run: Fix a lot of leakages and implement support for multiple socket filter programs #2264
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@mauriciovasquezbernal I find this approach much better, LGTM |
burak-ok
approved these changes
Dec 1, 2023
| @@ -124,11 +124,7 @@ func (t *Tracer) Init(gadgetCtx gadgets.GadgetContext) error { | |||
| return nil | |||
| } | |||
|
|
|||
| // Close is needed because of the StartStopGadget interface | |||
There was a problem hiding this comment.
Now I remember the importance of the override keyword in C++
eiffel-fl
approved these changes
Dec 1, 2023
| } | ||
| socketFilterFound = true | ||
| err := t.networkTracer.AttachProg(t.collection.Programs[progName]) | ||
| networkTracer := t.networkTracers[p.Name] |
There was a problem hiding this comment.
Should you test if ok to avoid a SEGFAULT?
There was a problem hiding this comment.
I don't think that case is possible. If that happens, it seems there's something very broken, so crashing is fine.
The GadgetStartStop interface was removed a long time ago in a3e5871 ("pkg/runtime/local: Move context and timeout management into tracers"), so the Stop() method was never being called. It was causing to leak all BPF objects of the gadgets being run. This commit also fixes a leakage on the network tracer as it was never being closed. Fixes: 07ca0fb ("Initial support for containerized gadgets") Fixes: c1cc966 ("implement networking gadgets for containerized gadgets") Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
mauriciovasquezbernal
force-pushed
the
mauricio/socket-filter-network-tracer
branch
from
175be40
to
966b473
Compare
The logic to create the network tracer (needed by socket filter programs) was placed in NewInstance(), unfortunately it has a lot of drawbacks: 1. NewInstance() is called many times in the workflow without running the gadget, it was causing the network tracer to be instantiated multiple times without any purpose. 2. Creating the network tracer requires root. It was making `ig --help` to print some annoying warnings (#2108) 3. The network tracer was always created, even for gadgets that don't need it, also only a single socket filter program was supported. The main motivation to have this logic on NewInstance() was that the network tracer has to be created before calling AttachContainer(). This commit moves all that logic to Init() (that is called before AttachContainer()) and enables the support for multiple socket filter programs on a gadget. Signed-off-by: Mauricio Vásquez <mauriciov@microsoft.com>
mauriciovasquezbernal
force-pushed
the
mauricio/socket-filter-network-tracer
branch
from
966b473
to
b663533
Compare
mauriciovasquezbernal
deleted the
mauricio/socket-filter-network-tracer
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
All of this started while investigating this comment, which refers to #2108. I found that we weren't releasing the network tracer, and then I found that the issue was worst and we're not releasing any programs at all when running image-based gadgets.
How to test
Before this fix
Before running any gadget, there are some programs and maps in the node:
Run a gadget, and terminate it as soon as it prints some events.
The number of open programs and maps increased:
If you run the gadget again, they keep increasing
The situation is worst with a networking gadget:
A lot of maps named tail_call and the dns program itself are leaked
After this fix
Before running any gadget, there are some programs and maps in the node:
Run a gadget, and terminate it as soon as it prints some events.
The number of open programs and maps is the same as before
Running the dns gadget has the same behaviour
In this case the numbers increased because the socket enricher is lazily-loaded, if we run again the numbers keep constant:
Fixes #2108