[Translation] Flux is secure: gaining more confidence through fuzzing
2022-07-03 02:26:00 【programmer_ ada】
This article was originally published on the Flux Blog; the author is Daniel Holbach.
Next in our blog series on Flux security is how we implemented fuzzing for Flux and its controllers, and how that makes things safer for you.
Wikipedia explains fuzzing like this:
"Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Typically, fuzzers are used to test programs that take structured inputs. This structure is specified, e.g., in a file format or protocol, and distinguishes valid from invalid input. An effective fuzzer generates semi-valid inputs that are 'valid enough' in that they are not directly rejected by the parser, but do create unexpected behaviors deeper in the program, and are 'invalid enough' to expose corner cases that have not been properly dealt with."
We have quite good coverage from unit and end-to-end tests across the controllers. Adding fuzz tests to this mix extends the scope of testing further, so that it covers scenarios and payloads that were not covered before. Together with the fuzzing already done in the Kubernetes repositories, for example kubernetes, client-go and apimachinery, we have more confidence in our code.
We are happy to share that since the 0.27 release of Flux, all Flux controllers and libraries are now tested by Google's continuous fuzzing for open source software.
How we did that
When we announced the results of the security audit in November, we shared that the ADA Logics team had helped put together an initial fuzzing implementation for some of the Flux controllers. During this initial iteration, three issues were found (one slice out of bounds, two nil dereferences) and immediately fixed. Naturally, we were very interested in getting the fuzzing integration merged.
To land the fuzzing integration fully, we needed to make some architectural changes to the build process, especially for the controllers that depend on C bindings to libgit2, such as source-controller and image-automation-controller, which are now built statically. Beyond that, we also greatly expanded the scope of the fuzzers. If you look at the relevant pull request for notification-controller, you will get a good idea of all this, for example fuzzing all the notifiers.
Fuzzers now run for every commit that lands in the Flux controllers and libraries.
Thanks again to ADA Logics for their contribution. We also thank everyone else who helped with the integration, and we are very grateful to Google and OpenSSF, who provide and maintain the required infrastructure.
Next steps
Because Go will get built-in fuzzing support in 1.18, we are keen to organize everything closely around the new format, so that the transition from dvyukov/go-fuzz (currently in use) is smooth. (We can recommend Jay Conrod's blog post about the internals of Go's new fuzzing system, if you are curious!)
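As an added illustration (not code from Flux or from the original post), here is one fuzz target written in both formats mentioned above: the dvyukov/go-fuzz entry point and the Go 1.18 native form. The parser `parseRecord` and its record format are hypothetical, and the seed inputs are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"testing"
)

// parseRecord is a hypothetical function under test (not Flux code). It decodes
// a 2-byte big-endian length followed by that many payload bytes.
func parseRecord(data []byte) ([]byte, error) {
	if len(data) < 2 {
		return nil, errors.New("short header")
	}
	n := int(binary.BigEndian.Uint16(data))
	// Without this check, data[2:2+n] panics on a truncated input.
	if n > len(data)-2 {
		return nil, errors.New("length exceeds input")
	}
	return data[2 : 2+n], nil
}

// Fuzz is the entry point in the dvyukov/go-fuzz format: raw bytes in, and a
// return value of 1 (prioritise this input) or 0 (nothing special).
func Fuzz(data []byte) int {
	if _, err := parseRecord(data); err != nil {
		return 0
	}
	return 1
}

// FuzzParseRecord is the same target in the Go 1.18 native format. In a real
// repository it lives in a _test.go file and runs with
// `go test -fuzz=FuzzParseRecord`.
func FuzzParseRecord(f *testing.F) {
	f.Add([]byte{0x00, 0x02, 'h', 'i'}) // constructed seed: valid record
	f.Add([]byte{0x00, 0x09, 'h', 'i'}) // constructed seed: length too large
	f.Fuzz(func(t *testing.T, data []byte) {
		payload, err := parseRecord(data)
		if err == nil && len(payload) > len(data)-2 {
			t.Fatalf("payload longer than input: %d", len(payload))
		}
	})
}

func main() {
	fmt.Println(Fuzz([]byte{0x00, 0x02, 'h', 'i'}), Fuzz([]byte{0x00, 0x09, 'h', 'i'}))
}
```

The native form replaces the integer return value with seed inputs registered through `f.Add` and invariants checked inside the `f.Fuzz` callback.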
We are tracking Flux's transition to native fuzzing in this issue. We also hope to add new fuzzers as soon as possible, so if you want to contribute in this area, come and find us on Slack! It is a very easy way to understand and extend the Flux code base.
This is just one more measure we have taken to keep you secure.
Talk to us
We love feedback, questions and ideas, so please let us know your personal use case today. If you have any questions, please ask us, and please
- Join our upcoming development meetings.
- Find us in the #flux channel on CNCF Slack.
- Add yourself as an adopter, if you haven't already.
Bye!