microsoft · pfrcks · Jul 22, 2022 · Apr 28, 2022 · Apr 28, 2022 · May 2, 2022
@@ -1,19 +1,9 @@
-# related to telegraf
-#[vishwa] - Fix telegraf & test all for next release - see work item #https://msazure.visualstudio.com/InfrastructureInsights/_workitems/edit/13322134
-# Unfixed as of 4/28/2022
+# telegraf vulnerabilities
 CVE-2019-3826
-CVE-2022-1996
 CVE-2022-29190
 CVE-2022-29222
 CVE-2022-29189
-
-# ruby in /usr/lib
-CVE-2020-36327
-CVE-2021-43809
-CVE-2021-41816
-CVE-2021-41819
-CVE-2021-31799
-CVE-2021-28965
+CVE-2022-1996
 
 #dpkg vulnerability in ubuntu
 CVE-2022-1304
@@ -90,7 +90,6 @@ The general directory structure is:
 │   │   |   ├── health/                       - code for health feature
 │   │   |   ├── lib/                          - lib for app insights ruby and this code of application_insights gem
 │   │   |   ...                               - plugins in, out and filters code in ruby
-│   ├── toml-parser/                          - code for parsing of toml configuration files
 ├── test/                                     - source code for tests
 │   ├── e2e/                                  - e2e tests to validate agent and e2e workflow(s)
 │   ├── unit-tests/                           - unit tests code

@@ -2,11 +2,7 @@
 
 #this should be require relative in Linux and require in windows, since it is a gem install on windows
 @os_type = ENV["OS_TYPE"]
-if !@os_type.nil? && !@os_type.empty? && @os_type.strip.casecmp("windows") == 0
-  require "tomlrb"
-else
-  require_relative "tomlrb"
-end
+require "tomlrb"
 
 require_relative "ConfigParseErrorLogger"
 

@@ -3,11 +3,7 @@
 
 #this should be require relative in Linux and require in windows, since it is a gem install on windows
 @os_type = ENV["OS_TYPE"]
-if !@os_type.nil? && !@os_type.empty? && @os_type.strip.casecmp("windows") == 0
-  require "tomlrb"
-else
-  require_relative "tomlrb"
-end
+require "tomlrb"
 
 require_relative "/etc/fluent/plugin/constants"
 require_relative "ConfigParseErrorLogger"

@@ -2,11 +2,7 @@
 
 #this should be require relative in Linux and require in windows, since it is a gem install on windows
 @os_type = ENV["OS_TYPE"]
-if !@os_type.nil? && !@os_type.empty? && @os_type.strip.casecmp("windows") == 0
-  require "tomlrb"
-else
-  require_relative "tomlrb"
-end
+require "tomlrb"
 
 require_relative "ConfigParseErrorLogger"
 

@@ -2,12 +2,8 @@
 
 #this should be require relative in Linux and require in windows, since it is a gem install on windows
 @os_type = ENV["OS_TYPE"]
-if !@os_type.nil? && !@os_type.empty? && @os_type.strip.casecmp("windows") == 0
-  require "tomlrb"
-else
-  require_relative "tomlrb"
-end
-# require_relative "tomlrb"
+require "tomlrb"
+
 require_relative "ConfigParseErrorLogger"
 require "fileutils"
 

@@ -2,11 +2,7 @@
 
 #this should be require relative in Linux and require in windows, since it is a gem install on windows
 @os_type = ENV["OS_TYPE"]
-if !@os_type.nil? && !@os_type.empty? && @os_type.strip.casecmp("windows") == 0
-  require "tomlrb"
-else
-  require_relative "tomlrb"
-end
+require "tomlrb"
 
 require_relative "ConfigParseErrorLogger"
 

@@ -20,15 +20,6 @@ MAINTAINER:              'Microsoft Corporation'
 
 /etc/opt/microsoft/docker-cimprov/container.conf;			    build/linux/installer/conf/container.conf;                      644; root; root
 
