Tags: odigos-io/runtime-detector
RUN-00 | test: add compatibility tests and C written program for testing (#42) Extending the testing to cover arm64 and alpine variants in addition to the current debian and x86 variants. Features like the files open tracking are affected by the distribution and architecture combinations (for example alpine based distributions might use open system call instead of openat if it is supported by the arch (open is present on x86 but not on arm64)) - This was fixed in #41. In addition adding musl/glibc linked program written in C that is used in the tests. This is added to capture the different behaviors between the distributions.
chore: bump go version and base images to go1.25 variants, adjust bpf code based on new compiler from trixie image (#39) Bump CI, go.mod and base images to use go1.25. Base image used for testing is updated to Debian trixie which ships with clang-19 - this introduced some different behaviors in the probe load tests - since the compiled code changed. Added small adjustments to handle this.
if we failed to read the root pid ns, fallback to reporting PIDs in that ns and avoid returning an error (#38) If we failed to read the root pid ns, fallback to reporting PIDs in that ns and avoid returning an error. Cases where the pid ns is crucial are when the detector is running inside a container without access to the host pid ns (kind cluster on macOS is an example). When running in k8s, as long as the host /proc dir is mounted the detector can function properly even without knowing the pid ns.
feat: support mounted /proc fs to avoid requirement to hostPid namespace (#33) This PR aims to reduce the permissions, mounts and host namespaces sharing of the detector. Adding a detector option to allow users to configure the location of the proc filesystem. This is done to remove the requirement for setting hostPID: true. The example CLI and daemonset are updated to reflect the change.
[RUN-104] add support for older kernels add tests for 4.19 (#32) Adjustments to support kernel 4.19: Replace const volatile with a config map that is marked read-only when this kind of flag is supported (from kernel 5.2). Remove bpf_printk since the strings used end up in the .rodata section - and the .rodata section is mapped to a read-only map - which might not be supported. As a future task a comprehensive mechanism to pass errors/warn events from eBPF code needs to be added. Kernel 4.19 has a limitation of 4096 instructions per program and it does not support bounded loops - which were added in 5.3. Hence all the loops being used in that code need to have pragma unroll. Doing that increases the instruction count - which gets to the 4096 limit. To handle this added a flavor of small program to reduce the loops size - this is mainly relevant for the env vars scan which was adjusted to have 128 max iterations on kernels below 5.3. In order to further decrease the instruction count on older kernels the small program variant does not examine the executable name in the execve program. This can lead to some extra unnecessary events being reported on those older kernels - the filtered executable test case is updated to be skipped on older kernels.
fix: report exec event from syscall exit instead of syscall entry (#29) During testing and reducing the duration filter to zero, observed that processes can have the /proc files in an unstable state - probably not ready yet. This led to logs like: {"time":"2025-08-04T11:40:17.084570751Z","level":"WARN","msg":"skipping process event due to env prefix not present","pid":6186,"envPrefixFilter":"ODIGOS_POD_NAME","cmdLine":"runc init","exePath":"/membership"} The cmdline and the exe link seem inconsistent. In addition the environ file does not contain the expected env vars - which leads to the filtering of the event. Adding an exit tracepoint to the execve syscall and reporting to user space from there solves that behavior. In addition, the duration_filter will be used as a passthrough filter if the duration passed is zero.