[DONT TOUCH]agv15 to master chanes

.github/workflows/main.yml

@@ -36,7 +36,16 @@ on:
         options: 
           - legacy
           - ebpf
-        default: legacy  
+        default: legacy
+      Architecture:
+        description: "The target architecture(s) for the Docker image."
+        required: true
+        type: choice
+        options:
+          - both
+          - arm64
+          - amd64
+        default: both
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -82,11 +91,19 @@ jobs:
           ECR_REPOSITORY: akto-api-security
           REGISTRY_ALIAS: p7q3h0z2
           IMAGE_TAG: ${{ github.event.inputs.Tag }}
+          ARCH_INPUT: ${{ github.event.inputs.Architecture }}
         run: |
           # Build a docker container and push it to DockerHub 
           docker buildx create --use
-          echo "Building and Pushing image to ECR..."
-          docker buildx build --platform linux/arm64/v8,linux/amd64 -t $ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG . --push
+          if [ "$ARCH_INPUT" == "arm64" ]; then
+            PLATFORM="linux/arm64/v8"
+          elif [ "$ARCH_INPUT" == "amd64" ]; then
+            PLATFORM="linux/amd64"
+          else
+            PLATFORM="linux/arm64/v8,linux/amd64"
+          fi
+          echo "Building and Pushing image to ECR with platform: $PLATFORM"
+          docker buildx build --platform $PLATFORM -t $ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG . --push
           echo "::set-output name=image::$ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG"
 
       - name: Build, tag, and push the image to Amazon ECR -ebpf
@@ -97,11 +114,19 @@ jobs:
           ECR_REPOSITORY: akto-api-security
           REGISTRY_ALIAS: p7q3h0z2
           IMAGE_TAG: ${{ github.event.inputs.EbpfTag }}
+          ARCH_INPUT: ${{ github.event.inputs.Architecture }}
         run: |
           # Build a docker container and push it to DockerHub 
           docker buildx create --use
-          echo "Building and Pushing image to ECR..."
-          docker buildx build --platform linux/arm64/v8,linux/amd64 -t $ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG -f Dockerfile.eBPF . --push
+          if [ "$ARCH_INPUT" == "arm64" ]; then
+            PLATFORM="linux/arm64/v8"
+          elif [ "$ARCH_INPUT" == "amd64" ]; then
+            PLATFORM="linux/amd64"
+          else
+            PLATFORM="linux/arm64/v8,linux/amd64"
+          fi
+          echo "Building and Pushing image to ECR with platform: $PLATFORM"
+          docker buildx build --platform $PLATFORM -t $ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG -f Dockerfile.eBPF . --push
           echo "::set-output name=image::$ECR_REGISTRY/$REGISTRY_ALIAS/mirror-api-logging:$IMAGE_TAG"
 
   build-docker:
@@ -136,11 +161,19 @@ jobs:
         env:
           ECR_REGISTRY: aktosecurity
           IMAGE_TAG: ${{ github.event.inputs.Tag }}
+          ARCH_INPUT: ${{ github.event.inputs.Architecture }}
         run: |
           # Build a docker container and push it to DockerHub 
           docker buildx create --use
-          echo "Building and Pushing image to DockerHub..."
-          docker buildx build --platform linux/arm64/v8,linux/amd64 -t $ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG . --push
+          if [ "$ARCH_INPUT" == "arm64" ]; then
+            PLATFORM="linux/arm64/v8"
+          elif [ "$ARCH_INPUT" == "amd64" ]; then
+            PLATFORM="linux/amd64"
+          else
+            PLATFORM="linux/arm64/v8,linux/amd64"
+          fi
+          echo "Building and Pushing image to DockerHub with platform: $PLATFORM"
+          docker buildx build --platform $PLATFORM -t $ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG . --push
           echo "::set-output name=image::$ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG"
 
       - name: Build, tag, and push the image to DockerHub - ebpf
@@ -149,9 +182,17 @@ jobs:
         env:
           ECR_REGISTRY: aktosecurity
           IMAGE_TAG: ${{ github.event.inputs.EbpfTag }}
+          ARCH_INPUT: ${{ github.event.inputs.Architecture }}
         run: |
           # Build a docker container and push it to DockerHub 
           docker buildx create --use
-          echo "Building and Pushing image to DockerHub..."
-          docker buildx build --platform linux/arm64/v8,linux/amd64 -t $ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG -f Dockerfile.eBPF . --push
+          if [ "$ARCH_INPUT" == "arm64" ]; then
+            PLATFORM="linux/arm64/v8"
+          elif [ "$ARCH_INPUT" == "amd64" ]; then
+            PLATFORM="linux/amd64"
+          else
+            PLATFORM="linux/arm64/v8,linux/amd64"
+          fi
+          echo "Building and Pushing image to DockerHub with platform: $PLATFORM"
+          docker buildx build --platform $PLATFORM -t $ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG -f Dockerfile.eBPF . --push
           echo "::set-output name=image::$ECR_REGISTRY/mirror-api-logging:$IMAGE_TAG"

.gitignore

@@ -2,4 +2,5 @@ mirroring-api-logging
 .idea/
 **/.vscode/
 temp
-**temp
+**temp
+data-*

Dockerfile.eBPF

@@ -1,12 +1,12 @@
-FROM alpine:3.21 AS base
+FROM alpine:3.22 AS base
 
 USER root
 RUN apk add bcc-tools bcc-dev bcc-doc linux-headers build-base
 
 FROM base AS builder
 
 # Install Go based on architecture
-ARG GO_VERSION=1.24.3
+ARG GO_VERSION=1.25.8
 ARG TARGETARCH
 
 RUN if [ "$TARGETARCH" = "arm64" ]; then \

ebpf-run.sh

@@ -1,8 +1,13 @@
 #!/bin/sh
 
-LOG_FILE="/tmp/dump.log"
+LOG_FILE=${LOG_FILE:-/tmp/dump.log}
 MAX_LOG_SIZE=${MAX_LOG_SIZE:-10485760}  # Default to 10 MB if not set (10 MB = 10 * 1024 * 1024 bytes)
-CHECK_INTERVAL=60                        # Check interval in seconds
+CHECK_INTERVAL=${CHECK_INTERVAL:-60}
+CHECK_INTERVAL_MEM=${CHECK_INTERVAL_MEM:-5}     # Check interval in seconds (configurable via env)
+MEMORY_THRESHOLD=${MEMORY_THRESHOLD:-85} # Kill process at this % memory usage (configurable via env)
+GOMEMLIMIT_PERCENT=${GOMEMLIMIT_PERCENT:-60} # GOMEMLIMIT as % of container memory limit (configurable via env)
+AKTO_SUPPRESS_TRACE=${AKTO_SUPPRESS_TRACE:-true}
+CRASH_RESTART_BACKOFF_SECONDS=${CRASH_RESTART_BACKOFF_SECONDS:-10}
 
 # Function to rotate the log file
 rotate_log() {
@@ -14,6 +19,39 @@ rotate_log() {
     fi
 }
 
+# Function to check memory usage and kill process if threshold exceeded
+check_memory_and_kill() {
+    # Resolve container's cgroup path (needed when hostPID: true shifts cgroup root)
+    CGROUP_BASE=$(cut -d: -f3 /proc/self/cgroup | head -1)
+
+    # Get current memory usage in bytes
+    if [ -f "/sys/fs/cgroup${CGROUP_BASE}/memory.current" ]; then
+        # cgroup v2 with hostPID
+        CURRENT_MEM=$(cat "/sys/fs/cgroup${CGROUP_BASE}/memory.current")
+    elif [ -f /sys/fs/cgroup/memory.current ]; then
+        # cgroup v2 normal
+        CURRENT_MEM=$(cat /sys/fs/cgroup/memory.current)
+    elif [ -f "/sys/fs/cgroup${CGROUP_BASE}/memory.usage_in_bytes" ]; then
+        # cgroup v1 with hostPID
+        CURRENT_MEM=$(cat "/sys/fs/cgroup${CGROUP_BASE}/memory.usage_in_bytes")
+    elif [ -f /sys/fs/cgroup/memory/memory.usage_in_bytes ]; then
+        # cgroup v1 normal
+        CURRENT_MEM=$(cat /sys/fs/cgroup/memory/memory.usage_in_bytes)
+    else
+        return
+    fi
+
+    # Calculate percentage used
+    PERCENT_USED=$((CURRENT_MEM * 100 / MEM_LIMIT_BYTES))
+
+    echo "Memory usage: ${PERCENT_USED}% (${CURRENT_MEM} / ${MEM_LIMIT_BYTES} bytes)"
+
+    if [ "$PERCENT_USED" -ge "$MEMORY_THRESHOLD" ]; then
+        echo "Memory threshold ${MEMORY_THRESHOLD}% exceeded (${PERCENT_USED}%), killing ebpf-logging process"
+        pkill -9 ebpf-logging
+    fi
+}
+
 # Start monitoring in the background
 if [[ "${ENABLE_LOGS}" == "false" ]]; then
     while true; do
@@ -22,12 +60,128 @@ if [[ "${ENABLE_LOGS}" == "false" ]]; then
     done &
 fi
 
