespace md
 }  // namespace px

Original file line number	Diff line number	Diff line change
`@@ -4,9 +4,9 @@`
`4`	`4`	`#`
`5`	`5`	`# pip-compile --allow-unsafe --generate-hashes --output-file=requirements.bazel.txt requirements.txt`
`6`	`6`	`#`
`7`		`-authlib==1.6.9 \`
`8`		`- --hash=sha256:d8f2421e7e5980cc1ddb4e32d3f5fa659cfaf60d8eaf3281ebed192e4ab74f04 \`
`9`		`- --hash=sha256:f08b4c14e08f0861dc18a32357b33fbcfd2ea86cfe3fe149484b4d764c4a0ac3`
	`7`	`+authlib==1.5.1 \`
	`8`	`+ --hash=sha256:5cbc85ecb0667312c1cdc2f9095680bb735883b123fb509fde1e65b1c5df972e \`
	`9`	`+ --hash=sha256:8408861cbd9b4ea2ff759b00b6f02fd7d81ac5a56d0b2b22c08606c6049aae11`
`10`	`10`	`# via -r requirements.txt`
`11`	`11`	`cffi==2.0.0 \`
`12`	`12`	`--hash=sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb \`