WIP: Network viewer (ebpf version) #16856
Draft
The goal is to provide a "network dependency map".
What is a "network dependency map"?
A "network dependency map" is a tool that users can consult to see all the network dependencies of their systems. So, if a server depends on another server or third party service, the network dependencies explorer should be able to identify this and report it.
For implementing this network dependency map we need only `OUTBOUND` sockets (i.e. sockets that have been initiated by a process on the local system, towards other systems). For each such socket we need:
To interconnect servers we also need to know the IPs they consider local. So, for each local-IP of a server we need:
Classifying the direction of sockets
Socket classification is based on the information available on each socket. Such information is the local IP and port, the remote IP and port, the PID of the process that owns the socket (and therefore its command name) and various other socket attributes like the socket state.
`LISTEN` sockets are those in `TCP_LISTEN` state and all sockets whose remote IP is zero. The latter (remote IP is zero) can be used to classify UDP sockets as `LISTEN`.
`LOCAL` sockets are the non-`LISTEN` sockets whose source IP or remote IP is a loopback address. Loopback addresses are those in `127.0.0.0/8` and `::1`. When IPv4 addresses are mapped into IPv6, their IPv4 addresses should be checked too. Also `LOCAL` are those sockets whose remote-IP is one of the IPs that appear as local-IP on another socket. This way we detect when processes of a host communicate via a non-loopback IP of the same host.
`INBOUND` sockets are the non-`LISTEN` and non-`LOCAL` sockets whose local port is the port of another socket that is marked as `LISTEN`. This way we can detect that established sockets have been initiated from a listening server running on the system.
The remaining sockets are `OUTBOUND`: those initiated by a local process towards another system, as defined above.
Multi-Node view
In a multi-node view of the network dependency map, it is important to be able to connect nodes together, so that we can understand how they interact with each other.
For this we need each node to provide 2 lists:
By combining these 2 lists across multiple servers, we can build interconnects between the nodes.
Special care is needed in cases where the local-IPs across servers overlap. This may happen because servers have internal bridges for containers or VMs. These internal IPs should normally be classified as `LOCAL`, because they start and end in the same server. Still, we may have to deal with the situation where a remote-IP of a server appears as local-IP on multiple other servers.
Once all the known servers contribute these 2 lists, we could then visualize a network dependency map, showing how servers depend on each other and how the whole infrastructure depends on third parties.
Implementation
Bootstrapping
`local-listeners` is now using a library called `local-sockets.h`, which is able to provide a list of all currently open sockets, categorized as `LISTEN`, `LOCAL`, `INBOUND` and `OUTBOUND`. This works for IPv4 and IPv6, TCP and UDP. You can see the full classification of sockets on any system by running `local-listeners debug` using the version of `local-listeners` on this PR.
This library is used to initialize the network dependency map with the information we need when Netdata starts (or restarts).
Detection with EBPF
An EBPF program intercepts socket creation and state changes and records them into the 2 lists (local IPs, `OUTBOUND` sockets) required for the network dependency map.