inspektor-gadget
734 строки · 20.9 Кб
1// Copyright 2019-2023 The Inspektor Gadget authors2//3// Licensed under the Apache License, Version 2.0 (the "License");4// you may not use this file except in compliance with the License.5// You may obtain a copy of the License at6//7// http://www.apache.org/licenses/LICENSE-2.08//9// Unless required by applicable law or agreed to in writing, software10// distributed under the License is distributed on an "AS IS" BASIS,11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.12// See the License for the specific language governing permissions and13// limitations under the License.14//go:build !withoutebpf16package tracer18import (20"context"21"errors"22"fmt"23"os"24"sort"25"strconv"26"sync"27"syscall"28"time"29"unsafe"30"github.com/cilium/ebpf"32"github.com/cilium/ebpf/link"33"github.com/cilium/ebpf/perf"34log "github.com/sirupsen/logrus"35containercollection "github.com/inspektor-gadget/inspektor-gadget/pkg/container-collection"37gadgetcontext "github.com/inspektor-gadget/inspektor-gadget/pkg/gadget-context"38"github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets"39"github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/traceloop/types"40eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"41"github.com/inspektor-gadget/inspektor-gadget/pkg/utils/syscalls"42)43//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -type syscall_event_t -type syscall_event_cont_t -target ${TARGET} -cc clang -cflags ${CFLAGS} traceloop ./bpf/traceloop.bpf.c -- -I./bpf/45// These consts must match the content of traceloop.h.47const (48useNullByteLength uint64 = 0x0fffffffffffffff49useRetAsParamLength uint64 = 0x0ffffffffffffffe50useArgIndexAsParamLength uint64 = 0x0ffffffffffffff051paramProbeAtExitMask uint64 = 0xf00000000000000052syscallEventTypeEnter uint8 = 054syscallEventTypeExit uint8 = 155syscallArgs uint8 = 657)58var (60syscallsOnce sync.Once61syscallsDeclarations map[string]syscallDeclaration62)63type containerRingReader struct {65perfReader *perf.Reader66mntnsID uint6467}68type Tracer struct {70enricher gadgets.DataEnricherByMntNs71innerMapSpec *ebpf.MapSpec73objs traceloopObjects75enterLink link.Link76exitLink link.Link77// Same comment than above, this map is designed to handle parallel access.79// The keys of this map are containerID.80readers sync.Map81gadgetCtx gadgets.GadgetContext83ctx context.Context84cancel context.CancelFunc85eventCallback func(event *types.Event)86waitGroup sync.WaitGroup87syscallFilters []string89}90type syscallEvent struct {92bootTimestamp uint6493monotonicTimestamp uint6494typ uint895contNr uint896cpu uint1697id uint1698pid uint3299comm string100args []uint64101mountNsID uint64102retval int103}104type syscallEventContinued struct {106monotonicTimestamp uint64107index uint8108param string109}110func NewTracer(enricher gadgets.DataEnricherByMntNs, filters []string) (*Tracer, error) {112t := &Tracer{113enricher: enricher,114syscallFilters: filters,115}116if err := t.install(); err != nil {117t.close()118return nil, err119}120return t, nil121}122func (t *Tracer) install() error {124spec, err := loadTraceloop()125if err != nil {126return fmt.Errorf("loading ebpf program: %w", err)127}128gadgets.FixBpfKtimeGetBootNs(spec.Programs)130syscallsOnce.Do(func() {132syscallsDeclarations, err = gatherSyscallsDeclarations()133})134if err != nil {135return fmt.Errorf("gathering syscall definitions: %w", err)136}137// Fill the syscall map with specific syscall signatures.139syscallsMapSpec := spec.Maps["syscalls"]140for name, def := range syscallDefs {141number, ok := syscalls.GetSyscallNumberByName(name)142if !ok {143// It's possible that the syscall doesn't exist for this architecture, skip it144continue145}146// We need to do so to avoid taking each time the same address.148def := def149syscallsMapSpec.Contents = append(syscallsMapSpec.Contents, ebpf.MapKV{150Key: uint64(number),151Value: def,152})153}154// Fill the syscall filter map with the corresponding syscall numbers.156syscallFiltersMapSpec := spec.Maps["syscall_filters"]157for _, name := range t.syscallFilters {158if name == "" {159continue160}161number, ok := syscalls.GetSyscallNumberByName(name)163if !ok {164return fmt.Errorf("syscall %q does not exist", name)165}166syscallFiltersMapSpec.Contents = append(syscallFiltersMapSpec.Contents, ebpf.MapKV{168Key: uint64(number),169// We do not care about the value itself but we need to provide one.170Value: true,171})172}173consts := make(map[string]interface{})175consts["filter_syscall"] = len(syscallFiltersMapSpec.Contents) > 0176if err := gadgets.LoadeBPFSpec(nil, spec, consts, &t.objs); err != nil {177return fmt.Errorf("loading ebpf program: %w", err)178}179t.enterLink, err = link.AttachRawTracepoint(link.RawTracepointOptions{181Name: "sys_enter",182Program: t.objs.IgTraceloopE,183})184if err != nil {185return fmt.Errorf("opening enter tracepoint: %w", err)186}187t.exitLink, err = link.AttachRawTracepoint(link.RawTracepointOptions{189Name: "sys_exit",190Program: t.objs.IgTraceloopX,191})192if err != nil {193return fmt.Errorf("opening exit tracepoint: %w", err)194}195t.innerMapSpec = spec.Maps["map_of_perf_buffers"].InnerMap197return nil199}200// Stop stops the tracer202// TODO: Remove after refactoring203func (t *Tracer) Stop() {204t.close()205}206func (t *Tracer) close() {208t.enterLink = gadgets.CloseLink(t.enterLink)209t.exitLink = gadgets.CloseLink(t.exitLink)210t.readers.Range(func(key, _ any) bool {212t.Delete(key.(string))213return true215})216t.objs.Close()218}219func (t *Tracer) Attach(containerID string, mntnsID uint64) error {221innerBufferSpec := t.innerMapSpec.Copy()222innerBufferSpec.Name = fmt.Sprintf("perf_buffer_%d", mntnsID)223// 1. Create inner Map as perf buffer.225innerBuffer, err := ebpf.NewMap(innerBufferSpec)226if err != nil {227return fmt.Errorf("creating inner map: %w", err)228}229// 2. Use this inner Map to create the perf reader.231perfReader, err := perf.NewReaderWithOptions(innerBuffer, gadgets.PerfBufferPages*os.Getpagesize(), perf.ReaderOptions{Overwritable: true})232if err != nil {233innerBuffer.Close()234return fmt.Errorf("creating perf ring buffer: %w", err)236}237// 3. Add the inner map's file descriptor to outer map.239err = t.objs.MapOfPerfBuffers.Put(mntnsID, innerBuffer)240if err != nil {241innerBuffer.Close()242perfReader.Close()243return fmt.Errorf("adding perf buffer to map with mntnsID %d: %w", mntnsID, err)245}246t.readers.Store(containerID, &containerRingReader{248perfReader: perfReader,249mntnsID: mntnsID,250})251return nil253}254func timestampFromEvent(event *syscallEvent) eventtypes.Time {256if !gadgets.HasBpfKtimeGetBootNs() {257// Traceloop works differently than other gadgets: if the258// kernel does not support bpf_ktime_get_boot_ns, don't259// generate a timestamp from userspace because traceloop reads260// events from the ring buffer an arbitrary long time after261// they are generated, so the timestamp would be meaningless.262// However we need some kind of timestamp for sorting events264return gadgets.WallTimeFromBootTime(event.monotonicTimestamp)265}266return gadgets.WallTimeFromBootTime(event.bootTimestamp)267}268// Copied/pasted/adapted from kernel macro round_up:270// https://elixir.bootlin.com/linux/v6.0/source/include/linux/math.h#L25271func roundUp(x, y uintptr) uintptr {272return ((x - 1) | (y - 1)) + 1273}274// The kernel aligns size of perf event with the following snippet:276// void perf_prepare_sample(...)277//278// {279// //...280// size = round_up(sum + sizeof(u32), sizeof(u64));281// raw->size = size - sizeof(u32);282// frag->pad = raw->size - sum;283// // ...284// }285//286// (https://elixir.bootlin.com/linux/v6.0/source/kernel/events/core.c#L7353)287// In the case of our structure of interest (i.e. struct_syscall_event_t and288// struct_syscall_event_cont_t), their size will be increased by 4, here is289// an example for struct_syscall_event_t which size is 88:290// size = round_up(sum + sizeof(u32), sizeof(u64))291//292// = round_up(88 + 4, 8)293// = round_up(92, 8)294// = 96295//296// raw->size = size - sizeof(u32)297//298// = 96 - 4299// = 92300//301// So, 4 bytes will be added as padding at the end of the event and the size we302// will read getting perfEventSample will be 92 instead of 88.303func alignSize(structSize uintptr) uintptr {304var ret uintptr305var foo uint64306var bar uint32307ret = roundUp(structSize+unsafe.Sizeof(bar), unsafe.Sizeof(foo))309ret = ret - unsafe.Sizeof(bar)310return ret312}313// Convert a return value to corresponding error number if meaningful.315// See man syscalls:316// Note:317// system calls indicate a failure by returning a negative error318// number to the caller on architectures without a separate error319// register/flag, as noted in syscall(2); when this happens, the320// wrapper function negates the returned error number (to make it321// positive), copies it to errno, and returns -1 to the caller of322// the wrapper.323func retToStr(ret int) string {324errNo := int64(ret)325if errNo >= -4095 && errNo <= -1 {326return fmt.Sprintf("-1 (%s)", syscall.Errno(-errNo).Error())327}328return fmt.Sprintf("%d", ret)329}330func (t *Tracer) Read(containerID string) ([]*types.Event, error) {332syscallContinuedEventsMap := make(map[uint64][]*syscallEventContinued)333syscallEnterEventsMap := make(map[uint64][]*syscallEvent)334syscallExitEventsMap := make(map[uint64][]*syscallEvent)335events := make([]*types.Event, 0)336r, ok := t.readers.Load(containerID)338if !ok {339return nil, fmt.Errorf("no perf reader for %q", containerID)340}341reader, ok := r.(*containerRingReader)343if !ok {344return nil, errors.New("the map should only contain *containerRingReader")345}346if reader.perfReader == nil {348log.Infof("reader for %v is nil, it was surely detached", containerID)349return nil, nil351}352err := reader.perfReader.Pause()354if err != nil {355return nil, err356}357reader.perfReader.SetDeadline(time.Now())359records := make([]*perf.Record, 0)361for {362record, err := reader.perfReader.Read()363if err != nil {364if errors.Is(err, os.ErrDeadlineExceeded) {365break366} else {367return nil, err368}369}370records = append(records, &record)371}372err = reader.perfReader.Resume()374if err != nil {375return nil, err376}377for _, record := range records {379size := len(record.RawSample)380var sysEvent *traceloopSyscallEventT382var sysEventCont *traceloopSyscallEventContT383switch uintptr(size) {385case alignSize(unsafe.Sizeof(*sysEvent)):386sysEvent = (*traceloopSyscallEventT)(unsafe.Pointer(&record.RawSample[0]))387event := &syscallEvent{389bootTimestamp: sysEvent.BootTimestamp,390monotonicTimestamp: sysEvent.MonotonicTimestamp,391typ: sysEvent.Typ,392contNr: sysEvent.ContNr,393cpu: sysEvent.Cpu,394id: sysEvent.Id,395pid: sysEvent.Pid,396comm: gadgets.FromCString(sysEvent.Comm[:]),397mountNsID: reader.mntnsID,398}399var typeMap *map[uint64][]*syscallEvent401switch event.typ {402case syscallEventTypeEnter:403event.args = make([]uint64, syscallArgs)404for i := uint8(0); i < syscallArgs; i++ {405event.args[i] = sysEvent.Args[i]406}407typeMap = &syscallEnterEventsMap409case syscallEventTypeExit:410// In the C structure, args is an array of uint64.411// But in this particular case, we used it to store a C long, i.e. the412// syscall return value, so it is safe to cast it to golang int.413event.retval = int(sysEvent.Args[0])414typeMap = &syscallExitEventsMap416default:417// Rather than returning an error, we skip this event.418log.Debugf("type %d is not a valid type for syscallEvent, received data are: %v", event.typ, record.RawSample)419continue421}422if _, ok := (*typeMap)[event.monotonicTimestamp]; !ok {424(*typeMap)[event.monotonicTimestamp] = make([]*syscallEvent, 0)425}426(*typeMap)[event.monotonicTimestamp] = append((*typeMap)[event.monotonicTimestamp], event)428case alignSize(unsafe.Sizeof(*sysEventCont)):429sysEventCont = (*traceloopSyscallEventContT)(unsafe.Pointer(&record.RawSample[0]))430event := &syscallEventContinued{432monotonicTimestamp: sysEventCont.MonotonicTimestamp,433index: sysEventCont.Index,434}435if sysEventCont.Failed != 0 {437event.param = "(Failed to dereference pointer)"438} else if sysEventCont.Length == useNullByteLength {439// 0 byte at [C.PARAM_LENGTH - 1] is enforced in BPF code440event.param = gadgets.FromCString(sysEventCont.Param[:])441} else {442event.param = gadgets.FromCStringN(sysEventCont.Param[:], int(sysEventCont.Length))443}444// Remove all non unicode character from the string.446event.param = strconv.Quote(event.param)447_, ok := syscallContinuedEventsMap[event.monotonicTimestamp]449if !ok {450// Just create a 0 elements slice for the moment, the ContNr will be451// checked later.452syscallContinuedEventsMap[event.monotonicTimestamp] = make([]*syscallEventContinued, 0)453}454syscallContinuedEventsMap[event.monotonicTimestamp] = append(syscallContinuedEventsMap[event.monotonicTimestamp], event)456default:457log.Debugf("size %d does not correspond to any expected element, which are %d and %d; received data are: %v", size, unsafe.Sizeof(sysEvent), unsafe.Sizeof(sysEventCont), record.RawSample)458}459}460// Let's try to publish the events we gathered.462for enterTimestamp, enterTimestampEvents := range syscallEnterEventsMap {463for _, enterEvent := range enterTimestampEvents {464event := &types.Event{465Event: eventtypes.Event{466Type: eventtypes.NORMAL,467Timestamp: timestampFromEvent(enterEvent),468},469CPU: enterEvent.cpu,470Pid: enterEvent.pid,471Comm: enterEvent.comm,472WithMountNsID: eventtypes.WithMountNsID{MountNsID: enterEvent.mountNsID},473Syscall: syscallGetName(enterEvent.id),474}475syscallDeclaration, err := getSyscallDeclaration(syscallsDeclarations, event.Syscall)477if err != nil {478return nil, fmt.Errorf("getting syscall definition")479}480parametersNumber := syscallDeclaration.getParameterCount()482event.Parameters = make([]types.SyscallParam, parametersNumber)483log.Debugf("\tevent parametersNumber: %d", parametersNumber)484for i := uint8(0); i < parametersNumber; i++ {486paramName, err := syscallDeclaration.getParameterName(i)487if err != nil {488return nil, fmt.Errorf("getting syscall parameter name: %w", err)489}490log.Debugf("\t\tevent paramName: %q", paramName)491isPointer, err := syscallDeclaration.paramIsPointer(i)493if err != nil {494return nil, fmt.Errorf("checking syscall parameter is a pointer: %w", err)495}496format := "%d"498if isPointer {499format = "0x%x"500}501paramValue := fmt.Sprintf(format, enterEvent.args[i])502log.Debugf("\t\tevent paramValue: %q", paramValue)503var paramContent *string505for _, syscallContEvent := range syscallContinuedEventsMap[enterTimestamp] {507if syscallContEvent.index == i {508paramContent = &syscallContEvent.param509log.Debugf("\t\t\tevent paramContent: %q", *paramContent)510break512}513}514event.Parameters[i] = types.SyscallParam{516Name: paramName,517Value: paramValue,518Content: paramContent,519}520}521delete(syscallContinuedEventsMap, enterTimestamp)523// There is no exit event for exit(), exit_group() and rt_sigreturn().525if event.Syscall == "exit" || event.Syscall == "exit_group" || event.Syscall == "rt_sigreturn" {526delete(syscallEnterEventsMap, enterTimestamp)527if t.enricher != nil {529t.enricher.EnrichByMntNs(&event.CommonData, event.MountNsID)530}531// As there is no exit events for these syscalls,533// then there is no return value.534event.Retval = "X"535log.Debugf("%v", event)537events = append(events, event)538continue540}541exitTimestampEvents, ok := syscallExitEventsMap[enterTimestamp]543if !ok {544log.Debugf("no exit event for timestamp %d", enterTimestamp)545continue547}548for _, exitEvent := range exitTimestampEvents {550if enterEvent.id != exitEvent.id || enterEvent.pid != exitEvent.pid {551continue552}553event.Retval = retToStr(exitEvent.retval)555delete(syscallEnterEventsMap, enterTimestamp)557delete(syscallExitEventsMap, enterTimestamp)558if t.enricher != nil {560t.enricher.EnrichByMntNs(&event.CommonData, event.MountNsID)561}562log.Debugf("%v", event)563events = append(events, event)564break566}567}568}569log.Debugf("len(events): %d; len(syscallEnterEventsMap): %d; len(syscallExitEventsMap): %d; len(syscallContinuedEventsMap): %d\n", len(events), len(syscallEnterEventsMap), len(syscallExitEventsMap), len(syscallContinuedEventsMap))571// It is possible there are some incomplete events for two mains reasons:573// 1. Traceloop was started in the middle of a syscall, then we will only get574// the exit but not the enter.575// 2. The buffer is full and so it only remains some exit events and not the576// corresponding