Merging to falco-master for 0.6.0 #797
Merged
Conversation
* mac build (not tested)
* linux build and run
* Done
  - add blocking connect/init mode to k8s
  - sysdig connect and init are blocking now (faster startup)
  - move k8s http to 1.1 to utilize keepalive
  - fixed chunk purging bug
  - reuse state socket for watch (no disconnect after state fetch)
  Todo
  - improve handler receive error handling
  - test https
  - blocking resolve
* watch redirection fix
* fix watch transition; detect http 1.1 watch emission end and reconnect promptly; fix jq filter order bug
* fix mac build
* fix linux compile error; add docker flag to handler
* windows build
* fix race condition when no data on first attempt; make k8s default http 1.1
* fix blocking read
* Update ppm.h: Added support for s390x
* Update ppm.h: re-committing changes related to s390x
This reverts commit bf7ae5a.
* Update ppm.h: Added support for s390x
* Update ppm.h: re-committing changes related to s390x
Otherwise, with `cmake -DCMAKE_BUILD_TYPE=Debug -DUSE_BUNDLED_OPENSSL=OFF ..` one gets

```
[ 96%] Linking CXX executable csysdig
[ 97%] Linking CXX executable sysdig
/usr/bin/ld: ../libsinsp/libsinsp.a(k8s_handler.cpp.o): undefined reference to symbol 'SSL_CTX_use_PrivateKey_file'
/usr/lib/libssl.so.1.0.0: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[2]: *** [userspace/sysdig/CMakeFiles/csysdig.dir/build.make:131: userspace/sysdig/csysdig] Error 1
make[1]: *** [CMakeFiles/Makefile2:275: userspace/sysdig/CMakeFiles/csysdig.dir/all] Error 2
make[1]: *** Waiting for unfinished jobs....
/usr/bin/ld: ../libsinsp/libsinsp.a(k8s_handler.cpp.o): undefined reference to symbol 'SSL_CTX_use_PrivateKey_file'
/usr/lib/libssl.so.1.0.0: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status
make[2]: *** [userspace/sysdig/CMakeFiles/sysdig.dir/build.make:129: userspace/sysdig/sysdig] Error 1
make[1]: *** [CMakeFiles/Makefile2:323: userspace/sysdig/CMakeFiles/sysdig.dir/all] Error 2
make: *** [Makefile:139: all] Error 2
```

This is because linking to libssl and libcrypto is not done (after find_package in CMakeLists.txt) when using the system libraries. Also, fix the curl ssl dependency.

sysdig-CLA-1.0-signed-off-by: Raghavendra Prabhu <me@rdprabhu.com>
- fix transition from non-chunked to chunked k8s handler
- change active k8s handler filter from reference to pointer
- remove unnecessary socket handler docker flag
- early terminate k8s blocking request loop on JSON end detect
- increase k8s blocking loop sleep to 10ms
- fix some logs
added checks for unused macros on s390x

sysdig-CLA-1.0-signed-off-by: Ketan Kunde <ketan22584@gmail.com>
When parsing clone exit events, specifically for the child half of a clone and when in a container, detect and potentially remove stale threadinfo state for the child thread. Generally the client half of a clone is responsible for creating the thread state for the new thread, as long as the parent is in a container. See the parent half of the "if(childtid == 0)" statement. We simply need to verify in the child half that the parent really was in a container. You can find the parent thread id from the syscall return information, which is moved up from below. Look up the parent thread and see if its vtid/vpid differs from tid/pid. If so, any existing thread state must be stale, so remove it. Note that you can't use evt->m_tinfo->get_parent_thread() directly, as that comes from the existing, potentially stale threadinfo. This fixes #664.
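The stale-state check described in that commit, as an added example that is not sysdig's own code: a minimal model of the child half of a clone exit. The `threadinfo` struct, the `thread_table` map and the function names are hypothetical; the parent is looked up from the table by the tid taken from the syscall return, never through the child's existing entry, and a clone into a new process is assumed (CLONE_THREAD handling is omitted).

```cpp
// Added example, not sysdig's own code: a minimal model of the child-half clone-exit
// logic. threadinfo, thread_table and the function names are hypothetical.
#include <cstdint>
#include <cstdio>
#include <map>

struct threadinfo {
    int64_t tid;   // thread id as seen by the host
    int64_t pid;   // process id as seen by the host
    int64_t vtid;  // thread id as seen inside the container's pid namespace
    int64_t vpid;  // process id as seen inside the container's pid namespace
    int64_t ptid;  // parent thread id
    // A thread whose namespace-visible ids differ from its host ids lives in a container
    bool in_container() const { return vtid != tid || vpid != pid; }
};

using thread_table = std::map<int64_t, threadinfo>;

// Child half of a clone exit. parent_tid comes from the syscall return information, so the
// parent is looked up directly in the table rather than through the child's own (possibly
// stale) entry. Returns true when a stale entry recorded under child_tid was dropped.
bool purge_stale_child_state(thread_table& table, int64_t child_tid, int64_t parent_tid) {
    auto parent = table.find(parent_tid);
    if (parent == table.end() || !parent->second.in_container()) {
        return false;  // parent not in a container: keep whatever state already exists
    }
    // Parent is in a container, so the parent half owns creation of the child's state;
    // anything already recorded under child_tid is left over from an earlier thread
    // that had the same tid (tids get reused by the kernel).
    return table.erase(child_tid) > 0;
}

// Simplified child-half handling: drop stale state, then record the new thread as a child
// of parent_tid. Treated as a new process for brevity (no CLONE_THREAD handling).
const threadinfo& on_clone_child_exit(thread_table& table, int64_t child_tid, int64_t parent_tid,
                                      int64_t child_vtid, int64_t child_vpid) {
    purge_stale_child_state(table, child_tid, parent_tid);
    auto it = table.find(child_tid);
    if (it == table.end()) {
        threadinfo ti;
        ti.tid = child_tid;
        ti.pid = child_tid;
        ti.vtid = child_vtid;
        ti.vpid = child_vpid;
        ti.ptid = parent_tid;
        it = table.emplace(child_tid, ti).first;
    }
    return it->second;
}

int main() {
    thread_table table;
    // Constructed scenario: a containerized parent (host tid 100, vtid 1) clones, and the
    // kernel hands out tid 200, for which a stale entry pointing at an unrelated parent
    // (tid 999) is still in the table.
    table[100] = threadinfo{100, 100, 1, 1, 50};
    table[200] = threadinfo{200, 200, 200, 200, 999};
    const threadinfo& child = on_clone_child_exit(table, 200, 100, 7, 7);
    std::printf("tid %lld -> parent %lld, vtid %lld (stale state replaced)\n",
                (long long)child.tid, (long long)child.ptid, (long long)child.vtid);
    return 0;
}
```

When the parent is not in a container the function leaves existing state alone, which is the case the commit says the parent half does not own; only the combination of a containerized parent and a pre-existing entry under the child's tid triggers the purge.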
…ble in 4.8 (torvalds/linux@47be618). When forking a new process, inherit the cwd from the parent.
Support DC/OS token auth and HTTPS on Mesos
* add timeout to urlopen operations
* add timeout to download operations
* retry download max 10 times
Signed-off-by: Riccardo Schirone <sirmy15@gmail.com>
This reverts commit a5a89eb.
* Whitespace diffs. Committing separate from other changes.
* Add a caching event formatter. New object sinsp_evt_formatter_cache manages a set of sinsp_evt_formatter objects. It avoids the overhead of recreating sinsp_evt_formatter objects for each event. We'll use this initially in falco, and probably other places later.
On reset(), delete m_callbaks if it exists.
…log level for not found deleted entities to debug
userspace/libsinsp: allow copy elision of temporary objects
userspace/libsinsp: do not use arrays as pointers
userspace/libsinsp: remove unused field
userspace/libscap: remove unused function warning
Add <functional> so references to std::function have a definition.
This reverts commit 91da239.
This reverts commit 2bfb57b.
This reverts commit ec4eba7.
…or due to overwritten completed flag (#791)
* minor friendliness changes
* minor refactorings
* few more event listeners
* listener callback for clone()
* merge dev
* some inlining
* small interface change
* the set_output_format chisel API call now supports base64 and jsonbase64
* calculate a simple hash for each process that falco can use
* minor typo
* save container IP with the right endianness
* improve local address detection by matching against the full list of container addresses
* falco process hash includes the arguments if the process is a scripting language
* extract the image ID from the docker API
* save/load the container ID from trace files
* fix a merge issue
* Add container image id filtercheck. (#661) Add support for displaying container image ids via the filtercheck container.image.id. Only supported for docker containers right now.
* minor changes required by the agent
* compile error
* some logging for debugging purposes
* a bit more debug info
* a bit more debug info
* a bit more debug info
* a bit more debug info
* a bit more debug info
* a bit more debug info
* more debug info
* more debug info
* debug info fix
* decrease container verbosity
* more debug info
* dump to memory functionality implemented
* proper support for tracers in memory dumps
* bugfix: potential buffer underrun
* fixed a bug when converting sinsp IPv6 FDs to scap
* compression experiments
* cleanups
* cleanups
* fix a comment
* a couple of helper functions for memory dumps
* don't restart event numbering when reading merged captures + FD initialization bugfix
* remove some logging
* small changes to support memory dumping
* dump a circular capture file when a command is run in the cassandra container
* cleanups
* a bit of infrastructure for a notification event
* notification event type
* apply the filter in the successive segments of a merged capture only if there actually is a filter
* temporarily enable dump of any execve
* some debug info
* less aggressive logging
* Restore scap_savefile
* heuristic to determine if a thread is part of a shell pipe
* fixes to the pipe detection heuristic
* propagate bash pipe flags in the execve parser
* a couple of helper functions
* make sure the analyzer thread info is accessed only if available
* EOLs
* cleanups
* cleanups
* removed an unused variable
* Start building standalone falco kernel modules. falcosecurity/falco#215 pointed out a problem with compatibility between latest sysdig kernel module and falco 0.5.0. The (newer) driver had different events than falco was expecting, causing a crash. To fix this, I'm changing falco to package its own driver. It was already building its own driver, but the remaining changes are to change the device name from sysdig to falco, module falco-probe, etc. These changes will allow for automatically building the falco-probe kernel module on a variety of kernel platforms and running sysdig-probe-loader (under the name falco-probe-loader) to get a module as needed. While doing this, merge the nearly identical build_{falco,sysdig,sysdigcloud} functions into build_probe. It now does the work of checking out the right code based on the PROBE_* variables, runs make driver from the main code repository, and verifies it can be loaded.
* Add autoconf for falco builds. The falco builds need autoconf so add it to the set of installed yum packages.
* Extract tty from /proc + kernel
* typo
* Proper include for 2.6.32
* A couple more initializations
Should only be a bunch of whitespace changes.
sysdig-CLA-1.0-signed-off-by: Jan Bölsche <jan@lagomorph.de>
Merging dev to falco-master for 0.6.0