From f0185a60eb24d8d503e0b23428f95a571e180f0b Mon Sep 17 00:00:00 2001 From: Gaius Date: Thu, 18 Jul 2024 18:01:27 +0800 Subject: [PATCH] feat: add Dragonfly self-assessment Signed-off-by: Gaius --- .../projects/dragonfly/images/arch.png | Bin 0 -> 22240 bytes .../projects/dragonfly/self-assessment.md | 367 ++++++++++++++++++ 2 files changed, 367 insertions(+) create mode 100644 community/assessments/projects/dragonfly/images/arch.png create mode 100644 community/assessments/projects/dragonfly/self-assessment.md diff --git a/community/assessments/projects/dragonfly/images/arch.png b/community/assessments/projects/dragonfly/images/arch.png new file mode 100644 index 0000000000000000000000000000000000000000..57f9617bec283a579f3ae49c008f435d551b3200 GIT binary patch literal 22240 zcmb@tWmFtN*DZ_$3m)9vW^gBHu;3Eh-F*m7aQ6U%ySux)3;_ZJcfugS!eAlTCC@8= z@BP;L=Fe20Q)kycyQFJ%bw{hIe8hZ9`W6lj4pUxE`V$-+A`}h|!5J0t)v`;WK?DZ} zKc}XoDf9C3LOOEx?c29kySTWxf`Y=z$_fby2_hn*g@r{ z5EBy3SbFfj1&@ML6U$jQmMxw&a+X-`j28yXr22ncFxYptxTP*70H%gZk>FWcMOsi>$V zBqXk`t~@h^Rd?Xz>s;sPh zLl2yvpKoev+S}VB?$~BzWF#mVzqz>?8X6iI89`GvB5GNCmrza8^Rv3T8pGW4=g*(W z+@gqNG}zu>F>M2I!wcVPSYbJbqXcA5}e`pfa)kbJT56dfUIQRcj9IwlL;>8_- zC(pkGau@M`_#jg8PL-21PGAe9OQ4QZY+CzO*P%vEA2^Sf1tvB5I}i$bY@LZiw!KE0 zXBhp)l&jo)-y6V_z3GK3C&b z1VGQE?(W`JpMbjm)cWl8{6W#VKd=I-PN=Rx#(Nt8Gb2_3028^$D>s(rW7GZdB1+bg zq1E{xC8^L#xyDppy5?i~qFpgo4MrWN)SetW!Tlaa-F0*Tm#x=|0`UK%_Vkly| zA(U)Zo05)^Df$Dy{z%4Gni@T!SX_Ascbd&JbJQ`e6(dD|5a+G2c-cTcq?@LKn)EkZXe4hPx``?T59i`OGoxA6i~#S2Gygj$&u;_vTQVB4_g< zc;}gLXJ?dsH_^9+2iy776YNss#vG>iRwLrnpE2bxX(O2jJ%BFElD!#!T1tgbehS~) zmtjva32iXv^CM!Ub6!c8n2vTp*p3y~imxv39PaT;l#nVft85 zj3gG@T5VBVcM1Z#5F7ZUp%(f~%*YgI8XEaf#%zJ0W<4%Aing(Jp#0#Oa;K6=f-iJ* zwMz|rRhvINb>W=`x=f8)^Yl4tavzL!w4a~h)+P)2pF6e?mPgih0rhreuzZOvO)<1s z*mxDBIHvNbs8Xc%Vr)=R(wGrFTu7&LRzlanlMA zt(tDo-H7p&5|jnWO2db;uY9N)peiXzs05|NKV27SUbIn@e}&M7*e#)$SLxjI2zD9t zglae)wqeCM#grXTD|e4BK0nua=$vo$EplsgVhr|F_P`yt7*ByuWaK{R9W;n!MrN4n zcR{{rtIz13C>DIs3|7gSv-#p$NAdU0i$x_`_&b-jYJ<-vxSPYS^_zBHIkPhKl6a&{ zy%GxH8Hjt9&qN#LHdEl%kCE^l)H)Y1P=Q{yBdcR_4EVD9QdjJ>2x0(G6Gyv%UghQi zjV@mOY@=@EN&U*1VQ90`B%Bc2$LZc5rD0!?%|l(&d5^~ zafXbdNm)Ur_33Q!w^uiP!0wv_h+fN!-2!Y*Ad>IF_GmthPMS>wGKX`o}fB z`;q+u>xkyXJOZ)0z0?_9&H39JYiC82k1ZaXgG3q%RP9|0U3S$|rQuwdaYsk&#|qLM zUW!clwm+=F@$$k&@2zpq;uX4*mZmclTJhe-1N9@7?AHD(fk)E|rR@2MB2ND?uOL~q z2x~mlC^D&zl8RHfSvVNzk7AUqaJ*95OC;9yL z`dC|^U1KXEf2PrG{~;h;zG)EeGmFhBv(cie_RLBx=hQF`_YdqVI7j@!0X`fu$yCov zn@00a^2@PyNn}R|dP~#~#=gBgL8T*pv+gKu{eX@B1Q6-4l`v~v^$pz8L|Q+h1CF69;WBIq(SbVbkD z*cfDLBikr)KMeB1-CdiEfj+q=5gn!Q8xQK(_~6UDG7%XW`n{?-)%wcA)0;y{`*U`K zk@OT>-~hSPUuz9i6;0M{RD@NT(;q5jr6wGmY_y~!I;0_-!Q5X4m2#nU;xjAm#uaJf zW^~QwK63FLY>{>-#XaFb;D6Cbiwqn1z>DL)x6XB-IYmM2g9stPw`WQre%_Nvh;l|C z?jF7D;Kh}xn}H#%;05_nwTn%|WHPjeiK*cq?(C(7l!PZtWB*GX)FAz^53MR=qVl|P1P4>YeH%Rr}c!RxcBsruoTaLzx%s(SbTJi93IXu>@sW+6x6FX>I)}V7e&;V7q%8DT zTt_7ti0wZp+OsX7h zU8`jt^p_$#Gzx!rgGd%kiOUbC6Qn~r%o+X5!phA@R-b9J+MW?yBen5fpxJK-afd*x5Nh{y|DmZZ%M8y_dg2BPhK)bhSAE#CeQ zKogRZdHyRv#ry1#lvjWu(66_wPK_Iph?83xcxVn$no|pFo9$u{)9xi$Rvs?F)FL6C zJ&pi@t zIJJpHF}o4Z1w)NMMq68fq*7P2_KB!fIN7wdxMBRoH*vP~_|+Pyj-0Na@F^PS6J|U5bI3+JczlEWv^t)3w31z8V{9RH4M6yzf54?c z&VOyuNpeI7D^La2d#WOISTWcA=v&sUeljkj#ud{U{{crZ3|AI7Gayyd0ngFi(`wl$ z^)JW=*;UgZAgVl`IqkUD)@n7rb&WNR;}lWG=UQSSp`ZbUc#$M>wdZo1wcT~fAQ(3g zClXUsx2`0Rusb+R*Xo`WdE)KttilOb{};yR&zG{+FY1i%y;C_Y7Xr}F?zdY2j-9N2 zkQ`K^vC8dzR;KirGJJavK~90vD{<4#A;8QNv$mdCjGz@&1OU8bHP9K# zy^2E|Zu)k(Xp?lQssVbTY*8M!$dCae-g4Hi-fRdi@Xh+m%eX^WAMbhQ>_5Udp{Bk@J{RlNJFAVuhw%IneNlM=qM~Ms7H~M zX&9Ab$k=@}0b11#r+uc1U{J5SKHSc=^Bc7nUAF)|2XOP#9#gQrCmf$k@-;*APGVVp z6caF%Q7P%DtFEd=EQ0kS6?2k!rwZTNKJ;l!ARF{gsvD98Xm zP(-m9M~u=J%+~K2T?O@NzAt=D5BzkAKty6VqTV1XM1i|O)bK$J!~W*y08T%<3xiY# z0~VQYgQ3a`B{jpqah2|K7=7(fnU;S4EQn}_z~ZNiYo0K!{XY#0!zli0h+6ckP*)m- zZ%g5@gfv4ue4wxTrHu#mLZR_wr)yWw;zh$nh-8)$_1f;pHCKM8wIy%FUj+<>QWtR$ z&se^3)M33d%`DrU1Jq{g_NjcepJIu-Cn6_umGBJvH$)sKhJ;$n^;P;Uq}+WCgTBgE zU-W79A~o0tenQ=PNMk`{O@vRe9Od3LS8p_|g+EMdPty5@8;RMgOBpQlT-$Gc4;VuC ztkDM4lCcE_ZRS)pZiJFx&sdutp*a5sALrv&G~2WX*NQlZ*s3*km_6I_7J_c8_&707 zK{`zBykA*^wAe3Xp<4HK1h`KbOzk=+U#z4a8t9o|AM^o^!!U&DD+da{@EBNM>~{czdVR7D_E6;!TC`_Q2E_j+JDAC zq8q+SWcp0dDS8rpI-)BUAhwnCcQktsJ5jrFJo{g&j8XdkEFIJH+r1u}E%W+xpLOyL z6S-)81Mst#Uni0``?rqr#(RO?P|es|!h!c~zlQt{WvYtEE*kp{;pBL$<<{Otpj44zHlNuDbZxLA}nE6@_AGj(Zj0-7VVtbs!Y~_dEF9&pd z18gtt`$6t=2&^yjF#kjXZ*$aMR75x8-L#jG#4G>Kga$aFEGi14f|YMFzxbJA104kj z%%z#!hugq0P#`@cb;qyt8);hk&;^dd(Rua>{#dBpgec#AM$ViB$QA`ZevX|0wV<4{mjo}TvP*qN2 z^$1y7F2cigd&w^K>v)%2QO(%j3@}o`Z?S~iA1~k}4}+}Ia4Jq|rLBL&Z2r-3ioas( zX;CjhuKnJnlXA;%KB6)Eym31x$1pZh!W20}Pft&14FLjt*SsC%^uDH#J>5>%bM1QE zA#{c5-+by>zYjy1F2+Y+3nrkJjzv5sHZ5Hl7x%liOF6`& zY;oU-qYV10weulvFGq>EPz<$DhB}{Z*V?7f7GQCXU`!;>r?jgvWT_V$)Y+K!Dd}Sncb+NT|;=OHipp zWzPmUPVz`6$=C!U6z@Dhdq8ydITReBblXzqY~NGeeJXiey2e!1C3!XL%8I*fjc%UK zVO7cb=YFfd#>Oa1iB()L&6~fSH|PH1(a@fp|Cl8~K!mctI`f6e25V zE*iBhz97!!K_%WSJM=y3-03n5n&uTF>Q6Vr!S(*lgdh{qb58jkPrk9P;s;sgZ&$Bw zfl)Xt9%OqOuQWLNqQi1$^Knr#z7MoF%8tnmB23qz!S4|TO(XRq*HI)UIHIpzaG92n z;3$cnFyUs=C_d!EAMJ7?sGY2!G&q;Mj77r_=$^2?#9sxz&K?Q4AKWo;e~ ztR|GyR6n2J=D&=93e`wb6N|oum(KpioOIXx?!2jb??IqUBsF3Q@!_8A?`BW_g=c}s zg#>f|4H^{B7I(!(LZ36O-W6iJ3V1Q>d@9Ksr(RvG&e*(m=)|^2XbAamTy|IaA0|v{ zBou80)Y|I~^cum|Zxzh^Tq2#I;9K{l&Gl2cXC!My!12U1fXUZ=NzF9%h!-+l3}xu5 zD}@?18){e)v*fjUN&i;@5;7UYQ$KZ)=;?EvI!o!9zfrp|# zn%^usDrDGrDTN^hx94s<9S++7VM>9wRSYq^^KGN5()6jSQj+&?UHs?>Zsy?bmB~pEdJbUJ013iL%q#{9sE~Kf61)thBrxBQF3KHU5 zn(PLb^#t3T@*zaPaBee2(4fmqsj3dISwQq~-^=7xCJ86a(k1yBx)ZTvYw2;NKBzar z3l$o^rfMVnF6ns)Tps)-O_6q#?_vuDUzjI#mPO9sI}t=i@;TDRO@X?w~>v_b{m;sV8O;plunOCm(g*SWp zL(!i(#jZL5po1G}{7Wg(tA<-5HyNoD1OufYC3#F1f z_xZLD%bKbP3Td)_Z_?Go_@P3-S=qYS#dCC&C7AOUWmAWhcJl!OLhqt_de+OU4U%hu zX;~#ZmoNe8T}X0bg@)H3AwXjpjeru!WS)V>IqG_49iu{I7YtQYijC+Tx0|l@Fe>Lv zI)en=7z@_zUF%uoLQJ$gPne=6rVS;8F}lglEH`xx4PpL@Xg?OrX$?O+zRoE#6ff$K zPsY|p!NY;rv`;})=PVwFFI3DmhDdduDJR=cypKK{W`o3I{I?%)*57@@fPEn+MyGxM zMlw=*EFxge>BBq8`wZ{`1+Nzk0kskJUuVQ7;V=)PntHRj)RT{W9mo);m`MQ!~dbcCgYZQNszSsHiXg*)*azyknk)pv&)egh)8db zU1p?Copq*zh$GH+z+^fm%2-razur32Nl^CRCBt}9D@g1`rP5g|j?if#d+_)8j>lww zN0BDZ>(s=op>9auf&sbaPDBHRZ+QPfzCCbX@vi)D86Jv`+@TH)BC50leEB76E|Rsh z(&?$=wR5?eym-ULMCD^4QEB)ql1bu6WPfE$5WHUdPZtb~$G>Hcy-w4@%9AeaS%+Im z0{xU5t42&k{_pfZzva<6*C@nqnB_~s!w$`3R$$x9#DJ~^Al#$+JO#DbvbOvpoOo_^ zDgQf40aQ_c2N|y*_qOe#u186-kT&~VfikLCdI5 z-#22Y-9c~fZmZ- zi)i5^@Zt70RT>|~)qnP0zs`Q;vZW6 zmZvIM)XHymt=EU;v?p3v?a(dwH4{7dr-ASuBf#wRJiMQJ6=)bRGQz7=4tUY1?fL>( zRsajcdsBP|-o^FT8KUIo#ATi4g8e=$59U>EaAH=QvymF%7w=ZkbvSB@5#5Z-hU?~{ zjp#6jp?<+=38#TsSz8-_oBh_q1IU-FaWNpE<;OEf&}aM`sC%zGkmfP=9!v#pBISlo zuw@%>2{Br|ESTE_gw}8{Pke@A@aG>jwf>M_^=j|vFjasEBe892&HUtp1#$rc)2dlk zRaJT&`vVp`I*zX5ee6kNer$+=3ZJjP7lzuWg=150Oo(vT9cAzC}hb^~mG}>TFJLXdogMMS;3v#n|`C17YHG$IR-*oZuoa zGQRgyK+Ypg%|xf_N3PGd`t9pavcj2jyMjykwV0_b^!zW$`nBEk)r()GtAP!r?JW-a zPf`YdbDQOjedJKSK&x?ZqrN08lmYUyBN=e%-*>{9h<$Kf>TibmWKhI6mn=ODUk%Yp zkj^moDgT6I>~Z~I#w;@~o!7MSE=16 zs4KY##B~CvOPU*+6g6606hF{_`kfzbcdnjO7`>Xdrx_-rOJ+n{2Qa})8++G;atezPm$@!#*;e}t#D^&0vhGthN*Z^;7{5SjDm-|pt|!*R502WTyT zZ0G9I%i1Mx4^a;GMH`br14s6|7iZ&1ZVbM2sNC$Y%LN;1;G!OF)tVz{`G3Z({zP zN^l`ZC(tD1PV$YZI_9qT?~hPC96UU9bcd-1fH@hMBLht47iekbk*~A$L&vg|=T`Pe z9J?0AevWMW6|=R~Y8@b6tU)_InD+(@?AFd(UT|0FevkTOPqs`MVb;g&j&P#@WHh)xqwDL*lKr~oL8Ly z$9C<4A#P00$Chfob7XB=?27Vt1d`g^IsvnSDgD?w&Ju~*=x1Yu&g&JAjr!j;v=(dZ z#r^h1ZuaXQfjDrq#qbDj8S6D7$RBds&AEeUnvjn&z=2phi9^dz2KOrybm(Fa+H4Mm zE%*vhH^H*LESLHo+>Q6XR;Wd`-wzI2Lo>hc z5BRvj8Dhawo>a1MF1D3Xhu2hJl+nN7KwND+?&|*eNKKN0`(ngY8&2Kr2mD-i;hyzP zIFJNk*l-=>vn!*uLT_r4~Rk+JMT}Q?)T0@D=seQdav$xEPe|ZN`->` z-k5xq(DgZL0EK}gv49`{Q*0qA9b#eDKIf<*clz|Bs&QCp{gsSuh==(YNubSY0;Y6qoZCLXCQVUumQAf3Z+qO zW}wlNmEY!8jJ{%;nj!qjW#kcOPz)^73bfATjo^s|KOh6KSMjmXkS63zFifI(5QBCd z_25c?w9CovZ4M7#HKuED*isOHcNp4~P1E366|9{w6~@%ZMAFLar3Qs-e)Ji8f#k$j zYCO6=6YPK&A;n~l{)wKAgz-9R@N@RJtL@2rvZdc=)bd7uO^>{1X5Z+u@kz zACu?w-iO}`fVg47=P9OL$pq?w55x3791AiPzGj|z6y;(%&26nVDO;sxdOO}N-x{+Y zppto3`yJoss33<;pl`c#^raI$m_hGrh)9So#2>%MuHU(K9jb4)Dto(9dSBug8F~Aw z*Ngbg*lqZ|z24ul(D98xc}O{9c~02$)b$ZN8QslJ)PzQFF_CT=Wrq&m)ms^-+W`9A zNsX3oAkBv&W8-hW^ZZ?J|Iqq@3RqY+y{>_#?JQ6uk{{p0elbkZx*&E|WdG#4=K%F8 zH?+u)(BZ>*#Y+Y4QtufRq?L_|opi_TU(gHs zavh0D-knnR#%A9vm7Cw^wNtHx;&qhR2))j;1`z2SI_A-Ip0`kv=6JhGNkX)IGicom zdc8QF?X{hFo?RV(Kk{uMRL1508T6`os==O9;4fubVdZB=C#8A<%@-S+(odno(IeS|`x03WqboST@(atlv`BeudJQSW$>(+{76KuiuqHYQrDhae7Heh% zh~9nw9mtzA^HZR4uM#%F4U>k;g5lkC8XT80#_!Yg?e=0)TPrAGk{mWReJt`1=Z9*` zPi$DDixg*QI1Ap(@OkF-k9jF4)xmf}5Vk@l(Hu>@Ls6+nr5JwDy<4;V#CyY#4B%D*3 z4CAhojs7C7+0cK77C>5*3vb>P0_M2{6XtF8^jsaS8nJnNb*?Aw+58F^2REP3 zK&L6p;?{coBcmEXWTsGlgo*s`pL$wxg}z;e|B~txnkeKyH>Qc11TW;%TJO+hrF@~R z>55p5O%K16(*N0aJA>#^lwsmSb2Q70&+{91dejqJ+w^6K59MwQ=s+s9sK{v^&Gf^& zh`Y~A^>XzI{$4&P32kjH45PMIvg}G=QEQR!-iloN*=zKtB>CG|b7)!AAAejLqlIJ! zWy!Q5i1IG-#;e2Op94Xi#z=EP5T9@uGW{K)R7TDcDfRWHHUybgLnxJ&vqVlM`FEwf z;}kZ3L;#B@3=_it2k|`uLnSk|g*H^<;NKlm(t6UDaazY~K4WO^NP-_Z(uW8;XB_-R>3Ad_QoleWQa?(j>Kg2tHD z`U>yE1NvZ5!@Dc2c$yR|G%12@MMHnqNUM`;-j2JGFu`sNd?~Q%mGlPw>@xB#oZy1lf?kw9dU!|NX}Y?6tXTC!sL;b_O^M-7tmZu;`s)UDX6|;G z5WH%Tz`#pid9Q}uaeavmub38N#$-Jy7_0W)I+H!K37L6@jXRSYKQ{TK4Op1UcYGIi zikuV&T>+%ej3w|DxndEfA)fFWR=!EgmDIg0+CqF27ElH{9K`FO{&~tQ1c-=sfvv~; z@MUn|CTeeCloLZ<454|VQ#)u%m9U{A`)}HJVdIVKSkxpkuF>37@t+WMgcPjcA&KxF zSGZ|sf~}$87e^@HJVK5`Or%tuv)}xc+ln%jqm^aPMe0uK$#WuXN|=9*gf%jYVjw zivQW$UfaEIqY7?Putewljzc=KL%qyJ$vR&9TzXJm`}qnyE7i*?+k)&@C$WzFP2-_c zcqi7OHT{O6EiU#zQfLVclT7*+5$xMO)#xO!Wa(A9rY4TQ-m4N8G|%ON&pVTE59OvH z^BQc%$TP@rZ$cDvVOUcrqzKli-{@d22pBuFo!Pjxg<9Ea-;J0gcAz96{2??oxg9}D z4d==S2bx_N2WCa=3C6wb4VTagdRaKXC*Ik}z>-EnB9IQA=$Q^C!oVFR=92wl@%TXD zbcm$h?gNBA__&LRW|*%t@z*%QBOSb#9OC{y-s6T?_wZqGAlk)EKhQY9#FB+ZgPiEy{n@TM`TZ~Yxv<_wL z6GCW<5C$*cF8vePvimoV?uT2TSMm)5+5SH9@C|V!o?