[CWS] Use u64 image tag

[kovagsm]

What does this PR do?

Makes nodes use an u64 id representing the image tag to reduce the memory footprint.

Motivation

With Activity Profile v2, we create many more nodes in the activity tree and the memory footprint of using a map of string on each node becomes noticeable (on average ~ +15MiB heap).

Describe how you validated your changes

Additional Notes

[github-actions]

@codex review

[datadog-datadog-prod-us1]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 4 Pipeline jobs failed

DataDog/datadog-agent | kmt_run_secagent_tests_x64: [rocky_8.5, cws_host]     

🔧 Fix in code (Fix with Cursor).

2 tests failed: TestSSHUserSession and TestSSHUserSession/ssh_then_pwd. Exit code 42 from test command indicates failure without retrying.

DataDog/datadog-agent | files_inventory_check     

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration.

Failed to access key 'datadog-agent/static_quality_gates/GATE_REPORTS/61691af9d6c1a02449e9bd2333005ec9d9455949/agent_deb_amd64_size_report_61691af9.yml': not found (404)

Label analysis | release-note-check     

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration.

Release note not found for this PR. Please add one using 'reno' or apply the label 'changelog/no-changelog'.

View all 4 failed jobs.

ℹ️ Info

🎯 Code Coverage (details)
• Patch Coverage: 25.97%
• Overall Coverage: 50.48% (+0.12%)

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 8b77373 | Docs | Datadog PR Page | Give us feedback!}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7fe2ec9260

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor 120c1774:

Results for datadog-agent_7.81.0~devel.git.84.7f125d1.pipeline.114501129-1_amd64.deb:

No change detected

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 61691af
📊 Static Quality Gates Dashboard
🔗 SQG Job
SOME SIZE DELTAS ARE N/A (ANCESTOR METRICS NOT YET AVAILABLE). RETRY JOB

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	N/A	N/A → 745.267 → 750.800
✅	agent_deb_amd64_fips	N/A	N/A → 703.041 → 703.150
✅	agent_heroku_amd64	N/A	N/A → 310.138 → 314.260
✅	agent_rpm_amd64	N/A	N/A → 745.251 → 750.770
✅	agent_rpm_amd64_fips	N/A	N/A → 703.025 → 703.130
✅	agent_rpm_arm64	N/A	N/A → 722.807 → 724.500
✅	agent_rpm_arm64_fips	N/A	N/A → 683.743 → 684.870
✅	agent_suse_amd64	N/A	N/A → 745.251 → 750.770
✅	agent_suse_amd64_fips	N/A	N/A → 703.025 → 703.130
✅	agent_suse_arm64	N/A	N/A → 722.807 → 724.500
✅	agent_suse_arm64_fips	N/A	N/A → 683.743 → 684.870
✅	docker_agent_amd64	N/A	N/A → 805.408 → 806.340
✅	docker_agent_arm64	N/A	N/A → 807.786 → 810.120
✅	docker_agent_jmx_amd64	N/A	N/A → 996.328 → 997.060
✅	docker_agent_jmx_arm64	N/A	N/A → 987.484 → 989.800
✅	docker_cluster_agent_amd64	N/A	N/A → 206.995 → 207.710
✅	docker_cluster_agent_arm64	N/A	N/A → 220.952 → 221.210
✅	docker_cws_instrumentation_amd64	N/A	N/A → 7.154 → 7.190
✅	docker_cws_instrumentation_arm64	N/A	N/A → 6.689 → 6.920
✅	docker_dogstatsd_amd64	N/A	N/A → 39.487 → 39.560
✅	docker_dogstatsd_arm64	N/A	N/A → 37.690 → 38.080
✅	docker_host_profiler_amd64	N/A	N/A → 302.188 → 315.880
✅	docker_host_profiler_arm64	N/A	N/A → 313.676 → 327.470
✅	dogstatsd_deb_amd64	N/A	N/A → 30.143 → 30.790
✅	dogstatsd_deb_arm64	N/A	N/A → 28.268 → 29.290
✅	dogstatsd_rpm_amd64	N/A	N/A → 30.143 → 30.790
✅	dogstatsd_suse_amd64	N/A	N/A → 30.143 → 30.790
✅	iot_agent_deb_amd64	N/A	N/A → 44.578 → 45.230
✅	iot_agent_deb_arm64	N/A	N/A → 41.539 → 42.800
✅	iot_agent_deb_armhf	N/A	N/A → 42.247 → 42.960
✅	iot_agent_rpm_amd64	N/A	N/A → 44.578 → 45.230
✅	iot_agent_suse_amd64	N/A	N/A → 44.578 → 45.230

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: b5dd6266-9634-4baa-8868-9e954752aa5d

