You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hey,
I'm new to Tetragon and I've been experimenting with it for some time. I've seen an unexpected behaviour which I don't know if it's from Tetragon, eBPF, or the kernel itself.
So, I'm running an Alpine Linux container in a Kubernetes cluster which is being monitored by Tetragon. When I run the /bin/sh using kubectl, Tetragon gives me a process exec event with a PID. Note that in Alpine Linux, /bin/sh is indeed a link to /bin/busybox .
The first issue is that when I look into the /proc directory on the host where the container runs, I don't see the PID Tetragon gave me; instead, I see a different PID that runs /bin/busybox (its /proc/<pid>/exe is /bin/busybox and its /proc/<pid>/cmdline is /bin/sh).
The second issue is that when the shell process exits, Tetragon gives me a process exit event with the same PID it gave for the process exec event (which does't exist in the /proc).
I would really appreciate if anyone could shed some lights on this behaviour.
Thanks
The text was updated successfully, but these errors were encountered:
Hey,
I'm new to Tetragon and I've been experimenting with it for some time. I've seen an unexpected behaviour which I don't know if it's from Tetragon, eBPF, or the kernel itself.
So, I'm running an Alpine Linux container in a Kubernetes cluster which is being monitored by Tetragon. When I run the
/bin/sh
usingkubectl
, Tetragon gives me a process exec event with a PID. Note that in Alpine Linux,/bin/sh
is indeed a link to/bin/busybox
.The first issue is that when I look into the
/proc
directory on the host where the container runs, I don't see the PID Tetragon gave me; instead, I see a different PID that runs/bin/busybox
(its/proc/<pid>/exe
is/bin/busybox
and its/proc/<pid>/cmdline
is/bin/sh
).The second issue is that when the shell process exits, Tetragon gives me a process exit event with the same PID it gave for the process exec event (which does't exist in the
/proc
).I would really appreciate if anyone could shed some lights on this behaviour.
Thanks
The text was updated successfully, but these errors were encountered: