
fix(plugins/container): use an unique ctx for fetcher. #758

Merged
poiana merged 1 commit into falcosecurity:main from FedeDP:fix/use_unique_ctx_fetcher
May 6, 2025

@FedeDP FedeDP commented May 6, 2025

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area plugins

What this PR does / why we need it:

Podman relies upon context to store its connection info. Using the same ctx already used by the real Podman engine means that we are going to tamper with its connection info stored in the main ctx.

Instead, fetcher should use its own context.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Podman relies upon context to store its connection infos.
Using same ctx already used by the real Podman engine means that
we are going to tamper with its connection info stored in the main ctx.

Instead, fetcher should use its own context.

Signed-off-by: Federico Di Pierro <nierro92@gmail.com>
@poiana poiana requested review from LucaGuerra and mstemm May 6, 2025 08:11
@poiana poiana added the size/S label May 6, 2025

FedeDP commented May 6, 2025

This was causing:

panic: runtime error: index out of range [32] with length 32

goroutine 76 [running]:
net/url.escape({"container.id":"08491c4650e1","container.image.repository":"","container.image.tag":"","container.name":"","evt.args":"res=3 exe=/http-echo args=-text=hello. tid=20832(http-echo) pid=20832(http-echo) ptid=20830(conmon) cwd=<NA> fdlimit=1048576 pgft_maj=0 pgft_min=148 vm_size=705624 vm_rss=3740 vm_swap=0 comm=http-echo cgroups=cpuset=/machine.slice/libpod-08491c4650e16a86717dbbdef22866b653cd38fa3cfaed91b7f9829d3b8765a7.scope/container.cpu=/machine.slice/libpod-08491c4650e16a86717dbbdef22866b653cd38fa3cfaed91b7f9829d3b8765a7.scope/container.cpuacct=/.io=/machine.slice/libpod-08491c4650e16a86717dbbdef22866b653cd38fa3cfaed91b7f9829d3b8765a7.scope/container.memory=/machine.slice/libpod-08491c4650e16a86717dbbdef22866b653cd38fa3cfaed91b7f9829d3b8765a7.scope/container.devices=/.freezer=/.net_cls=/.perf_event=/machine.slice/libpod-08491c4650e16a86717dbbdef22866b653cd38fa3cfaed91b7f9829d3b8765a7.scope/container.net_prio=/.hugetlb=/machine.slice/libpod-08491c4650e16a86717dbbdef22866b653cd38fa3cfaed91b7f9829d3b8765a7.scope/container.pids=/machine.slice/libpod-08491c4650e16a86717dbbdef22866b653cd38fa3cfaed91b7f9829d3b8765a7.scope/container.rdma=/machine.slice.misc=/machine.slice. flags=570472451(CLONE_FILES|CLONE_FS|CLONE_SIGHAND|CLONE_SYSVSEM|CLONE_THREAD|CLONE_VM|CLONE_SETTLS) uid=11 gid=100 vtid=1(systemd) vpid=1(systemd) pidns_init_start_ts=0","evt.category":"process","evt.type":"clone","group.gid":100,"group.name":"users","k8s.ns.name":"","k8s.pod.name":"","proc.cmdline":"http-echo -text=hello","proc.exe":"/http-echo","user.homedir":"/root","user.name":"operator","user.uid":11}
{0x7ffe5260ed60, 0xc}, 0x2)
	/usr/local/go/src/net/url/url.go:331 +0x335
net/url.PathEscape(...)
	/usr/local/go/src/net/url/url.go:283
github.com/containers/podman/v5/pkg/bindings.(*Connection).DoRequest(0xc000059620, {0x7f6d907600d8, 0xc000226690}, {0x0, 0x0}, {0x7f6d9016d3bf, 0x3}, {0x7f6d90181825, 0x13}, 0xc00025e960, ...)
	/go/pkg/mod/github.com/containers/podman/v5@v5.4.1/pkg/bindings/connection.go:393 +0x319
github.com/containers/podman/v5/pkg/bindings/containers.Inspect({0x7f6d907600d8, 0xc000226690}, {0x7ffe5260ed60, 0xc}, 0x0?)
	/go/pkg/mod/github.com/containers/podman/v5@v5.4.1/pkg/bindings/containers/containers.go:119 +0x146
github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/container.(*podmanEngine).get(0xc0000641a0, {0x7f6d90760110?, 0xc0000f4370?}, {0x7ffe5260ed60, 0xc})
	/__w/plugins/plugins/plugins/container/go-worker/pkg/container/podman.go:191 +0xb5
github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/container.(*fetcher).Listen.func1()
	/__w/plugins/plugins/plugins/container/go-worker/pkg/container/fetcher.go:78 +0x1a2
created by github.com/falcosecurity/plugins/plugins/container/go-worker/pkg/container.(*fetcher).Listen in goroutine 52
	/__w/plugins/plugins/plugins/container/go-worker/pkg/container/fetcher.go:65 +0xf5

panic("not a copier")
}
e, _ := copyEngine.copy(ctx)
e, _ := copyEngine.copy(f.ctx)
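
Review bot: the second return value of the copyEngine.copy(...) call is discarded with `_`, directly after the code panics on "not a copier", so a failed copy is handled less strictly than a failed type assertion. Assuming that value is an error (the signature is not visible in this hunk), `e` may be unusable when the copy cannot be set up on the context it is given, and the fetcher would only find out on first use. Consider binding it, as in `e, err := copyEngine.copy(f.ctx)`, and handling it next to the existing panic. A one-line comment above the call saying why the fetcher passes its own context (Podman embeds its Connection in the context it receives) would also keep a later refactor from reverting the argument.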

@FedeDP FedeDP May 6, 2025

In this call, podman will store into ctx its key/value for the connection, see https://github.com/falcosecurity/plugins/blob/main/plugins/container/go-worker/pkg/container/podman.go#L32 (and NewConnection behavior: https://github.com/containers/podman/blob/main/pkg/bindings/connection.go#L139).

From NewConnection doc:

// NewConnectionWithIdentity takes a URI as a string and returns a context with the
// Connection embedded as a value. This context needs to be passed to each
// endpoint to work correctly.


github-actions bot commented May 6, 2025

Rules files suggestions


poiana commented May 6, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: FedeDP, leogr

@poiana poiana merged commit a5840d1 into falcosecurity:main May 6, 2025
22 checks passed