Feature: add process tree data source #3488

AlonZivony · 2023-09-20T11:15:26Z

1. Explain what the PR does

ce696ac chore(proctree): add process tree e2e tests
7098db0 feat(proctree): create process tree data source

types/datasource/proctree.go

pkg/proctree/datasource.go

tests/e2e-inst-signatures/e2e-proctree_data_source.go

rafaeldtinoco · 2023-09-21T01:02:42Z

types/datasource/proctree.go

+	ForkTime    time.Time
+	ExitTime    time.Time
+	Name        string
+	ProcessHash uint32


Is this hash from the "thread group leader" ? Maybe we should use the same names both sides (process tree and here).

So this connects to my previous comment.
There should be a clear distinction between processes and threads.
I think we have too much of a mish-mash between kernel terms and user terms.
This should be the process hash, because the user is interested in the process information. Not necessarily the thread group leader information (the TaskInfo of the group leader is irrelevant for most use cases of the process tree).

** I took a closer look on the current design, and I see that some crucial process information is accessible only through the TaskInfo struct of the process. We need to discuss the design here to think what is the best API here.

Agree, just need to decide on the name

I believe in the end that having more user-friendly names here is more appropriate.
Tell me what you think.

tests/e2e-inst-signatures/scripts/proctree_data_source.sh

types/datasource/proctree.go

rafaeldtinoco · 2023-09-21T01:11:34Z

Hey Alon, I think we're close. Overall I like the datasource, the way you're accessing the process tree, etc. I have some doubts on why you're not distinguishing between threads and processes in the signature (you can answer in those comments).

I'll get back to this tomorrow as soon as you answer/re-push things. Please check the tests results as well.

Cheers!

pkg/ebpf/signature_engine.go

pkg/proctree/datasource.go

types/datasource/proctree.go

AlonZivony · 2023-09-24T09:33:37Z

Answering #3488 (comment)
I agree, but currently the version is uint, so it is not supported to implement it like this.
If you prefer, we can open an issue and do a refactor after this PR changing the datasources version to be a string in the major.minor.patch fashion.

AlonZivony · 2023-09-24T13:13:31Z

Has errors with the e2e tests when trying to find the thread hash in the tree.
Should figure how to solve them for the milestone.

yanivagman

LGTM,
needs types PR to be merged first

rafaeldtinoco · 2023-09-27T16:27:56Z

#3509 merged, feel free to rebase.

AlonZivony · 2023-09-27T17:49:55Z

@yanivagman @rafaeldtinoco needs someone to restart the tests

AlonZivony · 2023-09-27T18:21:05Z

My local e2e test is not working.
I guess at this point that the reason for it is the race condition between the feed of the proctree and the actual events.
Still trying to figure it out.

EDIT:
From my check, we have 3 issues with the e2e test:

Race condition between signal processing and events processing.
The fact that if the sched_process_exec event hook is triggered before the exec signal, the execution time registered in the process tree will be later then the exec event, resulting incorrect information when querying the process tree.
The task name during runtime is the cmdPath instead of the task name, which is not matching the expected behavior (for example, tasks info from the procfs is not in the same format - its the short name of the command that ran).

rafaeldtinoco · 2023-09-27T19:30:09Z

My local e2e test is not working.
I guess at this point that the reason for it is the race condition between the feed of the proctree and the actual events.
Still trying to figure it out.

Like we've just discussed, the only way to get rid of this would be to get "both" sources of events enabled (with #3498).

Then the proctree entry would always exist since the fork/exec/exit events would come in the same pipeline (at least for this test that doesn't have a filled pipeline).

I'm pretty sure in regular situations the signal events will happen first, but, still ... its an event oriented architecture, can't guarantee a transaction with unordered events without holding the pipeline.

AlonZivony · 2023-09-28T10:09:59Z

I decided to make this PR only on the data source, and putting the e2e tests on another PR.
The e2e tests doesn't fail because of the datasource, and the tests are mergeable after code freeze.
Will push the datasource commit alone soon.

Expose the process tree to the signatures using a datasource. This way a signatures can use the process tree to have state, instead of using multiple events and saving the state internally.

rafaeldtinoco · 2023-09-28T14:28:27Z

Rebased at #3522 (solving conflicts mostly)

github-actions bot assigned AlonZivony Sep 20, 2023

github-actions bot added area/ebpf area/testing area/build labels Sep 20, 2023

AlonZivony added kind/feature milestone/v0.18.0 area/proctree and removed area/ebpf area/build labels Sep 20, 2023

AlonZivony force-pushed the feature/tree-datasource branch from ce696ac to 620da57 Compare September 20, 2023 11:18

github-actions bot added area/ebpf area/build labels Sep 20, 2023

AlonZivony force-pushed the feature/tree-datasource branch from 620da57 to f4b8f28 Compare September 20, 2023 12:14

AlonZivony commented Sep 20, 2023

View reviewed changes

types/datasource/proctree.go Outdated Show resolved Hide resolved