bpf: initial pcap exporter for lb #15376
Merged
Conversation
borkmann added the labels sig/datapath (Impacts bpf/ or low-level forwarding details, including map management and monitor messages), area/daemon (Impacts operation of the Cilium daemon), release-note/misc (This PR makes changes that have no direct user impact), sig/hubble (Impacts hubble server or relay), feature/lb-only (Impacts cilium running in lb-only datapath mode) and sig/loadbalancing on Mar 17, 2021
borkmann force-pushed the pr/lb-observ branch 3 times, most recently from ba9e583 to a4ad6d6 on March 22, 2021 20:58
Add a per-cpu ktime cache we can use for the packet capturing exporter facility from the LB. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add a new capture type for pcap exporter to perf RB that we're going to use for the lb-only mode out of XDP initially. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add both to the XDP DSR load balancer for capture points upon packet arrival and departure after encap. Also guard it under ENABLE_CAPTURE so that there's no overhead when not compiled in, plus so that the agent can probe the boot ktime helper availability. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
And also add __ prefixed variants that abstract the ktime handling away from caller. Right now the capture is unconditional, next step we'll add a classifier where the value (rule_id) of the match is then passed through the capture helpers. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann force-pushed the pr/lb-observ branch 8 times, most recently from e6f0de6 to 4da7db7 on March 29, 2021 23:27
Add a common interface such that we prep both v4/v6 maps for allowing to dump their entries from CLI. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann force-pushed the pr/lb-observ branch 2 times, most recently from 2d696d5 to ab0f473 on March 30, 2021 12:41
test-me-please
(1 similar comment)
test-me-please
brb approved these changes on Mar 30, 2021
Amazing!
retest-1.21-4.9
Move the v4/v6 maps under ENABLE_CAPTURE so they are not attempted to be included given we also don't define their names/sizes from agent side. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add `cilium bpf recorder list` command to dump both the v4 and v6 wildcarded maps that contain the capture n-tuple filters. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add the dump of the recorder map to the sysdump for introspection. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add generated cmdref to the documentation. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
test-me-please
gandro approved these changes on Mar 30, 2021
retest-runtime (CI provision fail)
retest-runtime
Allow for easy debugging of recorder events and thus provide a monitoring dissector. Example:

  # ./daemon/cilium-agent --enable-ipv4=true --enable-ipv6=true \
      --datapath-mode=lb-only --bpf-lb-algorithm=maglev \
      --bpf-lb-maglev-table-size=2039 --bpf-lb-mode=dsr \
      --bpf-lb-acceleration=native --devices=enp10s0f0np0 \
      --bpf-lb-dsr-dispatch=ipip --disable-envoy-version-check=true \
      --enable-bpf-clock-probe=true --enable-recorder=true

  # bpftool map update pinned /sys/fs/bpf/tc/globals/cilium_capture4_rules \
      key hex 0 0 0 0 c0 a8 a0 04 0 0 0 0 0 0 20 0 value hex 0 1 0 0 0 0 0 0

  # ./cilium/cilium bpf recorder list
  192.168.160.4/32:0 -> 0.0.0.0/0:0 ANY ID:256 CapLen:0

  # ./cilium/cilium service list
  ID   Frontend             Service Type   Backend
  1    192.168.160.3:8080   ExternalIPs    1 => 192.168.160.4:8080 (from remote)

  # curl 192.168.160.3:8080
  [...]

  # ./cilium/cilium monitor
  [...]
  Recorder capture: dir:ingress rule:256 ts:99992076120464 caplen:74 len:74
  Ethernet {Contents=[..14..] Payload=[..62..] SrcMAC=b8:ce:f6:05:e7:76 DstMAC=b8:ce:f6:05:e7:62 EthernetType=IPv4 Length=0}
  IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=44495 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=52115 SrcIP=192.168.160.4 DstIP=192.168.160.3 Options=[] Padding=[]}
  TCP {Contents=[..40..] Payload=[] SrcPort=52128 DstPort=8080(http-alt) Seq=592744369 Ack=0 DataOffset=10 FIN=false SYN=true RST=false PSH=false ACK=false URG=false ECE=false CWR=false NS=false Window=42340 Checksum=59261 Urgent=0 Options=[..5..] Padding=[]}
  ----
  Recorder capture: dir:egress rule:256 ts:99992076120464 caplen:94 len:94
  Ethernet {Contents=[..14..] Payload=[..86..] SrcMAC=b8:ce:f6:05:e7:62 DstMAC=b8:ce:f6:05:e7:76 EthernetType=IPv4 Length=0}
  IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=44495 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=52115 SrcIP=192.168.160.4 DstIP=192.168.160.3 Options=[] Padding=[]}
  IPv4 {Contents=[..20..] Payload=[..40..] Version=4 IHL=5 TOS=0 Length=60 Id=44495 Flags=DF FragOffset=0 TTL=64 Protocol=TCP Checksum=52115 SrcIP=192.168.160.4 DstIP=192.168.160.3 Options=[] Padding=[]}
  TCP {Contents=[..40..] Payload=[] SrcPort=52128 DstPort=8080(http-alt) Seq=592744369 Ack=0 DataOffset=10 FIN=false SYN=true RST=false PSH=false ACK=false URG=false ECE=false CWR=false NS=false Window=42340 Checksum=59261 Urgent=0 Options=[..5..] Padding=[]}
  ----
  [...]

Note that our monitor dissector code is currently broken in that it cannot handle IPIP correctly (hence the same IP header twice above). It can only cache/dump the IP layer once right now, subject to a different fix at some point.

The future pcap writer code needs to:
1) Translate the boot time ts into a time of day ts.
2) Dump into a different pcap file based on rule id.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
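The two follow-up items at the end of that commit message, boot-time to time-of-day translation and one pcap file per rule id, are the core of any exporter consuming these events, so the following added example sketches them in Go. It is not Cilium's code and makes no claim about how the later recorder exporter was actually written; it assumes the monitor's summary line format shown above ("Recorder capture: dir:... rule:... ts:... caplen:... len:..."), the classic little-endian pcap file layout with nanosecond timestamps, and that the agent can sample the wall clock and the boot clock once, back to back, to derive a fixed offset (the helper names ParseMonitorLine, WallOffset, BootToWall, PcapSink and MemoryOpener are all hypothetical). Frame bytes and the boot-clock sample in main are constructed placeholders.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"time"
)

// Capture is one recorder event as the monitor summarises it, e.g.
// "Recorder capture: dir:ingress rule:256 ts:99992076120464 caplen:74 len:74".
type Capture struct {
	Dir    string // "ingress" or "egress"
	RuleID uint32 // value of the matching cilium_capture{4,6}_rules entry
	BootTS uint64 // nanoseconds on the boot clock, not time of day
	CapLen uint32 // bytes captured; len(Data) must equal this
	Len    uint32 // original frame length on the wire
	Data   []byte // captured frame bytes
}

// ParseMonitorLine parses the summary line (hypothetical helper); frame bytes
// are passed separately because the monitor prints them already dissected.
func ParseMonitorLine(line string, data []byte) (Capture, error) {
	c := Capture{Data: data}
	n, err := fmt.Sscanf(line, "Recorder capture: dir:%s rule:%d ts:%d caplen:%d len:%d",
		&c.Dir, &c.RuleID, &c.BootTS, &c.CapLen, &c.Len)
	if err != nil || n != 5 {
		return c, fmt.Errorf("unparseable recorder line %q: %v", line, err)
	}
	return c, nil
}

// WallOffset derives wall_now - boot_now from one paired sample of both clocks
// (on Linux that is CLOCK_REALTIME next to CLOCK_BOOTTIME, read by the agent).
func WallOffset(wallNow time.Time, bootNowNs uint64) int64 {
	return wallNow.UnixNano() - int64(bootNowNs)
}

// BootToWall is item 1 of the commit message: boot-clock ts to time of day.
func BootToWall(bootNs uint64, offsetNs int64) time.Time {
	return time.Unix(0, int64(bootNs)+offsetNs).UTC()
}

// PcapSink is item 2: one pcap stream per rule id, opened on first use.
type PcapSink struct {
	offsetNs int64
	open     func(ruleID uint32) (io.Writer, error)
	streams  map[uint32]io.Writer
}

func NewPcapSink(offsetNs int64, open func(uint32) (io.Writer, error)) *PcapSink {
	return &PcapSink{offsetNs: offsetNs, open: open, streams: map[uint32]io.Writer{}}
}

// MemoryOpener keeps each rule's pcap in a bytes.Buffer so this runs offline;
// a real exporter would open a "<rule-id>.pcap" file here instead.
func MemoryOpener(store map[uint32]*bytes.Buffer) func(uint32) (io.Writer, error) {
	return func(id uint32) (io.Writer, error) {
		store[id] = &bytes.Buffer{}
		return store[id], nil
	}
}

// writeGlobalHeader emits the 24-byte pcap file header: nanosecond magic,
// version 2.4, zero thiszone/sigfigs, snaplen 65535, LINKTYPE_ETHERNET (1),
// since the XDP capture points hand over complete L2 frames.
func writeGlobalHeader(w io.Writer) error {
	var h [24]byte
	binary.LittleEndian.PutUint32(h[0:], 0xa1b23c4d)
	binary.LittleEndian.PutUint16(h[4:], 2)
	binary.LittleEndian.PutUint16(h[6:], 4)
	binary.LittleEndian.PutUint32(h[16:], 65535)
	binary.LittleEndian.PutUint32(h[20:], 1)
	_, err := w.Write(h[:])
	return err
}

// Write appends one record (ts_sec, ts_nsec, caplen, len, data) to the rule's
// stream. A caplen that disagrees with the data length is rejected, because
// writing it would desynchronise every record that follows in the file.
func (s *PcapSink) Write(c Capture) error {
	if uint32(len(c.Data)) != c.CapLen {
		return fmt.Errorf("rule %d: caplen %d but %d data bytes", c.RuleID, c.CapLen, len(c.Data))
	}
	w, ok := s.streams[c.RuleID]
	if !ok {
		var err error
		if w, err = s.open(c.RuleID); err != nil {
			return err
		}
		if err = writeGlobalHeader(w); err != nil {
			return err
		}
		s.streams[c.RuleID] = w
	}
	ts := BootToWall(c.BootTS, s.offsetNs)
	var rec [16]byte
	binary.LittleEndian.PutUint32(rec[0:], uint32(ts.Unix()))
	binary.LittleEndian.PutUint32(rec[4:], uint32(ts.Nanosecond()))
	binary.LittleEndian.PutUint32(rec[8:], c.CapLen)
	binary.LittleEndian.PutUint32(rec[12:], c.Len)
	if _, err := w.Write(rec[:]); err != nil {
		return err
	}
	_, err := w.Write(c.Data)
	return err
}

func main() {
	store := map[uint32]*bytes.Buffer{}
	// Constructed boot-clock sample (100000 s since boot) paired with the wall clock now.
	sink := NewPcapSink(WallOffset(time.Now(), 100000000000000), MemoryOpener(store))
	for _, line := range []string{ // the two monitor lines quoted in the commit message
		"Recorder capture: dir:ingress rule:256 ts:99992076120464 caplen:74 len:74",
		"Recorder capture: dir:egress rule:256 ts:99992076120464 caplen:94 len:94",
	} {
		c, err := ParseMonitorLine(line, nil)
		if err != nil {
			panic(err)
		}
		c.Data = make([]byte, c.CapLen) // placeholder frame bytes; real ones come from the perf ring
		if err := sink.Write(c); err != nil {
			panic(err)
		}
	}
	fmt.Printf("rule 256 pcap stream: %d bytes\n", store[256].Len())
}
```

The offset approach is the practical answer to item 1: bpf_ktime_get_boot_ns keeps counting across suspend, so a single (wall, boot) sample taken by the agent converts every later event without a syscall per packet; the clock probe flag in the example command line exists precisely so the agent knows whether the boot-clock helper is available. Keying streams by rule id (item 2) means the same n-tuple rule that was installed with bpftool above ends up as its own self-contained capture file.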
test-me-please
retest-runtime
Hit #15469 in 4.19: unrelated.
Hit #14959 in 4.9: unrelated.
This was referenced Apr 28, 2021
See commit msgs.
Basis for agent + Hubble recorder framework: