Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: fix container edge case in events pipeline #3253

Merged
merged 1 commit into from Jun 21, 2023
Merged

fix: fix container edge case in events pipeline #3253

merged 1 commit into from Jun 21, 2023

Conversation

geyslan
Copy link
Member

@geyslan geyslan commented Jun 19, 2023
edited

1. Explain what the PR does

Fix: #3251

3ddc2a2 fix: Fix containerStarted flag in decode stage (2023/jun/19) Geyslan Gregório <geyslan@gmail.com>

This commit addresses an issue where an empty container ID was observed
while the containerStarted flag was set to true. Since it is not
possible to have knowledge of a started container without its ID,
this behavior is considered an edge case, potentially caused by a race
condition. The fix involves modifying the decode stage to set the
containerStarted flag to false whenever an empty container ID is found.

This ensures that the flag accurately reflects the event's container
status and resolves the inconsistency observed in the issue #3251.

2. Explain how to test it

3. Other comments

@geyslan geyslan requested a review from yanivagman June 19, 2023 17:25
@geyslan geyslan self-assigned this Jun 19, 2023
NDStrahilevitz
NDStrahilevitz reviewed Jun 20, 2023
View reviewed changes
Copy link
Collaborator

@NDStrahilevitz NDStrahilevitz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we could add a short description in the commit instead referring to the issue. While the race condition case is rather complex to describe, the additional condition here is very simple to explain as a sanity check.

pkg/ebpf/events_pipeline.go Show resolved Hide resolved
@geyslan
fix: Fix containerStarted flag in decode stage
3ddc2a2 
This commit addresses an issue where an empty container ID was observed
while the containerStarted flag was set to true. Since it is not
possible to have knowledge of a started container without its ID,
this behavior is considered an edge case, potentially caused by a race
condition. The fix involves modifying the decode stage to set the
containerStarted flag to false whenever an empty container ID is found.

This ensures that the flag accurately reflects the event's container
status and resolves the inconsistency observed in the issue aquasecurity#3251.
yanivagman
yanivagman approved these changes Jun 21, 2023
View reviewed changes
Copy link
Collaborator

@yanivagman yanivagman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@NDStrahilevitz NDStrahilevitz removed their request for review June 21, 2023 10:37
@geyslan geyslan merged commit 90d4fdf into aquasecurity:main Jun 21, 2023
25 checks passed
NDStrahilevitz pushed a commit to NDStrahilevitz/tracee that referenced this pull request Jul 3, 2023
@geyslan @NDStrahilevitz
fix: containerStarted flag race in decode stage (aquasecurity#3253)
a50a169 
This commit addresses an issue where an empty container ID was observed
while the containerStarted flag was set to true. Since it is not
possible to have knowledge of a started container without its ID,
this behavior is considered an edge case, potentially caused by a race
condition. The fix involves modifying the decode stage to set the
containerStarted flag to false whenever an empty container ID is found.

This ensures that the flag accurately reflects the event's container
status and resolves the inconsistency observed in the issue aquasecurity#3251.
@geyslan geyslan deleted the 3251-container-cgroup branch July 31, 2023 22:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NDStrahilevitz NDStrahilevitz NDStrahilevitz left review comments

@yanivagman yanivagman yanivagman approved these changes

Assignees

@geyslan geyslan

Labels
area/ebpf backport/v0.17.0 kind/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

containerId and containerStarted flag does not match
3 participants
@geyslan @yanivagman @NDStrahilevitz