Backports/v0.8: cgroups: add basic cgroups tracking and make it part of the testing framework #627
Merged
tixxdz requested review from tpapagian and kkourt and removed request for a team, January 13, 2023 14:26
Add MSG_OP_CGROUP and its sub operations. These operations will be forwarded to the ring buffer for logging and debugging purposes, except for MSG_OP_CGROUP_ATTACH_TASK, which is used to discover the cgroup config.
- MSG_OP_CGROUP_MKDIR: when a cgroup is created, we send an event for debugging.
- MSG_OP_CGROUP_RMDIR: when a cgroup is removed from the fs, used for debugging.
- MSG_OP_CGROUP_RELEASE: when a cgroup is released, used for debugging.
- MSG_OP_CGROUP_ATTACH_TASK: when a task is migrated to a cgroup, used to migrate Tetragon so it discovers the current cgroup environment.
Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 74bf80e)
This is a preparation patch that adds related cgroup structures and bpf maps:
- cgroup_state enum: to track cgroup states. A cgroup is being created (NEW); then when a cgroup is started it usually means a container process is running now (RUNNING), or maybe the cgroup info was obtained from proc (RUNNING_PROC).
- cgroup_tracking_value: the necessary data that is used to track cgroup information. The key is the cgroup ID.
- msg_cgroup_event: the cgroup event that is sent from bpf to user space about cgroup operations. Right now it will contain and handle only the cgroup_attach_task tracepoint event that is used to detect Tetragon cgroup configurations.
- tg_cgrps_tracking_map: the map where we track cgroup IDs that are under or before a cgroup level that is the Tetragon cgroup level. This usually includes container cgroup levels. In other words it will track cgroups that are between cgroup level 1 (first) -> Tetragon cgroup level.
- tg_cgrps_tracking_heap: a heap used to dynamically construct cgroup_tracking_value structures.
- tg_cgrps_msg_heap: a heap used to dynamically construct msg_cgroup_event structures.
Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit bd78886)
Add our bpf helpers to retrieve cgroup levels and ancestors. They support both cgroupv1 and v2. Also add helpers to allocate and initialize cgroup_tracking_value structures from the bpf heap map. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 943dbd5)
This is a preparation patch that adds more fields to tetragon_conf:
- Log level.
- PID and PIDNS for debugging purposes.
- Tetragon current cgroup level.
- Tetragon cgroup ID.
- Cgroup filesystem magic number.
Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 6efde5b)
send_cgrp_event() will allow sending cgroup events to the ring buffer. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 9028496)
This patch adds:
1. bpf_cgroup_mkdir source that attaches to raw_tracepoint/cgroup_mkdir to track new cgroups that are being created. Tracking will be from the first cgroup level to the discovered Tetragon cgroup level. Tracked cgroups will be saved inside the `tg_cgrps_tracking_map` BPF map.
2. bpf_cgroup_rmdir source that attaches to raw_tracepoint/cgroup_rmdir when a cgroup is being removed. It allows removing entries from the cgroup bpf maps.
3. bpf_cgroup_release source that attaches to the raw_tracepoint/cgroup_release hook in order to ensure that we remove tracked cgroups from the bpf map. This extra precaution works when the cgroup_release tracepoint is called to drop the reference on the css, which could release the cgroup where it is attached.
Those programs will also send events to the ring buffer to notify user space about cgroup state. Right now we are using this for debugging purposes with log level trace.
Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 1b6d8df)
Track only cgroups that are part of the hierarchy that we are interested in. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 76d94b9)
Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit f27fb16)
Pass more runtime variables to the TetragonConf struct that is stored inside the `tg_conf_map` BPF map. These vars will be used by the cgroup BPF programs.
- NSPID: pid in the current pid namespace from the userspace point of view.
- LogLevel: current user space loglevel.
- Cgroup FS Magic: either cgroupv1 or v2.
Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit e733a99)
Add cgroup message definition that will be sent from bpf side. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit eb6ee20)
Add Cgroup operations and message definitions that are sent from the BPF side. The events are not exported to JSON; right now we only use them for debugging and logging. In future the different Cgroup states will allow identifying exactly the state of containers: new, pre-running mode, running (exec container entry point), etc. While we are at it, share the CgroupNameFromCStr() helper to convert cgroup names from the BPF side to Golang strings. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 5bc2d9c)
Add and register cgroup events handler. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 6f37263)
Add cgrouptrackmap package that reads tracked cgroups from the `tg_cgrps_tracking_map`. The tracked cgroups information is pushed from bpf. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit d41e39a)
Add ReadTgRuntimeConf() to read Tetragon runtime configuration from `tg_conf_map` bpf map. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 1eb3bf5)
Allow passing a custom BPF maps root directory to UpdateRuntimeConf(); this way we can use it in testing, where tests have their own location for pinning bpf programs and maps. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit e046ecb)
This is needed by bpf unit tests to work on default cgroupfs. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 8d47835)
Add simple Cgroup Operation and state tests that will help to assert their operation code, description and the different states. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 3103a8f)
This test checks all Cgroup structs of processapi pkg against the alignchecker. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 8f94753)
…cker This asserts that CgrpTrackingValue struct is aligned with cgroup_tracking_value. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 14a38bf)
Assert that we return the corresponding copied data. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit a4b4a86)
Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 7ad76b5)
Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 764f3ad)
This allows loading and testing the bpf cgroups programs. Later we will move these bpf cgroups programs to be part of the base sensor; until then let's babysit them here. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 1a40f0a)
Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit ecf7dae)
Test if runtime configuration is properly saved inside the `tg_conf_map` BPF map. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 05f4a2d)
Add TestCgroupNoEvents() to ensure that we do not get BPF cgroups events. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit 18fa633)
This test ensures that we get bpf events when cgroup mkdir and rmdir happen; it also includes extended logic to track whether the cgroup data is correct inside the bpf map and whether it was removed from the same cgroup tracking map after cgroup_rmdir. Signed-off-by: Djalal Harouni <[email protected]> (cherry picked from commit e0a2feb)
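The runtime configuration the commits above describe (the cgroup filesystem magic that tells cgroupv1 from cgroupv2, and the process cgroup path with its level in the hierarchy) can be derived in user space as follows. This is an added Go example, not Tetragon's own code: the function names are hypothetical, /sys/fs/cgroup is assumed to be the cgroup mount point, and the /proc/<pid>/cgroup content it parses is supplied by the caller.

```go
package main

import (
	"bufio"
	"strings"
	"syscall"
)

// CgroupFSMode maps the statfs() f_type of the cgroup mount to the cgroup mode name.
func CgroupFSMode(magic int64) string {
	switch magic {
	case 0x27e0eb: // CGROUP_SUPER_MAGIC (linux/magic.h)
		return "cgroupv1"
	case 0x63677270: // CGROUP2_SUPER_MAGIC
		return "cgroupv2"
	}
	return "unknown"
}

// DetectCgroupFS runs statfs() on the cgroup mount point (assumed here: /sys/fs/cgroup).
func DetectCgroupFS(mount string) (string, error) {
	var st syscall.Statfs_t
	if err := syscall.Statfs(mount, &st); err != nil {
		return "", err
	}
	return CgroupFSMode(int64(st.Type)), nil
}

// ParseProcCgroup picks the cgroup path out of /proc/<pid>/cgroup content: the "0::<path>"
// line on cgroupv2, or the "<id>:<controllers>:<path>" line listing v1Controller on cgroupv1.
func ParseProcCgroup(content, mode, v1Controller string) string {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		p := strings.SplitN(sc.Text(), ":", 3)
		if len(p) != 3 {
			continue // not a "<id>:<controllers>:<path>" line
		}
		isV2 := p[0] == "0" && p[1] == ""
		hasCtrl := strings.Contains(","+p[1]+",", ","+v1Controller+",")
		if (mode == "cgroupv2" && isV2) || (mode == "cgroupv1" && !isV2 && hasCtrl) {
			return p[2]
		}
	}
	return ""
}

// CgroupLevel is the depth of a cgroup path in the hierarchy; the root "/" is level 0.
func CgroupLevel(path string) int {
	return len(strings.FieldsFunc(path, func(r rune) bool { return r == '/' }))
}
```

On a hybrid cgroupv1 host the unified "0::" line is still present, which is why the mode, not the line shape alone, decides which entry is taken.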
tixxdz force-pushed the backports/v0.8/tixxdz/prs-471 branch from 3529d28 to 285f3f8, January 16, 2023 08:46
kkourt approved these changes, Jan 16, 2023
This backports #471 (all cherry picked)
#471 includes some cgroup patches that enforce the notion of being compatible with both cgroupv1 and cgroupv2, and transparently detecting that. Besides that, more fixes will come on top from upstream: #541 and #594
Merging this will allow us to nearly align this branch with current upstream with regard to cgroups, and make it easy to incorporate further fixes! The bpf cgroups programs still sit in testing. We can try to split this up and just get the proper fixes, but it is a pain, as the original PR was explicitly split for such reasons (bisecting)... during review it was requested to pack it together.
Conclusion: totally fine to merge, especially with all the tests to assert stability.