openSUSE-RU-2020:0421-1: moderate: Recommended update for sysdig
   openSUSE Recommended Update: Recommended update for sysdig
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2020:0421-1
Rating:             moderate
References:
Affected Products:  openSUSE Leap 15.1
______________________________________________________________________________

   An update that has 0 recommended fixes can now be installed.

Description:

   This update brings sysdig to version 0.26.5:

   - Update to version 0.26.5:
     * Fixed segfault that happens at startup (#1475, #1528)
     * Fixed memory leaks from certain thread/socket operations (#1491)
     * Fixed handling of SEND_SIG_NOINFO in the eBPF driver (#1493)
     * Fixed a regression in reading certain partial container events from scap files (#1513)
     * Updated use of Kubernetes APIs to support v1.16 (#1521)
     * Fixed rare driver deadlock that could occur during a context switch (#1522)
     * Added more detail to probe loader error message (#1541)

   - Update to version 0.26.4:
     * Prevent double-definition of ASSERT macro
     * Added fillers for chmod syscalls (#1472)
     * Added support for reporting cpu usage per docker cpuset (#1473)
     * Fixed build error on older Linux kernels (#1477)
     * Fixed driver build for RHEL 7.7/4.13+ w/CONFIG_VIRT_CPU_ACCOUNTING_GEN (#1471)
     * Fixed cmake to look for pkg-config before building grpc (#1470)
     * Fixed printing of strings (#1466)
     * readv input parsing improvements (#1463)
     * Support Kubernetes liveness/readiness probes [#1320]
     * Fix edge cases in handling clone() and prlimit() system calls [#1401, #1465]
     * Stability and performance fixes

   - Drop no longer needed patches:
     * sysdig-include.patch
     * sysdig-linking.patch

   - Update to version 0.26.1:
     * Changes to build the kmod with 5.1 kernels [#1413]
     * Explicitly disable psl to address build failures on MAC OS [#1417]
     * Fix handling of container metadata in "infra" events [#1418]

   - Changes for version 0.26.0:
     * Perform docker metadata fetches asynchronously: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [#1326] [#1378] [#1374] [#1381] [#1373] [#1382] [#1388] [#1389] [#1384] [#1392] [#1396] [#1411]
     * Add field to display time in ISO 8601 UTC [#1317] [#1360]
     * Performance improvements of ring buffer processing [#1372]
     * Support major/minor device numbers for fd events [#1315] [#1383]
     * Add the ability to prepend encoded log severity in the log message [#1327]
     * Raise the iov limit in eBPF [#1390]
     * Changes to pull user event logging out into a separate component. [#1375]
     * Log a debug message when looking up an IP address of an incomplete container [#1398]
     * Support cri-o container metadata caching [#1399]
     * Logging API with lazy parameter evaluation [#1394]
     * Support BPM container type [#1319]
     * Fix bug in fullcapture range check [#1386]
     * Allow chisels to receive the full content of big buffers. [#1361]
     * start the analyzer before forcing next for a scap file [#1366]
     * Create a grpc_channel_registry for all channels [#1369]
     * Modified the behavior of fullcapture port range [#1370]
     * Check file before dereferencing [#1397]
     * Fix build for older kernels (<3.9) [#1400]
     * Added -fno-stack-protector to avoid clang errors [#1401]
     * Addl loop prevention for traverse_parent_state [#1411]
     * Add interfaces for async metrics collection [#1346]
     * Use epel 7-11 (7-9 is no longer available) [#1362]
     * Make some global variables related to fetching container state thread-local [#1356]
     * Allow downloading prebuilt modules without SSL verification [#1358]
     * add test helper to container manager. [#1365]
     * Cleanup old docker images after building a new ebpf-probe-builder [#1367]
     * valgrind clean for analyzer end to end test [#1387]
     * flush flags change to new namespace, add code enabling easy use of sinsp_threadinfo in std::set/map [#1395]
     * add friend class for unit testing [#1406]

