Populate cmdline perf #223
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ailable If Linux kernel is built with CONFIG_AUDIT=n, /proc loginuid file is not available to provide the loginuid of the process. Instead of failing to add process into libscap thread table, record process loginuid=-1 instead.
- Support terminating scan after specified timeout - Support periodic log messages to report progress - API to specify timeout, log interval, and log function - Add last PID and total FDs processed, to /proc scan progress messages - Enhance scap_open args and logic to record debug_log_fn and parameters - Reworked /proc scan to reduce complexity and nesting depth - Pass through API to specify log/timeout parameters to libscap /proc scan
Changes to support tracking how a container was configured with an initial user and make that info available as user.name for CONTAINER_JSON events: 1. Add a "container user" field m_container_user to container_info. By default, the value is "<NA>". 2. In the docker and cri container engine resolvers, parse any configured user info out of the json response and set m_container_user. 3. Serialize the parsed username to the json blob that comprises a CONTAINER_JSON event, and parse it out of the json blob when parsing a CONTAINER_JSON event. 4. When creating the fake threadinfo that is attached to a container event, also set m_exe to "container:<id>". 5. For the proc.name filtercheck, if the event type is container_json, return not the thread uid but the container user. This ends up being more robust in the face of containers where the initial process might exec and then setuid than a different user. This tracks the configured user rather than the uids of processes in the container, which might change.
Since it's very similar to Docker (modulo some quirks handled by the previous commit), it inherits almos all the code from `docker_base`. The cgroup detection for non-root containers is done manually and due to the limitations of our driver (not easily bypassed), we have to fall back to parsing cgroups files manually.
When opening a capture based on a fd (e.g. sinsp::fdopen), we cannot reopen the capture by simply calling close/open_int, as gzclose() at the end of the call chain originating from close() closes the file descriptor and we cannot access it again. So when we're reopening a fd-based capture, dup() the original fd, lseek() it to the beginning and substitute it for the closed one.
If a container is started e.g. as `docker.io/library/httpd`, this is what ends up in container.m_image. Then we match m_image against the names on the container image list, but they always have a tag, e.g. `docker.io/library/httpd:latest` so they won't match the name without a tag. Fix it by: - defaulting to the `latest` tag a bit earlier (before fetching the image list) - using repo + ':' + tag as the string to match to always have the tag in the name to compare
While these two are apparently always the same, we check .Image for the '/' and then we parse .Config.Image. Switch to parsing .Image for somewhat reduced confusion.
…390x (zLinux) architectures - Fix Little-Endian byte-ordering assumptions in HTTP parsing and IP address validation code - Adjust set of LUA APIs used, to allow interoperability with the different LUA versions available for the different architectures [SMAGENT-3292] Fix unterminated comment block to re-enable RAW_BRAKPOINTS for x86
…map option from KBUILD_CPPFLAGS For some kernel versions, the kernel headers KBUILD_CPPFLAGS environment variable contains the -fmacro-prefix-map option. But this option is not supported by older versions of clang, including the clang version which is used by the Sysdig agent image.
Co-authored-by: Grzegorz Nosek <[email protected]>
…clean up the policy disabled/deleted entries
remove extra space Co-authored-by: Angelo Puglisi <[email protected]>
remove extra space Co-authored-by: Angelo Puglisi <[email protected]>
add parenthesis for readability Co-authored-by: Angelo Puglisi <[email protected]>
eBPF probe will not build on RHEL-8, due to an unsatisfied include file dependency.
Include linux/compat.h before net/compat.h
When doing the special handling for user.name and container events, also handle PPME_CONTAINER_JSON_2, which was added in falcosecurity/libs#118. That PR looked for all references to PPME_CONTAINER_JSON and updated them to also handle PPME_CONTAINER_JSON_2, but as this special handling is *only* in agent-libs, it was missed.
…t-user-name Handle CONTAINER_JSON_2 evts for special user.name handling
Sysdig agent containers use clang-7 to build the eBPF probe. That version of clang is too old to support some of the compiler attributes which appear in the source code for more modern kernel versions. So disable warnings associated with unknown attributes.
Compile eBPF probe with -Wno-unknown-attributes
Prefer += over + Tested with callgrind, ~2x improvement Signed-off-by: Angelo Puglisi <[email protected]>
poiana
added
release-note
kind/feature
|
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: deepskyblue86 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@deepskyblue86: Adding label Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Hi @deepskyblue86. Thanks for your PR. I'm waiting for a falcosecurity member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Sorry, closing. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Prefer += over +
Tested with callgrind, ~2x improvement
Signed-off-by: Angelo Puglisi [email protected]
What type of PR is this?
Performance enhancement
/kind feature
Any specific area of the project related to this PR?
/area libsinsp
What this PR does / why we need it:
About 60% of the load on
falco_engine::process_eventissinsp_threadinfo::populate_cmdline, improving it is definitely beneficial.Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: