Add hotreload.sh (#2110)

Molter73 · web-flow · commit b1458317d555 · 2025-06-17T14:46:56.000+02:00
* Add hotreload.sh

This script is inspired by the hotreload mode in the main repo.

When using a k8s cluster with access to the local filesystem (like kind,
k3s, minikube, etc.), it configures the collector container in the
collector daemonset to execute a locally built binary, which is useful
for iterating fast or running with sanitizers enabled.

The script also provides a --revert option for dropping the
configuration changes once they are no longer needed.

* Add THREAD_SANITIZER build configuration

This new option will compile the collector binary with thread sanitizer
support. libtsan is added to the image-dev in order for collector to be
able to use it at runtime. libubsan is also added since it was missing.

* Add some docs

* Fix inconsistent flag handle and check collector is deployed
diff --git a/collector/CMakeLists.txt b/collector/CMakeLists.txt
@@ -16,7 +16,13 @@ set(CMAKE_CXX_FLAGS_RELEASE "-O3 -fno-strict-aliasing -DNDEBUG")
 if(ADDRESS_SANITIZER)
 	set(DISABLE_PROFILING ON)
 	set(USE_VALGRIND OFF)
-	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize=undefined -DGRPC_ASAN_SUPRESSED")
+	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fsanitize=undefined -DGRPC_ASAN_SUPPRESSED")
+endif()
+
+if(THREAD_SANITIZER)
+	set(DISABLE_PROFILING ON)
+	set(USE_VALGRIND OFF)
+	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=thread -DGRPC_TSAN_SUPPRESSED")
 endif()
 
 if(USE_VALGRIND)
diff --git a/collector/Makefile b/collector/Makefile
@@ -24,6 +24,7 @@ cmake-configure/collector:
 			-DDISABLE_PROFILING=$(DISABLE_PROFILING) \
 			-DUSE_VALGRIND=$(USE_VALGRIND) \
 			-DADDRESS_SANITIZER=$(ADDRESS_SANITIZER) \
+			-DTHREAD_SANITIZER=$(THREAD_SANITIZER) \
 			-DTRACE_SINSP_EVENTS=$(TRACE_SINSP_EVENTS) \
 			-DBPF_DEBUG_MODE=$(BPF_DEBUG_MODE) \
 			-DCOLLECTOR_VERSION=$(COLLECTOR_VERSION)
diff --git a/collector/container/devel/install.sh b/collector/container/devel/install.sh
@@ -2,4 +2,4 @@
 set -eo pipefail
 
