Make sending large eBPF events more memory efficient #119

Merged


MatteoNardi
Contributor

Make sending large eBPF events more memory efficient

This fixes #73 by removing variable-length fields from the eBPF event payloads and adding them to a dynamic buffer, sent after the event.

  • eBPF buffer management code has been added to bpf-common/include/buffer.bpf.h
  • variable length fields have been replaced by indexes (start + len) of the buffer
    • struct buffer_index is used on the eBPF side
    • struct BufferIndex is used on the Rust side
  • Converting a C type to Event::Payload now also requires the buffer. The IntoPayload trait was introduced.
  • We use bytes::Bytes for buffer management; this results in less data copying.
    • There's a copy when reading the PerfEvent (unavoidable with aya APIs)
    • There's a copy when converting the C-like struct to event::Payload
      • Ideally we could remove this by using Bytes inside event::Payload
    • We no longer make a copy of big buffers which are processed before being converted to Payload. For example the UDP message buffer, which is used for intercepting DNS, is copied only once, from kernel to user space. Previously it was copied 2 times.

This was the simplest solution I could envision for #73.

I have

  • run cargo fmt;
  • run cargo clippy;
  • run cargo test and all tests pass;
  • linked to the originating issue (if applicable).

@MatteoNardi MatteoNardi linked an issue Dec 2, 2022 that may be closed by this pull request
Remove the deprecated StringArray and DataArray, which have been
replaced by the dynamic buffer.

See:
- bpf-common/include/buffer.bpf.h
- bpf-common/src/parsing/buffer_index.rs
@MatteoNardi MatteoNardi force-pushed the 73-make-sending-large-ebpf-events-more-memory-efficient branch from 7328b57 to 643175e Compare December 5, 2022 15:20
A warning was making all CI builds but x86_64 fail (I guess `-Werror`
got somehow enabled)

Also, since warnings are generally trivial to solve, but make the actual
compiler output hard to decipher, I think it's better to force to
address them.
@banditopazzo
Member

you can update bytes to "1.3.0" in bpf-common/Cargo.toml

@banditopazzo
Member

also in network-monitor probe seems there is no check on length before output

@MatteoNardi MatteoNardi force-pushed the 73-make-sending-large-ebpf-events-more-memory-efficient branch from 4a37829 to c41ad7f Compare January 13, 2023 15:59
Old code didn't take advantage of dynamic buffer and always wrote
the whole event, even if most of it was unused.

Create an output.bpf.h with macros and utility functions for emitting
perf events.
Improve get_path_str and make it compatible again with 20 components, as
before the dynamic buffer refactor.
@MatteoNardi MatteoNardi merged commit 9285125 into main Jan 16, 2023
@MatteoNardi MatteoNardi deleted the 73-make-sending-large-ebpf-events-more-memory-efficient branch January 16, 2023 16:49
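
Added example, not code from this PR or from the project: a user-space sketch of resolving a (start + len) buffer index, as described in the PR summary, with the bounds check that keeps a malformed or truncated record from panicking the reader. The field widths, the 8-byte record layout, `IndexError`, `parse_event` and `sample_record` are assumptions made for illustration; only the `BufferIndex` name and its start/len fields come from the description.

```rust
// Added example. Assumed wire layout, little-endian:
// [u32 pid][u16 start][u16 len][dynamic buffer ...]
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct BufferIndex { pub start: u16, pub len: u16 }

#[derive(Debug, PartialEq)]
pub enum IndexError {
    Truncated,
    OutOfBounds { start: usize, len: usize, buffer_len: usize },
    NotUtf8,
}

impl BufferIndex {
    /// Resolve the index against the buffer that was actually received.
    pub fn bytes<'a>(&self, buffer: &'a [u8]) -> Result<&'a [u8], IndexError> {
        let (start, len) = (self.start as usize, self.len as usize);
        // `get` returns None instead of panicking when the range leaves the buffer.
        buffer.get(start..start + len).ok_or(IndexError::OutOfBounds {
            start, len, buffer_len: buffer.len(),
        })
    }

    /// Same lookup, additionally requiring valid UTF-8.
    pub fn string<'a>(&self, buffer: &'a [u8]) -> Result<&'a str, IndexError> {
        std::str::from_utf8(self.bytes(buffer)?).map_err(|_| IndexError::NotUtf8)
    }
}

/// Split a raw record into (pid, filename) using the assumed layout.
pub fn parse_event(raw: &[u8]) -> Result<(u32, &str), IndexError> {
    const FIXED: usize = 8; // 4-byte pid + 4-byte BufferIndex
    if raw.len() < FIXED {
        return Err(IndexError::Truncated);
    }
    let (fixed, buffer) = raw.split_at(FIXED);
    let pid = u32::from_le_bytes([fixed[0], fixed[1], fixed[2], fixed[3]]);
    let filename = BufferIndex {
        start: u16::from_le_bytes([fixed[4], fixed[5]]),
        len: u16::from_le_bytes([fixed[6], fixed[7]]),
    };
    Ok((pid, filename.string(buffer)?))
}

/// Constructed sample record: pid=1234, start=2, len=8, then a 12-byte buffer.
pub fn sample_record() -> Vec<u8> {
    let mut raw = vec![0xD2, 0x04, 0, 0, 2, 0, 8, 0];
    raw.extend_from_slice(b"xx/bin/cat..");
    raw
}

fn main() {
    println!("{:?}", parse_event(&sample_record()));
}
```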