Merge pull request #96 from theaog/main

CG only act when LOAD goes UP

tools/cg/Makefile

@@ -26,5 +26,5 @@ release: build
 	tar czvf cg.tgz cg cg.sum
 	rm -f cg cg.sum
 	git add cg.tgz
-	git commit -m "cg: release"
-	git push
+	# git commit -m "cg: release"
+	# git push

tools/cg/go.mod

@@ -5,8 +5,8 @@ go 1.20
 require (
 	github.com/docker/docker v23.0.1+incompatible
 	github.com/sirupsen/logrus v1.9.0
-	golang.org/x/crypto v0.6.0
 	golang.org/x/sys v0.5.0
+	golang.org/x/term v0.5.0
 )
 
 require (
@@ -24,7 +24,6 @@ require (
 	github.com/stretchr/testify v1.8.1 // indirect
 	golang.org/x/mod v0.8.0 // indirect
 	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/term v0.5.0 // indirect
 	golang.org/x/time v0.1.0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
 	gotest.tools/v3 v3.4.0 // indirect

tools/cg/go.sum

@@ -52,8 +52,6 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=

tools/cg/main.go

@@ -20,7 +20,7 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/client"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/term"
 )
 
 // set during compilation using ldflags
@@ -47,11 +47,6 @@ func main() {
 		ForceColors: true,
 	})
 
-	hostname, _ := os.Hostname()
-
-	log.Infof("ContainerGuard (CG) started protecting [%v]", hostname)
-	log.Infof("compiled on %v from commit %v", Buildtime, Version)
-
 	// number of virtual cores
 	var numCPU = runtime.NumCPU()
 	// MAX_LOAD defines the maximum amount of `strain` each CPU can have
@@ -60,33 +55,24 @@ func main() {
 	// last recorded loadavg after a trigger event
 	var LAST_LOAD float64 // default value 0.0
 
-	var count int
-	for range time.Tick(time.Second * time.Duration(*timerFlag)) {
+	hostname, _ := os.Hostname()
+	log.Infof("started protecting [%v] (%v load)", hostname, MAX_LOAD)
+	log.Infof("compiled on %v from commit %v", Buildtime, Version)
 
-		if sysLoad1mAvg() <= MAX_LOAD {
+	for range time.Tick(time.Second * time.Duration(*timerFlag)) {
+		CURRENT_LOAD := sysLoad1mAvg()
+
+		if CURRENT_LOAD <= MAX_LOAD {
 			continue
 		}
 
-		// protect legitimate users
-		if LAST_LOAD != 0.0 { // we got a trigger event
-			// after 60s stop protecting
-			if count > 60 / *timerFlag {
-				LAST_LOAD = 0.0
-				count = 0
-				continue
-			}
-
-			if sysLoad1mAvg() <= LAST_LOAD {
-				LAST_LOAD = sysLoad1mAvg()
-				count++
-				continue
-			}
-
-			// if load doesn't go down every `timerFlag``
-			LAST_LOAD = 0.0 // reset
+		// if load is going down don't trigger
+		if CURRENT_LOAD < LAST_LOAD {
+			LAST_LOAD = CURRENT_LOAD
+			continue
 		}
 
-		log.Warnf("[TRIGGER] load (%.2f) on cpu (%v) higher than max_load (%v)", sysLoad1mAvg(), numCPU, MAX_LOAD)
+		log.Warnf("[TRIGGER] load (%.2f) on cpu (%v) higher than max_load (%v)", CURRENT_LOAD, numCPU, MAX_LOAD)
 
 		// docker client
 		cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
@@ -100,7 +86,6 @@ func main() {
 			log.Error(err)
 		}
 
-		LAST_LOAD = sysLoad1mAvg()
 	}
 }
 
@@ -300,7 +285,7 @@ func _sendMessage(fd, message string) error {
 	// 	return fmt.Errorf("%v is NOT a socket! dodging attack...", file.Name())
 	// }
 
-	if !terminal.IsTerminal(int(file.Fd())) {
+	if !term.IsTerminal(int(file.Fd())) {
 		return fmt.Errorf("unable to write to %v: not a tty", file.Name())
 	}