Releases: draios/sysdig

0.24.2

21 Dec 22:59
aa82b2f

New Features

  • Added the ability to specify a set of ports where data is captured with bigger snaplen (20000) (#1256)

Bug Fixes

  • Made fd resolution work for getsockopt (#1280)
  • Check getsockopt event before accessing it (#1284)
  • Fixed snprintf placeholder for size_t/{u,}int64_t (#1279)
  • Disabled reading environment from /proc by default (#1272)
  • Excluding suppressed processes during initial /proc scan (#1269)
  • Fixed Windows build in CYGWIN environment (#1270)
  • Changes to eliminate warnings with gcc 5.4 (#1271)
  • Trigger build errors for extra compiler warnings (#1265)
  • Handling thread table overflows (#1263)
  • Deleted threadinfos that we failed to add to the thread table (#1260)
  • Reduce CPU usage (#1261)
  • Lua parser interfaces (#1254)
  • Fixed a compile issue when trying to make the project using VS2017 on Windows 10 (#1248)
  • Added ifdef guards to socket options (#1257), (#1258)
  • Improved getsockopt()/setsockopt() support (#1188)
  • Fix fd.net comparisons with in operator (#1252)
  • Only check out sysdig for initial invocation (#1251)
  • Build probe modules only with sysdig directory (#1244)
  • Fixed spelling and copy/pasted comment errors (#1250)

0.24.1

05 Oct 20:37

Bug Fixes

  • Fix struct packing [#1246]

0.24.0

04 Oct 22:57
91576de

New Features

  • Switch to Apache 2.0 License: All userspace code moves from GPL to Apache 2 license. Kernel module switches to dual-license MIT + GPLv2. Enjoy! [#1233] [#1242]
  • Complete IPv6 Support. Sysdig previously had partial IPv6 support, but this release rounds out full support for ipv6 addresses in filter fields, csysdig, etc. [#1204]
  • loginuid support. Add user.loginuid & user.loginname to track login users, which do not change despite sudo/su operations. [#1189] [#1214] [#1218] [#1219] [#1227]
  • Track connections by domain name: New fields fd.*ip.name allow matching connection ips with resolved domain names. [#1213]
  • Add endswith filter to support suffix matching on strings [#1209]
  • Add minikube support to the kernel module probe loader script [#1205]
  • Improve error string return handling at startup/when reading capture files [#1215]
  • Disable boot2docker kernel module builds for pre-built kernel modules [#1232]
  • eBPF Support Improvements/Fixes [#1235] [#1236] [#1237] [#1239]

Bug Fixes

  • Improve/fix windows build [#1242]
  • Don't drop setns events when in dropping mode [#1198]
  • At startup, wait a bit for an existing sysdig-probe module to be unloaded before loading a new one [#1201]
  • Support extracting container metadata for containers spawned with just an image id and not an image name [#1207]
  • Properly extract image metadata when the image contains a host:port component [#1206]
  • Minor compilation bug fixes [#1212]
  • Small packaging fixes [#1228] [#1229] [#1231]
  • Fix an inconsistency when writing capture files containing unknown fds [#1234]

0.23.1

14 Aug 20:59
b3c92bf

New Features

  • Update curl dependency to 7.61 [#1196]

Bug Fixes

  • Fix ia32 check on BPF for 4.14 and 4.15 kernels
  • Adjust wrong events lengths when reading older captures [#1195]

0.23.0

09 Aug 15:28

New Features

  • More flexible captures: the flexibility of the capture format/reading process has been improved to allow backward- and forward-compatibility [#1163]
  • Support logging elapsed time on tracers [#1186]

Bug Fixes

  • Fixes on custom containers support [#1170]
  • Avoid invalid free() calls around m_suppressed_pointers [#1184]
  • Properly set the address list total length when reading a capture [#1185]

0.22.1

31 Jul 19:18
153e395

Bug fixes

  • Ensure that the /lib/modules symlink is properly set for the docker image [#1177]
  • Improve kernel module compatibility with fedora atomic kernels [#1172] [#1173]
  • Small improvements to pre-built kernel modules [#1180]
  • Fix a problem that caused the kernel module to not load on certain kernel versions [#1182]

