
Process ID for linked binaries #3208

Open
ArmanPasha opened this issue Dec 9, 2024 · 2 comments

Comments

@ArmanPasha

Hey,
I'm new to Tetragon and I've been experimenting with it for some time. I've seen an unexpected behaviour which I don't know if it's from Tetragon, eBPF, or the kernel itself.
So, I'm running an Alpine Linux container in a Kubernetes cluster which is being monitored by Tetragon. When I run the /bin/sh using kubectl, Tetragon gives me a process exec event with a PID. Note that in Alpine Linux, /bin/sh is indeed a link to /bin/busybox .
The first issue is that when I look into the /proc directory on the host where the container runs, I don't see the PID Tetragon gave me; instead, I see a different PID that runs /bin/busybox (its /proc/<pid>/exe is /bin/busybox and its /proc/<pid>/cmdline is /bin/sh).
The second issue is that when the shell process exits, Tetragon gives me a process exit event with the same PID it gave for the process exec event (which doesn't exist in /proc).
I would really appreciate it if anyone could shed some light on this behaviour.
Thanks

@mtardy
Member

mtardy commented Jan 27, 2025

Hello, sorry we skipped this issue it seems:

Tetragon is running on the host PID namespace so the PID you should see is the actual PID of the host. However containers run in separate PID namespaces. So when you say "when I look into the /proc directory on the host where the container runs, I don't see the PID Tetragon gave me", are you sure you are running on the host PID namespace?

> that runs /bin/busybox (its /proc/<pid>/exe is /bin/busybox and its /proc/<pid>/cmdline is /bin/sh).

This is logical given how busybox works.

However if you think you were in the correct PID namespace and can provide a reproducer, we'll surely take a look.
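The two checks above (which PID namespace you are reading /proc from, and why exe and cmdline disagree after exec'ing a busybox symlink) can be automated. The script below is an added example, not Tetragon code. It parses the `NSpid:` line of `/proc/<pid>/status` (present on Linux 4.1 and later) to map a host PID to the PID seen inside the container namespace, and execs a real binary through a symlink to show that `/proc/<pid>/exe` reports the resolved target while `cmdline` keeps argv[0]. `SAMPLE_STATUS` is a constructed excerpt, the host PID 41872 and container PID 7 in it are made up, and `/bin/sleep` is assumed to exist on the host running the demo.

```python
"""Cross-check a PID reported by a host-level tool (e.g. Tetragon) against /proc.

Two facts explain the symptoms discussed in the thread:
  1. /proc/<pid>/exe is the kernel's resolved target of the exec'd path, so
     exec'ing the symlink /bin/sh on Alpine shows /bin/busybox, while
     /proc/<pid>/cmdline keeps argv[0] as passed ("/bin/sh" or "sh").
  2. A PID is only meaningful within its PID namespace. /proc/<pid>/status
     carries an "NSpid:" line listing the PID in every namespace from the
     reader's namespace inward, so a host PID can be mapped to the
     container-visible PID and back.
"""
import os
import subprocess
import tempfile
from typing import Dict, List, Optional

# Constructed sample of a /proc/<pid>/status excerpt as read from the host
# PID namespace: host PID 41872 is PID 7 inside one nested (container) namespace.
SAMPLE_STATUS = """\
Name:\tbusybox
State:\tS (sleeping)
Tgid:\t41872
Pid:\t41872
PPid:\t41850
NStgid:\t41872\t7
NSpid:\t41872\t7
NSpgid:\t41872\t7
"""


def parse_nspid(status_text: str) -> List[int]:
    """Return the NSpid chain, outermost (reader's) namespace first."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(x) for x in line.split()[1:]]
    raise ValueError("no NSpid line: kernel too old or malformed input")


def pid_in_innermost_ns(status_text: str) -> int:
    """PID the process sees for itself (e.g. what `ps` inside the pod shows)."""
    return parse_nspid(status_text)[-1]


def find_host_pid(inner_pid: int, statuses: Dict[int, str]) -> Optional[int]:
    """Given {host_pid: status_text} for every entry under /proc, return the
    host PID whose container-namespace PID equals inner_pid.
    Processes living only in the host namespace (chain length 1) are skipped,
    so a host PID that merely happens to equal inner_pid is not matched."""
    for host_pid, text in statuses.items():
        chain = parse_nspid(text)
        if len(chain) > 1 and chain[-1] == inner_pid:
            return host_pid
    return None


def read_proc_statuses(proc_root: str = "/proc") -> Dict[int, str]:
    """Read the status file of every numeric entry under proc_root
    (use "/hostProc" when the host /proc is mounted into the pod)."""
    out: Dict[int, str] = {}
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                with open(os.path.join(proc_root, entry, "status")) as fh:
                    out[int(entry)] = fh.read()
            except OSError:
                continue  # process exited or status is unreadable
    return out


def exe_vs_cmdline(pid: int, proc_root: str = "/proc") -> Dict[str, str]:
    """Return the resolved executable path and argv[0] of a live process."""
    exe = os.readlink(f"{proc_root}/{pid}/exe")
    with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
        argv = fh.read().split(b"\0")
    return {"exe": exe, "argv0": argv[0].decode(errors="replace")}


def demo_symlink_exec() -> Optional[Dict[str, str]]:
    """Exec /bin/sleep through a symlink named 'sh' (standing in for Alpine's
    /bin/sh -> /bin/busybox) and compare exe with argv[0].
    Returns None when there is no /proc or no /bin/sleep (non-Linux host)."""
    target = "/bin/sleep"  # assumed path; on Alpine this is itself a busybox link
    if not (os.path.isdir("/proc") and os.path.exists(target)):
        return None
    try:
        with tempfile.TemporaryDirectory() as d:
            link = os.path.join(d, "sh")
            os.symlink(target, link)
            proc = subprocess.Popen([link, "30"])  # Popen returns after exec succeeded
            try:
                return exe_vs_cmdline(proc.pid)
            finally:
                proc.kill()
                proc.wait()
    except OSError:
        return None


if __name__ == "__main__":
    print("NSpid chain:", parse_nspid(SAMPLE_STATUS))
    print("host PID for container PID 7:", find_host_pid(7, {41872: SAMPLE_STATUS}))
    print("symlink exec:", demo_symlink_exec())
```

From the reproducer pod, `find_host_pid(<pid from ps inside the pod>, read_proc_statuses("/hostProc"))` returns the host PID that a host-namespace tool would report, and `exe_vs_cmdline(<that pid>, "/hostProc")` shows the busybox target alongside the `/bin/sh` argv[0].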

@ArmanPasha
Author

Hi,
I had a hostPath volume mounted from /proc to a directory in an Alpine container and observed this issue, so the PID is indeed in the host namespace.

Here is how you can reproduce this issue; given your k8s default namespace is being monitored by Tetragon, you just apply the manifest below, which spins up an Alpine container with the host's /proc mounted at /hostProc in the container. Then if you run kubectl exec -it pod/test-pod -- sh you should get a Tetragon process exec event with the PID of P1 that is running the /bin/sh binary. However, if you look into /hostProc you won't find /hostProc/<P1>. Instead, you find another PID, let's say P2, that is running the /bin/busybox process.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
spec:
  containers:
  - name: test-container
    image: alpine:3.15
    command: ["sleep", "1000"]
    volumeMounts:
    - mountPath: /hostProc   # host /proc visible inside the container
      name: host-proc
  volumes:
  - name: host-proc
    hostPath:
      path: /proc
      type: Directory
```
