NETOBSERV-1255 Adding Raw Packet export capability as Packet Capture Agent(PCA)

[shach33]

This PR extends the agent to export raw packets through the network. We call it Packet Capture Agent(PCA).

This functionality is turned off by default. I have added 2 new environments to enable this.
set ENABLE_PCA=true to activate packet cpature.
set PCA_FILTER=[ipproto,port number] to indicate the filter for packet capture, e.g. export PCA_FILTER=tcp,22

The PCA_FILTER defaults to udp DNS(udp,53). If ENABLE_PCA is true, but filters are not specified, by default it captures DNS packets.

The captured packets are written to a socket in PCAP format.

[eranra]

@msherif1234, for awareness --- the idea behind this PR is to become the basis for both PANO (of course) but also for other Packet level network observability requirements, such as "selective" packet mirroring - functionality such as network tracing etc. So generalization and customization of the content are key ( hope this make sense to you )

[codecov]

Codecov Report

Patch coverage: 3.03% and project coverage change: -7.41% ⚠️

Comparison is base (7d31bf6) 39.56% compared to head (1f17d37) 32.16%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #113      +/-   ##
==========================================
- Coverage   39.56%   32.16%   -7.41%     
==========================================
  Files          31       36       +5     
  Lines        2391     2960     +569     
==========================================
+ Hits          946      952       +6     
- Misses       1388     1951     +563     
  Partials       57       57              

Flag	Coverage Δ
unittests	32.16% <3.03%> (-7.41%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files Changed	Coverage Δ
pkg/agent/packets_agent.go	0.00% <0.00%> (ø)
pkg/ebpf/tracer.go	0.00% <0.00%> (ø)
pkg/exporter/packets.go	0.00% <0.00%> (ø)
pkg/flow/packet_record.go	0.00% <0.00%> (ø)
pkg/flow/perfbuffer.go	0.00% <0.00%> (ø)
pkg/flow/tracer_perf.go	0.00% <0.00%> (ø)
pkg/agent/agent.go	39.11% <58.06%> (+1.26%)	⬆️

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[msherif1234]

I took initial look
I see ur created a parallel agent instead of extending the current one after u check the new config knob can u explain the reasoning ?

[shach33]

I took initial look I see ur created a parallel agent instead of extending the current one after u check the new config knob can u explain the reasoning ?

The current agent works at the level of flows and flow metrics. With PANO, we wish to use a 'packet' as the unit of communication. The struct elements of flow metrics are no longer required. Hope this helps.

[msherif1234]

I took initial look I see ur created a parallel agent instead of extending the current one after u check the new config knob can u explain the reasoning ?

The current agent works at the level of flows and flow metrics. With PANO, we wish to use a 'packet' as the unit of communication. The struct elements of flow metrics are no longer required. Hope this helps.

yeah I am aware of that as u know I went through the same trouble when I prototyped TCPlife span hook but was able to refactor the current agent so it can handle both probably something we need to poll the team on @jotak @eranra @praveingk wdyt ? will be great if we somehow abstract support to perf map as we have other use cases as well that wanted to use it like the one I mentioned above and more will come and will be nice to share this so all hooks need to generate perf event will reuse

[memodi]

/ok-to-test

[dushyantbehl]

@shach33 can you also remove the temp1.pcap file which I assume got pushed along with your commits.

[dushyantbehl]

Can you rename this to what it does ReadRawPacketFromBuffer or just ReadRawPacket

[shach33]

Updated to ReadRawPacket

[dushyantbehl]

I belive yes we can extract out common code and enable one or both functionalities in the agents rather than extending the code which can create code duplication.

[shach33]

Performed first level refactoring.

[dushyantbehl]

This PR needs a code review. Waiting for @shach33 to commit final version before providing the review

[jotak]

this is unclear to me why we would ignore .o files, I think we shouldn't?

[shach33]

I believe its a good practice to not include object files in commits. We cant get their diffs, they always have merge problems. But if thats how we do things. I will revert.

[shach33]

Done.

[jotak]

so this means the agent is started either for flow logs or for PCA, but cannot do both at the same time, right?
Do you see a technical limitation for doing so, or is that just a choice and we could change that any time?

[shach33]

Yes. The flows and packets agent are disparate and only one is active at a time. The metric of transfer in flows agent is a flow struct, while with PCA is a packet. We could merge them but that would add multiple unnecessary if checks at every step.

If the team deems this to be a better way to go, I can later create another PR with the merge. As of now, the code is cleanly separated between packet capture and flows agent.

[dushyantbehl]

Do you think if we are going to keep agent either PCA or Flow logs we should specify that make a single environment like AGENT_TYPE which can be PCA or FlowLogs

[shach33]

We can discuss this in our calls and make a decision then. In this PR, I would suggest to let it stay the way it is.

[jotak]

sounds good

[jotak]

Performed Resource analysis on the PR with 6 different use cases.

1. base netobserv:main

2. PR with PCA disabled

3. PR with PCA enabled - invalid filter

4. PR with PCA enabled - filter tcp,80

5. PR with PCA enabled - filter udp,53

6. PR with PCA enabled - filter tcp,443

@shach33 if I understand correctly your perf measurements, the current ebpf agent (without your PR) consumes twice as much memory than with your PR with PCA disabled? (1=~280MB vs 2=~140MB). This would be good news but is quite unexpected, how can we explain that? Or it could be a wrong measurement?

