DataDog · dd-mergequeue · Feb 7, 2025 · Feb 3, 2025
@@ -10,6 +10,7 @@ struct activity_dump_config {
     u16 events_rate;
     u16 padding;
     u32 paused;
+    u32 cgroup_flags;
 };
 
 #endif
@@ -161,7 +161,7 @@ func (e *Process) MarshalPidCache(data []byte, bootTime time.Time) (int, error)
 
 // MarshalBinary marshals a binary representation of itself
 func (adlc *ActivityDumpLoadConfig) MarshalBinary() ([]byte, error) {
-	raw := make([]byte, 48)
+	raw := make([]byte, 56)
 
 	var eventMask uint64
 	for _, evt := range adlc.TracedEventTypes {
@@ -175,6 +175,8 @@ func (adlc *ActivityDumpLoadConfig) MarshalBinary() ([]byte, error) {
 	binary.NativeEndian.PutUint16(raw[40:42], adlc.Rate)
 	binary.NativeEndian.PutUint16(raw[42:44], 0)
 	binary.NativeEndian.PutUint32(raw[44:48], adlc.Paused)
+	binary.NativeEndian.PutUint32(raw[48:52], uint32(adlc.CGroupFlags))
+	binary.NativeEndian.PutUint32(raw[52:56], 0) // padding
 
 	return raw, nil
 }

@@ -697,6 +697,7 @@ type ActivityDumpLoadConfig struct {
 	EndTimestampRaw      uint64
 	Rate                 uint16 // max number of events per sec
 	Paused               uint32
+	CGroupFlags          containerutils.CGroupFlags
 }
 
 // NetworkDeviceContext represents the network device context of a network event

@@ -1016,7 +1016,7 @@ func (e *CgroupWriteEvent) UnmarshalBinary(data []byte) (int, error) {
 
 // EventUnmarshalBinary unmarshals a binary representation of itself
 func (adlc *ActivityDumpLoadConfig) EventUnmarshalBinary(data []byte) (int, error) {
-	if len(data) < 48 {
+	if len(data) < 56 {
 		return 0, ErrNotEnoughData
 	}
 
@@ -1033,7 +1033,9 @@ func (adlc *ActivityDumpLoadConfig) EventUnmarshalBinary(data []byte) (int, erro
 	adlc.Rate = binary.NativeEndian.Uint16(data[40:42])
 	// 2 bytes of padding
 	adlc.Paused = binary.NativeEndian.Uint32(data[44:48])
-	return 48, nil
+	adlc.CGroupFlags = containerutils.CGroupFlags(binary.NativeEndian.Uint32(data[48:52]))
+	// +4 bytes of padding
+	return 56, nil
 }
 
 // UnmarshalBinary unmarshals a binary representation of itself

@@ -128,11 +128,12 @@ type SyscallPolicy struct {
 }
 
 // NewActivityDumpLoadConfig returns a new instance of ActivityDumpLoadConfig
-func NewActivityDumpLoadConfig(evt []model.EventType, timeout time.Duration, waitListTimeout time.Duration, rate uint16, start time.Time, resolver *stime.Resolver) *model.ActivityDumpLoadConfig {
+func NewActivityDumpLoadConfig(evt []model.EventType, timeout time.Duration, waitListTimeout time.Duration, rate uint16, start time.Time, flags containerutils.CGroupFlags, resolver *stime.Resolver) *model.ActivityDumpLoadConfig {
 	adlc := &model.ActivityDumpLoadConfig{
 		TracedEventTypes: evt,
 		Timeout:          timeout,
 		Rate:             uint16(rate),
+		CGroupFlags:      flags,
 	}
 	if resolver != nil {
 		adlc.StartTimestampRaw = uint64(resolver.ComputeMonotonicTimestamp(start))
@@ -158,7 +159,7 @@ func NewEmptyActivityDump(pathsReducer *activity_tree.PathsReducer) *ActivityDum
 type WithDumpOption func(ad *ActivityDump)
 
 // NewActivityDump returns a new instance of an ActivityDump
-func NewActivityDump(adm *ActivityDumpManager, options ...WithDumpOption) *ActivityDump {
+func NewActivityDump(adm *ActivityDumpManager, cgroupFlags containerutils.CGroupFlags, options ...WithDumpOption) *ActivityDump {
 	ad := NewEmptyActivityDump(adm.pathsReducer)
 	now := time.Now()
 	ad.Metadata = mtdt.Metadata{
@@ -183,6 +184,7 @@ func NewActivityDump(adm *ActivityDumpManager, options ...WithDumpOption) *Activ
 		adm.config.RuntimeSecurity.ActivityDumpCgroupWaitListTimeout,
 		adm.config.RuntimeSecurity.ActivityDumpRateLimiter,
 		now,
+		cgroupFlags,
 		adm.resolvers.TimeResolver,
 	)
 	ad.LoadConfigCookie = utils.NewCookie()
@@ -238,6 +240,7 @@ func NewActivityDumpFromMessage(msg *api.ActivityDumpMessage) (*ActivityDump, er
 		0,
 		0,
 		startTime,
+		0,
 		nil,
 	)
 	ad.DNSNames = utils.NewStringKeys(msg.GetDNSNames())

