remove pid file on exit #3075

geyslan · 2023-05-08T17:15:28Z

1. Explain what the PR does

tracee: remove pid file on exit

This also does some cosmetic changes to the code.

2. Explain how to test it

$ sudo ./dist/tracee --filter event=ptrace_code_injection
TIME             UID    COMM             PID     TID     RET              EVENT                     ARGS

then

ctrl+c

and watch:

$ find /tmp/tracee
/tmp/tracee
/tmp/tracee/out

3. Other comments

Fix: #3074

pkg/ebpf/tracee.go

josedonizetti

There is a problem of having the PID file internal to Tracee{} library, instead of part of the main.go, which should create the pid file as the first thing, and clean it up at the end of it.

For anything using the pid file as a metric to know if tracee is alive or not (tracee-action does it, and k8s files might do it in the future), cleaning inside the lib, means those services will think tracee is not live and either stop docker or restart the container, even though there is logic to be execute after t.Run() like drain the chan of events, for example.

So if possible, maybe we could fix this problem here? Ideally we should remove the pid creation from inside the lib, and have it under cmd/tracee.goas the first and last thing before the process exits.

geyslan · 2023-05-08T19:02:55Z

@josedonizetti this e5c1cea is a proposal based on your concerns. I couldn't extract it to main as the pidfile uses capture output path logic which is only set in Runner.Run(). But with that I was able to extract the creation and destruction of the pidfile to the highest execution path. WDYT?

yanivagman · 2023-05-08T19:28:39Z

There is a problem of having the PID file internal to Tracee{} library, instead of part of the main.go, which should create the pid file as the first thing, and clean it up at the end of it.

For anything using the pid file as a metric to know if tracee is alive or not (tracee-action does it, and k8s files might do it in the future), cleaning inside the lib, means those services will think tracee is not live and either stop docker or restart the container, even though there is logic to be execute after t.Run() like drain the chan of events, for example.

So if possible, maybe we could fix this problem here? Ideally we should remove the pid creation from inside the lib, and have it under cmd/tracee.goas the first and last thing before the process exits.

I think this problem is bigger than what this PR comes to solve (#3074 (comment)) and we should probably tackle it later. In the future, I believe the liveness/readiness probes can be implemented using our API server, and not through this pid file.

josedonizetti · 2023-05-08T19:41:38Z

@yanivagman Liveness/readiness will use the server, that is why we introduced the --healthz flag, tracee-action uses the pid, for starting for now, so removing is not a problem, though others could be using the pid, for the ideas mentioned here, or others ideas, and having its removal before the full stop of the flow might lead to misbehavior. The pid should not be tied to the internals of the lib, but to the start/exit of the process.

rafaeldtinoco · 2023-05-09T03:03:05Z

Issue is being mitigated by: 6aee729 at #3076 so tests won't fail because of tracee.pid leftovers.

geyslan · 2023-05-09T13:37:40Z

@josedonizetti if you agree with this solution let's merge it.

pkg/utils/files.go

This also does some cosmetic changes to the code and adds utils.RemoveAt() wrapper.

geyslan added this to the v0.14.1 milestone May 8, 2023

geyslan self-assigned this May 8, 2023

github-actions bot added the area/ebpf label May 8, 2023

geyslan force-pushed the 3074-del-pid-file branch from 868c9f4 to ddf9f1d Compare May 8, 2023 17:18

geyslan marked this pull request as ready for review May 8, 2023 17:18

geyslan commented May 8, 2023

View reviewed changes

pkg/ebpf/tracee.go Show resolved Hide resolved

josedonizetti suggested changes May 8, 2023

View reviewed changes

github-actions bot added the area/UX label May 8, 2023

geyslan force-pushed the 3074-del-pid-file branch from d32d6c6 to 768b20d Compare May 8, 2023 18:57

geyslan force-pushed the 3074-del-pid-file branch from 768b20d to e5c1cea Compare May 8, 2023 19:08

rafaeldtinoco added the milestone/v0.14.1 label May 9, 2023

yanivagman removed this from the v0.14.1 milestone May 9, 2023

geyslan requested a review from josedonizetti May 9, 2023 13:37

josedonizetti approved these changes May 9, 2023

View reviewed changes

geyslan force-pushed the 3074-del-pid-file branch 2 times, most recently from 70193b7 to eb0ed15 Compare May 9, 2023 14:12

geyslan commented May 9, 2023

View reviewed changes

pkg/utils/files.go Show resolved Hide resolved

tracee: remove pid file on exit

ef59bb0

This also does some cosmetic changes to the code and adds utils.RemoveAt() wrapper.

geyslan force-pushed the 3074-del-pid-file branch from eb0ed15 to ef59bb0 Compare May 9, 2023 16:02

geyslan merged commit a8369af into aquasecurity:main May 9, 2023

geyslan deleted the 3074-del-pid-file branch May 29, 2023 22:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

remove pid file on exit #3075

remove pid file on exit #3075

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

remove pid file on exit #3075

remove pid file on exit #3075

Uh oh!

Conversation

1. Explain what the PR does

2. Explain how to test it

3. Other comments

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!