New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(dependencies): further adopt dependencies API to ksymbols and probes #3967
base: main
Are you sure you want to change the base?
feat(dependencies): further adopt dependencies API to ksymbols and probes #3967
Conversation
This PR was extracted from #3965 and will serve it for its logic |
This however won't solve the issue that we need to update the |
34ba958
to
89b530b
Compare
For sure, could you put TODO comments? |
5542f04
to
706ea06
Compare
d44a759
to
578bbb6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I want to go over the logic again later this week.
return false, nil | ||
} | ||
|
||
// second stage: validate events |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have added support for unexpected events only in this function (ExpectAtLeastOneForEach
) as I only used this one.
If its seems good to you @NDStrahilevitz I can add it to all other functions as well.
I admit that I think that the current API created by @geyslan is a bit too complicated - it has too many functions so the differences between them is hard to understand. Anyways this PR is not about the testing infrastructure, so I only open it here for discussion.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I admit that I think that the current API created by @geyslan is a bit too complicated
I agree with you @AlonZivony. Integration API must be rethought.
c134e0b
to
eaf952a
Compare
eaf952a
to
4d3a9bf
Compare
After a conversation with @yanivagman we arrived to the following problems that should be addressed with the watchers mechanism:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice work @AlonZivony
The automatic handling of event dependencies will make it easier to implement dynamic policy modification in the future. @geyslan FYI
pkg/events/dependencies/manager.go
Outdated
} | ||
|
||
// removeNode removes the node from the tree. | ||
func (m *Manager) removeHandle(handle *HandleNode) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What's the meaning of returning bool here? If it represent an error, let's use error
instead
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It represents if the remove was successful in the sense of if the handle existed in the manager.
I can replace it with an error, and create an error for "value not found". But as currently the remove cannot fail, the bool
value seems cleaner to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think using error
for non existing value is a a common practice
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can replace it with an error, and create an error for "value not found".
So the check against it should be if errors.Is(err, dependencies.ValueNotFoundError) {
. It's a good practice if we'll have more error types, if not... the check against the bool is cleaner.
pkg/events/dependencies/probes.go
Outdated
} | ||
|
||
func (hn *HandleNode) addDependant(dependant events.ID) { | ||
hn.dependants = append(hn.dependants, dependant) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shouldn't we check that dependant not already exists in the list?
pkg/ebpf/tracee.go
Outdated
probesToEvents[probeDep] = append(probesToEvents[probeDep], id) | ||
for _, probe := range depsNode.GetDependencies().GetProbes() { | ||
err := t.probes.Attach(probe.GetHandle(), t.cgroups) | ||
if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit - to avoid extra indentation, use
if err == nil {
continue
}
detachUnusedProbes := func(probesToCheck []events.Probe) { | ||
for _, probe := range probesToCheck { | ||
_, ok := t.eventsDependencies.GetHandle(probe.GetHandle()) | ||
if !ok { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit - to avoid extra indentation, use:
if ok {
continue
}
pkg/ebpf/tracee.go
Outdated
if err != nil { | ||
return errfmt.WrapError(err) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not required since we call it anyway below
Track dependencies on probes. This makes it easier to understand when new probes are added or old ones removed.
Change the handling of the probes attach and detach to use the dependencies watchers. This allows to handle correctly failure of events and future events updates.
Create an end-to-end test for the dependencies failure mechanism. This should check that the new dependencies mechanism is integrating well with Tracee. This PR introduce test events for the first time.
Move useful helper functions for tests in the logger and policies area to the testutils package.
Use integration tests existing functions instead of self implemented.
Change the watchers to support any type of node to trigger watchers, according to required type. Also add the ability for add watcher to cancel the add of the node to get less buggy order of operations.
4d3a9bf
to
0f62fe0
Compare
1. Explain what the PR does
This PR expands and uses the dependencies API introduced in #3931 for other events dependencies handling.
It adds the probes dependencies to the dependencies manager, and use it to manage probes cancelling.
This PR also add the dependencies watchers for adding and removing the probes, and use the dependencies to cancel events with missing ksymbols.
Fix #3933
2. Explain how to test it
3. Other comments