diff options
| author | thiagoftsm <thiagoftsm@gmail.com> | 2022-03-08 17:49:23 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-03-08 17:49:23 +0000 |
| commit | 6123a8e1a66aa1c3d44e454f866588495b5a145e (patch) | |
| tree | e6683dfd32a9d31c51c41eb1f6326f0782ad9562 | |
| parent | 2f8f4dd6a7b0dc98563357ad4712e990a7c5c86a (diff) | |
CO-RE and syscalls (#12318)
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | Makefile.am | 1 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf.c | 94 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf.d/mount.conf | 13 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf.d/shm.conf | 14 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf.d/sync.conf | 13 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf.h | 1 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf_mount.c | 234 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf_mount.h | 8 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf_shm.c | 241 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf_shm.h | 1 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf_sync.c | 205 | ||||
| -rw-r--r-- | collectors/ebpf.plugin/ebpf_sync.h | 24 | ||||
| -rw-r--r-- | configure.ac | 2 | ||||
| -rwxr-xr-x | contrib/debian/rules | 1 | ||||
| -rw-r--r-- | libnetdata/ebpf/ebpf.c | 172 | ||||
| -rw-r--r-- | libnetdata/ebpf/ebpf.h | 31 | ||||
| -rwxr-xr-x | netdata-installer.sh | 54 | ||||
| -rw-r--r-- | netdata.spec.in | 3 | ||||
| -rwxr-xr-x | packaging/bundle-ebpf-co-re.sh | 9 | ||||
| -rwxr-xr-x | packaging/bundle-libbpf.sh | 1 | ||||
| -rw-r--r-- | packaging/ebpf-co-re.checksums | 1 | ||||
| -rw-r--r-- | packaging/ebpf-co-re.version | 1 |
23 files changed, 1085 insertions, 40 deletions
diff --git a/.gitignore b/.gitignore index cd4896f98f..6b5423cff1 100644 --- a/.gitignore +++ b/.gitignore @@ -72,6 +72,7 @@ cgroup-network ebpf.plugin collectors/ebpf.plugin/reset_netdata_trace.sh !ebpf.plugin/ +collectors/ebpf.plugin/includes/ # protoc generated files *.pb.cc diff --git a/Makefile.am b/Makefile.am index 2048b9f884..c3160bf78d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -61,6 +61,7 @@ dist_noinst_DATA = \ netdata.cppcheck \ netdata.spec \ packaging/bundle-ebpf.sh \ + packaging/bundle-ebpf-co-re.sh \ packaging/bundle-judy.sh \ packaging/bundle-libbpf.sh \ packaging/check-kernel-config.sh \ diff --git a/collectors/ebpf.plugin/ebpf.c b/collectors/ebpf.plugin/ebpf.c index 908583b239..f90712f2ef 100644 --- a/collectors/ebpf.plugin/ebpf.c +++ b/collectors/ebpf.plugin/ebpf.c @@ -68,7 +68,7 @@ ebpf_module_t ebpf_modules[] = { .config_file = NETDATA_SYNC_CONFIG_FILE, // All syscalls have the same kernels .kernels = NETDATA_V3_10 | NETDATA_V4_14 | NETDATA_V4_16 | NETDATA_V4_18 | NETDATA_V5_4, - .load = EBPF_LOAD_LEGACY, .targets = NULL}, + .load = EBPF_LOAD_LEGACY, .targets = sync_targets}, { .thread_name = "dc", .config_name = "dc", .enabled = 0, .start_routine = ebpf_dcstat_thread, .update_every = EBPF_DEFAULT_UPDATE_EVERY, .global_charts = 1, .apps_charts = CONFIG_BOOLEAN_NO, .cgroup_charts = CONFIG_BOOLEAN_NO, .mode = MODE_ENTRY, .optional = 0, @@ -113,7 +113,7 @@ ebpf_module_t ebpf_modules[] = { .pid_map_size = ND_EBPF_DEFAULT_PID_SIZE, .names = NULL, .cfg = &mount_config, .config_file = NETDATA_MOUNT_CONFIG_FILE, .kernels = NETDATA_V3_10 | NETDATA_V4_14 | NETDATA_V4_16 | NETDATA_V4_18 | NETDATA_V5_4, - .load = EBPF_LOAD_LEGACY, .targets = NULL}, + .load = EBPF_LOAD_LEGACY, .targets = mount_targets}, { .thread_name = "fd", .config_name = "fd", .enabled = 0, .start_routine = ebpf_fd_thread, .update_every = EBPF_DEFAULT_UPDATE_EVERY, .global_charts = 1, .apps_charts = CONFIG_BOOLEAN_NO, .cgroup_charts = CONFIG_BOOLEAN_NO, .mode = MODE_ENTRY, .optional = 0, @@ -151,7 +151,7 @@ ebpf_module_t ebpf_modules[] = { .pid_map_size = ND_EBPF_DEFAULT_PID_SIZE, .names = NULL, .cfg = &shm_config, .config_file = NETDATA_DIRECTORY_SHM_CONFIG_FILE, .kernels = NETDATA_V3_10 | NETDATA_V4_14 | NETDATA_V4_16 | NETDATA_V4_18 | NETDATA_V5_4, - .load = EBPF_LOAD_LEGACY, .targets = NULL}, + .load = EBPF_LOAD_LEGACY, .targets = shm_targets}, { .thread_name = "mdflush", .config_name = "mdflush", .enabled = 0, .start_routine = ebpf_mdflush_thread, .update_every = EBPF_DEFAULT_UPDATE_EVERY, .global_charts = 1, .apps_charts = CONFIG_BOOLEAN_NO, .cgroup_charts = CONFIG_BOOLEAN_NO, .mode = MODE_ENTRY, .optional = 0, .apps_routine = NULL, .maps = NULL, @@ -181,6 +181,11 @@ ebpf_network_viewer_options_t network_viewer_opt; ebpf_plugin_stats_t plugin_statistics = {.core = 0, .legacy = 0, .running = 0, .threads = 0, .tracepoints = 0, .probes = 0, .retprobes = 0, .trampolines = 0}; +#ifdef LIBBPF_MAJOR_VERSION +struct btf *default_btf = NULL; +#endif +char *btf_path = NULL; + /***************************************************************** * * FUNCTIONS USED TO CLEAN MEMORY AND OPERATE SYSTEM FILES @@ -290,6 +295,11 @@ static void ebpf_exit(int sig) } */ +#ifdef LIBBPF_MAJOR_VERSION + if (default_btf) + btf__free(default_btf); +#endif + exit(sig); } @@ -1116,6 +1126,56 @@ static void ebpf_update_table_size() } } +/** + * Set Load mode + * + * @param load default load mode. + */ +static inline void ebpf_set_load_mode(netdata_ebpf_load_mode_t load) +{ +#ifdef LIBBPF_MAJOR_VERSION + if (load == EBPF_LOAD_CORE || load == EBPF_LOAD_PLAY_DICE) { + load = (!default_btf) ? EBPF_LOAD_LEGACY : EBPF_LOAD_CORE; + } +#else + load = EBPF_LOAD_LEGACY; +#endif + + int i; + for (i = 0; ebpf_modules[i].thread_name; i++) { + // TO DO: Use `load` variable after we change all threads. + ebpf_modules[i].load = EBPF_LOAD_LEGACY; // load ; + } +} + +/** + * Update mode + * + * @param str value read from configuration file. + */ +static inline void epbf_update_load_mode(char *str) +{ + netdata_ebpf_load_mode_t load = epbf_convert_string_to_load_mode(str); + + ebpf_set_load_mode(load); +} + +#ifdef LIBBPF_MAJOR_VERSION +/** + * Set default btf file + * + * Load the default BTF file on environment. + */ +static void ebpf_set_default_btf_file() +{ + char path[PATH_MAX + 1]; + snprintfz(path, PATH_MAX, "%s/vmlinux", btf_path); + default_btf = ebpf_parse_btf_file(path); + if (!default_btf) + info("Your environment does not have BTF file %s/vmlinux. The plugin will work with 'legacy' code.", + btf_path); +} +#endif /** * Read collector values @@ -1137,6 +1197,17 @@ static void read_collector_values(int *disable_apps, int *disable_cgroups, int u how_to_load(value); + btf_path = appconfig_get(&collector_config, EBPF_GLOBAL_SECTION, EBPF_CFG_PROGRAM_PATH, + EBPF_DEFAULT_BTF_FILE); + +#ifdef LIBBPF_MAJOR_VERSION + ebpf_set_default_btf_file(); +#endif + + value = appconfig_get(&collector_config, EBPF_GLOBAL_SECTION, EBPF_CFG_TYPE_FORMAT, EBPF_CFG_DEFAULT_PROGRAM); + + epbf_update_load_mode(value); + ebpf_update_interval(update_every); ebpf_update_table_size(); @@ -1373,19 +1444,6 @@ static inline void ebpf_load_thread_config() } /** - * Set Load mode - * - * @param load default load mode. - */ -static inline void ebpf_set_load_mode(netdata_ebpf_load_mode_t load) -{ - int i; - for (i = 0; ebpf_modules[i].thread_name; i++) { - ebpf_modules[i].load = load; - } -} - -/** * Parse arguments given from user. * * @param argc the number of arguments @@ -1842,6 +1900,10 @@ int main(int argc, char **argv) ebpf_allocate_common_vectors(); +#ifdef LIBBPF_MAJOR_VERSION + libbpf_set_strict_mode(LIBBPF_STRICT_ALL); +#endif + read_local_addresses(); read_local_ports("/proc/net/tcp", IPPROTO_TCP); read_local_ports("/proc/net/tcp6", IPPROTO_TCP); diff --git a/collectors/ebpf.plugin/ebpf.d/mount.conf b/collectors/ebpf.plugin/ebpf.d/mount.conf index 9d31747550..fdd82f2205 100644 --- a/collectors/ebpf.plugin/ebpf.d/mount.conf +++ b/collectors/ebpf.plugin/ebpf.d/mount.conf @@ -3,6 +3,17 @@ # `return : In the `return` mode, the eBPF collector monitors the same kernel functions as `entry`, but also creates # new charts for the return of these functions, such as errors. # -#[global] +# The `ebpf type format` option accepts the following values : +# `auto` : The eBPF collector will investigate hardware and select between the two next options. +# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload. +# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms. +# +# The `ebpf co-re tracing` option accepts the following values: +# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host. +# `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall. +# `probe` : This is the same as legacy code. +[global] # ebpf load mode = entry # update every = 1 + ebpf type format = auto + ebpf co-re tracing = trampoline diff --git a/collectors/ebpf.plugin/ebpf.d/shm.conf b/collectors/ebpf.plugin/ebpf.d/shm.conf index c0a10c98e7..23ab96da4b 100644 --- a/collectors/ebpf.plugin/ebpf.d/shm.conf +++ b/collectors/ebpf.plugin/ebpf.d/shm.conf @@ -8,13 +8,25 @@ # If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change # the setting `apps` and `cgroups` to 'no'. # +# The `ebpf type format` option accepts the following values : +# `auto` : The eBPF collector will investigate hardware and select between the two next options. +# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload. +# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms. +# +# The `ebpf co-re tracing` option accepts the following values: +# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host. +# `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall. +# `probe` : This is the same as legacy code. +# # Uncomment lines to define specific options for thread. -#[global] +[global] # ebpf load mode = entry # apps = yes # cgroups = no # update every = 10 # pid table size = 32768 + ebpf type format = auto + ebpf co-re tracing = trampoline # List of monitored syscalls [syscalls] diff --git a/collectors/ebpf.plugin/ebpf.d/sync.conf b/collectors/ebpf.plugin/ebpf.d/sync.conf index 03c469f68e..ebec5d38e4 100644 --- a/collectors/ebpf.plugin/ebpf.d/sync.conf +++ b/collectors/ebpf.plugin/ebpf.d/sync.conf @@ -8,12 +8,23 @@ # If you want to disable the integration with `apps.plugin` or `cgroups.plugin` along