introduce in_init_tree flag for process events #3209
Define a new field in the Container message to mark whether a containerized process is in the container's "init" process tree. In other words, this field is true if and only if the process exists in the container's PID namespace and has a direct lineage traceable to PID=1 in that PID namespace. This is useful for example to filter for process events that come from a kubectl exec or an nsenter. Signed-off-by: William Findlay <[email protected]>
Whoops, bad find and replace messed up some field names. Fixing.
c2a9df0 to 21aa867
Set the EVENT_IN_INIT_TREE on a new child process on clone if it meets the criteria. We'll later use this to set the corresponding flag in the process's container field in userspace. Signed-off-by: William Findlay <[email protected]>
21aa867 to 7d4698f
There were two flags missing from the flags array in pkg/reader. Add them here. Signed-off-by: William Findlay <[email protected]>
Set Process.Pod.Container.InInitTree when a process has been marked as being in its container's init process tree on the BPF side. Signed-off-by: William Findlay <[email protected]>
7d4698f to fa325f8
api change looks good ✅
lgtm!
readyWG.Wait() | ||
observertesthelper.DockerStart(t, "in-init-tree-test") | ||
time.Sleep(1 * time.Second) |
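Review bot: the fixed time.Sleep(1 * time.Second) after observertesthelper.DockerStart is a timing assumption, not a readiness check; if the image pull or container start takes longer than a second, the exec events arrive after the test has moved on and it flakes. Waiting on readyWG before DockerStart is the right order (the observer is up before the container's first clone), so only the sleep needs replacing: poll the container's state (e.g. docker ps on the "in-init-tree-test" name) with a deadline and fail the test if it never reaches running.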
I admit sleeping is easier. If this is one day flaky (because downloading the image took long on creation), with docker ps -a you can check that the container was created (image was downloaded) or that it was started with docker ps.
hm yeah, we're already sleeping in other docker tests. I'm gonna go through and refactor them all at some point so let's just fix that up then.
Implement a container_id filter, primarily to support its use in docker-based unit testing. Signed-off-by: William Findlay <[email protected]>
fa325f8 to e9bfc4d
Write a unit test for in_init_tree. The test makes sure that processes descending from the entrypoint are in_init_tree and that a docker exec'd process is not in_init_tree. Signed-off-by: William Findlay <[email protected]>
Implement a new export filter for the process.in_init_tree field. Signed-off-by: William Findlay <[email protected]>
e9bfc4d to 50ba9b5
This PR introduces a new flag for process events, in_init_tree, which is propagated from BPF via the execve map. The flag indicates whether a process is a member of its container's initial process tree, or whether it was spawned externally. For instance:

- Outside a container, the in_init_tree value is always false.
- The container's entrypoint and its descendants have an in_init_tree value of true.
- A process injected into the container from outside (via docker exec or kubectl exec or nsenter) has an in_init_tree value of false.

To support unit testing this feature, we also introduce a new export filter for container IDs and use it to match container IDs in the unit test. This avoids flooding the unit test output with spurious events from the host system.
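As an added illustration (not code from this PR or from Tetragon itself), the Go model below replays the clone-time rule the description gives and the two export filters it mentions: a child is in the init tree iff it is PID 1 of its container's PID namespace or its parent is in that same namespace and already flagged, so an exec'd process with a host-namespace parent, and everything it spawns, stays false. The struct, the PID namespace ids 100/200 and the container id "abc" are constructed for the example.

```go
package main

import "fmt"

// Process is a constructed view of what BPF sees on clone (example model only).
type Process struct {
	Pid, PPid   int
	PidNS       uint64 // identity of the task's PID namespace
	NsPid       int    // PID inside PidNS; 1 is that namespace's init
	ContainerID string // empty for host processes
	InInitTree  bool   // decided once, on clone (EVENT_IN_INIT_TREE in BPF)
}

// Clone records a child in table (host PID -> process, the execve map stand-in) and
// sets in_init_tree as the PR describes: true iff the child is PID 1 of its container's
// PID namespace, or its parent is in that namespace and already in the tree.
func Clone(table map[int]*Process, p Process) *Process {
	parent, ok := table[p.PPid]
	p.InInitTree = p.ContainerID != "" && (p.NsPid == 1 ||
		(ok && parent.PidNS == p.PidNS && parent.InInitTree))
	table[p.Pid] = &p
	return &p
}

// Filter mirrors the PR's export filters (container ID, "" = any; in_init_tree value).
func Filter(procs []*Process, containerID string, inInitTree bool) []int {
	var pids []int
	for _, p := range procs {
		if (containerID == "" || p.ContainerID == containerID) && p.InInitTree == inInitTree {
			pids = append(pids, p.Pid)
		}
	}
	return pids
}

// Scenario replays constructed clone events (namespace ids 100/200, container "abc").
func Scenario() []*Process {
	table := map[int]*Process{}
	c := func(pid, ppid, nspid int, ns uint64, id string) *Process {
		return Clone(table, Process{Pid: pid, PPid: ppid, NsPid: nspid, PidNS: ns, ContainerID: id})
	}
	return []*Process{
		c(1, 0, 1, 100, ""), c(500, 1, 500, 100, ""), // host init, containerd-shim
		c(1000, 500, 1, 200, "abc"), c(1001, 1000, 5, 200, "abc"), c(1002, 1001, 6, 200, "abc"),
		c(600, 500, 600, 100, ""), // runc exec helper: still in the host namespace
		c(1100, 600, 9, 200, "abc"), c(1101, 1100, 10, 200, "abc"), // docker exec'd process and its child
	}
}

func main() { fmt.Println(Filter(Scenario(), "abc", true), Filter(Scenario(), "abc", false)) } // [1000 1001 1002] [1100 1101]
```

Note that the exec'd process's own child (1101) has a same-namespace parent but still stays false, because the flag is inherited from the parent rather than recomputed from the namespace alone.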
Changelog