Process ID for linked binaries #3208

Open
ArmanPasha opened this issue Dec 9, 2024 · 0 comments

@ArmanPasha

Hey,
I'm new to Tetragon and I've been experimenting with it for some time. I've seen some unexpected behaviour, and I don't know if it's from Tetragon, eBPF, or the kernel itself.
So, I'm running an Alpine Linux container in a Kubernetes cluster which is being monitored by Tetragon. When I run /bin/sh using kubectl, Tetragon gives me a process exec event with a PID. Note that in Alpine Linux, /bin/sh is indeed a link to /bin/busybox.
The first issue is that when I look into the /proc directory on the host where the container runs, I don't see the PID Tetragon gave me; instead, I see a different PID that runs /bin/busybox (its /proc/<pid>/exe is /bin/busybox and its /proc/<pid>/cmdline is /bin/sh).
The second issue is that when the shell process exits, Tetragon gives me a process exit event with the same PID it gave for the process exec event (which doesn't exist in /proc).
I would really appreciate it if anyone could shed some light on this behaviour.
Thanks