@@ -71,6 +71,7 @@ func (lc *ActivityDumpLoadController) getDefaultLoadConfigs() (map[containerutil
 		0,
 		lc.adm.config.RuntimeSecurity.ActivityDumpRateLimiter,
 		time.Now(),
+		0, // cgroup flags will be set per cgroup manager
 		lc.adm.resolvers.TimeResolver,
 	)
 	defaults.WaitListTimestampRaw = uint64(lc.adm.config.RuntimeSecurity.ActivityDumpCgroupWaitListTimeout)
@@ -88,7 +89,9 @@ func (lc *ActivityDumpLoadController) getDefaultLoadConfigs() (map[containerutil
 		if !found {
 			return nil, fmt.Errorf("unsupported cgroup manager '%s'", cgroupManager)
 		}
-		defaultConfigs[cgroupManager] = defaults
+		cgroupManagerLoadConfig := *defaults
+		cgroupManagerLoadConfig.CGroupFlags = containerutils.CGroupFlags(cgroupManager)
+		defaultConfigs[cgroupManager] = &cgroupManagerLoadConfig
 	}
 	lc.activityDumpLoadConfig = defaultConfigs
 	return defaultConfigs, nil
@@ -113,7 +116,7 @@ func (lc *ActivityDumpLoadController) PushDefaultCurrentConfigs() error {
 // NextPartialDump returns a new dump with the same parameters as the current one, or with reduced load config parameters
 // when applicable
 func (lc *ActivityDumpLoadController) NextPartialDump(ad *ActivityDump) *ActivityDump {
-	newDump := NewActivityDump(ad.adm)
+	newDump := NewActivityDump(ad.adm, ad.LoadConfig.CGroupFlags)
 	newDump.Metadata.ContainerID = ad.Metadata.ContainerID
 	newDump.Metadata.CGroupContext = ad.Metadata.CGroupContext
 	newDump.Metadata.DifferentiateArgs = ad.Metadata.DifferentiateArgs
@@ -141,6 +144,7 @@ func (lc *ActivityDumpLoadController) NextPartialDump(ad *ActivityDump) *Activit
 	copy(newDump.LoadConfig.TracedEventTypes, ad.LoadConfig.TracedEventTypes)
 	newDump.LoadConfig.Rate = ad.LoadConfig.Rate
 	newDump.LoadConfigCookie = ad.LoadConfigCookie
+	newDump.LoadConfig.CGroupFlags = ad.LoadConfig.CGroupFlags
 
 	if timeToThreshold < lc.minDumpTimeout {
 		if err := lc.reduceDumpRate(ad, newDump); err != nil {

@@ -411,7 +411,7 @@ func (adm *ActivityDumpManager) insertActivityDump(newDump *ActivityDump) error
 
 // handleDefaultDumpRequest starts dumping a new workload with the provided load configuration and the default dump configuration
 func (adm *ActivityDumpManager) startDumpWithConfig(containerID containerutils.ContainerID, cgroupContext model.CGroupContext, cookie uint64, loadConfig model.ActivityDumpLoadConfig) error {
-	newDump := NewActivityDump(adm, func(ad *ActivityDump) {
+	newDump := NewActivityDump(adm, loadConfig.CGroupFlags, func(ad *ActivityDump) {
 		ad.Metadata.ContainerID = containerID
 		ad.Metadata.CGroupContext = cgroupContext
 		ad.SetLoadConfig(cookie, loadConfig)
@@ -576,7 +576,7 @@ func (adm *ActivityDumpManager) DumpActivity(params *api.ActivityDumpParams) (*a
 		params.Storage.LocalStorageDirectory = adm.config.RuntimeSecurity.ActivityDumpLocalStorageDirectory
 	}
 
-	newDump := NewActivityDump(adm, func(ad *ActivityDump) {
+	newDump := NewActivityDump(adm, 0, func(ad *ActivityDump) {
 		ad.Metadata.ContainerID = containerutils.ContainerID(params.GetContainerID())
 		ad.Metadata.CGroupContext.CGroupID = containerutils.CGroupID(params.GetCGroupID())
 
@@ -771,7 +771,7 @@ func (pces *processCacheEntrySearcher) SearchTracedProcessCacheEntry(entry *mode
 func (adm *ActivityDumpManager) TranscodingRequest(params *api.TranscodingRequestParams) (*api.TranscodingRequestMessage, error) {
 	adm.Lock()
 	defer adm.Unlock()
-	ad := NewActivityDump(adm)
+	ad := NewActivityDump(adm, 0)
 
 	// open and parse input file
 	if err := ad.Decode(params.GetActivityDumpFile()); err != nil {
@@ -860,6 +860,14 @@ func (adm *ActivityDumpManager) SnapshotTracedCgroups() {
 			continue
 		}
 
+		cgroupContext, err := adm.resolvers.ResolveCGroupContext(cgroupFile, event.Config.CGroupFlags)
+		if err != nil {
+			seclog.Warnf("couldn't resolve cgroup context for (%v): %v", cgroupFile, err)
+			continue
+		}
+
+		event.CGroupContext = *cgroupContext
+
 		adm.HandleCGroupTracingEvent(&event)
 	}
 

@@ -1215,7 +1215,7 @@ func (tm *testModule) DecodeActivityDump(path string) (*dump.ActivityDump, error
 		return nil, errors.New("No activity dump manager")
 	}
 
-	ad := dump.NewActivityDump(adm)
+	ad := dump.NewActivityDump(adm, 0)
 	if ad == nil {
 		return nil, errors.New("Creation of new activity dump fails")
 	}