Test includes cargo test and cargo fmt. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Simple interface to get kernel symbols addresses from their name and the opposite. This will be useful for probing the kernel, from configuring kprobes to understanding where an event is coming from. Signed-off-by: Antoine Tenart <atenart@redhat.com>
Add Cirrus CI
Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
core: add a kernel_symbol module
ci: check lints adding clippy support
It seems there's an undetected or_fun_call in the get_symbols() macro. Fix it for consistency. Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
kernel_symbols.rs: fix clippy::or_fun_call
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
ci: prerequisites for supporting BPF objects
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Collectors are modules gathering information, mainly collecting events and/or appropriate data; they are at the core of the tool. This adds an initial implementation to allow registering collectors, using a Trait to describe their common behaviour as well as defining a way to manipulate a group of collectors (aka. the public API). Please look at the patch itself for more insights about the implementation (as it is documented at length there already). Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Generated on Fedora 36 running 5.19.15-201.fc36.x86_64, with: $ bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h Signed-off-by: Antoine Tenart <atenart@redhat.com>
Add support to build complete eBPF program and their libbpf_rs skeleton. A common include directory is used, at src/core/probe/kernel/bpf/include and eBPF programs should only be rebuilt if their source code is modified, including the common headers. Signed-off-by: Antoine Tenart <atenart@redhat.com>
The ProbeBuilder trait defines the interface the different probe types supported by this module will expose. Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Some modules cannot be tested in a development environment as they
require either privileged capabilities or have prerequisites. To support
testing those modules, we add a 'cap_bpf' feature.
By default the 'cap_bpf' tests will be skipped,
$ cargo test
[...]
test collector::tests::init_collectors ... ok
test core::probe::kernel::kprobe::tests::init_and_attach ... ignored
test core::probe::kernel::tests::add_probe ... ok
test core::probe::kernel::tests::reuse_map ... ok
[...]
Those tests can be enabled on the command line,
$ cargo test --features=cap_bpf
[...]
test collector::tests::init_collectors ... ok
test core::probe::kernel::kprobe::tests::init_and_attach ... ok
test core::probe::kernel::tests::add_probe ... ok
test core::probe::kernel::tests::reuse_map ... ok
[...]
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
Add a common context to probes to allow retrieving information later on in either the probes or their hooks. This is required as each probe type comes with its own context and an abstraction layer is needed. Signed-off-by: Antoine Tenart <atenart@redhat.com>
Using kallsyms and BTF we can retrieve information about the targets at runtime, which is then used when attaching probes as they are as generic as possible and need some inputs. Signed-off-by: Antoine Tenart <atenart@redhat.com>
This adds hook definitions and the logic to call them from the BPF probes. The hooks will be replaced at runtime, before the BPF programs are loaded. We are supporting 10 hooks for now. Signed-off-by: Antoine Tenart <atenart@redhat.com>
Add an API for registering hooks in kernel probes. The logic to replace the hooks in the BPF object is also added. For now hooks registered through this API will be attached to all loaded programs and will run unconditionally. [libbpfs_rs logic to replace functions in loaded objects] Co-developed-by: Paolo Valerio <pvalerio@redhat.com> Signed-off-by: Antoine Tenart <atenart@redhat.com>
Signed-off-by: Antoine Tenart <atenart@redhat.com>
…bpf.h This is a prerequisite in order to allow interaction with the kernel via bpf() syscall. Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
…h bpf(2) Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
Signed-off-by: Paolo Valerio <pvalerio@redhat.com>
Filter prereqs
A first object Process is introduced. It exposes simple APIs to find process information from a pid, cmd or path. This patch introduces a new dependency: thiserror. It's used to easily define std::Error-compatible variants. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Move Process to its own file. Create UsdtNote and UsdtInfo structs to represent USDT information and extract it from a binary. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Several changes in how the code is organized as a preparation for future reorgs. The main goal is to use probe::Probe as the main object that is passed through the important APIs, i.e: ProbeBuilder. This patch contains the following changes:
- Use Probe in ProbeBuilder (not Symbol and TargetDescriptor)
- Make Probe::Kprobe and Kprobe::RawTracepoint combine both Symbol and target descriptions and configurations. Basically, everything that is needed in order to attach to a tp/kprobe is inside that variant. Coincidentally, they just need the same data so they actually share the same internal struct: KernelProbe
- Invert the Probe creation. Currently core/kernel has generic kernel symbol manipulation and inspection. We want to keep it that way, so instead of Symbol creating Probes, we have Probes constructed from Symbols.
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Move the ProbeBuilder to the probe level (not probe/kernel). Do the same with Hook which is now in probe module. These are preliminary steps to make ProbeBuilder work for other types of Probes. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Currently kernel.Kernel manages all probes. It exposes an API to register probes, maps and hooks, organizes them into ProbeSets and attaches them. Now that the specific type of probe is hidden (inside Probe's variants), this code can easily be generalized. This patch renames probe.kernel.Kernel -> probe.ProbeManager. There should be no functionality change. Signed-off-by: Adrián Moreno <amorenoz@redhat.com>
The Probe::Usdt data (UsdtProbe), is built using a Process and a string representing the target. Only 1 hook is supported so it's just a simplified version of the already existing probes. Signed-off-by: Adrián Moreno <amorenoz@redhat.com>
Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Some ProbeSets, like the ones used for Usdt probes do not support dynamic probes. Add a flag to them so the manager knows not to append the dynamic hooks to it before attaching. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
This is just a placeholder use of the USDT infrastructure. Both to verify it works and to show the API. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Instead of having a common section that includes ksym, move it to a new section called kernel. Create also a section for userspace information that includes the pid. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
USDT symbols have to be resolved at runtime because the information stored in the ELF headers is just offsets while the instruction pointer we receive from eBPF is a virtual address. Support virtual to offset address calculation and USDT symbol resolution. In the userspace section, we parse the binary every time which is very inefficient. This will be improved in a later patch. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
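The virtual-address-to-offset step described in the commit above, as an added example that is not code from this PR or the project: a runtime instruction pointer is first turned into a file offset through the /proc/<pid>/maps entry that contains it, then into the ELF link-time virtual address through the PT_LOAD segment that holds that offset, which is the address space USDT notes use. The maps line and segment values are constructed; the struct names are assumptions.

```rust
// Added example (not the project's code): resolve a runtime ip back to an
// ELF virtual address so it can be compared with USDT note locations.

/// Fields of one /proc/<pid>/maps entry needed for the lookup (assumed name).
#[derive(Debug, Clone, Copy)]
pub struct MapEntry {
    pub start: u64,
    pub end: u64,
    pub file_offset: u64,
}

/// Subset of a PT_LOAD program header (assumed name).
#[derive(Debug, Clone, Copy)]
pub struct LoadSegment {
    pub p_offset: u64,
    pub p_vaddr: u64,
    pub p_filesz: u64,
}

/// Parse a maps line such as
/// "7f3a1c000000-7f3a1c0c5000 r-xp 00001000 fd:01 1234 /usr/lib/libfoo.so".
/// Only the address range and the file offset are used.
pub fn parse_maps_line(line: &str) -> Option<MapEntry> {
    let mut it = line.split_whitespace();
    let range = it.next()?;
    let _perms = it.next()?;
    let off = it.next()?;
    let (s, e) = range.split_once('-')?;
    Some(MapEntry {
        start: u64::from_str_radix(s, 16).ok()?,
        end: u64::from_str_radix(e, 16).ok()?,
        file_offset: u64::from_str_radix(off, 16).ok()?,
    })
}

/// Runtime ip -> file offset; None if ip is outside the mapping.
pub fn ip_to_file_offset(ip: u64, map: &MapEntry) -> Option<u64> {
    (map.start <= ip && ip < map.end).then(|| ip - map.start + map.file_offset)
}

/// File offset -> ELF virtual address via the PT_LOAD segment holding it.
/// The result is what a USDT note's location field is compared against.
pub fn file_offset_to_vaddr(off: u64, segs: &[LoadSegment]) -> Option<u64> {
    segs.iter()
        .find(|s| s.p_offset <= off && off < s.p_offset + s.p_filesz)
        .map(|s| off - s.p_offset + s.p_vaddr)
}
```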
Having a versatile struct passed through unmarshalers can help performance and implement temporal correlations. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
Use unmarshaling context to cache Process information for a faster unmarshaling of the userspace section. Signed-off-by: Adrian Moreno <amorenoz@redhat.com>
proc.rs provides utility functions to inspect userspace programs, it has nothing to do with probes. Move it to its own top level module called "user". Signed-off-by: Adrián Moreno <amorenoz@redhat.com>
Programs might link statically or dynamically against third party libraries that might contain USDT probes. This is currently painful for users who have to figure out if the USDT they are looking for is defined on a shared library and whether the target process linked statically or dynamically against it. To fix this, split the current process API in two: - Binary: contains information about a binary which might be an executable or a library. - Program: contains one executable Binary and zero or more library Binary objects while hiding where the USDT comes from. Signed-off-by: Adrián Moreno <amorenoz@redhat.com>