-LhLg*H~GW(OU*XakO1K+%# z-x#sSQfde~nu=j0=2lu;e<>ccl7G6|czT+Fg#)0ToM&nQYZX1)25U1*v_E7?tj+DO zdvhbWCPoy0KJTi!fARFZWsq6_^D587l?qUN#xw*e_Pcu=JLOf-Wc@3ZcNSD*09lWLqUKL#Q))T9j(0d9~a*S#5c5RrsJL)*J<&gF>tbV|fya zb>{VJMX>MRBGxxG16jusyTIaA0mRG=B4a&1iq23xM?C_2i=3wCx5acy{Xc^P|6I6z zdv{EedV%c0KYkL%g)Pq|u-$pjklVvKG`JC$Xjl}CUJq>@x#8V!vAnb+oo-L_E!J`Ns zWX0a&^456=6+Ib|h$dR+91MDX0}NiiiCj7D+7O1N?GmPjm>c9xK}y7y|)=sNPcho`i4Bpbb|YOo|^n>=`8p`(TiHLu=65f z;t*2nk`axUrXc0`BmV~gXFB7Jh9Y=8a!I9!$L>OK>r|jyxAtZ^x5sHpwf|YVOr`FHDN~F3u>2q;mGv?*^LXmm=XEq(iaCP_8`=jM9T;OLulS{b*7i zra#r=TqZQ~OVVq_kWf@d9jbIJlet8;Qll!7sL$j#f%K59{V zcD;YWcy5epEvR>xCY7D_;CpNqAJ_ExUI7!Q8xpr>JBoQqgmnK^3XuU{$QSt8s6%(l zATr>{TmaE)bb+c6t`?>9fB(IADw<+A{k$ffuDEjC63w38uwaL0#BPT2_l)yj-15}_ z238qr`m9uf)S+hO|3S;M_y^~kVDxG}ZkaUcGdxGwcjm}w0ic#E-?BBdVeaa2+o|KI zWS<&PX!m&+5N&0&F#q$_Vgd7;y-Ap~vJC4Tjkz2Ws+s)KV?HW*79OsYdVHwtAv^S^ z0C8r)KE^s@d%c>Mr%FA7D|-IgBRe~O*uF^KpX|9AVBwHbOYB>RelLjSLwheuqQwh`GE$?^w8 zpMhR(_iJvzZPSFM^SI{55w9gmf>P%1#T(!MYSo>oPpp6Z=?edzS?#{xs$#Bq>ASCX z-KF}(_{X2Ai6cL*)GaJXzKDSbyi9%+N+nuLy}YjO{v!r{WHOlXy|tGjzPwlu89rvV zJEIt49@`W*NB5@8CbPUk)go8ShDZ2TpN-W7>-CsT$G#6?{1O`|lUIeP_4NtgFo20% z2RVNIHu)}4Pj$$Q#;2+^7W)RWHLq66u+}x0I7(toWtf5(`s0#UhQ0>puTa;|@@yMPAG43l*^DNHPcz#qRvnVoZhrk{W2M$5i^-Z z(#BV}=fxv8pbqkcJp|5OwfvEZ%?nH3a|5zG(&_%>%W8^O8*}LmYXqsfV~WD^PY;7E z$7}tSbA*@cKkhnYdDN1_8evAD1d4g@vL^GXr2fvmm9&ZBr?0j1cs|VIiKE%b`y;s$ zB~V*}V9&`IgZni>uR7yIgHCQSW1oi5{L-|t-W*{h0yTYwMtlw5)GYHZKeQaK>T@p* zb)cRb(1h%8X7S{e;Mhmt-Du^t0%k6@?Rtz&MNHrIh||wx{7=$e6`g_yl#Rlpo$hy0 zPum?};i?`7j?3Z?9e)vZ+UHpPxbc=%cJ)$F;O*N+H{1(M@LqD-0`?S8s5PH|GQr?J>oql#S!>~xw0bbn92-%^jamz~JNETcf{P+WDU;xm z!m8By8CRbEDH&G}}o_Nlg3PES(o8%BLC?KQh!0RdbH$*BDVDhc0>P zv1S8C5lU%K65xN;o3*YMq0$+Bl(LayH7_*(D{Ve(&ZC*zb3W0#A8w|H*bZxTJvZ#l zo7V39%YnDw&r+r-M%E6Bw9GlIrECXT1w9I2j{8BIUlWrX^V$0Ks&2%V=z_@DS`Ev> zPwhI4UcWM*xK=%lvhi9&65l(eD`JP{GNpf=CLt|pT;HzIq;X!GzWBpW_=$+aIK9Sy z+5!V6r#gU)b+`*Iy) z*=@T7MUrk+_Ymip4uJ3OS+mtjk5_N`La~uPhcq zq`=wCt3}_O3g7G?Aq&3x@iE2?$V;LY*IhjV-*O4*!0Fa6qDu)StmR$w!zxh4rIKO; zF+#Tt?dK_iUm^3UnXk+!f2*;4VeFsheRK2LQ^HkQ${M4YEpDIUNT$B)`kdzo*NYU} zqghjtRr{bP!U|wBXX}ZvhTC0V9@O&cT;sJQC^DWFOIDI=9wQ8cOhC`IK>raAJvpZs ztypCXCGCcj>(C29>V%0eP^OES%-^6@@L#}esrw<=MswO!h4fzE2mN#G55yZE{d-l{ z(S8E`Y8vj}P81`_V3Saa0KR-}mZF&wInc!A?UxVbU~#@Uqzs;OcC4&fLRrk8i%NT| z^BtGY*4F3Bd;23JlY@=om_IMGrT31FhP}D3ECW1$PgV?*Pzvf&lYJQLyn^slS-<1t zG5eN?A*P>|`Iq{1Q9i>+KN8X_`mg~>Zzc#xrqj}zUQ}ZQ;lzv}wgaNDqFP$C-YAgr z_kmu#(!Dm*4d+n^bbKjv#Nagq^39q}dl2wsPk~Ozc#{rP7AeF6D#`oUOg!XbxWVkJ zsN6HTI(h2h(;L8K)&QKep1*o^KuXV*&VY24u!Q=f}fk-5dusu>PG%;Xf9ilTyY|n^UfSJ0r+$B@WC#ge^W| zgmMs>Zq+@`S?E5Vl2AG`CxjT?N9^^$;;M+4qWdU~!p1Ec{(M+@&}sNhTMmBU$g2yz zsTNtn`qLIB9Rmmwy_q-58vo*7+zqNnvvzxlgglsKd&2=FX{W!hV~@LQc5a({|M`1k z$|=Z;|2F)5)1jrJz8;&YvMqXbqk)-&BR{Y2OZUQF)U+9yOT@m+!(Wxy^@W9{>Dqq$ z=E^p-b={X150txey*obqmJTry$Frd($Y4vt#_P918xb^%;=sX;H%cVv zzn9+neV1#n-S+<0mDFKp^!`4RN5r)OXW|9oq&0?tHtaoC!-W=0V%8a8bbeO(W~mwG z8I{#wbQ??(iNyl{-MG^b9j;}$9B>iNRtfQ;29fvG`TUTl9Oip|;&RAnndfdeZnMy*G|~ zgnjq~{Cxc3@&KoRhDwF`#YK<9nb(0)f4<>!nBYOOk=_ny&BI1UfNEv-itah;p9u?W+n?04hr^I@XV1n}i?kiF({UMKHm+ z*AK;(ozZsi?n%zm2WW1p&7CnY4Da$oZCUkv5Df{j9oNzOW4)(>x-R10M&<7a60ZPcbVxXM2b*8=~a1lm3}VK+nFdr`fJE8W%V z=fOU=j^wxC0jV2sxygWZsmCp_j*0+IdF8X?XE(Je)zDDcG zA-5dywtmVQCO6T$XKfas8ZK6XW?yc$w^V6DV>!iZhqar;HEn=eLNaO2WL62)MDHwy1xg$H@luEv^M z*nff|>_3sGYC?$$VdR<~gXi@Ppz&&RS@?G@2esny0}~qGCbJdMGQPA|!6vy(U56%K zTc|ew*8=$RN8Lt-un@PvMDpc_jK++VD=0}1$}&{+7QW*56kA0!1@jSJy*xEB!%q4^ zT^*f|dZ&mZ!rKRWj2#C6`1-x4U5MhS#LmuGeT-gwGFQM;`PYN>{@UXi_XxhyKlArh}Us_y?#6# zfiWY!!`qvbgxSXz$iGId|7g2dZ29*+nsk6&1pn<>npXp2!v1n-T;$nNS~xAG9{+#X z(OjQr9&jyLD`!%+!}?c++w&NQs4=irz(}fRZy76s>TvZn5*JAuN13yBDy2(hm2tij zhem_wc2SakcRLCByoqH!y`>06eSTF<8|N^wR@;We`aL+%2lQp zdJInrt0hJpFjs0uUO?pCXA^*9{ZAzcsV&g|yV=e!<$z7qGR|(v)OWs(;OGCAmq6Pw z^8amL0zD>9{tt;Q5b;LJSBrnm{$z{%UvB?*b4pt+abQZ?1o1-6;58iPy>=YD>HlPs zMg~V{k;RumSy1TNA~K&$&0qSI6R-dFj^L z)#F@Cdh}jn-bc`vAG5R)YH$Zg1d+xsOQ^0XwqDA)n}knIIvdeN8P}rc=;o_b_y%#K6O^mW(hZ7}>h^sTs6n5ZdwhbNLAc?@% z8ZY52q?;X;mvv{&T@*pLDIIiM%-$#I>n4KA3_*_2+>+a!tR_O*)d3ArBJROl> zX+PN|Eb}-!NN$!-*u34w3?dKFT^Wa=o&z7)-#!3*`Qqdg5ylai zuL6m$Ip(fwF#@{RjNVH>d7w zTarG*l+v;q?PHtg;=c#K2_Z`RuAJWB6X)VSxy{60%Ibq_ufZRGH})Ps9g>b9ItFsG81ipD<1V2*G{`r2=K#?fR=?9B%d!e}CBj`mpEtE!Fj zDCDK|tATaF+`P9Dut*lb636b>1UF)zpcMQaDZ0dL7lgcM+TB*n(eoF)l%E(w z49z%xR;P1?gSi5V*Kb8)2PNqjPbAV@i3}1<49QRDeSiB{^GFZAImOL`==C+d>Ljt3 zc>$b*)E_*npLG3$Kfp7&ytAV z!47uwb}Z+g(!{^K79o-N78ObK+DaRCkA{}9n<{~tavE$gAn({~(K{Btb#Y!0)5SS* zH2(!Iw|lJPDBEvbcSY@q6%1mdyO)f~;l!9b@M{8HzuWGXNVg{MgT@cRbWwZNCs)}@ z@rmA$u9e#g{)rk!tZajp0IvLvY;n;VSH44pm7*)laxlROjZANyhrA0Yt>Z?OepTw62zV6J?VXs8O;F?_Y0GWjZSn+<>L`*Q zQE!Fn%6)!SIG*`5a-(d^gLmLcs)mePE!L23Ady?wwcQvveGS`-!w_;8#wYuhM+XpT zsL>=9Zx9(e#!SIf65LrPjMQmP)0S*sYc>%CZ$e3i*C^0K7JXGhVsiQpD|M}v{sdun zN3Uf#OxzI4_kWHhI~(0kJhkj=h+|g#OwcQX{ns}9PRh<&wQV-x{hh;$sGUILW&)OM z3oY6a_HRYAQH^bq(^dni0-^~B>p>p`JXa&vVy3E2a_pBwiOIqJy;tk9K6>(tRd!YJ z!lQzqsX=lm_k5sR5Z4e-wXE9Y`2BYaiOneD<$G?U8JY2q6US(qG?