From 28ce8f4445394714077150ea1abc3de2a8a42c27 Mon Sep 17 00:00:00 2001 From: thiagoftsm Date: Wed, 19 Jan 2022 15:20:22 +0000 Subject: eBPF plugin CO-RE and monitoring (#11992) --- libnetdata/ebpf/ebpf.c | 250 +++++++++++++++++++++++++++++++++++++++---------- libnetdata/ebpf/ebpf.h | 136 +++++++++++++++++---------- 2 files changed, 287 insertions(+), 99 deletions(-) (limited to 'libnetdata') diff --git a/libnetdata/ebpf/ebpf.c b/libnetdata/ebpf/ebpf.c index 3aef243a47..ca40492f11 100644 --- a/libnetdata/ebpf/ebpf.c +++ b/libnetdata/ebpf/ebpf.c @@ -110,9 +110,23 @@ int ebpf_get_kernel_version() *move++ = *version++; *move = '\0'; - return ((int)(str2l(major) * 65536) + (int)(str2l(minor) * 256) + (int)str2l(patch)); + // This new rule is fixing kernel version according the formula: + // KERNEL_VERSION(a,b,c) (((a) << 16) + ((b) << 8) + ((c) > 255 ? 255 : (c))) + // that was extracted from /usr/include/linux/version.h + int ipatch = (int)str2l(patch); + if (ipatch > 255) + ipatch = 255; + + return ((int)(str2l(major) * 65536) + (int)(str2l(minor) * 256) + ipatch); } +/** + * Get RH release + * + * Read Red Hat release from /etc/redhat-release + * + * @return It returns RH release on success and -1 otherwise + */ int get_redhat_release() { char buffer[VERSION_STRING_LEN + 1]; @@ -249,66 +263,189 @@ int has_condition_to_run(int version) //---------------------------------------------------------------------------------------------------------------------- -char *ebpf_kernel_suffix(int version, int isrh) +/** + * Kernel Name + * + * Select kernel name used by eBPF programs + * + * Netdata delivers for users eBPF programs with specific suffixes that represent the kernels they were + * compiled, when we load the eBPF program, the suffix must be the nereast possible of the kernel running. + * + * @param selector select the kernel version. + * + * @return It returns the string to load kernel. + */ +static char *ebpf_select_kernel_name(uint32_t selector) { - if (isrh) { - if (version >= NETDATA_EBPF_KERNEL_4_11) - return "4.18"; - else - return "3.10"; - } else { - if (version >= NETDATA_EBPF_KERNEL_5_15) - return "5.15"; - else if (version >= NETDATA_EBPF_KERNEL_5_11) - return "5.11"; - else if (version >= NETDATA_EBPF_KERNEL_5_10) - return "5.10"; - else if (version >= NETDATA_EBPF_KERNEL_4_17) - return "5.4"; - else if (version >= NETDATA_EBPF_KERNEL_4_15) - return "4.16"; - else if (version >= NETDATA_EBPF_KERNEL_4_11) - return "4.14"; + static char *kernel_names[] = { NETDATA_IDX_STR_V3_10, NETDATA_IDX_STR_V4_14, NETDATA_IDX_STR_V4_16, + NETDATA_IDX_STR_V4_18, NETDATA_IDX_STR_V5_4, NETDATA_IDX_STR_V5_10, + NETDATA_IDX_STR_V5_11, NETDATA_IDX_STR_V5_15 + }; + + return kernel_names[selector]; +} + +/** + * Select Max Index + * + * Select last index that will be tested on host. + * + * @param is_rhf is Red Hat fammily? + * @param kver the kernel version + * + * @return it returns the index to access kernel string. + */ +static int ebpf_select_max_index(int is_rhf, uint32_t kver) +{ + if (is_rhf > 0) { // Is Red Hat family + if (kver >= NETDATA_EBPF_KERNEL_4_11) + return NETDATA_IDX_V4_18; + } else { // Kernels from kernel.org + if (kver >= NETDATA_EBPF_KERNEL_5_15) + return NETDATA_IDX_V5_15; + else if (kver >= NETDATA_EBPF_KERNEL_5_11) + return NETDATA_IDX_V5_11; + else if (kver >= NETDATA_EBPF_KERNEL_5_10) + return NETDATA_IDX_V5_10; + else if (kver >= NETDATA_EBPF_KERNEL_4_17) + return NETDATA_IDX_V5_4; + else if (kver >= NETDATA_EBPF_KERNEL_4_15) + return NETDATA_IDX_V4_16; + else if (kver >= NETDATA_EBPF_KERNEL_4_11) + return NETDATA_IDX_V4_14; } - return NULL; + return NETDATA_IDX_V3_10; +} + +/** + * Select Index + * + * Select index to load data. + * + * @param kernels is the variable with kernel versions. + * @param is_rhf is Red Hat fammily? + * param kver the kernel version + */ +static uint32_t ebpf_select_index(uint32_t kernels, int is_rhf, uint32_t kver) +{ + uint32_t start = ebpf_select_max_index(is_rhf, kver); + uint32_t idx; + + for (idx = start; idx; idx--) { + if (kernels & 1 << idx) + break; + } + + return idx; +} + +/** + * Mount Name + * + * Mount name of eBPF program to be loaded. + * + * Netdata eBPF programs has the following format: + * + * Tnetdata_ebpf_N.V.o + * + * where: + * T - Is the eBPF type. When starts with 'p', this means we are only adding probes, + * and when they start with 'r' we are using retprobes. + * N - The eBPF program name. + * V - The kernel version in string format. + * + * @param out the vector where the name will be stored + * @param path + * @param len the size of the out vector. + * @param kver the kernel version + * @param name the eBPF program name. + * @param is_return is return or entry ? + */ +static void ebpf_mount_name(char *out, size_t len, char *path, uint32_t kver, const char *name, int is_return) +{ + char *version = ebpf_select_kernel_name(kver); + snprintfz(out, len, "%s/ebpf.d/%cnetdata_ebpf_%s.%s.o", + path, + (is_return) ? 'r' : 'p', + name, + version); } //---------------------------------------------------------------------------------------------------------------------- /** - * Update Kernel + * Statistics from targets * - * Update string used to load eBPF programs + * Count the information from targets. * - * @param ks vector to store the value - * @param length available length to store kernel - * @param isrh Is a Red Hat distribution? - * @param version the kernel version + * @param report the output structure + * @param targets vector with information about the eBPF plugin. */ -void ebpf_update_kernel(char *ks, size_t length, int isrh, int version) +static void ebpf_stats_targets(ebpf_plugin_stats_t *report, netdata_ebpf_targets_t *targets) { - char *kernel = ebpf_kernel_suffix(version, (isrh < 0) ? 0 : 1); - size_t len = strlen(kernel); - if (len > length) - len = length - 1; - strncpyz(ks, kernel, len); - ks[len] = '\0'; + if (!targets) { + report->probes = report->tracepoints = report->trampolines = 0; + return; + } + + int i = 0; + while (targets[i].name) { + switch (targets[i].mode) { + case EBPF_LOAD_PROBE: { + report->probes++; + break; + } + case EBPF_LOAD_RETPROBE: { + report->retprobes++; + break; + } + case EBPF_LOAD_TRACEPOINT: { + report->tracepoints++; + break; + } + case EBPF_LOAD_TRAMPOLINE: { + report->trampolines++; + break; + } + } + + i++; + } } -static int select_file(char *name, const char *program, size_t length, int mode, char *kernel_string) +/** + * Update General stats + * + * Update eBPF plugin statistics that has relationship with the thread. + * + * This function must be called with mutex associated to charts is locked. + * + * @param report the output structure + * @param em the structure with information about how the module/thread is working. + */ +void ebpf_update_stats(ebpf_plugin_stats_t *report, ebpf_module_t *em) { - int ret = -1; - if (!mode) - ret = snprintf(name, length, "rnetdata_ebpf_%s.%s.o", program, kernel_string); - else if (mode == 1) - ret = snprintf(name, length, "dnetdata_ebpf_%s.%s.o", program, kernel_string); - else if (mode == 2) - ret = snprintf(name, length, "pnetdata_ebpf_%s.%s.o", program, kernel_string); + report->threads++; - return ret; + // It is not necessary to report more information. + if (!em->enabled) + return; + + report->running++; + + // In theory the `else if` is useless, because when this function is called, the module should not stay in + // EBPF_LOAD_PLAY_DICE. We have this additional condition to detect errors from developers. + if (em->load == EBPF_LOAD_LEGACY) + report->legacy++; + else if (em->load == EBPF_LOAD_CORE) + report->core++; + + ebpf_stats_targets(report, em->targets); } +//---------------------------------------------------------------------------------------------------------------------- + void ebpf_update_pid_table(ebpf_local_maps_t *pid, ebpf_module_t *em) { pid->user_input = em->pid_map_size; @@ -454,17 +591,28 @@ static void ebpf_update_controller(ebpf_module_t *em, struct bpf_object *obj) } } -struct bpf_link **ebpf_load_program(char *plugins_dir, ebpf_module_t *em, char *kernel_string, +/** + * Load Program + * + * Load eBPF program into kernel + * + * @param plugins_dir directory where binary are stored + * @param em structure with information about eBPF program we will load. + * @param kver the kernel version according /usr/include/linux/version.h + * @param is_rhf is a kernel from Red Hat Family? + * @param obj structure where we will store object loaded. + * + * @return it returns a link for each target we associated an eBPF program. + */ +struct bpf_link **ebpf_load_program(char *plugins_dir, ebpf_module_t *em, int kver, int is_rhf, struct bpf_object **obj) { char lpath[4096]; - char lname[128]; - int test = select_file(lname, em->thread_name, (size_t)127, em->mode, kernel_string); - if (test < 0 || test > 127) - return NULL; + uint32_t idx = ebpf_select_index(em->kernels, is_rhf, kver); + + ebpf_mount_name(lpath, 4095, plugins_dir, idx, em->thread_name, em->mode); - snprintf(lpath, 4096, "%s/ebpf.d/%s", plugins_dir, lname); *obj = bpf_object__open_file(lpath, NULL); if (libbpf_get_error(obj)) { error("Cannot open BPF object %s", lpath); @@ -485,6 +633,10 @@ struct bpf_link **ebpf_load_program(char *plugins_dir, ebpf_module_t *em, char * size_t count_programs = ebpf_count_programs(*obj); +#ifdef NETDATA_INTERNAL_CHECKS + info("eBPF program %s loaded with success!", lpath); +#endif + return ebpf_attach_programs(*obj, count_programs, em->names); } diff --git a/libnetdata/ebpf/ebpf.h b/libnetdata/ebpf/ebpf.h index 1da28d4cb3..1252996725 100644 --- a/libnetdata/ebpf/ebpf.h +++ b/libnetdata/ebpf/ebpf.h @@ -22,14 +22,6 @@ #define EBPF_CFG_APPLICATION "apps" #define EBPF_CFG_CGROUP "cgroups" -/** - * The next magic number is got doing the following math: - * 294960 = 4*65536 + 11*256 + 0 - * - * For more details, please, read /usr/include/linux/version.h - */ -#define NETDATA_MINIMUM_EBPF_KERNEL 264960 - /** * The RedHat magic number was got doing: * @@ -46,53 +38,63 @@ #define NETDATA_RH_8 2048 /** - * Kernel 5.15 + * Kernel Version * - * 331520 = 5*65536 + 15*256 - */ -#define NETDATA_EBPF_KERNEL_5_15 331520 - -/** - * Kernel 5.11 + * Kernel versions are calculated using the following formula: * - * 330240 = 5*65536 + 11*256 - */ -#define NETDATA_EBPF_KERNEL_5_11 330496 - -/** - * Kernel 5.10 + * VERSION = LINUX_VERSION_MAJOR*65536 + LINUX_VERSION_PATCHLEVEL*256 + LINUX_VERSION_SUBLEVEL * - * 330240 = 5*65536 + 10*256 - */ -#define NETDATA_EBPF_KERNEL_5_10 330240 - -/** - * Kernel 5.0 + * Where LINUX_VERSION_MAJOR, LINUX_VERSION_PATCHLEVEL, and LINUX_VERSION_SUBLEVEL are extracted + * from /usr/include/linux/version.h. * - * 327680 = 5*65536 +256*0 - */ -#define NETDATA_EBPF_KERNEL_5_0 327680 - -/** - * Kernel 4.17 + * LINUX_VERSION_SUBLEVEL has the maximum value 255, but linux can have more SUBLEVELS. * - * 266496 = 4*65536 + 17*256 */ -#define NETDATA_EBPF_KERNEL_4_17 266496 +enum netdata_ebpf_kernel_versions { + NETDATA_EBPF_KERNEL_4_11 = 264960, // 264960 = 4 * 65536 + 15 * 256 + NETDATA_EBPF_KERNEL_4_15 = 265984, // 265984 = 4 * 65536 + 15 * 256 + NETDATA_EBPF_KERNEL_4_17 = 266496, // 266496 = 4 * 65536 + 17 * 256 + NETDATA_EBPF_KERNEL_5_0 = 327680, // 327680 = 5 * 65536 + 0 * 256 + NETDATA_EBPF_KERNEL_5_10 = 330240, // 330240 = 5 * 65536 + 10 * 256 + NETDATA_EBPF_KERNEL_5_11 = 330496, // 330240 = 5 * 65536 + 11 * 256 + NETDATA_EBPF_KERNEL_5_15 = 331520 // 331520 = 5 * 65536 + 15 * 256 +}; -/** - * Kernel 4.15 - * - * 265984 = 4*65536 + 15*256 - */ -#define NETDATA_EBPF_KERNEL_4_15 265984 +enum netdata_kernel_flag { + NETDATA_V3_10 = 1 << 0, + NETDATA_V4_14 = 1 << 1, + NETDATA_V4_16 = 1 << 2, + NETDATA_V4_18 = 1 << 3, + NETDATA_V5_4 = 1 << 4, + NETDATA_V5_10 = 1 << 5, + NETDATA_V5_11 = 1 << 6, + NETDATA_V5_15 = 1 << 7 +}; + +enum netdata_kernel_idx { + NETDATA_IDX_V3_10, + NETDATA_IDX_V4_14, + NETDATA_IDX_V4_16, + NETDATA_IDX_V4_18, + NETDATA_IDX_V5_4 , + NETDATA_IDX_V5_10, + NETDATA_IDX_V5_11, + NETDATA_IDX_V5_15 +}; + +#define NETDATA_IDX_STR_V3_10 "3.10" +#define NETDATA_IDX_STR_V4_14 "4.14" +#define NETDATA_IDX_STR_V4_16 "4.16" +#define NETDATA_IDX_STR_V4_18 "4.18" +#define NETDATA_IDX_STR_V5_4 "5.4" +#define NETDATA_IDX_STR_V5_10 "5.10" +#define NETDATA_IDX_STR_V5_11 "5.11" +#define NETDATA_IDX_STR_V5_15 "5.15" /** - * Kernel 4.11 - * - * 264960 = 4*65536 + 15*256 + * Minimum value has relationship with libbpf support. */ -#define NETDATA_EBPF_KERNEL_4_11 264960 +#define NETDATA_MINIMUM_EBPF_KERNEL NETDATA_EBPF_KERNEL_4_11 #define VERSION_STRING_LEN 256 #define EBPF_KERNEL_REJECT_LIST_FILE "ebpf_kernel_reject_list.txt" @@ -155,6 +157,39 @@ typedef struct ebpf_specify_name { bool retprobe; } ebpf_specify_name_t; +typedef enum netdata_ebpf_load_mode { + EBPF_LOAD_LEGACY, // Select legacy mode, this means we will load binaries + EBPF_LOAD_CORE, // When CO-RE is used, it is necessary to use the souce code + + EBPF_LOAD_PLAY_DICE // Take a look on environment and choose the best option +} netdata_ebpf_load_mode_t; + +typedef enum netdata_ebpf_program_loaded { + EBPF_LOAD_PROBE, // Attach probes on targets + EBPF_LOAD_RETPROBE, // Attach retprobes on targets + EBPF_LOAD_TRACEPOINT, // This stores log given description about the errors raised + EBPF_LOAD_TRAMPOLINE, // This attaches kprobe when the function is called +} netdata_ebpf_program_loaded_t; + +typedef struct netdata_ebpf_targets { + char *name; + netdata_ebpf_program_loaded_t mode; +} netdata_ebpf_targets_t; + +typedef struct ebpf_plugin_stats { + // Load options + uint32_t legacy; // Legacy codes + uint32_t core; // CO-RE codes, this means we are using source code compiled. + + uint32_t threads; // Total number of threads + uint32_t running; // total number of threads running + + uint32_t probes; // Number of kprobes loaded + uint32_t retprobes; // Number of kretprobes loaded + uint32_t tracepoints; // Number of tracepoints used + uint32_t trampolines; // Number of trampolines used +} ebpf_plugin_stats_t; + typedef struct ebpf_module { const char *thread_name; const char *config_name; @@ -173,17 +208,17 @@ typedef struct ebpf_module { uint32_t pid_map_size; struct config *cfg; const char *config_file; + uint64_t kernels; + netdata_ebpf_load_mode_t load; + netdata_ebpf_targets_t *targets; } ebpf_module_t; extern int ebpf_get_kernel_version(); extern int get_redhat_release(); extern int has_condition_to_run(int version); extern char *ebpf_kernel_suffix(int version, int isrh); -extern void ebpf_update_kernel(char *ks, size_t length, int isrh, int version); -extern struct bpf_link **ebpf_load_program(char *plugins_dir, - ebpf_module_t *em, - char *kernel_string, - struct bpf_object **obj); +extern struct bpf_link **ebpf_load_program(char *plugins_dir, ebpf_module_t *em, int kver, int is_rhf, + struct bpf_object **obj); extern void ebpf_mount_config_name(char *filename, size_t length, char *path, const char *config); extern int ebpf_load_config(struct config *config, char *filename); @@ -193,6 +228,7 @@ extern char *ebpf_find_symbol(char *search); extern void ebpf_load_addresses(ebpf_addresses_t *fa, int fd); extern void ebpf_fill_algorithms(int *algorithms, size_t length, int algorithm); extern char **ebpf_fill_histogram_dimension(size_t maximum); +extern void ebpf_update_stats(ebpf_plugin_stats_t *report, ebpf_module_t *em); // Histogram #define NETDATA_EBPF_HIST_MAX_BINS 24UL -- cgit v1.2.3