fix(CI): add permissions to login-to-amazon-ecr job

Signed-off-by: Aldo Lacuku <aldo@lacuku.eu>

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,6 +1,6 @@
 <!--  Thanks for sending a pull request!  Here are some tips for you:
 
-1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](https://github.com/falcosecurity/falco/blob/dev/CONTRIBUTING.md) file in the Falco repository.
+1. If this is your first time, please read our contributor guidelines in the [CONTRIBUTING.md](https://github.com/falcosecurity/.github/blob/main/CONTRIBUTING.md) file in the Falco `.github` repository.
 2. Please label this pull request according to what type of issue you are addressing.
 3. Please add a release note!
 4. If the PR is unfinished while opening it specify a wip in the title before the actual title, for example, "wip: my awesome feature"

.github/workflows/docker-image.yaml

@@ -21,38 +21,55 @@ on:
         description: The digest of the pushed image.
         value: ${{ jobs.docker-image.outputs.digest }}
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   docker-image:
     runs-on: ubuntu-22.04
     outputs:
-        image: ${{ steps.build-and-push.outputs.image }}
-        digest: ${{ steps.build-and-push.outputs.digest }}
+      image: ${{ steps.build-and-push.outputs.image }}
+      digest: ${{ steps.build-and-push.outputs.digest }}
     steps:
       - name: Checkout
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 
       - name: Set up Docker Buildx
         id: Buildx
-        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
 
       - name: Login to Docker Hub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_SECRET }}
-      
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcoctl-ecr
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+        with:
+          registry-type: public
+
       - name: Docker Meta
         id: meta_falcoctl
-        uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           # list of Docker images to use as base name for tags
           images: |
             docker.io/falcosecurity/falcoctl
+            public.ecr.aws/falcosecurity/falcoctl
           tags: |
             type=ref,event=branch
             type=semver,pattern={{ version }}
@@ -61,7 +78,7 @@ jobs:
 
       - name: Build and push
         id: build-and-push
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64
@@ -75,7 +92,7 @@ jobs:
 
       - name: Install Cosign
         if: ${{ inputs.sign }}
-        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
       - name: Sign the images with GitHub OIDC Token
         if: ${{ inputs.sign }}

.github/workflows/integration.yaml

@@ -80,10 +80,74 @@ jobs:
     needs: docker-configure
     uses: ./.github/workflows/docker-image.yaml
     secrets: inherit
+    permissions:
+      contents: read
+      id-token: write
     with:
       release: ${{ needs.docker-configure.outputs.release }}
       commit: ${{ needs.docker-configure.outputs.commit }}
       build_date: ${{ needs.docker-configure.outputs.build_date }}
+      sign: true
+
+  provenance-for-images-docker:
+    if: ${{ github.event_name == 'push' }}
+    needs: [docker-configure, docker-image]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: docker.io/falcosecurity/falcoctl
+      # The image digest is used to prevent TOCTOU issues.
+      # This is an output of the docker/build-push-action
+      # See: https://github.com/slsa-framework/slsa-verifier#toctou-attacks
+      digest: ${{ needs.docker-image.outputs.digest }}
+    secrets:
+      registry-username: ${{ secrets.DOCKERHUB_USER }}
+      registry-password: ${{ secrets.DOCKERHUB_SECRET }}
+
+  login-to-amazon-ecr:
+    if: ${{ github.event_name == 'push' }}
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcoctl-ecr
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+        with:
+          registry-type: public
+          mask-password: 'false'
+    outputs:
+      registry: ${{ steps.login-ecr-public.outputs.registry }}
+      docker_username: ${{ steps.login-ecr-public.outputs.docker_username_public_ecr_aws }}
+      docker_password: ${{ steps.login-ecr-public.outputs.docker_password_public_ecr_aws }}
+
+  provenance-for-images-aws-ecr:
+    if: ${{ github.event_name == 'push' }}
+    needs: [docker-configure, docker-image, login-to-amazon-ecr]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: public.ecr.aws/falcosecurity/falcoctl
+      # The image digest is used to prevent TOCTOU issues.
+      # This is an output of the docker/build-push-action
+      # See: https://github.com/slsa-framework/slsa-verifier#toctou-attacks
+      digest: ${{ needs.docker-image.outputs.digest }}
+    secrets:
+      registry-username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
+      registry-password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}
 
   test:
     needs: build

.github/workflows/release.yaml

@@ -120,7 +120,7 @@ jobs:
       build_date: ${{ needs.docker-configure.outputs.build_date }}
       sign: true
 
-  provenance-for-images:
+  provenance-for-images-docker:
     needs: [docker-configure, docker-image]
     permissions:
       actions: read # for detecting the Github Actions environment.
@@ -136,3 +136,43 @@ jobs:
     secrets:
       registry-username: ${{ secrets.DOCKERHUB_USER }}
       registry-password: ${{ secrets.DOCKERHUB_SECRET }}
+
+  login-to-amazon-ecr:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcoctl-ecr
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr-public
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+        with:
+          registry-type: public
+          mask-password: 'false'
+    outputs:
+      registry: ${{ steps.login-ecr-public.outputs.registry }}
+      docker_username: ${{ steps.login-ecr-public.outputs.docker_username_public_ecr_aws }}
+      docker_password: ${{ steps.login-ecr-public.outputs.docker_password_public_ecr_aws }}
+
+  provenance-for-images-aws-ecr:
+    needs: [docker-configure, docker-image, login-to-amazon-ecr]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
+    with:
+      image: public.ecr.aws/falcosecurity/falcoctl
+      # The image digest is used to prevent TOCTOU issues.
+      # This is an output of the docker/build-push-action
+      # See: https://github.com/slsa-framework/slsa-verifier#toctou-attacks
+      digest: ${{ needs.docker-image.outputs.digest }}
+    secrets:
+      registry-username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
+      registry-password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}

cmd/driver/cleanup/cleanup.go

@@ -66,7 +66,7 @@ func (o *driverCleanupOptions) RunDriverCleanup(_ context.Context) error {
 	if o.Printer.Logger.Formatter == pterm.LogFormatterJSON {
 		// Only print formatted text if we are formatting to json
 		out := strings.ReplaceAll(buf.String(), "\n", ";")
-		o.Printer.Logger.Info("Driver build", o.Printer.Logger.Args("output", out))
+		o.Printer.Logger.Info("Driver cleanup", o.Printer.Logger.Args("output", out))
 	} else {
 		// Print much more readable output as-is
 		o.Printer.DefaultText.Print(buf.String())

cmd/driver/install/install.go

@@ -36,6 +36,7 @@ import (
 type driverDownloadOptions struct {
 	InsecureDownload bool
 	HTTPTimeout      time.Duration
+	HTTPHeaders      string
 }
 
 type driverInstallOptions struct {
@@ -92,6 +93,10 @@ func NewDriverInstallCmd(ctx context.Context, opt *options.Common, driver *optio
 			"(e.g. '#1 SMP PREEMPT_DYNAMIC Debian 6.1.38-2 (2023-07-27)')")
 	cmd.Flags().BoolVar(&o.InsecureDownload, "http-insecure", false, "Whether you want to allow insecure downloads or not")
 	cmd.Flags().DurationVar(&o.HTTPTimeout, "http-timeout", 60*time.Second, "Timeout for each http try")
+	cmd.Flags().StringVar(&o.HTTPHeaders, "http-headers",
+		"",
+		"Optional comma-separated list of headers for the http GET request "+
+			"(e.g. --http-headers='x-emc-namespace: default,Proxy-Authenticate: Basic'). Not necessary if default repo is used")
 	return cmd
 }
 