-/opt/tomlrb.rb;                                                 source/toml-parser/tomlrb.rb; 644; root; root
-/opt/tomlrb/generated_parser.rb;                                source/toml-parser/tomlrb/generated_parser.rb; 644; root; root
-/opt/tomlrb/handler.rb;                                         source/toml-parser/tomlrb/handler.rb; 644; root; root
-/opt/tomlrb/parser.rb;                                          source/toml-parser/tomlrb/parser.rb; 644; root; root
-/opt/tomlrb/parser.y;                                           source/toml-parser/tomlrb/parser.y; 644; root; root
-/opt/tomlrb/scanner.rb;                                         source/toml-parser/tomlrb/scanner.rb; 644; root; root
-/opt/tomlrb/string_utils.rb;                                    source/toml-parser/tomlrb/string_utils.rb; 644; root; root
-/opt/tomlrb/version.rb;                                         source/toml-parser/tomlrb/version.rb; 644; root; root
-
 /opt/td-agent-bit/bin/out_oms.so;                                       intermediate/${{BUILD_CONFIGURATION}}/out_oms.so;  	755; root; root
 /etc/opt/microsoft/docker-cimprov/prometheus-side-car.conf;		         build/linux/installer/conf/prometheus-side-car.conf;                    644; root; root
 /etc/opt/microsoft/docker-cimprov/td-agent-bit.conf;			            build/linux/installer/conf/td-agent-bit.conf;                    644; root; root

@@ -1,7 +1,7 @@
 #!/usr/local/bin/ruby
 # frozen_string_literal: true
 
-require_relative "tomlrb"
+require "tomlrb"
 require_relative "ConfigParseErrorLogger"
 require_relative "/etc/fluent/plugin/constants"
 

@@ -2,11 +2,7 @@
 
 #this should be require relative in Linux and require in windows, since it is a gem install on windows
 @os_type = ENV["OS_TYPE"]
-if !@os_type.nil? && !@os_type.empty? && @os_type.strip.casecmp("windows") == 0
-  require "tomlrb"
-else
-  require_relative "tomlrb"
-end
+require "tomlrb"
 
 require_relative "ConfigParseErrorLogger"
 

@@ -1,6 +1,6 @@
 #!/usr/local/bin/ruby
 
-require_relative "tomlrb"
+require "tomlrb"
 require "fileutils"
 require_relative "ConfigParseErrorLogger"
 

@@ -1,5 +1,5 @@
 <source>
-  type heartbeat_request
+  @type heartbeat_request
   run_interval 30m
   @log_level info
 </source>

@@ -88,6 +88,8 @@ checkAgentOnboardingStatus() {
       fi
 }
 
+# setup paths for ruby
+[ -f /etc/profile.d/rvm.sh ] && source /etc/profile.d/rvm.sh
 setReplicaSetSpecificConfig() {
       echo "num of fluentd workers:${NUM_OF_FLUENTD_WORKERS}"
       export FLUENTD_FLUSH_INTERVAL="20s"
@@ -453,7 +455,7 @@ source ~/.bashrc
 
 if [ "${CONTAINER_TYPE}" != "PrometheusSidecar" ]; then
       #Parse the configmap to set the right environment variables.
-      /usr/bin/ruby2.7 tomlparser.rb
+      ruby tomlparser.rb
 
       cat config_env_var | while read line; do
             echo $line >>~/.bashrc
@@ -464,15 +466,15 @@ fi
 #Parse the configmap to set the right environment variables for agent config.
 #Note > tomlparser-agent-config.rb has to be parsed first before td-agent-bit-conf-customizer.rb for fbit agent settings
 if [ "${CONTAINER_TYPE}" != "PrometheusSidecar" ]; then
-      /usr/bin/ruby2.7 tomlparser-agent-config.rb
+      ruby tomlparser-agent-config.rb
 
       cat agent_config_env_var | while read line; do
             echo $line >> ~/.bashrc
       done
       source agent_config_env_var
 
