introduce in_init_tree flag for process events #3209
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Define a new field in the Container message to mark whether a containerized process is in the container's "init" process tree. In other words, this field is true if and only if the process exists in the container's PID namespace and has a direct lineage traceable to PID=1 in that PID namespace. This is useful for example to filter for process events that come from a kubectl exec or an nsenter. Signed-off-by: William Findlay <[email protected]>
will-isovalent
added
area/bpf
will-isovalent
changed the title
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
Whoops, bad find and replace messed up some field names. Fixing. |
will-isovalent
force-pushed
the
pr/will/is_init_tree
branch
2 times, most recently
from
c2a9df0 to
21aa867
Compare
Set the EVENT_IN_INIT_TREE on a new child process on clone if it meets the criteria. We'll later us this to set the corresponding flag in the process's container field in userspace. Signed-off-by: William Findlay <[email protected]>
will-isovalent
force-pushed
the
pr/will/is_init_tree
branch
from
21aa867 to
7d4698f
Compare
There were two flags missing from the flags array in pkg/reader. Add them here. Signed-off-by: William Findlay <[email protected]>
Set Process.Pod.Container.InInitTree when a process has been marked as being in its container's init process tree on the BPF side. Signed-off-by: William Findlay <[email protected]>
will-isovalent
force-pushed
the
pr/will/is_init_tree
branch
from
7d4698f to
fa325f8
Compare
michi-covalent
approved these changes
Dec 11, 2024
mtardy
approved these changes
Dec 11, 2024
|
|
||
| readyWG.Wait() | ||
| observertesthelper.DockerStart(t, "in-init-tree-test") | ||
| time.Sleep(1 * time.Second) |
There was a problem hiding this comment.
I admit sleeping is easier. If this is one day flaky (because downloading the image took long on creation), with docker ps -a you can check that the container was created (image was downloaded) or that it was started with docker ps.
There was a problem hiding this comment.
hm yeah, we're already sleeping in other docker tests. I'm gonna go through and refactor them all at some point so let's just fix that up then.
Implement a container_id filter, primarily to support its use in docker-based unit testing. Signed-off-by: William Findlay <[email protected]>
will-isovalent
force-pushed
the
pr/will/is_init_tree
branch
from
fa325f8 to
e9bfc4d
Compare
Write a unit test for in_init_tree. The test makes sure that processes descending from the entrypoint are in_init_tree and that a docker exec'd process is not in_init_tree. Signed-off-by: William Findlay <[email protected]>
Implement a new export filter for the process.in_init_tree field. Signed-off-by: William Findlay <[email protected]>
will-isovalent
force-pushed
the
pr/will/is_init_tree
branch
from
e9bfc4d to
50ba9b5
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces a new flag for process events,
in_init_tree, which is propagated from BPF via the execve map. The flag indicates whether a process is a member of its container's initial process tree, or whether it was spawned externally. For instance:in_init_treevalue is always false.in_init_treevalue of true.docker execorkubectl execornsenter) has anin_init_treevalue of falseTo support unit testing this feature, we also introduce a new export filter for container IDs and use it to match container IDs in the unit test. This avoids flooding the unit test output with spurious events from the host system.
Changelog