Releases: draios/sysdig
Releases · draios/sysdig
0.24.2
New Features
- Added the ability to specify a set of ports where data is captured with bigger snaplen (20000) (#1256)
Bug Fixes
- Made fd resolution work for getsockopt (#1280)
- Check getsockopt event before accessing it (#1284)
- Fixed snprintf placeholder for size_t/{u,}int64_t (#1279)
- Disabled reading environment from /proc by default (#1272)
- Excluding suppressed processes during initial /proc scan (#1269)
- Fixed Windows build in CYGWIN environment (#1270)
- Changes to eliminate warnings with gcc 5.4 (#1271)
- Trigger build errors for extra compiler warnings (#1265)
- Handling thread table overflows (#1263)
- Deleted threadinfos that we failed to add to the thread table (#1260)
- Reduce CPU usage (#1261)
- Lua parser interfaces (#1254)
- Fixed a compile issue when trying to make the project using VS2017 on Windows 10 (#1248)
- Added ifdef guards to socket options with (#1257),(#1258)
- Improved getsockopt()/setsockopt() support (#1188)
- Fix fd.net comparisons with in operator (#1252)
- Only check out sysdig for initial invocation (#1251)
- Build probe modules only with sysdig directory (#1244)
- Fixed spelling and copy/pased comment errors (#1250)
0.24.1
0.24.0
New Features
- Switch to Apache 2.0 License: All userspace code moves from GPL to Apache 2 license. Kernel module switches to dual-license MIT + GPLv2. Enjoy! [#1233] [#1242]
- Complete IPv6 Support. Sysdig previously had partial IPv6 support, but this release rounds out full support for ipv6 addresses in filter fields, csysdig, etc. [#1204]
- loginuid support. Add
user.loginuid
&user.loginname
to track login users, which do not change despite sudo/su operations. [#1189] [#1214] [#1218] [#1219] [#1227] - Track connections by domain name: New fields
fd.*ip.name
allow matching connection ips with resolved domain names. [#1213] - Add
endswith
filter to support suffix matching on strings [#1209] - Add minikube support to the kernel module probe loader script [#1205]
- Improve error string return handling at startup/when reading capture files [#1215]
- Disable boot2docker kernel module builds for pre-built kernel modules [#1232]
- eBPF Support Improvements/Fixes [#1235] [#1236] [#1237] [#1239]
Bug Fixes
- Improve/fix windows build [#1242]
- Don't drop setns events when in dropping mode [#1198]
- At startup, wait a bit for an existing sysdig-probe module to be unloaded before loading a new one [#1201]
- Support extracting container metadata for containers spawned with just an image id and not an image name [#1207]
- Properly extract image metadata when the image contains a
host:port
component [#1206] - Minor compilation bug fixes [#1212]
- Small packaging fixes [#1228] [#1229] [#1231]
- Fix an inconsistency when writing capture files containing unknown fds [#1234]
0.23.1
0.23.0
0.22.1
Bug fixes
- Ensure that the
/lib/modules
symlink is properly set for the docker image [#1177] - Improve kernel module compatibility with fedora atomic kernels [#1172] [#1173]
- Small improvements to pre-built kernel modules [#1180]
- Fix a problem that caused the kernel module to not load on certain kernel versions [#1182]
0.22.0
Highlight
New features
- eBPF support for sysdig: eBPF as the instrumentation backend in kernel space (beta)
[#1110] [#1115] [#1116] [#1117] [#1122] [#1124] [#1125] [#1128] [#1132] [#1134] [#1145] - Parsing an argument passed to sysdig-probe-loader as a custom URL for the kernel module like -e SYSDIG_PROBE_URL=http://54.183.253.176:52354 [#1085]
- Several changes to expand the set of events that are skipped by falco, and to centralize the logic for knowing which events to skip [#1105]
- Improved proc lookup in libsinsp [#1107] [#1110] [#1112]
- Improved performance [#1126] [#1120] [#1121] [#1137]
- In dropping mode, drop events that don't change system state [#1123]
- Introduce non-STL thread table API [#1142]
- Add the ability to ignore events by process name (comm). At the scap level, ignoring is by tid. At the sinsp level, as threads are added/removed from the thread table the comm is checked against a set of comms and if found the tid is added to the scap-level ignore hash table [#1139]
- The container_manager can now receive callbacks to call when a new container is detected or an inactive one is removed [#1133]
- Add support for adding custom container types alongside Docker etc (on sinsp level) [#1149]
Parse and store three new container_info fields: repository, tag and digest [#1127] - Skip proc scan in sinsp_dumper w/ threads_from_sinsp=true [#1164]
- Allow k8s filterchecks with analyzer [#1160]
- When creating the sysdig docker image, add the ability to directly set the sysdig version via the environment variable SYSDIG_VERSION [#1166]
Bug fixes
- Enable SME on userspace mappings [#1096]
- Falco might read a trace file containing older events. These events shouldn't be skipped simply because a newer version of the event exists [#1106]
- Get setpgid() handling working when the caller is in a pid namespace [#1080]
- Fix cwd initialization from non main thread forks [#1087]
- Fix netmask: Faster filter processing on PT_IPV4NET [#1091]
- Fix evt.abspath filter parsing: Don't compare the filter name against the whole string [#1093]
- Allow fd.port to be used with in operator [#1101]
- Allow evttype filters to work with syscalls [#1100]
- Preserve order between catchall & other filters [#1103]
- Detect tracer fds that were created before sysdig starts up [#1113]