       #Parse the configmap to set the right environment variables for network policy manager (npm) integration.
-      /usr/bin/ruby2.7 tomlparser-npm-config.rb
+      ruby tomlparser-npm-config.rb
 
       cat integration_npm_config_env_var | while read line; do
             echo $line >> ~/.bashrc
@@ -482,11 +484,11 @@ fi
 
 #Replace the placeholders in td-agent-bit.conf file for fluentbit with custom/default values in daemonset
 if [ ! -e "/etc/config/kube.conf" ] && [ "${CONTAINER_TYPE}" != "PrometheusSidecar" ]; then
-      /usr/bin/ruby2.7 td-agent-bit-conf-customizer.rb
+      ruby td-agent-bit-conf-customizer.rb
 fi
 
 #Parse the prometheus configmap to create a file with new custom settings.
-/usr/bin/ruby2.7 tomlparser-prom-customconfig.rb
+ruby tomlparser-prom-customconfig.rb
 
 #Setting default environment variables to be used in any case of failure in the above steps
 if [ ! -e "/etc/config/kube.conf" ]; then
@@ -520,7 +522,7 @@ fi
 if [ ! -e "/etc/config/kube.conf" ]; then
       if [ "${CONTAINER_TYPE}" == "PrometheusSidecar" ]; then
             #Parse the agent configmap to create a file with new custom settings.
-            /usr/bin/ruby2.7 tomlparser-prom-agent-config.rb
+            ruby tomlparser-prom-agent-config.rb
             #Sourcing config environment variable file if it exists
             if [ -e "side_car_fbit_config_env_var" ]; then
                   cat side_car_fbit_config_env_var | while read line; do
@@ -533,15 +535,15 @@ fi
 
 #Parse the configmap to set the right environment variables for MDM metrics configuration for Alerting.
 if [ "${CONTAINER_TYPE}" != "PrometheusSidecar" ]; then
-      /usr/bin/ruby2.7 tomlparser-mdm-metrics-config.rb
+      ruby tomlparser-mdm-metrics-config.rb
 
       cat config_mdm_metrics_env_var | while read line; do
             echo $line >>~/.bashrc
       done
       source config_mdm_metrics_env_var
 
       #Parse the configmap to set the right environment variables for metric collection settings
-      /usr/bin/ruby2.7 tomlparser-metric-collection-config.rb
+      ruby tomlparser-metric-collection-config.rb
 
       cat config_metric_collection_env_var | while read line; do
             echo $line >>~/.bashrc
@@ -552,7 +554,7 @@ fi
 # OSM scraping to be done in replicaset if sidecar car scraping is disabled and always do the scraping from the sidecar (It will always be either one of the two)
 if [[ ( ( ! -e "/etc/config/kube.conf" ) && ( "${CONTAINER_TYPE}" == "PrometheusSidecar" ) ) ||
       ( ( -e "/etc/config/kube.conf" ) && ( "${SIDECAR_SCRAPING_ENABLED}" == "false" ) ) ]]; then
-      /usr/bin/ruby2.7 tomlparser-osm-config.rb
+      ruby tomlparser-osm-config.rb
 
       if [ -e "integration_osm_config_env_var" ]; then
             cat integration_osm_config_env_var | while read line; do
@@ -649,7 +651,8 @@ if [ "$CONTAINER_RUNTIME" != "docker" ]; then
 fi
 
 echo "set caps for ruby process to read container env from proc"
-sudo setcap cap_sys_ptrace,cap_dac_read_search+ep /usr/bin/ruby2.7
+RUBY_PATH=$(which ruby)
+sudo setcap cap_sys_ptrace,cap_dac_read_search+ep "$RUBY_PATH"
 echo "export KUBELET_RUNTIME_OPERATIONS_METRIC="$KUBELET_RUNTIME_OPERATIONS_METRIC >> ~/.bashrc
 echo "export KUBELET_RUNTIME_OPERATIONS_ERRORS_METRIC="$KUBELET_RUNTIME_OPERATIONS_ERRORS_METRIC >> ~/.bashrc
 

