0.29.1

This is a small bug fix release!

Bug Fixes

• Fix release-rpm job for release

0.29.0

New features

• Full Plugins support! With colored output formatting, because we know you love it!
• Podman support
• Introduced a versioning between libscap and kernel drivers, that will allow in the future to properly tag libs release and avoid rebuilding kernel drivers when their version is not changed.
• Integrated back ~4months worth of work on libs, on par with Falco 0.31.1 release
• New syscalls: mprotect, execveat, copy_file_range, clone3

Bug Fixes

• eBPF fixes
• Security fixes
• Fixed cgroups v2 support in libscap, a bug that prevented pre-existing containers (prior to running sysdig) to be matched with their processes
• Fixed some container events related issues

Plugins info

• Same plugins that are used for Falco can be used for sysdig
• cmd line options, examples:
• • Register any found plugin from supported system folders and use dummy as input source passing to it open params:

$ sysdig -I dummy:'{"start":1,"maxEvents":10}'

• • Load and register dummy source plugin passing to it init config and open params:

sysdig -H dummy:'{"jitter":50}' -I dummy:'{"start":1,"maxEvents":10}'

• Moreover, you can also load plugins using a Falco plugin configuration file, by passing the --plugin-config-file cmdline option ()
• The --help usage text was updated with new informations.

I hope you will enjoy this new Sysdig release as much as we loved bringing it to you!

0.28.0

New Features

This is the first Sysdig release to make full use of the Falco Libs since its donation to the CNCF in 2021.

• The full changeset includes many improvements and features which have been included in Falco for this year's releases.
• The release system has been modified and is now completely open source, based on GitHub actions
• The default Docker image is now based on UBI 8
• By default the event string formatting natively supports colors, in the same way Bash does via \e escape sequences and ANSI Escape Codes if supported by the terminal.

Bug Fixes

• Fixed compilation on MacOS: #1801
• Use "%s"-style format for printf()-style functions for ncurses #1810
• Fixed GIT_TAG for gtest #1815

Note: due to an issue in the release process, a functionally equivalent release was published earlier today but the repositories were not completely updated. Sorry for the inconvenience.

0.27.1

New features

• Support minimal build (no kubernetes, kernel module, eBPF, or container support): -DMINIMAL_BUILD=On
• Support static linking with musl on Alpine Linux: -DMUSL_OPTIMIZED_BUILD=On

Bug fixes

• Improve startup times on systems with lots of containers [#1676]
• Fix paths reported in *at events [#1680, #1695]
• Build fixes for eBPF with recent kernel [#1690]
• Fix Lua out of memory errors with large captures in Sysdig Inspect [#1694]

0.27.0

New features

• Userspace instrumentation support (#1636); see https://github.com/falcosecurity/pdig for more information
• renameat2 support
• Add new filter for open+create/create with exec permissions (#1637)
• Add parent pid to v_procs chisel (#1640)

Bug fixes

• Assorted build fixes (#1672, #1663 and more)

0.26.7

Bug fixes

• Fixed build error with kernels too old to support ktime_get_real (#1624)
• Fixed support for Fedora 32 and GCC 10 (#1620)
• Lowered cgroup limit size for ARM(#1622)
• Fixed compile errors on Linux 5.6 due to timespec/timeval (#1621)
• Changed timeout parameter for curl_multi_wait to avoid error return with libcurl >= 7.69.0 (#1616)
• Fixed return value checks for bpf_probe_read_str() (#1612)
• Fixed compile on Windows (#1604)

0.26.6

Bug fixes

• Rewrite the probe builder (#1576)
• Build fixes for 5.4+ kernels (#1595)
• Use Debian Stable as the base container image (#1605)
• All the fixes incorporated in 0.26.5 (that didn't get artifacts released for tooling reasons)

New features

• Support for s390x and ppc64le architectures

0.26.5

Bug fixes

• Fixed segfault that happens at startup (#1475, #1528)
• Fixed memory leaks from certain thread/socket operations (#1491)
• Fixed handling of SEND_SIG_NOINFO in the eBPF driver (#1493)
• Fixed a regression in reading certain partial container events from scap files (#1513)
• Updated use of Kubernetes APIs to support v1.16 (#1521)
• Fixed rare driver deadlock that could occur during a context switch (#1522)
• Fixed EPEL repo link in the install script (#1534)
• Added more detail to probe loader error message (#1541)

0.26.4

Bug fixes

• Fixed docker builds (#1492)

Internal changes

• Prevent double-definition of ASSERT macro (#1490)

0.26.3

New Features

• Added fillers for chmod syscalls (#1472)
• Added support for reporting cpu usage per docker cpuset (#1473)

Bug fixes

• Fixed build error on older Linux kernels (#1477)
• Fixed driver build for RHEL 7.7/4.13+ w/CONFIG_VIRT_CPU_ACCOUNTING_GEN (#1471)
• Fixed cmake to look for pkg-config before building grpc (#1470)
• Fixed printing of strings (#1466)
• readv input parsing improvements (#1463)

Internal changes

• Fixed comment about scap minor version (#1476)