forked from aquasecurity/tracee
Add kernel 611 612 (test) #1
Merged
Currently, ubuntu:latest uses Ubuntu version 24.04, which includes kernel 6.8. Since Tracee needs to be tested with kernel 6.8, it is better to pin the version of the Ubuntu runners. After testing Tracee with kernel 6.8 and confirming that everything works correctly, this commit can be reverted.
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.26.0 to 0.31.0.
- [Commits](golang/crypto@v0.26.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
- function load_str_from_buf created to retrieve a str value based on index;
- function reverse_string created to reverse a string in order to enable suffix match;
- functions evaluate_data_filters/match_data_filters created to apply exact, prefix and suffix match;
- eBPF maps for exact, prefix and suffix; eBPF map to hold a temporary LPM TRIE key;
- extend event_config to have a data filter config per event: used for exact, prefix and suffix match;
- save the offset at the specified index in the function save_str_to_buf.
- how to enable data filter in the eBPF program using the function evaluate_data_filters.
- eBPF map definition for exact, prefix and suffix match;
- create updateDataFilterLPMBPF and updateDataFilterBPF to populate the eBPF maps;
- config map fields for exact, prefix and suffix;
- create the function createNewDataFilterMapsVersion in order to create the inner maps based on version and event id.
- method equalities created for data filter;
- method computeDataFilterEqualities created for kernel data filter;
- handle the corner case when one policy uses a substring (path) of another policy;
- disable data filter (only pathname) for selected events;
- kernel data filters restrict pathnames to 255 characters and disallow 'contains' filters; added functions to enforce that.
- Add MatchTypes{} and KernelDataFilter{} in cmp.AllowUnexported;
- kernel data filters restrict pathnames to 255 characters and disallow 'contains' filters; unit tests have been added to validate these restrictions;
- integration tests for specific events added, covering three filter types with "equal" and "not equal" conditions.
- Add the restrictions applicable when the kernel-space data filter is available for an event field.
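The commits above describe three kernel-side match types (exact, prefix, suffix), suffix matching done by reversing the string and looking it up in an LPM trie, the 255-character and no-'contains' restrictions, and the corner case where one policy's path is a substring of another's. The following is an added userspace model of that design, written for this page; it is not Tracee's code. The names policyBits, lpmTable, dataFilters, addFilter and evaluate, and the way the substring corner case is resolved (propagating policy bits between nested keys, because an LPM lookup returns only the longest match), are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// policyBits is a bitmap of the policies an entry belongs to (bit n = policy n).
type policyBits uint64

// maxPathLen mirrors the 255-character limit of the kernel data filters.
const maxPathLen = 255

// lpmTable models a BPF LPM trie at byte granularity: lookup returns the value
// of the longest stored key that is a prefix of the lookup key, and only that.
type lpmTable map[string]policyBits

func (t lpmTable) lookup(key string) (policyBits, bool) {
	best, found := "", false
	for k := range t {
		if strings.HasPrefix(key, k) && (!found || len(k) > len(best)) {
			best, found = k, true
		}
	}
	if !found {
		return 0, false
	}
	return t[best], true
}

// add inserts key for policy p and handles the substring corner case: every
// longer key already stored inherits p (so it still matches p's policy), and
// the new key inherits the bits of every shorter key it extends.
func (t lpmTable) add(key string, p policyBits) {
	bits := p
	for k, v := range t {
		switch {
		case strings.HasPrefix(k, key):
			t[k] = v | p // existing longer key: propagate p down to it
		case strings.HasPrefix(key, k):
			bits |= v // existing shorter key: new key must match it too
		}
	}
	t[key] |= bits
}

// reverseString turns a suffix match into a prefix match on the reversed key.
func reverseString(s string) string {
	b := []byte(s)
	for i, j := 0, len(b)-1; i < j; i, j = i+1, j-1 {
		b[i], b[j] = b[j], b[i]
	}
	return string(b)
}

// dataFilters holds one table per match type; suffix keys are stored reversed.
type dataFilters struct {
	exact  map[string]policyBits
	prefix lpmTable
	suffix lpmTable
}

func newDataFilters() *dataFilters {
	return &dataFilters{exact: map[string]policyBits{}, prefix: lpmTable{}, suffix: lpmTable{}}
}

// addFilter enforces the kernel-side restrictions before populating a table.
func (f *dataFilters) addFilter(kind, value string, p policyBits) error {
	if len(value) > maxPathLen {
		return fmt.Errorf("%q exceeds %d characters", value, maxPathLen)
	}
	switch kind {
	case "exact":
		f.exact[value] |= p
	case "prefix":
		f.prefix.add(value, p)
	case "suffix":
		f.suffix.add(reverseString(value), p)
	case "contains":
		return errors.New("'contains' is not supported by kernel data filters")
	default:
		return fmt.Errorf("unknown match type %q", kind)
	}
	return nil
}

// evaluate returns the union of policies whose exact, prefix or suffix filter matches path.
func (f *dataFilters) evaluate(path string) policyBits {
	var bits policyBits
	if b, ok := f.exact[path]; ok {
		bits |= b
	}
	if b, ok := f.prefix.lookup(path); ok {
		bits |= b
	}
	if b, ok := f.suffix.lookup(reverseString(path)); ok {
		bits |= b
	}
	return bits
}

func main() {
	f := newDataFilters()
	_ = f.addFilter("prefix", "/etc/passwd", 1<<2) // policy 2
	_ = f.addFilter("prefix", "/etc", 1<<1)        // policy 1 uses a substring of policy 2's path
	_ = f.addFilter("suffix", ".so", 1<<3)         // policy 3
	_ = f.addFilter("exact", "/bin/sh", 1<<4)      // policy 4
	for _, p := range []string{"/etc/passwd", "/etc/hosts", "/usr/lib/libc.so", "/bin/sh", "/tmp/x"} {
		fmt.Printf("%-18s -> policies %06b\n", p, f.evaluate(p))
	}
	fmt.Println(f.addFilter("contains", "passwd", 1<<1))
}
```

Without the bit propagation in add, a lookup of /etc/passwd would return only policy 2's bitmap and policy 1 would silently stop matching once the longer key was inserted; the model above makes that failure mode visible and shows why both insertion orders must give the same result.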
```
Running tool: /home/gg/.goenv/versions/1.22.4/bin/go test -benchmem -run=^$ -tags ebpf -bench ^Benchmark_Set$ github.com/aquasecurity/tracee/pkg/changelog -benchtime=10000000x
goos: linux
goarch: amd64
pkg: github.com/aquasecurity/tracee/pkg/changelog
cpu: AMD Ryzen 9 7950X 16-Core Processor
Benchmark_Set/All_Scenarios-32   10000000   1337 ns/op    992 B/op   42 allocs/op
Benchmark_Set/Within_Limit-32    10000000   2130 ns/op   3424 B/op   60 allocs/op
PASS
ok  github.com/aquasecurity/tracee/pkg/changelog  350.043s
```
The current Changelog structure consumes a significant amount of memory due to the allocation of metadata for each field/instance. As the number of fields increases, the memory usage grows linearly. Approximately 240 bytes per field were observed just for metadata, excluding the actual data and pointers for each field.

To reduce memory consumption, the new changelog.Changelog[T] type was created. The Changelog[T] implementation uses a single slice to store changes for a single field of type T. This approach is more memory-efficient than the previous implementation, since the map is no longer used. Its main advantage is achievable by setting T as a complete structure type, which gets rid of the need for metadata for each field.

Avoid distributing Changelog[T] across multiple fields, as this would negate the purpose of reducing memory usage by increasing the metadata associated with each Changelog. However, one might consider using it as a structure field in scenarios where a mutable field (with many entries and a high frequency of change) has a larger size than the sum of the Changelog metadata overhead and the size of the outer data structure itself.

FileInfo and TaskInfo were modified to use the new Changelog[T], with T being the respective feed structures.

---

| Caches | GOGC | Branch | Heap Use (Avg)* | Heap Growth* | Diff of main | Proctree |
|--------|------|--------|-----------------|--------------|--------------|----------|
| -      | 5    | main   | 18              | -            | -            | off      |
| 32768  | 5    | main   | 209             | 191          | -            | on       |
| -      | 5    | new    | 18              | -            | -            | off      |
| 32768  | 5    | new    | 96              | 78           | -59.16%      | on       |

\* in MB

With GOGC set to 5, the new implementation reduces average heap usage by approximately 59% when using cache sizes of 32,768. The "Heap Use" and "Heap Growth" columns serve as a good indicator of memory consumption and can assist in determining optimal cache sizes.
---

The Set method was hugely improved, reducing the number of allocations, memory usage, and execution time. The benchmark results are as follows:

```
Running tool: /home/gg/.goenv/versions/1.22.4/bin/go test -benchmem -run=^$ -tags ebpf -bench ^Benchmark_Set$ github.com/aquasecurity/tracee/pkg/changelog -benchtime=10000000x
goos: linux
goarch: amd64
pkg: github.com/aquasecurity/tracee/pkg/changelog
cpu: AMD Ryzen 9 7950X 16-Core Processor
Benchmark_Set/All_Scenarios-32   10000000   322.8 ns/op   112 B/op   3 allocs/op
Benchmark_Set/Within_Limit-32    10000000   506.8 ns/op   496 B/op   5 allocs/op
PASS
ok  github.com/aquasecurity/tracee/pkg/changelog  367.236s
```

| Scenario      | ns/op Reduc. (%) | B/op Reduc. (%) | Alloc. Reduc. (%) |
|:--------------|:-----------------|:----------------|:------------------|
| All Scenarios | -75.9%           | -88.7%          | -92.9%            |
| Within Limit  | -76.2%           | -85.5%          | -91.7%            |
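The two commit messages above describe Changelog[T] as a single timestamp-ordered slice holding the history of one value of type T, with the feed structure used as T so that no per-field metadata is kept. The block below is an added illustration written for this page, not the changelog package from the Tracee repository: the entry limit, the Set/Get/Current/Len method set, the eviction rule (drop the oldest entry once the limit is exceeded) and the fileFeed type are assumptions made here to show the data structure at work.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// entry is one recorded value of T together with the time it took effect.
type entry[T any] struct {
	ts    time.Time
	value T
}

// Changelog records successive values of a single T in one slice, newest last.
// Keeping the whole feed struct as T means one slice per object, not one per field.
type Changelog[T any] struct {
	entries    []entry[T]
	maxEntries int
}

func NewChangelog[T any](maxEntries int) *Changelog[T] {
	return &Changelog[T]{entries: make([]entry[T], 0, 1), maxEntries: maxEntries}
}

// Set records value as of ts. Entries stay sorted by ts; a repeated timestamp
// replaces its entry in place, and once the limit is exceeded the oldest entry
// is dropped. The common case (ts newer than everything stored) is a plain append.
func (c *Changelog[T]) Set(value T, ts time.Time) {
	n := len(c.entries)
	i := sort.Search(n, func(i int) bool { return !c.entries[i].ts.Before(ts) })
	if i < n && c.entries[i].ts.Equal(ts) {
		c.entries[i].value = value
		return
	}
	c.entries = append(c.entries, entry[T]{}) // grow by one, then shift the tail right
	copy(c.entries[i+1:], c.entries[i:n])
	c.entries[i] = entry[T]{ts: ts, value: value}
	if len(c.entries) > c.maxEntries {
		copy(c.entries, c.entries[1:]) // evict the oldest entry
		c.entries = c.entries[:len(c.entries)-1]
	}
}

// Get returns the value in effect at ts: the newest entry not after ts.
func (c *Changelog[T]) Get(ts time.Time) (T, bool) {
	i := sort.Search(len(c.entries), func(i int) bool { return c.entries[i].ts.After(ts) })
	if i == 0 {
		var zero T
		return zero, false
	}
	return c.entries[i-1].value, true
}

// Current returns the most recent value.
func (c *Changelog[T]) Current() (T, bool) {
	if len(c.entries) == 0 {
		var zero T
		return zero, false
	}
	return c.entries[len(c.entries)-1].value, true
}

func (c *Changelog[T]) Len() int { return len(c.entries) }

// fileFeed is a constructed stand-in for a feed structure used as T.
type fileFeed struct {
	Path  string
	Inode uint64
}

func main() {
	c := NewChangelog[fileFeed](3)
	t0 := time.Unix(1_700_000_000, 0)
	c.Set(fileFeed{"/tmp/a", 1}, t0)
	c.Set(fileFeed{"/tmp/c", 3}, t0.Add(20*time.Second))
	c.Set(fileFeed{"/tmp/b", 2}, t0.Add(10*time.Second)) // arrives late, still kept in order
	c.Set(fileFeed{"/tmp/d", 4}, t0.Add(30*time.Second)) // over the limit: /tmp/a is evicted
	v, _ := c.Get(t0.Add(15 * time.Second))
	fmt.Println(c.Len(), v.Path) // 3 /tmp/b
	_, ok := c.Get(t0)
	fmt.Println(ok) // false: the entry for t0 was evicted
}
```

The fixed-size bookkeeping per changelog (a slice header and an int) is what replaces the per-field metadata the first message measured at roughly 240 bytes per field; with the feed struct as T that cost is paid once per tracked object regardless of how many fields the struct has.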
Remove the interpreter FileInfo fields from the Process struct. This reduces the memory footprint of the Proctree by 8MB on average.
Adjust the default process cache size to 16,384, setting a 2:1 ratio between thread and process caches. With GOGC=5 and both caches stressed, an average heap usage of 77MB was observed.
Set INSTANCE_TYPE=LARGE for release workflows, as the release demands a runner with higher specs.
- Add kernel 6.8 and 6.10, both for x86_64 and aarch64;
- Both kernels are based on Ubuntu 24.04 LTS (codename Noble).
This commit removes support for Rego-based signatures in Tracee. Rego signatures, while easier to write than compiled Go signatures, introduced performance overhead. This removal simplifies the Tracee codebase and prepares for the future introduction of Wasm-based signatures, which will offer both improved performance and extended capabilities. In the meantime, users can leverage the following: - **Go-based signatures:** For optimal performance and custom event handling. - **Tracee policies:** For basic event filtering needs, providing a convenient way to define filters directly within the policy. Tracee policies currently address the most common use case for signatures. Future development will focus on expanding Tracee's capabilities to accommodate more advanced scenarios.
This commit removes the 'Verify Signatures' step from the GitHub Actions workflow as it was specifically testing for rego signatures, which are no longer supported in the project.
- Add kernel 6.11 and 6.12, both for x86_64 and aarch64;
- Both kernels are based on Ubuntu 24.04 LTS (codename Noble).
1. Explain what the PR does

"Replace me with make check-pr output"

2. Explain how to test it

3. Other comments