@@ -1,3 +1,5 @@
+#!/bin/bash
+
 TMPDIR="/opt"
 cd $TMPDIR
 
@@ -11,6 +13,20 @@ fi
 #upgrade apt to latest version
 apt-get update && apt-get install -y apt && DEBIAN_FRONTEND=noninteractive apt-get install -y locales
 
+
+curl -sSL https://rvm.io/mpapis.asc | gpg --import -
+curl -sSL https://rvm.io/pkuczynski.asc | gpg --import -
+curl -sSL https://get.rvm.io | bash -s stable
+
+# setup paths for ruby and rvm
+if [ -f /etc/profile.d/rvm.sh ]; then
+    source /etc/profile.d/rvm.sh
+    echo "[ -f /etc/profile.d/rvm.sh ] && source /etc/profile.d/rvm.sh" >> ~/.bashrc
+fi
+
+rvm install 3.1.1
+rvm --default use 3.1.1
+
 sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
     dpkg-reconfigure --frontend=noninteractive locales && \
     update-locale LANG=en_US.UTF-8
@@ -57,15 +73,11 @@ sudo echo "deb https://packages.fluentbit.io/ubuntu/bionic bionic main" >> /etc/
 sudo apt-get update
 sudo apt-get install td-agent-bit=1.7.8 -y
 
-# install ruby2.7
-sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F5DA5F09C3173AA6
-sudo echo "deb http://ppa.launchpad.net/brightbox/ruby-ng/ubuntu bionic main" >> /etc/apt/sources.list
-sudo apt-get update
-sudo apt-get install ruby2.7 ruby2.7-dev gcc make -y
 # fluentd v1 gem
-gem install fluentd -v "1.14.2" --no-document
+gem install fluentd -v "1.14.6" --no-document
 fluentd --setup ./fluent
 gem install gyoku iso8601 --no-doc
+gem install tomlrb -v "2.0.1" --no-document
 
 
 rm -f $TMPDIR/docker-cimprov*.sh
@@ -75,7 +87,8 @@ rm -f $TMPDIR/envmdsd
 rm -f $TMPDIR/telegraf-*.tar.gz
 
 # remove build dependencies
-sudo apt-get remove ruby2.7-dev gcc make -y
+sudo apt-get remove gcc make -y
+sudo apt autoremove -y
 
 # Remove settings for cron.daily that conflict with the node's cron.daily. Since both are trying to rotate the same files
 # in /var/log at the same time, the rotation doesn't happen correctly and then the *.1 file is forever logged to.

@@ -11,28 +11,27 @@ ARG IMAGE_TAG=win-ciprod06142022
 # Docker creates a layer for every RUN-Statement
 RUN powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
 # Fluentd depends on cool.io whose fat gem is only available for Ruby < 2.5, so need to specify --platform ruby when install Ruby > 2.5 and install msys2 to get dev tools
-RUN choco install -y ruby --version 2.7.5.1 --params "'/InstallDir:C:\ruby27'" \
-&& choco install -y msys2 --version 20211130.0.0 --params "'/NoPath /NoUpdate /InstallDir:C:\ruby27\msys64'" \
+RUN choco install -y ruby --version 3.1.1.1 --params "'/InstallDir:C:\ruby31'" \
+&& choco install -y msys2 --version 20211130.0.0 --params "'/NoPath /NoUpdate /InstallDir:C:\ruby31\msys64'" \
 && choco install -y vim
 
