Update Falco libs to 0.21.0

The latest version of Falco has a number of changes that are
incompatible with collector, biggest ones are:
- Removal of the container manager code in favor of a plugin.
- Major refactoring of sinsp.

In order to make collector compatible again, we had to drop the
ContainerEngine that we implemented in favor of a method in the event
extractor that will get the container id from the cgroups when it is
called. The ContainerMetadata is also essentially dead in the water,
since we can't get container metadata without the container plugin.

Filtering of events that used to happen in the inspector itself has been
moved into collector, since we can't filter events by container id
without the container engine.

Author: Molter73

collector/lib/ContainerEngine.h

@@ -11,28 +11,15 @@ ContainerMetadata::ContainerMetadata(sinsp* inspector) : event_extractor_(std::m
 }
 
 std::string ContainerMetadata::GetNamespace(sinsp_evt* event) {
-  const char* ns = event_extractor_->get_k8s_namespace(event);
-  return ns != nullptr ? ns : "";
+  return "";
 }
 
 std::string ContainerMetadata::GetNamespace(const std::string& container_id) {
   return GetContainerLabel(container_id, "io.kubernetes.pod.namespace");
 }
 
 std::string ContainerMetadata::GetContainerLabel(const std::string& container_id, const std::string& label) {
-  auto containers = inspector_->m_container_manager.get_containers();
-  const auto& container = containers->find(container_id);
-  if (container == containers->end()) {
-    return "";
-  }
-
-  const auto& labels = container->second->m_labels;
-  const auto& label_it = labels.find(label);
-  if (label_it == labels.end()) {
-    return "";
-  }
-
-  return label_it->second;
+  return "";
 }
 
-}  // namespace collector
+}  // namespace collector

collector/lib/ContainerMetadata.cpp

@@ -380,8 +380,8 @@ std::ostream& operator<<(std::ostream& os, const ContainerEndpoint& container_en
 class Connection {
  public:
   Connection() : flags_(0) {}
-  Connection(std::string container, const Endpoint& local, const Endpoint& remote, L4Proto l4proto, bool is_server)
-      : container_(std::move(container)), local_(local), remote_(remote), flags_((static_cast<uint8_t>(l4proto) << 1) | ((is_server) ? 1 : 0)) {}
+  Connection(std::string_view container, const Endpoint& local, const Endpoint& remote, L4Proto l4proto, bool is_server)
+      : container_(container), local_(local), remote_(remote), flags_((static_cast<uint8_t>(l4proto) << 1) | ((is_server) ? 1 : 0)) {}
 
   const std::string& container() const { return container_; }
   const Endpoint& local() const { return local_; }

collector/lib/NetworkConnection.h

@@ -133,7 +133,7 @@ std::optional<Connection> NetworkSignalHandler::GetConnection(sinsp_evt* evt) {
   const Endpoint* local = is_server ? &server : &client;
   const Endpoint* remote = is_server ? &client : &server;
 
-  const std::string* container_id = event_extractor_->get_container_id(evt);
+  auto container_id = event_extractor_->get_container_id(evt);
   if (!container_id) {
     return std::nullopt;
   }

collector/lib/NetworkSignalHandler.cpp

@@ -5,6 +5,7 @@
 #include <libsinsp/sinsp.h>
 
 #include "CollectorStats.h"
+#include "system-inspector/EventExtractor.h"
 #include "system-inspector/Service.h"
 
 namespace collector {
@@ -32,7 +33,10 @@ std::string Process::container_id() const {
   WaitForProcessInfo();
 
   if (system_inspector_threadinfo_) {
-    return system_inspector_threadinfo_->m_container_id;
+    auto container_id = system_inspector::EventExtractor::get_container_id(system_inspector_threadinfo_.get());
+    if (container_id) {
+      return std::string{*container_id};
+    }
   }
 
   return NOT_AVAILABLE;

collector/lib/Process.cpp

@@ -22,6 +22,8 @@ using LineageInfo = ProcessSignalFormatter::LineageInfo;
 using Timestamp = google::protobuf::Timestamp;
 using TimeUtil = google::protobuf::util::TimeUtil;
 
+using EventExtractor = system_inspector::EventExtractor;
+
 namespace {
 
 enum ProcessSignalType {
@@ -59,7 +61,7 @@ std::string extract_proc_args(sinsp_threadinfo* tinfo) {
 ProcessSignalFormatter::ProcessSignalFormatter(
     sinsp* inspector,
     const CollectorConfig& config) : event_names_(EventNames::GetInstance()),
-                                     event_extractor_(std::make_unique<system_inspector::EventExtractor>()),
+                                     event_extractor_(std::make_unique<EventExtractor>()),
                                      container_metadata_(inspector),
                                      config_(config) {
   event_extractor_->Init(inspector);
@@ -163,10 +165,10 @@ ProcessSignal* ProcessSignalFormatter::CreateProcessSignal(sinsp_evt* event) {
   }
 