 dnf upgrade -y
-dnf install -y libasan elfutils-libelf
+dnf install -y libasan libubsan libtsan elfutils-libelf
diff --git a/docs/how-to-start.md b/docs/how-to-start.md
@@ -164,6 +164,24 @@ Or similarly via a CLI parameter:
 $ collector --grpc-server=
 ```
 
+## Hotreload on local k8s cluster
+
+If using some sort of local k8s cluster for development (KinD, k3s, minikube)
+that has access to your local filesystem, you can use the
+[hotreload.sh](../utilities/hotreload.sh) script to run the collector binary in
+the cluster without rebuilding the entire image.
+
+Start by deploying stackrox to your cluster using the `deploy-local.sh` script
+from the main repo, the run `hotreload.sh` to have the collector repository
+mounted into the collector container and its command changed to run the binary
+in `cmake-build/collector/collector`. Once that is done, you can recompile the
+binary by using the `make -C collector container/bin/collector` command or by
+exec'ing into the builder container directly and compiling from there with
+cmake.
+
+This is also an easy way to run collector under thread or address sanitizer, but
+you will need to deploy an image built with the `image-dev` make target.
+
 ### Development with an IDE (CLion)
 
 #### Setup
diff --git a/utilities/hotreload.sh b/utilities/hotreload.sh
@@ -0,0 +1,194 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+NAMESPACE="${NAMESPACE:-stackrox}"
+REVERT=0
+
+# The following line allows to symlink the script somewhere in PATH for
+# easier use, has no effect if run directly.
+REAL_SCRIPT="$(realpath "${BASH_SOURCE[0]}")"
+SCRIPT_DIR="$(cd -- "$( dirname -- "${REAL_SCRIPT}")" &> /dev/null && pwd)"
+COLLECTOR_PATH="$(realpath "${SCRIPT_DIR:-}/..")"
+
+function usage() {
+    cat << EOF
+$(basename "$0") [OPTIONS]
+
+Configure a running collector pod to use a local binary.
+
+OPTIONS:
+    -h, --help
+        Show this help.
+    -r, --revert
+        Remove any configuration added by this script.
+    -p, --path
+        Override the path to the collector repo.
+    -n, --namespace
+        Set the namespace the collector daemonset is deployed to.
+        Default: stackrox
+EOF
+}
+
+function die() {
+    echo >&2 "$1"
+    exit 1
+}
+
+function check_command() {
+    if ! command -v "$1" &> /dev/null; then
+        die "$1 not found. Make sure it is in your path"
+    fi
+}
+
+function krox() {
+    kubectl -n "${NAMESPACE}" "$@"
+}
+
+function patch_hotreload() {
+    cat << EOF | jq -Mc \
+        --arg hostPath "$COLLECTOR_PATH" \
+        '.spec.template.spec.volumes.[0].hostPath.path |= $hostPath'
+{
+  "spec": {
+    "template": {
+      "spec": {
+        "containers": [
+          {
+            "name": "collector",
+            "command": ["/host/src/cmake-build/collector/collector"],
+            "volumeMounts": [
+              {
+                "mountPath": "/host/src",
+                "name": "collector-src",
+                "readOnly": true
+              }
+            ]
+          }
+        ],
+        "volumes": [
+          {
+            "hostPath": {
+              "path": "\$hostPath",
+              "type": ""
+            },
+            "name": "collector-src"
+          }
+        ]
+      }
+    }
+  }
+}
+EOF
+}
+
+function revert_command() {
+    cat << EOF | jq -Mc
+{
+  "spec": {
+    "template": {
+      "spec": {
+        "containers": [
+          {
+            "name": "collector",
+            "command": ["collector"]
+          }
+        ]
+      }
+    }
+  }
+}
+EOF
+}
+
+function remove_mount() {
+     jq -Mcn \
+        --arg container "$1" \
+        --arg volume "$2" \
+        '[{"op":"remove","path":"/spec/template/spec/containers/\($container)/volumeMounts/\($volume)"}]'
+}
+
+function remove_volume() {
+     jq -Mcn \
+         --arg volume "$1" \
+         '[{"op":"remove","path":"/spec/template/spec/volumes/\($volume)"}]'
+}
+
+function find_index() {
+    local element="$1"
+    local filter="$2"
+    ret="$(krox get -o json ds/collector | jq "$element | map($filter) | index(true)")"
+    if [[ "$ret" == "null" ]]; then
+        die "Filter failed for '$filter'"
+    fi
+    echo "$ret"
+}
+
+function add_hotreload() {
+    krox patch ds collector -p "$(patch_hotreload)"
+}
+
+function revert_config() {
+    local collector_idx
+    collector_idx="$(find_index ".spec.template.spec.containers" '.name == "collector"')"
+    local mount_idx
+    mount_idx="$(find_index ".spec.template.spec.containers.[$collector_idx].volumeMounts" '.name == "collector-src"')"
+    local volume_idx
+    volume_idx="$(find_index ".spec.template.spec.volumes" '.name == "collector-src"')"
+
+    krox patch ds collector -p "$(revert_command)"
+    krox patch ds collector --type=json -p "$(remove_mount "$collector_idx" "$mount_idx")"
+    krox patch ds collector --type=json -p "$(remove_volume "$volume_idx")"
+}
+
+check_command jq
+check_command kubectl
+
+if ! krox get ds/collector &> /dev/null; then
+    die "collector daemonset not found (did you forget to deploy stackrox?)"
+fi
+
+TEMP=$(getopt -o 'hrp:n:' -l 'help,revert,path:,namespace:' -n "$0" -- "$@")
+
+# shellcheck disable=SC2181
+if [ $? -ne 0 ]; then
+    exit 1
+fi
+
+eval set -- "$TEMP"
+unset TEMP
+
+while true; do
+    case "${1:-}" in
+        '-h' | '--help')
+            usage
+            exit 0
+            ;;
+
+        '-r' | '--revert')
+            REVERT=1
+            shift
+            ;;
+
+        '-p' | '--path')
+            COLLECTOR_PATH="$2"
+            shift 2
+            ;;
+
+        '-n' | '--namespace')
+            NAMESPACE="$2"
+            shift 2
+            ;;
+
+        '--')
+            shift
+            break
+            ;;
+    esac
+done
+
+if ((REVERT)); then
+    revert_config
+else
+    add_hotreload
+fi
