update: in nodriver mode, avoid loading proc, users and interfaces related informations #122
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: FedeDP The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Hi @FedeDP. Thanks for your PR. I'm waiting for a falcosecurity member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/ok-to-test
Don't you still want the initial process/user/interface lists in nodriver mode? I'm not sure I understand why we would not want them.
What's the use for that? I mean, is there any particular use case where we want that in nodriver mode? EDIT: surely I can be missing a piece there :)
… loading proc, users and interfaces related informations. Signed-off-by: Federico Di Pierro <[email protected]>
11f87d3 to a70dd4a
I thought nodriver mode still attempted to get a reconstructed view of the world and a minimal set of events that could be written to a capture file. (I don't remember the details). Do you know?
As
when opening the scap file. With the implementation, all of these will be empty (except for machine_info possibly).
IE: we are already avoiding dumping initial world for plugins; this is what we need to do not only for plugins, but whenever internal event source (ie: syscalls) is disabled.
One big difference between nodriver mode and plugin mode is that when in plugin mode, the only events and state are within the plugin. All of libsinsp is effectively disabled. That's not true for nodriver mode, where the goal is to still obtain process and thread level state of the system. Let me get more familiar with nodriver mode and then comment more.
I double-checked and nodriver mode depends on reading this info from /proc, so I think if the goal is to come up with a "light" mode that allowed only k8s audit logs and no syscalls, we should come up with another mode/solution, perhaps at the falco level instead of the libs level, to fix this.
I think that when (if?) k8s audit logs will become a plugin, the issue will be fixed in any case; it's ok for me to close this PR and wait for a proper plugin implementation.
Closing because nodriver mode still needs a system view.
This reverts commit 35d80de. It was probably causing some container runtime tests to fail.
* Revert "Revert "Merge upstream pr 688 (falcosecurity#121)" (falcosecurity#122)"

  This reverts commit c8dbbf3. This adds the fix back. I'll test with an agent PR that updates/removes the tests.

* Add the ability to "defer" an async lookup

  In some cases, the "server" code running run_impl might want to retry its work until later. The current version can't do that--once a key is dequeued using deque_next_key, it has to call store_value or lose the request.

  To make retries easier, add a method defer_lookup that pushes the key (and optional value) back onto the request queue with a configurable delay. After delay, the key will be pulled again with a call to dequeue_next_key().

  Signed-off-by: Mark Stemm <[email protected]>

* Use defer_lookup for container info retry instead of lookup_delayed

  When the container async lookup class wants to retry a lookup, the current version tries to use lookup_delayed to initiate a new request. It turns out that that doesn't work--if there's already an existing request in m_value_map, it assumes that the "server" doing run_impl will eventually return an answer, and doesn't add a request to the queue.

  The solution is to use the newly added lookup_delayed instead, which pushes the request back onto the queue with a short delay.

  Signed-off-by: Mark Stemm <[email protected]>

* Use a separate max_wait_ms instead of re-using s_cri_timeout

  Now that timeouts are working, it may take several seconds for subsequent retries to complete. However, s_cri_timeout (typically 1 second) was being used for the max_wait_ms in cri_async_source. That would mean that a lookup would expire before the server side had retried the lookup.

  The solution is to use a separate 10 second max_wait_ms, which matches docker.

  Signed-off-by: Mark Stemm <[email protected]>

Signed-off-by: Mark Stemm <[email protected]>
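The retry problem described in the commit message above, as a simplified single-threaded model. This is an added example, not code from libsinsp or from the commit. Only the names `lookup_delayed`, `defer_lookup`, `dequeue_next_key`, `store_value` and `m_value_map` come from the page; their signatures, the class `async_lookup_model`, the logical clock and the `retry_resolves` scenario are assumptions.

```cpp
#include <map>
#include <string>

// Simplified single-threaded model with a logical clock in ms (not libsinsp code).
class async_lookup_model {
public:
    // Client side: queue a request unless one for this key is already pending.
    bool lookup_delayed(const std::string& key, long now, long delay_ms) {
        if (m_value_map.count(key)) return false;  // pending: nothing is queued
        m_value_map[key] = "";                     // empty string = no answer yet
        m_queue.emplace(now + delay_ms, key);
        return true;
    }
    // Server side: hand a dequeued key back so it comes out again after delay_ms.
    void defer_lookup(const std::string& key, long now, long delay_ms) {
        m_queue.emplace(now + delay_ms, key);
    }
    // Server side: pop the next key whose due time has passed, if any.
    bool dequeue_next_key(long now, std::string& key) {
        auto it = m_queue.begin();
        if (it == m_queue.end() || it->first > now) return false;
        key = it->second;
        m_queue.erase(it);
        return true;
    }
    void store_value(const std::string& key, const std::string& v) { m_value_map[key] = v; }
    bool resolved(const std::string& key) const {
        auto it = m_value_map.find(key);
        return it != m_value_map.end() && !it->second.empty();
    }
private:
    std::map<std::string, std::string> m_value_map;  // key -> result
    std::multimap<long, std::string> m_queue;        // due time -> key
};

// Constructed scenario: the first attempt for "c1" fails, a retry 500 ms later works.
bool retry_resolves(bool use_defer) {
    async_lookup_model q;
    q.lookup_delayed("c1", 0, 0);
    std::string key;
    int attempts = 0;
    for (long now = 0; now <= 1000; now += 100) {
        if (!q.dequeue_next_key(now, key)) continue;
        if (attempts++ > 0) q.store_value(key, "container-info");
        else if (use_defer) q.defer_lookup(key, now, 500);
        else q.lookup_delayed(key, now, 500);  // no-op: key is still in m_value_map
    }
    return q.resolved("c1");
}
```

With `use_defer` set to false the key is never handed out a second time, so the request stays pending until the caller's wait expires.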
Signed-off-by: Federico Di Pierro [email protected]
What type of PR is this?
/kind cleanup
Any specific area of the project related to this PR?
/area libscap
/area libsinsp
What this PR does / why we need it:
In nodriver mode, skip loading proc, users and interfaces related information as all event sources will be system-external.
Which issue(s) this PR fixes:
Possibly: falcosecurity/falco#1757
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: