[] Fargate breakage fix - 26.2 backport#331
Open
MosheFriedland wants to merge 2 commits into
Open
Conversation
New value configuration.env.injection.fargate_ptrace_allow (default true) that flows to the helper as S1_FARGATE_PTRACE_ALLOW. When set to false, the helper webhook skips injecting s1-fargate-init / libptrace_allow.so into Fargate pods and leaves their container CMD unchanged. Add LD_PRELOAD env to helper's agent container to load libptrace_allow.so when ptrace injection is enabled. Co-Authored-By: Moshe Friedland <moshe.friedland@sentinelone.com> Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add S1_FARGATE_PTRACE_ALLOW to the env of the agent container that the helper webhook injects into Fargate pods, sharing the existing fargate_ptrace_allow gate next to LD_PRELOAD. The agent's cws_deployment startup reads this env var and translates it to the daemon_executor_ptrace_allow_enabled config key. When set, the agent's shell_spawner opts its remote-shell child (orphaned to pid 1 by daemon_executor's double-fork) into prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY) so the agent's subsequent PTRACE_ATTACH succeeds under YAMA mode 1. The same toggle now drives all three Fargate ptrace fixes: workload LD_PRELOAD libptrace_allow.so, workload CMD wrap with s1-fargate-init, and the agent's own remote-shell PR_SET_PTRACER opt-in.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.