package main
import (
"encoding/json"
"fmt"
"os"
"strings"
"time"
"github.com/cilium/ebpf"
"github.com/cilium/ebpf/rlimit"
"github.com/go-errors/errors"
"github.com/kubeshark/tracer/misc"
"github.com/kubeshark/tracer/pkg/bpf"
"github.com/kubeshark/tracer/pkg/cgroup"
"github.com/kubeshark/tracer/pkg/discoverer"
packetHooks "github.com/kubeshark/tracer/pkg/hooks/packet"
syscallHooks "github.com/kubeshark/tracer/pkg/hooks/syscall"
"github.com/kubeshark/tracer/pkg/poller"
"github.com/moby/moby/pkg/parsers/kernel"
"github.com/rs/zerolog/log"
v1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types"
"path/filepath"
)
// GlobalWorkerPid is exported for use elsewhere in the package; nothing in this
// file references it. NOTE(review): presumably a sentinel PID standing for the
// global (not per-process) worker — confirm against its consumers.
const GlobalWorkerPid = 0
// containerInfo is one cgroup that belongs to a targeted container, as resolved
// by the cgroups controller in updateTargets.
type containerInfo struct {
	cgroupPath string // cgroup filesystem path reported by CgroupsController.GetCgroupsV2
	cgroupID   uint64 // kernel cgroup ID; used as the key of the BPF CgroupIds map
}
// podInfo is the tracer's bookkeeping for one running pod: every cgroup that
// has been pushed into the BPF CgroupIds map on its behalf, so that the same
// set can be removed again when the pod is untargeted.
type podInfo struct {
	containers []containerInfo
}
// Tracer owns the eBPF capture pipeline for one node: the loaded BPF objects,
// the hooks and filter attached to them, the cgroup bookkeeping that decides
// which pods are captured, and the counters exported by collectStats.
//
// NOTE(review): stats is mutated by updateTargets and read by collectStatItem
// without a lock; whether those run on the same goroutine is not visible in
// this file.
type Tracer struct {
	bpfObjects        *bpf.BpfObjects                    // loaded BPF programs and maps (set in Init)
	syscallHooks      syscallHooks.SyscalHooks           // syscall hooks installed in Init
	eventsDiscoverer  discoverer.InternalEventsDiscoverer // told which cgroups are targeted/untargeted
	packetFilter      *packetHooks.PacketFilter           // packet capture hook; closed in Deinit
	procfs            string                              // procfs mount root (never assigned in this file)
	targetedCgroupIDs map[uint64]struct{}                // targeted cgroup IDs (this file only deletes from it)
	runningPods       map[types.UID]podInfo              // pod UID -> cgroups targeted for that pod
	cgroupsController cgroup.CgroupsController           // resolves container IDs to cgroups; closed in Deinit
	tcpMap            map[uint64]bool                    // pid/fd key -> is-client; seeds ConnectionContext in Init
	stats             tracerStats                        // targeting counters maintained by updateTargets
}
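// Init wires up the eBPF capture pipeline: lifts the memlock rlimit, creates the
// cgroups controller, loads the BPF objects, starts internal event discovery,
// installs the syscall hooks, seeds the ConnectionContext map from t.tcpMap,
// starts the pollers and installs the packet filter.
//
// chunksBufferSize and logBufferSize are only logged here. procfs is the procfs
// root handed to the controller, BPF loader, discoverer and packet filter.
// isCgroupsV2 selects the cgroup v2 paths in the BPF loader and packet filter.
//
// Whatever the outcome, the deferred block records which backends ended up
// enabled by writing the plain/TLS feature-marker files (markPlain/markTls);
// after an early failure both are therefore marked as not supported.
//
// Loading BPF programs and lifting the memlock limit need elevated privileges
// (setupRLimit names CAP_SYS_RESOURCE; the BPF side presumably needs CAP_BPF or
// CAP_SYS_ADMIN — confirm against the deployment manifest).
func (t *Tracer) Init(
	chunksBufferSize int,
	logBufferSize int,
	procfs string,
	isCgroupsV2 bool,
) error {
	log.Info().Msgf("Initializing tracer (chunksSize: %d) (logSize: %d)", chunksBufferSize, logBufferSize)

	if err := setupRLimit(); err != nil {
		return fmt.Errorf("setup rlimit failed: %w", err)
	}

	var err error
	if t.cgroupsController, err = cgroup.NewCgroupsController(procfs); err != nil {
		return fmt.Errorf("cgroups controller create failed: %w", err)
	}

	// The two markers are written independently: failing to write one must not
	// skip the other, since each file is read on its own by the consumer.
	var tlsEnabled, plainEnabled bool
	defer func() {
		if err := markPlain(plainEnabled); err != nil {
			log.Warn().Msgf("mark plain failed: %v", err)
		}
		if err := markTls(tlsEnabled); err != nil {
			log.Warn().Msgf("mark tls failed: %v", err)
		}
	}()

	kernelVersion, err := kernel.GetKernelVersion()
	if err != nil {
		return fmt.Errorf("kernel version detection failed: %w", err)
	}
	log.Info().Msgf("Detected Linux kernel version: %s cgroups version2: %v", kernelVersion, isCgroupsV2)

	t.bpfObjects, tlsEnabled, plainEnabled, err = bpf.NewBpfObjects(procfs, *preferCgroupV1Capture, isCgroupsV2, kernelVersion)
	if err != nil {
		return fmt.Errorf("creating bpf failed: %w", err)
	}

	if t.eventsDiscoverer, err = discoverer.NewInternalEventsDiscoverer(procfs, t.bpfObjects, t.cgroupsController); err != nil {
		return fmt.Errorf("create internal discovery failed: %w", err)
	}
	if err = t.eventsDiscoverer.Start(); err != nil {
		return fmt.Errorf("start internal discovery failed: %w", err)
	}

	t.syscallHooks = syscallHooks.NewSyscallHooks(t.bpfObjects)
	if err = t.syscallHooks.Install(); err != nil {
		return fmt.Errorf("install syscall hooks failed: %w", err)
	}

	// Seed the per-connection client/server role map from the pre-discovered
	// TCP sockets (key layout is whatever the BPF side expects; not visible here).
	// A key that already exists is only logged: the kernel-side entry wins.
	for pidFd, isClient := range t.tcpMap {
		var isCli uint8
		if isClient {
			isCli = 1
		}
		switch err := t.bpfObjects.BpfObjs.ConnectionContext.Update(pidFd, isCli, ebpf.UpdateNoExist); {
		case errors.Is(err, ebpf.ErrKeyExist):
			log.Warn().Uint64("pid fd", pidFd).Uint8("client", isCli).Msg("connection context key already exist")
		case err != nil:
			return fmt.Errorf("update connection context failed. pid fd: %v client: %v err: %w", pidFd, isCli, err)
		}
	}

	allPollers, err := poller.NewBpfPoller(t.bpfObjects, t.cgroupsController, *disableTlsLog)
	if err != nil {
		return fmt.Errorf("create eBPF poller failed: %w", err)
	}
	if t.packetFilter, err = packetHooks.NewPacketFilter(procfs, t.bpfObjects.BpfObjs, t.cgroupsController, plainEnabled, isCgroupsV2); err != nil {
		return fmt.Errorf("create packet filter failed: %w", err)
	}
	// NOTE(review): no handle to allPollers is kept, so Deinit cannot stop them;
	// confirm whether the poller exposes a Stop/Close that should be wired in.
	allPollers.Start()

	log.Info().Msgf("eBPF plain backend: %v, eBPF TLS backend: %v", plainEnabled, tlsEnabled)
	return nil
}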
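// updateTargets applies a target change: it pushes settings into the BPF
// Settings map, untargets every cgroup of each pod in removePods, then targets
// every cgroup of every container of each pod in addPods, keeping
// t.runningPods, t.targetedCgroupIDs and t.stats in step with the BPF
// CgroupIds map.
//
// settings is written to key 0 of the Settings map; a failure there is logged
// and processing continues (best effort, as before).
//
// A pod in removePods that is not in t.runningPods is skipped, and a cgroup ID
// already absent from the BPF map is not an error. A cgroup already recorded
// for a pod is skipped on re-add, so reporting the same pod twice (for
// example after a container restart adds a new container ID) neither targets
// it twice nor double-counts it in t.stats.
//
// On a BPF map error the function returns at once. Bookkeeping for the pod
// being processed is kept consistent with what was already pushed to the
// kernel, so a later removal still cleans up; callers should treat an error as
// "retry the whole update".
func (t *Tracer) updateTargets(addPods, removePods []*v1.Pod, settings uint32) error {
	log.Info().Int("Add pods", len(addPods)).Int("Remove pods", len(removePods)).Msg("Update targets")

	if err := t.bpfObjects.BpfObjs.Settings.Update(uint32(0), settings, ebpf.UpdateAny); err != nil {
		log.Error().Err(err).Msg("Update capture settings failed:")
	}

	for _, pod := range removePods {
		if err := t.detachPodCgroups(pod); err != nil {
			return err
		}
	}
	for _, pod := range addPods {
		if err := t.attachPodCgroups(pod); err != nil {
			return err
		}
	}
	return nil
}

// detachPodCgroups removes every cgroup recorded for pod from the BPF CgroupIds
// map, the events discoverer and the tracer's bookkeeping. Unknown pods are
// ignored. The first unexpected map error is logged and returned.
func (t *Tracer) detachPodCgroups(pod *v1.Pod) error {
	pInfo, ok := t.runningPods[pod.UID]
	if !ok {
		return nil
	}
	for _, cInfo := range pInfo.containers {
		delete(t.targetedCgroupIDs, cInfo.cgroupID)
		t.eventsDiscoverer.UntargetCgroup(cInfo.cgroupID)
		err := t.bpfObjects.BpfObjs.CgroupIds.Delete(cInfo.cgroupID)
		switch {
		case err == nil:
			t.stats.TargetedCgroups--
			t.stats.TargetedCgroupsDel++
		case errors.Is(err, ebpf.ErrKeyNotExist):
			// Already gone on the kernel side; nothing to undo.
		default:
			log.Error().Err(err).Uint64("Cgroup ID", cInfo.cgroupID).Msg("Cgroup IDs delete failed")
			return err
		}
	}
	log.Info().Str("pod", pod.Name).Msg("Detached pod:")
	delete(t.runningPods, pod.UID)
	return nil
}

// attachPodCgroups resolves the cgroups of every container reported in pod's
// status and adds each one to the BPF CgroupIds map, the events discoverer,
// t.targetedCgroupIDs and t.runningPods. Cgroups already recorded for this pod
// are skipped. On error the cgroups pushed so far stay recorded for the pod.
func (t *Tracer) attachPodCgroups(pod *v1.Pod) error {
	pd := t.runningPods[pod.UID]
	known := make(map[uint64]struct{}, len(pd.containers))
	for _, c := range pd.containers {
		known[c.cgroupID] = struct{}{}
	}
	if t.targetedCgroupIDs == nil {
		t.targetedCgroupIDs = make(map[uint64]struct{})
	}

	for _, containerID := range getContainerIDs(pod) {
		for _, value := range t.cgroupsController.GetCgroupsV2(containerID) {
			cInfo := containerInfo{
				cgroupPath: value.CgroupPath,
				cgroupID:   uint64(value.CgroupID),
			}
			if _, dup := known[cInfo.cgroupID]; dup {
				continue
			}
			if err := t.bpfObjects.BpfObjs.CgroupIds.Update(cInfo.cgroupID, uint32(0), ebpf.UpdateAny); err != nil {
				log.Error().Err(err).Str("Cgroup Path", cInfo.cgroupPath).Str("Container ID", containerID).Uint64("Cgroup ID", cInfo.cgroupID).Msg("Cgroup IDs update failed")
				// Keep what was already targeted so a later detach can undo it.
				t.runningPods[pod.UID] = pd
				return err
			}
			known[cInfo.cgroupID] = struct{}{}
			pd.containers = append(pd.containers, cInfo)
			t.targetedCgroupIDs[cInfo.cgroupID] = struct{}{}
			t.stats.TargetedCgroups++
			t.stats.TargetedCgroupsAdd++
			t.eventsDiscoverer.TargetCgroup(cInfo.cgroupID)
			log.Info().Str("Container ID", containerID).Uint64("Cgroup ID", cInfo.cgroupID).Msg("Cgroup has been targeted")
		}
	}
	t.runningPods[pod.UID] = pd
	return nil
}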
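// Deinit tears down what Init set up: it closes the packet filter and the
// cgroups controller. Each is closed only if it was actually created, so
// Deinit is safe after a partially failed Init, and a failure to close one
// component no longer skips the other. The first error is returned unwrapped
// (as before); any later one is logged.
//
// NOTE(review): the pollers started in Init, the syscall hooks and the events
// discoverer are not stopped here — confirm whether those types expose a
// Close/Stop that should be wired in.
func (t *Tracer) Deinit() error {
	var firstErr error
	record := func(component string, err error) {
		if err == nil {
			return
		}
		if firstErr == nil {
			firstErr = err
			return
		}
		log.Error().Err(err).Str("component", component).Msg("Deinit close failed")
	}

	if t.packetFilter != nil {
		record("packet filter", t.packetFilter.Close())
	}
	if t.cgroupsController != nil {
		record("cgroups controller", t.cgroupsController.Close())
	}
	return firstErr
}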
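// setupRLimit lifts the RLIMIT_MEMLOCK ceiling so the eBPF maps and programs
// loaded later can be locked in memory. Raising the limit needs
// CAP_SYS_RESOURCE (named in the error); the cilium helper may treat the call
// as unnecessary on kernels that account BPF memory differently — not
// verifiable here. The underlying error is wrapped so errors.Is/As still work.
func setupRLimit() error {
	if err := rlimit.RemoveMemlock(); err != nil {
		return fmt.Errorf("SYS_RESOURCE is required to change rlimits for eBPF: %w", err)
	}
	return nil
}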
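// getContainerIDs returns the runtime container IDs of every init and regular
// container in pod's status, init containers first, stripped of the runtime
// URI prefix (the part before the last "/", e.g. "containerd://<id>" -> "<id>").
//
// Statuses that carry no ID yet (ContainerID empty, or nothing after the last
// "/") are skipped instead of yielding "", so the caller never asks the cgroups
// controller to resolve an empty container ID — what GetCgroupsV2 would match
// on "" is not visible here, and a broad match would widen capture unexpectedly.
func getContainerIDs(pod *v1.Pod) []string {
	var ids []string
	collect := func(statuses []v1.ContainerStatus) {
		for i := range statuses {
			id := statuses[i].ContainerID
			if idx := strings.LastIndex(id, "/"); idx >= 0 {
				id = id[idx+1:]
			}
			if id == "" {
				continue
			}
			ids = append(ids, id)
		}
	}
	collect(pod.Status.InitContainerStatuses)
	collect(pod.Status.ContainerStatuses)
	return ids
}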
// markPlain records whether the eBPF plain-text backend came up by creating
// the matching feature-marker file (supported or not-supported name) in the
// data directory. Only the chosen marker is created; the other is not removed.
func markPlain(enabled bool) error {
	marker := bpf.PlainBackendNotSupportedFile
	if enabled {
		marker = bpf.PlainBackendSupportedFile
	}
	return createFeatureFile(marker)
}
// markTls records whether the eBPF TLS backend came up by creating the
// matching feature-marker file (supported or not-supported name) in the data
// directory. Only the chosen marker is created; the other is not removed.
func markTls(enabled bool) error {
	marker := bpf.TlsBackendNotSupportedFile
	if enabled {
		marker = bpf.TlsBackendSupportedFile
	}
	return createFeatureFile(marker)
}
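// createFeatureFile creates (or truncates to empty) the marker file fileName in
// the tracer data directory. The file's presence is the signal; it has no
// content. os.WriteFile reports a failing close as well as a failing create,
// which a bare os.Create/Close pair silently dropped, and creates the file with
// mode 0644 (modulo umask), matching the stats file written by collectStatItem.
// fileName is one of the bpf.*File constants, not caller-controlled input.
func createFeatureFile(fileName string) error {
	return os.WriteFile(filepath.Join(misc.GetDataDir(), fileName), nil, 0644)
}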
// collectStats snapshots the tracer statistics into the stats file every ten
// seconds via collectStatItem. It returns at once when the BPF objects carry
// no AllStatsMap; otherwise it never returns (there is no stop signal), so it
// is meant to run on its own goroutine for the life of the process.
func (t *Tracer) collectStats() {
	if t.bpfObjects.BpfObjs.AllStatsMap == nil {
		return // tracer built without a stats map: nothing to sample
	}
	tick := time.NewTicker(10 * time.Second)
	defer tick.Stop()
	for range tick.C {
		t.collectStatItem()
	}
}
// tracerStats are the user-space targeting counters maintained by
// updateTargets and exported (exported field names, JSON) by collectStatItem.
type tracerStats struct {
	TargetedCgroups    uint64 // cgroups currently present in the BPF CgroupIds map (adds minus deletes)
	TargetedCgroupsAdd uint64 // cumulative successful adds
	TargetedCgroupsDel uint64 // cumulative successful deletes
}
// tracerAllStats is the JSON document written to stats_tracer.json: the
// per-CPU BPF counters summed across CPUs (the embedded struct's fields are
// flattened into the top level by encoding/json), the tracer's own counters,
// and the time of the sample.
type tracerAllStats struct {
	bpf.TracerAllStats
	TracerStats tracerStats
	Updated     time.Time
}
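// collectStatItem reads the per-CPU BPF statistics (key 0 of AllStatsMap),
// sums every counter across CPUs, attaches the tracer's own targeting
// counters and a timestamp, and writes the result as indented JSON to
// stats_tracer.json in the data directory.
//
// The file is written to a temporary name and renamed into place, so a reader
// polling the directory never sees a truncated or half-written document.
// Errors are logged rather than returned: a failed sample is skipped until
// the next tick.
//
// NOTE(review): t.stats is copied here without synchronisation while
// updateTargets mutates it; if collectStats runs on its own goroutine (its
// blocking loop suggests so) this read is a data race — confirm, and guard
// with a mutex or atomics if so.
func (t *Tracer) collectStatItem() {
	var perCPU []bpf.TracerAllStats
	if err := t.bpfObjects.BpfObjs.AllStatsMap.Lookup(uint32(0), &perCPU); err != nil {
		log.Error().Err(err).Msg("Failed to lookup stats")
		return
	}

	merged := tracerAllStats{
		Updated:     time.Now(),
		TracerStats: t.stats,
	}
	// Index rather than range-copy: each per-CPU element is a sizeable struct.
	for i := range perCPU {
		cpu := &perCPU[i]
		{
			dst, src := &merged.PktSnifferStats, &cpu.PktSnifferStats
			dst.PacketsTotal += src.PacketsTotal
			dst.PacketsProgramEnabled += src.PacketsProgramEnabled
			dst.PacketsMatchedCgroup += src.PacketsMatchedCgroup
			dst.PacketsIpv4 += src.PacketsIpv4
			dst.PacketsIpv6 += src.PacketsIpv6
			dst.PacketsParsePassed += src.PacketsParsePassed
			dst.PacketsParseFailed += src.PacketsParseFailed
			dst.SaveStats.SavePackets += src.SaveStats.SavePackets
			dst.SaveStats.SaveFailedLogic += src.SaveStats.SaveFailedLogic
			dst.SaveStats.SaveFailedNotOpened += src.SaveStats.SaveFailedNotOpened
			dst.SaveStats.SaveFailedFull += src.SaveStats.SaveFailedFull
			dst.SaveStats.SaveFailedOther += src.SaveStats.SaveFailedOther
		}
		{
			dst, src := &merged.OpensslStats, &cpu.OpensslStats
			dst.UprobesTotal += src.UprobesTotal
			dst.UprobesEnabled += src.UprobesEnabled
			dst.UprobesMatched += src.UprobesMatched
			dst.UprobesErrUpdate += src.UprobesErrUpdate
			dst.UretprobesTotal += src.UretprobesTotal
			dst.UretprobesEnabled += src.UretprobesEnabled
			dst.UretprobesMatched += src.UretprobesMatched
			dst.UretprobesErrContext += src.UretprobesErrContext
			dst.SaveStats.SavePackets += src.SaveStats.SavePackets
			dst.SaveStats.SaveFailedLogic += src.SaveStats.SaveFailedLogic
			dst.SaveStats.SaveFailedNotOpened += src.SaveStats.SaveFailedNotOpened
			dst.SaveStats.SaveFailedFull += src.SaveStats.SaveFailedFull
			dst.SaveStats.SaveFailedOther += src.SaveStats.SaveFailedOther
		}
		{
			// The Go TLS probes carry no ErrUpdate/ErrContext counters.
			dst, src := &merged.GotlsStats, &cpu.GotlsStats
			dst.UprobesTotal += src.UprobesTotal
			dst.UprobesEnabled += src.UprobesEnabled
			dst.UprobesMatched += src.UprobesMatched
			dst.UretprobesTotal += src.UretprobesTotal
			dst.UretprobesEnabled += src.UretprobesEnabled
			dst.UretprobesMatched += src.UretprobesMatched
			dst.SaveStats.SavePackets += src.SaveStats.SavePackets
			dst.SaveStats.SaveFailedLogic += src.SaveStats.SaveFailedLogic
			dst.SaveStats.SaveFailedNotOpened += src.SaveStats.SaveFailedNotOpened
			dst.SaveStats.SaveFailedFull += src.SaveStats.SaveFailedFull
			dst.SaveStats.SaveFailedOther += src.SaveStats.SaveFailedOther
		}
	}

	data, err := json.MarshalIndent(merged, "", " ")
	if err != nil {
		log.Error().Err(err).Msg("Failed to marshall stats")
		return
	}
	if err := writeFileAtomic(filepath.Join(misc.GetDataDir(), "stats_tracer.json"), data, 0644); err != nil {
		log.Error().Err(err).Msg("Failed to write stats")
		return
	}
}

// writeFileAtomic writes data to a temporary file in path's directory, sets
// its mode to perm, and renames it over path, so concurrent readers observe
// either the previous or the complete new content. The temporary file is
// removed on any failure.
func writeFileAtomic(path string, data []byte, perm os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), filepath.Base(path)+".*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	discard := func() { _ = os.Remove(tmpName) } // best effort; nothing useful to do if it fails

	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		discard()
		return err
	}
	// CreateTemp opens the file 0600; match the mode the stats file always had.
	if err := tmp.Chmod(perm); err != nil {
		tmp.Close()
		discard()
		return err
	}
	if err := tmp.Close(); err != nil {
		discard()
		return err
	}
	if err := os.Rename(tmpName, path); err != nil {
		discard()
		return err
	}
	return nil
}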