
Add cwd to fork and ctty to exit. #197

Merged
merged 1 commit into from
Jul 2, 2024

Conversation

haesbaert

This unifies what fork+exec+exit outputs once and for all. cwd cannot be gathered on exit as it's already gone by the time we try to fetch it.

@haesbaert haesbaert requested a review from a team as a code owner July 1, 2024 07:56

@nicholasberlin nicholasberlin left a comment


Code LGTM, CI is failing though. Perhaps unrelated?

@haesbaert

> Code LGTM, CI is failing though. Perhaps unrelated?

Yeah, I don't think it's related; I've seen this flapping in other diffs as well.

haesbaert added a commit to elastic/quark that referenced this pull request Jul 1, 2024
This diff unifies the tracking of task_struct{} across all probes and ebpf
events. We now update ~all task_struct values everywhere we can.

Now exit and exec embed a raw_task{} into their own raw_type and functions that
operate solely on raw_task{} have been unified so we stop repeating code.

TASK_SAMPLE takes a parameter for register as maybe we will have to track from
another register in the future

Now samples can include TASK_SAMPLE, like exec_connector does. This creates an
issue as before we were creating the wire protocol carefully aligned by making
sure it's all ordered 64->32->16->8 and so on. If we place TASK_SAMPLE in the
beginning of the sample, we might end up unaligned, but if we add it in the end,
then a task_sample stops being standalone as it defines `probe_ip` like all
other samples.

We solve this by defining an aligned/non-padded task_sample, and we enforce this
via #pragma forbidden magic. Luckily it is aligned in its current state, if we
add more members in the future, we may manually pad it with additional members.

We also start getting ppid from the wire instead of hardcoding it, that's
because ppid might change either when a process daemonizes or when docker is
doing its magic to start a container, which can change ppid multiple times via
PR_SET_CHILD_SUBREAPER blood magic. See issue #43.

This PR is pending on the merge of elastic/ebpf#197
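As an added illustration of the alignment concern the commit message raises (this is not code from elastic/ebpf or elastic/quark; every struct and field name below is hypothetical), the following shows how a wire sample ordered 64->32->16->8 can be guarded at compile time against implicit padding, and how keeping its size a multiple of 8 lets it be embedded first without misaligning the `probe_ip` that follows:

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical task sample, members ordered 64 -> 32 -> 16 -> 8 so the
 * compiler never inserts padding; reserved[] is manual padding that keeps
 * the total size a multiple of 8. */
struct task_sample {
    uint64_t start_time_ns;
    uint64_t cgroup_id;
    uint32_t pid;
    uint32_t ppid;
    uint32_t uid;
    uint32_t gid;
    uint16_t cwd_len;
    uint16_t comm_len;
    uint8_t  state;
    uint8_t  flags;
    uint8_t  reserved[2];
};
/* Byte-for-byte size the struct should occupy on the wire (40). */
#define TASK_SAMPLE_WIRE_SIZE (8 + 8 + 4 * 4 + 2 * 2 + 1 + 1 + 2)

/* Build fails if the compiler padded the struct, or if its size is not a
 * multiple of 8 (that would misalign a 64-bit field placed right after it). */
_Static_assert(sizeof(struct task_sample) == TASK_SAMPLE_WIRE_SIZE,
               "task_sample has implicit padding");
_Static_assert(TASK_SAMPLE_WIRE_SIZE % 8 == 0,
               "task_sample must be padded to a multiple of 8");

/* Hypothetical exec sample that embeds task_sample first; probe_ip must
 * follow immediately and stay 8-byte aligned. */
struct exec_sample {
    struct task_sample task;
    uint64_t probe_ip;
    uint32_t argv_len;
    uint32_t envp_len;
};
_Static_assert(offsetof(struct exec_sample, probe_ip) == TASK_SAMPLE_WIRE_SIZE,
               "padding inserted before probe_ip");
_Static_assert(sizeof(struct exec_sample) == TASK_SAMPLE_WIRE_SIZE + 8 + 4 + 4,
               "exec_sample has implicit padding");

/* Runtime mirrors of the static checks, so they can be exercised by a test. */
int wire_layout_ok(void)
{
    return sizeof(struct task_sample) == TASK_SAMPLE_WIRE_SIZE
        && offsetof(struct exec_sample, probe_ip) % 8 == 0
        && sizeof(struct exec_sample) == TASK_SAMPLE_WIRE_SIZE + 16;
}
size_t probe_ip_offset(void) { return offsetof(struct exec_sample, probe_ip); }
```

Adding a member that breaks the 64->32->16->8 order, or dropping the reserved bytes, makes the build fail instead of silently shifting every field the userspace reader expects.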
@haesbaert haesbaert merged commit ba15ef6 into main Jul 2, 2024
24 of 26 checks passed
@haesbaert haesbaert deleted the cwd-ctty branch July 2, 2024 05:43