| Index | index by Group | index by Distribution | index by Vendor | index by creation date | index by Name | Mirrors | Help | Search |
| Name: tetragon | Distribution: openSUSE Tumbleweed |
| Version: 1.3.0 | Vendor: openSUSE |
| Release: 1.1 | Build date: Fri Dec 13 11:00:07 2024 |
| Group: Unspecified | Build host: reproducible |
| Size: 126600560 | Source RPM: tetragon-1.3.0-1.1.src.rpm |
| Packager: http://bugs.opensuse.org | |
| Url: https://github.com/cilium/tetragon | |
| Summary: eBPF-based Security Observability and Runtime Enforcement | |
Cilium’s new Tetragon component enables powerful real-time, eBPF-based Security Observability and Runtime Enforcement. Tetragon detects and is able to react to security-significant events, such as * Process execution events * System call activity * I/O activity including network & file access When used in a Kubernetes environment, Tetragon is Kubernetes-aware - that is, it understands Kubernetes identities such as namespaces, pods and so on - so that security event detection can be configured in relation to individual workloads.
Apache-2.0
* Fri Dec 13 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.3.0:
Large changelog, please find the full changelog here:
https://github.com/cilium/tetragon/releases
* Upgrade notes
Depending on your setup, changes listed here might require a
manual intervention.
- Behavior of export-file-perm flag (and corresponding Helm
value tetragon.exportFilePerm) changed. In case the export
file exists, but has different permissions than specified in
the option, Tetragon will change the file permissions on the
next log rotation. In older versions, log rotation preserved
permissions of the existing file. Before upgrading check if
permissions of the existing export file match the option (600
by default), and set the agent flag or Helm value to the
desired value if needed.
- Events (protobuf API)
New events for syscall64 type
Previous versions of Tetragon did not distinguish between
different ABIs when using the syscall64 type because the
output was just a size_arg with the id. When executing the
getcpu syscall, for example, the JSON for 64- and 32-bits
would be:
"args":[{"size_arg":"309"}]
"args":[{"size_arg":"318"}]
Note that id 318 for x86_64 is a different syscall: getrandom
so we cannot distinguish between a getrandom syscall on
x86_64 and a getcpu call on 32-bit (i386). To address this
issue, the output of syscall64 was changed to a SyscallId
object that also includes the ABI. So the JSON for 64- and
32-bits getcpu now is:
"args":[{"syscall_id":{"id":309,"abi":"x64"}}]
"args":[{"syscall_id":{"id":318,"abi":"i386"}}]
Users that want to maintain the old behavior can use the
- -enable-compatibility-syscall64-size-type flag for this
version.
The flag will be removed in v1.4.
- Metrics
tetragon_ratelimit_dropped_total metric is renamed to
tetragon_export_ratelimit_events_dropped_total
* Major Changes:
- IMA hashes in LSM events (#2818) by @anfedotoff
- tetragon: add support for associating pod information when
nested cgroups are used (#3170) by @kkourt
* - Bugfixes:
- Fix clone event eventcache retry handler when missing pod
info. (#2899) by @tpapagian
- pkg/sensors: fix memory use of unloaded sensors (#3021) by
@mtardy
- tetragon: fix the process exit signal when core dumped
(#3039) by @justin0u0
- tetragon: improve how we handle cgroupv1 and cgroupv2 (#3053)
by @tixxdz
- [metrics] Fix overhead_program metrics for return probes
(#3074) by @tpapagian
- exec: fix tracking of matchBinary children (#3186) by @kkourt
* Wed Nov 27 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.2.1:
* Prepare for v1.2.1 release
* filters: implement parent_arguments_regex
* chore(deps): update go to v1.22.9
* chore(deps): update docker.io/library/alpine:3.20.3 docker
digest to 1e42bbe
* tetragon: probe_read usage may cause issues with newer kernels
* e2e tests: skip label test on ARM
* workflows: use GitHub arm64 runners instead of actuated
* Add support to exclude valid processes from dump processCache
* tetra: add max-recv-size to processcache dump cmd
* tetra: rewrite dump processcache cmd for correct error code
* tetra: use consistent case in dump cmd and api
* Add support to dump processLRU
* [btf] Flush kernel spec (BTF) after loading a sensor
* [ksyms] Do not cache ksyms to reduce memory consumption
* fix(deps): update module github.com/cilium/cilium to v1.15.10
[security]
* chore(deps): update docker.io/library/golang:1.22.8 docker
digest to 0ca97f4
* chore(deps): update docker.io/library/alpine docker tag to
v3.20.3
* chore(deps): update go to v1.22.8
* fix(deps): update module github.com/containers/common to
v0.60.4 [security]
* chore(deps): update docker.io/library/golang:1.22.6 docker
digest to a632201
* chore: update containers/common
* Remove const from parameters
* bpf: allow all operations for syscall64 type
* watcher: add metrics for deleted pod cache
* watcher: add a deleted pod cache
* watcher: add test for "fast" k8s API server
* watcher: change FindContainer function
* watcher: add a containerIDKey function
* watcher: refactor watcher
* Export EventCache tunables in the Helm Chart
* Reduce the delay in GRPC gotests
* Make EventCache configurable
* helm: Set rthooks.podSecurityContext to empty by default
* helm: Remove deprecated tetragon.skipCRDCreation value
* [bugfix] Fix clone event caching due to missing pod info
* Fri Sep 13 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.2.0:
Full changelog see
https://github.com/cilium/tetragon/releases/tag/v1.2.0
* Major Changes
- feat: Username for process_exec events (#2369) by @anfedotoff
- tetragon: Allow persistent enforcement during tetragon
restart (#2600) by @olsajiri
- LSM sensor (#2566) by @anfedotoff
* Bugfixes
- bpf: use CORE for execve hook (#2399) by @kkourt
- Don't create PodInfo if the pod is being deleted (#2431) by
@michi-covalent
- tetragon: allow namespaced and non-namespaced policies to
have the same name (#2337) by @joshuajorel
- operator: Don't start metrics server if Helm value
tetragonOperator.prometheus.enabled is set to false. (#2484)
by @yukinakanaka
- enforcer: fix issue when using multiple calls with fmod_ret
(#2524) by @kkourt
- Reduce the kernel memory footprint (accounted by the cgroup
memory controller) of the stack trace feature when unused.
(#2546) by @mtardy
- Reduce the kernel memory footprint (accounted by the cgroup
memory controller) of the ratelimit feature when unused
(around ~10MB per kprobe). (#2551) by @mtardy
- Reduce the kernel memory footprint (accounted by the cgroup
memory controller) of the fdinstall feature when unused
(around ~11MB per kprobe). (#2563) by @mtardy
- Do not increase the reference count when we cannot find a
parent in kthreads. (#2620) by @tpapagian
- Reduce the kernel memory footprint (accounted by the cgroup
v2 memory controller) of the override feature when unused
(around ~3MB per kprobe). (#2692) by @mtardy
- Fix a bug related to the matchBinaries Prefix operator by
increasing the buffer size used by our dentry walk. Now the
matchBinaries Prefix operator can correctly trigger a match
on any path above 255 chars. (#2764) by @mtardy
- Fix a bug where the tetra getevents command would timeout
even if the connection was successful. (#2765) by @mtardy
- Fix missing cases in the compact encoder for tetra. (#2819)
by @willfindlay
- add support for pod association via cgroup id (#2776) by
@kkourt
- Allow disabling gRPC either by selecting 'enabled:false' in
the helm chart or by passing an empty address to the agent
(#2826) by @kkourt
- Fix tetragon_process_cache_size metric (#2827) by @lambdanis
* Mon Jul 29 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- exclude architectures that fail to build due to
'pkg/syscallinfo/syscallinfo.go:39:34: undefined: syscallNames'
errors
* Wed Jun 12 2024 opensuse_buildservice@ojkastl.de
- Update to version 1.1.2:
* Bugfixes:
- Don't create PodInfo if the pod is being deleted
- [v1.1] backport: bpf: use CORE for execve hook
- enforcer: fix issue when using multiple calls with fmod_ret
* Minor Changes:
- backports:1.1:tests: fix trace module testing
- backports:1.1: uid username resolution support
- helm: Add tetragon.livenessProbe value
- backport:v1.1: btf: take first entry on multiple function
matches
* Misc Changes:
- Prepare for v1.1.0 release
- Use gRPC-based liveness probe instead of tetra status.
- [v1.1] Introduce upgrade notes
- Prepare for v1.1.1 release
- [v1.1] Makefile: exclude api tags from version
- v1.1: misc updates relating to release process
- Prepare for v1.1.2 release
* Tue Apr 30 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- new package tetragon: eBPF-based Security Observability and
Runtime Enforcement
/etc/tetragon /etc/tetragon/tetragon.conf.d /etc/tetragon/tetragon.conf.d/bpf-lib /etc/tetragon/tetragon.conf.d/export-file-compress /etc/tetragon/tetragon.conf.d/export-filename /etc/tetragon/tetragon.conf.d/gops-address /etc/tetragon/tetragon.conf.d/log-format /etc/tetragon/tetragon.conf.d/log-level /etc/tetragon/tetragon.conf.d/metrics-server /etc/tetragon/tetragon.conf.d/server-address /etc/tetragon/tetragon.conf.d/verbose /usr/bin/tetragon /usr/lib/systemd/system/tetragon.service /usr/lib64/tetragon /usr/lib64/tetragon/bpf /usr/lib64/tetragon/bpf/bpf_alignchecker.o /usr/lib64/tetragon/bpf/bpf_cgroup.o /usr/lib64/tetragon/bpf/bpf_cgroup_mkdir.o /usr/lib64/tetragon/bpf/bpf_cgroup_release.o /usr/lib64/tetragon/bpf/bpf_cgroup_rmdir.o /usr/lib64/tetragon/bpf/bpf_cgtracker.o /usr/lib64/tetragon/bpf/bpf_enforcer.o /usr/lib64/tetragon/bpf/bpf_execve_bprm_commit_creds.o /usr/lib64/tetragon/bpf/bpf_execve_event.o /usr/lib64/tetragon/bpf/bpf_execve_event_v511.o /usr/lib64/tetragon/bpf/bpf_execve_event_v53.o /usr/lib64/tetragon/bpf/bpf_execve_event_v61.o /usr/lib64/tetragon/bpf/bpf_exit.o /usr/lib64/tetragon/bpf/bpf_fmodret_enforcer.o /usr/lib64/tetragon/bpf/bpf_fork.o /usr/lib64/tetragon/bpf/bpf_generic_kprobe.o /usr/lib64/tetragon/bpf/bpf_generic_kprobe_v511.o /usr/lib64/tetragon/bpf/bpf_generic_kprobe_v53.o /usr/lib64/tetragon/bpf/bpf_generic_kprobe_v61.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_core.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_core_v511.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_core_v61.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_ima_bprm_v511.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_ima_bprm_v61.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_ima_file_v511.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_ima_file_v61.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_output.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_output_v511.o /usr/lib64/tetragon/bpf/bpf_generic_lsm_output_v61.o /usr/lib64/tetragon/bpf/bpf_generic_retkprobe.o /usr/lib64/tetragon/bpf/bpf_generic_retkprobe_v511.o /usr/lib64/tetragon/bpf/bpf_generic_retkprobe_v53.o /usr/lib64/tetragon/bpf/bpf_generic_retkprobe_v61.o /usr/lib64/tetragon/bpf/bpf_generic_tracepoint.o /usr/lib64/tetragon/bpf/bpf_generic_tracepoint_v511.o /usr/lib64/tetragon/bpf/bpf_generic_tracepoint_v53.o /usr/lib64/tetragon/bpf/bpf_generic_tracepoint_v61.o /usr/lib64/tetragon/bpf/bpf_generic_uprobe.o /usr/lib64/tetragon/bpf/bpf_generic_uprobe_v511.o /usr/lib64/tetragon/bpf/bpf_generic_uprobe_v53.o /usr/lib64/tetragon/bpf/bpf_generic_uprobe_v61.o /usr/lib64/tetragon/bpf/bpf_loader.o /usr/lib64/tetragon/bpf/bpf_lseek.o /usr/lib64/tetragon/bpf/bpf_map_test_p1.o /usr/lib64/tetragon/bpf/bpf_map_test_p2.o /usr/lib64/tetragon/bpf/bpf_map_test_p3.o /usr/lib64/tetragon/bpf/bpf_multi_enforcer.o /usr/lib64/tetragon/bpf/bpf_multi_kprobe_v511.o /usr/lib64/tetragon/bpf/bpf_multi_kprobe_v53.o /usr/lib64/tetragon/bpf/bpf_multi_kprobe_v61.o /usr/lib64/tetragon/bpf/bpf_multi_retkprobe_v511.o /usr/lib64/tetragon/bpf/bpf_multi_retkprobe_v53.o /usr/lib64/tetragon/bpf/bpf_multi_retkprobe_v61.o /usr/lib64/tetragon/bpf/bpf_multi_uprobe_v61.o /usr/lib64/tetragon/bpf/bpf_prog_iter.o /usr/share/doc/packages/tetragon /usr/share/doc/packages/tetragon/README.md /usr/share/licenses/tetragon /usr/share/licenses/tetragon/LICENSE
Generated by rpm2html 1.8.1
Fabrice Bellet, Fri Jan 24 23:52:04 2025