Add vectorscan (same abi as hyperscan) for arm 64 #29881
Conversation
|
Hi @sambercovici, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
repokitteh-read-only
bot
added
the
deps
|
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to |
Signed-off-by: Samuel Bercovici <[email protected]>
this is now handled downstream Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Samuel Bercovici <[email protected]>
…y#29845) Signed-off-by: Ryan Northey <[email protected]> Signed-off-by: Samuel Bercovici <[email protected]>
Signed-off-by: Samuel Bercovici <[email protected]>
Signed-off-by: Samuel Bercovici <[email protected]>
Signed-off-by: Samuel Bercovici <[email protected]>
sambercovici
force-pushed
the
Add-Vectorscan-(same-ABI-as-Hyperscan)-for-Arm-64
branch
from
c909e2a
to
8b34041
Compare
Signed-off-by: Samuel Bercovici <[email protected]>
Signed-off-by: Samuel Bercovici <[email protected]>
Signed-off-by: Samuel Bercovici <[email protected]>
bazel/foreign_cc/vectorscan.patch
Outdated
| #define AARCH64_CPUID_INLINE_H_ | ||
|
|
||
| #if defined(__linux__) | ||
| +#include <asm/hwcap.h> |
There was a problem hiding this comment.
opened VectorCamp/vectorscan#176 waiting for response on ISSUE-1 there
There was a problem hiding this comment.
There was a problem hiding this comment.
Will this be fixed before we merge?
There was a problem hiding this comment.
You may want to wait a few days, it will be included yes, but I'm fixing clang 15/16 issues right now as they are higher priority and ironing out a few issues with the new CI. I'll post an update here when that happens.
| @@ -484,6 +484,24 @@ REPOSITORY_LOCATIONS_SPEC = dict( | |||
| license = "BSD-3-Clause", | |||
| license_url = "https:/intel/hyperscan/blob/v{version}/LICENSE", | |||
| ), | |||
| io_vectorscan = dict( | |||
| project_name = "Vectorscan", | |||
There was a problem hiding this comment.
Can you run through https:/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md?
Given regex processing can in many paces be considered security sensitive (correctness of rule matching, CPU/memory DoS for example), I'd like to weigh up the win we're getting from this dependency, which seems to be a community fork.
There was a problem hiding this comment.
Hi @htuch
The vectorscan is a company (https://www.vectorcamp.gr/) and community led fork (under paid contract: https://www.vectorcamp.gr/2020/05/09/we-are-thrilled-to-announce-our-first-customer/) to support hyperscan ABI in Arm CPUs and additional CPUs with the same license, same tests, scans and fixes.
see: #29276 (comment) for additional information on CI builds, tests, etc.
Let me know if you want me to fill the items as described in: https:/envoyproxy/envoy/blob/main/DEPENDENCY_POLICY.md
-Sam.
There was a problem hiding this comment.
Thanks - yeah, please fill in the table so we can evaluate this new dep.
There was a problem hiding this comment.
Adding VectorCamp/vectorscan#177 as reference.
-
Cloud Native Computing Foundation (CNCF) approved license - BSD License - https:/VectorCamp/vectorscan/blob/vectorscan/5.4.10.1/LICENSE
-
Dependencies must not substantially increase the binary size unless they are optional (i.e. confined to specific extensions) - same as hyperscan which is approved.
-
No duplication of existing dependencies - Hyperscan does not cover Arm CPUs, Vectorscan is used instead.
-
Hosted on a git repository and the archive fetch must directly reference this repository. We will NOT support intermediate artifacts built by-hand located on GCS, S3, etc. - YES - https:/VectorCamp/vectorscan
-
CVE history appears reasonable, no pathological CVE arcs - Should be similar to Hyperscan
-
Code review (ideally PRs) before merge - YES - see: Add Vectorscan (same ABI as Hyperscan) for Arm 64 #29276 (comment)
-
Security vulnerability process exists, with contact details and reporting/disclosure process - YES - see: Governance Questions VectorCamp/vectorscan#177 (comment)
-
1 contributor responsible for a non-trivial number of commits - YES - see: https:/VectorCamp/vectorscan/graphs/contributors
-
Tests run in CI - YES - see: Add Vectorscan (same ABI as Hyperscan) for Arm 64 #29276 (comment) and Governance Questions VectorCamp/vectorscan#177 (comment)
-
High test coverage (also static/dynamic analysis, fuzzing) - YES - see: Add Vectorscan (same ABI as Hyperscan) for Arm 64 #29276 (comment)
-
Envoy can obtain advanced notification of vulnerabilities or of security releases - Not sure
-
Do other significant projects have shared fate by using this dependency? - ClickHouse
-
Releases (with release notes) - YES
-
Commits/releases in last 90 days - YES - see: https:/VectorCamp/vectorscan/graphs/commit-activity
There was a problem hiding this comment.
