draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/

capture filter "container.id" is not working when providing the full container id #1763

Closed jossef closed 1 year ago

jossef commented 3 years ago

If I use the following command, I'm getting all container events as expected:

sysdig container.id=00f372b35933

However, if I use

sysdig container.id=00f372b35933e9c8d1020bc399949235d0337cf3f105486f5f9fb6a56f2cfd

Sysdig doesn't capture any event.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

therealbobo commented 1 year ago

Hi @jossef! I took a quick look and this appears to be the correct behaviour (here are some references: https://github.com/falcosecurity/libs/blob/0e0a7b26ed1f7e0f7717e2afec6b99b7ae72ecc0/userspace/libsinsp/filterchecks.cpp#L6598 https://github.com/falcosecurity/libs/blob/0e0a7b26ed1f7e0f7717e2afec6b99b7ae72ecc0/userspace/libsinsp/runc.cpp#L67). If you think that it's a good idea to add a new field or to change the container.id field, you can open an issue on the libs repo (https://github.com/falcosecurity/libs) and start a discussion with the maintainers! 😄
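
Added example, not part of the thread or of sysdig's own code: a shell helper that turns a short, full, or runtime-prefixed container ID into a filter that matches, assuming `container.id` is compared against the 12-character short ID, as the working command in the report suggests. The function name `container_id_filter` is hypothetical, and the input is validated as hex because it is interpolated into a filter expression.

```shell
# Assumption: the container.id field holds the 12-character short ID.
SHORT_ID_LEN=12
FULL_ID_MAX=64

# Print "container.id=<short id>" for a short, full, or "<runtime>://"-prefixed
# container ID. Returns 1 and prints nothing on stdout if the input is unusable.
container_id_filter() {
    id=$1

    # Kubernetes pod status reports IDs as "<runtime>://<id>"; drop the prefix.
    case $id in
        *://*) id=${id#*://} ;;
    esac

    # Normalise case so the comparison with the reported ID is exact.
    id=$(printf '%s' "$id" | tr 'A-F' 'a-f')

    # Accept hex digits only: anything else (spaces, operators, quotes) would
    # change the meaning of the filter expression it is pasted into.
    case $id in
        ''|*[!0-9a-f]*)
            echo "not a hex container id: $1" >&2
            return 1 ;;
    esac

    # Shorter than the short ID cannot match an equality filter; longer than a
    # full ID is not a container ID at all.
    if [ "${#id}" -lt "$SHORT_ID_LEN" ] || [ "${#id}" -gt "$FULL_ID_MAX" ]; then
        echo "unexpected container id length: ${#id}" >&2
        return 1
    fi

    printf 'container.id=%s\n' "$(printf '%s' "$id" | cut -c1-"$SHORT_ID_LEN")"
}

# Usage (ID taken from the report above):
#   sysdig "$(container_id_filter 00f372b35933e9c8d1020bc399949235d0337cf3f105486f5f9fb6a56f2cfd)"
```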