upgrade to IG v0.48.1

[matthyx]

Summary by CodeRabbit

• Updates

  • Gadget toolset renamed and bumped to v0.48.1; images moved to a new registry path.

• Performance

  • Event data flow simplified to use direct deep-copies, removing pooling and clarifying ownership.

• Features

  • ECS runtime alert support and ECS metadata accessors added to events.

• Tests

  • Tests enhanced to detect unexpected/extra fields in data sources.

• Chores

  • Broad dependency version updates across modules.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated gadget names and image registry/tags to ghcr.io/inspektor-gadget/gadget at v0.48.1, removed pooled datasource allocation in tracers in favor of direct source.DeepCopy(data), bumped many Go module dependencies, added ECS metadata accessors to events and rule failure structures, and tightened tests to detect unexpected datasource fields.

Changes

Cohort / File(s)	Summary
Build / Release Makefile, .github/workflows/*	Updated GADGETS list and bumped VERSION to v0.48.1; changed gadget image pull/export to ghcr.io/inspektor-gadget/gadget/...:v0.48.1; CI steps updated to install ig v0.48.1.
Go modules go.mod	Bumped many dependencies (k8s.io/*, grpc, prometheus, containerd, opentelemetry, etc.) and updated replace directive for inspektor-gadget to a forked version.
Tracer image refs pkg/containerwatcher/v2/tracers/{capabilities,dns,exec,open,syscall}.go	Repointed tracer image constants to ghcr.io/inspektor-gadget/gadget/...:v0.48.1.
Tracer data handling (many files) pkg/containerwatcher/v2/tracers/*.go	Removed pooled allocation + DeepCopyInto; tracers now populate DatasourceEvent.Data with source.DeepCopy(data) and forward to callbacks across tracer implementations.
Datasource pooling removal & ECS enrichment pkg/utils/datasource_event.go	Removed global dataPools and GetPooledDataItem; DatasourceEvent.Release() delegates to Datasource.Release(e.Data); added ECS-specific getters on DatasourceEvent.
ECS enrichment in events & failures pkg/utils/events.go, pkg/utils/struct_event.go, pkg/rulemanager/types/failure.go	Extended EnrichEvent interface with ECS accessors; implemented ECS getters on StructEvent (return empty strings); added RuntimeAlertECSDetails field and accessors to GenericRuleFailure and RuleFailure interface.
Tests: datasource field validation pkg/containerwatcher/v2/tracers/*_test.go	Added slices import; replaced strict field-count assertions with per-field presence checks plus iteration to flag unexpected extra fields; added proc.parent.tid to several expected field lists.
Misc tests / BPF pkg/containerwatcher/v2/tracers/bpf_test.go	Added expected field proc.parent.tid, switched to containment-based validation.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Feature/ecs alerts #699: Direct overlap — gadgets image refs, tracer data-copy refactor, go.mod bumps, ECS additions.
• bump: update dependencies for backend, storage, and OpenAPI packages #704: Related dependency/version bumps and replace directive changes for inspektor-gadget.
• Feature/rule engine redesign #685: Related edits to datasource_event handling and ECS accessor additions.

Suggested labels

release

Poem

🐇 I hopped from Quay to GHCR today,
Copies simplified, pools tucked away.
Versions climbed to v0.48.1, hooray —
Tests sniff extra fields and kindly say “nay.”
A carrot cheer — new gadgets on display!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'upgrade to IG v0.48.1' directly and clearly summarizes the main change: upgrading Inspektor-Gadget from v0.45.0 to v0.48.1 across multiple configuration files and dependencies.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch panic

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/containerwatcher/v2/tracers/syscall.go (1)

130-137: Data sharing is protected from Release() but remains vulnerable to mutation by downstream handlers.

The shared event.Data is actually safe from being released during loop iteration because SyscallEventType events are explicitly excluded from Release in the worker pool (see container_watcher.go line 162-163). Additionally, the initial data is already deep-copied when the event is created (line 112), so the loop iterations operate on a stable copy.

However, the design remains fragile: if any downstream handler mutates (rather than releases) the shared data during callback processing, subsequent loop iterations will see corrupted data. The current safeguard depends on the Release() exclusion logic, which is more of a workaround than a definitive fix.

Consider either:

• Deep-copying the data for each syscall iteration, or
• Documenting that downstream handlers must not mutate the shared data and cannot rely on Release() semantics

🤖 Fix all issues with AI agents

In `@go.mod`:
- Line 447: Add a clear comment above the replace directive for
github.com/inspektor-gadget/inspektor-gadget =>
github.com/matthyx/inspektor-gadget v0.0.0-20260126124411-303be8df37f7 in go.mod
that states which specific bugfixes or features from the matthyx fork are
required (cite commit hashes or PR numbers if possible), whether this replace is
temporary pending an upstream merge or intended long-term, and include a short
tracking plan: the upstream PR/issue to watch, expected timeline or criteria for
switching back to the official module, and who owns monitoring/updating (e.g.,
team or person).

In `@pkg/utils/datasource_event.go`:
- Around line 881-883: The Release method on DatasourceEvent should guard
against a nil Datasource to avoid panics; update the DatasourceEvent.Release
function to check if e.Datasource is nil and return early if so (consistent with
patterns like getFieldAccessor), otherwise call e.Datasource.Release(e.Data);
ensure the nil-check uses the same style/error-handling conventions as other
methods in this file.

🧹 Nitpick comments (4)

pkg/containerwatcher/v2/tracers/ptrace.go (1)

21-21: Inconsistent image versioning: using :latest instead of pinned version.

Same issue as hardlink.go - using :latest tag instead of a pinned version like dns.go uses.

♻️ Suggested fix for version consistency

-	ptraceImageName = "ghcr.io/inspektor-gadget/gadget/ptrace:latest"
+	ptraceImageName = "ghcr.io/inspektor-gadget/gadget/ptrace:v0.48.0"

pkg/containerwatcher/v2/tracers/kmod.go (1)

22-22: Consider pinning to a specific version tag for reproducibility.

Other tracers in this PR (e.g., open.go, exec.go, syscall.go) use the explicit v0.48.0 tag, while this uses :latest. Using :latest can lead to unexpected behavior changes when the image is updated upstream.

Suggested fix

-	kmodImageName = "ghcr.io/inspektor-gadget/gadget/kmod:latest"
+	kmodImageName = "ghcr.io/inspektor-gadget/gadget/kmod:v0.48.0"

pkg/containerwatcher/v2/tracers/fork.go (1)

21-21: Consider pinning to a specific version tag for reproducibility.

Similar to the kmod tracer, this uses :latest while other tracers in this PR use :v0.48.0. Pinning to an explicit version ensures consistent behavior across deployments.

Suggested fix

-	forkImageName = "ghcr.io/inspektor-gadget/gadget/fork:latest"
+	forkImageName = "ghcr.io/inspektor-gadget/gadget/fork:v0.48.0"

pkg/containerwatcher/v2/tracers/exit.go (1)

21-21: Consider pinning to a specific version tag for reproducibility.

Similar to kmod and fork tracers, this uses :latest while other tracers in this PR use :v0.48.0. Pinning to an explicit version ensures consistent behavior across deployments.

Suggested fix

-	exitImageName = "ghcr.io/inspektor-gadget/gadget/exit:latest"
+	exitImageName = "ghcr.io/inspektor-gadget/gadget/exit:v0.48.0"

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

go.mod (1)

10-458: ⚠️ Potential issue | 🟡 Minor

Fix kubectl version skew: update k8s.io/kubectl from v0.34.1 to v0.35.0.

The go.mod has an inconsistent Kubernetes version: k8s.io/kubectl v0.34.1 while all other k8s.io/* modules are at v0.35.0, violating Kubernetes' version skew policy. Although the specific breaking changes in v1.35.0 (kubelet flag removal, cgroups v1 hardening, API removals) do not appear directly used in this codebase, the version mismatch creates maintenance issues and operational confusion. Align all k8s.io/* dependencies to v0.35.0 for consistency. Ensure the existing CI test suite runs to catch any subtle incompatibilities with grpc v1.77.0 and containerd v1.7.30.

