OpenVisualCloud
diff --git a/‎.github/workflows/codeql.yml
+3-3 b/‎.github/workflows/codeql.yml
+3-3
diff --git a/‎.github/workflows/scorecard.yml
+3-3 b/‎.github/workflows/scorecard.yml
+3-3
diff --git a/‎.github/workflows/trivy.yml
+63 b/‎.github/workflows/trivy.yml
+63
diff --git a/‎CMakeLists.txt
+3 b/‎CMakeLists.txt
+3
diff --git a/‎deployment/DaemonSet/media-proxy-rx.yaml
+85 b/‎deployment/DaemonSet/media-proxy-rx.yaml
+85
diff --git a/‎deployment/DaemonSet/media-proxy-tx.yaml
+85 b/‎deployment/DaemonSet/media-proxy-tx.yaml
+85
diff --git a/‎deployment/DaemonSet/media-proxy.yaml
+30-24 b/‎deployment/DaemonSet/media-proxy.yaml
+30-24
@@ -66,10 +66,10 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+      uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
       with:
         languages: ${{ matrix.language }}
-        config-file: ./.github/codeql/codeql-config.yml
+        config-file: ${{github.workspace}}/.github/codeql/codeql-config.yml
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
@@ -118,6 +118,6 @@ jobs:
         ./build.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+      uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
       with:
         category: "/language:${{matrix.language}}"
@@ -50,7 +50,7 @@ jobs:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecard on a *private* repository
           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+          repo_token: ${{ secrets.SCORECARD_TOKEN }}
 
           # Public repositories:
           #   - Publish results to OpenSSF REST API for easy access by consumers
@@ -64,14 +64,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+        uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
         with:
           sarif_file: results.sarif
@@ -0,0 +1,63 @@
+name: Trivy
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+permissions:
+  contents: read
+
+jobs:
+  checkout_code:
+      runs-on: ubuntu-20.04
+      name: Checkout code
+      steps:
+        - name: Harden Runner
+          uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+          with:
+            egress-policy: audit
+        - name: Checkout code
+          uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+  scan_fs:
+    runs-on: ubuntu-20.04
+    needs: checkout_code
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
+    name: Scan FS
+    steps:
+      - name: Run Trivy vulnerability scanner for 'fs'
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results-fs.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+      - name: Upload Trivy 'fs' scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          sarif_file: 'trivy-results-fs.sarif'
+
+  scan_config:
+    runs-on: ubuntu-20.04
+    needs: checkout_code
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
+    name: Scan Config
+    steps:
+      - name: Run Trivy vulnerability scanner for 'config'
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # master
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results-config.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+      - name: Upload Trivy 'config' scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+        with:
+          sarif_file: 'trivy-results-config.sarif'
@@ -15,6 +15,9 @@ set(CMAKE_CXX_EXTENSIONS NO)
 set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} -s")
 set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -s")
 
+# Disable RPATH
+set(CMAKE_SKIP_RPATH TRUE)
+
 # setup components folders
 set(MCM_DIR ${CMAKE_CURRENT_SOURCE_DIR})
 set(MP_DIR ${CMAKE_CURRENT_SOURCE_DIR}/media-proxy)
 
