Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: include ancestors in process events #2938

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: include ancestors in process events #2938

wants to merge 3 commits into from

Conversation

t0x01
Copy link

@t0x01 t0x01 commented Sep 19, 2024

Fixes 2420

Description

Reason: Option to include all ancestors of the process in process events can be very useful for observability and filtering purposes. E.g. to apply complex correlation rules later in data processing pipeline, or to filter out extra events.

Changes made:

  • Read and set option enable-process-ancestors from the config file. Turn option enable-process-ancestors off by default.
  • If option enable-process-ancestors is set, try to include ancestors (up to PID 1/PID 2) of the process beyond the immediate parent in process_exec, process_exit, process_uprobe, process_kprobe, process_lsm, process_tracepoint events in a respective protobuf message for the given process.
  • If option enable-process-ancestors is set and there was an error when trying to include process' ancestors in the protobuf message, add the event to eventcache for reprocessing.
  • When trying to reprocess events from eventcache, if option enable-process-ancestors is set and Ancestors is nil, try to include process' ancestors again.
  • Implement a new export filter that can filter over ancestor binary names using RE2 regular expressions.
  • Add a new test for the new export filter.
  • Add information about new features to documentation.

@t0x01 t0x01 requested review from a team and mtardy as code owners September 19, 2024 14:51
@netlify Netlify
Copy link

netlify bot commented Sep 19, 2024
edited
Loading

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit 558ee86
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/6707a122b8747a000801963b
😎 Deploy Preview https://deploy-preview-2938--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@mtardy mtardy added the release-note/major This PR introduces major new functionality label Sep 23, 2024
@t0x01
Copy link
Author

t0x01 commented Sep 26, 2024
edited
Loading

Hello.

Upd: found even more problems, converting back to draft for now.

@jrfastab
Copy link
Contributor

I'll look shortly sorry was travelling and then catching up. Should be able to get to this today or tomorrow thanks!

@t0x01 t0x01 marked this pull request as draft October 7, 2024 13:15
@t0x01
feat: Allow to include process' ancestors in events
b37d983 
Allow to include ancestors of the process beyond the immediate parent (up to PID 1 / PID 2) in process_exec, process_exit, process_uprobe, process_kprobe, process_lsm, process_tracepoint events via `--enable-process-ancestors` option. Turn `--enable-process-ancestors` option off by default.

Signed-off-by: t0x01 <[email protected]>
@t0x01
filters: Implement ancestor binary export filter
08d0e22 
Implement a new export filter that can filter over ancestor binary names using RE2 regular expressions.

Signed-off-by: t0x01 <[email protected]>
@t0x01
docs: Add ancestors and ancestor filter information
558ee86 
Add information about ancestors, ancestor filter and ancestors related metrics to documentation.

Signed-off-by: t0x01 <[email protected]>
@t0x01 t0x01 marked this pull request as ready for review October 10, 2024 10:13
@t0x01
Copy link
Author

t0x01 commented Oct 10, 2024

I think i misunderstood the purpose of both MsgProcessCleanupEventUnix and refcnt initially, so i no longer call RefInc / RefDec for ancestors. Sorry for that.

So now there seems to be no real reason to return []*ProcessInternal in GetAncestorProcessesInternal instead of []*tetragon.Process. And, if i change that, it will solve the double loop problem as well. But i'm not sure if i should actually do that, because returning []*ProcessInternal may be beneficial in the future for reasons i don't yet see.

And there is still inconsistency in the ancestors field's value across protobuf messages in api/v1/tetragon/tetragon.proto and vendor/github.com/cilium/tetragon/api/v1/tetragon/tetragon.proto. I'm still not sure how to properly handle that.

@jrfastab, may I ask you for a code review now? Sorry for the delay.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mtardy mtardy Awaiting requested review from mtardy mtardy is a code owner

@jrfastab jrfastab Awaiting requested review from jrfastab

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
release-note/major This PR introduces major new functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Tetragon is not showing process exec ancestors
3 participants
@t0x01 @jrfastab @mtardy