-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use Aya in the userspace #142
Conversation
I would say it's ready for review, since the code on lockc side is most likely not going to radically change. Why I keep it as a draft? The problem is that we discovered some bugs in Aya, which has some troubles with loading lockc eBPF programs. For now we are using partial fixes from Dave Tucker's branch, not upstreamed yet: https://github.com/dave-tucker/aya/tree/lockc We are also discussing those problems every day on Aya Discord server (https://discord.gg/xHW2cb2N6G) |
17cc60f
to
ed35f8f
Compare
It fully works and is ready for review! 🎉 So far it uses the following fork and branch of Aya: But all those fixes should land in the main branch soon. |
8eade52
to
c50679d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I cannot comment about the BPF-related parts. As for the others, I left some comments.
Sorry for being pedantic about structured logging, I think it's super important to have it and it's something that must be enforced always while writing code
lockc/src/main.rs
Outdated
let log_level = match env::var("LOCKC_DEBUG") { | ||
Ok(_) => LevelFilter::Debug, | ||
Err(_) => LevelFilter::Info, | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be nice to handle all of that via clap, which allows both cli and env variables to be set. Plus it does many kind of checks and generates a nice help output.
This is something I would not do as part of this PR, but I would file an issue and work on that later on if I were you
lockc/src/main.rs
Outdated
TermLogger::init( | ||
LevelFilter::Debug, | ||
ConfigBuilder::new() | ||
.set_target_level(log_level) | ||
.set_location_level(log_level) | ||
.build(), | ||
TerminalMode::Mixed, | ||
ColorChoice::Auto, | ||
)?; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another issue that could be filed for future work: it's pretty easy to use a JSON formatter that prints logs in a "machine-friendly" way.
I would offer the user a choice between two console output format: pretty/human and json. If you look into kubewarden/policy-server
you can find the code to deal with that :)
lockc/src/runc.rs
Outdated
.build()? | ||
.block_on(self.add_container(container_id, pid, policy_level))?; | ||
|
||
Ok(()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same here
666f986
to
025fae4
Compare
lockc/src/bpfstructs.rs
Outdated
let mut id_b = CString::new(id)?.into_bytes_with_nul(); | ||
id_b.resize(CONTAINER_ID_LIMIT as usize, 0); | ||
Ok(container_id { | ||
id: id_b.try_into().unwrap(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You should not unwrap
here, rather bubble up the error. This function already returns a Result
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The main reason why I did unwrap here is that I didn't find any way to successfully convert TryInto
errors into anything which can be listed in thiserror::Error
enums. But it seems that the cleanest way to handle that will be converting TryInto
error into some custom error with map_err
. At least that's how this StackOverflow topic concludes:
https://stackoverflow.com/questions/66508331/cast-error-from-try-into-to-custom-error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this is what I would do. Eventually define a new error type with thiserror
and then rely onmap_err
to do the conversion
4c46033
to
7b8e79f
Compare
@flavio PTAL To sum it up:
What I didn't to was removal of |
92f3472
to
eac6ed3
Compare
Since we are dropping the usage of libbpf-rs, we are going to keep only C source files (to be built directly with Clang). Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Follow up changes are goinng to handle container add/delete operations in the userspace. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
We are going to dron the usage of libbpf-rs at all. The first step is to remove libbpf-cargo dependency from our build. This change replaces it with direct usage of clang and libbpf headers copied from libbpf-sys. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
BTF maps defined in SEC(".maps") are still bonkers in Aya. Let's switch to SEC("maps/...") temporarily. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
2ce4a93
to
204d92a
Compare
lockc/src/runc.rs
Outdated
bundle = bundle_path.display().to_string().as_str(), | ||
config = config_path.display().to_string().as_str(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
tracing handles that in a nice way, there's no need to call display()...
:
debug!(
bundle = %bundle_path,
config = ?config_path,
"bundle uses display, while config uses debug");
This is documented here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good to me. There are some minor improvements that can be done, see the latest comment I left
204d92a
to
aaa170a
Compare
This change replaces libbpf-rs with Aya as a loader of eBPF programs in the userspace part in lockc. eBPF programs still remain written in C and are going to be rewritten in Rust in separate changes. Another change is change of logging library to tracing. Fixes: lockc-project#135 Fixes: lockc-project#106 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
aaa170a
to
87c4995
Compare
In pull request lockc-project#142 we made a mistake of converting lockc into full binary crate, therefore renaming lockcd to lockc and removing a possibility of creating multiple binaries (if there will be a need - i.e. for some CLI tool). This change fixes that by creating a bin/ directory with binaries again. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
This change replaces libbpf-rs with Aya as a loader of eBPF programs in
the userspace part in lockc.
eBPF programs still remain written in C and are going to be rewritten in
Rust in separate changes.
Another change is change of logging library to tracing.
Fixes: #135
Fixes: #106
Signed-off-by: Michal Rostecki mrostecki@opensuse.org