-
Notifications
You must be signed in to change notification settings - Fork 160
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolve falcosecurity/libs#932, use /proc/stat/ btime for boot time and /proc/1/cmdline for container start time #1003
Resolve falcosecurity/libs#932, use /proc/stat/ btime for boot time and /proc/1/cmdline for container start time #1003
Conversation
Welcome @happy-dude! It looks like this is your first PR to falcosecurity/libs 🎉 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM apart from one minor nit :)
Thank you for this! |
/cc @incertum too :) |
d0c4661
to
bf2eaf3
Compare
/milestone 0.11.0 |
I'll create a build internally with this patch and see if it fixes the incorrect-timestamp issue on all systems Falco is deployed on and validate this further 👍 |
@happy-dude thanks a lot for this patch, who would have thought, never surprised, always amazed! Perhaps we could patch below cases as well in this PR?
@gnosek and @FedeDP would you agree on adopting a consistent new approach? |
I was about to note that a few test builds didn't fix the issue on my hosts 😅 BUT @incertum may have caught the missing pieces, so I'll create a build and see what it looks like from there! |
bf2eaf3
to
7cb22d6
Compare
An aside -- I'm not the best with git magic -- how do I give co-author credit to @incertum for her suggestions? |
Unfortunate news: The change didn't fix the timestamp on my nodes; it's possible that Changing this PR to (WIP) while we discuss further in the #932 |
sad ... yes let's investigate further in the ticket and try a few options
git commit -s -> opens your editor, just add the line below above or below your signed off line or you could also append it via another git command, up to you, you can find the emails of any of us in a previous commit of the person Co-authored-by: Melissa Kilby melissa.kilby.oss@gmail.com |
f9f1c7a
to
6e3f981
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you @happy-dude also for adding the amazing comments. Pulled it and checked it. Times make sense on my end.
Perhaps @gnosek and @FedeDP you would have some other style preferences when parsing /proc/stat? Let's see.
Stanley could you test it once again on all your test servers just to be sure all issues are resolved?
e752913
to
61ec61a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, except maybe the /proc/stat reading code (I left a comment, take it or leave it :))
snprintf(filename, sizeof(filename), "%sroot/proc/1", procdirname); | ||
if(stat(filename, &targetstat) == 0) | ||
snprintf(proc_cmdline_pidns, sizeof(proc_cmdline_pidns), "%sroot/proc/1/cmdline", procdirname); | ||
if(stat(proc_cmdline_pidns, &targetstat) == 0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a note: with this implementation, the "container start time" for host processes will not be equal to the boot time but (presumably) to the time when the host init started.
I am completely fine with this (and it does make sense), just pointing this out since we spent the whole Friday discussing the subtle differences of various timestamps :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks; added a comment block in the latest commit + rebase! Please let me know if I missed anything.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with you @gnosek - but we can also polish this in a follow up PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gnosek hmmm having problems with if (tinfo->vpid != tinfo->pid)
to ever evaluate to true even when placing the check after those fields should have been parsed. Then also never got to else if(strstr(line, "NStgid:") == line)
in scap_proc_fill_info_from_stats
, so in summary yes it should be a follow up PR, something with that parser seems wonky as well!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@incertum can you show me the code?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just place that comparison if statement anywhere after vpid should have been populated or even add print or debug statements within that scap_proc_fill_info_from_stats parser, it never evaluated to true for me even though I was running containers etc with sleep processes. Is it working for you?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
61ec61a
to
df08144
Compare
Just made a fresh commit + rebase!
Request: I'll make a fresh build with this PR and evaluate the change on my systems; this should help me confirm if this fixes the boot time issue. However, can I get an assist evaluating the container-start-time change and ensuring those timestamps are correct/accurate as expected? |
b8d8f2a
to
99614d1
Compare
99614d1
to
a73f55a
Compare
…on time See falcosecurity#932 for more context Change occurrences of `/proc/1` to `/proc/1/cmdline` in * userspace/libscap/linux/scap_procs.c * userspace/libscap/scap.c Previous: ```c snprintf(proc_dir, sizeof(proc_dir), "%s/proc/1/", scap_get_host_root()); ``` This PR: ```c snprintf(proc_cmdline, sizeof(proc_cmdline), "%s/proc/1/cmdline", scap_get_host_root()); ``` Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Signed-off-by: Stanley Chan <pocketgamer5000@gmail.com>
429a640
to
c804f94
Compare
Get boot time from btime value in /proc/stat ref: falcosecurity#932 /proc/uptime and btime in /proc/stat are fed by the same kernel sources. Multiple ways to get boot time: * btime in /proc/stat * calculation via clock_gettime(CLOCK_REALTIME - CLOCK_BOOTTIME) * calculation via time(NULL) - sysinfo().uptime Maintainers preferred btime in /proc/stat because: * value does not depend on calculation using current timestamp * btime is "static" and doesn't change once set * btime is available in kernels from 2008 * CLOCK_BOOTTIME is available in kernels from 2011 (2.6.38) By scraping btime from /proc/stat, it is both the heaviest and most likely to succeed Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Signed-off-by: Stanley Chan <pocketgamer5000@gmail.com>
Co-authored-by: Grzegorz Nosek <grzegorz.nosek@sysdig.com> Co-authored-by: Melissa Kilby <melissa.kilby.oss@gmail.com> Signed-off-by: Stanley Chan <pocketgamer5000@gmail.com>
c804f94
to
3153288
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A follow up item for us, see https://github.com/falcosecurity/libs/pull/1003/files#r1149676712, but proposing to merge this first.
/approve
LGTM label has been added. Git tree hash: 8a531afd35e813542b8fe75035761e30f50e5d3f
|
Confirming that all my test hosts (bare-metal) are reporting the right timestamps after applying this PR as a patch 👍 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, Happy-Dude, incertum The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
See #932 and #1003 (comment) for more context
Previous:
stat /proc/1
was used as boot timestat /proc/<pid>/root/proc/1
was used as container start timeThis PR:
btime
value inside/proc/stat
is used as boot timestat /proc/<pid>/root/proc/1/cmdline
is used as container start timeWhat type of PR is this?
Any specific area of the project related to this PR?
Does this PR require a change in the driver versions?
No
What this PR does / why we need it:
Use the
btime
from/proc/stat
as boot time.Use the change time from
/proc/1/cmdline
to derive container start time; this is similar to how Docker does it.Which issue(s) this PR fixes:
Fixes #932
Special notes for your reviewer:
cc @Andreagit97 and @FedeDP and @incertum
Does this PR introduce a user-facing change?: