[CWS] handle runc CLONE_INTO_CGROUP to fix cgroup ID propagation#47796
Open
[CWS] handle runc CLONE_INTO_CGROUP to fix cgroup ID propagation#47796
Conversation
safchain
added
changelog/no-changelog
safchain
changed the title
github-actions
bot
added
the
short review
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1674767a08
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Comment on lines
781
to
784
| struct proc_cache_t *parent_pc = get_proc_from_cookie(parent_cookie); | ||
| if (parent_pc) { | ||
| parent_inode = parent_pc->entry.executable.path_key.ino; | ||
|
|
||
| // inherit the parent cgroup context | ||
| fill_cgroup_context(parent_pc, &pc.cgroup); | ||
| } |
There was a problem hiding this comment.
Removing cgroup inheritance here means send_exec_event now always writes a new proc_cache entry with an empty cgroup, because pc is initialized with .cgroup = {} and never populated before bpf_map_update_elem. Userspace fallback fixes the exec event payload, but it does not repopulate kernel proc_cache (the resolver’s UpdateProcessContexts only updates in-memory Go structs), so kernel-side cgroup consumers lose context after exec; for example raw_syscalls/sys_enter profile lookup by event.cgroup.cgroup_file.ino and activity-dump cgroup tracing via should_trace_new_process_cgroup(..., &pc->cgroup) will stop matching for those processes.
Useful? React with 👍 / 👎.
Contributor
Files inventory check summaryFile checks results against ancestor 377ebbd5: Results for datadog-agent_7.78.0~devel.git.542.a1c7dcd.pipeline.102428884-1_amd64.deb:No change detected |
Contributor
Static quality checks✅ Please find below the results from static quality gates Successful checksInfo
16 successful checks with minimal change (< 2 KiB)
On-wire sizes (compressed)
|
Regression DetectorRegression Detector ResultsMetrics dashboard Baseline: 377ebbd Optimization Goals: ✅ No significant changes detected
|
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | docker_containers_cpu | % cpu utilization | -3.68 | [-6.61, -0.74] | 1 | Logs |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | quality_gate_logs | % cpu utilization | +1.75 | [+0.18, +3.33] | 1 | Logs bounds checks dashboard |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | +1.00 | [+0.85, +1.15] | 1 | Logs |
| ➖ | ddot_logs | memory utilization | +0.32 | [+0.25, +0.39] | 1 | Logs |
| ➖ | uds_dogstatsd_20mb_12k_contexts_20_senders | memory utilization | +0.24 | [+0.18, +0.30] | 1 | Logs |
| ➖ | ddot_metrics | memory utilization | +0.20 | [+0.03, +0.38] | 1 | Logs |
| ➖ | file_tree | memory utilization | +0.15 | [+0.09, +0.21] | 1 | Logs |
| ➖ | quality_gate_idle_all_features | memory utilization | +0.11 | [+0.08, +0.15] | 1 | Logs bounds checks dashboard |
| ➖ | otlp_ingest_metrics | memory utilization | +0.08 | [-0.08, +0.24] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api_v3 | ingress throughput | +0.00 | [-0.18, +0.19] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api | ingress throughput | -0.01 | [-0.20, +0.18] | 1 | Logs |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | -0.01 | [-0.11, +0.10] | 1 | Logs |
| ➖ | file_to_blackhole_1000ms_latency | egress throughput | -0.01 | [-0.45, +0.43] | 1 | Logs |
| ➖ | file_to_blackhole_0ms_latency | egress throughput | -0.02 | [-0.53, +0.49] | 1 | Logs |
| ➖ | file_to_blackhole_100ms_latency | egress throughput | -0.04 | [-0.13, +0.04] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulativetodelta_exporter | memory utilization | -0.07 | [-0.30, +0.15] | 1 | Logs |
| ➖ | file_to_blackhole_500ms_latency | egress throughput | -0.11 | [-0.51, +0.30] | 1 | Logs |
| ➖ | docker_containers_memory | memory utilization | -0.11 | [-0.18, -0.04] | 1 | Logs |
| ➖ | quality_gate_metrics_logs | memory utilization | -0.14 | [-0.38, +0.09] | 1 | Logs bounds checks dashboard |
| ➖ | ddot_metrics_sum_delta | memory utilization | -0.15 | [-0.32, +0.01] | 1 | Logs |
| ➖ | quality_gate_idle | memory utilization | -0.41 | [-0.46, -0.36] | 1 | Logs bounds checks dashboard |
| ➖ | otlp_ingest_logs | memory utilization | -0.42 | [-0.52, -0.32] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulative | memory utilization | -0.44 | [-0.58, -0.30] | 1 | Logs |
| ➖ | docker_containers_cpu | % cpu utilization | -3.68 | [-6.61, -0.74] | 1 | Logs |
Bounds Checks: ✅ Passed
| perf | experiment | bounds_check_name | replicates_passed | observed_value | links |
|---|---|---|---|---|---|
| ✅ | docker_containers_cpu | simple_check_run | 10/10 | 528 ≥ 26 | |
| ✅ | docker_containers_memory | memory_usage | 10/10 | 277.91MiB ≤ 370MiB | |
| ✅ | docker_containers_memory | simple_check_run | 10/10 | 709 ≥ 26 | |
| ✅ | file_to_blackhole_0ms_latency | memory_usage | 10/10 | 0.19GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_0ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | 0.23GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_1000ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_100ms_latency | memory_usage | 10/10 | 0.19GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_100ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_500ms_latency | memory_usage | 10/10 | 0.21GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_500ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | quality_gate_idle | intake_connections | 10/10 | 3 = 3 | bounds checks dashboard |
| ✅ | quality_gate_idle | memory_usage | 10/10 | 172.83MiB ≤ 175MiB | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | intake_connections | 10/10 | 3 = 3 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | memory_usage | 10/10 | 488.66MiB ≤ 550MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | intake_connections | 10/10 | 4 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_logs | memory_usage | 10/10 | 202.56MiB ≤ 220MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | cpu_usage | 10/10 | 347.69 ≤ 2000 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | intake_connections | 10/10 | 3 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | memory_usage | 10/10 | 405.27MiB ≤ 475MiB | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
CI Pass/Fail Decision
✅ Passed. All Quality Gates passed.
- quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
Contributor
eBPF complexity changesSummary result: ❔ - needs attention
runtime_security detailsruntime_security [programs with changes]
runtime_security [programs without changes]
runtime_security_fentry detailsruntime_security_fentry [programs with changes]
runtime_security_fentry [programs without changes]
runtime_security_syscall_wrapper detailsruntime_security_syscall_wrapper [programs with changes]
runtime_security_syscall_wrapper [programs without changes]
This report was generated based on the complexity data for the current branch safchain/fix-cgroup-write (pipeline 102428884, commit a1c7dcd) and the base branch main (commit 377ebbd). Objects without changes are not reported. Contact #ebpf-platform if you have any questions/feedback. Table complexity legend: 🔵 - new; ⚪ - unchanged; 🟢 - reduced; 🔴 - increased |
spikat
approved these changes
Mar 13, 2026
lebauce
approved these changes
Mar 13, 2026
safchain
force-pushed
the
safchain/fix-cgroup-write
branch
from
1674767 to
a1c7dcd
Compare
github-actions
bot
added
long review
hestonhoffman
approved these changes
Mar 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Recent versions of runc use clone3(2) with CLONE_INTO_CGROUP when available, placing new container processes directly into the target cgroup at spawn time without writing the PID to cgroup.procs. This eliminates the CgroupWriteEventType event that the security agent was relying on to propagate cgroup context to newly created processes, causing incorrect cgroup ID assignment.
Remove the parent cgroup inheritance via fill_cgroup_context during exec event handling. Instead, an empty CGroupContext is passed when inserting the exec entry, which causes the cgroup resolver to fall back to procfs (/proc//cgroup) to resolve the correct cgroup ID. Also inline copy_proc_cache into its single call site in trace__cgroup_write.
runc reference: opencontainers/runc@5af4dd4
What does this PR do?
Motivation
Describe how you validated your changes
Additional Notes