add filtering for systemd system services

Author: def

containers/registry.go

@@ -373,6 +373,14 @@ func (r *Registry) getOrCreateContainer(pid uint32) *Container {
 		r.containersByPidIgnored[pid] = &t
 		return nil
 	}
+	if cg.ContainerType == cgroup.ContainerTypeSystemdService && *flags.SkipSystemdSystemServices {
+		if md.systemd.IsSystemService() {
+			klog.InfoS("skipping system service", "id", id, "unit", md.systemd.Unit, "type", md.systemd.Type, "triggered_by", md.systemd.TriggeredBy, "pid", pid)
+			t := time.Now()
+			r.containersByPidIgnored[pid] = &t
+			return nil
+		}
+	}
 
 	if c := r.containersById[id]; c != nil {
 		klog.Warningln("id conflict:", id)

containers/systemd.go

@@ -18,6 +18,23 @@ import (
 var (
 	dbusConn    *dbus.Conn
 	dbusTimeout = time.Second
+
+	systemServicePrefixes = []string{
+		"systemd-",
+		"dbus",
+		"getty",
+		"system-serial",
+		"system-getty",
+		"serial-getty",
+		"snapd",
+		"packagekit",
+		"unattended-upgrades",
+		"multipathd",
+		"qemu-guest-agent",
+		"irqbalance",
+		"networkd-dispatcher",
+		"rpcbind",
+	}
 )
 
 func init() {
@@ -40,6 +57,7 @@ func init() {
 }
 
 type SystemdProperties struct {
+	Unit        string
 	TriggeredBy string
 	Type        string
 }
@@ -48,6 +66,22 @@ func (sp SystemdProperties) IsEmpty() bool {
 	return sp.TriggeredBy == "" && sp.Type == ""
 }
 
+func (sp SystemdProperties) IsSystemService() bool {
+	switch sp.Type {
+	case "oneshot", "dbus":
+		return true
+	}
+	if strings.HasSuffix(sp.TriggeredBy, ".timer") {
+		return true
+	}
+	for _, prefix := range systemServicePrefixes {
+		if strings.HasPrefix(sp.Unit, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
 func getSystemdProperties(id string) SystemdProperties {
 	props := SystemdProperties{}
 	if dbusConn == nil {
@@ -57,6 +91,7 @@ func getSystemdProperties(id string) SystemdProperties {
 	defer cancel()
 	parts := strings.Split(id, "/")
 	unit := parts[len(parts)-1]
+	props.Unit = unit
 	properties, err := dbusConn.GetAllPropertiesContext(ctx, unit)
 	if err != nil {
 		klog.Warningln("failed to get systemd properties:", err)

flags/flags.go

@@ -18,6 +18,8 @@ var (
 	ContainerAllowlist = kingpin.Flag("container-allowlist", "List of allowed containers (regex patterns)").Envar("CONTAINER_ALLOWLIST").Strings()
 	ContainerDenylist  = kingpin.Flag("container-denylist", "List of denied containers (regex patterns)").Envar("CONTAINER_DENYLIST").Strings()
 
+	SkipSystemdSystemServices = kingpin.Flag("skip-systemd-system-services", "Skip well-known systemd system services (apt, motd, udev, etc.)").Default("true").Envar("SKIP_SYSTEMD_SYSTEM_SERVICES").Bool()
+
 	ExcludeHTTPMetricsByPath = kingpin.Flag("exclude-http-requests-by-path", "Skip HTTP metrics and traces by path").Envar("EXCLUDE_HTTP_REQUESTS_BY_PATH").Strings()
 
 	ExternalNetworksWhitelist = kingpin.

proc/fd.go

@@ -34,7 +34,7 @@ func ReadFds(pid uint32) ([]Fd, error) {
 		}
 		dest, err := os.Readlink(path.Join(fdDir, entry.Name()))
 		if err != nil {
-			if os.IsNotExist(err) {
+			if !os.IsNotExist(err) {
 				klog.Warningf("failed to read link '%s': %s", entry.Name(), err)
 			}
 			continue