Add support to exclude valid processes from dump processCache
When running ./tetra dump processcache we can get all processes in the
user-space process cache. Out of these, we can use --skip-zero-refcnt to
exclude processes with refCnt equal to 0. These are processes that will
be removed from the processCache soon.

Out of these processes with refCnt not equal to 0, most of them are
normal running processes that also exist in the execve_map.

This patch adds another command line option
--exclude-execve-map-processes that excludes processes that exist in the
execve_map.

The remaining processes (if any) possibly have an error in the reference
counting.

Signed-off-by: Anastasios Papagiannis <[email protected]>
tpapagian committed Sep 24, 2024
1 parent 8ba0a0a commit 7e4b379
Showing 10 changed files with 577 additions and 514 deletions.
1 change: 1 addition & 0 deletions api/v1/README.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

354 changes: 183 additions & 171 deletions api/v1/tetragon/sensors.pb.go

Large diffs are not rendered by default.

1 change: 1 addition & 0 deletions api/v1/tetragon/sensors.proto
Expand Up @@ -145,6 +145,7 @@ enum LogLevel {

message DumpProcessCacheReqArgs {
bool skip_zero_refcnt = 1;
bool exclude_execve_map_processes = 2;
}

message ProcessInternal {
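Review bot: The new field `exclude_execve_map_processes = 2` in `DumpProcessCacheReqArgs` is added without a comment, and this message feeds the generated gRPC reference that the same commit touches (docs/content/en/docs/reference/grpc-api.md). A one-line comment on the field stating that it drops entries whose PID is present in the execve_map would carry into the generated docs. Tag 2 is not previously used in the visible message, so older clients that leave it unset get the existing behaviour.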
5 changes: 4 additions & 1 deletion cmd/tetra/dump/dump.go
Expand Up @@ -107,6 +107,7 @@ func dumpExecveMap(fname string) {

func dumpProcessCache() *cobra.Command {
skipZeroRefcnt := false
excludeExecveMapProcesses := false
var maxCallRecvMsgSize int

ret := &cobra.Command{
Expand All @@ -125,7 +126,8 @@ func dumpProcessCache() *cobra.Command {
Flag: tetragon.ConfigFlag_CONFIG_FLAG_DUMP_PROCESS_CACHE,
Arg: &tetragon.GetDebugRequest_Dump{
Dump: &tetragon.DumpProcessCacheReqArgs{
SkipZeroRefcnt: skipZeroRefcnt,
SkipZeroRefcnt: skipZeroRefcnt,
ExcludeExecveMapProcesses: excludeExecveMapProcesses,
},
},
}
Expand All @@ -152,6 +154,7 @@ func dumpProcessCache() *cobra.Command {

flags := ret.Flags()
flags.BoolVar(&skipZeroRefcnt, "skip-zero-refcnt", skipZeroRefcnt, "skip entries with zero refcnt")
flags.BoolVar(&excludeExecveMapProcesses, "exclude-execve-map-processes", excludeExecveMapProcesses, "exclude processes that also exist in the execve_map")
flags.IntVar(&maxCallRecvMsgSize, "max-recv-size", 4194304, "The maximum message size in bytes the client can receive. Default is gRPC 4MB default.")

return ret
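Review bot: The help text for `--exclude-execve-map-processes` says what is filtered but not why someone would use it. The commit message explains that whatever remains after this filter may have a reference-counting error, and that it builds on `--skip-zero-refcnt`; putting that in the flag description (for example "exclude processes that also exist in the execve_map; remaining entries may indicate a refcnt error") would make the option self-explanatory from `--help`.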

1 change: 1 addition & 0 deletions docs/content/en/docs/reference/grpc-api.md


19 changes: 19 additions & 0 deletions pkg/process/cache.go
Expand Up @@ -5,11 +5,15 @@ package process

import (
"fmt"
"path/filepath"
"sync/atomic"
"time"

"github.com/cilium/ebpf"
"github.com/cilium/tetragon/api/v1/tetragon"
"github.com/cilium/tetragon/pkg/defaults"
"github.com/cilium/tetragon/pkg/logger"
"github.com/cilium/tetragon/pkg/sensors/exec/execvemap"
lru "github.com/hashicorp/golang-lru/v2"
"google.golang.org/protobuf/types/known/wrapperspb"
)
Expand Down Expand Up @@ -196,11 +200,26 @@ func (pc *Cache) len() int {
}

func (pc *Cache) dump(opts *tetragon.DumpProcessCacheReqArgs) []*tetragon.ProcessInternal {
execveMapPath := filepath.Join(defaults.DefaultMapRoot, defaults.DefaultMapPrefix, "execve_map")
execveMap, err := ebpf.LoadPinnedMap(execveMapPath, &ebpf.LoadPinOptions{ReadOnly: true})
if err != nil {
logger.GetLogger().WithError(err).Warn("failed to open execve_map")
return []*tetragon.ProcessInternal{}
}
defer execveMap.Close()

var processes []*tetragon.ProcessInternal
for _, v := range pc.cache.Values() {
if opts.SkipZeroRefcnt && v.refcnt == 0 {
continue
}
if opts.ExcludeExecveMapProcesses {
var val execvemap.ExecveValue
if err := execveMap.Lookup(&execvemap.ExecveKey{Pid: v.process.Pid.Value}, &val); err == nil {
// pid exists in the execve_map, so skip this process
continue
}
}
processes = append(processes, &tetragon.ProcessInternal{
Process: v.process,
Refcnt: &wrapperspb.UInt32Value{Value: v.refcnt},
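Review bot: In `dump()`, `ebpf.LoadPinnedMap` runs before the loop regardless of `opts.ExcludeExecveMapProcesses`, and on error the function returns an empty slice. A plain dump, or one with only `SkipZeroRefcnt`, now depends on the pinned execve_map being openable, and the caller cannot tell "map failed to open" from "cache is empty" because the failure is only logged as a warning. Suggest opening the map inside an `if opts.ExcludeExecveMapProcesses` guard so the existing paths are unaffected. Separately, the `err == nil` test on `execveMap.Lookup` treats every lookup failure as "not in the map", so an unrelated lookup error would list a healthy process as a refcount suspect; checking `errors.Is(err, ebpf.ErrKeyNotExist)` before including the entry, and logging any other error, would keep the output trustworthy. The cache snapshot and the map lookups are also not atomic, so a process that exits in between can appear in the result; a short comment saying so would help whoever interprets the output.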
354 changes: 183 additions & 171 deletions vendor/github.com/cilium/tetragon/api/v1/tetragon/sensors.pb.go