- Write trailing newlines immediately even in JSON mode [#876]
- Fix for Linux 4.17 socket ops->getname API change [#1161]
- http_code type should be long not int [#1159]
- Replace the raw pointer with a weak_ptr that will become NULL when the parent threadinfo goes out of scope [#1143]
- string_to_cmpop is used in the lua api callbacks for parsing filters [#1153]
- gcc-7 requires to use std::function [#1158]
- Sanity check ptid/comm pointers [#115]
- Fix a malformed URL that was causing a 301 from the docker daemon; get docker image tag from images endpoint [#1174]
- Fix wrong handling of old docker versions [#1175]
- Several changes to update the flags used for filterchecks to make them accurately reflect how they can be used [#1109]
- Make sure the agent compiles under cygwin [#1119]
Misc
0.21.0
New Features
- Track Versioning in Capture Files: With this release, we will increment the pcap major/minor version in capture files when a release adds new event types, additional event fields, etc. that are incompatible with earlier sysdig versions. [#1081] [#1084]
- Add s390x as a platform using Docker [#1029]
- When saving container information, also store certain mesos-related environment information associated with the first process in the container [#1021] [#1057]
- New filtercheck
fd.connected
returns whether or not a network connection file descriptor is actually bound to a remote endpoint. Think of udp sockets that only usesendto()
vs udp sockets that useconnect()
and thensend()
, or tcp sockets that have been created but notconnect()
ed yet. [#1051] - New filtercheck
fd.name_changed
is true when an event changes the connection information for a connection fd. This can occur in some cases such as udp connections where a connect() changes the connection information for a fd. - Make the thread table size configurable via
sinsp::set_max_thread_table_size()
[#1056] - Add support for new AWS Linux 2 AMI [#1058]
- Add process group id to execve events [#1044] [#1080]
- Improved windows support [#1063] [#1069]
- Use gcc 5 by default to compile properly on Ubuntu Xenial, remove gcc 4.9 [#1067]
- Expand the set of system calls returned by the driver when in dropping mode [#1075]
- Handle
AT_FDCWD
arguments tolinkat
,openat
, etc. and resolve the path relative to the cwd [#1020] - Update fetching kernel sources for recent Debian releases [#1083]
Bug Fixes
- When used with Falco, Allow "in" operator to work with non-string values [#1049] [#1073] [#1072]
- Make sure inspector does not dereference scap handle until initialization is complete [#1048]
- When extracting fields from a formatted filtercheck string, handle cases where the filtercheck includes array indexing like proc.aname[2] [#1047]
- Fix incorrect assignment of client/server role for UDP sockets that initially do a
recvfrom()
followed by a laterconnect()
[#1053] - Cleanups to c++ friend usage [#1066]
- Fix bugs when matching
fd.*net
filterchecks, change them to filter only (e.g. not printable) [#1070] - Improve handling of
socket
/bind
events to set protocol/role [#1071] - Fix
fd.directory
filtercheck for short paths like/file
[#1074] - Small improvements/fixes to various fs-related syscalls [#1076]
0.20.0
New Features
- Use dithered boxes to increase the number of available colors for spectrogram/subsecoffset views [#961] [#963] [#966]
- Add the ability to log json parse errors to a separate log file [#975] [#981] [#990]
- Update the embedded jsonpp implementation to 0.10.6 [#975] [#982]
- Reduce inactive container scan time from 20 minutes to 30 seconds [#985]
- Added the ability to parse and represent RAW sockets [#991]
- Handle finit_module syscall [#996] [#1001]
- Add error message when
scap_open()
is called with incorrect mode [#997] - Use explicit versions for all Docker API Endpoints [#1000]
- Report more detailed errors when PPM_IOCTL_GET_N_TRACEPOINT_HIT fails [#1016]
- Update zlib/openssl/curl dependencies to ones that have security vulnerability fixes [#1030]
- Add support for bpf/seccomp syscalls [#1031] [#1033]
- When trying to build the kernel module using dkms fails, include dkms.log output along with the failure [#1038]
Bug Fixes
- Properly remove
/dev/sysdig*
devices on older kernels [#888] - Properly set protocol for sockets used for listen() [#949]
- Make the check for identifying a container as mesos more strict [#955]
- Use insmod instead of modprobe to load dkms kernel module [#956]
- Fix typos/spelling mistakes [#968] [#1024]
- Fix bugs found by PVS-studio [#972]
- Add validation to value of SYSDIG_HOST_ROOT environment variable [#984]
- Add additional validation to contents of K8s auth string [#989]
- Ensure all extracted filtercheck values have lengths [#993]
- Fix a bug that could cause mesos json responses to be improperly truncated [#994]
- Fixed get_env() to handle spaces properly and to only return exact matches. [#1004]
- Fix a race condition that could cause a crash during non-blocking dns lookups [#1012]
- Add libelf as a dependency which prevents failures when sysdig is loaded by kernels using CONFIG_STACK_VALIDATION/CONFIG_ORC_UNWINDER [#1018]
- Fix AT_FDCWD 32-bit syscall decoding [#1025]
- Fix driver load problems with kernels that disable page fault tracepoints [#1034]
- Properly exit when reading truncated trace files with csysdig [#1037]
- Handle null return from sinsp_evt::get_thread_info() [#1039]
- Fix a memory leak when summarizing events by system call [#1042]
- Fix a crash caused when specifying a k8s api server but no certificate [#1045]