Process ID for linked binaries
Hey,
I'm new to Tetragon and I've been experimenting with it for some time. I've seen an unexpected behaviour which I don't know if it's from Tetragon, eBPF, or the kernel itself.
So, I'm running an Alpine Linux container in a Kubernetes cluster which is being monitored by Tetragon. When I run the /bin/sh using kubectl, Tetragon gives me a process exec event with a PID. Note that in Alpine Linux, /bin/sh is indeed a link to /bin/busybox.
The first issue is that when I look into the /proc directory on the host where the container runs, I don't see the PID Tetragon gave me; instead, I see a different PID that runs /bin/busybox (its /proc/<pid>/exe is /bin/busybox and its /proc/<pid>/cmdline is /bin/sh).
The second issue is that when the shell process exits, Tetragon gives me a process exit event with the same PID it gave for the process exec event (which doesn't exist in the /proc).
I would really appreciate it if anyone could shed some light on this behaviour.
Thanks
Hello, sorry we skipped this issue it seems:
Tetragon is running on the host PID namespace so the PID you should see is the actual PID of the host. However, containers run in separate PID namespaces. So when you say "when I look into the /proc directory on the host where the container runs, I don't see the PID Tetragon gave me", are you sure you are running on the host PID namespace?
> that runs /bin/busybox (its /proc/<pid>/exe is /bin/busybox and its /proc/<pid>/cmdline is /bin/sh).
This is logical given how busybox works.
However, if you think you were in the correct PID namespace and can provide a reproducer, we'll surely take a look.
Hi,
I had a hostPath volume mounted from /proc to a directory in an Alpine container and observed this issue, so the PID is indeed in the host namespace.
Here is how you can reproduce this issue; given your k8s default namespace is being monitored by Tetragon, you just apply the manifest below, which spins up an Alpine container with the /proc of the host being mounted to /hostProc in the container. Then if you run kubectl exec -it pod/test-pod -- sh you should get a Tetragon process exec event with the PID of P1 that is running the /bin/sh binary. However, if you look into the /hostProc you won't find /hostProc/<P1>. Instead, you find another PID, let's say P2, that is running the /bin/busybox process.
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
    - name: test-container
      image: alpine:3.15
      command: ["sleep", "1000"]
      volumeMounts:
        - mountPath: /hostProc
          name: host-proc
  volumes:
    - name: host-proc
      hostPath:
        path: /proc
        type: Directory
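
The PID-namespace question raised in the reply above can be checked from a mounted procfs: the NSpid line of /proc/<pid>/status lists a process's PID in every PID namespace it belongs to, outermost first. The script below is an added example, not part of the thread and not Tetragon code; the function name find_pid is hypothetical, and /hostProc is the mount path from the reproducer.

```shell
#!/bin/sh
# Added example, not from the thread. PROC_ROOT is any procfs mount, for
# instance the /hostProc hostPath mount from the reproducer (an assumption).

# find_pid PROC_ROOT PID
# For every process under PROC_ROOT whose NSpid line contains PID, print:
#   proc_pid=<dir name> level=<N> nspid=<a,b,...> exe=<link target>
# level 0 means PID is the number used by PROC_ROOT itself; a higher level
# means PID is that process's number inside a nested PID namespace.
find_pid() {
    root=$1
    want=$2
    for status in "$root"/[0-9]*/status; do
        [ -r "$status" ] || continue      # process exited or glob matched nothing
        dir=${status%/status}
        hit=$(awk -v want="$want" '
            $1 == "NSpid:" {
                list = $2
                for (i = 3; i <= NF; i++) list = list "," $i
                for (i = 2; i <= NF; i++)
                    if ($i == want) {
                        print "level=" (i - 2) " nspid=" list
                        exit              # report the outermost match only
                    }
            }' "$status")
        [ -n "$hit" ] || continue
        # exe may be unreadable without privileges; fall back to "?"
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe="?"
        echo "proc_pid=${dir##*/} $hit exe=$exe"
    done
}

# Run against a real mount when called with two arguments, e.g.:
#   sh find_pid.sh /hostProc 12345
if [ "$#" -eq 2 ]; then
    find_pid "$1" "$2"
fi
```

A match at level 0 means the number is a PID in the namespace of that procfs mount; a match only at a higher level means it is a PID as seen inside a nested (container) namespace.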