Recently running & actively running process events output at startup #1209
Comments
Thanks for the report! Could you please provide some examples of events that you'd expect to be matched by the filter rules but are not?

Also, how are you gathering the events? Are you using the

ahh, upon closer inspection I think I see what is going on. The events I was looking at weren't filtered events, they were actually valid events. It looks like when tetragon starts up it prints out the

Cheers! Another way to distinguish these events is to check for "proc" in the flags field (since these events are generated from /proc).
thanks @kkourt ok, getting closer, many of them are As best I can tell these https://github.com/cilium/tetragon/blob/main/pkg/api/flags.go#L69-L75 execve clone event

```json
{
  "process_exec": {
    "process": {
      "exec_id": "Ym00NToyNzk3Mjc4NTQ4MzAyMTk2OjE2MDY2Njg=",
      "pid": 1606668,
      "uid": 100,
      "cwd": "/home/user/server",
      "binary": "/usr/bin/chmod",
      "arguments": "755 /tmp/sqlite-3.7.2-libsqlitejdbc.so",
      "flags": "execve clone",
      "start_time": "2023-07-17T00:33:10.815357493Z",
      "auid": 4294967295,
      "pod": {
        "namespace": "game",
        "name": "game-i-64aa20c54055f4ac2c902a9d",
        "container": {
          "id": "containerd://d9620432962d2f6e20c1622736631c0f2ca7dd97b7e322a763d6dabfc7d2291b",
          "name": "instance",
          "image": { "id": "x", "name": "x" },
          "start_time": "2023-07-17T00:32:56Z",
          "pid": 190
        },
        "pod_labels": { "app": "game-instance" }
      },
      "docker": "d9620432962d2f6e20c1622736631c0",
      "parent_exec_id": "Ym00NToyNzk3MjY5NjI3MTc3MTM2OjE2MDM5ODU=",
      "cap": {},
      "ns": {
        "uts": { "inum": 4026537567 },
        "ipc": { "inum": 4026537568 },
        "mnt": { "inum": 4026537570 },
        "pid": { "inum": 4026537571 },
        "pid_for_children": { "inum": 4026537571 },
        "net": { "inum": 4026536499 },
        "time": { "inum": 4026531834, "is_host": true },
        "time_for_children": { "inum": 4026531834, "is_host": true },
        "cgroup": { "inum": 4026537610 },
        "user": { "inum": 4026531837, "is_host": true }
      },
      "tid": 1606668
    }
  },
  "node_name": "zm45",
  "time": "2023-07-17T00:33:10.815357303Z"
}
```

The

hmm, I'm not currently receiving the If I restart tetragon in succession, on startup it will keep telling me about the same old I guess the old data is just buffered somewhere in bpf land? It looks like I'll have to either check the thanks!
Hi,
If you start Tetragon multiple times, you will get the events from proc (the ones with the

These aren't proc though, they are

How are you retrieving those events?
Just from the k8s logs on startup, I get a few of these from each node. For instance, if I restart tetragon on this node now, Aug 29 05:31:56 UTC 2023, then on startup of the new pod I get this event from back on Aug 27 19:54:13 UTC 2023 (over a day old).
I think export-stdout just tails a file in the export directory, and this file is shared across multiple instances of the tetragon pod. So I believe what you are seeing is expected.
ahhh I see it uses a Ok, adding

```yaml
export:
  stdout:
    commandOverride:
      - sh
    argsOverride:
      - -c
      - tail -n 0 -q -F /var/run/cilium/tetragon/tetragon.log 2> /dev/null
```
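As an added example (not code from the issue or from the Tetragon project), here is a small Python filter that applies the two checks discussed in this thread to exported JSON lines: it marks events whose `flags` carry a "proc" token (populated from /proc when the agent starts) and events whose `time` predates the agent's own start (replayed from the shared export file that `export-stdout` tails). The sample lines, the agent start time and the constructed flag value `procFS` are assumptions made for the example; only the event shape follows the `process_exec` event quoted above.

```python
import json
from datetime import datetime, timezone


def parse_rfc3339(ts):
    """Parse a Tetragon timestamp (optional nanosecond fraction, trailing Z) into aware UTC."""
    if ts.endswith("Z"):
        ts = ts[:-1]
    base, _, frac = ts.partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0  # datetime stores microseconds, truncate ns
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)


def event_process(ev):
    """Return the inner process object of a process_* export event (exec, exit, kprobe, ...)."""
    key = next(k for k in ev if k.startswith("process_"))
    return ev[key]["process"]


def is_proc_event(ev):
    """True when the event was built from /proc at startup: a flags token contains 'proc'."""
    flags = event_process(ev).get("flags", "").split()
    return any("proc" in f for f in flags)


def is_stale(ev, agent_start):
    """True when the event predates this agent instance, i.e. it was replayed from the export file."""
    return parse_rfc3339(ev["time"]) < agent_start


def classify_line(line, agent_start):
    """Return (pid, label) with label one of 'stale', 'proc', 'live'."""
    ev = json.loads(line)
    pid = event_process(ev)["pid"]
    if is_stale(ev, agent_start):
        return pid, "stale"
    if is_proc_event(ev):
        return pid, "proc"
    return pid, "live"


def classify_lines(lines, agent_start):
    return [classify_line(line, agent_start) for line in lines if line.strip()]


# Constructed sample: the agent was restarted at this instant (assumption for the example).
AGENT_START = parse_rfc3339("2023-08-29T05:31:56Z")

# Constructed export lines, shortened to the fields the checks use.
SAMPLE_LINES = [
    # live execve seen after the restart
    '{"process_exec": {"process": {"pid": 1606668, "binary": "/usr/bin/chmod", '
    '"flags": "execve clone", "start_time": "2023-08-29T05:32:01.000000000Z"}}, '
    '"node_name": "zm45", "time": "2023-08-29T05:32:01.000000000Z"}',
    # already-running process discovered from /proc at startup (flag value assumed)
    '{"process_exec": {"process": {"pid": 4242, "binary": "/usr/bin/server", '
    '"flags": "procFS", "start_time": "2023-08-27T20:10:00.000000000Z"}}, '
    '"node_name": "zm45", "time": "2023-08-29T05:31:56.500000000Z"}',
    # old line re-read from the shared export file, from before the restart
    '{"process_exec": {"process": {"pid": 9001, "binary": "/usr/bin/chmod", '
    '"flags": "execve clone", "start_time": "2023-08-27T19:54:13.000000000Z"}}, '
    '"node_name": "zm45", "time": "2023-08-27T19:54:13.000000000Z"}',
]

if __name__ == "__main__":
    for pid, label in classify_lines(SAMPLE_LINES, AGENT_START):
        print(pid, label)
```

In a real deployment the agent start time would come from the pod's own start (or simply `datetime.now(timezone.utc)` at filter start-up), and the lines from the tailed export file; the "stale" class is exactly what `tail -n 0` suppresses, while "proc" events are legitimate and only need separate handling if your deny list is meant to cover already-running processes.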
Is there an existing issue for this?
What happened?
For a few seconds after I restart my tetragon DaemonSet I always get a bunch of events for things that I have set to be filtered out via the exportDenyList. We have a lot of activity in the cluster (monitoring 5k pods across 70 nodes w/tetra) and normal executions are filtered out, but when I restart the ds I get a flood of events that should have been filtered out. A few seconds after the tetragon startup I stop receiving the excess events and the deny filters work as expected.
Tetragon Version
0.9.0 & 0.10.0-pre.2
Kernel Version
5.19.0-43-generic
Kubernetes Version
1.26.4
Bugtool
No response
Relevant log output
Anything else?
No response
Code of Conduct