@@ -158,7 +163,7 @@ func (o *driverInstallOptions) RunDriverInstall(ctx context.Context) (string, er
 	if o.Printer.Logger.Formatter == pterm.LogFormatterJSON {
 		// Only print formatted text if we are formatting to json
 		out := strings.ReplaceAll(buf.String(), "\n", ";")
-		o.Printer.Logger.Info("Driver build", o.Printer.Logger.Args("output", out))
+		o.Printer.Logger.Info("Driver cleanup", o.Printer.Logger.Args("output", out))
 	} else {
 		// Print much more readable output as-is
 		o.Printer.DefaultText.Print(buf.String())
@@ -173,14 +178,15 @@ func (o *driverInstallOptions) RunDriverInstall(ctx context.Context) (string, er
 		if !o.Printer.DisableStyling {
 			o.Printer.Spinner, _ = o.Printer.Spinner.Start("Trying to download the driver")
 		}
-		dest, err = driverdistro.Download(ctx, d, o.Printer.WithWriter(&buf), kr, o.Driver.Name, o.Driver.Type, o.Driver.Version, o.Driver.Repos)
+		dest, err = driverdistro.Download(ctx, d, o.Printer.WithWriter(&buf), kr, o.Driver.Name,
+			o.Driver.Type, o.Driver.Version, o.Driver.Repos, o.HTTPHeaders)
 		if o.Printer.Spinner != nil {
 			_ = o.Printer.Spinner.Stop()
 		}
 		if o.Printer.Logger.Formatter == pterm.LogFormatterJSON {
 			// Only print formatted text if we are formatting to json
 			out := strings.ReplaceAll(buf.String(), "\n", ";")
-			o.Printer.Logger.Info("Driver build", o.Printer.Logger.Args("output", out))
+			o.Printer.Logger.Info("Driver download", o.Printer.Logger.Args("output", out))
 		} else {
 			// Print much more readable output as-is
 			o.Printer.DefaultText.Print(buf.String())

cmd/driver/install/install_test.go

@@ -36,6 +36,7 @@ Flags:
       --compile                 Whether to enable local compilation of drivers (default true)
       --download                Whether to enable download of prebuilt drivers (default true)
   -h, --help                    help for install
+      --http-headers string     Optional comma-separated list of headers for the http GET request (e.g. --http-headers='x-emc-namespace: default,Proxy-Authenticate: Basic'). Not necessary if default repo is used
       --http-insecure           Whether you want to allow insecure downloads or not
       --http-timeout duration   Timeout for each http try (default 1m0s)
       --kernelrelease string    Specify the kernel release for which to download/build the driver in the same format used by 'uname -r' (e.g. '6.1.0-10-cloud-amd64')

pkg/driver/distro/distro.go

@@ -203,6 +203,7 @@ func Download(ctx context.Context,
 	driverName string,
 	driverType drivertype.DriverType,
 	driverVer string, repos []string,
+	httpHeaders string,
 ) (string, error) {
 	driverFileName := toFilename(d, &kr, driverName, driverType)
 	// Skip if existent
@@ -222,6 +223,17 @@ func Download(ctx context.Context,
 			printer.Logger.Warn("Error creating http request.", printer.Logger.Args("err", err))
 			continue
 		}
+		if httpHeaders != "" {
+			header := http.Header{}
+			for _, h := range strings.Split(httpHeaders, ",") {
+				key, value := func() (string, string) {
+					x := strings.Split(h, ":")
+					return x[0], x[1]
+				}()
+				header.Add(key, value)
+			}
+			req.Header = header
+		}
 		resp, err := http.DefaultClient.Do(req)
 		if err != nil || resp.StatusCode != 200 {
 			if err == nil {

pkg/driver/distro/flatcar.go

@@ -28,29 +28,57 @@ import (
 )
 
 const flatcarRelocateScript = `
-local -a tools=(
-		scripts/basic/fixdep
-		scripts/mod/modpost
-		tools/objtool/objtool
-	)
-local -r hostld=$(ls /host/usr/lib64/ld-linux-*.so.*)
-local -r kdir=/lib/modules/$(ls /lib/modules/)/build
-echo "** Found host dl interpreter: ${hostld}"
-for host_tool in ${tools[@]}; do
-	t=${host_tool}
-	tool=$(basename $t)
-	tool_dir=$(dirname $t)
-	host_tool=${kdir}/${host_tool}
-	if [ ! -f ${host_tool} ]; then
+set -euo pipefail
+
+shopt -s nullglob
+
+hostlds=( /host/usr/lib64/ld-linux-*.so.* )
+if [[ ${#hostlds[@]} -eq 0 ]]; then
+	echo "** no dynamic loaders found"
+	exit 1
+fi
+if [[ ${#hostlds[@]} -gt 1 ]]; then
+	echo "** more than one fitting dynamic loader found, picking first"
+fi
+hostld=${hostlds[0]}
+echo "** Found host dynamic loader: ${hostld}"
+
+kdirs=( /host/lib/modules/*/build )
+if [[ ${#kdirs[@]} -eq 0 ]]; then
+	echo "** no kernel module tools directories found"
+	exit 1
+fi
+if [[ ${#kdirs[@]} -gt 1 ]]; then
+	echo "** more than one fitting kernel module tools directory found, picking first"
+fi
+kdir=${kdirs[0]}
+echo "** Found kernel tools directory: ${kdir}"
+
+tools=(
+	scripts/basic/fixdep
+	scripts/mod/modpost
+	tools/objtool/objtool
+)
+
+tmp_dir=$(mktemp -d)
+for tool in "${tools[@]}"; do
+	host_tool=${kdir}/${tool}
+	if [[ ! -f ${host_tool} ]]; then
+		echo "${tool@Q} not found in ${kdir@Q}, not patching"
 		continue
 	fi
-	umount ${host_tool} 2>/dev/null || true
-	mkdir -p /tmp/${tool_dir}/
-	cp -a ${host_tool} /tmp/${tool_dir}/
-	echo "** Setting host dl interpreter for $host_tool"
-	patchelf --set-interpreter ${hostld} --set-rpath /host/usr/lib64 /tmp/${tool_dir}/${tool}
-	mount -o bind /tmp/${tool_dir}/${tool} ${host_tool}
+	umount "${host_tool}" 2>/dev/null || true
+	tmp_tool=${tmp_dir}/${tool}
+	mkdir -p "$(dirname "${tmp_tool}")"
+	cp -a "${host_tool}" "${tmp_tool}"
+	echo "** Setting host dynamic loader for ${tool@Q}"
+	patchelf \
+		--set-interpreter "${hostld}" \
+		--set-rpath /host/usr/lib64 \
+		"${tmp_tool}"
+	mount -o bind "${tmp_tool}" "${host_tool}"
 done
+rm -rf "${tmp_dir}"
 `
 
 func init() {
@@ -94,7 +122,7 @@ func (f *flatcar) customizeBuild(ctx context.Context,
 		return nil, nil
 	}
 	printer.Logger.Info("Flatcar detected; relocating kernel tools.", printer.Logger.Args("version", f.versionID))
-	out, err := exec.CommandContext(ctx, "/bin/bash", "-c", flatcarRelocateScript).Output()
+	out, err := exec.CommandContext(ctx, "/bin/bash", "-c", flatcarRelocateScript).CombinedOutput()
 	if err != nil {
 		printer.DefaultText.Print(string(out))
 	}

pkg/driver/distro/generic.go

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (C) 2023 The Falco Authors
+// Copyright (C) 2024 The Falco Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -16,7 +16,7 @@
 package driverdistro
 
 import (
-	"strings"
+	"regexp"
 
 	"github.com/blang/semver"
 	"github.com/falcosecurity/driverkit/pkg/kernelrelease"
@@ -27,6 +27,14 @@ import (
 	"github.com/falcosecurity/falcoctl/pkg/output"
 )
 
