0.26.0

New features

• Perform docker metadata fetches asynchronously: When new containers are discovered, fetch metadata about the container asynchronously, which should significantly reduce the likelihood of dropped system call events. [#1326] [#1378] [#1374] [#1381] [#1373] [#1382] [#1388] [#1389] [#1384] [#1392] [#1396] [#1411]
• Add field to display time in ISO 8601 UTC [#1317] [#1360]
• Performance improvements of ring buffer processing [#1372]
• Support major/minor device numbers for fd events [#1315] #1383]
• Add the ability to prepend encoded log severity in the log message [#1327]
• Raise the iov limit in eBPF [#1390]
• Changes to pull user event logging out into a separate component. [#1375]
• Log a debug message when looking up an IP address of an incomplete container [#1398]
• Support cri-o container metadata caching [#1399]
• Logging API with lazy parameter evaluation [#1394]
• Support BPM container type [#1319]

Bug fixes

• Fix bug in fullcapture range check [#1386]
• Allow chisels to receive the full content of big buffers. [#1361]
• start the analyzer before forcing next for a scap file [#1366]
• Create a grpc_channel_registry for all channels [#1369]
• Modified the behavior of fullcapture port range [#1370]
• Check file before dereferencing [#1397]
• Fix build for older kernels (<3.9) [#1400]
• Added -fno-stack-protector to avoid clang errors [#1401]
• Addl loop prevention for traverse_parent_state [#1411]

Internal changes

• Add interfaces for async metrics collection [#1346]
• Use epel 7-11 (7-9 is no longer available) [#1362]
• Make some global variables related to fetching container state thread-local [#1356]
• Allow downloading prebuilt modules without SSL verification [#1358]
• add test helper to container manager. [#1365]
• Cleanup old docker images after building a new ebpf-probe-builder [#1367]
• valgrind clean for analyzer end to end test [#1387]
• flush flags change to new namespace, add code enabling easy use of sinsp_threadinfo in std::set/map [#1395]
• add friend class for unit testing [#1406]

0.25

New features

• Support Linux 5.0
  • Redefine asm_volatile_goto needed for 5.0 kernels (#1332)
  • Update for change to access_ok in Linux 5.0 (#1302)
• CRI container runtime support
  • runtimeSpec.linux returned by containerd is an object, not an array (#1343)
  • Fix gRPC build with gcc 7 (#1322)
  • CRI-O container support (#1310)
  • Fix check for Docker pause containers [SMAGENT-1305] (#1306)
  • Detect CRI pod sandbox containers (#1297)
  • Container Runtime Interface support (#1277)
• Prebuilt probes
  • Prebuild minikube kernel modules (#1294)
  • Build probe modification to include Fedora-Atomic. [SMAGENT-1251] (#1293)

Bug fixes

• Fix for newer versions of LXC not being detected (#1345)
• Build fixes
  • [SMAGENT-1433] pull legacy GCC artifacts from local cache as debian no longer supports (#1342)
  • Use TBB_INCLUDE_DIR for consistency w/ falco agent (#1329)
  • SMAGENT-1297: Rebuild gcc-plugins before building kernel module (#1305)
  • Modified BPF probe builder (#1301)
• Stability fixes
  • Call set*ent() before reading the user/group NSS database (#1341)
  • Properly initialize default settings for tracers (#1339)
  • Fix bpf ptrace filler (#1338)
  • Fix potential memory leak in libelf (#1337)
  • Fix case where fclose could be called twice. (#1330)
  • Handle mmap failure gracefully (#1324)

Internal changes

• Add stream event details in csysdig output (#1335)
• SMAGENT-1400: Make sinsp_logger thread-safe (#1333)
• Never drop socket syscalls to ensure we have fdinfo for subsequent binds. SMAGENT-1270 (#1312)
• Infer fd info for sendto system call [SMAGENT-1282] (#1304)
• Async framework base [SMAGENT-1247] (#1303)
• Handle events for unknown threads after scap start [SMAGENT-1082] (#1296)
• Add ability to print filtercheck field names only (#1288)

0.24.2

New Features

• Added the ability to specify a set of ports where data is captured with bigger snaplen (20000) (#1256)

