Filter ebpf events earlier (#357)

stackrox · Sep 10, 2020 · 8658383 · 8658383
1 parent 7ba7565
commit 8658383
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/.circleci/envbuilder.sh b/.circleci/envbuilder.sh
@@ -65,6 +65,7 @@ installDockerOnRHELViaGCPSSH() {
   local GCP_SSH_KEY_FILE="$1"
   shift
 
+  ssh-keygen -f "/home/circleci/.ssh/google_compute_known_hosts" -R "compute.$(gcloud compute instances describe $GCP_VM_NAME --format='get(id)')"
   gcloud compute ssh --ssh-key-file="${GCP_SSH_KEY_FILE}" "$GCP_VM_NAME" --command "sudo yum install -y yum-utils device-mapper-persistent-data lvm2"
   gcloud compute ssh --ssh-key-file="${GCP_SSH_KEY_FILE}" "$GCP_VM_NAME" --command "sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo"
   # using skip-broken and nobest for rhel-8 (https://linuxconfig.org/how-to-install-docker-in-rhel-8)
@@ -88,10 +89,10 @@ gcpSSHReady() {
   local GCP_SSH_KEY_FILE="$1"
   shift
 
-  local retryCount=5
+  local retryCount=6
   for _ in $(seq 1 $retryCount ); do
-    gcloud compute ssh --ssh-key-file="${GCP_SSH_KEY_FILE}" "${GCP_VM_USER}@${GCP_VM_NAME}" --command "whoami" \
-      && exitCode=0 && break || exitCode=$? && sleep 10
+    gcloud compute ssh --strict-host-key-checking=no --ssh-key-file="${GCP_SSH_KEY_FILE}" "${GCP_VM_USER}@${GCP_VM_NAME}" --command "whoami" \
+      && exitCode=0 && break || exitCode=$? && sleep 15
   done
   return $exitCode
 }

diff --git a/collector/lib/SysdigService.cpp b/collector/lib/SysdigService.cpp
@@ -131,6 +131,9 @@ sinsp_evt* SysdigService::GetNext() {
 
   if (event->get_category() & EC_INTERNAL) return nullptr;
 
+  // TODO (rc) not needed when syscall filtering implemented in the eBPF probe
+  if (useEbpf && !global_event_filter_[event->get_type()]) return nullptr;
+
   userspace_stats_.event_parse_micros[event->get_type()] += (NowMicros() - parse_start);
   ++userspace_stats_.nUserspaceEvents[event->get_type()];
 
@@ -268,6 +271,7 @@ void SysdigService::AddSignalHandler(std::unique_ptr<SignalHandler> signal_handl
     for (const auto& event_name : relevant_events) {
       for (ppm_event_type event_id : event_names.GetEventIDs(event_name)) {
         event_filter.set(event_id);
+        global_event_filter_.set(event_id);
       }
     }
   }

diff --git a/collector/lib/SysdigService.h b/collector/lib/SysdigService.h
@@ -87,6 +87,7 @@ class SysdigService : public Sysdig {
   std::unique_ptr<sinsp_chisel> chisel_;
   std::vector<SignalHandlerEntry> signal_handlers_;
   SysdigStats userspace_stats_;
+  std::bitset<PPM_EVENT_MAX> global_event_filter_;
 
   std::unordered_map<string, ChiselCacheStatus> chisel_cache_;
   bool use_chisel_cache_;