   - Changes for version 0.25.0:
     * Support Linux 5.0
     * CRI container runtime support
     * runtimeSpec.linux returned by containerd is an object, not an array (#1343)
     * Fix gRPC build with gcc 7 (#1322)
     * CRI-O container support (#1310)
     * Fix check for Docker pause containers [SMAGENT-1305] (#1306)
     * Detect CRI pod sandbox containers (#1297)
     * Container Runtime Interface support (#1277)
     * Prebuilt probes
     * Prebuild minikube kernel modules (#1294)
     * Build probe modification to include Fedora-Atomic. [SMAGENT-1251] (#1293)
     * Fix for newer versions of LXC not being detected (#1345)
     * [SMAGENT-1433] pull legacy GCC artifacts from local cache as debian no longer supports (#1342)
     * Use TBB_INCLUDE_DIR for consistency w/ falco agent (#1329)
     * SMAGENT-1297: Rebuild gcc-plugins before building kernel module (#1305)
     * Modified BPF probe builder (#1301)
     * Call set*ent() before reading the user/group NSS database (#1341)
     * Properly initialize default settings for tracers (#1339)
     * Fix bpf ptrace filler (#1338)
     * Fix potential memory leak in libelf (#1337)
     * Fix case where fclose could be called twice. (#1330)
     * Handle mmap failure gracefully (#1324)
     * Add stream event details in csysdig output (#1335)
     * SMAGENT-1400: Make sinsp_logger thread-safe (#1333)
     * Never drop socket syscalls to ensure we have fdinfo for subsequent binds. SMAGENT-1270 (#1312)
     * Infer fd info for sendto system call [SMAGENT-1282] (#1304)
     * Async framework base [SMAGENT-1247] (#1303)
     * Handle events for unknown threads after scap start [SMAGENT-1082] (#1296)
     * Add ability to print filtercheck field names only (#1288)

   - Add patches to fix build issues with shared components:
     * sysdig-include.patch
     * sysdig-linking.patch

   - Update to version 0.24.2:
     * Added the ability to specify a set of ports where data is captured with bigger snaplen (20000) (#1256)
     * Made fd resolution work for getsockopt (#1280)
     * Check getsockopt event before accessing it (#1284)
     * Fixed snprintf placeholder for size_t/{u,}int64_t (#1279)
     * Disabled reading environment from /proc by default (#1272)
     * Excluding suppressed processes during initial /proc scan (#1269)
     * Fixed Windows build in CYGWIN environment (#1270)
     * Changes to eliminate warnings with gcc 5.4 (#1271)
     * Trigger build errors for extra compiler warnings (#1265)
     * Handling thread table overflows (#1263)
     * Deleted threadinfos that we failed to add to the thread table (#1260)
     * Reduce CPU usage (#1261)
     * Lua parser interfaces (#1254)
     * Fixed a compile issue when trying to make the project using VS2017 on Windows 10 (#1248)
     * Added ifdef guards to socket options with (#1257),(#1258)
     * Improved getsockopt()/setsockopt() support (#1188)
     * Fix fd.net comparisons with in operator (#1252)
     * Only check out sysdig for initial invocation (#1251)
     * Build probe modules only with sysdig directory (#1244)
     * Fixed spelling and copy/pasted comment errors (#1250)

   - Changes for version 0.24.1:
     * Fix struct packing

   - Changes for version 0.24.0:
     * Switch to Apache 2.0 License: All userspace code moves from GPL to Apache 2 license. Kernel module switches to dual-license MIT + GPLv2. Enjoy! [#1233] [#1242]
     * Complete IPv6 Support. Sysdig previously had partial IPv6 support, but this release rounds out full support for ipv6 addresses in filter fields, csysdig, etc. [#1204]
     * loginuid support. Add user.loginuid & user.loginname to track login users, which do not change despite sudo/su operations. [#1189] [#1214] [#1218] [#1219] [#1227]
     * Track connections by domain name: New fields fd.*ip.name allow matching connection ips with resolved domain names. [#1213]
     * Add endswith filter to support suffix matching on strings [#1209]
     * Add minikube support to the kernel module probe loader script [#1205]
     * Improve error string return handling at startup/when reading capture files [#1215]
     * Disable boot2docker kernel module builds for pre-built kernel modules [#1232]
     * eBPF Support Improvements/Fixes [#1235] [#1236] [#1237] [#1239]
     * Improve/fix windows build [#1242]
     * Don't drop setns events when in dropping mode [#1198]
     * At startup, wait a bit for an existing sysdig-probe module to be unloaded before loading a new one [#1201]
     * Support extracting container metadata for containers spawned with just an image id and not an image name [#1207]
     * Properly extract image metadata when the image contains a host:port component [#1206]
     * Minor compilation bug fixes [#1212]
     * Small packaging fixes [#1228] [#1229] [#1231]
     * Fix an inconsistency when writing capture files containing unknown fds [#1234]

   - Update to version 0.23.1:
     * Fix ia32 check on BPF for 4.14 and 4.15 kernels
     * Adjust wrong events lengths when reading older captures [#1195]
     * More flexible captures: the flexibility of the capture format/reading process has been improved to allow backward and forward-compatibility [#1163]
     * Support logging elapsed time on tracers [#1186]
     * Fixes on custom containers support [#1170]
     * Avoid invalid free() calls around m_suppressed_pointers [#1184]
     * Properly set the address list total length when reading a capture [#1185]

   - Update to version 0.22:
     * eBPF support for sysdig: eBPF as the instrumentation backend in kernel space (beta)
     * Parsing an argument passed to sysdig-probe-loader as a custom URL for the kernel module like -e SYSDIG_PROBE_URL=http://54.183.253.176:52354 [#1085]
     * Several changes to expand the set of events that are skipped by falco, and to centralize the logic for knowing which events to skip [#1105]
     * Improved proc lookup in libsinsp [#1107] [#1110] [#1112]
     * Improved performance [#1126] [#1120] [#1121] [#1137]
     * In dropping mode, drop events that don't change system state [#1123]
     * Introduce non-STL thread table API [#1142]
     * Add the ability to ignore events by process name (comm). At the scap level, ignoring is by tid. At the sinsp level, as threads are added/removed from the thread table the comm is checked against a set of comms and if found the tid is added to the scap-level ignore hash table [#1139]
     * The container_manager can now receive callbacks to call when a new container is detected or an inactive one is removed [#1133]
     * Add support for adding custom container types alongside Docker etc (on sinsp level) [#1149]
     * Parse and store three new container_info fields: repository, tag and digest [#1127]
     * Skip proc scan in sinsp_dumper w/ threads_from_sinsp=true [#1164]
     * Allow k8s filterchecks with analyzer [#1160]
     * When creating the sysdig docker image, add the ability to directly set the sysdig version via the environment variable SYSDIG_VERSION [#1166]

   - Drop upstreamed patch:
     * sysdig_proto_ops_getname.patch

   - Patch sysdig_proto_ops_getname.patch to fix build
   - Seth Forshee: Update for proto_ops.getname() prototype changes in Linux 4.17 (#1114)

   - Update to version 0.21.0:
     * Track Versioning in Capture Files: With this release, we will increment the pcap major/minor version in capture files when a release adds new event types, additional event fields, etc. that are incompatible with earlier sysdig versions. [#1081] [#1084]
     * Add s390x as a platform using Docker [#1029]
     * When saving container information, also store certain mesos-related environment information associated with the first process in the container [#1021] [#1057]
     * New filtercheck fd.connected returns whether or not a network connection file descriptor is actually bound to a remote endpoint. Think of udp sockets that only use sendto() vs udp sockets that use connect() and then send(), or tcp sockets that have been created but not connect()ed yet. [#1051]
     * New filtercheck fd.name_changed is true when an event changes the connection information for a connection fd. This can occur in some cases such as udp connections where a connect() changes the connection information for a fd.
     * Make the thread table size configurable via sinsp::set_max_thread_table_size() [#1056]
     * Add support for new AWS Linux 2 AMI [#1058]
     * Add process group id to execve events [#1044] [#1080]
     * Expand the set of system calls returned by the driver when in dropping mode [#1075]
     * Handle AT_FDCWD arguments to linkat, openat, etc. and resolve the path relative to the cwd [#1020]

Patch Instructions:

   To install this openSUSE Recommended Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.1:

      zypper in -t patch openSUSE-2020-421=1

Package List:

   - openSUSE Leap 15.1 (x86_64):

      sysdig-0.26.5-lp151.4.3.1
      sysdig-debuginfo-0.26.5-lp151.4.3.1
      sysdig-debugsource-0.26.5-lp151.4.3.1
      sysdig-kmp-default-0.26.5_k4.12.14_lp151.28.44-lp151.4.3.1
      sysdig-kmp-default-debuginfo-0.26.5_k4.12.14_lp151.28.44-lp151.4.3.1

References: