tracee: tracee-ebpf: mount event missing source field

Hi, I’m using tracee-ebpf to collect mount events. However, the “source” field is sometimes missing.

Here is an example (you can start a docker container a few times and see this scenario):

Also, you can notice that the “filesystem type” is also missing sometimes. The example shows that LTTng gives mount type “bind”, while tracee gives nothing.

{
  "processName":"runc:[2:INIT]",
  "containerId":"2af0bc626525",
  "eventId":"165",
  "eventName":"mount",
  "argsNum":3,
  "returnValue":0,
  "args":[{ 
    "name":"target",
    "type":"const char*",
"value":"/var/lib/docker/overlay2/6fd16b36923947538d76e6b781d08f08d64ac69f513e7b24a889fa4337a948e0/merged/etc/resolv.conf"
  },{
    "name":"mountflags",
    "type":"unsigned long",
    "value":278528
  },{
    "name":"data",
    "type":"const void*",
    "value":0}
]}

As a comparison, LTTng will output this event as:

{
  "pid_ns":4026532645,
  "vtid":1,
  "event":"mount",
  "comm":"runc:[2:INIT]",
  "args":[{
    "Name":"dev_name",
    "Value":"/sys/fs/cgroup/devices/docker/2af0bc6265257c960d559b38134bf212b3292f226c586dd9295b42faa2945df7"
  },{
    "Name":"dir_name",
"Value":"/var/lib/docker/overlay2/6fd16b36923947538d76e6b781d08f08d64ac69f513e7b24a889fa4337a948e0/merged/etc/resolv.conf"
  },{
    "Name":"type","Value":"bind"
  },{
    "Name":"flags","Value":"278528"
  }],
  "tid":220199
}

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 19 (9 by maintainers)

Most upvoted comments

docker initialization with bind mount for a single file:

$ docker run --rm -v /etc/resolv.conf:/etc/resolv.conf.host --privileged --entrypoint /bin/sh -it ubuntu:hirsute

tracee (49 events)

$ sudo ./dist/tracee-ebpf --trace event=security_sb_mount

TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
14:05:06:630159  0      dockerd          2487798 2487805 0                security_sb_mount    dev_name: overlay, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb-init/merged, type: overlay, flags: 0
14:05:06:654107  0      dockerd          2487798 2487805 0                security_sb_mount    dev_name: overlay, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged, type: overlay, flags: 0
14:05:06:671076  0      dockerd          2487798 2487805 0                security_sb_mount    dev_name: overlay, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged, type: overlay, flags: 0
14:05:06:833628  0      exe              3173218 3173218 0                security_sb_mount    dev_name: /proc/self/exe, path: /run/docker/runtime-runc/moby/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e/runc.TjFvky, type: , flags: 4096
	14:05:06:833881  0      exe              3173218 3173218 0                security_sb_mount    dev_name: , path: /run/docker/runtime-runc/moby/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e/runc.TjFvky, type: , flags: 4129
	14:05:06:887454  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: , path: /, type: , flags: 540672
14:05:06:887822  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged, type: bind, flags: 20480
14:05:06:888008  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: proc, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/proc, type: proc, flags: 14
14:05:06:888287  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: tmpfs, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/dev, type: tmpfs, flags: 16777218
14:05:06:888627  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: devpts, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/dev/pts, type: devpts, flags: 10
14:05:06:888865  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: sysfs, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys, type: sysfs, flags: 14
14:05:06:889648  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: tmpfs, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup, type: tmpfs, flags: 14
14:05:06:890012  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/systemd/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/systemd, type: bind, flags: 20494
14:05:06:890188  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/systemd/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/systemd, type: bind, flags: 20526
14:05:06:890420  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/devices/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/devices, type: bind, flags: 20494
14:05:06:890568  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/devices/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/devices, type: bind, flags: 20526
14:05:06:890778  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/pids/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/pids, type: bind, flags: 20494
14:05:06:890926  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/pids/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/pids, type: bind, flags: 20526
14:05:06:891135  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/memory/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/memory, type: bind, flags: 20494
14:05:06:891300  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/memory/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/memory, type: bind, flags: 20526
14:05:06:891501  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/cpu,cpuacct/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/cpu,cpuacct, type: bind, flags: 20494
14:05:06:891662  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/cpu,cpuacct/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/cpu,cpuacct, type: bind, flags: 20526
14:05:06:891880  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/hugetlb/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/hugetlb, type: bind, flags: 20494
14:05:06:892058  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/hugetlb/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/hugetlb, type: bind, flags: 20526
14:05:06:892243  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/rdma, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/rdma, type: bind, flags: 20494
14:05:06:892391  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/rdma, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/rdma, type: bind, flags: 20526
14:05:06:892603  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/net_cls,net_prio/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/net_cls,net_prio, type: bind, flags: 20494
14:05:06:892758  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/net_cls,net_prio/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/net_cls,net_prio, type: bind, flags: 20526
14:05:06:892958  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/freezer/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/freezer, type: bind, flags: 20494
14:05:06:893117  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/freezer/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/freezer, type: bind, flags: 20526
14:05:06:893310  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/perf_event/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/perf_event, type: bind, flags: 20494
14:05:06:893503  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/perf_event/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/perf_event, type: bind, flags: 20526
14:05:06:893716  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/blkio/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/blkio, type: bind, flags: 20494
14:05:06:893873  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/blkio/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/blkio, type: bind, flags: 20526
14:05:06:894059  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/cpuset/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/cpuset, type: bind, flags: 20494
14:05:06:894210  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /sys/fs/cgroup/cpuset/docker/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/sys/fs/cgroup/cpuset, type: bind, flags: 20526
14:05:06:894392  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: mqueue, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/dev/mqueue, type: mqueue, flags: 14
14:05:06:894579  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: shm, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/dev/shm, type: tmpfs, flags: 14
14:05:06:895116  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /etc/resolv.conf, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/etc/resolv.conf.host, type: bind, flags: 20480
	14:05:06:895197  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: , path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/etc/resolv.conf.host, type: , flags: 278528
14:05:06:895344  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /var/lib/docker/containers/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e/resolv.conf, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/etc/resolv.conf, type: bind, flags: 20480
	14:05:06:895426  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: , path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/etc/resolv.conf, type: , flags: 278528
14:05:06:895569  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /var/lib/docker/containers/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e/hostname, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/etc/hostname, type: bind, flags: 20480
	14:05:06:895648  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: , path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/etc/hostname, type: , flags: 278528
14:05:06:895790  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /var/lib/docker/containers/a9029afcd059defe354a514ae287c5e16996ffdeb8688c6c3c262372ef3a3b8e/hosts, path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/etc/hosts, type: bind, flags: 20480
	14:05:06:895864  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: , path: /var/lib/docker/overlay2/95b6df1de55d7c0db6519afb87866b135b50e2fe23a771e1c27cbc3f8966a3fb/merged/etc/hosts, type: , flags: 278528
14:05:06:967330  0      dockerd          2487798 2487957 0                security_sb_mount    dev_name: /proc/3173221/ns/net, path: /run/docker/netns/d8a76344f311, type: bind, flags: 4096
	14:05:07:161442  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: , path: /, type: , flags: 540672
14:05:07:162210  0      runc:[2:INIT]    1       1       0                security_sb_mount    dev_name: /dev/pts/0, path: /dev/console, type: bind, flags: 4096

lttng (49 events)

[13:56:25.599037987] (+?.?????????) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "overlay", dir_name = "/var/lib/docker/overlay2/4ba8901d646aa96b90a8649e8e3fd7b0bd25d1c9c570d3e46c52fffc9bbd19c9-init/merged", type = "overlay", flags = 0, data = 824645812544 }
[13:56:25.626642332] (+0.026977690) fujitsu syscall_entry_mount: { cpu_id = 4 }, { dev_name = "overlay", dir_name = "/var/lib/docker/overlay2/4ba8901d646aa96b90a8649e8e3fd7b0bd25d1c9c570d3e46c52fffc9bbd19c9/merged", type = "overlay", flags = 0, data = 824637596704 }
[13:56:25.649884533] (+0.022899846) fujitsu syscall_entry_mount: { cpu_id = 7 }, { dev_name = "overlay", dir_name = "/var/lib/docker/overlay2/4ba8901d646aa96b90a8649e8e3fd7b0bd25d1c9c570d3e46c52fffc9bbd19c9/merged", type = "overlay", flags = 0, data = 824647312064 }
[13:56:25.809621430] (+0.158962055) fujitsu syscall_entry_mount: { cpu_id = 0 }, { dev_name = "/proc/self/exe", dir_name = "/var/run/docker/runtime-runc/moby/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad/runc.9YJyK8", type = "", flags = 4096, data = 94837636074005 }
	[13:56:25.809793479] (+0.000002618) fujitsu syscall_entry_mount: { cpu_id = 0 }, { dev_name = "", dir_name = "/var/run/docker/runtime-runc/moby/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad/runc.9YJyK8", type = "", flags = 4129, data = 94837636074005 }
	[13:56:25.849100876] (+0.039298805) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "", dir_name = "/", type = "", flags = 540672, data = 0 }
[13:56:25.849454989] (+0.000333273) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/var/lib/docker/overlay2/4ba8901d646aa96b90a8649e8e3fd7b0bd25d1c9c570d3e46c52fffc9bbd19c9/merged", dir_name = "/var/lib/docker/overlay2/4ba8901d646aa96b90a8649e8e3fd7b0bd25d1c9c570d3e46c52fffc9bbd19c9/merged", type = "bind", flags = 20480, data = 0 }
[13:56:25.849562237] (+0.000082761) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "proc", dir_name = "/proc/self/fd/7", type = "proc", flags = 14, data = 0 }
[13:56:25.849797812] (+0.000091760) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "tmpfs", dir_name = "/proc/self/fd/7", type = "tmpfs", flags = 16777218, data = 824634428480 }
[13:56:25.850072011] (+0.000138888) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "devpts", dir_name = "/proc/self/fd/7", type = "devpts", flags = 10, data = 824634918352 }
[13:56:25.850290859] (+0.000081845) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "sysfs", dir_name = "/proc/self/fd/7", type = "sysfs", flags = 14, data = 0 }
[13:56:25.850942823] (+0.000539774) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "tmpfs", dir_name = "/proc/self/fd/7", type = "tmpfs", flags = 14, data = 824634455648 }
[13:56:25.851251997] (+0.000178807) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/systemd/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.851365930] (+0.000095121) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/systemd/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.851475120] (+0.000102900) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/devices/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.851564550] (+0.000072169) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/devices/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.851701816] (+0.000131603) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/pids/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.851788456] (+0.000071979) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/pids/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.851898789] (+0.000104311) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/memory/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.852061430] (+0.000143953) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/memory/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.852173737] (+0.000106814) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/cpu,cpuacct/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.852261163] (+0.000071216) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/cpu,cpuacct/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.852367231] (+0.000100928) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/hugetlb/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.852450562] (+0.000067894) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/hugetlb/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.852550296] (+0.000094735) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/rdma", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.852630008] (+0.000067115) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/rdma", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.852744283] (+0.000109870) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/net_cls,net_prio/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.852832273] (+0.000060682) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/net_cls,net_prio/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.852931612] (+0.000094174) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/freezer/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.853013740] (+0.000067872) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/freezer/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.853114455] (+0.000095418) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/perf_event/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.853191566] (+0.000063828) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/perf_event/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.853286886] (+0.000090177) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/blkio/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.853360559] (+0.000060187) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/blkio/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.853451456] (+0.000085879) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/cpuset/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20494, data = 0 }
[13:56:25.853527136] (+0.000058662) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/sys/fs/cgroup/cpuset/docker/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad", dir_name = "/proc/self/fd/7", type = "bind", flags = 20526, data = 0 }
[13:56:25.853617151] (+0.000085119) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "mqueue", dir_name = "/proc/self/fd/7", type = "mqueue", flags = 14, data = 0 }
[13:56:25.853715284] (+0.000082617) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "shm", dir_name = "/proc/self/fd/7", type = "tmpfs", flags = 14, data = 824634746944 }
[13:56:25.854085838] (+0.000249391) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/etc/resolv.conf", dir_name = "/proc/self/fd/7", type = "bind", flags = 20480, data = 0 }
	[13:56:25.854121880] (+0.000024612) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "", dir_name = "/proc/self/fd/7", type = "", flags = 278528, data = 0 }
[13:56:25.854197886] (+0.000072211) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/var/lib/docker/containers/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad/resolv.conf", dir_name = "/proc/self/fd/7", type = "bind", flags = 20480, data = 0 }
	[13:56:25.854244839] (+0.000032087) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "", dir_name = "/proc/self/fd/7", type = "", flags = 278528, data = 0 }
[13:56:25.854308694] (+0.000060156) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/var/lib/docker/containers/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad/hostname", dir_name = "/proc/self/fd/7", type = "bind", flags = 20480, data = 0 }
	[13:56:25.854343651] (+0.000023279) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "", dir_name = "/proc/self/fd/7", type = "", flags = 278528, data = 0 }
[13:56:25.854405345] (+0.000058199) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/var/lib/docker/containers/3bef598402cfd5dd60d2e8ae86fea56813459bb8798907a6d6acf366681c6cad/hosts", dir_name = "/proc/self/fd/7", type = "bind", flags = 20480, data = 0 }
	[13:56:25.854440701] (+0.000024348) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "", dir_name = "/proc/self/fd/7", type = "", flags = 278528, data = 0 }
[13:56:25.913806902] (+0.059362549) fujitsu syscall_entry_mount: { cpu_id = 1 }, { dev_name = "/proc/3093910/ns/net", dir_name = "/var/run/docker/netns/79f735f0e204", type = "bind", flags = 4096, data = 0 }
	[13:56:26.193065900] (+0.279073152) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "", dir_name = ".", type = "", flags = 540672, data = 0 }
[13:56:26.193683502] (+0.000587007) fujitsu syscall_entry_mount: { cpu_id = 2 }, { dev_name = "/dev/pts/0", dir_name = "/dev/console", type = "bind", flags = 4096, data = 0 }

For my reproducer I can count exactly the same number of mount calls with a missing “dev_name”.


continuing on your buggy example:

{ cpu_id = 3 },
	{ tid = 32309, vtid = 1, ppid = 32298, vppid = 0, procname = "runc:[2:INIT]", pid_ns = 4026532649, net_ns = 4026532651 },
	{ dev_name = "/sys/fs/cgroup/memory/docker/2a09e07bdac0f9ff162eee310ddfe61b6f0ae6a1a72e5f7bec97f6c9f96a3339",
	  dir_name = "/var/lib/docker/overlay2/cb25d821fd2087f80d5d708ee88e5b8fc8794e21ca2479bffb4e5c018ec71b54/merged/etc/resolv.conf",
	  type = "bind",
	  flags = 278528,
	  data = 0
	}
  1. This looks like a bug on the LTTng side, likely a race condition when showing dev_name versus dir_name.
  2. All the cgroupfs bind mounts target a file descriptor.
  3. In your buggy example, the cgroupfs dev_name is targeting a file that is actually a file-based bind mount.
  4. A file-based bind mount has one file as “dev_name” and another file as “target” or “path”.
  5. All subtree operations on shared mounts show no “dev_name” (either empty or “none”).

example on how the correct operation works:

  1. docker is initially bind mounting the file /etc/resolv.conf to a directory result of an overlay mount.
  2. docker does a mount --make-rprivate to …/merged/etc/resolv.conf so it cannot forward or receive propagations.
  3. it propagates the bind mount to other containers
  • similar commands:
$ sudo mount --make-rprivate /merged
$ sudo touch /etc/e
$ sudo touch /merged/hosts
$ touch /merged/hosts
$ sudo mount -o bind /merged/hosts /etc/testing
$ sudo mount --make-rprivate /etc/testing
$ sudo mount -o bind /etc/hosts /merged/hosts.host
$ sudo mount --make-rprivate /merged/hosts.host
  • result:
$ sudo ./dist/tracee-ebpf --trace event=security_sb_mount
TIME             UID    COMM             PID     TID     RET              EVENT                ARGS
14:19:36:920329  0      mount            3302643 3302643 0                security_sb_mount    dev_name: overlay, path: /merged, type: overlay, flags: 0
14:19:49:768942  0      mount            3305634 3305634 0                security_sb_mount    dev_name: none, path: /merged, flags: 278528
14:20:21:260434  0      mount            3308808 3308808 0                security_sb_mount    dev_name: none, path: /merged/hosts, flags: 278528
14:20:36:225821  0      mount            3311878 3311878 0                security_sb_mount    dev_name: /merged/hosts, path: /etc/testing, type: none, flags: 4096
14:20:48:260745  0      mount            3312037 3312037 0                security_sb_mount    dev_name: none, path: /etc/testing, flags: 278528
14:23:00:100334  0      mount            3334107 3334107 0                security_sb_mount    dev_name: /etc/hosts, path: /merged/hosts.host, type: none, flags: 4096
14:23:15:934267  0      mount            3334231 3334231 0                security_sb_mount    dev_name: none, path: /merged/hosts.host, flags: 278528

As you can see, “none” here is added by the “util-linux” package; otherwise it could also be empty (as it is with docker).

Conclusion:

IMO, the “dev_name” that LTTng shows for a shared subtree operation, where dev_name should be “none” or empty, is likely a leftover from a previously triggered probe within LTTng.

A couple observations while looking into this:

  • Strace has the same behavior as Tracee, ‘source’ is missing for the same events
  • @SericaLaw, in the LTTng examples you provide I think the ‘flags’ arguments mean that the source argument is ignored [1]. I’m not familiar with LTTng, but perhaps in the mechanisms that tracee and strace use, the argument is optimized out.

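[1] For example: 278528 = MS_REC|MS_SLAVE, according to the man page for mount, changing the propagation type of an existing mount means the source, fstype and data arguments are ignored. (Decoding the value: 278528 = 0x44000 = MS_REC (16384) | MS_PRIVATE (262144), which matches the `mount --make-rprivate` events shown above; MS_REC|MS_SLAVE is 540672, the flags on the `/` events. Both are propagation-type changes, so the point stands: an empty source and type on these events is expected behaviour, not lost data.)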

@yanivagman the security_sb_mount gives 4 args, but there are empty strings:

{"processName":"runc:[2:INIT]","containerId":"a5d6e5bf90f2","eventId":"1022","eventName":"security_sb_mount","argsNum":4,"returnValue":0,"args":[{"name":"dev_name","type":"const char*","value":""},{"name":"path","type":"const char*","value":"/var/lib/docker/overlay2/d3ccce5b3e33fce6f2cd041d06db6f9c9e89497e1cd31e4fe06fa56a8c730b2d/merged/etc/hosts"},{"name":"type","type":"const char*","value":""},{"name":"flags","type":"unsigned long","value":278528}]}

{"processName":"runc:[2:INIT]","containerId":"a5d6e5bf90f2","eventId":"165","eventName":"mount","argsNum":3,"returnValue":0,"args":[{"name":"target","type":"const char*","value":"/var/lib/docker/overlay2/d3ccce5b3e33fce6f2cd041d06db6f9c9e89497e1cd31e4fe06fa56a8c730b2d/merged/etc/hosts"},{"name":"mountflags","type":"unsigned long","value":278528},{"name":"data","type":"const void*","value":0}]}

The corresponding LTTng output:

{"eventname": "syscall_entry_mount", "procname": "runc:[2:INIT]", "payload": [{"name": "dev_name", "value": "/sys/fs/cgroup/devices/docker/a5d6e5bf90f2e4e9163b2e73ada542458f13fb000e84c2ef4dae95a6bad39aac"}, {"name": "dir_name", "value": "/var/lib/docker/overlay2/d3ccce5b3e33fce6f2cd041d06db6f9c9e89497e1cd31e4fe06fa56a8c730b2d/merged/etc/hosts"}, {"name": "type", "value": "bind"}, {"name": "flags", "value": "278528"}, {"name": "data", "value": "0"}], "cpu_id": "2"}

@rafaeldtinoco Here is the content of ./dist:

libbpf  tracee.bpf  tracee.bpf.5_11_0-25-generic.v0_6_0-35-g5a0eb2d.o  tracee.bpf.core.o  tracee-builder  tracee-ebpf

And if I run without assigning TRACEE_BPF_FILE, the output is like:

BTF: bpfenv = false, btfenv = false, vmlinux = false
BPF: no BTF file was found or provided, building BPF object
found bpf object file at: /tmp/tracee/tracee.bpf.5_11_0-27-generic.v0_6_0-35-g5a0eb2d.o

so it’s not CO-RE.

I started the docker again with TRACEE_BPF_FILE env provided, the scenario was reproduced again. Sometimes the mount has 4 args, sometimes just 3.