Bug Fixes

• Made fd resolution work for getsockopt (#1280)
• Check getsockopt event before accessing it (#1284)
• Fixed snprintf placeholder for size_t/{u,}int64_t (#1279)
• Disabled reading environment from /proc by default (#1272)
• Excluding suppressed processes during initial /proc scan (#1269)
• Fixed Windows build in CYGWIN environment (#1270)
• Changes to eliminate warnings with gcc 5.4 (#1271)
• Trigger build errors for extra compiler warnings (#1265)
• Handling thread table overflows (#1263)
• Deleted threadinfos that we failed to add to the thread table (#1260)
• Reduce CPU usage (#1261)
• Lua parser interfaces (#1254)
• Fixed a compile issue when trying to make the project using VS2017 on Windows 10 (#1248)
• Added ifdef guards to socket options with (#1257),(#1258)
• Improved getsockopt()/setsockopt() support (#1188)
• Fix fd.net comparisons with in operator (#1252)
• Only check out sysdig for initial invocation (#1251)
• Build probe modules only with sysdig directory (#1244)
• Fixed spelling and copy/pased comment errors (#1250)

0.24.1

Bug Fixes

• Fix struct packing[#1246]

0.24.0

New Features

• Switch to Apache 2.0 License: All userspace code moves from GPL to Apache 2 license. Kernel module switches to dual-license MIT + GPLv2. Enjoy! [#1233] [#1242]
• Complete IPv6 Support. Sysdig previously had partial IPv6 support, but this release rounds out full support for ipv6 addresses in filter fields, csysdig, etc. [#1204]
• loginuid support. Add user.loginuid & user.loginname to track login users, which do not change despite sudo/su operations. [#1189] [#1214] [#1218] [#1219] [#1227]
• Track connections by domain name: New fields fd.*ip.name allow matching connection ips with resolved domain names. [#1213]
• Add endswith filter to support suffix matching on strings [#1209]
• Add minikube support to the kernel module probe loader script [#1205]
• Improve error string return handling at startup/when reading capture files [#1215]
• Disable boot2docker kernel module builds for pre-built kernel modules [#1232]
• eBPF Support Improvements/Fixes [#1235] [#1236] [#1237] [#1239]

Bug Fixes

• Improve/fix windows build [#1242]
• Don't drop setns events when in dropping mode [#1198]
• At startup, wait a bit for an existing sysdig-probe module to be unloaded before loading a new one [#1201]
• Support extracting container metadata for containers spawned with just an image id and not an image name [#1207]
• Properly extract image metadata when the image contains a host:port component [#1206]
• Minor compilation bug fixes [#1212]
• Small packaging fixes [#1228] [#1229] [#1231]
• Fix an inconsistency when writing capture files containing unknown fds [#1234]

0.23.1

New Features

• Update curl dependency to 7.61 [#1196]

Bug Fixes

• Fix ia32 check on BPF for 4.14 and 4.15 kernels
• Adjust wrong events lengths when reading older captures [#1195]

0.23.0

New Features

• More flexible captures: the flexibility of the capture format/reading process has been improved to allow backward and forward-compatibility [#1163]
• Support logging elapsed time on tracers [#1186]

Bug Fixes

• Fixes on custom containers support [#1170]
• Avoid invalid free() calls around m_suppressed_pointers [#1184]
• Properly set the address list total length when reading a capture [#1185]

0.22.1

Bug fixes

• Ensure that the /lib/modules symlink is properly set for the docker image [#1177]
• Improve kernel module compatibility with fedora atomic kernels [#1172] [#1173]
• Small improvements to pre-built kernel modules [#1180]
• Fix a problem that caused the kernel module to not load on certain kernel versions [#1182]

0.22.0

Highlight

eBPF support for sysdig

New features

• eBPF support for sysdig: eBPF as the instrumentation backend in kernel space (beta)
  [#1110] [#1115] [#1116] [#1117] [#1122] [#1124] [#1125] [#1128] [#1132] [#1134] [#1145]
• Parsing an argument passed to sysdig-probe-loader as a custom URL for the kernel module like -e SYSDIG_PROBE_URL=http://54.183.253.176:52354 [#1085]
• Several changes to expand the set of events that are skipped by falco, and to centralize the logic for knowing which events to skip [#1105]
• Improved proc lookup in libsinsp [#1107] [#1110] [#1112]
• Improved performance [#1126] [#1120] [#1121] [#1137]
• In dropping mode, drop events that don't change system state [#1123]
• Introduce non-STL thread table API [#1142]
• Add the ability to ignore events by process name (comm). At the scap level, ignoring is by tid. At the sinsp level, as threads are added/removed from the thread table the comm is checked against a set of comms and if found the tid is added to the scap-level ignore hash table [#1139]
• The container_manager can now receive callbacks to call when a new container is detected or an inactive one is removed [#1133]
• Add support for adding custom container types alongside Docker etc (on sinsp level) [#1149]
  Parse and store three new container_info fields: repository, tag and digest [#1127]
• Skip proc scan in sinsp_dumper w/ threads_from_sinsp=true [#1164]
• Allow k8s filterchecks with analyzer [#1160]
• When creating the sysdig docker image, add the ability to directly set the sysdig version via the environment variable SYSDIG_VERSION [#1166]

