feat(core) : reducing locks coverage to avoid potential deadlocks #1883
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Prateeknandle
force-pushed
the
deadlock
branch
from
2d19e32
to
9044b8f
Compare
daemon1024
previously approved these changes
Oct 30, 2024
daemon1024
changed the title
Signed-off-by: Prateek <[email protected]>
rootxrishabh
previously approved these changes
Nov 13, 2024
There was a problem hiding this comment.
Basic sanity successful -
rootxrishabh@fedora:~/KubeArmor/KubeArmor/build$ karmor logs
local port to be used for port forwarding kubearmor-relay-66999cb886-scthr: 32785
Created a gRPC client (localhost:32785)
Checked the liveness of the gRPC server
Started to watch alerts
== Alert / 2024-11-13 14:50:33.957179 ==
ClusterName: default
HostName: gke-rishabh-cluster-default-pool-7ceba30f-fpcc
NamespaceName: default
PodName: nginx-bf5d5cf98-2s97v
Labels: app=nginx
ContainerName: nginx
ContainerID: d74ce140d48a586c5d6c55b5586356a635d6d3975e15ebe7a7aa86e0d238544d
ContainerImage: docker.io/library/nginx:latest@sha256:bc5eac5eafc581aeda3008b4b1f07ebba230de2f27d47767129a6a905c84f470
Type: MatchedPolicy
PolicyName: block-pkg-mgmt-tools-exec
Severity: 1
Source: /usr/bin/bash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: lsm=SECURITY_BPRM_CHECK
Enforcer: BPFLSM
Result: Permission denied
Cwd: /
HostPID: 99824
HostPPID: 99799
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 43
PPID: 99799
ParentProcessName: /usr/bin/bash
ProcessName: /usr/bin/apt
UID: 0
rootxrishabh@fedora:~/KubeArmor/KubeArmor/build$ k exec -it nginx-bf5d5cf98-2s97v -n default -- bash
root@nginx-bf5d5cf98-2s97v:/# apt
bash: /usr/bin/apt: Permission denied
Containers:
kubearmor:
Container ID: containerd://7c30be7cf790666a4bb38648d71c0544712066dbf6d6164b382a0dafe336ab47
Image: rootxrishabh/kubearmor:deadlock
Image ID: docker.io/rootxrishabh/kubearmor@sha256:310790aa69a419da76e16a4a09d0d2e779a3ed0082df6fb4068058db5c25f5c9
Environment -
- K8s -> GKE
- Container Runtime -> containerd://1.7.22
- Kernel Version -> 6.1.100+
- Operating system -> Container-Optimized OS from Google
|
race conditions found, @Prateeknandle can you check again? |
|
@Prateeknandle this is a must for stable release. Can you please check @rksharma95's comments? |
…before going further Signed-off-by: Prateek <[email protected]>
Prateeknandle
dismissed stale reviews from rootxrishabh and daemon1024
via
103b22a
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Purpose of PR?:
Fixes #
Does this PR introduce a breaking change?
If the changes in this PR are manually verified, list down the scenarios covered::
Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs
Checklist:
<type>(<scope>): <subject>