Baseline: b7c4f46
Comparison: 8b77373
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
❌	docker_containers_cpu	% cpu utilization	+5.39	[+2.36, +8.43]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
❌	docker_containers_cpu	% cpu utilization	+5.39	[+2.36, +8.43]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	+2.74	[+2.49, +3.00]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	+0.78	[+0.57, +0.99]	1	Logs
➖	otlp_ingest_logs	memory utilization	+0.52	[+0.42, +0.61]	1	Logs
➖	quality_gate_idle	memory utilization	+0.47	[+0.42, +0.52]	1	Logs bounds checks dashboard
➖	otlp_ingest_metrics	memory utilization	+0.40	[+0.24, +0.56]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.24	[+0.00, +0.48]	1	Logs
➖	quality_gate_logs	% cpu utilization	+0.02	[-0.97, +1.02]	1	Logs bounds checks dashboard
➖	file_to_blackhole_0ms_latency	egress throughput	+0.02	[-0.47, +0.50]	1	Logs
➖	docker_containers_memory	memory utilization	+0.01	[-0.09, +0.11]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.00	[-0.13, +0.13]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	+0.00	[-0.46, +0.46]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.00	[-0.20, +0.19]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.10, +0.10]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.01	[-0.21, +0.19]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	-0.05	[-0.21, +0.11]	1	Logs
➖	ddot_metrics	memory utilization	-0.07	[-0.27, +0.13]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.07	[-0.47, +0.33]	1	Logs
➖	ddot_logs	memory utilization	-0.11	[-0.18, -0.05]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	-0.12	[-0.31, +0.07]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	-0.28	[-0.32, -0.23]	1	Logs
➖	file_tree	memory utilization	-0.34	[-0.39, -0.30]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.37	[-0.43, -0.30]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	699 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	243.54MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	725 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.16GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.17GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.18GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	144.33MiB ≤ 147MiB	bounds checks dashboard
✅	quality_gate_idle	total_bytes_received	10/10	740.47KiB ≤ 819.20KiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	2 ≤ 4	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	424.29MiB ≤ 495MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	total_bytes_received	10/10	1.12MiB ≤ 1.25MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	174.48MiB ≤ 195MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_logs	total_bytes_received	10/10	264.00MiB ≤ 292MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	346.54 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	390.77MiB ≤ 430MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	total_bytes_received	10/10	0.94GiB ≤ 1.04GiB	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.

[github-actions]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1afe91c6e3

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[github-actions]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7dc1890eee

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve image tag mapping for protected-node refresh

EvictUnusedNodes now refreshes protected process nodes by converting profileImageTag to an internal ID (tagToID) before checking Seen. If that tag string has not been inserted into the tree registry (for example when a node carries a valid non-zero tag ID but the registry entry is absent), tagToID returns 0 and the refresh path is skipped, so nodes that should be kept alive can still be evicted. This is a behavioral regression from the previous direct string-key lookup path in the same function.

Useful? React with 👍 / 👎.

[github-actions]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Hooray!

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[github-actions]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b518fd4139

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Defer image-tag registration until event validation

Insert now allocates an image-tag ID before any of the early rejection paths in insertEvent run. When an event is dropped (for example invalid/untraced event types, invalid IMDS payloads, or missing/invalid process lineage), the tag slot remains in imageTagIDs even though no node references it. In environments with many transient image tags, this can cause unbounded registry growth and retain tags that were never actually learned by the tree.

Useful? React with 👍 / 👎.

[kovagsm]

Good catch on the theoretical hole — fixed in the latest commit. Insert now checks whether the tag was freshly allocated, and if insertEvent returns an error before any node could reference it, the slot is freed immediately via removeImageTag.

That said, "unbounded registry growth" isn't realistic in practice: the imageTag argument to Insert is the workload's container image version (e.g. v1.2.3), not a per-event value. It's the same string across all events for a given profile. So a slot allocated on a failed first event would be reused on every subsequent event for the same tag — no accumulation. The growth is bounded by the number of distinct image versions seen by a tree, which is O(few) in any real deployment.

The fix closes the theoretical gap anyway.

[chatgpt-codex-connector]

Keep dry-run process lookups side-effect free

CreateProcessNode now calls GetOrInsertImageTag before any dry-run behavior is applied, so read-only probes can still mutate imageTagIDs (including when entry is nil). That changes tree state during what is expected to be a non-mutating path and can accumulate orphan tag IDs that never get attached to nodes.

Useful? React with 👍 / 👎.

[kovagsm]

Fixed. CreateProcessNode now uses GetImageTagID (read-only) when dryRun is true, so read-only probes no longer mutate imageTagIDs. If the tag isn't registered yet, ID 0 is passed down — consistent with the null sentinel used everywhere else.

Worth noting: the only real-world caller today passes dryRun: false (profile.go), so this wasn't causing actual orphan tags in production. But the API contract was wrong regardless.