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: media-proxy-rx
+  namespace: mcm
+  labels:
+    app: media-proxy-rx
+spec:
+  selector:
+    matchLabels:
+      app: media-proxy-rx
+  template:
+    metadata:
+      labels:
+        app: media-proxy-rx
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/worker: "true"
+        mcm-type: rx
+      containers:
+        - name: media-proxy-rx
+          image: mcm/media-proxy:latest
+          imagePullPolicy: Never
+          command: [ "media_proxy" ]
+          args: [ "-d", "0000:31:11.5", "-i", "192.168.96.20" ]
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          resources:
+            requests:
+              cpu: 2
+              memory: 4Gi
+            limits:
+              cpu: 2
+              memory: 8Gi
+              hugepages-2Mi: 1Gi
+              hugepages-1Gi: 2Gi
+          securityContext:
+            privileged: true
+            runAsUser: 0
+            runAsGroup: 0
+          ports:
+            - containerPort: 8001
+              hostPort: 8001
+              protocol: TCP
+              name: grpc-port
+            - containerPort: 8002
+              hostPort: 8002
+              protocol: TCP
+              name: sdk-port
+          volumeMounts:
+            - name: memif-dir  # Using hostPath volume
+              mountPath: /run/mcm  # Mount path in the pod
+            - name: dev-vfio
+              mountPath: /dev/vfio
+            - mountPath: /hugepages-2Mi
+              name: hugepage-2mi
+            - mountPath: /hugepages-1Gi
+              name: hugepage-1gi
+            - mountPath: /dev/shm
+              name: cache-volume
+            - name: imtl-mgr  # Communicate with IMTL manager
+              mountPath: /var/run/imtl  # Mount path in the pod
+      volumes:
+        - name: memif-dir  # Using hostPath volume
+          hostPath:
+            path: /tmp/mcm/memif
+        - name: dev-vfio
+          hostPath:
+            path: /dev/vfio
+        - name: hugepage-2mi
+          emptyDir:
+            medium: HugePages-2Mi
+        - name: hugepage-1gi
+          emptyDir:
+            medium: HugePages-1Gi
+        - name: cache-volume
+          emptyDir:
+            medium: Memory
+            sizeLimit: 4Gi
+        - name: imtl-mgr
+          persistentVolumeClaim:
+            claimName: imtl-pvc
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: media-proxy-tx
+  namespace: mcm
+  labels:
+    app: media-proxy-tx
+spec:
+  selector:
+    matchLabels:
+      app: media-proxy-tx
+  template:
+    metadata:
+      labels:
+        app: media-proxy-tx
+    spec:
+      nodeSelector:
+        node-role.kubernetes.io/worker: "true"
+        mcm-type: tx
+      containers:
+        - name: media-proxy-tx
+          image: mcm/media-proxy:latest
+          imagePullPolicy: Never
+          command: [ "media_proxy" ]
+          args: [ "-d", "0000:31:01.5", "-i", "192.168.96.10" ]
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          resources:
+            requests:
+              cpu: 2
+              memory: 4Gi
+            limits:
+              cpu: 2
+              memory: 8Gi
+              hugepages-2Mi: 1Gi
+              hugepages-1Gi: 2Gi
+          securityContext:
+            privileged: true
+            runAsUser: 0
+            runAsGroup: 0
+          ports:
+            - containerPort: 8001
+              hostPort: 8001
+              protocol: TCP
+              name: grpc-port
+            - containerPort: 8002
+              hostPort: 8002
+              protocol: TCP
+              name: sdk-port
+          volumeMounts:
+            - name: memif-dir  # Using hostPath volume
+              mountPath: /run/mcm  # Mount path in the pod
+            - name: dev-vfio
+              mountPath: /dev/vfio
+            - mountPath: /hugepages-2Mi
+              name: hugepage-2mi
+            - mountPath: /hugepages-1Gi
+              name: hugepage-1gi
+            - mountPath: /dev/shm
+              name: cache-volume
+            - name: imtl-mgr  # Communicate with IMTL manager
+              mountPath: /var/run/imtl  # Mount path in the pod
+      volumes:
+        - name: memif-dir  # Using hostPath volume
+          hostPath:
+            path: /tmp/mcm/memif
+        - name: dev-vfio
+          hostPath:
+            path: /dev/vfio
+        - name: hugepage-2mi
+          emptyDir:
+            medium: HugePages-2Mi
+        - name: hugepage-1gi
+          emptyDir:
+            medium: HugePages-1Gi
+        - name: cache-volume
+          emptyDir:
+            medium: Memory
+            sizeLimit: 4Gi
+        - name: imtl-mgr
+          persistentVolumeClaim:
+            claimName: imtl-pvc
@@ -1,20 +1,3 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: mcm
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: memif-socket-fs
-  namespace: mcm
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 64Mi
----
 apiVersion: apps/v1
 kind: DaemonSet
 metadata:
@@ -32,17 +15,26 @@ spec:
         app: media-proxy
     spec:
       nodeSelector:
-        node-role.mcm.intel.com/worker: "true"
+        node-role.kubernetes.io/worker: "true"
       containers:
         - name: media-proxy
           image: mcm/media-proxy:latest
           imagePullPolicy: Never
-          command: [ "media_proxy" ]
           env:
           - name: NODE_NAME
             valueFrom:
               fieldRef:
                 fieldPath: spec.nodeName
+          - name: NODE_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.hostIP
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          command: [ "media_proxy" ]
+          args: [ "-d", "kernel:eth0", "-i", $(POD_IP) ]
           resources:
             limits:
               cpu: 2
@@ -53,9 +45,18 @@ spec:
             privileged: true
             runAsUser: 0
             runAsGroup: 0
+          ports:
+            - containerPort: 8001
+              hostPort: 8001
+              protocol: TCP
+              name: grpc-port
+            - containerPort: 8002
+              hostPort: 8002
+              protocol: TCP
+              name: sdk-port
           volumeMounts:
-            - name: memif-socket
-              mountPath: /run/mcm
+            - name: memif-dir  # Using hostPath volume
+              mountPath: /run/mcm  # Mount path in the pod
             - name: dev-vfio
               mountPath: /dev/vfio
             - mountPath: /hugepages-2Mi
@@ -64,10 +65,12 @@ spec:
               name: hugepage-1gi
             - mountPath: /dev/shm
               name: cache-volume
+            - name: imtl-mgr  # Communicate with IMTL manager
+              mountPath: /var/run/imtl  # Mount path in the pod
       volumes:
-        - name: memif-socket
-          persistentVolumeClaim:
-            claimName: memif-socket-fs
+        - name: memif-dir  # Using hostPath volume
+          hostPath:
+            path: /tmp/mcm/memif
         - name: dev-vfio
           hostPath:
             # Do not mount the top-level /dev/ directory for security reasons.
@@ -83,3 +86,6 @@ spec:
           emptyDir:
             medium: Memory
             sizeLimit: 4Gi
+        - name: imtl-mgr
+          persistentVolumeClaim:
+            claimName: imtl-pvc