libs icon indicating copy to clipboard operation
libs copied to clipboard
verified publisher icon falcosecurity

FixTheCompatibilityIssueWithCgroupv2

Open seraphGod opened this issue 1 year ago • 4 comments

Fix the issue of cgroup subsystem controller files not being present when Calico is present

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area libscap

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-SCHEMA-version-major

What this PR does / why we need it: Environmental: K8s installed, there is calico present The system information is as follows PRETTY_NAME="Ubuntu 22.04.3 LTS" NAME="Ubuntu" VERSION_ID="22.04" VERSION="22.04.3 LTS (Jammy Jellyfish)" VERSION_CODENAME=jammy ID=ubuntu ID_LIKE=debian

There will be no files in the/proc/1/root/run/calico/cgroup/directory

Will cause the following fd issues 06-19 05:30:06.012043 total threads in the table:86, total fds in all threads:0

Add a check on the existence of the cgroup subsystem controller file to skip parsing the file and solve the problem

Which issue(s) this PR fixes:

Fixes # Fix the error in the absence of subsystem controller files in cgroupv2 under Ubuntu environment, which prevents the collection of fd thread information

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

seraphGod avatar Jun 19 '24 05:06 seraphGod

Welcome @seraphGod! It looks like this is your first PR to falcosecurity/libs 🎉

poiana avatar Jun 19 '24 05:06 poiana

Perf diff from master - unit tests

    12.79%     -1.69%  [.] sinsp_parser::reset
     0.67%     +1.16%  [.] scap_event_decode_params
     3.59%     -0.80%  [.] std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release
     8.10%     -0.71%  [.] sinsp::next
     3.27%     -0.68%  [.] sinsp_evt::load_params
     4.14%     +0.65%  [.] sinsp_parser::process_event
     4.01%     +0.65%  [.] sinsp_thread_manager::get_thread_ref
     0.88%     -0.60%  [.] sinsp_filter_check::parse_field_name
     1.47%     -0.52%  [.] libsinsp::events::names_to_event_set
     7.02%     +0.51%  [.] next

Perf diff from master - scap file

    13.70%     -6.94%  [.] libsinsp::runc::match_container_id
    13.88%     -6.74%  [.] sinsp_filter_check::extract
    10.55%     +5.72%  [.] sinsp_filter_check_event::extract_single
    10.23%     -4.17%  [.] gzfile_read
    10.23%     -3.95%  [.] sinsp_filter_check_thread::extract_single
    10.48%     -2.18%  [.] sinsp::next
    10.16%     +1.94%  [.] sinsp_evt_formatter::tostring_withformat
     3.53%     +1.31%  [.] sinsp_parser::process_event
     3.54%     +1.19%  [.] sinsp_parser::reset
     3.54%     -0.77%  [.] formatted_dump

github-actions[bot] avatar Jun 21 '24 07:06 github-actions[bot]

Perf CI / perf-libs-linux-amd64 (pull_request) Failing after 5m

Please don't look at this failure :) i am still playing around trying to improve thresholds!

FedeDP avatar Jun 25 '24 06:06 FedeDP

@gnosek would you be able to review this PR? Thanks!

incertum avatar Aug 08 '24 06:08 incertum

Thanks for the patch! :) the v1/v2 cgroup situation is a mess. I hoped I handled all the cases but reality always finds a way to prove me wrong.

Can you provide the output of a few commands (outside any container)?

# see what cgroup mounts are there
grep cgroup /proc/mounts

# list the cgroup-specific directory (is it v1 or v2?)
ls /run/calico/cgroup/directory

# same for the top level (does the controllers file exist there? are there any subsystems mounted?)
ls /run/calico/cgroup

# check the controllers at the top level
# (there really should be some in there, unless it's a mixed v1/v2 setup where all the v2 controllers are disabled)
# (but even then, I'd expect an empty file to exist)
cat /run/calico/cgroup/cgroup.controllers

If this is a v2 mount, the controllers file should exist. If it doesn't for whatever reason, and the cgroup really doesn't have any controllers, then your patch is fine.

On the other hand, I'm slightly worried we're picking up a v1 mount as v2, so I'd rather verify that before I rubberstamp the PR.

gnosek avatar Aug 08 '24 06:08 gnosek

cat /run/calico/cgroup/cgroup.controllers

D89157C6-1D17-43F7-BDD0-C5CA9A6521C7 Is this the information? @gnosek

seraphGod avatar Aug 08 '24 06:08 seraphGod

Yes, thank you! So it looks like two v2 mounts, one of them completely controllerless. Your patch is probably the right thing to do in this case.

/approve

gnosek avatar Aug 08 '24 07:08 gnosek

LGTM label has been added.

Git tree hash: cb60a3046a4571415ef616736125466d1530b894

poiana avatar Aug 08 '24 15:08 poiana

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, gnosek, incertum, seraphGod

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • ~~OWNERS~~ [Andreagit97,gnosek,incertum]

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

poiana avatar Aug 08 '24 16:08 poiana