&u@xwEc+?RWF0 z1EUyL=czRAjLLU@5MH#+C%6ul|I`&|e#AJo7GLs*^&9ac1E&c!B@zZjDV^wM%q5)- zg=H&?Xqh#`49^?Q_P7Ii^6veg#&RVNwhsnQVLMcUApI6bf?NCL=!W2qT#E`+O@lg% z_7pRuP^e3;W|`YJwv|b@w`!bNtg2@znRvJ*6+=jJxq4^T`p_$%Ku_@;^P; zz!;xS%Z^Uj$jG%ry47hdPcc|c< z@F_n&^y0`B46K&e?`Lw+w5Yo*9DuSxP|lA|npb+ZjS1nt%+N_Mi$_6hH(pzYPY7*=wl6T}wl zLNlt;WXEkw%4p@|b1+fN_KH$QdfATTH3G!l;4HQx=4-ybuvpiXNihkxiJEKbOsf;o zp{X~%jjGIc`F>T!nc0d&Hu^|k&O)|Dp^i1=+T?De4AX^E-~I|;YGksvKO#3UwMc(N zW0pOQyOFt*tee&`o#8wmSi8NnuWSF#$ym{~>G0NBjZqfJ@Z$s*@pvF~Hr!XH$m zooIB#f3pstvD90oglY#z$*AbdCUrj#7UvW;Cpw|-8d{@>^jLVHz!5oahSrIFnxFv1 zzQgExka}n(O!Kq5WLV8R>$uz3=QfkUcKMzFxq)oa-q#h&lkg)kDrvy@$bvUKnx&Ow~SAmmf<6fr?#YBmMvd0_x zW0@f^PXv5I>Up!?k>4iohDA=h<_+1WMX1G2e0c=Ca|G!OJmo) z==TM7GGYTOfRqY2Lo~aiJ1_x3Y|{sJ=||p2)8Ektl;IW40 z@57XWvtS^E$46_@hW2mg`vS6^;G66*vv26 zK`ON1@EXhZ2`!Ql>k6oQy_7M|uW+JYj(k~%Uqp6+`!38*(gG0Cp*}B&pO1iOP_1*Z z9b6FQ@?1t_N+7<|N8vYR5aF=0=G9}xDzebiI1t8q1Jx+R4??k7GuDmsS=`%dk+IV9*AE|P2*j@E;3Kw z^gn65R^9aT-L}s)l^~! z-e5D{wPM$JJ%sR7;L*iDki61VgYoHe7$CiNdMC!j)p#xLr2zI8pT)M+V7w3r=YfMx zJnF`4u^&|6VVm*6Z}na{l^TpPsK+Xm3LFl^dk_DmRX}D*d*KS)3Y@A=y0!p2^eoLT zmGcH><8|Y90qH*GBAfdSG+pA%X)kgkzrfJ=5;u3Nv-8R zUIi3%HSgaWV-Odn@;Lho48Bpd8Rw<*GI9wGoy4AA$g1c7pO(=XUKS>yw^)69@a&5C z8_@RQM7a;|`U-mW&yG?*`>m|h@5_bZkMTM|6!&pb?V&f){1Lxkt*kufPhS;2ErKte zV+fzDcvmPJy_jG1&=A#Otzw?^ai46DFGN$S$2S^WN-;MK?|lYuE83$$(7*HeF1kW^ zR{p7a1Rl>GgB~G*aqGOM3yl`wLQ&d(OIxzL z><4+{wS$9al`;(8^@x}X61Q%(E4noM0+ znhv$yrCT#PeB+{{^I#tKB%YOPx?&O@{WxCsB&TK?mxM$C{f*qx;rISi5<~bVbE|I5 zlf}?wj)ULRsKRy_j1? z5hS-RQrB|+y)irJfDRNf34-cy>m$DyuEt%P?+dF%p1bZ3%v`J%-p=Uv@G>6U zk064W>etA=1vxC0Onua~EKMlBR<((3DYb?EL!+L)O0#wJJ@1kq#W^ zx#}C%L7YYQtd4rjQGpn5wqeoiqBtxo#E?DkAsZ2|qx#g+B?_vwndC@3@S)Pun-D|s zr2=w*0+~~_F7dbZphBLZfFzV6!TBVb(Qj!`K>ophpG8u?-Swr!obca?v3Z1X8$#Fu zGUhiS1o8`nWClZfheUi%iT7QcA-R6zRJnO|er=$Lw8uK*(2CY`S8Fb4-s7doX&jSW z7^+~6mD~Bjy0XxQ-ZyFb0QJBV>4DJwT;)TDQUjn{_r5#kF8{qlZN1NSY>+de9bX6 zi~x8_gO5sS@VYA{1~b6OeapgZsv{|=>qm5iAgOt-94Gnz98e4>wxQCf!7k|;Hn0T78yBgixp%j6Vr1k=+mjW757UyT`?7lR_`?tnv-ZzP|`zs zJ_TAK-t!juNTUB?YNI&RVb;C$u3q=e1n4ZkT99mPRl8w=5gCDQHX+SA5rZzb>UmIb zOCG)Z-cUtA88igWdQ|2^W_d$)v75GPo??QrcFugNo_M2bZF)J2Jf%woY?>jOZ*elK ze3x;L!6j1&Pj)8*>1^y*n$Cre5Gh&sRVPJmo95f#MEH&_ZgiERBr(D|+_F-aw$j?i z7BL1_Djy3bfw8OU33+KZuoA+m%_VC6mV^sFRja?Y2X~}mrpvRy%D@f37qvSdN?YqT zDSb$`LIvn*I5;PS1VY=sipqfmO zStK`p=t8_RO6bnk%8Inp2-3C#czJH9!;^4PVMW)ZqTlgUf%04CL|#;rz*_9E zEyA&?B(dwB?~j8fMA(A%SuU%CNkD-FU^1uLDepLJ7awM}9mE;)${Jowidf6{G{aZM zFzW6FBqRx5k1vvr-}9Dur+UAZj{zV*2a#^Jw``Aeq& zlC!C3mBu3sG5!rty`O(KO34iqDli0D5&gTN{%&zKKJAHxzfAlKKa5wf_M#N5m!H&P z+p8krJ2+yI2me{|**_pRfNJSN9T*@6Tx+Q_=W8xI&~Hw!dq@kfpat+->!43&a3DCK zd0qv5TR5HQk#nr=qmJC%m@@F^^O#+PPnMC4a^Wz}ke zt-_4fr2`VjqHcKUsIptH0pOm3}FE|<2FInrieh%}rCF}HIBB#v9?pKKpoQ0caVV3I3Bx~d|-$pjU zsp&y-;Xp*3R5w`_pNN`_PS1aAj!0*B=&8Hwv*62rYetk5-a8t#LL4IUPt%KBF+Fc) zVCyysbL$V#7mTiFukI>@$7ZWIYVD6iU5!<7(EsfsN`SSyMeP*9qKOFmKQEB}|1PD@ Z9mH*#e**VQR1^Q240KGjt2CWo{~tBds*wNy literal 0 HcmV?d00001 diff --git a/community/assessments/projects/dragonfly/self-assessment.md b/community/assessments/projects/dragonfly/self-assessment.md new file mode 100644 index 000000000..e59a19939 --- /dev/null +++ b/community/assessments/projects/dragonfly/self-assessment.md @@ -0,0 +1,367 @@ +# Dragonfly Security Self-Assessment + +The Self-assessment is the initial document for Dragonfly to begin thinking +about the security of the project, determining gaps in its security, and preparing +any security documentation for their users. + +Authors: Wenbo Qi(@gaius-qi) + +Security reviewers: Tao Peng(@bergwolf), Wenbo Qi(@gaius-qi), Song Yan(@imeoer), Akash HR(akashhr), Xiongxiong Yuan(@yxxhero), Yiyang Huang(@hyy0322) + +## Table of contents + +- [Metadata](#metadata) + - [Security links](#security-links) +- [Overview](#overview) + - [Actors](#actors) + - [Actions](#actions) + - [Background](#background) + - [Goals](#goals) + - [Non-goals](#non-goals) +- [Self-assessment use](#self-assessment-use) +- [Security functions and features](#security-functions-and-features) +- [Project compliance](#project-compliance) +- [Secure development practices](#secure-development-practices) +- [Security issue resolution](#security-issue-resolution) +- [Appendix](#appendix) + +## Metadata + +| | | +| ----------------- | ----------------------------------------------------------------------------------------------------------- | +| Assessment Stage | Complete | +| Software | [Dragonfly](https://github.com/dragonflyoss/Dragonfly2) | +| Website | https://d7y.io | +| Security Provider | No | +| Languages | Go, Rust | +| SBOM | [FOSSA Scan](https://app.fossa.com/projects/git%2Bgithub.com%2Fdragonflyoss%2FDragonfly2/refs/branch/main/) | + +### Security links + +| Doc | url | +| ---------------------------- | ------------------------------------------------------------------ | +| Security file | | +| Default and optional configs | | + +## Overview + +Dragonfly provides efficient, stable, secure file distribution and image acceleration based on p2p technology +to be the best practice and standard solution in cloud native architectures. It is hosted by +the Cloud Native Computing Foundation(CNCF) as an Incubating Level Project. + +### Background + +Dragonfly 1.x has been open source in November 2017 and used in production environments by many companies. And joined +the CNCF as a sandbox project in October 2018. In April 2020, The CNCF Technical Oversight Committee (TOC) voted to +accept Dragonfly as an Incubating Project. In April 2021, Dragonfly 2.0 was released after architectural optimization and +code refactoring. + +Dragonfly provides efficient, stable and secure file distribution and image acceleration based on P2P technology +to be the best practice and standard solution in cloud native architectures. +It is designed to improve the efficiency and speed of large-scale file distribution and used in the fields of file distribution, +AI model distribution, cache distribution, log distribution and image distribution. + +With the production practice, Dragonfly based on P2P technology to accelerate the image is insufficient to support +faster container launching, such as the Function as a Service (FaaS). +Therefore, we created Nydus as a sub-project of Dragonfly to address this need +and [Nydus Snapshotter](https://github.com/containerd/nydus-snapshotter) become a sub-project of containerd +which is an external plugin of containerd for Nydus. +Nydus implements a content-addressable file system that enhances the current OCI image format with +faster container launch speed, better image space and network bandwidth efficiency, and end-to-end data integrity. + +### Actors + +Dragonfly services could be divided into four categories: Manager, Scheduler, Seed Peer and Peer. + +![arch](./images/arch.png) + +#### Manager + +- Stores dynamic configuration for consumption by seed peer cluster, scheduler cluster and client. +- Maintain the relationship between seed peer cluster and scheduler cluster. +- Provide async task management features for image preheat combined with harbor. +- Keepalive with scheduler instance and seed peer instance. +- Filter the optimal scheduler cluster for client. +- Provides a visual console, which is helpful for users to manage the P2P cluster. +- Clearing P2P task cache. + +#### Scheduler + +- Based on the multi-feature intelligent scheduling system selects the optimal parent peer. +- Build a scheduling directed acyclic graph for the P2P cluster. +- Remove abnormal peer based on peer multi-feature evaluation results. +- In the case of scheduling failure, notice peer back-to-source download. +- Provide metadata storage to support file writing and seeding. + +#### Client + +- Serve gRPC for `dfget` with downloading feature, + and provide adaptation to different source protocols. +- It can be used as seed peer. Turning on the Seed Peer mode can be used as + a back-to-source download peer in a P2P cluster, + which is the root peer for download in the entire cluster. +- Serve proxy for container registry mirror and any other http backend. +- Download object like via `http`, `https` and other custom protocol. +- Supports RDMA for faster network transmission in the P2P network. + It can better support the loading of AI inference models into memory. + +### Actions + +#### Download Task + +- Actors: Scheduler, Seed Peer, Peer +- Description: When downloading a task , the download request is proxied to Dragonfly via the Peer HTTP Proxy. + Peer will first register the Task with the Scheduler, and the Scheduler will check the Task metadata to + determine whether the Task is downloaded for the first time in the P2P cluster. If this is the first + time downloading, the Seed Peer will be triggered to download back-to-source, and the Task will be divided based + on the piece level. After successful registration, The peer establishes a connection to the scheduler based on + this task, and then schedule the Seed Peer to the Peer for streaming based on piece level. when a piece is successfully + downloaded, the piece metadata will be reported to the Scheduler for next scheduling. If this is not the first time + downloading, the Scheduler will schedule other Peers for the download. The Peer will download pieces from different Peers, + splices and returns the entire file, then the P2P download is completed. +- Security Checks: Peer HTTP Proxy should be protected from basic authentication and authorization. + Each piece of the task should be verified by the hash algorithm to ensure the integrity of the data. + The data transmission between the Peers has been encrypted to ensure the security of the + data when enable the