Bug fixes

• Enable SME on userspace mappings [#1096]
• Falco might read a trace file containing older events. These events shouldn't be skipped simply because a newer version of the event exists [#1106]
• Get setpgid() handling working when the caller is in a pid namespace [#1080]
• Fix cwd initialization from non main thread forks [#1087]
• Fix netmask: Faster filter processing on PT_IPV4NET [#1091]
• Fix evt.abspath filter parsing: Don't compare the filter name against the whole string [#1093]
• Allow fd.port to be used with in operator [#1101]
• Allow evttype filters to work with syscalls [#1100]
• Preserve order between catchall & other filters [#1103]
• Detect tracer fds that were created before sysdig starts up [#1113]
• Write trailing newlines immediately even in JSON mode [#876]
• Fix for Linux 4.17 socket ops->getname API change [#1161]
• http_code type should be long not int [#1159]
• Replace the raw pointer with a weak_ptr that will become NULL when the parent threadinfo goes out of scope [#1143]
• string_to_cmpop is used in the lua api callbacks for parsing filters [#1153]
• gcc-7 requires to use std::function [#1158]
• Sanity check ptid/comm pointers [#115]
• Fix a malformed URL that was causing a 301 from the docker daemon; get docker image tag from images endpoint [#1174]
• Fix wrong handling of old docker versions [#1175]
• Several changes to update the flags used for filterchecks to make them accurately reflect how they can be used [#1109]
• Make sure the agent compiles under cygwin [#1119]

Misc

• Kernel module build script updates [#1094] [#1095] [#1098] [#1129] [#1130] [#1147] [#1162]
• travis: remove test without bundled deps [#1144]
• Reformat license text so that github recognizes it [#1104]

0.21.0

New Features

• Track Versioning in Capture Files: With this release, we will increment the pcap major/minor version in capture files when a release adds new event types, additional event fields, etc. that are incompatible with earlier sysdig versions. [#1081] [#1084]
• Add s390x as a platform using Docker [#1029]
• When saving container information, also store certain mesos-related environment information associated with the first process in the container [#1021] [#1057]
• New filtercheck fd.connected returns whether or not a network connection file descriptor is actually bound to a remote endpoint. Think of udp sockets that only use sendto() vs udp sockets that use connect() and then send(), or tcp sockets that have been created but not connect()ed yet. [#1051]
• New filtercheck fd.name_changed is true when an event changes the connection information for a connection fd. This can occur in some cases such as udp connections where a connect() changes the connection information for a fd.
• Make the thread table size configurable via sinsp::set_max_thread_table_size() [#1056]
• Add support for new AWS Linux 2 AMI [#1058]
• Add process group id to execve events [#1044] [#1080]
• Improved windows support [#1063] [#1069]
• Use gcc 5 by default to compile properly on Ubuntu Xenial, remove gcc 4.9 [#1067]
• Expand the set of system calls returned by the driver when in dropping mode [#1075]
• Handle AT_FDCWD arguments to linkat, openat, etc. and resolve the path relative to the cwd [#1020]
• Update fetching kernel sources for recent Debian releases [#1083]

Bug Fixes

• When used with Falco, Allow "in" operator to work with non-string values [#1049] [#1073] [#1072]
• Make sure inspector does not dereference scap handle until initialization is complete [#1048]
• When extracting fields from a formatted filtercheck string, handle cases where the filtercheck includes array indexing like proc.aname[2] [#1047]
• Fix incorrect assignment of client/server role for UDP sockets that initially do a recvfrom() followed by a later connect() [#1053]
• Cleanups to c++ friend usage [#1066]
• Fix bugs when matching fd.*net filterchecks, change them to filter only (e.g. not printable) [#1070]
• Improve handling of socket/bind events to set protocol/role [#1071]
• Fix fd.directory filtercheck for short paths like /file [#1074]
• Small improvements/fixes to various fs-related syscalls [#1076]