Use Aya in the userspace #142
Conversation
|
I would say it's ready for review, since the code on lockc side is most likely not going to radically change. Why I keep it as a draft? The problem is that we discovered some bugs in Aya, which has some troubles with loading lockc eBPF programs. For now we are using partial fixes from Dave Tucker's branch, not upstreamed yet: https://github.com/dave-tucker/aya/tree/lockc We are also discussing those problems every day on Aya Discord server (https://discord.gg/xHW2cb2N6G) |
vadorovsky
force-pushed
the
aya-userspace
branch
4 times, most recently
from
17cc60f
to
ed35f8f
Compare
|
It fully works and is ready for review! 🎉 So far it uses the following fork and branch of Aya: But all those fixes should land in the main branch soon. |
vadorovsky
force-pushed
the
aya-userspace
branch
3 times, most recently
from
8eade52
to
c50679d
Compare
lockc/src/main.rs
Outdated
| let log_level = match env::var("LOCKC_DEBUG") { | ||
| Ok(_) => LevelFilter::Debug, | ||
| Err(_) => LevelFilter::Info, | ||
| }; |
There was a problem hiding this comment.
I think it would be nice to handle all of that via clap, which allows both cli and env variables to be set. Plus it does many kind of checks and generates a nice help output.
This is something I would not do as part of this PR, but I would file an issue and work on that later on if I were you
lockc/src/main.rs
Outdated
| TermLogger::init( | ||
| LevelFilter::Debug, | ||
| ConfigBuilder::new() | ||
| .set_target_level(log_level) | ||
| .set_location_level(log_level) | ||
| .build(), | ||
| TerminalMode::Mixed, | ||
| ColorChoice::Auto, | ||
| )?; |
There was a problem hiding this comment.
Another issue that could be filed for future work: it's pretty easy to use a JSON formatter that prints logs in a "machine-friendly" way.
I would offer the user a choice between two console output format: pretty/human and json. If you look into kubewarden/policy-server you can find the code to deal with that :)
lockc/src/runc.rs
Outdated
| .build()? | ||
| .block_on(self.add_container(container_id, pid, policy_level))?; | ||
|
|
||
| Ok(()) |
vadorovsky
force-pushed
the
aya-userspace
branch
2 times, most recently
from
666f986
to
025fae4
Compare
lockc/src/bpfstructs.rs
Outdated
| let mut id_b = CString::new(id)?.into_bytes_with_nul(); | ||
| id_b.resize(CONTAINER_ID_LIMIT as usize, 0); | ||
| Ok(container_id { | ||
| id: id_b.try_into().unwrap(), |
There was a problem hiding this comment.
You should not unwrap here, rather bubble up the error. This function already returns a Result
There was a problem hiding this comment.
The main reason why I did unwrap here is that I didn't find any way to successfully convert TryInto errors into anything which can be listed in thiserror::Error enums. But it seems that the cleanest way to handle that will be converting TryInto error into some custom error with map_err. At least that's how this StackOverflow topic concludes:
https://stackoverflow.com/questions/66508331/cast-error-from-try-into-to-custom-error
There was a problem hiding this comment.
Yes, this is what I would do. Eventually define a new error type with thiserror and then rely onmap_err to do the conversion
vadorovsky
force-pushed
the
aya-userspace
branch
6 times, most recently
from
4c46033
to
7b8e79f
Compare
|
@flavio PTAL To sum it up:
What I didn't to was removal of |
vadorovsky
force-pushed
the
aya-userspace
branch
3 times, most recently
from
92f3472
to
eac6ed3
Compare
Since we are dropping the usage of libbpf-rs, we are going to keep only C source files (to be built directly with Clang). Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Follow up changes are goinng to handle container add/delete operations in the userspace. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
We are going to dron the usage of libbpf-rs at all. The first step is to remove libbpf-cargo dependency from our build. This change replaces it with direct usage of clang and libbpf headers copied from libbpf-sys. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
BTF maps defined in SEC(".maps") are still bonkers in Aya. Let's switch
to SEC("maps/...") temporarily.
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
vadorovsky
force-pushed
the
aya-userspace
branch
2 times, most recently
from
2ce4a93
to
204d92a
Compare
lockc/src/runc.rs
Outdated
| bundle = bundle_path.display().to_string().as_str(), | ||
| config = config_path.display().to_string().as_str(), |
There was a problem hiding this comment.
tracing handles that in a nice way, there's no need to call display()...:
debug!(
bundle = %bundle_path,
config = ?config_path,
"bundle uses display, while config uses debug");This is documented here
vadorovsky
force-pushed
the
aya-userspace
branch
from
204d92a
to
aaa170a
Compare
This change replaces libbpf-rs with Aya as a loader of eBPF programs in the userspace part in lockc. eBPF programs still remain written in C and are going to be rewritten in Rust in separate changes. Another change is change of logging library to tracing. Fixes: lockc-project#135 Fixes: lockc-project#106 Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
vadorovsky
force-pushed
the
aya-userspace
branch
from
aaa170a
to
87c4995
Compare
In pull request lockc-project#142 we made a mistake of converting lockc into full binary crate, therefore renaming lockcd to lockc and removing a possibility of creating multiple binaries (if there will be a need - i.e. for some CLI tool). This change fixes that by creating a bin/ directory with binaries again. Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
This change replaces libbpf-rs with Aya as a loader of eBPF programs in
the userspace part in lockc.
eBPF programs still remain written in C and are going to be rewritten in
Rust in separate changes.
Another change is change of logging library to tracing.
Fixes: #135
Fixes: #106
Signed-off-by: Michal Rostecki mrostecki@opensuse.org