chrooted bash executor

Signed-off-by: Mikhail Scherba <mikhail.scherba@flant.com>

go.mod

@@ -9,8 +9,8 @@ require (
 	github.com/dominikbraun/graph v0.23.0
 	github.com/ettle/strcase v0.2.0
 	github.com/flant/kube-client v1.2.2
-	github.com/flant/shell-operator v1.5.4-0.20250205135215-f632bb655900
-	github.com/go-chi/chi/v5 v5.2.0
+	github.com/flant/shell-operator v1.5.4-0.20250220090051-5657f1fec5bf
+	github.com/go-chi/chi/v5 v5.2.1
 	github.com/go-openapi/loads v0.19.5
 	github.com/go-openapi/spec v0.19.8
 	github.com/go-openapi/strfmt v0.19.5
@@ -85,7 +85,7 @@ require (
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/gojuno/minimock/v3 v3.4.3 // indirect
+	github.com/gojuno/minimock/v3 v3.4.5 // indirect
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.0.1 // indirect
@@ -163,7 +163,7 @@ require (
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/time v0.10.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.36.1 // indirect

go.sum

@@ -138,8 +138,8 @@ github.com/flant/kube-client v1.2.2 h1:27LBs+PKJEFnkQXjPU9eIps7a7iyI13AKcSYj897D
 github.com/flant/kube-client v1.2.2/go.mod h1:eMa3aJ6V1PRWSQ/RCROkObDpY4S74uM84SJS4G/LINg=
 github.com/flant/libjq-go v1.6.3-0.20201126171326-c46a40ff22ee h1:evii83J+/6QGNvyf6tjQ/p27DPY9iftxIBb37ALJRTg=
 github.com/flant/libjq-go v1.6.3-0.20201126171326-c46a40ff22ee/go.mod h1:f+REaGl/+pZR97rbTcwHEka/MAipoQQ2Mc0iQUj4ak0=
-github.com/flant/shell-operator v1.5.4-0.20250205135215-f632bb655900 h1:CLG+boH2YkiJykuXZEGUncGjGYk7WgFMJHe1gq9Jdbk=
-github.com/flant/shell-operator v1.5.4-0.20250205135215-f632bb655900/go.mod h1:pyR9mte3tgcocQJPgyTH2wTzm6JsQQOuRElrd92O2Ks=
+github.com/flant/shell-operator v1.5.4-0.20250220090051-5657f1fec5bf h1:ksykOf308A8vgmL7Xe8GIEFq09JHwTNMB0o/JkVCogs=
+github.com/flant/shell-operator v1.5.4-0.20250220090051-5657f1fec5bf/go.mod h1:vfhZxDVSb/v+e8+roBtz+oe8mqahvizfIPCzhFq/7HE=
 github.com/fogleman/gg v1.3.0 h1:/7zJX8F6AaYQc57WQCyN9cAIz+4bCJGO9B+dyW29am8=
 github.com/fogleman/gg v1.3.0/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI=
@@ -149,8 +149,8 @@ github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUork
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
-github.com/go-chi/chi/v5 v5.2.0 h1:Aj1EtB0qR2Rdo2dG4O94RIU35w2lvQSj6BRA4+qwFL0=
-github.com/go-chi/chi/v5 v5.2.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
+github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
@@ -246,8 +246,8 @@ github.com/gofrs/uuid/v5 v5.3.0/go.mod h1:CDOjlDMVAtN56jqyRUZh58JT31Tiw7/oQyEXZV
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/gojuno/minimock/v3 v3.4.3 h1:CGH14iGxTd6kW6ZetOA/teusRN710VQ2nq8SdEuI3OQ=
-github.com/gojuno/minimock/v3 v3.4.3/go.mod h1:b+hbQhEU0Csi1eyzpvi0LhlmjDHyCDPzwhXbDaKTSrQ=
+github.com/gojuno/minimock/v3 v3.4.5 h1:Jcb0tEYZvVlQNtAAYpg3jCOoSwss2c1/rNugYTzj304=
+github.com/gojuno/minimock/v3 v3.4.5/go.mod h1:o9F8i2IT8v3yirA7mmdpNGzh1WNesm6iQakMtQV6KiE=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 h1:DACJavvAHhabrF08vX0COfcOBJRhZ8lUbR+ZWIs0Y5g=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -701,8 +701,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
-golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.10.0 h1:3usCWA8tQn0L8+hFJQNgzpWbd89begxN66o1Ojdn5L4=
+golang.org/x/time v0.10.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