-while :
-do
-if [[ "${ENABLE_LOGS}" == "false" ]]; then
-    ./ebpf-logging >> "$LOG_FILE" 2>&1 
+# 1. Check if MEM_LIMIT is provided as env variable
+if [ -z "$MEM_LIMIT" ]; then
+    # Resolve container's cgroup path (needed when hostPID: true shifts cgroup root)
+    CGROUP_BASE=$(cut -d: -f3 /proc/self/cgroup | head -1)
+
+    # Not provided, detect and read cgroup memory limits
+    if [ -f "/sys/fs/cgroup${CGROUP_BASE}/memory.max" ]; then
+        # cgroup v2 with hostPID
+        MEM_LIMIT_BYTES=$(cat "/sys/fs/cgroup${CGROUP_BASE}/memory.max")
+    elif [ -f /sys/fs/cgroup/memory.max ]; then
+        # cgroup v2 normal
+        MEM_LIMIT_BYTES=$(cat /sys/fs/cgroup/memory.max)
+    elif [ -f "/sys/fs/cgroup${CGROUP_BASE}/memory.limit_in_bytes" ]; then
+        # cgroup v1 with hostPID
+        MEM_LIMIT_BYTES=$(cat "/sys/fs/cgroup${CGROUP_BASE}/memory.limit_in_bytes")
+    elif [ -f /sys/fs/cgroup/memory/memory.limit_in_bytes ]; then
+        # cgroup v1 normal
+        MEM_LIMIT_BYTES=$(cat /sys/fs/cgroup/memory/memory.limit_in_bytes)
+    else
+        # Fallback to free -b (bytes) if cgroup file not found
+        echo "Neither cgroup v2 nor v1 memory file found, defaulting to free -b"
+        MEM_LIMIT_BYTES=$(free -b | awk '/Mem:/ {print $2}')
+    fi
+
+    # 2. Handle edge cases: "max" (cgroup v2) or 9223372036854775807 (cgroup v1 INT64_MAX) mean no limit
+    if [ "$MEM_LIMIT_BYTES" = "max" ] || [ "$MEM_LIMIT_BYTES" = "9223372036854775807" ]; then
+        echo "Cgroup memory limit is unlimited, defaulting to free memory"
+        MEM_LIMIT_BYTES=$(free -b | awk '/Mem:/ {print $2}')
+    fi
+
+    # 3. Convert the memory limit from bytes to MB (integer division)
+    MEM_LIMIT_MB=$((MEM_LIMIT_BYTES / 1024 / 1024))
 else
-    ./ebpf-logging
+    # MEM_LIMIT provided as env variable, treat as MB
+    echo "Using MEM_LIMIT from environment variable: ${MEM_LIMIT} MB"
+    MEM_LIMIT_MB=$MEM_LIMIT
+    # Convert MB to bytes for calculations
+    MEM_LIMIT_BYTES=$((MEM_LIMIT * 1024 * 1024))
 fi
-    sleep 2
+
+echo "Using container memory limit: ${MEM_LIMIT_MB} MB"
+
+# Set GOMEMLIMIT for the Go process
+GOMEMLIMIT_MB=$((MEM_LIMIT_MB * GOMEMLIMIT_PERCENT / 100))
+export GOMEMLIMIT="${GOMEMLIMIT_MB}MiB"
+echo "Setting GOMEMLIMIT to: ${GOMEMLIMIT} (${GOMEMLIMIT_PERCENT}% of ${MEM_LIMIT_MB} MB)"
+
+# ENABLE_LOGS (same intent as always):
+#   false -> append ebpf stdout+stderr to LOG_FILE (2>&1), not primary container streams.
+#   true  (or anything else) -> ebpf inherits container stdout/stderr (kubectl logs).
+# AKTO_SUPPRESS_TRACE=true -> optional stderr-only SIGSEGV/cgo filter; when off, file mode matches legacy exactly.
+run_ebpf_once() {
+	log_to_file=false
+	[[ "${ENABLE_LOGS}" == "false" ]] && log_to_file=true
+
+	# Legacy path: single merged stream, no FIFO.
+	if [ "${AKTO_SUPPRESS_TRACE}" != "true" ]; then
+		if [ "$log_to_file" = "true" ]; then
+			./ebpf-logging >> "$LOG_FILE" 2>&1
+		else
+			./ebpf-logging
+		fi
+		return $?
+	fi
+
+	# Filter path: stderr only through awk; stdout unchanged. FIFO connects ebpf stderr -> awk reader.
+	ERRPIPE="/tmp/ebpf-stderr-$$"
+	rm -f "$ERRPIPE"
+	if ! mkfifo "$ERRPIPE"; then
+		return 1
+	fi
+
+	to_logfile=0
+	[ "$log_to_file" = "true" ] && to_logfile=1
+
+	awk -v to_logfile="$to_logfile" -v logf="$LOG_FILE" '
+	BEGIN { quiet = 0 }
+	/^SIGSEGV:/ || /^signal arrived during cgo execution/ {
+		if (!quiet) {
+			msg = "SIGSEGV/cgo crash (multi-line trace suppressed; set AKTO_SUPPRESS_TRACE=false for full output)"
+			if (to_logfile) print msg >> logf
+			else print msg > "/dev/stderr"
+		}
+		quiet = 1
+		next
+	}
+	quiet { next }
+	{
+		if (to_logfile) print >> logf
+		else print > "/dev/stderr"
+	}
+	' < "$ERRPIPE" &
+	AWKPID=$!
+
+	if [ "$log_to_file" = "true" ]; then
+		./ebpf-logging >> "$LOG_FILE" 2>"$ERRPIPE"
+	else
+		./ebpf-logging 2>"$ERRPIPE"
+	fi
+	ebpf_exit=$?
+	wait "$AWKPID" 2>/dev/null
+	rm -f "$ERRPIPE"
+	return "$ebpf_exit"
+}
+
+# Start memory monitoring in the background
+while true; do
+    check_memory_and_kill
+    sleep "$CHECK_INTERVAL_MEM"
+done &
+
+while :
+do
+	# Source environment file if it exists (contains vars set by processCommandMessage)
+	if [ -f /ebpf/.env ]; then
+		set -a
+		source /ebpf/.env
+		set +a
+	fi
+
+	run_ebpf_once
+	ebpf_exit=$?
+
+	sleep "${CRASH_RESTART_BACKOFF_SECONDS}"
 done

ebpf/bpfwrapper/eventCallbacks.go

@@ -178,6 +178,7 @@ func SocketDataEventCallback(inputChan chan []byte, connectionFactory *connectio
 			"data", dataStr,
 			"rc", event.Attr.ReadEventsCount,
 			"wc", event.Attr.WriteEventsCount,
-			"ssl", event.Attr.Ssl)
+			"ssl", event.Attr.Ssl,
+			"bytesSent", bytesSent)
 	}
 }