-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kallsyms: use ebpf alternative when kallsyms not available #2280
Conversation
pkg/kallsyms/kallsyms.go
Outdated
@@ -179,6 +179,12 @@ func specUpdateAddresses( | |||
} | |||
} | |||
|
|||
// List of symbols that we're able to find without using /proc/kallsyms |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am wondering if we cannot use this approach for all symbols and get rid of /proc/kallsyms
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kallsyms is also used in:
- profile-cpu gadget (
kAllSyms.LookupByInstructionPointer(ip)
) - top-block-io gadget (
__blk_account_io_start
,blk_account_io_start
,__blk_account_io_done
,blk_account_io_done
In those cases, the symbol is not used in any field of a struct file *
, so the same trick to pass a file descriptor in a unix socket (SCM_RIGHTS
) cannot be used.
Why not, but if everything failed (reading |
78e4382
to
86ca019
Compare
I've refactorised the code to make it possible to add some unit tests. It is now possible to test that the two methods to get the addresses of
After more thinking, I think both could be done in a future PR. |
86ca019
to
76d4125
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some more comments but it is looking great:
76d4125
to
20f7d21
Compare
What do you mean by both? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested it and it works fine but I am wondering about #2270.
Sorry I was confused. At the moment, we print a warning when both methods (kallsyms and eBPF) fail, so I think it is fine as it is. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some initial comments. Will look at tests later on.
pkg/kallsyms/kallsyms.go
Outdated
// List of symbols that we're able to find in 'struct file *' using eBPF | ||
symbolsBypass := map[string]fdType{ | ||
"socket_file_ops": fdTypeSocket, | ||
"bpf_prog_fops": fdTypeEbpfProgram, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
general golang question: is it better to use a map than a switch case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some comments about previous implementation:
- Would merging
symbolsMap
andtriedGetAddr
maps in a single one containing atype symbolResolve struct { addr uint64; err error }
as value make the code better? - Does SymbolExists have to acquire the lock? Why it doesn't trigger the lookup logic and only returns from cache?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps specUpdateAddresses
can be refactored in a function that just returns the symbols and it'll be easier to test without having to always use the bpf spec?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't touch these to avoid changing to much but happy to revisit if you think they should be part of this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps specUpdateAddresses
can be refactored in a function that just returns the symbols and it'll be easier to test without having to always use the bpf spec?
It seems this is affecting integrations runs on GKE (OS:
I tested it with the image from this PR and results are looking better. |
ad5b24d
to
eaa4397
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi!
What is the status of this PR?
I did take a quick look but I can see there are still some previous unresolved comments.
Best regards.
Thanks for the quick look, I am still working on unresolved comments. I will mark this PR draft and open it for reviews once I am done! |
d08a73d
to
661af6b
Compare
On the minikube kernel 5.10.57, /proc/kallsyms does not provide the following symbols: - bpf_prog_fops (used by the top-ebpf gadget) - socket_file_ops (used by the socket enricher) This patch provides an alternative to get the address of those symbols using ebpf. Most of the required ebpf code was already implemented for the container-hook package. The file is moved to make it available in a generic package: pkg/container-hook/bpf/privatedata.bpf.c -> pkg/kfilefields/bpf/filefields.bpf.c Co-authored-by: Qasim Sarfraz <qasimsarfraz@microsoft.com> Co-authored-by: Alban Crequy <albancrequy@linux.microsoft.com> Signed-off-by: Alban Crequy <albancrequy@linux.microsoft.com>
Signed-off-by: Qasim Sarfraz <qasimsarfraz@microsoft.com>
72a892c
to
9036995
Compare
Thanks for the reviews! |
kallsyms: use ebpf alternative when kallsyms not available
On the minikube kernel 5.10.57, /proc/kallsyms does not provide the following symbols:
This patch provides an alternative to get the address of those symbols using ebpf.
Most of the required ebpf code was already implemented for the container-hook package. The file is moved to make it available in a generic package:
pkg/container-hook/bpf/privatedata.bpf.c -> pkg/kfilefields/bpf/filefields.bpf.c
How to use
No changes
Testing done
Tested by adding a
fmt.Printf
:Tested by reverting 681c370 (#2270). It works too.
GKE
integration tests run on GKE are passing now since symbol are being resolved:
Links
top/ebpf
does not work onminikube
withkvm
driver #1213TODO