libs
libs copied to clipboard
falcosecurity
fix(libscap): cgroupv2 path discovery with empty cgroup2 mountpoint
What type of PR is this?
Uncomment one (or more)
/kind <>lines:
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
Any specific area of the project related to this PR?
Uncomment one (or more)
/area <>lines:
/area API-version
/area build
/area CI
/area driver-kmod
/area driver-bpf
/area driver-modern-bpf
/area libscap-engine-bpf
/area libscap-engine-gvisor
/area libscap-engine-kmod
/area libscap-engine-modern-bpf
/area libscap-engine-nodriver
/area libscap-engine-noop
/area libscap-engine-source-plugin
/area libscap-engine-savefile
/area libscap
/area libpman
/area libsinsp
/area tests
/area proposals
Does this PR require a change in the driver versions?
/version driver-API-version-major
/version driver-API-version-minor
/version driver-API-version-patch
/version driver-SCHEMA-version-major
/version driver-SCHEMA-version-minor
/version driver-SCHEMA-version-patch
What this PR does / why we need it:
The cgroup v2 path detection logic breaks when a mountpoint of type cgroup2 with no controllers is present. This issue has been observed on nodes of a RKE cluster (version 1.4.3).
[root@ip-172-31-58-203 /]# mount | grep "type cgroup2"
cgroup on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
none on /host/run/calico/cgroup type cgroup2 (rw,relatime,nsdelegate,memory_recursiveprot)
cgroup on /host/var/lib/docker/overlay2/eeb2a1f2ac65e8311bd2c3b3badeb3134968b81b0710a5d3ab9456b4d05d8cc7/merged/sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
none on /host/var/lib/docker/overlay2/eeb2a1f2ac65e8311bd2c3b3badeb3134968b81b0710a5d3ab9456b4d05d8cc7/merged/host/run/calico/cgroup type cgroup2 (rw,relatime,nsdelegate,memory_recursiveprot)
cgroup2 on /host/sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot)
none on /host/var/run/calico/cgroup type cgroup2 (rw,relatime,nsdelegate,memory_recursiveprot)
[root@ip-172-31-58-203 /]# ls -alh /host/var/run/calico/cgroup
total 0
This mount is created by a calico init container.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
NONE
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
Perf diff from master - unit tests
0.50% +0.32% [.] sinsp_evt::get_syscall_return_value
3.89% +0.29% [.] sinsp_thread_manager::find_thread
5.07% -0.28% [.] sinsp_parser::reset
2.13% +0.26% [.] sinsp_evt::load_params
1.57% -0.25% [.] user_group_updater::~user_group_updater
2.54% -0.22% [.] gzfile_read
6.48% +0.21% [.] sinsp::next
1.19% +0.18% [.] std::_Hashtable<long, std::pair<long const, std::shared_ptr<sinsp_threadinfo> >, std::allocator<std::pair<long const, std::shared_ptr<sinsp_threadinfo> > >, std::__detail::_Select1st, std::equal_to<long>, std::hash<long>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_find_before_node
0.88% -0.18% [.] sinsp::fetch_next_event
0.99% +0.17% [.] std::_Hashtable<unsigned long, std::pair<unsigned long const, std::shared_ptr<ppm_evt_hdr> >, std::allocator<std::pair<unsigned long const, std::shared_ptr<ppm_evt_hdr> > >, std::__detail::_Select1st, std::equal_to<unsigned long>, std::hash<unsigned long>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_find_before_node
Heap diff from master - unit tests
peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B
Heap diff from master - scap file
peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B
Benchmarks diff from master
Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark Time CPU Time Old Time New CPU Old CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean +0.3952 +0.3951 148 206 148 206
BM_sinsp_split_median +0.3979 +0.3978 148 206 148 206
BM_sinsp_split_stddev +0.2334 +0.2178 1 1 1 1
BM_sinsp_split_cv -0.1159 -0.1271 0 0 0 0
BM_sinsp_concatenate_paths_relative_path_mean +0.1322 +0.1322 56 63 56 63
BM_sinsp_concatenate_paths_relative_path_median +0.1301 +0.1300 56 63 56 63
BM_sinsp_concatenate_paths_relative_path_stddev +0.2262 +0.2273 0 0 0 0
BM_sinsp_concatenate_paths_relative_path_cv +0.0830 +0.0840 0 0 0 0
BM_sinsp_concatenate_paths_empty_path_mean +0.0028 +0.0028 25 25 25 25
BM_sinsp_concatenate_paths_empty_path_median +0.0033 +0.0032 25 25 25 25
BM_sinsp_concatenate_paths_empty_path_stddev -0.3714 -0.3702 0 0 0 0
BM_sinsp_concatenate_paths_empty_path_cv -0.3732 -0.3720 0 0 0 0
BM_sinsp_concatenate_paths_absolute_path_mean +0.1075 +0.1075 59 65 59 65
BM_sinsp_concatenate_paths_absolute_path_median +0.1024 +0.1023 59 65 59 65
BM_sinsp_concatenate_paths_absolute_path_stddev -0.3093 -0.3092 1 1 1 1
BM_sinsp_concatenate_paths_absolute_path_cv -0.3764 -0.3763 0 0 0 0
Codecov Report
:white_check_mark: All modified and coverable lines are covered by tests.
:white_check_mark: Project coverage is 78.12%. Comparing base (6279e22) to head (f486461).
:warning: Report is 28 commits behind head on master.
Additional details and impacted files
@@ Coverage Diff @@
## master #2404 +/- ##
==========================================
- Coverage 78.17% 78.12% -0.05%
==========================================
Files 298 298
Lines 32087 32088 +1
Branches 4691 4697 +6
==========================================
- Hits 25083 25069 -14
- Misses 7004 7019 +15
| Flag | Coverage Δ | |
|---|---|---|
| libsinsp | 78.12% <ø> (-0.05%) |
:arrow_down: |
Flags with carried forward coverage won't be shown. Click here to find out more.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
:rocket: New features to boost your workflow:
- :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
![codecov[bot] avatar](https://avatars.githubusercontent.com/in/254?v=4 "Published by a pub.dev verified publisher"){kind=small}
This issue relates https://github.com/falcosecurity/libs/pull/1921, which looks like a tentative or partial fix.
LGTM label has been added.
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ekoops, irozzo-1A
The full list of commands accepted by this bot can be found here.
The pull request process is described here
- ~~OWNERS~~ [ekoops]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