with the above charts, change # the setting `apps` and `cgroups` to 'no'. # +# The `ebpf type format` option accepts the following values : +# `auto` : The eBPF collector will investigate hardware and select between the two next options. +# `legacy`: The eBPF collector will load the legacy code. Note: This has a bigger overload. +# `co-re` : The eBPF collector will use latest tracing method. Note: This is not available on all platforms. +# +# The `ebpf co-re tracing` option accepts the following values: +# `trampoline`: This is the default mode used by the eBPF collector, due the small overhead added to host. +# `tracepoint`: When available, the eBPF collector will use kernel tracepoint to monitor syscall. +# `probe` : This is the same as legacy code. # -#[global] +[global] # ebpf load mode = entry # apps = yes # cgroups = no # update every = 10 + ebpf type format = auto + ebpf co-re tracing = trampoline # List of monitored syscalls [syscalls] diff --git a/collectors/ebpf.plugin/ebpf.h b/collectors/ebpf.plugin/ebpf.h index 165a6bf36c..b2e52946d2 100644 --- a/collectors/ebpf.plugin/ebpf.h +++ b/collectors/ebpf.plugin/ebpf.h @@ -264,6 +264,7 @@ extern pthread_mutex_t mutex_cgroup_shm; extern size_t all_pids_count; extern uint32_t finalized_threads; extern ebpf_plugin_stats_t plugin_statistics; +extern struct btf *default_btf; // Socket functions and variables // Common functions diff --git a/collectors/ebpf.plugin/ebpf_mount.c b/collectors/ebpf.plugin/ebpf_mount.c index 666936d869..15febe13ec 100644 --- a/collectors/ebpf.plugin/ebpf_mount.c +++ b/collectors/ebpf.plugin/ebpf_mount.c @@ -30,6 +30,196 @@ struct netdata_static_thread mount_thread = {"MOUNT KERNEL", NULL, NULL, 1, NULL, NULL, NULL}; +netdata_ebpf_targets_t mount_targets[] = { {.name = "mount", .mode = EBPF_LOAD_TRAMPOLINE}, + {.name = "umount", .mode = EBPF_LOAD_TRAMPOLINE}, + {.name = NULL, .mode = EBPF_LOAD_TRAMPOLINE}}; + +#ifdef LIBBPF_MAJOR_VERSION +#include "includes/mount.skel.h" // BTF code + +static struct mount_bpf *bpf_obj = NULL; + +/***************************************************************** + * + * BTF FUNCTIONS + * + *****************************************************************/ + +/* + * Disable probe + * + * Disable all probes to use exclusively another method. + * + * @param obj is the main structure for bpf objects. + */ +static inline void ebpf_mount_disable_probe(struct mount_bpf *obj) +{ + bpf_program__set_autoload(obj->progs.netdata_mount_probe, false); + bpf_program__set_autoload(obj->progs.netdata_umount_probe, false); + + bpf_program__set_autoload(obj->progs.netdata_mount_retprobe, false); + bpf_program__set_autoload(obj->progs.netdata_umount_retprobe, false); +} + +/* + * Disable tracepoint + * + * Disable all tracepoints to use exclusively another method. + * + * @param obj is the main structure for bpf objects. + */ +static inline void ebpf_mount_disable_tracepoint(struct mount_bpf *obj) +{ + bpf_program__set_autoload(obj->progs.netdata_mount_exit, false); + bpf_program__set_autoload(obj->progs.netdata_umount_exit, false); +} + +/* + * Disable trampoline + * + * Disable all trampoline to use exclusively another method. + * + * @param obj is the main structure for bpf objects. + */ +static inline void ebpf_mount_disable_trampoline(struct mount_bpf *obj) +{ + bpf_program__set_autoload(obj->progs.netdata_mount_fentry, false); + bpf_program__set_autoload(obj->progs.netdata_umount_fentry, false); + bpf_program__set_autoload(obj->progs.netdata_mount_fexit, false); + bpf_program__set_autoload(obj->progs.netdata_umount_fexit, false); +} + +/** + * Set trampoline target + * + * Set the targets we will monitor. + * + * @param obj is the main structure for bpf objects. + */ +static inline void netdata_set_trampoline_target(struct mount_bpf *obj) +{ + char syscall[NETDATA_EBPF_MAX_SYSCALL_LENGTH + 1]; + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + mount_targets[NETDATA_MOUNT_SYSCALL].name, running_on_kernel); + + bpf_program__set_attach_target(obj->progs.netdata_mount_fentry, 0, + syscall); + + bpf_program__set_attach_target(obj->progs.netdata_mount_fexit, 0, + syscall); + + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + mount_targets[NETDATA_UMOUNT_SYSCALL].name, running_on_kernel); + + bpf_program__set_attach_target(obj->progs.netdata_umount_fentry, 0, + syscall); + + bpf_program__set_attach_target(obj->progs.netdata_umount_fexit, 0, + syscall); +} + +/** + * Mount Attach Probe + * + * Attach probes to target + * + * @param obj is the main structure for bpf objects. + * + * @return It returns 0 on success and -1 otherwise. + */ +static int ebpf_mount_attach_probe(struct mount_bpf *obj) +{ + char syscall[NETDATA_EBPF_MAX_SYSCALL_LENGTH + 1]; + + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + mount_targets[NETDATA_MOUNT_SYSCALL].name, running_on_kernel); + + obj->links.netdata_mount_probe = bpf_program__attach_kprobe(obj->progs.netdata_mount_probe, + false, syscall); + int ret = (int)libbpf_get_error(obj->links.netdata_mount_probe); + if (ret) + return -1; + + obj->links.netdata_mount_retprobe = bpf_program__attach_kprobe(obj->progs.netdata_mount_retprobe, + true, syscall); + ret = (int)libbpf_get_error(obj->links.netdata_mount_retprobe); + if (ret) + return -1; + + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + mount_targets[NETDATA_UMOUNT_SYSCALL].name, running_on_kernel); + + obj->links.netdata_umount_probe = bpf_program__attach_kprobe(obj->progs.netdata_umount_probe, + false, syscall); + ret = (int)libbpf_get_error(obj->links.netdata_umount_probe); + if (ret) + return -1; + + obj->links.netdata_umount_retprobe = bpf_program__attach_kprobe(obj->progs.netdata_umount_retprobe, + true, syscall); + ret = (int)libbpf_get_error(obj->links.netdata_umount_retprobe); + if (ret) + return -1; + + return 0; +} + +/** + * Set hash tables + * + * Set the values for maps according the value given by kernel. + * + * @param obj is the main structure for bpf objects. + */ +static void ebpf_mount_set_hash_tables(struct mount_bpf *obj) +{ + mount_maps[NETDATA_KEY_MOUNT_TABLE].map_fd = bpf_map__fd(obj->maps.tbl_mount); +} + +/** + * Load and attach + * + * Load and attach the eBPF code in kernel. + * + * @param obj is the main structure for bpf objects. + * @param em structure with configuration + * + * @return it returns 0 on succes and -1 otherwise + */ +static inline int ebpf_mount_load_and_attach(struct mount_bpf *obj, ebpf_module_t *em) +{ + netdata_ebpf_targets_t *mt = em->targets; + netdata_ebpf_program_loaded_t test = mt[NETDATA_MOUNT_SYSCALL].mode; + + // We are testing only one, because all will have the same behavior + if (test == EBPF_LOAD_TRAMPOLINE ) { + ebpf_mount_disable_probe(obj); + ebpf_mount_disable_tracepoint(obj); + + netdata_set_trampoline_target(obj); + } else if (test == EBPF_LOAD_PROBE || + test == EBPF_LOAD_RETPROBE ) { + ebpf_mount_disable_tracepoint(obj); + ebpf_mount_disable_trampoline(obj); + } else { + ebpf_mount_disable_probe(obj); + ebpf_mount_disable_trampoline(obj); + } + + int ret = mount_bpf__load(obj); + if (!ret) { + if (test != EBPF_LOAD_PROBE && test != EBPF_LOAD_RETPROBE ) + ret = mount_bpf__attach(obj); + else + ret = ebpf_mount_attach_probe(obj); + + if (!ret) + ebpf_mount_set_hash_tables(obj); + } + + return ret; +} +#endif /***************************************************************** * * FUNCTIONS TO CLOSE THE THREAD @@ -59,6 +249,11 @@ static void ebpf_mount_cleanup(void *ptr) } bpf_object__close(objects); } +#ifdef LIBBPF_MAJOR_VERSION + else if (bpf_obj) + mount_bpf__destroy(bpf_obj); +#endif + } /***************************************************************** @@ -219,6 +414,39 @@ static void ebpf_create_mount_charts(int update_every) * *****************************************************************/ +/* + * Load BPF + * + * Load BPF files. + * + * @param em the structure with configuration + */ +static int ebpf_mount_load_bpf(ebpf_module_t *em) +{ + int ret = 0; + if (em->load == EBPF_LOAD_LEGACY) { + probe_links = ebpf_load_program(ebpf_plugin_dir, em, running_on_kernel, isrh, &objects); + if (!probe_links) { + em->enabled = CONFIG_BOOLEAN_NO; + ret = -1; + } + } +#ifdef LIBBPF_MAJOR_VERSION + else { + bpf_obj = mount_bpf__open(); + if (!bpf_obj) + ret = -1; + else + ret = ebpf_mount_load_and_attach(bpf_obj, em); + } +#endif + + if (ret) + error("%s %s", EBPF_DEFAULT_ERROR_MSG, em->thread_name); + + return ret; +} + /** * Mount thread * @@ -238,8 +466,10 @@ void *ebpf_mount_thread(void *ptr) if (!em->enabled) goto endmount; - probe_links = ebpf_load_program(ebpf_plugin_dir, em, running_on_kernel, isrh, &objects); - if (!probe_links) { +#ifdef LIBBPF_MAJOR_VERSION + ebpf_adjust_thread_load(em, default_btf); +#endif + if (ebpf_mount_load_bpf(em)) { em->enabled = CONFIG_BOOLEAN_NO; goto endmount; } diff --git a/collectors/ebpf.plugin/ebpf_mount.h b/collectors/ebpf.plugin/ebpf_mount.h index 700bea13be..d4f48efd10 100644 --- a/collectors/ebpf.plugin/ebpf_mount.h +++ b/collectors/ebpf.plugin/ebpf_mount.h @@ -30,7 +30,15 @@ enum mount_tables { NETDATA_KEY_MOUNT_TABLE }; +enum netdata_mount_syscalls { + NETDATA_MOUNT_SYSCALL, + NETDATA_UMOUNT_SYSCALL, + + NETDATA_MOUNT_SYSCALLS_END +}; + extern struct config mount_config; extern void *ebpf_mount_thread(void *ptr); +extern netdata_ebpf_targets_t mount_targets[]; #endif /* NETDATA_EBPF_MOUNT_H */ diff --git a/collectors/ebpf.plugin/ebpf_shm.c b/collectors/ebpf.plugin/ebpf_shm.c index 0cfb3abdcc..685f9bcdd6 100644 --- a/collectors/ebpf.plugin/ebpf_shm.c +++ b/collectors/ebpf.plugin/ebpf_shm.c @@ -41,6 +41,203 @@ static struct bpf_object *objects = NULL; struct netdata_static_thread shm_threads = {"SHM KERNEL", NULL, NULL, 1, NULL, NULL, NULL}; +netdata_ebpf_targets_t shm_targets[] = { {.name = "shmget", .mode = EBPF_LOAD_TRAMPOLINE}, + {.name = "shmat", .mode = EBPF_LOAD_TRAMPOLINE}, + {.name = "shmdt", .mode = EBPF_LOAD_TRAMPOLINE}, + {.name = "shmctl", .mode = EBPF_LOAD_TRAMPOLINE}, + {.name = NULL, .mode = EBPF_LOAD_TRAMPOLINE}}; + +#ifdef LIBBPF_MAJOR_VERSION +#include "includes/shm.skel.h" + +static struct shm_bpf *bpf_obj = NULL; + +/***************************************************************** + * + * BTF FUNCTIONS + * + *****************************************************************/ + +/* + * Disable tracepoint + * + * Disable all tracepoints to use exclusively another method. + * + * @param obj is the main structure for bpf objects. + */ +static void ebpf_shm_disable_tracepoint(struct shm_bpf *obj) +{ + bpf_program__set_autoload(obj->progs.netdata_syscall_shmget, false); + bpf_program__set_autoload(obj->progs.netdata_syscall_shmat, false); + bpf_program__set_autoload(obj->progs.netdata_syscall_shmdt, false); + bpf_program__set_autoload(obj->progs.netdata_syscall_shmctl, false); +} + +/* + * Disable probe + * + * Disable all probes to use exclusively another method. + * + * @param obj is the main structure for bpf objects. + */ +static void ebpf_disable_probe(struct shm_bpf *obj) +{ + bpf_program__set_autoload(obj->progs.netdata_shmget_probe, false); + bpf_program__set_autoload(obj->progs.netdata_shmat_probe, false); + bpf_program__set_autoload(obj->progs.netdata_shmdt_probe, false); + bpf_program__set_autoload(obj->progs.netdata_shmctl_probe, false); +} + +/* + * Disable trampoline + * + * Disable all trampoline to use exclusively another method. + * + * @param obj is the main structure for bpf objects. + */ +static void ebpf_disable_trampoline(struct shm_bpf *obj) +{ + bpf_program__set_autoload(obj->progs.netdata_shmget_fentry, false); + bpf_program__set_autoload(obj->progs.netdata_shmat_fentry, false); + bpf_program__set_autoload(obj->progs.netdata_shmdt_fentry, false); + bpf_program__set_autoload(obj->progs.netdata_shmctl_fentry, false); +} + +/** + * Set trampoline target + * + * Set the targets we will monitor. + * + * @param obj is the main structure for bpf objects. + */ +static void ebpf_set_trampoline_target(struct shm_bpf *obj) +{ + char syscall[NETDATA_EBPF_MAX_SYSCALL_LENGTH + 1]; + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + shm_targets[NETDATA_KEY_SHMGET_CALL].name, running_on_kernel); + + bpf_program__set_attach_target(obj->progs.netdata_shmget_fentry, 0, + syscall); + + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + shm_targets[NETDATA_KEY_SHMAT_CALL].name, running_on_kernel); + bpf_program__set_attach_target(obj->progs.netdata_shmat_fentry, 0, + syscall); + + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + shm_targets[NETDATA_KEY_SHMDT_CALL].name, running_on_kernel); + bpf_program__set_attach_target(obj->progs.netdata_shmdt_fentry, 0, + syscall); + + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + shm_targets[NETDATA_KEY_SHMCTL_CALL].name, running_on_kernel); + bpf_program__set_attach_target(obj->progs.netdata_shmctl_fentry, 0, + syscall); +} + +/** + * SHM Attach Probe + * + * Attach probes to target + * + * @param obj is the main structure for bpf objects. + * + * @return It returns 0 on success and -1 otherwise. + */ +static int ebpf_shm_attach_probe(struct shm_bpf *obj) +{ + char syscall[NETDATA_EBPF_MAX_SYSCALL_LENGTH + 1]; + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + shm_targets[NETDATA_KEY_SHMGET_CALL].name, running_on_kernel); + + obj->links.netdata_shmget_probe = bpf_program__attach_kprobe(obj->progs.netdata_shmget_probe, + false, syscall); + int ret = (int)libbpf_get_error(obj->links.netdata_shmget_probe); + if (ret) + return -1; + + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + shm_targets[NETDATA_KEY_SHMAT_CALL].name, running_on_kernel); + obj->links.netdata_shmat_probe = bpf_program__attach_kprobe(obj->progs.netdata_shmat_probe, + false, syscall); + ret = (int)libbpf_get_error(obj->links.netdata_shmat_probe); + if (ret) + return -1; + + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + shm_targets[NETDATA_KEY_SHMDT_CALL].name, running_on_kernel); + obj->links.netdata_shmdt_probe = bpf_program__attach_kprobe(obj->progs.netdata_shmdt_probe, + false, syscall); + ret = (int)libbpf_get_error(obj->links.netdata_shmdt_probe); + if (ret) + return -1; + + ebpf_select_host_prefix(syscall, NETDATA_EBPF_MAX_SYSCALL_LENGTH, + shm_targets[NETDATA_KEY_SHMCTL_CALL].name, running_on_kernel); + obj->links.netdata_shmctl_probe = bpf_program__attach_kprobe(obj->progs.netdata_shmctl_probe, + false, syscall); + ret = (int)libbpf_get_error(obj->links.netdata_shmctl_probe); + if (ret) + return -1; + + return 0; +} + +/** + * Set hash tables + * + * Set the values for maps according the value given by kernel. + */ +static void ebpf_shm_set_hash_tables(struct shm_bpf *obj) +{ + shm_maps[NETDATA_PID_SHM_TABLE].map_fd = bpf_map__fd(obj->maps.tbl_pid_shm); + shm_maps[NETDATA_SHM_CONTROLLER].map_fd = bpf_map__fd(obj->maps.shm_ctrl); + shm_maps[NETDATA_SHM_GLOBAL_TABLE].map_fd = bpf_map__fd(obj->maps.tbl_shm); +} + +/** + * Load and attach + * + * Load and attach the eBPF code in kernel. + * + * @param obj is the main structure for bpf objects. + * @param em structure with configuration + * + * @return it returns 0 on succes and -1 otherwise + */ +static inline int ebpf_shm_load_and_attach(struct shm_bpf *obj, ebpf_module_t *em) +{ + netdata_ebpf_targets_t *shmt = em->targets; + netdata_ebpf_program_loaded_t test = shmt[NETDATA_KEY_SHMGET_CALL].mode; + + // We are testing only one, because all will have the same behavior + if (test == EBPF_LOAD_TRAMPOLINE ) { + ebpf_shm_disable_tracepoint(obj); + ebpf_disable_probe(obj); + + ebpf_set_trampoline_target(obj); + } else if (test == EBPF_LOAD_PROBE || test == EBPF_LOAD_RETPROBE ) { + ebpf_shm_disable_tracepoint(obj); + ebpf_disable_trampoline(obj); + } else { + ebpf_disable_probe(obj); + ebpf_disable_trampoline(obj); + } + + int ret = shm_bpf__load(obj); + if (!ret) { + if (test != EBPF_LOAD_PROBE && test != EBPF_LOAD_RETPROBE) + shm_bpf__attach(obj); + else + ret = ebpf_shm_attach_probe(obj); + + if (!ret) + ebpf_shm_set_hash_tables(obj); + } + + return ret; +} +#endif /***************************************************************** * FUNCTIONS TO CLOSE THE THREAD *****************************************************************/ @@ -91,6 +288,10 @@ static void ebpf_shm_cleanup(void *ptr) } bpf_object__close(objects); } +#ifdef LIBBPF_MAJOR_VERSION + else if (bpf_obj) + shm_bpf__destroy(bpf_obj); +#endif } /***************************************************************** @@ -802,6 +1003,40 @@ static void ebpf_create_shm_charts(int update_every) fflush(stdout); } +/* + * Load BPF + * + * Load BPF files. + * + * @param em the structure with configuration + */ +static int ebpf_shm_load_bpf(ebpf_module_t *em) +{ + int ret = 0; + if (em->load == EBPF_LOAD_LEGACY) { + probe_links = ebpf_load_program(ebpf_plugin_dir, em, runn |