0.31.3

What's Changed

• fix(userspace): improve display filter performance by @jasondellaluce in #1938
• new(ci): add support for win/osx ci and dev artifacts by @FedeDP in #1924
• update(ci): add ci workflow on push to dev. by @FedeDP in #1940
• update(userspace): avoid using and relying on std namespace in headers by @jasondellaluce in #1939
• SECCOMP-26723 change download references to download.sysdig.com by @mbreitung in #1896
• update(cmake): bumped libs and driver to versions shipped by Falco 0.34 by @FedeDP in #1942
• update(cmake): bumped libs to latest version by @therealbobo in #1943
• Add stalebot by @therealbobo in #1947
• update(cmake): bumped libs to 0.10.4 by @therealbobo in #1948
• update(ci): moved stale to gha by @therealbobo in #1949
• fix(scripts): various improvements by @therealbobo in #1952
• fix(ci): label list to string by @therealbobo in #1950
• Fix(ci): update stale runner by @therealbobo in #1956
• fix(ci): fix manual trigger by @therealbobo in #1957
• update(scripts/driverkit): added distro exclude list by @therealbobo in #1958
• update: removed driver config for 42b053c and update driverkit configs by @therealbobo in #1951
• fix(scripts/driverkit): check if probe is present by @therealbobo in #1959
• update(config/driverkit): add driver configs for v4.0.0 by @therealbobo in #1953
• fix(scripts/driverkit): fix null handling by @therealbobo in #1960
• update(config/driverkit): update driver configs for v4.0.0 by @therealbobo in #1961
• fix deprecated statement. by @tao12345666333 in #1238
• update(config/driverkit): update driver configs for v3.0.1 by @therealbobo in #1954
• update(config/driverkit): update driver configs for e5c53d6… by @therealbobo in #1955
• fix(cmake): remove old cmake flag by @therealbobo in #1962
• new: introduction of the modern ebpf probe by @therealbobo in #1963
• fix(ci): added rebuild of skeleton builder on dev by @therealbobo in #1965
• Fix(ci): fix wrong image names on dev build by @therealbobo in #1966
• fix(sinspui): regression from libs 0.10.0 by @therealbobo in #1967
• update(cmake): bumped libs to 0.10.5 by @therealbobo in #1968
• fix(ci): gha updated to build modern bpf by @therealbobo in #1969
• fix(ci): added dependency and fixed typo by @therealbobo in #1970
• feat(ci): added gha linter by @therealbobo in #1971
• fix(ci): added missing mount by @therealbobo in #1972
• fix(docker): new docker image by @therealbobo in #1974
• fix(ci): fixed incorrect filename by @therealbobo in #1975

New Contributors

• @mbreitung made their first contribution in #1896
• @therealbobo made their first contribution in #1943
• @tao12345666333 made their first contribution in #1238

Full Changelog: 0.30.2...0.31.3

0.30.2

This patch release fixes the scap driver loader to use env variables with the SYSDIG_ prefix instead of the FALCO_ one.

0.30.1

• update(cmake): bump libs to 0.9.1

0.30.0

Changes

• Built on most recent falcosecurity/libs tag
• Updated plugin API support to latest 2.0.0 version
• Updated scap-driver-loader script with the most recent changes of Falco's driver loader
• Support for ARM64: multiarch packages, container images, and prebuilt-drivers (to be used with scap-driver-loader)
• Enlarged prebuilt driver matrix (5000+ drivers) and support with Falco's Kernel Crawler output
• Support to some new syscalls, and lots of generic events now have a correct syscall name
• More expressive plugin loading experience: detailed info, suggestions on which plugins to be loaded
• Improved some CLI options, such --list, --list-mardown, and -L

0.29.3

Hi everyone! Here is another bugfix release for Sysdig.
It only spots a single commit, but it has 2 bug fixes!

Bug fixes

• print json root "slices" even in minimal build
• always print the json closing char

0.29.2

Hi everyone!
Welcome to yet another bugfix release for the 0.29 cycle.

Bug Fixes

• Fix -z option that did require an extra argument
• Call init_plugins as soon as possible. It fixes using filters on field extracted by system-installed plugins
• Restored plugins support for non-linux builds
• When using a source plugin, force an exit only if the plugin is actually stuck on a next(), not if its working on the close()

Moreover, helper text and man pages were update accordingly.

0.29.1

This is a small bug fix release!

Bug Fixes

• Fix release-rpm job for release

0.29.0

New features

• Full Plugins support! With colored output formatting, because we know you love it!
• Podman support
• Introduced a versioning between libscap and kernel drivers, that will allow in the future to properly tag libs release and avoid rebuilding kernel drivers when their version is not changed.
• Integrated back ~4months worth of work on libs, on par with Falco 0.31.1 release
• New syscalls: mprotect, execveat, copy_file_range, clone3

Bug Fixes

• eBPF fixes
• Security fixes
• Fixed cgroups v2 support in libscap, a bug that prevented pre-existing containers (prior to running sysdig) to be matched with their processes
• Fixed some container events related issues

Plugins info

• Same plugins that are used for Falco can be used for sysdig
• cmd line options, examples:
• • Register any found plugin from supported system folders and use dummy as input source passing to it open params:

$ sysdig -I dummy:'{"start":1,"maxEvents":10}'

• • Load and register dummy source plugin passing to it init config and open params:

sysdig -H dummy:'{"jitter":50}' -I dummy:'{"start":1,"maxEvents":10}'

• Moreover, you can also load plugins using a Falco plugin configuration file, by passing the --plugin-config-file cmdline option ()
• The --help usage text was updated with new informations.

I hope you will enjoy this new Sysdig release as much as we loved bringing it to you!

0.28.0

New Features

This is the first Sysdig release to make full use of the Falco Libs since its donation to the CNCF in 2021.

• The full changeset includes many improvements and features which have been included in Falco for this year's releases.
• The release system has been modified and is now completely open source, based on GitHub actions
• The default Docker image is now based on UBI 8
• By default the event string formatting natively supports colors, in the same way Bash does via \e escape sequences and ANSI Escape Codes if supported by the terminal.

Bug Fixes

• Fixed compilation on MacOS: #1801
• Use "%s"-style format for printf()-style functions for ncurses #1810
• Fixed GIT_TAG for gtest #1815

Note: due to an issue in the release process, a functionally equivalent release was published earlier today but the repositories were not completely updated. Sorry for the inconvenience.

0.27.1

New features

• Support minimal build (no kubernetes, kernel module, eBPF, or container support): -DMINIMAL_BUILD=On
• Support static linking with musl on Alpine Linux: -DMUSL_OPTIMIZED_BUILD=On

Bug fixes

• Improve startup times on systems with lots of containers [#1676]
• Fix paths reported in *at events [#1680, #1695]
• Build fixes for eBPF with recent kernel [#1690]
• Fix Lua out of memory errors with large captures in Sysdig Inspect [#1694]