/
accesslog.proto
364 lines (320 loc) · 10.6 KB
/
accesslog.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
syntax = "proto3";
package skywalking.v3;
option java_multiple_files = true;
option java_package = "org.apache.skywalking.apm.network.ebpf.accesslog.v3";
option go_package = "skywalking.apache.org/repo/goapi/collect/ebpf/accesslog/v3";
import "common/Common.proto";
service EBPFAccessLogService {
rpc collect(stream EBPFAccessLogMessage) returns (EBPFAccessLogDownstream) {
}
}
message EBPFAccessLogMessage {
// metadata of access log, only not null when first message
EBPFAccessLogMetadata metadata = 1;
// local process and remote process connection information
AccessLogConnection connection = 2;
// kernel level metrics
repeated AccessLogKernelLog kernelLogs = 3;
// application protocol log
// if the protocol is detected, the kernel logs is works the related logs
// otherwise, the kernel log is not related and is sent periodically
AccessLogProtocolLogs protocolLog = 4;
}
message EBPFAccessLogMetadata {
// current node information
EBPFAccessLogNodeInfo node = 1;
// policy for access logs
EBPFAccessLogPolicy policy = 2;
}
message EBPFAccessLogPolicy {
// which namespaces should be excluded to generate the connection
repeated string excludeNamespaces = 1;
}
message EBPFAccessLogNodeInfo {
// Node name
string name = 1;
// All net interfaces list
repeated EBPFAccessLogNodeNetInterface netInterfaces = 2;
// System boot time
Instant bootTime = 3;
// Cluster name
string clusterName = 4;
}
message EBPFAccessLogNodeNetInterface {
int32 index = 1;
int32 mtu = 2;
string name = 3;
}
// Connection information
message AccessLogConnection {
// local address
ConnectionAddress local = 1;
// remote/peer address
ConnectionAddress remote = 2;
// local address detect point
DetectPoint role = 3;
// is the connection using TLS or not
AccessLogConnectionTLSMode tlsMode = 4;
// application protocol type
AccessLogProtocolType protocol = 5;
}
message ConnectionAddress {
oneof address {
// if the address is monitored under the local machine, then return the kubernetes
KubernetesProcessAddress kubernetes = 1;
// if the address cannot be aware, then return the ip address
IPAddress ip = 2;
}
}
message KubernetesProcessAddress {
string serviceName = 1;
string podName = 2;
string containerName = 3;
string processName = 4;
int32 port = 5;
}
message IPAddress {
string host = 1;
int32 port = 2;
}
enum AccessLogConnectionTLSMode {
Plain = 0;
TLS = 1;
}
message AccessLogKernelLog {
oneof operation {
AccessLogKernelConnectOperation connect = 1;
AccessLogKernelAcceptOperation accept = 2;
AccessLogKernelCloseOperation close = 3;
AccessLogKernelReadOperation read = 4;
AccessLogKernelWriteOperation write = 5;
}
}
message AccessLogProtocolLogs {
oneof protocol {
AccessLogHTTPProtocol http = 1;
}
}
message AccessLogHTTPProtocol {
// first bytes receive/write timestamp
EBPFTimestamp startTime = 1;
// last bytes receive/write timestamp
EBPFTimestamp endTime = 2;
AccessLogHTTPProtocolVersion version = 3;
AccessLogHTTPProtocolRequest request = 4;
AccessLogHTTPProtocolResponse response = 5;
}
enum AccessLogHTTPProtocolVersion {
HTTP1 = 0;
HTTP2 = 1;
}
message AccessLogHTTPProtocolRequest {
AccessLogHTTPProtocolRequestMethod method = 1;
// The path portion from the incoming request URI.
string path = 2;
// Request header and body size.
uint64 sizeOfHeadersBytes = 3;
uint64 sizeOfBodyBytes = 4;
// The trace information if detected.
AccessLogTraceInfo trace = 5;
}
message AccessLogHTTPProtocolResponse {
int32 statusCode = 1;
// Response header and body size.
uint64 sizeOfHeadersBytes = 3;
uint64 sizeOfBodyBytes = 4;
}
message AccessLogTraceInfo {
AccessLogTraceInfoProvider provider = 1;
// [Optional] A string id represents the whole trace.
string traceId = 2;
// A unique id represents this segment. Other segments could use this id to reference as a child segment.
// [Optional] when this span reference
string traceSegmentId = 3;
// If type == SkyWalking
// The number id of the span. Should be unique in the whole segment.
// Starting at 0
//
// If type == Zipkin
// The type of span ID is string.
