Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hunt PIDTYPE_PGID and PIDTYPE_SID in BTF. Fixes RHEL8. #210

Merged
merged 1 commit into from
Oct 31, 2024
Merged

Hunt PIDTYPE_PGID and PIDTYPE_SID in BTF. Fixes RHEL8. #210

merged 1 commit into from
Oct 31, 2024

Conversation

haesbaert
Copy link
Contributor

@haesbaert haesbaert commented Oct 31, 2024
edited
Loading

Found in quark-test when running on RHEL8:
Linux rocky8 4.18.0-553.22.1.el8_10.x86_64 #1 SMP Wed Sep 25 09:20:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Related commit in quark: elastic/quark@89e606b

New kernels have a PIDTYPE_TGID after PIDTYPE_PID, which bumpes PIDTYPE_PGID and PIDTYPE_SID: https://elixir.bootlin.com/linux/v6.11/source/include/linux/pid_types.h#L8

4.18 (RHEL8) which we can actually run on since redhat backported ebpf ringbuffers still has the old definition:
https://elixir.bootlin.com/linux/v4.18/source/include/linux/pid.h

With this diff quark-test passes on asserting pgid and sid correspond to the return of getpgid(2) and getsid(2) on 4.18.0-553.22.1.el8_10.x86_64:

https://github.com/elastic/quark/blob/main/quark-test.c#L273-L274

(edit fixed link)

@haesbaert haesbaert requested a review from a team as a code owner October 31, 2024 15:13
nicholasberlin
nicholasberlin approved these changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@nicholasberlin nicholasberlin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM if CI agrees

@haesbaert
Hunt PIDTYPE_PGID and PIDTYPE_SID in BTF. Fixes RHEL8.
6f19328 
Found in quark-test when running on RHEL8:
Linux rocky8 4.18.0-553.22.1.el8_10.x86_64 #1 SMP Wed Sep 25 09:20:43 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Related commit in quark: elastic/quark@89e606b

New kernels have a PIDTYPE_TGID after PIDTYPE_PID, which bumpes PIDTYPE_PGID and PIDTYPE_SID:
https://elixir.bootlin.com/linux/v6.11/source/include/linux/pid_types.h#L8

4.18 (RHEL8) which we can actually run on since redhat backported ebpf
ringbuffers still has the old definition:
https://elixir.bootlin.com/linux/v4.18/source/include/linux/pid.h

With this diff `quark-test` passes on asserting pgid and sid correspond to the
return of getpgid(2) and getsid(2) on 4.18.0-553.22.1.el8_10.x86_64:

https://github.com/elastic/quark/blob/main/quark-test.c#L273-L274
@haesbaert haesbaert merged commit f8b0fc6 into main Oct 31, 2024
24 of 25 checks passed
@haesbaert haesbaert deleted the pgid_sid_fix branch October 31, 2024 19:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicholasberlin nicholasberlin nicholasberlin approved these changes

@fearful-symmetry fearful-symmetry fearful-symmetry approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@haesbaert @fearful-symmetry @nicholasberlin