fix: use correct datasource fields for iouring events

[slashben]

Summary

The iouring event handler was accessing fields that don't exist in the iouring gadget datasource, causing a field not found warning on every single iouring event. On affected nodes this accounted for ~97% of all node-agent log lines (~6249 out of 6433).

Two field mismatches fixed:

• identifier → GetComm(): The rule policy reporter called GetIdentifier() for iouring events, but the iouring datasource has no identifier field. Changed to GetComm() (process name), matching the pattern used by exec, symlink, and hardlink events. This was the main source of log noise.

• flags_raw → flags: GetFlags() and GetFlagsRaw() accessed flags_raw, but the iouring gadget exposes flags (no _raw suffix). Also avoided applying decodeOpenFlags() (file open flags) to io_uring SQE flags.

Available iouring datasource fields (from iouring_test.go)

flags, opcode, proc, proc.comm, proc.creds, proc.creds.gid, proc.creds.uid,
proc.mntns_id, proc.parent, proc.parent.comm, proc.parent.pid, proc.parent.tid,
proc.pid, proc.tid, timestamp_raw

Note: no identifier or flags_raw in this list.

Test plan

• Deploy updated node-agent and confirm field not found warnings for iouring are gone
• Verify iouring rule alerts still fire correctly with proper comm and flags metadata
• Run existing unit tests (go test ./...)

Made with Cursor

Summary by CodeRabbit

• Bug Fixes
  • Improved accuracy of I/O event reporting by using the process command name instead of the prior identifier, yielding clearer event source info.
  • Enhanced parsing and reporting of event flags for I/O events: flag values are now returned in a consistent numeric format and zero/empty flags are omitted to reduce noise.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 25aad20f-f7dd-4285-987c-a24b68b70bce

📥 Commits

Reviewing files that changed from the base of the PR and between 4a316df and a0d19b6.

📒 Files selected for processing (1)

• pkg/utils/datasource_event.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/utils/datasource_event.go

---

📝 Walkthrough

Walkthrough

Replaced IoUring event reporting payload to use the event's comm (GetComm()) instead of identifier, and added IoUring-specific branching in GetFlags/GetFlagsRaw to read "flags" as uint32/string while preserving prior behavior for other event types.

Changes

Cohort / File(s)	Summary
IoUring event reporting pkg/containerwatcher/v2/event_handler_factory.go	Reporting of IoUring events now passes GetComm() instead of GetIdentifier() to the RulePolicyReporter.
Datasource flag handling pkg/utils/datasource_event.go	Added strconv import and IoUring-specific branches: GetFlags() reads "flags" as uint32 and returns a decimal string slice or nil; GetFlagsRaw() returns "flags" as uint32. Other event types continue using flags_raw decoding.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Refactor DatasourceEvent methods to suppress invalid field length warnings #739: Modifies the same GetFlags/GetFlagsRaw getters and IoUring-related field handling.
• Improve logging for DatasourceEvent field access errors, fix error_raw type #730: Adjusts pkg/utils/datasource_event.go behavior for the "flags" field and IoUring-specific accessors.

Suggested labels

release

Poem

🐰 Hopping swift through kernel streams,
I swap the name and tweak the beams,
Comm now calls where id once stood,
Flags split paths — both old and good,
A tiny change, the watcher gleams.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: fixing incorrect datasource field accesses in iouring event handling.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/iouring-event-field-mismatch

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/utils/datasource_event.go`:
- Around line 412-423: The GetFlags() accessor currently reads the io_uring
"flags" field as a string but the schema defines it as __u32; change the
IoUringEventType branch in GetFlags() to call
e.getFieldAccessor("flags").Uint32(e.Data), handle the zero/empty case, convert
the uint32 to a string (use strconv.FormatUint(uint64(val), 10)) and return it
as []string{...}; also add "strconv" to imports if missing. Ensure you reference
GetFlags(), IoUringEventType, and getFieldAccessor("flags") when making the
change.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8955cd9a-4c35-4a6e-8b40-5d2946225a9e

📥 Commits

Reviewing files that changed from the base of the PR and between f673d45 and 4a316df.

📒 Files selected for processing (2)

• pkg/containerwatcher/v2/event_handler_factory.go
• pkg/utils/datasource_event.go

[matthyx]

@slashben did you try deploying it in your cluster?

[matthyx]

thanks @slashben