security feature. + +#### Preheat Task + +- Actors: Manager, Scheduler, Seed Peer +- Description: Preheat task is a feature that allows users to preheat the task in the P2P cluster. The Manager + will first receive the preheat request from the client, and then the Manager will call scheduler to schedule + the Seed Peer to download the task back-to-source. After the task is downloaded, the Scheduler will record the + metadata of the task, and the Seed Peer will be scheduled to download the task to the Peer. +- Security Checks: The preheat task API in manager should be protected by the Personal Access Token (PAT) to + ensure the security. If user uses the console to preheat the task, user should login with the username and password + to access the console. The console integrated with the RBAC to control the user's access. + +#### Services Communication + +- Actors: Manager, Scheduler, Seed Peer, Peer +- Description: Services communication via gRPC. Peer and Seed Peer will call the Manager to update dynamic configuration. + Peer and Seed Peer will call the Scheduler to register the task and report the task status. Scheduler will call the + Seed Peer to download the task back-to-source. Peer exchange piece information with each other. +- Security Checks: The gRPC communication should be protected by the TLS to ensure the security of the data transmission. + +### Goals + +**General** + +- P2P technology: Based on P2P technology, use the idle bandwidth of Peer to improve download speed. +- Non-invasive: Non-intrusive support for multiple container runtimes, download tools, AI infrastructure, etc. +- Peer configuration: Load limit, concurrent limit, traffic limit, etc. can be configured. +- Consistency: Ensures downloaded files are consistent even if the user does not check for consistency. +- Exception isolation: Isolate exceptions based on Service level, Peer level and Task level to improve download stability. +- Ecosystem: Provides simple integration with AI infrastructure, container runtimes, container registry, + download tools, etc. + +**Security** + +- Data integrity: Ensure the integrity of the data by verifying the hash algorithm. +- Data transmission: Ensure the security of the data transmission by encrypting the data. +- Access control: Ensure the security of the access by the Personal Access Token (PAT). +- User authentication: Ensure the security of the user by the username and password. + +### Non-Goals + +**General** + +- Data Storage: Dragonfly does not store any data, it only caches the data temporarily. The data will be evicted after + the task reaches the expiration time. +- Data Visualization: Dragonfly does not provide data visualization, but provides a visual console to manage the P2P cluster. +- Container Runtime: Dragonfly does not provide container runtime, but provides a Nydus Snapshotter to + enhance the container launch speed. + +**Security** + +- Sensitivite Data: Dragonfly does not handle sensitive data, such as user's personal information, + user's password, etc. The data only caches the file data temporarily. +- Download Access Control: Dragonfly does not provide download access control, if you want to control the download + access, you need to control the access from the source side. + +## Self-Assessment Use + +This self-assessment is created by the Dragonfly team to perform an internal analysis of the project's security. +It is not intended to provide a security audit of Dragonfly or function as an independent assessment or +attestation of Dragonfly's security health. The document is intended to be used by the Dragonfly team to +identify areas of improvement in the project's security posture. + +## Security Functions and Features + +### Critical + +A listing critical security components of the project with a brief +description of their importance. It is recommended these be used for threat modeling. +These are considered critical design elements that make the product itself secure and +are not configurable. Projects are encouraged to track these as primary impact items +for changes to the project. + +- Transport-Layer Security (TLS): The services communication is encrypted by the TLS to ensure the security of the data transmission. + Dragonfly uses the OpenSSL library to provide the TLS support for the gRPC communication. +- Authentication and Authorization: The Peer HTTP Proxy should be protected from basic authentication and authorization. + The preheat task API in manager should be protected by the Personal Access Token (PAT) to ensure the security. + The console integrated with the RBAC to control the user's access. +- Data Verification: Each piece of the task should be verified by the hash algorithm(blake3) to ensure the + integrity of the data. +- Control Access: The console integrated with the RBAC to control the user's access for operating the P2P cluster, + dynamic configuration, preheat task, etc. + +### Security Relevant + +A listing of security relevant components of the project with +brief description. These are considered important to enhance the overall security of +the project, such as deployment configurations, settings, etc. These should also be +included in threat modeling. + +- Logging and Monitoring: Dragonfly provides the log and metrics for monitoring the P2P cluster. + The log and metrics can be used to monitor the P2P cluster, detect the abnormal behavior, and + analyze the performance of the P2P cluster. +- Dynamic Configuration: Dragonfly provides dynamic configuration for consumption by Seed Peer, + Scheduler and Peer. The dynamic configuration can be used to configure the P2P cluster, + such as load limit, concurrent limit, traffic limit, etc. If DDoS attack occurs, the dynamic configuration + can be used to limit the traffic of the P2P cluster. +- Scan and Analysis: Dragonfly uses the FOSSA to scan the dependencies of the project to ensure the security of the dependencies. + The FOSSA can be used to detect the vulnerabilities of the dependencies and provide the solution to fix the vulnerabilities. + +## Project compliance + +Dragonfly does not document meeting particular compliance standards. + +## Secure Development Practices + +### Development Pipeline + +All code is maintained on [Github](https://github.com/dragonflyoss/Dragonfly2). + +- Contributions and Changes + - Code changes are submitted via Pull Requests (PRs) and must be signed and verified. + - Commits to the main branch directly are not allowed. +- Code Review + - Changes must be reviewed and merged by the project maintainers. + - The code is reviewed by multiple members from various teams and then approved by all of the reviewers before + passing the check. +- Automated Testing + - In each PR, the code has to pass through various security checks and vulnerability analysis, to find if the code is + secure and would not fail basic testing. + - Tools like CodeQL and GoSec have been adopted for security scanning. + - The project utilizes various vulnerability tests, unit tests and neutral tests to quantify whether the changes + would be safe in basic context, before the reviews done by the project maintainers. +- Dependency Management + - The project regularly updates its dependencies and check for vulnerabilities and keeps its github + updated at all times asynchronously. + +### Communication Channels + +- Internal + - The Dragonfly team mostly uses platforms like GitHub, Slack, or email lists for internal communications within the teams. +- Inbound + - Users and contributors to the Dragonfly project can communicate with the Dragonfly team via GitHub issues, mailing lists, + CNCF and through Slack channels as well. +- Outbound + - The updates and announcements from Dragonfly are made through Dragonfly Blog, GitHub, CNCF mailing lists, + and social media channels. + +### Ecosystem + +Dragonfly is integrated with various cloud-native projects and container runtimes, such as containerd, Docker, CRI-O, etc. +It is widely used in the fields of file distribution, AI model distribution, cache distribution, +log distribution and image distribution. + +Reference to the first integrations that offer-first party support for Dragonfly is present here in [Integrations](https://d7y.io/docs/next/operations/integrations/container-runtime/containerd/). + +#### Image Acceleration + +Dragonfly supports various container clients such as containerd, Docker, cri-o, ORAS, etc. +It provides three solutions for image acceleration. The first solution is to use Dragonfly to distribute +images based on P2P technology, which is suitable for large-scale cluster. The second solution is to use Dragonfly and +Nydus to distribute accelerated images, which is suitable for large-scale cluster and faster container launching. +The third solution is to use Nydus to distribute accelerated images, which is suitable for faster container launching. + +Production practice and statistical data can refer to: + +- [Dragonfly integrates nydus for image acceleration practice](https://www.cncf.io/blog/2022/11/21/dragonfly-integrates-nydus-for-image-acceleration-practice/) +- [The evolution of the Nydus Image Acceleration](https://www.cncf.io/blog/2022/11/15/the-evolution-of-the-nydus-image-acceleration/) +- [Volcano Engine: distributed image acceleration practice based on Dragonfly](https://www.cncf.io/blog/2023/04/13/volcano-engine-distributed-image-acceleration-practice-based-on-dragonfly/) +- [Ant Group security technology’s Nydus and Dragonfly image acceleration practices](https://www.cncf.io/blog/2023/05/01/ant-group-security-technologys-nydus-and-dragonfly-image-acceleration-practices/) +- [Stable and efficient image distribution for 1 billion monthly users with Dragonfly](https://www.cncf.io/case-studies/kuaishou-technology/) + +#### File Distribution + +Dragonfly supports large-scale file distribution and uses P2P technology to eliminate the impact of +origin bandwidth limitations. It supports file distribution of protocols including HTTP, HDFS, etc. +Additionally, it also supports different object storage protocols includes S3, OSS, OBS, etc. + +Add [Dfstore](https://d7y.io/docs/concepts/terminology/dfstore) to expand the file distribution capability, +it can depend on different types of object storage, such as S3, OSS, OBS, etc. to provide stable object storage capabilities. +Dfstore uses the entire P2P network as a cache when storing objects. Depend on object storage as +the backend to ensure storage reliability. In the process of object storage, P2P cache is effectively +used for fast read and write storage. + +#### AI Infrastructure + +Dragonfly supports distributing data during AI training and AI inference. +In the AI inference, Dragonfly supports [Triton Server](https://github.com/triton-inference-server/server) and [TorchServe](https://github.com/pytorch/serve) +to use Dragonfly distribution model. In the AI training, [Fluid](https://github.com/fluid-cloudnative/fluid) downloads +dataset through Dragonfly when running based on [JuiceFS](https://github.com/juicedata/juicefs). + +There are many use cases in the community, using Dragonfly to distribute data based on P2P technology. +In the inference, the concurrent download model of the inference service can effectively relieve the bandwidth pressure of +the model registry through Dragonfly, and improving the download speed. Users can embed the model into the +accelerated image and use Dragonfly and Nydus for faster container launching. + +Production practice and statistical data can refer to: + +- [Dragonfly: Intro, Updates and AI Model Distribution in the Practice of Kuaishou - Wenbo Qi, Ant Group & Zekun Liu, Kuaishou Technology](https://sched.co/1PTJb) +- [Dragonfly helps Volcano Engine AIGC inference to accelerate image through p2p technology](https://mp.weixin.qq.com/s/kY6DxRFspAgOO23Na4dvTQ) +- [Get faster pull times with Nydus on CoreWeave](https://docs.coreweave.com/cloud-tools/nydus) + +## Security Issue Resolution + +### Responsible Disclosure Process + +Dragonfly has a security policy and process in place for responsible disclosure of security vulnerabilities, refer to the +[SECURITY.md](https://github.com/dragonflyoss/Dragonfly2/blob/main/SECURITY.md). + +- Security researchers can report vulnerabilities confidentially by emailing the Dragonfly maintainers at . +- Report the security issue with the detailed information, such as the description of the vulnerability, + the steps to reproduce the vulnerability through the . +- The Dragonfly maintainers will acknowledge the report within 48 hours and provide an estimated timeline for a fix. +- Patch releases are made available as soon as possible after the vulnerability is confirmed and a fix is available. + +### Incident Response + +The Dragonfly maintainers will respond to security incidents within 48 hours of being notified. In practice, +the response time is usually much faster. The Dragonfly maintainers will work with the reporter to understand +the issue and develop a fix. + +## Appendix + +### Known Issues Over Time + +There haven't been any known security issues in the project. If you find any security issues, +please report them tools like GitHub issues, mailing lists, CNCF and through Slack channels. + +### CII Best Practices + +Dragonfly has attained the Open Source Security Foundation(OpenSSF) Best Practices Badge, +refer to . + +### Case Studies + +- Volcano Engine - +- KuaiShou - +- Ant Group - +- CoreWeave - + +### Related Projects/Vendors + +- **Harbor** provides a registry for storing and distributing container images. It can be integrated with Dragonfly to + accelerate image distribution. Dragonfly will help Harbor to distribute images based on P2P technology in + a large-scale cluster. +- **Containerd** is a container runtime. Dragonfly integrates with containerd to provide + image acceleration and container launching based on P2P technology. Dragonfly will become an mirror for containerd + to intercept the image download traffic to accelerate the image download. If user uses Nydus Snapshotter, the containerd will + download image on-demand and launch container faster. +- **Docker** is a container runtime. Dragonfly integrates with Docker to provide image acceleration and + container launching based on P2P technology. Dragonfly will intercept the Docker image download traffic by HTTP Proxy + to accelerate the image download.