   // set user and group id credentials
-  if (const uint32_t* uid = event_extractor_->get_uid(event)) {
+  if (auto uid = EventExtractor::get_uid(event)) {
     signal->set_uid(*uid);
   }
-  if (const uint32_t* gid = event_extractor_->get_gid(event)) {
+  if (auto gid = EventExtractor::get_gid(event)) {
     signal->set_gid(*gid);
   }
 
@@ -176,7 +178,7 @@ ProcessSignal* ProcessSignalFormatter::CreateProcessSignal(sinsp_evt* event) {
   signal->set_allocated_time(timestamp);
 
   // set container_id
-  if (const std::string* container_id = event_extractor_->get_container_id(event)) {
+  if (auto container_id = EventExtractor::get_container_id(event)) {
     signal->set_container_id(*container_id);
   }
 
@@ -232,16 +234,25 @@ ProcessSignal* ProcessSignalFormatter::CreateProcessSignal(sinsp_threadinfo* tin
   signal->set_pid(tinfo->m_pid);
 
   // set user and group id credentials
-  signal->set_uid(tinfo->m_user.uid());
-  signal->set_gid(tinfo->m_group.gid());
+  auto uid = EventExtractor::get_uid(tinfo);
+  if (uid) {
+    signal->set_uid(*uid);
+  }
+  auto gid = EventExtractor::get_gid(tinfo);
+  if (gid) {
+    signal->set_gid(*gid);
+  }
 
   // set time
   auto timestamp = Allocate<Timestamp>();
   *timestamp = TimeUtil::NanosecondsToTimestamp(tinfo->m_clone_ts);
   signal->set_allocated_time(timestamp);
 
   // set container_id
-  signal->set_container_id(tinfo->m_container_id);
+  auto container_id = EventExtractor::get_container_id(tinfo);
+  if (container_id) {
+    signal->set_container_id(*container_id);
+  }
 
   // set process lineage
   std::vector<LineageInfo> lineage;
@@ -265,7 +276,7 @@ std::string ProcessSignalFormatter::ProcessDetails(sinsp_evt* event) {
   std::stringstream ss;
   const std::string* path = event_extractor_->get_exepath(event);
   const std::string* name = event_extractor_->get_comm(event);
-  const std::string* container_id = event_extractor_->get_container_id(event);
+  auto container_id = EventExtractor::get_container_id(event);
   const char* args = event_extractor_->get_proc_args(event);
   const int64_t* pid = event_extractor_->get_pid(event);
 
@@ -347,7 +358,7 @@ void ProcessSignalFormatter::GetProcessLineage(sinsp_threadinfo* tinfo,
     // all platforms.
     //
     if (pt->m_vpid == 0) {
-      if (pt->m_container_id.empty()) {
+      if (!EventExtractor::get_container_id(pt)) {
         return false;
       }
     } else if (pt->m_pid == pt->m_vpid) {
@@ -361,7 +372,10 @@ void ProcessSignalFormatter::GetProcessLineage(sinsp_threadinfo* tinfo,
     // Collapse parent child processes that have the same path
     if (lineage.empty() || (lineage.back().parent_exec_file_path() != pt->m_exepath)) {
       LineageInfo info;
-      info.set_parent_uid(pt->m_user.uid());
+      auto uid = EventExtractor::get_uid(pt);
+      if (uid) {
+        info.set_parent_uid(*uid);
+      }
       info.set_parent_exec_file_path(pt->m_exepath);
       lineage.push_back(info);
     }

collector/lib/ProcessSignalFormatter.cpp

@@ -57,15 +57,6 @@ const char* SignalName(int signum) {
   }
 }
 
-std::ostream& operator<<(std::ostream& os, const sinsp_threadinfo* t) {
-  if (t) {
-    os << "Container: \"" << t->m_container_id << "\", Name: " << t->m_comm << ", PID: " << t->m_pid << ", Args: " << t->m_exe;
-  } else {
-    os << "NULL\n";
-  }
-  return os;
-}
-
 const char* UUIDStr() {
   uuid_t uuid;
   constexpr int kUuidStringLength = 36;  // uuid_unparse manpage says so.

collector/lib/Utility.cpp

@@ -63,8 +63,6 @@ std::string Str(Args&&... args) {
   return string_stream.str();
 }
 
-std::ostream& operator<<(std::ostream& os, const sinsp_threadinfo* t);
-
 // UUIDStr returns UUID in string format.
 const char* UUIDStr();
 

collector/lib/Utility.h

@@ -7,6 +7,8 @@
 #include "libsinsp/sinsp.h"
 
 #include "Logging.h"
+#include "Utility.h"
+#include "threadinfo.h"
 
 namespace collector::system_inspector {
 
@@ -129,16 +131,11 @@ class EventExtractor {
   //
   // ADD ANY NEW FIELDS BELOW THIS LINE
 
-  // Container related fields
-  TINFO_FIELD(container_id);
-
   // Process related fields
   TINFO_FIELD(comm);
   TINFO_FIELD(exe);
   TINFO_FIELD(exepath);
   TINFO_FIELD(pid);
-  TINFO_FIELD_RAW_GETTER(uid, m_user.uid, uint32_t);
-  TINFO_FIELD_RAW_GETTER(gid, m_group.gid, uint32_t);
   FIELD_CSTR(proc_args, "proc.args");
 
   // General event information
@@ -148,15 +145,57 @@ class EventExtractor {
   FIELD_RAW_SAFE(client_port, "fd.cport", uint16_t);
   FIELD_RAW_SAFE(server_port, "fd.sport", uint16_t);
 
-  // k8s metadata
-  FIELD_CSTR(k8s_namespace, "k8s.ns.name");
-
 #undef TINFO_FIELD
 #undef FIELD_RAW
 #undef FIELD_CSTR
 #undef EVT_ARG
 #undef EVT_ARG_RAW
 #undef DECLARE_FILTER_CHECK
+
+ public:
+  static std::optional<std::string_view> get_container_id(const sinsp_threadinfo* tinfo) {
+    for (const auto& [_, cgroup] : tinfo->cgroups()) {
+      auto container_id = ExtractContainerIDFromCgroup(cgroup);
+      if (container_id) {
+        return container_id;
+      }
+    }
+
+    return {};
+  }
+
+  static std::optional<std::string_view> get_container_id(const sinsp_evt* evt) {
+    const auto* tinfo = evt->get_tinfo();
+    if (tinfo == nullptr) {
+      return {};
+    }
+
+    return get_container_id(tinfo);
+  }
+
+  static std::optional<uint32_t> get_uid(sinsp_threadinfo* tinfo) {
+    return tinfo->m_uid;
+  }
+
+  static std::optional<uint32_t> get_uid(sinsp_evt* evt) {
+    auto* tinfo = evt->get_tinfo();
+    if (tinfo == nullptr) {
+      return {};
+    }
+    return get_uid(tinfo);
+  }
+
+  static std::optional<uint32_t> get_gid(sinsp_threadinfo* tinfo) {
+    return tinfo->m_gid;
+  }
+
+  static std::optional<uint32_t> get_gid(sinsp_evt* evt) {
+    auto* tinfo = evt->get_tinfo();
+    if (tinfo == nullptr) {
+      return {};
+    }
+    return get_gid(tinfo);
+  }
 };
 
 }  // namespace collector::system_inspector

collector/lib/system-inspector/EventExtractor.h

@@ -6,7 +6,6 @@
 
 #include <linux/ioctl.h>
 
-#include "libsinsp/container_engine/sinsp_container_type.h"
 #include "libsinsp/parsers.h"
 #include "libsinsp/sinsp.h"
 
@@ -15,7 +14,6 @@
 #include "CollectionMethod.h"
 #include "CollectorException.h"
 #include "CollectorStats.h"
-#include "ContainerEngine.h"
 #include "ContainerMetadata.h"
 #include "EventExtractor.h"
 #include "EventNames.h"
@@ -50,7 +48,7 @@ Service::Service(const CollectorConfig& config)
   inspector_->disable_log_timestamps();
   inspector_->set_log_callback(logging::InspectorLogCallback);
 
-  inspector_->set_import_users(config.ImportUsers(), false);
+  inspector_->set_import_users(config.ImportUsers());
   inspector_->set_thread_timeout_s(30);
   inspector_->set_auto_threads_purging_interval_s(60);
   inspector_->m_thread_manager->set_max_thread_table_size(config.GetSinspThreadCacheSize());
@@ -62,6 +60,7 @@ Service::Service(const CollectorConfig& config)
     inspector_->get_parser()->set_track_connection_status(true);
   }
 
+  /*
   if (config.EnableRuntimeConfig()) {
     uint64_t mask = 1 << CT_CRI |
                     1 << CT_CRIO |
@@ -87,6 +86,7 @@ Service::Service(const CollectorConfig& config)
   }
 
   inspector_->set_filter("container.id != 'host'");
+  */
 
   // The self-check handlers should only operate during start up,
   // so they are added to the handler list first, so they have access
@@ -160,6 +160,12 @@ sinsp_evt* Service::GetNext() {
     return nullptr;
   }
 
+  // If there is no container id, this is an event from the host.
+  // We ignore these for now.
+  if (!EventExtractor::get_container_id(event)) {
+    return nullptr;
+  }
+
   userspace_stats_.event_parse_micros[event->get_type()] += (NowMicros() - parse_start);
   ++userspace_stats_.nUserspaceEvents[event->get_type()];
 
@@ -296,7 +302,8 @@ bool Service::SendExistingProcesses(SignalHandler* handler) {
   }
 
   return threads->loop([&](sinsp_threadinfo& tinfo) {
-    if (!tinfo.m_container_id.empty() && tinfo.is_main_thread()) {
+    auto container_id = EventExtractor::get_container_id(&tinfo);
+    if (container_id && tinfo.is_main_thread()) {
       auto result = handler->HandleExistingProcess(&tinfo);
       if (result == SignalHandler::ERROR || result == SignalHandler::NEEDS_REFRESH) {
         CLOG(WARNING) << "Failed to write existing process signal: " << &tinfo;