Recently running & actively running process events output at startup #1209
Comments
|
Thanks for the report!Could you please provide some examples of events that you 'd expect to be matched by the filter rules but are not? |
|
Also, how are you gathering the events? Are you using the |
|
ahh, upon closer inspection I think I see what is going on. the events I was looking at weren't filtered events, they were actually valid events. it looks like when tetragon starts up it prints out the |
Cheers! Another way to distinguish these events is to check for "proc" in the flags field (since these events are generated form /proc). |
|
thanks @kkourt ok, getting closer, many of them are As best I can tell these https://github.com/cilium/tetragon/blob/main/pkg/api/flags.go#L69-L75 execve clone event{
"process_exec": {
"process": {
"exec_id": "Ym00NToyNzk3Mjc4NTQ4MzAyMTk2OjE2MDY2Njg=",
"pid": 1606668,
"uid": 100,
"cwd": "/home/user/server",
"binary": "/usr/bin/chmod",
"arguments": "755 /tmp/sqlite-3.7.2-libsqlitejdbc.so",
"flags": "execve clone",
"start_time": "2023-07-17T00:33:10.815357493Z",
"auid": 4294967295,
"pod": {
"namespace": "game",
"name": "game-i-64aa20c54055f4ac2c902a9d",
"container": {
"id": "containerd://d9620432962d2f6e20c1622736631c0f2ca7dd97b7e322a763d6dabfc7d2291b",
"name": "instance",
"image": {
"id": "x",
"name": "x"
},
"start_time": "2023-07-17T00:32:56Z",
"pid": 190
},
"pod_labels": {
"app": "game-instance"
}
},
"docker": "d9620432962d2f6e20c1622736631c0",
"parent_exec_id": "Ym00NToyNzk3MjY5NjI3MTc3MTM2OjE2MDM5ODU=",
"cap": {},
"ns": {
"uts": {
"inum": 4026537567
},
"ipc": {
"inum": 4026537568
},
"mnt": {
"inum": 4026537570
},
"pid": {
"inum": 4026537571
},
"pid_for_children": {
"inum": 4026537571
},
"net": {
"inum": 4026536499
},
"time": {
"inum": 4026531834,
"is_host": true
},
"time_for_children": {
"inum": 4026531834,
"is_host": true
},
"cgroup": {
"inum": 4026537610
},
"user": {
"inum": 4026531837,
"is_host": true
}
},
"tid": 1606668
},
},
"node_name": "zm45",
"time": "2023-07-17T00:33:10.815357303Z"
}
|
rayjanoka
changed the title
The |
|
hmm, I'm not currently receiving the If I restart tetragon in succession, on startup it will keep telling me about the same old I guess the old data is just buffered somewhere in bpf land? It looks like I'll have to either check the thanks! |
|
Hi,
If you start Tetraragon multiple times, you will get the events from proc (the ones with the |
|
These aren't proc though, they are |
How are you retrieving those events? |
|
Just from the k8s logs on startup, I get a few of these from each node. For instance, if I restart tetragon on this node now, Aug 29 05:31:56 UTC 2023, then on startup of the new pod I get this event from back on Aug 27 19:54:13 UTC 2023 (over a day old). |
|
I think export-stdout just tails a file in the export directory, and this file is shared across multiple instances of the tetragon pod. So I believe what you are seeing is expected. |
|
ahhh I see it uses a Ok, adding export:
stdout:
commandOverride:
- sh
argsOverride:
- -c
- tail -n 0 -q -F /var/run/cilium/tetragon/tetragon.log 2> /dev/null |
rayjanoka
changed the title
rayjanoka
changed the title
Is there an existing issue for this?
What happened?
For a few seconds after I restart my tetragon daemonSet I always get a bunch of events for things that I have set to be filtered out via the
exportDenyList.We have a lot of activity in the cluster (monitoring 5k pods across 70 nodes w/tetra) and normal executions are filtered out, but when I restart the ds I get a flood of events that should have been filtered out. A few seconds after the tetragon startup I stop receiving the excess events and the deny filters work as expected.
Tetragon Version
0.9.0 & 0.10.0-pre.2
Kernel Version
5.19.0-43-generic
Kubernetes Version
1.26.4
Bugtool
No response
Relevant log output
Anything else?
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: