feat(dependencies): further adopt dependencies API to ksymbols and probes #3967
Conversation
|
This PR was extracted from #3965 and will serve it for its logic |
|
This however won't solve the issue that we need to update the |
AlonZivony
force-pushed
the
feature/further-dependencies-adaptation
branch
from
34ba958
to
89b530b
Compare
For sure, could you put TODO comments? |
AlonZivony
force-pushed
the
feature/further-dependencies-adaptation
branch
7 times, most recently
from
5542f04
to
706ea06
Compare
AlonZivony
force-pushed
the
feature/further-dependencies-adaptation
branch
3 times, most recently
from
d44a759
to
578bbb6
Compare
| return false, nil | ||
| } | ||
|
|
||
| // second stage: validate events |
There was a problem hiding this comment.
I have added support for unexpected events only in this function (ExpectAtLeastOneForEach) as I only used this one.
If its seems good to you @NDStrahilevitz I can add it to all other functions as well.
I admit that I think that the current API created by @geyslan is a bit too complicated - it has too many functions so the differences between them is hard to understand. Anyways this PR is not about the testing infrastructure, so I only open it here for discussion.
There was a problem hiding this comment.
I admit that I think that the current API created by @geyslan is a bit too complicated
I agree with you @AlonZivony. Integration API must be rethought.
AlonZivony
force-pushed
the
feature/further-dependencies-adaptation
branch
from
c134e0b
to
eaf952a
Compare
AlonZivony
force-pushed
the
feature/further-dependencies-adaptation
branch
from
eaf952a
to
4d3a9bf
Compare
|
After a conversation with @yanivagman we arrived to the following problems that should be addressed with the watchers mechanism:
|
There was a problem hiding this comment.
Nice work @AlonZivony
The automatic handling of event dependencies will make it easier to implement dynamic policy modification in the future. @geyslan FYI
pkg/events/dependencies/manager.go
Outdated
| } | ||
|
|
||
| // removeNode removes the node from the tree. | ||
| func (m *Manager) removeHandle(handle *HandleNode) bool { |
There was a problem hiding this comment.
What's the meaning of returning bool here? If it represent an error, let's use error instead
There was a problem hiding this comment.
It represents if the remove was successful in the sense of if the handle existed in the manager.
I can replace it with an error, and create an error for "value not found". But as currently the remove cannot fail, the bool value seems cleaner to me.
There was a problem hiding this comment.
I think using error for non existing value is a a common practice
There was a problem hiding this comment.
I can replace it with an error, and create an error for "value not found".
So the check against it should be if errors.Is(err, dependencies.ValueNotFoundError) {. It's a good practice if we'll have more error types, if not... the check against the bool is cleaner.
pkg/events/dependencies/probes.go
Outdated
| } | ||
|
|
||
| func (hn *HandleNode) addDependant(dependant events.ID) { | ||
| hn.dependants = append(hn.dependants, dependant) |
There was a problem hiding this comment.
shouldn't we check that dependant not already exists in the list?
pkg/ebpf/tracee.go
Outdated
| probesToEvents[probeDep] = append(probesToEvents[probeDep], id) | ||
| for _, probe := range depsNode.GetDependencies().GetProbes() { | ||
| err := t.probes.Attach(probe.GetHandle(), t.cgroups) | ||
| if err != nil { |
There was a problem hiding this comment.
nit - to avoid extra indentation, use
if err == nil {
continue
}
| detachUnusedProbes := func(probesToCheck []events.Probe) { | ||
| for _, probe := range probesToCheck { | ||
| _, ok := t.eventsDependencies.GetHandle(probe.GetHandle()) | ||
| if !ok { |
There was a problem hiding this comment.
nit - to avoid extra indentation, use:
if ok {
continue
}
pkg/ebpf/tracee.go
Outdated
| if err != nil { | ||
| return errfmt.WrapError(err) | ||
| } |
There was a problem hiding this comment.
This is not required since we call it anyway below
Track dependencies on probes. This makes it easier to understand when new probes are added or old ones removed.
Change the handling of the probes attach and detach to use the dependencies watchers. This allows to handle correctly failure of events and future events updates.
Create an end-to-end test for the dependencies failure mechanism. This should check that the new dependencies mechanism is integrating well with Tracee. This PR introduce test events for the first time.
Move useful helper functions for tests in the logger and policies area to the testutils package.
Use integration tests existing functions instead of self implemented.
Change the watchers to support any type of node to trigger watchers, according to required type. Also add the ability for add watcher to cancel the add of the node to get less buggy order of operations.
AlonZivony
force-pushed
the
feature/further-dependencies-adaptation
branch
from
4d3a9bf
to
0f62fe0
Compare
1. Explain what the PR does
This PR expands and uses the dependencies API introduced in #3931 for other events dependencies handling.
It adds the probes dependencies to the dependencies manager, and use it to manage probes cancelling.
This PR also add the dependencies watchers for adding and removing the probes, and use the dependencies to cancel events with missing ksymbols.
Fix #3933
2. Explain how to test it
3. Other comments