add probes on fd_install to catch accept events before kretprobe was installed

[alban]

First start a process that will block in the accept() syscall:

$ busybox nc -l -p 8181

Once the accept() syscall has started, start the tcptracer-bpf tool:

$ sudo ./tracer $(pidof busybox)
Ready

Makes the accept() syscall return:

$ busybox nc 127.0.0.1 8181

Notice that we get the "connect" event as normal. The "accept" event is missing because of #10 but we get the new event "fdinstall" that says that the process 16389 received the new file descriptor 4:

224557401988314 cpu#2 connect 16402 busybox 127.0.0.1:45488 127.0.0.1:8181 4026531969
224557402151953 cpu#3 fdinstall 16389 busybox 0.0.0.0:0 0.0.0.0:0 4

Weave Scope would need to iterate over /proc to find all the processes blocked on the accept syscall (/proc/$pid/wchan will show inet_csk_accept) and then request the tracker to monitor fd_install on them:

  t.AddFdInstallWatcher(pid)

We don't notify fd_install events for all processes because that would be too much. Instead, Scope would only request the notification for specific pids. Internally, this uses a hash map to keep track of the pids to monitor or not.

We don't need any new offset guessing for this because we don't dereference any kernel structures in the fd_install kprobes.

This is for #10

Depends on:

• elf: map: add DeleteElement iovisor/gobpf#45
• update build-tools git-subtree (again) #40
• shellcheck: fix escaping issue build-tools#97

TODO

• test on Linux 4.4
• add a field for fd in the event struct

/cc @iaguis @2opremio

[2opremio]

Weave Scope would need iterate over /proc to find all the processes blocked on the accept syscall (/proc/$pid/wchan will show inet_csk_accept) and then requests the tracker to monitor fd_install on them

Could we avoid this by making the probe on fd_install detect whether the file descriptor comes from a socket which was on LISTEN state?

[alban]

Could we avoid this by making the probe on fd_install detect whether the file descriptor comes from a socket which was on LISTEN state?

Not sure how to do that, but this would involve more complicated offset guessing to inspect the struct file received as a parameter of fd_install.

[alban]

I rebased this on top of #37 because I needed to revendor gobpf for iovisor/gobpf#45 but this also brings other gobpf API changes that cause tcptracer-bpf changes that were already done in #37.

[alban]

I added a test and it passes in Semaphore with Linux 4.4.45 and 4.9.6. It works as well on my laptop with Linux 4.10.10.

[alban]

I updated this PR:

• fix compilation on Darwin (revealed by Scope tests in CircleCI)
• added more shellcheck fixes (it will need a proper "git subtree" update after shellcheck: fix escaping issue build-tools#97 is merged)

[alban]

Since weaveworks/build-tools#97 is merged, I rebased & updated the "git subtree". But this time, there are new errors (see weaveworks/build-tools#99)

[alban]

I added a commit that fixes the error. The Dockerfile now uses shfmt with another importpath. Thanks @tomwilkie for the hint in weaveworks/build-tools#99 (comment)

@2opremio PTAL

[2opremio]

Minor comment, otherwise LGTM

[alban]

@2opremio I think I replied to the comment. Someone with merge-powers could merge this :)

[2opremio]

Merging, but let's continue the comment thread on LLVM please.