207 changes: 150 additions & 57 deletions docs/cloud-workload-security/backend_linux.md
Expand Up @@ -330,21 +330,6 @@ Workload Protection events for Linux systems have the following JSON schema:
"type": "object",
"description": "ContainerContextSerializer serializes a container context to JSON"
},
"DDContext": {
"properties": {
"span_id": {
"type": "string",
"description": "Span ID used for APM correlation"
},
"trace_id": {
"type": "string",
"description": "Trace ID used for APM correlation"
}
},
"additionalProperties": false,
"type": "object",
"description": "DDContextSerializer serializes a span context to JSON"
},
"DNSEvent": {
"properties": {
"id": {
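Review bot: dropping the `DDContext` definition is only safe if no other `$ref` to `#/$defs/DDContext` survives in the schema; the only consumer updated in this diff is the top-level `dd` field at @@ -2445, so please confirm (e.g. grep the generated file for `DDContext`) that nothing else, including the `#ddcontext` anchor in the top-level field table, still points at the removed definition.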
Expand Down Expand Up @@ -1498,8 +1483,8 @@ Workload Protection events for Linux systems have the following JSON schema:
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
"$ref": "#/$defs/Tracer",
"description": "Tracer bundles the per-process APM tracer state: the captured span\n(trace_id / span_id / attributes) under \"trace\", and the tracer\nmetadata under \"metadata\". For a process that fork+exec'd a\nsubprocess, .trace carries the parent's span captured by\nfill_span_context at sched_process_fork; the top-level event\n\"dd\"/\"trace\" fields are built by newTraceSerializer which walks the\nancestor lineage to find the same value."
},
"variables": {
"$ref": "#/$defs/Variables",
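Review bot: the new `tracer` description puts implementation detail into a user-facing schema document: `fill_span_context`, `sched_process_fork` and `newTraceSerializer` are names from the agent's Go/eBPF code and mean nothing to a reader of backend_linux.md who is mapping event fields. It also carries embedded `\n`, which is what breaks the `Process` and `ProcessContext` field tables later in this diff. Since these descriptions appear to be lifted verbatim from the serializer doc comments (they name `TracerSerializer` and `newTraceSerializer`), trim the source comment to one line, for example `Per-process APM tracer state: the captured span context under "trace" and the tracer metadata under "metadata"`, and keep the fork/lineage explanation as an ordinary code comment the schema generator does not pick up. Same for the identical hunks at @@ -1681, @@ -4747 and @@ -4989.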
Expand Down Expand Up @@ -1681,8 +1666,8 @@ Workload Protection events for Linux systems have the following JSON schema:
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
"$ref": "#/$defs/Tracer",
"description": "Tracer bundles the per-process APM tracer state: the captured span\n(trace_id / span_id / attributes) under \"trace\", and the tracer\nmetadata under \"metadata\". For a process that fork+exec'd a\nsubprocess, .trace carries the parent's span captured by\nfill_span_context at sched_process_fork; the top-level event\n\"dd\"/\"trace\" fields are built by newTraceSerializer which walks the\nancestor lineage to find the same value."
},
"variables": {
"$ref": "#/$defs/Variables",
Expand Down Expand Up @@ -2279,6 +2264,43 @@ Workload Protection events for Linux systems have the following JSON schema:
"type": "object",
"description": "TLSContextSerializer defines a tls context serializer"
},
"Trace": {
"properties": {
"span_id": {
"type": "string",
"description": "Span ID used for APM correlation"
},
"trace_id": {
"type": "string",
"description": "Trace ID used for APM correlation"
},
"attributes": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"description": "Custom OTel thread-local attributes from the span context"
}
},
"additionalProperties": false,
"type": "object",
"description": "TraceSerializer serializes a span context to JSON"
},
"Tracer": {
"properties": {
"trace": {
"$ref": "#/$defs/Trace",
"description": "Captured APM span context for this process."
},
"metadata": {
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation (schema version, language,\nversion, thread-local attribute keys, ...)."
}
},
"additionalProperties": false,
"type": "object",
"description": "TracerSerializer groups the per-process APM tracer information surfaced under the \"tracer\" key in the serialized process: the captured span context (.trace) and the static tracer metadata (.metadata)."
},
"TracerMetadata": {
"properties": {
"schema_version": {
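Review bot: `Trace.attributes` is an open `additionalProperties: string` map described as "Custom OTel thread-local attributes from the span context", i.e. key/value strings that originate in the instrumented process, but neither this definition nor `TracerMetadata.threadlocal_attribute_keys` states whether the key set is restricted to the keys listed in the metadata, or whether the number and length of entries are capped. Consumers writing SIEM field mappings or detection rules keyed on `trace.attributes` need that documented. Minor consistency points in the same hunk: `Tracer.trace` ends with a period and `Tracer.metadata` contains an embedded `\n` while every neighbouring description is a single unterminated line, and the Go-style `.trace` / `.metadata` in the `Tracer` description should read `trace` / `metadata` to match the JSON keys.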
Expand Down Expand Up @@ -2313,6 +2335,12 @@ Workload Protection events for Linux systems have the following JSON schema:
},
"logs_collected": {
"type": "boolean"
},
"threadlocal_attribute_keys": {
"items": {
"type": "string"
},
"type": "array"
}
},
"additionalProperties": false,
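Review bot: `threadlocal_attribute_keys` is added without a `description`, so the generated `TracerMetadata` field table will show an empty cell for it and the only hint at its meaning is the parenthetical "thread-local attribute keys" in `Tracer.metadata`. Add a one-line description stating what the keys are and how they relate to `Trace.attributes` (for instance whether `attributes` can only contain keys listed here). Same for the duplicate hunk at @@ -5980.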
Expand Down Expand Up @@ -2445,7 +2473,12 @@ Workload Protection events for Linux systems have the following JSON schema:
"$ref": "#/$defs/NetworkContext"
},
"dd": {
"$ref": "#/$defs/DDContext"
"$ref": "#/$defs/Trace",
"description": "DD holds the APM correlation span context under the \"dd\" key, the\nshape the Datadog backend expects at ingest. This field is consumed\nby the intake and not surfaced back to end users."
},
"trace": {
"$ref": "#/$defs/Trace",
"description": "Trace is the same span/trace/attributes payload, exposed under a\nuser-facing key. Built from newTraceSerializer just like the \"dd\"\nfield above \u2014 the two pointers reference the same serializer\ninstance, so the two views can never drift."
},
"security_profile": {
"$ref": "#/$defs/SecurityProfileContext"
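Review bot: the `dd` description says the field "is consumed by the intake and not surfaced back to end users", yet this is the user-facing schema document, so the two cannot both be true: either `dd` is present in the JSON users receive, in which case the description should say plainly that it duplicates `trace` and is kept for backend compatibility, or it is stripped at intake and should be excluded from the published schema. The `trace` description again explains the implementation ("newTraceSerializer", "the two pointers reference the same serializer instance") rather than the field, and the `\u2014` escape will render as a literal em dash inside the JSON string in the docs. Suggested wording: `dd`: "Same span context as `trace`; retained for backend compatibility", `trace`: "APM span context (trace_id, span_id, attributes) correlated with this event". Since the same payload is now emitted twice per event, the doc should also say so, so that sizing and retention estimates for the event stream account for it.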
Expand Down Expand Up @@ -2554,7 +2587,8 @@ Workload Protection events for Linux systems have the following JSON schema:
| `container` | $ref | Please see [ContainerContext](#containercontext) |
| `signature` | string | |
| `network` | $ref | Please see [NetworkContext](#networkcontext) |
| `dd` | $ref | Please see [DDContext](#ddcontext) |
| `dd` | $ref | Please see [Trace](#trace) |
| `trace` | $ref | Please see [Trace](#trace) |
| `security_profile` | $ref | Please see [SecurityProfileContext](#securityprofilecontext) |
| `cgroup` | $ref | Please see [CGroupContext](#cgroupcontext) |
| `selinux` | $ref | Please see [SELinuxEvent](#selinuxevent) |
Expand Down Expand Up @@ -3097,34 +3131,6 @@ Workload Protection events for Linux systems have the following JSON schema:
| ---------- |
| [Variables](#variables) |

## `DDContext`


{{< code-block lang="json" collapsible="true" >}}
{
"properties": {
"span_id": {
"type": "string",
"description": "Span ID used for APM correlation"
},
"trace_id": {
"type": "string",
"description": "Trace ID used for APM correlation"
}
},
"additionalProperties": false,
"type": "object",
"description": "DDContextSerializer serializes a span context to JSON"
}

{{< /code-block >}}

| Field | Description |
| ----- | ----------- |
| `span_id` | Span ID used for APM correlation |
| `trace_id` | Trace ID used for APM correlation |


## `DNSEvent`


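Review bot: deleting the `## DDContext` section also removes the `#ddcontext` anchor that the old top-level field table row linked to, so any external bookmark or other docs page linking to `backend_linux.md#ddcontext` will now land at the top of the page. If the docs site supports anchor aliases or redirects, point `#ddcontext` at `#trace`; otherwise call out the rename wherever this page's changes are announced.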
Expand Down Expand Up @@ -4747,8 +4753,8 @@ Workload Protection events for Linux systems have the following JSON schema:
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
"$ref": "#/$defs/Tracer",
"description": "Tracer bundles the per-process APM tracer state: the captured span\n(trace_id / span_id / attributes) under \"trace\", and the tracer\nmetadata under \"metadata\". For a process that fork+exec'd a\nsubprocess, .trace carries the parent's span captured by\nfill_span_context at sched_process_fork; the top-level event\n\"dd\"/\"trace\" fields are built by newTraceSerializer which walks the\nancestor lineage to find the same value."
},
"variables": {
"$ref": "#/$defs/Variables",
Expand Down Expand Up @@ -4806,7 +4812,13 @@ Workload Protection events for Linux systems have the following JSON schema:
| `source` | Process source |
| `syscalls` | List of syscalls captured to generate the event |
| `aws_security_credentials` | List of AWS Security Credentials that the process had access to |
| `tracer` | Metadata from APM tracer instrumentation |
| `tracer` | Tracer bundles the per-process APM tracer state: the captured span
(trace_id / span_id / attributes) under "trace", and the tracer
metadata under "metadata". For a process that fork+exec'd a
subprocess, .trace carries the parent's span captured by
fill_span_context at sched_process_fork; the top-level event
"dd"/"trace" fields are built by newTraceSerializer which walks the
ancestor lineage to find the same value. |
| `variables` | Variable values |

| References |
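Review bot: the `tracer` row of the `Process` field table now spans seven lines because the generated description contains newlines; a Markdown table row cannot continue onto the next line, so everything from "(trace_id / span_id / attributes)" through "ancestor lineage to find the same value. |" renders as loose text below a truncated table. Fix it at the source (a single-line doc comment, or have the generator replace `\n` with a space when emitting table cells). The same breakage recurs in the `ProcessContext` table at @@ -5063 and in the `Tracer` table's `metadata` row at @@ -5942.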
Expand All @@ -4817,7 +4829,7 @@ Workload Protection events for Linux systems have the following JSON schema:
| [CGroupContext](#cgroupcontext) |
| [ContainerContext](#containercontext) |
| [SyscallsEvent](#syscallsevent) |
| [TracerMetadata](#tracermetadata) |
| [Tracer](#tracer) |
| [Variables](#variables) |

## `ProcessContext`
Expand Down Expand Up @@ -4989,8 +5001,8 @@ Workload Protection events for Linux systems have the following JSON schema:
"description": "List of AWS Security Credentials that the process had access to"
},
"tracer": {
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation"
"$ref": "#/$defs/Tracer",
"description": "Tracer bundles the per-process APM tracer state: the captured span\n(trace_id / span_id / attributes) under \"trace\", and the tracer\nmetadata under \"metadata\". For a process that fork+exec'd a\nsubprocess, .trace carries the parent's span captured by\nfill_span_context at sched_process_fork; the top-level event\n\"dd\"/\"trace\" fields are built by newTraceSerializer which walks the\nancestor lineage to find the same value."
},
"variables": {
"$ref": "#/$defs/Variables",
Expand Down Expand Up @@ -5063,7 +5075,13 @@ Workload Protection events for Linux systems have the following JSON schema:
| `source` | Process source |
| `syscalls` | List of syscalls captured to generate the event |
| `aws_security_credentials` | List of AWS Security Credentials that the process had access to |
| `tracer` | Metadata from APM tracer instrumentation |
| `tracer` | Tracer bundles the per-process APM tracer state: the captured span
(trace_id / span_id / attributes) under "trace", and the tracer
metadata under "metadata". For a process that fork+exec'd a
subprocess, .trace carries the parent's span captured by
fill_span_context at sched_process_fork; the top-level event
"dd"/"trace" fields are built by newTraceSerializer which walks the
ancestor lineage to find the same value. |
| `variables` | Variable values |
| `parent` | Parent process |
| `ancestors` | Ancestor processes |
Expand All @@ -5077,7 +5095,7 @@ Workload Protection events for Linux systems have the following JSON schema:
| [CGroupContext](#cgroupcontext) |
| [ContainerContext](#containercontext) |
| [SyscallsEvent](#syscallsevent) |
| [TracerMetadata](#tracermetadata) |
| [Tracer](#tracer) |
| [Variables](#variables) |
| [Process](#process) |

Expand Down Expand Up @@ -5942,6 +5960,75 @@ Workload Protection events for Linux systems have the following JSON schema:



## `Trace`


{{< code-block lang="json" collapsible="true" >}}
{
"properties": {
"span_id": {
"type": "string",
"description": "Span ID used for APM correlation"
},
"trace_id": {
"type": "string",
"description": "Trace ID used for APM correlation"
},
"attributes": {
"additionalProperties": {
"type": "string"
},
"type": "object",
"description": "Custom OTel thread-local attributes from the span context"
}
},
"additionalProperties": false,
"type": "object",
"description": "TraceSerializer serializes a span context to JSON"
}

{{< /code-block >}}

| Field | Description |
| ----- | ----------- |
| `span_id` | Span ID used for APM correlation |
| `trace_id` | Trace ID used for APM correlation |
| `attributes` | Custom OTel thread-local attributes from the span context |


## `Tracer`


{{< code-block lang="json" collapsible="true" >}}
{
"properties": {
"trace": {
"$ref": "#/$defs/Trace",
"description": "Captured APM span context for this process."
},
"metadata": {
"$ref": "#/$defs/TracerMetadata",
"description": "Metadata from APM tracer instrumentation (schema version, language,\nversion, thread-local attribute keys, ...)."
}
},
"additionalProperties": false,
"type": "object",
"description": "TracerSerializer groups the per-process APM tracer information surfaced under the \"tracer\" key in the serialized process: the captured span context (.trace) and the static tracer metadata (.metadata)."
}

{{< /code-block >}}

| Field | Description |
| ----- | ----------- |
| `trace` | Captured APM span context for this process. |
| `metadata` | Metadata from APM tracer instrumentation (schema version, language,
version, thread-local attribute keys, ...). |

| References |
| ---------- |
| [Trace](#trace) |
| [TracerMetadata](#tracermetadata) |

## `TracerMetadata`


Expand Down Expand Up @@ -5980,6 +6067,12 @@ Workload Protection events for Linux systems have the following JSON schema:
},
"logs_collected": {
"type": "boolean"
},
"threadlocal_attribute_keys": {
"items": {
"type": "string"
},
"type": "array"
}
},
"additionalProperties": false,