Update the host of docs in logs #1565
…ailable If Linux kernel is built with CONFIG_AUDIT=n, /proc loginuid file is not available to provide the loginuid of the process. Instead of failing to add process into libscap thread table, record process loginuid=-1 instead.
Changes to support tracking how a container was configured with an initial user and make that info available as user.name for CONTAINER_JSON events:
1. Add a "container user" field m_container_user to container_info. By default, the value is "<NA>".
2. In the docker and cri container engine resolvers, parse any configured user info out of the json response and set m_container_user.
3. Serialize the parsed username to the json blob that comprises a CONTAINER_JSON event, and parse it out of the json blob when parsing a CONTAINER_JSON event.
4. When creating the fake threadinfo that is attached to a container event, also set m_exe to "container:<id>".
5. For the proc.name filtercheck, if the event type is container_json, return not the thread uid but the container user.
This ends up being more robust in the face of containers where the initial process might exec and then setuid to a different user. This tracks the configured user rather than the uids of processes in the container, which might change.
- Support terminating scan after specified timeout
- Support periodic log messages to report progress
- API to specify timeout, log interval, and log function
- Add last PID and total FDs processed, to /proc scan progress messages
- Enhance scap_open args and logic to record debug_log_fn and parameters
- Reworked /proc scan to reduce complexity and nesting depth
- Pass through API to specify log/timeout parameters to libscap /proc scan
This should explain the purpose of this class better
Rootless podman containers have multiple sockets (one per user account), and we don't really want to spawn a separate thread for each user. This means that we can no longer use a single CURL handle but need to create a new one for each individual request.
All the platform-specific code from docker_async_source is moved to a new docker_connection class. The interface is almost identical, so keep a single header file with two separate implementation files (one for Linux, one for Windows).
This is a private implementation detail of the connection class. Also, this fixes a bug where (on Windows) we appended `?size=true` to the wrong place in the request (to the Host header, not the URL).
We need full control over the request to make this method suitable for putting in a base class.
All the code after the initial docker container detection is platform-agnostic and can be moved to a base class.
Now we're ready to make clean OS-specific subclasses.
They have different interfaces and different implementations, keeping both under the same name doesn't really avoid any duplication
Since it's very similar to Docker (modulo some quirks handled by the previous commit), it inherits almost all the code from `docker_base`. The cgroup detection for non-root containers is done manually and due to the limitations of our driver (not easily bypassed), we have to fall back to parsing cgroups files manually.
When opening a capture based on a fd (e.g. sinsp::fdopen), we cannot reopen the capture by simply calling close/open_int, as gzclose() at the end of the call chain originating from close() closes the file descriptor and we cannot access it again. So when we're reopening a fd-based capture, dup() the original fd, lseek() it to the beginning and substitute it for the closed one.
If a container is started e.g. as `docker.io/library/httpd`, this is what ends up in container.m_image. Then we match m_image against the names on the container image list, but they always have a tag, e.g. `docker.io/library/httpd:latest` so they won't match the name without a tag. Fix it by:
- defaulting to the `latest` tag a bit earlier (before fetching the image list)
- using repo + ':' + tag as the string to match to always have the tag in the name to compare
support low kernel versions which do not support raw tracepoints
Signed-off-by: jundizhou <[email protected]>
* fix wrong cpu runqueue latency
  Signed-off-by: sanyangji <[email protected]>
* fix wrong logic for focus events
  Signed-off-by: sanyangji <[email protected]>
* remove useless codes and add comments
  Signed-off-by: sanyangji <[email protected]>
* remove useless codes
  Signed-off-by: sanyangji <[email protected]>
* update comments
  Signed-off-by: sanyangji <[email protected]>
* refactor codes for cpu analysis
  Signed-off-by: sanyangji <[email protected]>
* fix wrong time
  Signed-off-by: sanyangji <[email protected]>
* refactor
  Signed-off-by: sanyangji <[email protected]>
---------
Signed-off-by: sanyangji <[email protected]>
* add sendmmsg eBPF support
  Signed-off-by: sanyangji <[email protected]>
* add sendmmsg kernel module support
  Signed-off-by: sanyangji <[email protected]>
* fix
  Signed-off-by: sanyangji <[email protected]>
* ignore incompatible-pointer-types-discards-qualifiers
  Signed-off-by: sanyangji <[email protected]>
* fix data overwrite
  Signed-off-by: sanyangji <[email protected]>
---------
Signed-off-by: sanyangji <[email protected]>
Signed-off-by: sanyangji <[email protected]>
* init workflow of driver build
* add workflow for drivers build
  Signed-off-by: sanyangji <[email protected]>
* support workflow_dispatch trigger
  Signed-off-by: sanyangji <[email protected]>
* refactor by action
  Signed-off-by: sanyangji <[email protected]>
* add build mode to avoid race
  Signed-off-by: sanyangji <[email protected]>
* remove directory prefix
  Signed-off-by: sanyangji <[email protected]>
* separate package and check part from action.yml
  Signed-off-by: sanyangji <[email protected]>
* add checklist for test
  Signed-off-by: sanyangji <[email protected]>
* optimize build test
  Signed-off-by: sanyangji <[email protected]>
---------
Signed-off-by: sanyangji <[email protected]>
Signed-off-by: jundizhou <[email protected]>
* test
  Signed-off-by: jundizhou <[email protected]>
* add delete
  Signed-off-by: jundizhou <[email protected]>
---------
Signed-off-by: jundizhou <[email protected]>
Signed-off-by: jundizhou <[email protected]>
Signed-off-by: jundizhou <[email protected]>
Signed-off-by: jundizhou <[email protected]>
Signed-off-by: Daxin Wang <[email protected]>
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: dxsup. The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO. Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff:
I understand the commands that are listed here.
Welcome @dxsup! It looks like this is your first PR to falcosecurity/libs 🎉
Adding label
Please double check driver/API_VERSION file. See versioning. /hold
No description provided.