pkg/addon-operator/admission_http_server.go

@@ -2,6 +2,7 @@ package addon_operator
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"log/slog"
 	"net/http"
@@ -57,7 +58,11 @@ func (as *AdmissionServer) start(ctx context.Context) {
 		cert := path.Join(as.certsDir, "tls.crt")
 		key := path.Join(as.certsDir, "tls.key")
 		if err := srv.ListenAndServeTLS(cert, key); err != nil {
-			log.Fatal("admission server listen and serve tls", log.Err(err))
+			if errors.Is(err, http.ErrServerClosed) {
+				log.Info("admission server stopped")
+			} else {
+				log.Fatal("admission server listen and serve tls", log.Err(err))
+			}
 		}
 	}()
 

pkg/addon-operator/bootstrap.go

@@ -84,6 +84,7 @@ func (op *AddonOperator) SetupModuleManager(modulesDir string, globalHooksDir st
 		ModulesDir:     modulesDir,
 		GlobalHooksDir: globalHooksDir,
 		TempDir:        tempDir,
+		ChrootDir:      app.ShellChrootDir,
 	}
 	deps := module_manager.ModuleManagerDependencies{
 		KubeObjectPatcher:    op.engine.ObjectPatcher,

pkg/addon-operator/operator.go

@@ -82,9 +82,6 @@ type AddonOperator struct {
 	// HelmResourcesManager monitors absent resources created for modules.
 	HelmResourcesManager helm_resources_manager.HelmResourcesManager
 
-	// converge state
-	ConvergeState *converge.ConvergeState
-
 	// Initial KubeConfig to bypass initial loading from the ConfigMap.
 	InitialKubeConfig *config.KubeConfig
 
@@ -105,6 +102,10 @@ type AddonOperator struct {
 	discoveredGVKs map[string]struct{}
 
 	Logger *log.Logger
+
+	l sync.Mutex
+	// converge state
+	ConvergeState *converge.ConvergeState
 }
 
 type parallelQueueEvent struct {
@@ -832,14 +833,17 @@ func (op *AddonOperator) HandleConvergeModules(t sh_task.Task, logLabels map[str
 					enabledModules[enabledModule] = struct{}{}
 				}
 
-				for _, moduleName := range op.ModuleManager.GetModuleNames() {
-					if _, enabled := enabledModules[moduleName]; !enabled {
-						op.ModuleManager.SendModuleEvent(events.ModuleEvent{
-							ModuleName: moduleName,
-							EventType:  events.ModuleDisabled,
-						})
+				logEntry.Debug("ConvergeModules: send module disabled events")
+				go func() {
+					for _, moduleName := range op.ModuleManager.GetModuleNames() {
+						if _, enabled := enabledModules[moduleName]; !enabled {
+							op.ModuleManager.SendModuleEvent(events.ModuleEvent{
+								ModuleName: moduleName,
+								EventType:  events.ModuleDisabled,
+							})
+						}
 					}
-				}
+				}()
 			}
 			tasks := op.CreateConvergeModulesTasks(state, t.GetLogLabels(), string(taskEvent))
 
@@ -2685,6 +2689,7 @@ func (op *AddonOperator) CheckCRDsEnsured(t sh_task.Task) {
 func (op *AddonOperator) CheckConvergeStatus(t sh_task.Task) {
 	convergeTasks := ConvergeTasksInQueue(op.engine.TaskQueues.GetMain())
 
+	op.l.Lock()
 	// Converge state is 'Started'. Update StartedAt and
 	// Activation if the converge process is just started.
 	if convergeTasks > 0 && op.ConvergeState.StartedAt == 0 {
@@ -2704,6 +2709,7 @@ func (op *AddonOperator) CheckConvergeStatus(t sh_task.Task) {
 
 	// Update field for the first converge.
 	op.UpdateFirstConvergeStatus(convergeTasks)
+	op.l.Unlock()
 
 	// Report modules left to process.
 	if convergeTasks > 0 && (t.GetType() == task.ModuleRun || t.GetType() == task.ModuleDelete) {

pkg/app/app.go

@@ -33,6 +33,7 @@ var (
 
 	GlobalHooksDir = "global-hooks"
 	ModulesDir     = "modules"
+	ShellChrootDir = ""
 
 	UnnumberedModuleOrder = 1
 
@@ -166,6 +167,11 @@ func DefineStartCommandFlags(kpApp *kingpin.Application, cmd *kingpin.CmdClause)
 		Default(CRDsFilters).
 		StringVar(&CRDsFilters)
 
+	cmd.Flag("shell-chroot-dir", "Defines the path where shell scripts (shell hooks and enabled scripts) will be chrooted to.").
+		Envar("ADDON_OPERATOR_SHELL_CHROOT_DIR").
+		Default("").
+		StringVar(&ShellChrootDir)
+
 	shapp.DefineKubeClientFlags(cmd)
 	shapp.DefineJqFlags(cmd)
 	shapp.DefineLoggingFlags(cmd)

pkg/helm_resources_manager/helm_resources_manager.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"sync"
 
 	"github.com/deckhouse/deckhouse/pkg/log"
 	"k8s.io/apimachinery/pkg/labels"
@@ -42,11 +43,12 @@ type helmResourcesManager struct {
 
 	kubeClient *klient.Client
 
-	monitors map[string]*ResourcesMonitor
-
 	eventCh chan ReleaseStatusEvent
 
 	logger *log.Logger
+
+	l        sync.RWMutex
+	monitors map[string]*ResourcesMonitor
 }
 
 var _ HelmResourcesManager = &helmResourcesManager{}
@@ -122,7 +124,9 @@ func (hm *helmResourcesManager) StartMonitor(moduleName string, manifests []mani
 
 	rm := NewResourcesMonitor(hm.ctx, cfg)
 
+	hm.l.Lock()
 	hm.monitors[moduleName] = rm
+	hm.l.Unlock()
 	rm.Start()
 }
 
@@ -143,55 +147,73 @@ func (hm *helmResourcesManager) absentResourcesCallback(moduleName string, unexp
 }
 
 func (hm *helmResourcesManager) StopMonitors() {
+	hm.l.RLock()
 	for moduleName := range hm.monitors {
 		hm.StopMonitor(moduleName)
 	}
+	hm.l.RUnlock()
 }
 
 func (hm *helmResourcesManager) PauseMonitors() {
+	hm.l.RLock()
 	for _, monitor := range hm.monitors {
 		monitor.Pause()
 	}
+	hm.l.RUnlock()
 }
 
 func (hm *helmResourcesManager) ResumeMonitors() {
+	hm.l.RLock()
 	for _, monitor := range hm.monitors {
 		monitor.Resume()
 	}
+	hm.l.RUnlock()
 }
 
 func (hm *helmResourcesManager) StopMonitor(moduleName string) {
+	hm.l.Lock()
 	if monitor, ok := hm.monitors[moduleName]; ok {
 		monitor.Stop()
 		delete(hm.monitors, moduleName)
 	}
+	hm.l.Unlock()
 }
 
 func (hm *helmResourcesManager) PauseMonitor(moduleName string) {
+	hm.l.RLock()
 	if monitor, ok := hm.monitors[moduleName]; ok {
 		monitor.Pause()
 	}
+	hm.l.RUnlock()
 }
 
 func (hm *helmResourcesManager) ResumeMonitor(moduleName string) {
+	hm.l.RLock()
 	if monitor, ok := hm.monitors[moduleName]; ok {
 		monitor.Resume()
 	}
+	hm.l.RUnlock()
 }
 
 func (hm *helmResourcesManager) HasMonitor(moduleName string) bool {
+	hm.l.RLock()
 	_, ok := hm.monitors[moduleName]
+	hm.l.RUnlock()
 	return ok
 }
 
 func (hm *helmResourcesManager) AbsentResources(moduleName string) ([]manifest.Manifest, error) {
+	hm.l.RLock()
+	defer hm.l.RUnlock()
 	if monitor, ok := hm.monitors[moduleName]; ok {
 		return monitor.AbsentResources()
 	}
 	return nil, nil
 }
 
 func (hm *helmResourcesManager) GetMonitor(moduleName string) *ResourcesMonitor {
+	hm.l.RLock()
+	defer hm.l.RUnlock()
 	return hm.monitors[moduleName]
 }