From 90c21e3290c791e375d4c5a554a4fb298ee70b57 Mon Sep 17 00:00:00 2001
From: Alex In
Date: Sat, 27 Jul 2024 17:04:57 +0300
Subject: [PATCH] tetragon: only allow single instance to run on a node

This change will make Tetragon fail at startup if it finds out that another instance already created PID file and is still running. Previously it was only logging a warning.

Signed-off-by: Alex In
---
 cmd/tetragon/main.go | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/cmd/tetragon/main.go b/cmd/tetragon/main.go
index 390de6a43dd..c4912387d26 100644
--- a/cmd/tetragon/main.go
+++ b/cmd/tetragon/main.go
@@ -222,20 +222,23 @@ func tetragonExecute() error {
 proc.LogCurrentSecurityContext()
 // When an instance terminates or restarts it may cleanup bpf programs,
- // having a check here to see if another instance is already running, can
- // help debug errors.
+ // having a check here to see if another instance is already running.
 pid, err := pidfile.Create()
 if err != nil {
- // Log error but do not fail
- log.WithError(err).WithField("pid", pid).Warn("Tetragon pid file creation failed")
- } else {
- log.WithFields(logrus.Fields{
- "pid": pid,
- "pidfile": defaults.DefaultPidFile,
- }).Info("Tetragon pid file creation succeeded")
+ // pidfile.Create returns error if creation of pid file failed with error
+ // other than pidfile.ErrPidFileAccess and pidfile.ErrPidIsNotAlive.
+ // In most cases this will mean that another instance of Tetragon is up
+ // and running and may interfere on eBPF programs and/or maps and lead
+ // to unpredictable behavior.
+ return fmt.Errorf("failed to create pid file '%s', another Tetragon instance seems to be up and running: %w", defaults.DefaultPidFile, err)
 }
 defer pidfile.Delete()
+ log.WithFields(logrus.Fields{
+ "pid": pid,
+ "pidfile": defaults.DefaultPidFile,
+ }).Info("Tetragon pid file creation succeeded")
+
 if option.Config.ForceLargeProgs && option.Config.ForceSmallProgs {
 log.Fatalf("Can't specify --force-small-progs and --force-large-progs together")
 }
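Review bot: The new `return fmt.Errorf(...)` reports every error from `pidfile.Create()` as "another Tetragon instance seems to be up and running", although the comment above it only claims this holds "in most cases", so a failure unrelated to a live instance now stops the agent with a misleading message. Because a failed start leaves the node without its security agent, the fatal path should be narrow: if `pidfile` exposes a sentinel for the live-PID case, match it with `errors.Is` and word the remaining errors neutrally, e.g. `return fmt.Errorf("creating pid file %q: %w", defaults.DefaultPidFile, err)`. Whether the liveness check confirms that the recorded PID actually belongs to Tetragon is not visible in this hunk; if it only checks that the PID exists, a recycled PID in a stale file would block startup, which is worth confirming. The `log.Fatalf` a few lines below exits without running `defer pidfile.Delete()`, so that path leaves the pid file behind; since `tetragonExecute` returns `error`, returning one there would let the deferred cleanup run. The function body starts and ends outside the hunk.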