[CWS] improve netns resolver close operations (#25806)

* correctly purge network namespaces * also flush namespaces
DataDog · May 23, 2024 · 05da53a · 05da53a
1 parent 8304093
commit 05da53a
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 9 deletions.
diff --git a/pkg/security/resolvers/netns/resolver.go b/pkg/security/resolvers/netns/resolver.go
@@ -413,6 +413,17 @@ func (nr *Resolver) Start(ctx context.Context) error {
 	return nil
 }
 
+func (nr *Resolver) manualFlushNamespaces() {
+	probesCount := nr.tcResolver.FlushInactiveProbes(nr.manager, nr.IsLazyDeletionInterface)
+
+	// There is a possible race condition if we lose all network device creations but do notice the new network
+	// namespace: we will create a handle that will never be flushed by `nr.probe.flushInactiveNamespaces()`.
+	// To detect this race, compute the list of namespaces that are in cache, but for which we do not have any
+	// device. Defer a snapshot process for each of those namespaces, and delete them if the snapshot yields
+	// no new device.
+	nr.preventNetworkNamespaceDrift(probesCount)
+}
+
 func (nr *Resolver) flushNamespaces(ctx context.Context) {
 	ticker := time.NewTicker(flushNamespacesPeriod)
 	defer ticker.Stop()
@@ -422,14 +433,7 @@ func (nr *Resolver) flushNamespaces(ctx context.Context) {
 		case <-ctx.Done():
 			return
 		case <-ticker.C:
-			probesCount := nr.tcResolver.FlushInactiveProbes(nr.manager, nr.IsLazyDeletionInterface)
-
-			// There is a possible race condition if we lose all network device creations but do notice the new network
-			// namespace: we will create a handle that will never be flushed by `nr.probe.flushInactiveNamespaces()`.
-			// To detect this race, compute the list of namespaces that are in cache, but for which we do not have any
-			// device. Defer a snapshot process for each of those namespaces, and delete them if the snapshot yields
-			// no new device.
-			nr.preventNetworkNamespaceDrift(probesCount)
+			nr.manualFlushNamespaces()
 		}
 	}
 }
@@ -547,6 +551,16 @@ func (nr *Resolver) SendStats() error {
 	return nil
 }
 
+// Close closes this resolver and frees all the resources
+func (nr *Resolver) Close() {
+	if nr.networkNamespaces != nil {
+		nr.Lock()
+		nr.networkNamespaces.Purge()
+		nr.Unlock()
+	}
+	nr.manualFlushNamespaces()
+}
+
 func newTmpFile(prefix string) (*os.File, error) {
 	f, err := os.CreateTemp("/tmp", prefix)
 	if err != nil {

diff --git a/pkg/security/resolvers/resolvers_ebpf.go b/pkg/security/resolvers/resolvers_ebpf.go
@@ -285,6 +285,14 @@ func (r *EBPFResolvers) snapshot() error {
 
 // Close cleans up any underlying resolver that requires a cleanup
 func (r *EBPFResolvers) Close() error {
+	// clean up the handles in netns resolver
+	r.NamespaceResolver.Close()
+
 	// clean up the dentry resolver eRPC segment
-	return r.DentryResolver.Close()
+	if err := r.DentryResolver.Close(); err != nil {
+		fmt.Println(err)
+		return err
+	}
+
+	return nil
 }