From df89bd1ccf6501b6efb2988679224438c6a41732 Mon Sep 17 00:00:00 2001
From: William Findlay
Date: Fri, 24 Jan 2025 14:39:26 -0500
Subject: [PATCH] proc: handle docker container id format in CI
In our CI environment, docker cgroups do not contain the key word docker. This caused the procfs walker to fail to identify the container ID's of docker container processes started before Tetragon. Add some naive logic to fall back to so that we can handle this case.
Signed-off-by: William Findlay
---
 pkg/sensors/exec/procevents/proc.go | 12 ++++++++++++
 pkg/sensors/exec/procevents/proc_reader.go | 6 ------
 pkg/sensors/exec/procevents/proc_test.go | 5 +++++
 3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/pkg/sensors/exec/procevents/proc.go b/pkg/sensors/exec/procevents/proc.go
index 0901c94c5e1..3d41d298fc2 100644
--- a/pkg/sensors/exec/procevents/proc.go
+++ b/pkg/sensors/exec/procevents/proc.go
@@ -5,6 +5,7 @@ package procevents
 import (
 "bytes"
+ "encoding/hex"
 "fmt"
 "os"
 "path/filepath"
@@ -136,6 +137,17 @@ func procsFindDockerId(cgroups string) (string, int) {
 return container, i
 }
 }
+ // In some environments, such as the GitHub Ubuntu CI runner, docker cgroups do not contain the docker keyword but do end with a hex ID in their last component. Fall back to a naive approach here to handle that case.
+ components := strings.Split(s, "/")
+ if len(components) > 0 {
+ id := components[len(components)-1]
+ _, err := hex.DecodeString(id)
+ if err == nil {
+ if len(id) >= 31 {
+ return id[:31], len(strings.Join(components[:len(components)-1], "")) + 1
+ }
+ }
+ }
 }
 return "", 0
 }
diff --git a/pkg/sensors/exec/procevents/proc_reader.go b/pkg/sensors/exec/procevents/proc_reader.go
index 7580507b315..7917338cc84 100644
--- a/pkg/sensors/exec/procevents/proc_reader.go
+++ b/pkg/sensors/exec/procevents/proc_reader.go
@@ -4,12 +4,10 @@
 package procevents
 import (
- "cmp"
 "fmt"
 "os"
 "path/filepath"
 "regexp"
- "slices"
 "sort"
 "strconv"
 "strings"
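Review bot: The fallback added to procsFindDockerId in proc.go accepts any cgroup line whose last path component decodes as hex and is at least 31 characters long, so a non-container cgroup with a hex-looking name would be reported as a docker container ID and its processes attributed to a container that does not exist. Docker IDs are 64 hex characters (as in the new test input), so tightening the guard to `if len(id) == 64 {` would narrow the match; the comment should also say why truncating to 31 is correct here. The offset is worth a second look: `strings.Join(components[:len(components)-1], "")` drops the `/` separators, so the value falls one further behind the ID's index in the line for each extra leading path component. If the offset is meant to be that index, `len(s) - len(id)` states it directly, but the convention used by the keyword branch is outside this hunk and should be confirmed first. `strings.Split` never returns an empty slice, so the `len(components) > 0` check is always true and can be dropped; the function and its loop start above the hunk.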
@@ -661,10 +659,6 @@ func listRunningProcs(procPath string) ([]procs, error) {
 logger.GetLogger().Infof("Read ProcFS %s appended %d/%d entries", option.Config.ProcFS, len(processes), len(procFS))
- slices.SortFunc(processes, func(a, b procs) int {
- return cmp.Compare(a.pid, b.pid)
- })
-
 return processes, nil
 }
diff --git a/pkg/sensors/exec/procevents/proc_test.go b/pkg/sensors/exec/procevents/proc_test.go
index 452282ab5a2..0da8fb17a70 100644
--- a/pkg/sensors/exec/procevents/proc_test.go
+++ b/pkg/sensors/exec/procevents/proc_test.go
@@ -165,6 +165,11 @@ func TestProcsFindContainerId(t *testing.T) {
 assert.Equal(t, i, 80, "ContainerId offset wrong")
 assert.Equal(t, d, "0ca2b3cd20e5f55a2bbe8d4aa3f811c", "ContainerId wrong")
+ p = "11:pids:/actions_job/ec5fd62ba68d0b75a3cbdb7f7f78b526440b7969e22b2b362fb6f429ded42fdc"
+ d, i = procsFindDockerId(p)
+ assert.Equal(t, i, 20, "ContainerId offset wrong")
+ assert.Equal(t, d, "ec5fd62ba68d0b75a3cbdb7f7f78b52", "ContainerId wrong")
+
 p = ""
 d, i = procsFindDockerId(p)
 assert.Equal(t, d, "", "Expect output '' empty string")
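Review bot: The case added to TestProcsFindContainerId covers only the accepting path of the new hex fallback, so nothing pins what procsFindDockerId returns for inputs the fallback should reject. Cases worth adding are a last component that is hex but shorter than 31 characters, one of odd length, and one that is not hex at all, each asserting `""` and `0`. A path with more directory levels before the ID would also fix the expected offset for deeper nesting, which the single `20` assertion does not. The test function starts above the hunk and continues below it.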