trace exec: add exe path

[alban]

trace exec: add exe path

Thanks to this new field, we can distinguish the executable with its full path when it is not visible in the args, e.g. when executing via a symlink or via a procfs magic link such as /proc/self/exe.

How to use

Example of output:

$ sudo ig trace exec
RUNTIME.CONTAINERNAME PID    PPID   COMM  RET ARGS
test                  644871 639225 mkdir 0   /usr/bin/mkdir -p /tmp/bar/foo/
test                  644888 639225 cat   0   /usr/bin/cat /dev/null

$ sudo ig trace exec --paths
RUNTIME.CONTAINERN… PID    PPID   COMM  RET ARGS                     CWD EXEPATH
test                644377 639225 mkdir 0   /usr/bin/mkdir -p /tmp/… /   /usr/bin/mkdir
test                644497 639225 cat   0   /usr/bin/cat /dev/null   /   /usr/bin/cat

TBD

Similar to the cwd option (#1700), I didn't enable it by default. This increases the event in the ring buffer by 4k. It would be nice to optimise the event size.

Testing done

...

cc @omriShneor

Fixes #1950

[mauriciovasquezbernal]

Similar to the cwd option (#1700), I didn't enable it by default. This increases the event in the ring buffer by 4k. It would be nice to optimise the event size.

TBH I'm not sure we should be keeping these optional and big fields on the event. Perhaps we can update the logic to send multiple events on the perf ring buffer, one with the main information and one (or more) with additional fields. However image-based gadgets will be challenge. I think your approach is good for this PR, we need to think more about it for the image-based gadgets case.

[alban]

I updated this PR with a single flag --paths for enabling both the cwd and exe paths.

I'll think more about the image-based gadgets.

[alban]

Rebased again to fix new conflicts from recent changes on the main branch.

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity.
It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

[mauriciovasquezbernal]

I suppose we still need it. @alban would you mind rebasing one last time. I'll review it after.

[alban]

I rebased and fixed the conflicts. Let's see if the CI accepts it.

[eiffel-fl]

Similar to the cwd option (#1700), I didn't enable it by default. This increases the event in the ring buffer by 4k. It would be nice to optimise the event size.

TBH I'm not sure we should be keeping these optional and big fields on the event. Perhaps we can update the logic to send multiple events on the perf ring buffer, one with the main information and one (or more) with additional fields. However image-based gadgets will be challenge. I think your approach is good for this PR, we need to think more about it for the image-based gadgets case.

I also do not like increasing the size of event.
I will not go against it for the built-in gadgets as we will deprecate it soon.
For the image based one, I would rather see people needing this feature maintaining their own flavor of it.

[eiffel-fl]

Hi!

Please, see my comment with regard to the event size.
However, this is a good addition for people needing it.
I tested it and it works fine:

$ sudo ./ig trace exec --paths                              alban_exec_long_paths % u=
RUNTIME.CONTAINER… PID        PPID       COMM       PCOMM     RET ARGS                    CWD                     EXE                    
eloquent_shirley   47511      47487      bash       containe… 0   /usr/bin/bash           /                       /usr/bin/bash          
eloquent_shirley   47540      47511      ls         bash      0   /usr/bin/ls             /                       /usr/bin/ls

I have some comments nonetheless.

Best regards.

[eiffel-fl]

I am wondering if we should else if and set this properly.

[alban]

I am not sure what you suggest. I didn't change the logic of the if below.

[eiffel-fl]

I am not convinced about this name, what about BinPath?
At least, this should make clear this is a path to something.
With Exe, I am awaiting ELF or stuff like this.

[alban]

Good idea. I suggest ExePath because it is similar to sysdig's proc.exepath.

Sysdig has both exe and exepath:

proc.exe                      The first command line argument argv[0] (truncated after 4096 bytes) which is usually the 
                              executable name but it could be also a custom string, it depends on what the user 
                              specifies. [...] 
proc.exepath                  The full executable path of the process [...]

[mauriciovasquezbernal]

Just one minor comment. LGTM once CI is green.