🤖 Fix all issues with AI agents

In `@pkg/containerwatcher/v2/tracers/syscall.go`:
- Around line 111-113: The closure passed to d.Subscribe captures the loop
variable d, causing stale references; change the callback to use the provided
source parameter instead of d when building the event (i.e. call
st.callback(&utils.DatasourceEvent{Datasource: source, Data:
source.DeepCopy(data), EventType: utils.SyscallEventType})) so the correct
datasource is used for each Subscribe callback and avoid range-variable capture.

🧹 Nitpick comments (1)

.github/workflows/go-basic-tests.yaml (1)

91-92: Add checksum verification for the IG .deb download.

The download currently lacks integrity validation. The v0.48.1 release includes SHA256SUMS and SHA256SUMS.sig assets; pin the checksum and verify before installation. Also use curl -fL to fail fast on download errors.

Suggested hardening

-      - name: Ensure ig is installed
-        run: curl https://github.com/inspektor-gadget/inspektor-gadget/releases/download/v0.48.1/ig_0.48.1_amd64.deb -LO && sudo dpkg -i ig_0.48.1_amd64.deb
+      - name: Ensure ig is installed
+        run: |
+          curl -fL -o ig_0.48.1_amd64.deb \
+            https://github.com/inspektor-gadget/inspektor-gadget/releases/download/v0.48.1/ig_0.48.1_amd64.deb
+          echo "<SHA256_FROM_RELEASE>  ig_0.48.1_amd64.deb" | sha256sum -c -
+          sudo dpkg -i ig_0.48.1_amd64.deb

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@pkg/containerwatcher/v2/tracers/capabilities.go`:
- Around line 110-112: Replace the undocumented source.DeepCopy(data) use inside
the d.Subscribe callback: instead consume the datasource.Data synchronously,
extract the raw protobuf via data.Packet.Raw() (or Packet array Raw for arrays)
and recreate a durable packet using the datasource.DataSource methods
NewPacketSingleFromRaw() or NewPacketArrayFromRaw(), then pass that recreated
packet into ct.callback via utils.DatasourceEvent (same fields: Datasource: d,
Data: <recreated>, EventType: utils.CapabilitiesEventType); ensure you stop
retaining the original datasource.Data outside the callback and use the public
Packet/raw + NewPacket... API instead of DeepCopy.

🧹 Nitpick comments (2)

pkg/containerwatcher/v2/tracers/http.go (1)

23-23: Consider using explicit version tag instead of latest.

The HTTP tracer uses ghcr.io/inspektor-gadget/gadget/http:latest while other tracers (e.g., capabilities) use explicit version tags like v0.48.1. Using latest can lead to non-reproducible builds and unexpected behavior when the upstream image is updated.

♻️ Suggested fix for consistent versioning

 const (
-	httpImageName       = "ghcr.io/inspektor-gadget/gadget/http:latest"
+	httpImageName       = "ghcr.io/inspektor-gadget/gadget/http:v0.48.1"
 	httpTraceName       = "trace_http"

pkg/containerwatcher/v2/tracers/iouring.go (1)

23-24: Consider using explicit version tags instead of latest.

Both iouring images use latest tag, which can lead to non-reproducible builds. For consistency with tracers like capabilities that use explicit v0.48.1 tags, consider pinning these versions.

♻️ Suggested fix for consistent versioning

 const (
-	iouringImageName = "ghcr.io/inspektor-gadget/gadget/iouring_new:latest"
+	iouringImageName = "ghcr.io/inspektor-gadget/gadget/iouring_new:v0.48.1"
 	iouringTraceName = "trace_iouring"

And for the fallback:

 	} else {
-		imageName = "ghcr.io/inspektor-gadget/gadget/iouring_old:latest"
+		imageName = "ghcr.io/inspektor-gadget/gadget/iouring_old:v0.48.1"
 	}

Also applies to: 66-66