-
Notifications
You must be signed in to change notification settings - Fork 165
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sampling exclude #1314
base: master
Are you sure you want to change the base?
Sampling exclude #1314
Conversation
…d during sampling Signed-off-by: Manny Wang <[email protected]>
…d during sampling Signed-off-by: Manny Wang <[email protected]>
Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: wangyongfeng5 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Please double check driver/SCHEMA_VERSION file. See versioning. /hold |
Signed-off-by: Manny Wang <[email protected]>
Hi 👋 @wangyongfeng5 In addition to the global setting (not doing any sampling) libs/driver/bpf/plumbing_helpers.h Line 496 in bf1280f
libs/driver/bpf/plumbing_helpers.h Line 560 in bf1280f
UF_NEVER_DROP , see syscall table Line 34 in bf1280f
Would it be possible to summarize the gaps of the existing Lastly is this contribution intended to benefit the Falco client (where primary use cases are threat detection and compliance auditing) or a custom client? |
It's for a custom client. So we can't use UF_NEVER_DROP because it is static and cannot change with different scenes. I think which system calls should be excluded from sampling should be an option rather than static, and other similar options, such as whether to enable sampling or not, are per-user, so this option should also be per-user. |
Understood @wangyongfeng5 re this PR and the other one. Those are quite significant changes that align with custom clients and not the Falco client. Would it be ok to defer discussions until after Falco 0.36 release (aka in Oct 2023)? Possibly maybe it would make sense to jump on a community call and discuss or brainstorm more broadly to see if multiple custom clients can benefit from such capabilities and how a best approach would look like as we also need to ensure that new changes and major refactors are ok to maintain going forward. |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
What type of PR is this?
/kind feature
Any specific area of the project related to this PR?
/area API-version
/area driver-kmod
/area driver-bpf
/area driver-modern-bpf
/area libscap-engine-bpf
/area libscap-engine-kmod
/area libscap-engine-modern-bpf
/area libscap
/area libpman
Does this PR require a change in the driver versions?
/version driver-API-version-minor
What this PR does / why we need it:
Support an option to prevent certain system calls from being discarded during sampling.
Because some events that seem important on the user side need to be preserved in the sample