OSSF Scorecard result is low. Security policy and code review would help.
scorecard --repo=https:/VectorCamp/vectorscan/
RESULTS
-------
Aggregate score: 4.1 / 10
Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| SCORE | NAME | REASON | DOCUMENTATION/REMEDIATION |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts | no binaries found in the repo | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#binary-artifacts |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10 | Branch-Protection | branch protection is not | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#branch-protection |
| | | maximal on development and all | |
| | | release branches | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CI-Tests | 0 out of 6 merged PRs | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#ci-tests |
| | | checked by a CI test -- score | |
| | | normalized to 0 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | CII-Best-Practices | no effort to earn an OpenSSF | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#cii-best-practices |
| | | best practices badge detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 1 / 10 | Code-Review | found 6 unreviewed changesets | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#code-review |
| | | out of 7 -- score normalized | |
| | | to 1 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Contributors | 6 different organizations | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#contributors |
| | | found -- score normalized to | |
| | | 10 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Dangerous-Workflow | no workflows found | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#dangerous-workflow |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Dependency-Update-Tool | no update tool detected | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#dependency-update-tool |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Fuzzing | project is not fuzzed | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#fuzzing |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10 | License | license file detected | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#license |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Maintained | 30 commit(s) out of 30 and 0 | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#maintained |
| | | issue activity out of 30 found | |
| | | in the last 90 days -- score | |
| | | normalized to 10 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Packaging | no published package detected | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#packaging |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Pinned-Dependencies | no dependencies found | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#pinned-dependencies |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | SAST | SAST tool is not run on all | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#sast |
| | | commits -- score normalized to | |
| | | 0 | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 0 / 10 | Security-Policy | security policy file not | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#security-policy |
| | | detected | |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Signed-Releases | no releases found | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#signed-releases |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| ? | Token-Permissions | no github tokens found | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#token-permissions |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Vulnerabilities | no vulnerabilities detected | https:/ossf/scorecard/blob/7a94273ba14c1c702688f9efb57754d9fe112519/docs/checks.md#vulnerabilities |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------------------|
There was a problem hiding this comment.
fwiw, all PRs are CI tested (about 100 configurations), unfortunately there is a new CI in development now (buildbot-based) which is not yet integrated with Github. This was already in progress for weeks and it should be ready the next days. FTR, here is the new CI: https://buildbot-ci.vectorcamp.gr/
There was a problem hiding this comment.
Also, we do the Debian packaging ourselves, it's directly uploaded to Debian and Ubuntu, there is a debian branch for that purpose. We will not produce Binary releases, signed or unsigned within Github. For the same reason, dependency tracking is either done in the CMakeFile or the debian package.
There was a problem hiding this comment.
The score is artificially low. see: #29276 (comment)
|
Hi @htuch , how can we progress? |
|
I think that given we're in the same position as Hyperscan, this is |
|
@htuch what's the next step; are more changes required or should we add more review comments? Or is it time to close or merge this? I have no horse in this race and have not read the code; just trying to figure out how triage the PR as maintainer oncall. |
|
I was waiting for https:/envoyproxy/envoy/pull/29881/files#r1348331292 to be resolved, CC @markos who has the AI on that. LGTM when that is fixed, or if the fix is going to be substantively delayed, we can merge now if a followup issue is filed. |
|
/wait-any on the unresolved issues being resolved |
|
@htuch the new release of vectorscan with this fix, will happen the next days. In the meantime, I just learned myself about recent changes in hyperscan license: https://networkbuilders.intel.com/docs/networkbuilders/accelerate-snort-performance-with-hyperscan-and-intel-xeon-processors-on-public-clouds-1680176363.pdf (section 2.2) You might want to consider that for the future. |
|
Relevant passage is:
I think this means we will be unable to promote Hyperscan to a non-contrib extension, unless there is some LTS assurance on security releases. What will Vectorscan do going forward? CC @envoyproxy/dependency-shepherds |
|
@markos LMK when fixed and I can merge. /wait |
|
@htuch https:/VectorCamp/vectorscan/releases/tag/vectorscan%2F5.4.11 thanks for being patient. |
Signed-off-by: Samuel Bercovici <[email protected]>
repokitteh-read-only
bot
added
deps
|
@sambercovici @htuch I've already uploaded it to Debian: https://buildd.debian.org/status/package.php?p=vectorscan nothing else is left on my side. Thanks for supporting the project. |
Signed-off-by: Samuel Bercovici <[email protected]>
Head branch was pushed to by a user without write access
Signed-off-by: Samuel Bercovici <[email protected]>
Signed-off-by: Samuel Bercovici <[email protected]>
Signed-off-by: Samuel Bercovici <[email protected]>
Signed-off-by: Samuel Bercovici <[email protected]>
…ttps:/sambercovici/envoy into Add-Vectorscan-(same-ABI-as-Hyperscan)-for-Arm-64 Signed-off-by: Samuel Bercovici <[email protected]>
|
Hi @htuch , @markos added for vectorscan 5.4.11 mandatory dependencies on pkg-config and libsqlite3-dev. Envoy dev/build environment does not include those dependency. @markos , please consider making pkg-config optional and detect that sqlite3 does not exists, so I can remove that patches. -Sam. |
I have no objections making sqlite optional, but pkg-config will stay. I find no reason to duplicate its functionality in the cmakefiles and in the future other possible dependencies will also be able to use it. It's in every distro and it's a really small dependency. |
|
@htuch , I suggest we merge as is and when the build container(s) / dev instructions adds pkg-config, I will remove the patch part NOT mandating it, ok? |
repokitteh-read-only
bot
removed
the
deps
|
OK, this has lingered for super long so let's jut merge but I think we shouldn't need an sqlite dependency and I'm hoping there is some clean way to resolve the pkgconfig thing. |
Commit Message: Fix #29276
Additional Description: Use Vectorscan for Arm 64 CPUs
Risk Level: Low
Testing: Covered by original commit
Docs Changes:
Release Notes:
Platform Specific Features: aarch64