enter.577// Rather than dropping these incomplete events, we just add them to the578// events to be published.579for _, enterTimestampEvents := range syscallEnterEventsMap {580for _, enterEvent := range enterTimestampEvents {581syscallName := syscallGetName(enterEvent.id)582incompleteEnterEvent := &types.Event{584Event: eventtypes.Event{585Type: eventtypes.NORMAL,586Timestamp: timestampFromEvent(enterEvent),587},588CPU: enterEvent.cpu,589Pid: enterEvent.pid,590Comm: enterEvent.comm,591WithMountNsID: eventtypes.WithMountNsID{MountNsID: enterEvent.mountNsID},592Syscall: syscallName,593Retval: "unfinished",594}595if t.enricher != nil {597t.enricher.EnrichByMntNs(&incompleteEnterEvent.CommonData, incompleteEnterEvent.MountNsID)598}599events = append(events, incompleteEnterEvent)601log.Debugf("enterEvent(%q): %v\n", syscallName, enterEvent)603}604}605for _, exitTimestampEvents := range syscallExitEventsMap {607for _, exitEvent := range exitTimestampEvents {608syscallName := syscallGetName(exitEvent.id)609incompleteExitEvent := &types.Event{611Event: eventtypes.Event{612Type: eventtypes.NORMAL,613Timestamp: timestampFromEvent(exitEvent),614},615CPU: exitEvent.cpu,616Pid: exitEvent.pid,617Comm: exitEvent.comm,618WithMountNsID: eventtypes.WithMountNsID{MountNsID: exitEvent.mountNsID},619Syscall: syscallName,620Retval: retToStr(exitEvent.retval),621}622if t.enricher != nil {624t.enricher.EnrichByMntNs(&incompleteExitEvent.CommonData, incompleteExitEvent.MountNsID)625}626events = append(events, incompleteExitEvent)628log.Debugf("exitEvent(%q): %v\n", syscallName, exitEvent)630}631}632// Sort all events by ascending timestamp.634sort.Slice(events, func(i, j int) bool {635return events[i].Timestamp < events[j].Timestamp636})637// Remove timestamps if we couldn't get reliable ones639if !gadgets.HasBpfKtimeGetBootNs() {640for i := range events {641events[i].Timestamp = 0642}643}644return events, nil646}647func (t *Tracer) Detach(mntnsID uint64) error {649err := t.objs.MapOfPerfBuffers.Delete(mntnsID)650if err != nil {651return fmt.Errorf("removing perf buffer from map with mntnsID %d", mntnsID)652}653return nil655}656func (t *Tracer) Delete(containerID string) error {658r, ok := t.readers.LoadAndDelete(containerID)659if !ok {660return fmt.Errorf("no reader for containerID %s", containerID)661}662reader := r.(*containerRingReader)664err := reader.perfReader.Close()665reader.perfReader = nil666return err668}669// --- Registry changes671func (g *GadgetDesc) NewInstance() (gadgets.Gadget, error) {673return &Tracer{}, nil674}675func (t *Tracer) Init(gadgetCtx gadgets.GadgetContext) error {677t.syscallFilters = gadgetCtx.GadgetParams().Get(ParamSyscallFilters).AsStringSlice()678if err := t.install(); err != nil {680t.close()681return fmt.Errorf("installing tracer: %w", err)682}683// Context must be created before the first call to AttachContainer685t.gadgetCtx = gadgetCtx686t.ctx, t.cancel = gadgetcontext.WithTimeoutOrCancel(gadgetCtx.Context(), gadgetCtx.Timeout())687return nil688}689func (t *Tracer) SetEventHandler(handler any) {691nh, ok := handler.(func(ev *types.Event))692if !ok {693panic("event handler invalid")694}695t.eventCallback = nh696}697func (t *Tracer) AttachContainer(container *containercollection.Container) error {699t.waitGroup.Add(1)700err := t.Attach(container.Runtime.ContainerID, container.Mntns)701if err != nil {702t.waitGroup.Done()703return err704}705go func() {706defer t.waitGroup.Done()707<-t.ctx.Done()708evs, err := t.Read(container.Runtime.ContainerID)709if err != nil {710t.gadgetCtx.Logger().Debugf("error reading from container %s: %v", container.Runtime.ContainerID, err)711return712}713for _, ev := range evs {714ev.SetContainerMetadata(&container.K8s.BasicK8sMetadata, &container.Runtime.BasicRuntimeMetadata)715t.eventCallback(ev)716}717}()718return nil719}720func (t *Tracer) DetachContainer(container *containercollection.Container) error {722return t.Detach(container.Mntns)723}724func (t *Tracer) Run(gadgetCtx gadgets.GadgetContext) error {726<-t.ctx.Done()727t.waitGroup.Wait()728return nil729}730func (t *Tracer) Close() {732t.cancel()733t.close()734}735