Spurious cctrace errors with long command lines #9

Open
phsmenon opened this issue Dec 14, 2018 · 3 comments
Labels
bug Something isn't working

Comments

@phsmenon
Contributor

For long command lines, cctrace appears to see/check only the first 4095 characters or so. This seems to be causing bogus "missing argument" errors. For example, see the error on line 978 in the attached log file; the command line appears to be cut off towards the end.

When I build with fewer flags (which causes the command line to shrink somewhat), the error seems to go away.

I built the variant set based on the latest VGT and the postgres ATD included with it. For reference, I have attached the cctrace policy file I used as well as the build and command logs.

cctrace-postgres-with-long-line-error.log

variant-21-logs-and-policy.zip

@thedataking thedataking added the bug Something isn't working label Dec 15, 2018
@thedataking
Collaborator

thedataking commented Dec 15, 2018

Thanks for the detailed bug report @phsmenon! It seems like you are building with -j32, so it is possible that the sysdig kernel ring buffer can't keep up or maybe we're not processing them fast enough in userland. As far as I understand, sysdig is geared toward production use, meaning that they will drop events rather than slowing down the system being monitored.

Would it be easy for you to try a build with the full set of flags but with less parallelism?

@phsmenon
Contributor Author

I tried the build with no parallelism, but it seems to exhibit the same behavior. I have attached the cctrace logs as well as the build logs.

Let me know if you want me to try anything else.

cctrace-postgres-with-long-line-error-2.log

variant-21-logs-and-policy.zip

@thedataking
Collaborator

I can reproduce the issue using a small, single-threaded test script. It looks like we're hitting a sysdig limitation. According to this issue, sysdig does not handle arguments longer than one page size.
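
Added example, not part of the thread and not cctrace's own code: a guard that keeps a policy checker from reporting a "missing argument" when the captured command line has reached the one-page limit described above. The event shape (`pid`, `args`), the function names and the `/proc/<pid>/cmdline` re-read are assumptions made for illustration.

```python
import os

# Assumption: the capture limit is one memory page, per the sysdig limitation
# cited in the thread; fall back to 4096 where sysconf is unavailable.
try:
    PAGE_SIZE = os.sysconf("SC_PAGE_SIZE")
except (AttributeError, ValueError, OSError):
    PAGE_SIZE = 4096

def captured_size(args):
    """Bytes the argument list occupies with one NUL terminator per argument."""
    return sum(len(a.encode("utf-8", "surrogateescape")) + 1 for a in args)

def likely_truncated(args, page_size=PAGE_SIZE, slack=1):
    """True when the captured arguments fill the page, so the tail may be lost."""
    return captured_size(args) >= page_size - slack

def full_cmdline(pid):
    """Re-read argv from /proc while the process still exists, else None."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            raw = f.read()
    except OSError:
        return None
    if not raw:
        return None
    return [p.decode("utf-8", "surrogateescape") for p in raw.rstrip(b"\0").split(b"\0")]

def classify(event, missing, page_size=PAGE_SIZE):
    """event: {'pid', 'args'} (hypothetical shape); missing: required flags not seen."""
    if not missing:
        return "ok"
    if not likely_truncated(event["args"], page_size):
        return "violation"
    live = full_cmdline(event["pid"])
    if live is None:
        return "inconclusive"  # capture hit the limit and argv cannot be re-read
    return "violation" if any(m not in live for m in missing) else "ok"

if __name__ == "__main__":
    # Constructed sample: a long compiler invocation cut at 4095 bytes.
    full = ["gcc"] + ["-I/inc/dir%03d" % i for i in range(400)] + ["-fPIC"]
    cut = "\0".join(full)[:4095].split("\0")
    print(classify({"pid": -1, "args": cut}, ["-fPIC"], 4096))      # inconclusive
    print(classify({"pid": -1, "args": ["gcc", "-c"]}, ["-fPIC"], 4096))  # violation
```

Reporting "inconclusive" separately lets a build log distinguish a real policy violation from a capture that simply ran out of room.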