+// Parse start of string as "#NUMBER":
+// eg1: "#1 SMP PREEMPT_DYNAMIC Tue, 10 Oct 2023 21:10:21 +0000" -> "1".
+// eg2: #1-photon -> "1"
+// Old falco-driver-loader method did:
+// echo "${DRIVER_KERNEL_VERSION}" | sed 's/#\([[:digit:]]\+\).*/\1/'
+// The regex does the same thing.
+var genericKernelVersionRegex = regexp.MustCompile(`#(\d+).*`)
+
 type generic struct {
 	targetID string
 }
@@ -43,10 +51,10 @@ func (g *generic) String() string {
 
 //nolint:gocritic // the method shall not be able to modify kr
 func (g *generic) FixupKernel(kr kernelrelease.KernelRelease) kernelrelease.KernelRelease {
-	// Take eg: "#1 SMP PREEMPT_DYNAMIC Tue, 10 Oct 2023 21:10:21 +0000" and return "1".
-	kv := strings.TrimLeft(kr.KernelVersion, "#")
-	kv = strings.Split(kv, " ")[0]
-	kr.KernelVersion = kv
+	matches := genericKernelVersionRegex.FindStringSubmatch(kr.KernelVersion)
+	if len(matches) == 2 {
+		kr.KernelVersion = matches[1]
+	}
 	return kr
 }
 

pkg/driver/distro/generic_test.go

@@ -0,0 +1,61 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (C) 2024 The Falco Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package driverdistro
+
+import (
+	"testing"
+
+	"github.com/falcosecurity/driverkit/pkg/kernelrelease"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestDistroGeneric(t *testing.T) {
+	type testCase struct {
+		krInput    string
+		kvInput    string
+		kvExpected string
+	}
+	testCases := []testCase{
+		{
+			krInput:    "4.19.283-3.ph3",
+			kvInput:    "#1-photon SMP Fri Jun 16 02:25:27 UTC 2023",
+			kvExpected: "1",
+		},
+		{
+			krInput:    "6.7.2-arch1-2",
+			kvInput:    "#1 SMP PREEMPT_DYNAMIC Wed, 31 Jan 2024 09:22:15 +0000",
+			kvExpected: "1",
+		},
+		{
+			krInput:    "6.7.2-arch1-2",
+			kvInput:    "#231asfa #rf3f",
+			kvExpected: "231",
+		},
+		{
+			krInput:    "6.7.2-arch1-2",
+			kvInput:    "#231asfa234",
+			kvExpected: "231",
+		},
+	}
+
+	g := &generic{}
+	for _, tCase := range testCases {
+		kr := kernelrelease.FromString(tCase.krInput)
+		kr.KernelVersion = tCase.kvInput
+		fixedKr := g.FixupKernel(kr)
+		assert.Equal(t, tCase.kvExpected, fixedKr.KernelVersion)
+	}
+}

pkg/driver/distro/ubuntu.go

@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-// Copyright (C) 2023 The Falco Authors
+// Copyright (C) 2024 The Falco Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -59,7 +59,8 @@ func (u *ubuntu) FixupKernel(kr kernelrelease.KernelRelease) kernelrelease.Kerne
 	// so that eg: we receive "26~22.04.1-Ubuntu",
 	// therefore we only need to drop "-Ubuntu" suffix
 	// Take eg: "#1 SMP PREEMPT_DYNAMIC Tue, 10 Oct 2023 21:10:21 +0000" and return "1".
-	kr = u.generic.FixupKernel(kr)
-	kr.KernelVersion = strings.TrimSuffix(kr.KernelVersion, "-Ubuntu")
+	kv := strings.TrimLeft(kr.KernelVersion, "#")
+	kv = strings.Split(kv, " ")[0]
+	kr.KernelVersion = strings.TrimSuffix(kv, "-Ubuntu")
 	return kr
 }