aquasecurity / tracee

Linux Runtime Security and Forensics using eBPF
https://aquasecurity.github.io/tracee/latest
Apache License 2.0

enrichment error message #3870

Open josedonizetti opened 4 months ago

josedonizetti commented 4 months ago

I keep seeing messages like this when running on minikube. Not sure if they are a bug because the cgroup that they are trying to enrich isn't from a container. Though it gives the wrong message to a user, it seems like something is not working. Does it make sense to keep logging them as errors? Maybe change the severity? Anything else?

{
    "level":"error",
    "ts":1708089649.258455,
    "msg":"error enriching container in control plane",
    "error":"containers.(*Containers).EnrichCgroupInfo: cgroup 74730: no containerId (path /user.slice/user-1000.slice/user@1000.service/app.slice/snap.kubectl.kubectl-186be11b-11d3-462e-821c-83ce6d742804.scope)",
    "cgroup_id":74730
}

josedonizetti commented 4 months ago

@NDStrahilevitz WDYT?

NDStrahilevitz commented 4 months ago

Seems to me there's a bug here, as this pattern should not match to a container but to a pod. So the log did its work in identifying the bug. I'll add this to the milestone and likely self assign later.

josedonizetti commented 4 months ago

@NDStrahilevitz AH, nice, so it is indeed a bug! Thank you

NDStrahilevitz commented 3 days ago

@josedonizetti Can you try reproducing this? I got an error with the enrichment that the container doesn't exist (because I didn't manually set up the minikube docker socket), which means I did get the container id, unlike your case. Maybe different minikube versions?

minikube version: v1.33.1
commit: 5883c09216182566a63dff4c326a6fc9ed2982ff