@yanivagman
Collaborator

Introduces a unified DataStore API (api/v1beta1/datastores/) that provides
read-only access to system state for detectors and extensions. This is the
foundation layer for the detector framework.

What's Included

  • API Interfaces (api/v1beta1/datastores/):

    • DataStore - Base interface with health & metrics
    • ProcessStore - Process tree access
    • ContainerStore - Container information
    • KernelSymbolStore - Symbol resolution
    • DNSCacheStore - DNS query cache
    • SystemStore - Immutable system info (OS, kernel, hostname)
    • SyscallStore - Syscall ID/name mapping
    • Registry - Unified access to all stores
  • Store Implementations (pkg/datastores/):

    • Wrappers around existing Tracee components
    • New SystemStore and SyscallStore implementations
    • Implements all API interfaces with proper error handling
    • Null-safe accessors for optional stores
  • Registry (pkg/datastores/registry.go):

    • Centralized, thread-safe access to all registered stores
    • Type-safe accessor methods
    • Store availability checks and metadata retrieval
    • Integrated into Tracee initialization lifecycle

Testing

  • Comprehensive unit tests for all store interfaces
  • Registry tests covering registration, access, and error handling
  • All tests pass: make test-unit PKG=pkg/datastores

Impact

  • No breaking changes - Existing code continues to work
  • Foundation for detectors - Enables detector framework (next PR)
  • Extensible - Easy to add new datastores in the future

Create public DataStore API for unified access to system state:

New files:
- api/v1beta1/datastores/types.go: Core data types
  * ProcessInfo, ContainerInfo, SymbolInfo, DNSResponse
  * HealthInfo, HealthStatus, DataStoreMetrics
  * DataStoreMetadata, error types

- api/v1beta1/datastores/interfaces.go: Store interfaces
  * DataStore: Base interface with health & metrics
  * ProcessStore: Process tree access
  * ContainerStore: Container information
  * KernelSymbolStore: Symbol resolution
  * DNSCacheStore: DNS query cache

- api/v1beta1/datastores/registry.go: Registry interface
  * Unified access to all datastores
  * Custom store registration support
  * Metadata and availability queries

- Add store.go files implementing DataStore and specific store interfaces
- Process: GetProcess, GetChildProcesses
- Container: GetContainer, GetContainerByName
- Symbol: ResolveSymbolByAddress (returns all aliases), GetSymbolAddress, ResolveSymbolsBatch
- DNS: GetDNSResponse
- Track lastAccess timestamp for operational metrics
- Rename Manager.GetContainer -> LookupContainer to avoid method collision

All datastores implement Name(), GetHealth(), GetMetrics() for monitoring.

Add tests for DataStore interface implementations in process, container,
symbol, and dns datastores, validating Name(), GetHealth(), GetMetrics(),
store-specific methods, and LastAccess tracking.

Implement Registry providing centralized, thread-safe access to all
registered datastores:

- Exported Registry struct with RegisterStore() for Tracee engine
- Implements datastores.Registry interface for detector access
- Type-safe accessor methods for core stores
- Generic GetCustom() for extension datastores
- Store listing, availability checks, and metadata retrieval
- Comprehensive tests covering all functionality

Implements single concrete type usable both for registration
(Tracee engine) and read-only access (detectors via interface).

Initialize the datastore registry in Tracee.Init() and register core
datastores (process, container, symbol, dns) for access by detectors
and extensions. Kernel symbol store uses an adapter to support runtime
hot-reload without stale references.

Add SystemStore interface and SystemInfo type to provide detectors
with read-only access to system metadata collected at startup.

SystemInfo includes:
- Architecture and kernel version
- Hostname and boot time
- OS distribution info (name, version, pretty name)
- Tracee version
- Init process namespaces

Design decisions:
- Single struct return for simplicity and forward compatibility
- Immutable data (collected once, never changes)
- Optional datastore (detectors opt-in via requirements)
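
One of the commit messages above says the kernel symbol store is registered through an adapter so that hot-reload leaves no stale references. A minimal sketch of that pattern follows; it is an added example, not code from this PR, and `symbolTable`, `snapshotStore`, `Adapter`, `Reload`, the `GetSymbolAddress` signature and the addresses are all assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sync/atomic"
)

// symbolTable is a constructed stand-in for one parsed snapshot of kernel symbols.
type symbolTable map[string]uint64

// snapshotStore wraps one table directly, so registering it pins that snapshot.
type snapshotStore struct{ table symbolTable }

func (s snapshotStore) GetSymbolAddress(name string) (uint64, error) {
	return lookup(s.table, name)
}

// Adapter is registered once and always reads whichever table is current.
type Adapter struct{ current atomic.Pointer[symbolTable] }

func NewAdapter(t symbolTable) *Adapter {
	a := &Adapter{}
	a.Reload(t)
	return a
}

// Reload publishes a new table; readers see the old or the new one, never a mix.
func (a *Adapter) Reload(t symbolTable) { a.current.Store(&t) }

// GetSymbolAddress: method name from the PR text, signature assumed.
func (a *Adapter) GetSymbolAddress(name string) (uint64, error) {
	return lookup(*a.current.Load(), name)
}

func lookup(t symbolTable, name string) (uint64, error) {
	if addr, ok := t[name]; ok {
		return addr, nil
	}
	return 0, fmt.Errorf("symbol %q not found", name)
}

func main() {
	boot := symbolTable{"do_sys_openat2": 0xffffffff81200000} // constructed addresses
	pinned, live := snapshotStore{boot}, NewAdapter(boot)
	live.Reload(symbolTable{"do_sys_openat2": 0xffffffff81200000, "late_module_fn": 0xffffffffc0001000})
	_, errPinned := pinned.GetSymbolAddress("late_module_fn")
	addr, _ := live.GetSymbolAddress("late_module_fn")
	fmt.Printf("pinned: %v\nadapter: %#x\n", errPinned, addr)
}
```
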

Copilot AI left a comment

Pull Request Overview

This PR introduces a unified DataStore API and registry infrastructure that provides read-only access to system state for detectors and extensions. It establishes a foundation layer for the upcoming detector framework by creating standardized interfaces and implementations for accessing process trees, containers, kernel symbols, DNS cache, system information, and syscall metadata.

Key Changes

  • Added API interfaces defining contracts for six datastore types (ProcessStore, ContainerStore, KernelSymbolStore, DNSStore, SystemStore, SyscallStore) with a unified Registry for centralized access
  • Implemented store wrappers around existing Tracee components with health monitoring, metrics tracking, and thread-safe access patterns
  • Integrated the registry into Tracee's initialization lifecycle with proper store registration and availability checks

Reviewed Changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| api/v1beta1/datastores/interfaces.go | Defines base DataStore interface and six specialized store interfaces with standardized error handling |
| api/v1beta1/datastores/registry.go | Registry interface for unified access to all datastores |
| api/v1beta1/datastores/types.go | Common data types and structures shared across datastores |
| pkg/datastores/registry.go | Thread-safe registry implementation with type-safe accessor methods |
| pkg/datastores/system/collector.go | System information collection at startup |
| pkg/datastores/system/store.go | Immutable system information store implementation |
| pkg/datastores/syscall/store.go | Syscall ID/name mapping store implementation |
| pkg/datastores/symbol/adapter.go | Adapter for hot-reloadable kernel symbol tables |
| pkg/datastores/symbol/store.go | Kernel symbol resolution with DataStore interface |
| pkg/datastores/process/store.go | Process tree access with DataStore interface |
| pkg/datastores/dns/store.go | DNS cache access with DataStore interface |
| pkg/datastores/container/store.go | Container information access with DataStore interface |
| pkg/ebpf/tracee.go | Integration of datastore registry into Tracee initialization |

Implement immutable SystemStore with collector, store, and tests.

Collector gathers system info using existing utilities (environment.GetOSInfo,
timeutil.GetBootTime, init namespaces from /proc/1/ns).

Store is always healthy with zero dynamic metrics (immutable read-only data).

Tests verify collection, interface implementation, and immutability.

Register system datastore in registry with System() accessor.

Collect system info at Tracee startup after timeutil.Init() and
register as optional datastore (non-critical for operation).

Implement a new SyscallStore datastore that provides:
- GetSyscallName(id int32): lookup syscall name by ID
- GetSyscallID(name string): lookup syscall ID by name

The store wraps events.Core and provides architecture-specific
syscall information (x86 vs ARM). Uses int32 for syscall IDs
to match kernel ABI and protobuf definitions.

This enables detectors to resolve syscall names without direct
access to internal pkg/events structures.

Includes comprehensive unit tests

codecov bot commented Nov 18, 2025

Codecov Report

❌ Patch coverage is 62.74194% with 231 lines in your changes missing coverage. Please review.
✅ Project coverage is 30.52%. Comparing base (034cbab) to head (242a5ec).
⚠️ Report is 10 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| pkg/datastores/symbol/store.go | 44.00% | 56 Missing ⚠️ |
| pkg/datastores/container/store.go | 63.21% | 31 Missing and 1 partial ⚠️ |
| pkg/datastores/process/store.go | 63.63% | 31 Missing and 1 partial ⚠️ |
| pkg/ebpf/tracee.go | 0.00% | 32 Missing ⚠️ |
| pkg/datastores/registry.go | 78.76% | 24 Missing ⚠️ |
| pkg/datastores/system/collector.go | 67.74% | 13 Missing and 7 partials ⚠️ |
| pkg/datastores/dns/store.go | 67.85% | 17 Missing and 1 partial ⚠️ |
| pkg/datastores/symbol/adapter.go | 0.00% | 16 Missing ⚠️ |
| pkg/datastores/container/containers.go | 0.00% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5054      +/-   ##
==========================================
+ Coverage   29.72%   30.52%   +0.79%     
==========================================
  Files         234      237       +3     
  Lines       26186    26171      -15     
==========================================
+ Hits         7785     7988     +203     
+ Misses      17864    17650     -214     
+ Partials      537      533       -4     

| Flag | Coverage Δ |
| --- | --- |
| unit | 30.52% <62.74%> (+0.79%) ⬆️ |

| Files with missing lines | Coverage Δ |
| --- | --- |
| pkg/datastores/dns/dnscache.go | 85.71% <ø> (ø) |
| pkg/datastores/process/proctree.go | 30.49% <ø> (-1.35%) ⬇️ |
| pkg/datastores/symbol/kernel.go | 82.89% <ø> (+3.94%) ⬆️ |
| pkg/datastores/syscall/store.go | 100.00% <100.00%> (ø) |
| pkg/datastores/system/store.go | 100.00% <100.00%> (ø) |
| pkg/datastores/container/containers.go | 0.00% <0.00%> (ø) |
| pkg/datastores/symbol/adapter.go | 0.00% <0.00%> (ø) |
| pkg/datastores/dns/store.go | 67.85% <67.85%> (ø) |
| pkg/datastores/system/collector.go | 67.74% <67.74%> (ø) |
| pkg/datastores/registry.go | 78.76% <78.76%> (ø) |

... and 4 more

... and 14 files with indirect coverage changes