0.22.0

13 Jul 16:45
38a1c42

Highlight

eBPF support for sysdig

New features

  • eBPF support for sysdig: eBPF as the instrumentation backend in kernel space (beta)
    [#1110] [#1115] [#1116] [#1117] [#1122] [#1124] [#1125] [#1128] [#1132] [#1134] [#1145]
  • Parsing an argument passed to sysdig-probe-loader as a custom URL for the kernel module like -e SYSDIG_PROBE_URL=http://54.183.253.176:52354 [#1085]
  • Several changes to expand the set of events that are skipped by falco, and to centralize the logic for knowing which events to skip [#1105]
  • Improved proc lookup in libsinsp [#1107] [#1110] [#1112]
  • Improved performance [#1126] [#1120] [#1121] [#1137]
  • In dropping mode, drop events that don't change system state [#1123]
  • Introduce non-STL thread table API [#1142]
  • Add the ability to ignore events by process name (comm). At the scap level, ignoring is by tid. At the sinsp level, as threads are added/removed from the thread table the comm is checked against a set of comms and if found the tid is added to the scap-level ignore hash table [#1139]
  • The container_manager can now receive callbacks to call when a new container is detected or an inactive one is removed [#1133]
  • Add support for adding custom container types alongside Docker etc (on sinsp level) [#1149]
  • Parse and store three new container_info fields: repository, tag and digest [#1127]
  • Skip proc scan in sinsp_dumper w/ threads_from_sinsp=true [#1164]
  • Allow k8s filterchecks with analyzer [#1160]
  • When creating the sysdig docker image, add the ability to directly set the sysdig version via the environment variable SYSDIG_VERSION [#1166]

Bug fixes

  • Enable SME on userspace mappings [#1096]
  • Falco might read a trace file containing older events. These events shouldn't be skipped simply because a newer version of the event exists [#1106]
  • Get setpgid() handling working when the caller is in a pid namespace [#1080]
  • Fix cwd initialization from non main thread forks [#1087]
  • Fix netmask: Faster filter processing on PT_IPV4NET [#1091]
  • Fix evt.abspath filter parsing: Don't compare the filter name against the whole string [#1093]
  • Allow fd.port to be used with in operator [#1101]
  • Allow evttype filters to work with syscalls [#1100]
  • Preserve order between catchall & other filters [#1103]
  • Detect tracer fds that were created before sysdig starts up [#1113]
  • Write trailing newlines immediately even in JSON mode [#876]
  • Fix for Linux 4.17 socket ops->getname API change [#1161]
  • http_code type should be long not int [#1159]
  • Replace the raw pointer with a weak_ptr that will become NULL when the parent threadinfo goes out of scope [#1143]
  • string_to_cmpop is used in the lua api callbacks for parsing filters [#1153]
  • gcc-7 requires the use of std::function [#1158]
  • Sanity check ptid/comm pointers [#115]
  • Fix a malformed URL that was causing a 301 from the docker daemon; get docker image tag from images endpoint [#1174]
  • Fix wrong handling of old docker versions [#1175]
  • Several changes to update the flags used for filterchecks to make them accurately reflect how they can be used [#1109]
  • Make sure the agent compiles under cygwin [#1119]

Misc

0.21.0

29 Mar 23:44
567c2e2

New Features

  • Track Versioning in Capture Files: With this release, we will increment the pcap major/minor version in capture files when a release adds new event types, additional event fields, etc. that are incompatible with earlier sysdig versions. [#1081] [#1084]
  • Add s390x as a platform using Docker [#1029]
  • When saving container information, also store certain mesos-related environment information associated with the first process in the container [#1021] [#1057]
  • New filtercheck fd.connected returns whether or not a network connection file descriptor is actually bound to a remote endpoint. Think of udp sockets that only use sendto() vs udp sockets that use connect() and then send(), or tcp sockets that have been created but not connect()ed yet. [#1051]
  • New filtercheck fd.name_changed is true when an event changes the connection information for a connection fd. This can occur in some cases such as udp connections where a connect() changes the connection information for a fd.
  • Make the thread table size configurable via sinsp::set_max_thread_table_size() [#1056]
  • Add support for new AWS Linux 2 AMI [#1058]
  • Add process group id to execve events [#1044] [#1080]
  • Improved windows support [#1063] [#1069]
  • Use gcc 5 by default to compile properly on Ubuntu Xenial, remove gcc 4.9 [#1067]
  • Expand the set of system calls returned by the driver when in dropping mode [#1075]
  • Handle AT_FDCWD arguments to linkat, openat, etc. and resolve the path relative to the cwd [#1020]
  • Update fetching kernel sources for recent Debian releases [#1083]

