Add restricted_shell allowed_paths for rshell #48127
gh-worker-dd-mergequeue-cf854d[bot] merged 8 commits into main from
Bits Dev status: ❌ Error
Comment @DataDog to request changes
I can only run on private repositories.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f20b449601
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
All contributors have signed the CLA ✍️ ✅
Files inventory check summary
File checks results against ancestor ec07bee7:
Results for datadog-agent_7.79.0~devel.git.40.7dd7937.pipeline.103805615-1_amd64.deb:
Detected file changes:
@codex review
e84e2c2 to b8e6072
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5b7ba0d5c2
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Static quality checks
✅ Please find below the results from static quality gates
Successful checks
Info
15 successful checks with minimal change (< 2 KiB)
On-wire sizes (compressed)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f319c236e2
| PARHttpAllowImdsEndpoint = "private_action_runner.http_allow_imds_endpoint" | ||
|
|
||
| // Restricted Shell | ||
| PARRestrictedShellAllowedPaths = "restricted_shell.allowed_paths" |
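Review bot: PARRestrictedShellAllowedPaths has no doc comment of its own, only the section label // Restricted Shell, even though its name says it decides which paths the restricted shell may touch. Add a comment on the constant stating the expected value shape (for example a list of absolute directories) and what an empty or unset value means, so the behaviour can be read from the key definition rather than from the rshell code.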
Keep rshell path setting in private_action_runner namespace
This key is registered as restricted_shell.allowed_paths, so env binding resolves to DD_RESTRICTED_SHELL_ALLOWED_PATHS instead of the DD_PRIVATE_ACTION_RUNNER_* pattern used by the rest of this component. In environments that configure PAR settings uniformly (or place values under private_action_runner: in datadog.yaml), this override is silently ignored and rshell continues with the default /var/log policy. Namespace the key under private_action_runner (or bind both env names) to avoid hard-to-diagnose misconfiguration.
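The silent-ignore case raised in the review comment above can be caught with a startup check; this Go program is an added example, not code from the PR or the Datadog Agent. It assumes the `DD_` + upper-case + dots-to-underscores env naming the comment relies on; the namespaced location `private_action_runner.restricted_shell.allowed_paths` and the `/opt/app/logs` value are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// Key registered in the diff above; namespace used by the other PAR settings.
const registeredKey = "restricted_shell.allowed_paths"
const parNamespace = "private_action_runner"

// envName: DD_ prefix, upper case, dots to underscores (the binding the review describes).
func envName(key string) string {
	return "DD_" + strings.ToUpper(strings.ReplaceAll(key, ".", "_"))
}

// lookup walks a nested YAML-like map along a dotted key.
func lookup(cfg map[string]any, key string) (any, bool) {
	var cur any = cfg
	for _, part := range strings.Split(key, ".") {
		m, _ := cur.(map[string]any) // nil map when cur is a scalar
		next, ok := m[part]
		if !ok {
			return nil, false
		}
		cur = next
	}
	return cur, true
}

// misplacedSettings finds values under the PAR namespace (assumed location) that registeredKey never reads.
func misplacedSettings(cfg map[string]any, env map[string]string) []string {
	var findings []string
	shadow := parNamespace + "." + registeredKey
	if _, ok := lookup(cfg, shadow); ok {
		findings = append(findings, "yaml:"+shadow)
	}
	if _, ok := env[envName(shadow)]; ok {
		findings = append(findings, "env:"+envName(shadow))
	}
	return findings
}

func main() {
	// Constructed sample: the operator followed the private_action_runner pattern.
	cfg := map[string]any{parNamespace: map[string]any{"restricted_shell": map[string]any{"allowed_paths": []string{"/opt/app/logs"}}}}
	env := map[string]string{envName(parNamespace + "." + registeredKey): "/opt/app/logs"}
	_, read := lookup(cfg, registeredKey)
	fmt.Println(envName(registeredKey), read, misplacedSettings(cfg, env))
}
```

A non-empty result means the operator's override is present but unread, so the effective policy is still the default; logging that at startup turns the misconfiguration into a visible warning.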
Regression Detector
Regression Detector Results
Metrics dashboard
Baseline: a5b6d12
Optimization Goals: ✅ No significant changes detected
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | docker_containers_cpu | % cpu utilization | +0.38 | [-2.65, +3.41] | 1 | Logs |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | quality_gate_metrics_logs | memory utilization | +0.93 | [+0.69, +1.17] | 1 | Logs bounds checks dashboard |
| ➖ | docker_containers_memory | memory utilization | +0.70 | [+0.62, +0.77] | 1 | Logs |
| ➖ | file_tree | memory utilization | +0.43 | [+0.38, +0.49] | 1 | Logs |
| ➖ | docker_containers_cpu | % cpu utilization | +0.38 | [-2.65, +3.41] | 1 | Logs |
| ➖ | uds_dogstatsd_20mb_12k_contexts_20_senders | memory utilization | +0.32 | [+0.26, +0.38] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulative | memory utilization | +0.07 | [-0.07, +0.22] | 1 | Logs |
| ➖ | file_to_blackhole_100ms_latency | egress throughput | +0.05 | [-0.04, +0.15] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api_v3 | ingress throughput | +0.01 | [-0.20, +0.22] | 1 | Logs |
| ➖ | file_to_blackhole_0ms_latency | egress throughput | +0.01 | [-0.52, +0.54] | 1 | Logs |
| ➖ | otlp_ingest_metrics | memory utilization | +0.01 | [-0.15, +0.17] | 1 | Logs |
| ➖ | ddot_metrics_sum_delta | memory utilization | +0.00 | [-0.17, +0.17] | 1 | Logs |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | -0.00 | [-0.11, +0.11] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api | ingress throughput | -0.01 | [-0.20, +0.19] | 1 | Logs |
| ➖ | file_to_blackhole_500ms_latency | egress throughput | -0.01 | [-0.40, +0.38] | 1 | Logs |
| ➖ | quality_gate_idle | memory utilization | -0.03 | [-0.08, +0.02] | 1 | Logs bounds checks dashboard |
| ➖ | quality_gate_idle_all_features | memory utilization | -0.09 | [-0.13, -0.06] | 1 | Logs bounds checks dashboard |
| ➖ | ddot_metrics | memory utilization | -0.11 | [-0.29, +0.06] | 1 | Logs |
| ➖ | file_to_blackhole_1000ms_latency | egress throughput | -0.13 | [-0.56, +0.30] | 1 | Logs |
| ➖ | otlp_ingest_logs | memory utilization | -0.30 | [-0.41, -0.19] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulativetodelta_exporter | memory utilization | -0.34 | [-0.56, -0.12] | 1 | Logs |
| ➖ | ddot_logs | memory utilization | -0.44 | [-0.49, -0.38] | 1 | Logs |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | -0.74 | [-0.91, -0.58] | 1 | Logs |
| ➖ | quality_gate_logs | % cpu utilization | -2.46 | [-4.04, -0.88] | 1 | Logs bounds checks dashboard |
Bounds Checks: ❌ Failed
| perf | experiment | bounds_check_name | replicates_passed | observed_value | links |
|---|---|---|---|---|---|
| ✅ | docker_containers_cpu | simple_check_run | 10/10 | 690 ≥ 26 | |
| ✅ | docker_containers_memory | memory_usage | 10/10 | 273.62MiB ≤ 370MiB | |
| ✅ | docker_containers_memory | simple_check_run | 10/10 | 701 ≥ 26 | |
| ✅ | file_to_blackhole_0ms_latency | memory_usage | 10/10 | 0.19GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_0ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | 0.23GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_1000ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_100ms_latency | memory_usage | 10/10 | 0.20GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_100ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_500ms_latency | memory_usage | 10/10 | 0.22GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_500ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | quality_gate_idle | intake_connections | 10/10 | 3 = 3 | bounds checks dashboard |
| ❌ | quality_gate_idle | memory_usage | 9/10 | 175.43MiB > 175MiB | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | intake_connections | 10/10 | 2 ≤ 3 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | memory_usage | 10/10 | 504.52MiB ≤ 550MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | intake_connections | 10/10 | 4 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_logs | memory_usage | 10/10 | 205.75MiB ≤ 220MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | cpu_usage | 10/10 | 380.92 ≤ 2000 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | intake_connections | 10/10 | 4 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | memory_usage | 10/10 | 406.21MiB ≤ 475MiB | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
- Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
- Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
- Its configuration does not mark it "erratic".
CI Pass/Fail Decision
❌ Failed. Some Quality Gates were violated.
- quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check memory_usage: 9/10 replicas passed. Failed 1 which is > 0. Gate FAILED.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
/merge
View all feedbacks in Devflow UI.
This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
The expected merge time in
Build pipeline has failing jobs for 1b74f75: What to do next?
/merge
View all feedbacks in Devflow UI.
This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
The expected merge time in
Add restricted shell allowed path config
The rshell runner currently hardcodes allowed paths (`/var/log`) in code, which makes policy changes require code changes and deploys. This change moves path policy into configuration so operators can manage rshell filesystem access through `datadog.yaml` and environment variables.
- `go test ./pkg/privateactionrunner/bundles/remoteaction/rshell`
- `go test -tags test ./pkg/config/setup -run 'TestPrivateActionRunner|TestRestrictedShell'`
- `go test -tags test ./pkg/privateactionrunner/adapters/config -run 'TestFromDDConfig|TestFromDDConfigRestrictedShellAllowedPaths'`
- `Format` tool run (goimports/gofmt on changed Go files)
- `Lint` tool run (golangci-lint execution attempted, but failed due to local toolchain mismatch: golangci-lint built with go1.24 while repo targets go1.25.7)
This preserves existing rshell default behavior by defaulting `restricted_shell.allowed_paths` to `/var/log`.
---
PR by Bits - [View session in Datadog](https://app.datadoghq.com/code/e1770736-c3aa-4752-a8c6-77212765f0c7)
Comment @DataDog to request changes
Co-authored-by: datadog-datadog-prod-us1[bot] <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
Co-authored-by: alexandre.yang <alexandre.yang@datadoghq.com>
What does this PR do?
Add restricted shell allowed path config
Motivation
The rshell runner currently hardcodes allowed paths (`/var/log`) in code, which makes policy changes require code changes and deploys. This change moves path policy into configuration so operators can manage rshell filesystem access through `datadog.yaml` and environment variables.
Describe how you validated your changes
- `go test ./pkg/privateactionrunner/bundles/remoteaction/rshell`
- `go test -tags test ./pkg/config/setup -run 'TestPrivateActionRunner|TestRestrictedShell'`
- `go test -tags test ./pkg/privateactionrunner/adapters/config -run 'TestFromDDConfig|TestFromDDConfigRestrictedShellAllowedPaths'`
- `Format` tool run (goimports/gofmt on changed Go files)
- `Lint` tool run (golangci-lint execution attempted, but failed due to local toolchain mismatch: golangci-lint built with go1.24 while repo targets go1.25.7)
Additional Notes
This preserves existing rshell default behavior by defaulting `restricted_shell.allowed_paths` to `/var/log`.
PR by Bits - View session in Datadog
Comment @DataDog to request changes