Merge pull request #154 from coroot/ebpf_compatibility

fix agent crash on kernels without DEBUG symbols

cgroup/cgroup.go

@@ -107,15 +107,13 @@ func NewFromProcessCgroupFile(filePath string) (*Cgroup, error) {
 			cg.subsystems[cgType] = path.Join(baseCgroupPath, parts[2])
 		}
 	}
-	if p := cg.subsystems["name=systemd"]; p != "" {
-		cg.Id = p
-		cg.Version = V1
-	} else if p = cg.subsystems["cpu"]; p != "" {
-		cg.Id = p
-		cg.Version = V1
-	} else {
-		cg.Id = cg.subsystems[""]
+	if cg.Id = cg.subsystems[""]; cg.Id != "" {
 		cg.Version = V2
+	} else if cg.Id = cg.subsystems["cpu"]; cg.Id != "" {
+		cg.Version = V1
+	}
+	if (cg.Id == "" || cg.Id == "/") && cg.subsystems["name=systemd"] != "/" {
+		cg.Id = cg.subsystems["name=systemd"]
 	}
 	if cg.ContainerType, cg.ContainerId, err = containerByCgroup(cg.Id); err != nil {
 		return nil, err

cgroup/cgroup_test.go

@@ -69,6 +69,20 @@ func TestNewFromProcessCgroupFile(t *testing.T) {
 	assert.Equal(t, "/talos/runtime", cg.ContainerId)
 	assert.Equal(t, ContainerTypeTalosRuntime, cg.ContainerType)
 
+	cg, err = NewFromProcessCgroupFile(path.Join("fixtures/proc/800/cgroup"))
+	assert.Nil(t, err)
+	assert.Equal(t, V2, cg.Version)
+	assert.Equal(t, "/system.slice/docker-cf87ba651579c9231db817909e7865e5747bd7abcac0c57ce23cf4abbaee046b.scope", cg.Id)
+	assert.Equal(t, "cf87ba651579c9231db817909e7865e5747bd7abcac0c57ce23cf4abbaee046b", cg.ContainerId)
+	assert.Equal(t, ContainerTypeDocker, cg.ContainerType)
+
+	cg, err = NewFromProcessCgroupFile(path.Join("fixtures/proc/900/cgroup"))
+	assert.Nil(t, err)
+	assert.Equal(t, V1, cg.Version)
+	assert.Equal(t, "/system.slice/python-app.service", cg.Id)
+	assert.Equal(t, "/system.slice/python-app.service", cg.ContainerId)
+	assert.Equal(t, ContainerTypeSystemdService, cg.ContainerType)
+
 	baseCgroupPath = "/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-podc83d0428_58af_41eb_8dba_b9e6eddffe7b.slice/docker-0e612005fd07e7f47e2cd07df99a2b4e909446814d71d0b5e4efc7159dd51252.scope"
 	defer func() {
 		baseCgroupPath = ""
@@ -104,6 +118,11 @@ func TestContainerByCgroup(t *testing.T) {
 	as.Equal("63425c4a8b4291744a79dd9011fddc7a1f8ffda61f65d72196aa01d00cae2e2d", id)
 	as.Nil(err)
 
+	typ, id, err = containerByCgroup("/docker/63425c4a8b4291744a79dd9011fddc7a1f8ffda61f65d72196aa01d00cae2e2d")
+	as.Equal(typ, ContainerTypeDocker)
+	as.Equal("63425c4a8b4291744a79dd9011fddc7a1f8ffda61f65d72196aa01d00cae2e2d", id)
+	as.Nil(err)
+
 	typ, id, err = containerByCgroup("/lxc/mysql-primary-db")
 	as.Equal(typ, ContainerTypeLxc)
 	as.Equal("mysql-primary-db", id)

cgroup/fixtures/proc/800/cgroup

@@ -0,0 +1,2 @@
+1:name=systemd:/
+0::/system.slice/docker-cf87ba651579c9231db817909e7865e5747bd7abcac0c57ce23cf4abbaee046b.scope

cgroup/fixtures/proc/900/cgroup

@@ -0,0 +1,2 @@
+1:name=systemd:/system.slice/python-app.service
+7:cpu,cpuacct:/

ebpftracer/Dockerfile

@@ -7,14 +7,14 @@ WORKDIR /tmp/ebpf
 
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=416 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf416x86.o && llvm-strip --strip-debug ebpf416x86.o
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=420 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf420x86.o && llvm-strip --strip-debug ebpf420x86.o
+RUN clang -g -O2 -target bpf -D__KERNEL_FROM=503 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf503x86.o && llvm-strip --strip-debug ebpf503x86.o
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=506 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf506x86.o && llvm-strip --strip-debug ebpf506x86.o
-RUN clang -g -O2 -target bpf -D__KERNEL_FROM=507 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf507x86.o && llvm-strip --strip-debug ebpf507x86.o
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=512 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf512x86.o && llvm-strip --strip-debug ebpf512x86.o
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=512 -D__TARGET_ARCH_x86 -D__CTX_EXTRA_PADDING -c ebpf.c -o ebpf512x86cep.o && llvm-strip --strip-debug ebpf512x86cep.o
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=416 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf416arm64.o && llvm-strip --strip-debug ebpf416arm64.o
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=420 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf420arm64.o && llvm-strip --strip-debug ebpf420arm64.o
+RUN clang -g -O2 -target bpf -D__KERNEL_FROM=503 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf503arm64.o && llvm-strip --strip-debug ebpf503arm64.o
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=506 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf506arm64.o && llvm-strip --strip-debug ebpf506arm64.o
-RUN clang -g -O2 -target bpf -D__KERNEL_FROM=507 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf507arm64.o && llvm-strip --strip-debug ebpf507arm64.o
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=512 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf512arm64.o && llvm-strip --strip-debug ebpf512arm64.o
 RUN clang -g -O2 -target bpf -D__KERNEL_FROM=512 -D__TARGET_ARCH_arm64 -D__CTX_EXTRA_PADDING -c ebpf.c -o ebpf512arm64cep.o && llvm-strip --strip-debug ebpf512arm64cep.o
 
@@ -26,16 +26,16 @@ RUN echo -en '// generated - do not edit\npackage ebpftracer\n\nvar ebpfProgs =
 	&& echo -en '\t"amd64": {\n' >> ebpf.go \
 	&& echo -en '\t\t{"5.12", "ctx-extra-padding", []byte("' >> ebpf.go && gzip -c ebpf512x86cep.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t\t{"5.12", "", []byte("' >> ebpf.go && gzip -c ebpf512x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
+	&& echo -en '\t\t{"5.3", "", []byte("' >> ebpf.go && gzip -c ebpf503x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t\t{"5.6", "", []byte("' >> ebpf.go && gzip -c ebpf506x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
-	&& echo -en '\t\t{"5.7", "", []byte("' >> ebpf.go && gzip -c ebpf507x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t\t{"4.20", "", []byte("' >> ebpf.go && gzip -c ebpf420x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t\t{"4.16", "", []byte("' >> ebpf.go && gzip -c ebpf416x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t},\n'>> ebpf.go \
 	&& echo -en '\t"arm64": {\n' >> ebpf.go \
 	&& echo -en '\t\t{"5.12", "ctx-extra-padding", []byte("' >> ebpf.go && gzip -c ebpf512arm64cep.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t\t{"5.12", "", []byte("' >> ebpf.go && gzip -c ebpf512arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
+	&& echo -en '\t\t{"5.3", "", []byte("' >> ebpf.go && gzip -c ebpf503arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t\t{"5.6", "", []byte("' >> ebpf.go && gzip -c ebpf506arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
-	&& echo -en '\t\t{"5.7", "", []byte("' >> ebpf.go && gzip -c ebpf507arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t\t{"4.20", "", []byte("' >> ebpf.go && gzip -c ebpf420arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t\t{"4.16", "", []byte("' >> ebpf.go && gzip -c ebpf416arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
 	&& echo -en '\t},\n'>> ebpf.go \

ebpftracer/ebpf/file.c

@@ -18,10 +18,6 @@ struct path {
     __u64 mnt;
 };
 
-struct nameidata {
-    struct path path;
-};
-
 struct file_info {
     __u64 mnt;
     __u64 log;
@@ -49,33 +45,21 @@ struct trace_event_raw_sys_enter_openat__stub {
 	long int flags;
 };
 
-static __always_inline
-int do_open(struct pt_regs *ctx) {
+SEC("kprobe/path_get")
+int path_get(struct pt_regs *ctx) {
     __u64 id = bpf_get_current_pid_tgid();
-    struct nameidata nd;
-    if (bpf_probe_read_kernel(&nd, sizeof(nd), (void *)PT_REGS_PARM1(ctx)) != 0) {
-        return 0;
-    }
     struct file_info *i = bpf_map_lookup_elem(&open_file_info, &id);
     if (!i) {
         return 0;
     }
-    i->mnt = nd.path.mnt;
+    struct path p;
+    if (bpf_probe_read_kernel(&p, sizeof(p), (void *)PT_REGS_PARM1(ctx)) != 0) {
+        return 0;
+    }
+    i->mnt = p.mnt;
     return 0;
 }
 
-#if __KERNEL_FROM >= 507
-SEC("kprobe/do_open")
-int do_open_kprobe(struct pt_regs *ctx) {
-    return do_open(ctx);
-}
-#else
-SEC("kprobe/do_last")
-int do_last_kprobe(struct pt_regs *ctx) {
-    return do_open(ctx);
-}
-#endif
-
 static __always_inline
 int trace_enter_open(long int flags, char *filename)
 {

ebpftracer/ebpf/tcp/conntrack.c

@@ -44,13 +44,9 @@ struct {
     __uint(max_entries, 10240);
 } actual_destinations SEC(".maps");
 
-SEC("kprobe/__nf_conntrack_hash_insert")
-int nf_conntrack_hash_insert(struct pt_regs *ctx)
+static __always_inline
+int handle_ct(struct pt_regs *ctx, struct nf_conn conn)
 {
-    struct nf_conn conn;
-    if (bpf_probe_read(&conn, sizeof(conn), (void *)PT_REGS_PARM1(ctx)) != 0) {
-        return 0;
-    }
     struct nf_conntrack_tuple orig = conn.tuplehash[0].tuple;
     struct nf_conntrack_tuple repl = conn.tuplehash[1].tuple;
 
@@ -83,3 +79,23 @@ int nf_conntrack_hash_insert(struct pt_regs *ctx)
     bpf_map_update_elem(&actual_destinations, &src, &actualDst, BPF_ANY);
     return 0;
 }
+
+#if __KERNEL_FROM >= 503
+SEC("kprobe/nf_confirm")
+int nf_confirm(struct pt_regs *ctx) {
+    struct nf_conn conn;
+    if (bpf_probe_read(&conn, sizeof(conn), (void *)PT_REGS_PARM3(ctx)) != 0) {
+        return 0;
+    }
+    return handle_ct(ctx, conn);
+}
+#else
+SEC("kprobe/__nf_conntrack_hash_insert")
+int nf_conntrack_hash_insert(struct pt_regs *ctx) {
+    struct nf_conn conn;
+    if (bpf_probe_read(&conn, sizeof(conn), (void *)PT_REGS_PARM1(ctx)) != 0) {
+        return 0;
+    }
+    return handle_ct(ctx, conn);
+}
+#endif