Bug Fixes

  • When used with Falco, Allow "in" operator to work with non-string values [#1049] [#1073] [#1072]
  • Make sure inspector does not dereference scap handle until initialization is complete [#1048]
  • When extracting fields from a formatted filtercheck string, handle cases where the filtercheck includes array indexing like proc.aname[2] [#1047]
  • Fix incorrect assignment of client/server role for UDP sockets that initially do a recvfrom() followed by a later connect() [#1053]
  • Cleanups to c++ friend usage [#1066]
  • Fix bugs when matching fd.*net filterchecks, change them to filter only (e.g. not printable) [#1070]
  • Improve handling of socket/bind events to set protocol/role [#1071]
  • Fix fd.directory filtercheck for short paths like /file [#1074]
  • Small improvements/fixes to various fs-related syscalls [#1076]

0.20.0

19 Jan 01:25

New Features

  • Use dithered boxes to increase the number of available colors for spectrogram/subsecoffset views [#961] [#963] [#966]
  • Add the ability to log json parse errors to a separate log file [#975] [#981] [#990]
  • Update the embedded jsonpp implementation to 0.10.6 [#975] [#982]
  • Reduce inactive container scan time from 20 minutes to 30 seconds [#985]
  • Added the ability to parse and represent RAW sockets [#991]
  • Handle finit_module syscall [#996] [#1001]
  • Add error message when scap_open() is called with incorrect mode [#997]
  • Use explicit versions for all Docker API Endpoints [#1000]
  • Report more detailed errors when PPM_IOCTL_GET_N_TRACEPOINT_HIT fails [#1016]
  • Update zlib/openssl/curl dependencies to ones that have security vulnerability fixes [#1030]
  • Add support for bpf/seccomp syscalls [#1031] [#1033]
  • When trying to build the kernel module using dkms fails, include dkms.log output along with the failure [#1038]

Bug Fixes

  • Properly remove /dev/sysdig* devices on older kernels [#888]
  • Properly set protocol for sockets used for listen() [#949]
  • Make the check for identifying a container as mesos more strict [#955]
  • Use insmod instead of modprobe to load dkms kernel module [#956]
  • Fix typos/spelling mistakes [#968] [#1024]
  • Fix bugs found by PVS-studio [#972]
  • Add validation to value of SYSDIG_HOST_ROOT environment variable [#984]
  • Add additional validation to contents of K8s auth string [#989]
  • Ensure all extracted filtercheck values have lengths [#993]
  • Fix a bug that could cause mesos json responses to be improperly truncated [#994]
  • Fixed get_env() to handle spaces properly and to only return exact matches. [#1004]
  • Fix a race condition that could cause a crash during non-blocking dns lookups [#1012]
  • Add libelf as a dependency, which prevents failures when sysdig is loaded by kernels using CONFIG_STACK_VALIDATION/CONFIG_ORC_UNWINDER [#1018]
  • Fix AT_FDCWD 32-bit syscall decoding [#1025]
  • Fix driver load problems with kernels that disable page fault tracepoints [#1034]
  • Properly exit when reading truncated trace files with csysdig [#1037]
  • Handle null return from sinsp_evt::get_thread_info() [#1039]
  • Fix a memory leak when summarizing events by system call [#1042]
  • Fix a crash caused when specifying a k8s api server but no certificate [#1045]

0.19.1

05 Oct 13:52

Bug fixes

  • Fix a compilation issue on old versions of kernels 2.6.32 shipped by RHEL/CentOS