0.22.0

Highlight

eBPF support for sysdig

New features

• eBPF support for sysdig: eBPF as the instrumentation backend in kernel space (beta)
  [#1110] [#1115] [#1116] [#1117] [#1122] [#1124] [#1125] [#1128] [#1132] [#1134] [#1145]
• Parsing an argument passed to sysdig-probe-loader as a custom URL for the kernel module like -e SYSDIG_PROBE_URL=http://54.183.253.176:52354 [#1085]
• Several changes to expand the set of events that are skipped by falco, and to centralize the logic for knowing which events to skip [#1105]
• Improved proc lookup in libsinsp [#1107] [#1110] [#1112]
• Improved performance [#1126] [#1120] [#1121] [#1137]
• In dropping mode, drop events that don't change system state [#1123]
• Introduce non-STL thread table API [#1142]
• Add the ability to ignore events by process name (comm). At the scap level, ignoring is by tid. At the sinsp level, as threads are added/removed from the thread table the comm is checked against a set of comms and if found the tid is added to the scap-level ignore hash table [#1139]
• The container_manager can now receive callbacks to call when a new container is detected or an inactive one is removed [#1133]
• Add support for adding custom container types alongside Docker etc (on sinsp level) [#1149]
  Parse and store three new container_info fields: repository, tag and digest [#1127]
• Skip proc scan in sinsp_dumper w/ threads_from_sinsp=true [#1164]
• Allow k8s filterchecks with analyzer [#1160]
• When creating the sysdig docker image, add the ability to directly set the sysdig version via the environment variable SYSDIG_VERSION [#1166]

Bug fixes

• Enable SME on userspace mappings [#1096]
• Falco might read a trace file containing older events. These events shouldn't be skipped simply because a newer version of the event exists [#1106]
• Get setpgid() handling working when the caller is in a pid namespace [#1080]
• Fix cwd initialization from non main thread forks [#1087]
• Fix netmask: Faster filter processing on PT_IPV4NET [#1091]
• Fix evt.abspath filter parsing: Don't compare the filter name against the whole string [#1093]
• Allow fd.port to be used with in operator [#1101]
• Allow evttype filters to work with syscalls [#1100]
• Preserve order between catchall & other filters [#1103]
• Detect tracer fds that were created before sysdig starts up [#1113]
• Write trailing newlines immediately even in JSON mode [#876]
• Fix for Linux 4.17 socket ops->getname API change [#1161]
• http_code type should be long not int [#1159]
• Replace the raw pointer with a weak_ptr that will become NULL when the parent threadinfo goes out of scope [#1143]
• string_to_cmpop is used in the lua api callbacks for parsing filters [#1153]
• gcc-7 requires to use std::function [#1158]
• Sanity check ptid/comm pointers [#115]
• Fix a malformed URL that was causing a 301 from the docker daemon; get docker image tag from images endpoint [#1174]
• Fix wrong handling of old docker versions [#1175]
• Several changes to update the flags used for filterchecks to make them accurately reflect how they can be used [#1109]
• Make sure the agent compiles under cygwin [#1119]

Misc

• Kernel module build script updates [#1094] [#1095] [#1098] [#1129] [#1130] [#1147] [#1162]
• travis: remove test without bundled deps [#1144]
• Reformat license text so that github recognizes it [#1104]

0.21.0

New Features

• Track Versioning in Capture Files: With this release, we will increment the pcap major/minor version in capture files when a release adds new event types, additional event fields, etc. that are incompatible with earlier sysdig versions. [#1081] [#1084]
• Add s390x as a platform using Docker [#1029]
• When saving container information, also store certain mesos-related environment information associated with the first process in the container [#1021] [#1057]
• New filtercheck fd.connected returns whether or not a network connection file descriptor is actually bound to a remote endpoint. Think of udp sockets that only use sendto() vs udp sockets that use connect() and then send(), or tcp sockets that have been created but not connect()ed yet. [#1051]
• New filtercheck fd.name_changed is true when an event changes the connection information for a connection fd. This can occur in some cases such as udp connections where a connect() changes the connection information for a fd.
• Make the thread table size configurable via sinsp::set_max_thread_table_size() [#1056]
• Add support for new AWS Linux 2 AMI [#1058]
• Add process group id to execve events [#1044] [#1080]
• Improved windows support [#1063] [#1069]
• Use gcc 5 by default to compile properly on Ubuntu Xenial, remove gcc 4.9 [#1067]
• Expand the set of system calls returned by the driver when in dropping mode [#1075]
• Handle AT_FDCWD arguments to linkat, openat, etc. and resolve the path relative to the cwd [#1020]
• Update fetching kernel sources for recent Debian releases [#1083]

Bug Fixes

• When used with Falco, Allow "in" operator to work with non-string values [#1049] [#1073] [#1072]
• Make sure inspector does not dereference scap handle until initialization is complete [#1048]
• When extracting fields from a formatted filtercheck string, handle cases where the filtercheck includes array indexing like proc.aname[2] [#1047]
• Fix incorrect assignment of client/server role for UDP sockets that initially do a recvfrom() followed by a later connect() [#1053]
• Cleanups to c++ friend usage [#1066]
• Fix bugs when matching fd.*net filterchecks, change them to filter only (e.g. not printable) [#1070]
• Improve handling of socket/bind events to set protocol/role [#1071]
• Fix fd.directory filtercheck for short paths like /file [#1074]
• Small improvements/fixes to various fs-related syscalls [#1076]

0.20.0

New Features

• Use dithered boxes to increase the number of available colors for spectrogram/subsecoffset views [#961] [#963] [#966]
• Add the ability to log json parse errors to a separate log file [#975] [#981] [#990]
• Update the embedded jsonpp implementation to 0.10.6 [#975] [#982]
• Reduce inactive container scan time from 20 minutes to 30 seconds [#985]
• Added the ability to parse and represent RAW sockets [#991]
• Handle finit_module syscall [#996] [#1001]
• Add error message when scap_open() is called with incorrect mode [#997]
• Use explicit versions for all Docker API Endpoints [#1000]
• Report more detailed errors when PPM_IOCTL_GET_N_TRACEPOINT_HIT fails [#1016]
• Update zlib/openssl/curl dependencies to ones that have security vulnerability fixes [#1030]
• Add support for bpf/seccomp syscalls [#1031] [#1033]
• When trying to build the kernel module using dkms fails, include dkms.log output along with the failure [#1038]

Bug Fixes

• Properly remove /dev/sysdig* devices on older kernels [#888]
• Properly set protocol for sockets used for listen() [#949]
• Make the check for identifying a container as mesos more strict [#955]
• Use insmod instead of modprobe to load dkms kernel module [#956]
• Fix typos/spelling mistakes [#968] [#1024]
• Fix bugs found by PVS-studio [#972]
• Add validation to value of SYSDIG_HOST_ROOT environment variable [#984]
• Add additional validation to contents of K8s auth string [#989]
• Ensure all extracted filtercheck values have lengths [#993]
• Fix a bug that could cause mesos json responses to be improperly truncated [#994]
• Fixed get_env() to handle spaces properly and to only return exact matches. [#1004]
• Fix a race condition that could cause a crash during non-blocking dns lookups [#1012]
• Add libelf as a dependency which prevents failures when sysdig is loaded by kernels using CONFIG_STACK_VALIDATION/CONFIG_ORC_UNWINDER [#1018]
• Fix AT_FDCWD 32-bit syscall decoding [#1025]
• Fix driver load problems with kernels that disable page fault tracepoints [#1034]
• Properly exit when reading truncated trace files with csysdig [#1037]
• Handle null return from sinsp_evt::get_thread_info() [#1039]
• Fix a memory leak when summarizing events by system call [#1042]
• Fix a crash caused when specifying a k8s api server but no certificate [#1045]

0.19.1

Bug fixes

• Fix a compilation issue on old versions of kernels 2.6.32 shipped by RHEL/CentOS

0.19.0

New features

• Add per-cpu counters when a tracepoint is hit [#947]

Bug fixes

• mq_unlink syscall reports as ptrace [#927]
• Fixed copy-paste typo [#946]
• expose the event masking/unmasking mechanism at the inspector level [#951]
• Fix targetViewFilter for "Accessed Files" in wsysdig_summary chisel [#952]
• Various improvements and fixes for Sysdig Inspect

0.18.0

New features

• Changed language of CLA to also cover government contributions [#902]
• Support mapped container docker networking mode, currently used by k8s pods [#922]
• Allow an external event capture dumper object to be used together with an inspector object [#912]
• Handle reading large execve args/env that might otherwise cause a page fault [#920]
• Add container events (container start/stop/etc) to capture files. In the future, will also be used for orchestrator information. [#935]
• Add the executable path as a filterable/displayable item proc.exepath [#845] [#934]
• Small README changes [#936]
• Support additional flags to clone() syscall [#909]
• Support page faults as events [#904]
• Support for upcoming visualization product [#931]

Bug fixes

• Compilation fixes for sysdig monitor agent [#942]
• Fix minor problems found by valgrind [#938]
• Fix crash when reading large messages from docker daemon [#932]
• Better cleanup of failed installation of the sysdig driver under coreos [#926]
• Ensure that a parent's ptid is set when an execve fills in information on a new process [#914]
• Fix IN operator so it works with non-string values [#913]
• fix compile errors with newer versions of libcurl [#895] [#911]
• fix compile errors when O_DIRECTORY not defined [#907]
• Use session id, not process group id, for proc.sid [#904] [#905]
• Small docs fixes related to container.mount.* [#901]
• Update installation script to use latest version of EPEL repository [#897]

0.17.0

New features

• Support netlink sockets [#809]

Bug fixes

• Fix a bug on cgroups parsing that prevented sysdig to start [#835]
• Allow sysdig to read k8s state from very large k8s environments [#856]
• Improve compatibility with older linux kernels [#889]
• Improve rkt detection by checking the existence of files into /var/lib/rkt [#893]

0.16.0

New features

• Support for Kernel 4.11
• sysdig -N is now the default option, server port decoding can be reenabled with -R
• Decode unshare syscall

Bug fixes

• Fix rkt detection for containers created before sysdig runs
• Fix container detection if docker itself is running inside a container
• Fix detection of lxc containers
• Fix compilation issues on RHEL5
• Fix memory leak on spy_users chisel

0.15.1

Bug fixes

• Fixed driver compilation issues on armv6l
• Fixes on Kubernetes support
• Regression on rkt detection #748
• Fixed high cpu usage when sysdig was used with -M parameter, #783
• Fixed a memory leak #772

0.15.0

New Features

• Support for Linux Kernel 4.10
• Use /proc/<pid>/status instead of custom ioctl to get process vpid for kernels >= 4.1

Bug fixes

• Various fixes on Kubernetes ingestion
• Fix some happening deadlocks in the driver when ioctl were exiting with error
• Fix mkdir and rmdir events, they were skipped in case of page faults
• Bugfix on topports_server chisel
• Avoid some cases of infinite loop when evaluating filters like proc.aname