 # gangams - optional MSYS2 update via ridk failing in merged docker file so skipping that since we dont need optional update
 RUN refreshenv \
 && ridk install 3 \
 && echo gem: --no-document >> C:\ProgramData\gemrc \
-&& gem install cool.io -v 1.5.4 --platform ruby \
+&& gem install cool.io -v 1.7.1 --platform ruby \
 && gem install oj -v 3.3.10 \
-&& gem install json -v 2.2.0 \
-&& gem install fluentd -v 1.14.2 \
+&& gem install fluentd -v 1.14.6 \
 && gem install win32-service -v 1.0.1 \
 && gem install win32-ipc -v 0.7.0 \
 && gem install win32-event -v 0.6.3 \
 && gem install windows-pr -v 1.2.6 \
-&& gem install tomlrb -v 1.3.0 \
+&& gem install tomlrb -v 2.0.1 \
 && gem install gyoku -v 1.3.1 \
 && gem sources --clear-all
 
 # Remove gem cache and chocolatey
-RUN powershell -Command "Remove-Item -Force C:\ruby27\lib\ruby\gems\2.7.0\cache\*.gem; Remove-Item -Recurse -Force 'C:\ProgramData\chocolatey'"
+RUN powershell -Command "Remove-Item -Force C:\ruby31\lib\ruby\gems\3.1.0\cache\*.gem; Remove-Item -Recurse -Force 'C:\ProgramData\chocolatey'"
 
 SHELL ["powershell"]
 

@@ -8,8 +8,8 @@ LABEL vendor=Microsoft\ Corp \
 # Docker creates a layer for every RUN-Statement
 RUN powershell -Command "Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))"
 # Fluentd depends on cool.io whose fat gem is only available for Ruby < 2.5, so need to specify --platform ruby when install Ruby > 2.5 and install msys2 to get dev tools
-RUN choco install -y ruby --version 2.7.5.1 --params "'/InstallDir:C:\ruby27'" \
-&& choco install -y msys2 --version 20210604.0.0 --params "'/NoPath /NoUpdate /InstallDir:C:\ruby27\msys64'" \
+RUN choco install -y ruby --version 3.1.1.1 --params "'/InstallDir:C:\ruby31'" \
+&& choco install -y msys2 --version 20210604.0.0 --params "'/NoPath /NoUpdate /InstallDir:C:\ruby31\msys64'" \
 && choco install -y vim
 
 # gangams - optional MSYS2 update via ridk failing in merged docker file so skipping that since we dont need optional update
@@ -29,7 +29,7 @@ RUN refreshenv \
 && gem sources --clear-all
 
 # Remove gem cache and chocolatey
-RUN powershell -Command "Remove-Item -Force C:\ruby27\lib\ruby\gems\2.7.0\cache\*.gem; Remove-Item -Recurse -Force 'C:\ProgramData\chocolatey'"
+RUN powershell -Command "Remove-Item -Force C:\ruby31\lib\ruby\gems\3.1.0\cache\*.gem; Remove-Item -Recurse -Force 'C:\ProgramData\chocolatey'"
 
 SHELL ["powershell"]
 

@@ -7,7 +7,7 @@ class ApplicationInsightsUtility
   require_relative "DockerApiClient"
   require_relative "oms_common"
   require_relative "proxy_utils"
-  require "yajl/json_gem"
+  require "json"
   require "base64"
 
   @@HeartBeat = "HeartBeatEvent"

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 class CAdvisorMetricsAPIClient
-  require "yajl/json_gem"
+  require "json"
   require "logger"
   require "net/http"
   require "net/https"

@@ -2,7 +2,7 @@
 # frozen_string_literal: true
 
 class ContainerInventoryState
-    require 'yajl/json_gem'
+    require 'json'
     require_relative 'omslog'
     @@InventoryDirectory = "/var/opt/microsoft/docker-cimprov/state/ContainerInventory/"
 

@@ -3,7 +3,7 @@
 
 class DockerApiClient
   require "socket"
-  require "yajl/json_gem"
+  require "json"
   require "timeout"
   require_relative "omslog"
   require_relative "DockerApiRestHelper"