[CWS] do not use the parent cgroup as a fallback (#49243)

[safchain]

Using the parent cgroup as a fallback when cgroup resolution fails is dangerous: a process may legitimately belong to a different cgroup than its parent (e.g. when a new container is being spawned), so inheriting the parent cgroup produces an incorrect association.

This is especially risky for remediation: if a policy action (such as killing a container) is triggered on an event whose cgroup was resolved from the parent, the remediation targets the wrong container, causing unintended disruption.

Remove the two parent-cgroup fallback paths. When cgroup resolution fails the entry is now simply dropped instead of being mis-attributed.

(cherry picked from commit 171ea79)

What does this PR do?

Motivation

Describe how you validated your changes

Additional Notes

[temporal-github-worker-1]

Backport evaluation pending.

This is a placeholder — AI evaluation coming soon.

Expectations for Agent Releases

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3702df0620

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Restore dentry-based cgroup resolution on cache miss

When AddPID receives a non-null cgroupContext and no existing cache entry matches, this branch now skips resolveAndPushNewCacheEntry and immediately falls back to FindCGroupContext(pid, pid). That drops valid associations for short-lived processes whose /proc cgroup lookup races/fails, even though we already have enough cgroup metadata (path key / resolved ID) from the event to create a correct cache entry. This is a behavioral regression from the previous logic and will increase missed cgroup/container attribution in normal process-start races.

Useful? React with 👍 / 👎.

[AliDatadog]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-04-16 12:20:49 UTC ℹ️ Start processing command /merge

---

2026-04-16 12:20:54 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in 7.78.x is approximately 1h (p90).

---

2026-04-16 12:23:51 UTC ℹ️ MergeQueue: Retrying because an high priority merge request needed to be processed first. No action is needed from your side.

---

2026-04-16 12:23:53 UTC ⚠️ MergeQueue: This merge request build was cancelled

sylvain.afchain@datadoghq.com cancelled this merge request build

[safchain]

/merge --cancel

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-04-16 12:23:45 UTC ℹ️ Start processing command /merge --cancel

[agent-platform-auto-pr]

Files inventory check summary

File checks results against ancestor a1446fd8:

Results for datadog-agent_7.78.0.git.11.9c57273.pipeline.107994590-1_amd64.deb:

No change detected

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 62eb6faf-d909-4ea5-a70c-fafa8a9307d3

Baseline: a1446fd
Comparison: 9c57273
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+2.87	[-0.21, +5.94]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+2.87	[-0.21, +5.94]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.42	[+0.19, +0.64]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	+0.38	[+0.25, +0.51]	1	Logs
➖	otlp_ingest_logs	memory utilization	+0.35	[+0.24, +0.45]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	+0.34	[+0.10, +0.57]	1	Logs bounds checks dashboard
➖	quality_gate_logs	% cpu utilization	+0.30	[-1.24, +1.83]	1	Logs bounds checks dashboard
➖	file_tree	memory utilization	+0.23	[+0.18, +0.28]	1	Logs
➖	ddot_metrics	memory utilization	+0.21	[+0.02, +0.39]	1	Logs
➖	ddot_logs	memory utilization	+0.14	[+0.08, +0.20]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	+0.10	[+0.04, +0.17]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	+0.08	[-0.06, +0.23]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	+0.06	[-0.33, +0.46]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.00	[-0.20, +0.20]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.11, +0.11]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.01	[-0.10, +0.08]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.01	[-0.21, +0.19]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	-0.03	[-0.20, +0.15]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.05	[-0.08, -0.01]	1	Logs bounds checks dashboard
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.05	[-0.49, +0.38]	1	Logs
➖	quality_gate_idle	memory utilization	-0.13	[-0.18, -0.08]	1	Logs bounds checks dashboard
➖	file_to_blackhole_0ms_latency	egress throughput	-0.15	[-0.61, +0.32]	1	Logs
➖	docker_containers_memory	memory utilization	-0.48	[-0.55, -0.41]	1	Logs
➖	otlp_ingest_metrics	memory utilization	-0.54	[-0.70, -0.39]	1	Logs

Bounds Checks: ❌ Failed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	705 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	280.39MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	730 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.19GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.23GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.21GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 = 3	bounds checks dashboard
❌	quality_gate_idle	memory_usage	9/10	175.06MiB > 175MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	2 ≤ 3	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	489.28MiB ≤ 550MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	206.20MiB ≤ 220MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	370.02 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	412.40MiB ≤ 475MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

❌ Failed. Some Quality Gates were violated.

• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 9/10 replicas passed. Failed 1 which is > 0. Gate FAILED.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.

[AliDatadog]

/merge

[gh-worker-devflow-routing-ef8351]

View all feedbacks in Devflow UI.

2026-04-16 13:51:06 UTC ℹ️ Start processing command /merge

---

2026-04-16 13:51:13 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in 7.78.x is approximately 1h (p90).

---

2026-04-16 14:44:45 UTC ℹ️ MergeQueue: This merge request was merged

[agent-platform-auto-pr]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor a1446fd
📊 Static Quality Gates Dashboard
🔗 SQG Job

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	-16.0 KiB (0.00% reduction)	747.697 → 747.682 → 753.380
✅	agent_deb_amd64_fips	-16.0 KiB (0.00% reduction)	704.574 → 704.558 → 713.900
✅	agent_rpm_amd64	-16.0 KiB (0.00% reduction)	747.681 → 747.665 → 753.350
✅	agent_rpm_amd64_fips	-16.0 KiB (0.00% reduction)	704.558 → 704.542 → 713.880
✅	agent_rpm_arm64	-16.0 KiB (0.00% reduction)	726.060 → 726.044 → 735.290
✅	agent_rpm_arm64_fips	-12.0 KiB (0.00% reduction)	685.969 → 685.958 → 696.840
✅	agent_suse_amd64	-16.0 KiB (0.00% reduction)	747.681 → 747.665 → 753.350
✅	agent_suse_amd64_fips	-16.0 KiB (0.00% reduction)	704.558 → 704.542 → 713.880
✅	agent_suse_arm64	-16.0 KiB (0.00% reduction)	726.060 → 726.044 → 735.290
✅	agent_suse_arm64_fips	-12.0 KiB (0.00% reduction)	685.969 → 685.958 → 696.840
✅	docker_agent_amd64	-16.0 KiB (0.00% reduction)	807.991 → 807.976 → 815.700
✅	docker_agent_arm64	-16.0 KiB (0.00% reduction)	811.140 → 811.125 → 821.970
✅	docker_agent_jmx_amd64	-15.98 KiB (0.00% reduction)	998.907 → 998.891 → 1006.580
✅	docker_agent_jmx_arm64	-16.0 KiB (0.00% reduction)	990.834 → 990.819 → 1001.570

17 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_heroku_amd64	309.529 MiB
✅	agent_msi	599.770 MiB
✅	docker_cluster_agent_amd64	205.404 MiB
✅	docker_cluster_agent_arm64	219.742 MiB
✅	docker_cws_instrumentation_amd64	7.142 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	39.222 MiB
✅	docker_dogstatsd_arm64	37.436 MiB
✅	dogstatsd_deb_amd64	29.874 MiB
✅	dogstatsd_deb_arm64	28.027 MiB
✅	dogstatsd_rpm_amd64	29.874 MiB
✅	dogstatsd_suse_amd64	29.874 MiB
✅	iot_agent_deb_amd64	43.257 MiB
✅	iot_agent_deb_arm64	40.308 MiB
✅	iot_agent_deb_armhf	41.052 MiB
✅	iot_agent_rpm_amd64	43.258 MiB
✅	iot_agent_suse_amd64	43.258 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	neutral	174.051 MiB → 178.360
✅	agent_deb_amd64_fips	-6.8 KiB (0.00% reduction)	164.789 → 164.782 → 172.790
✅	agent_heroku_amd64	-7.18 KiB (0.01% reduction)	74.453 → 74.446 → 79.970
✅	agent_msi	+24.0 KiB (0.02% increase)	137.664 → 137.688 → 146.220
✅	agent_rpm_amd64	+24.49 KiB (0.01% increase)	176.814 → 176.838 → 181.830
✅	agent_rpm_amd64_fips	+27.11 KiB (0.02% increase)	166.710 → 166.737 → 173.370
✅	agent_rpm_arm64	neutral	158.885 MiB → 163.060
✅	agent_rpm_arm64_fips	neutral	150.734 MiB → 156.170
✅	agent_suse_amd64	+24.49 KiB (0.01% increase)	176.814 → 176.838 → 181.830
✅	agent_suse_amd64_fips	+27.11 KiB (0.02% increase)	166.710 → 166.737 → 173.370
✅	agent_suse_arm64	neutral	158.885 MiB → 163.060
✅	agent_suse_arm64_fips	neutral	150.734 MiB → 156.170
✅	docker_agent_amd64	-2.04 KiB (0.00% reduction)	267.245 → 267.243 → 272.480
✅	docker_agent_arm64	-8.98 KiB (0.00% reduction)	254.450 → 254.441 → 261.060
✅	docker_agent_jmx_amd64	+9.19 KiB (0.00% increase)	335.890 → 335.899 → 341.100
✅	docker_agent_jmx_arm64	-10.09 KiB (0.00% reduction)	319.085 → 319.075 → 325.620
✅	docker_cluster_agent_amd64	neutral	71.970 MiB → 72.920
✅	docker_cluster_agent_arm64	neutral	67.539 MiB → 68.220
✅	docker_cws_instrumentation_amd64	neutral	2.999 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.729 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	15.162 MiB → 15.820
✅	docker_dogstatsd_arm64	neutral	14.477 MiB → 14.830
✅	dogstatsd_deb_amd64	neutral	7.891 MiB → 8.790
✅	dogstatsd_deb_arm64	neutral	6.776 MiB → 7.710
✅	dogstatsd_rpm_amd64	neutral	7.903 MiB → 8.800
✅	dogstatsd_suse_amd64	neutral	7.903 MiB → 8.800
✅	iot_agent_deb_amd64	neutral	11.396 MiB → 12.040
✅	iot_agent_deb_arm64	neutral	9.699 MiB → 10.450
✅	iot_agent_deb_armhf	neutral	9.936 MiB → 10.620
✅	iot_agent_rpm_amd64	+2.58 KiB (0.02% increase)	11.411 → 11.414 → 12.060
✅	iot_agent_suse_amd64	+2.58 KiB (0.02% increase)	11.411 → 11.414 → 12.060