string spanId = 4;
}
enum AccessLogTraceInfoProvider {
Zipkin = 0;
SkyWalking = 1;
}
enum AccessLogHTTPProtocolRequestMethod {
Get = 0;
Post = 1;
Put = 2;
Delete = 3;
Head = 4;
Patch = 5;
Options = 6;
Trace = 7;
Connect = 8;
}
message AccessLogKernelConnectOperation {
// Starting to connect with peer address timestamp
EBPFTimestamp startTime = 1;
// Finish connect operation timestamp
EBPFTimestamp endTime = 2;
// Is the connect operation success or not
bool success = 3;
}
message AccessLogKernelAcceptOperation {
// Starting to accept socket timestamp
EBPFTimestamp startTime = 1;
// Finish accept operation timestamp
EBPFTimestamp endTime = 2;
}
message AccessLogKernelCloseOperation {
// Starting to close the connection timestamp
EBPFTimestamp startTime = 1;
// Finish close operation timestamp
EBPFTimestamp endTime = 2;
// Is the close operation success or not
bool success = 3;
}
message AccessLogKernelWriteOperation {
// Starting to write data timestamp
EBPFTimestamp startTime = 1;
// Finish write operation timestamp
EBPFTimestamp endTime = 2;
// Which kind of syscall of current write operation
AccessLogKernelWriteSyscall syscall = 3;
// Layer 2-4 related metrics
AccessLogKernelWriteL4Metrics l4Metrics = 4;
AccessLogKernelWriteL3Metrics l3Metrics = 5;
AccessLogKernelWriteL2Metrics l2Metrics = 6;
}
message AccessLogKernelWriteL4Metrics {
// total duration(nanosecond) of layer 4
uint64 totalDuration = 1;
// total send package(contains retransmit count) count(sk_buff in linux)
int64 totalTransmitPackageCount = 2;
// total retransmit package count(sk_buff in linux)
int64 totalRetransmitPackageCount = 3;
// total losted package count metrics
repeated AccessLogLossPackageMetrics lossPackageMetrics = 4;
// total package size(bytes)
int64 totalPackageSize = 5;
}
message AccessLogLossPackageMetrics {
string location = 1;
int32 count = 2;
}
message AccessLogKernelWriteL3Metrics {
// total duration(nanosecond) of layer 3
uint64 totalDuration = 1;
// total local out use duration(nanoseconds) -> kernel: ip_local_out
uint64 totalLocalDuration = 2;
// total output use duration(nanoseconds) -> kernel: ip_finish_output2 - ip_output
uint64 totalOutputDuration = 3;
// total resolve remote MAC address(ARP Request) count and duration(nanosecond) -> kernel: neigh_resolve_output
uint64 totalResolveMACCount = 5;
uint64 totalResolveMACDuration = 6;
// total netfiltering count and duration(nanosecond) -> kernel: nf_hook
uint64 totalNetFilterCount = 7;
uint64 totalNetFilterDuration = 8;
}
message AccessLogKernelWriteL2Metrics {
// total duration(nanosecond) of layer 2
uint64 totalDuration = 1;
// target network hardware interface index, get the net hardware name through EBPFAccessLogNodeNetInterface#index
uint32 ifindex = 2;
// total enter the net device buffer count
uint64 totalEnterQueueBufferCount = 3;
// total buffer data ready to send duration(nanosecond), ready_to_send - enter_queue
uint64 totalReadySendDuration = 4;
// total send buffer to the net device duration(nanosecond)
uint64 totalNetDeviceSendDuration = 5;
}
message AccessLogKernelReadOperation {
// Starting to read data timestamp
EBPFTimestamp startTime = 1;
// Finish read operation timestamp
EBPFTimestamp endTime = 2;
// Which kind of syscall of current read operation
AccessLogKernelReadSyscall syscall = 3;
// Layer 2-4 related metrics
AccessLogKernelReadL2Metrics l2Metrics = 4;
AccessLogKernelReadL3Metrics l3Metrics = 5;
AccessLogKernelReadL4Metrics l4Metrics = 6;
}
message AccessLogKernelReadL2Metrics {
// from network hardware interface index, get the net hardware name through EBPFAccessLogNodeNetInterface#index
uint32 ifindex = 1;
// total package count
uint32 totalPackageCount = 2;
// total package size
uint64 totalPackageSize = 3;
// total duration(nanosecond) of all data packets queued (waiting to be read).
uint64 totalPackageToQueueDuration = 4;
// total duration(nanosecond) of all data packets read from the queue.
uint64 totalRcvPackageFromQueueDuration = 5;
}
message AccessLogKernelReadL3Metrics {
uint64 totalDuration = 1;
// total local receive use duration(nanoseconds) -> kernel: ip_rcv_finish - ip_rcv
uint64 totalRecvDuration = 2;
// total local use duration(nanoseconds) -> kernel: ip_local_deliver_finish - ip_local_deliver
uint64 totalLocalDuration = 3;
// total netfiltering count and duration(nanosecond) -> kernel: nf_hook
uint64 totalNetFilterCount = 4;
uint64 totalNetFilterDuration = 5;
}
message AccessLogKernelReadL4Metrics {
uint64 totalDuration = 1;
}
enum AccessLogKernelWriteSyscall {
Write = 0;
Writev = 1;
Send = 2;
SendTo = 3;
SendMsg = 4;
SendMmsg = 5;
SendFile = 6;
SendFile64 = 7;
}
enum AccessLogKernelReadSyscall {
Read = 0;
Readv = 1;
Recv = 2;
RecvFrom = 3;
RecvMsg = 4;
RecvMmsg = 5;
}
enum AccessLogProtocolType {
TCP = 0;
HTTP_1 = 1;
HTTP_2 = 2;
}
message EBPFTimestamp {
oneof timestamp {
EBPFOffsetTimestamp offset = 1;
}
}
// Get nanosecond through offset with node start instant
message EBPFOffsetTimestamp {
uint64 offset = 1;
}
message EBPFAccessLogDownstream {
}