[jotak]

For info, I did some tests on my cluster for memory usage: there's indeed an increase with this feature (even when disabled) , I guess essentially due to the map. On my cluster, that's around 10MB increase per pod. Since it is constant, the more loaded is the agent, the more negligible is this overhead.

[shach33]

Kernel does not support BPF_F_NO_PREALLOC for LRU type maps.
cilium/ebpf#1072

[msherif1234]

pls use u32

[shach33]

done.

[msherif1234]

BPF_F_NO_PREALLOC not avaliable for all map types

[msherif1234]

isn't there a limit of how much hdr we can send with perf event ?

[msherif1234]

it seems there is no enforced limit by the kernel and if userspace can't hold it the event will be dropped

[shach33]

If the size is too big, the call to bpf_perf_event_output will fail and return -EFAULT.

[msherif1234]

what is the point of checking the return code if either way u return ok ?

[shach33]

this was an oversight. Fixed it.

[msherif1234]

this is not right , we can't assume if its not TCP its UDP, we have SCTP, ICMPv4 and ICMPv6 protocols support

[shach33]

Updated. Only checks for tcp/udp, for anything else, we return.

[msherif1234]

sctp will work very similar to ycp and udp unless we see no use case for it ? which isn't true because svc can use sctp protocol taht is why we added it

[shach33]

I added SCTP. ICMP packets dont really have port associated to them. So, it would require an update to the filter specifications, which I can do as part of an extension, but may be not with the current PR.

[msherif1234]

nit: u don't use current_time here so u can read it in attach_packet_payload and remove it from here

[shach33]

Sure. Fixed.

[msherif1234]

nit pls add line to the end

[shach33]

Added

[msherif1234]

might be more efficient instruction wise to do

u16 ethType = bpf_ntohs(eth->h_proto);
if (ethType != ETH_P_IP && ethType != ETH_P_IPV6) {
}

[shach33]

Updated.

[msherif1234]

why did u add this ? for standalone testing ?

[shach33]

This was to reuse the same code block for terminating both netobserv and PCA.

[msherif1234]

can't we treat that as capture everything instead of error ?

[shach33]

Should we treat this for capture everything? That might be extremely resource intensive. This was a design decision we made. This could be updated if the team deems this behavior correct.

[msherif1234]

wanted to share one of the PM customers asked use case is to do capture all (just learnt this now) cc'd @jpinsonneau

[jpinsonneau]

+1 it seems to be a use case now 🙃
Would it work if we capture everything expect our own netobserv traffic ? Let's say with unlimited resources

[shach33]

Updated to collect and export all packets if the filter (enviroment variable PCA_FILTER) is not set at all.
However if the filter is wrongly set, incorrect format/ non-supported protocols etc, then the agent doesnt export anything.

[jotak]

@shach33 : here's a suggestion as discussed on slack. This is to minimize the memory allocation when PCA isn't used.

[jotak]

Suggested change

	//Deleting specs for PCA
	//Deleting specs for PCA
	// Always set pcaRecordsMap to the minimum in FlowFetcher - PCA and Flow Fetcher are mutually exclusive.
	spec.Maps[pcaRecordsMap].MaxEntries = 1

[shach33]

Sure Joel.

[msherif1234]

I think we come to this case for TCP DNS have u tried to capture DNS over TCP and measured the CPU usage ? u can simply do dig google.om +tcp to do DNS over TCP

[shach33]

I am not sure what is happening here, but when I experiment, the requests/response generated via dig google.com +tcp are also UDP packets.

[msherif1234]

no that is indeed tcp dns I have used it

[shach33]

Then, I am able to capture those.

[msherif1234]

nit: we don't use __types in the agent code so probably need to stick to the same style

[shach33]

Fixed.

[msherif1234]

no that is indeed tcp dns I have used it

[msherif1234]

it seems there is no enforced limit by the kernel and if userspace can't hold it the event will be dropped

[msherif1234]

sctp will work very similar to ycp and udp unless we see no use case for it ? which isn't true because svc can use sctp protocol taht is why we added it

[msherif1234]

you aren't using this interface ?

[shach33]

I am. This is the one being used to delete map.

[msherif1234]

is there a way to show interface name with the collected flow, u already have if_index in thr perf hdr

iface, err := net.InterfaceByIndex(int(eventHdr.IfId))
ifcace.Name

[shach33]

PCA eventually only transmits a packet stream. How do you think we should include the interface information?

[msherif1234]

do u need the above logs won't some of this will flood the logs ?

[shach33]

It is a debug log. But removed it for now.

[jotak]

Thanks @shach33 , LGTM on my side, I'm leaving it in @msherif1234 / @dushyantbehl hands! :)

[dushyantbehl]

nit: Please add {} here with else to keep the code structure same across all C code.

@shach33

[dushyantbehl]

@shach33 nit: you can possibly do bpf_htons(pca_port) once.

[dushyantbehl]

Added 2 minor things for @shach33.
Let me know when they are done and I can add a lgtm here.

Leaving for @msherif1234 for taking a final view

[jpinsonneau]

@shach33 can we just rebase this ? then we are good to merge 😸
thanks !

[msherif1234]

@shach33 why the changes in main is showing up in ur PR as new diffs ?

[shach33]

@msherif1234 This is fixed now.

[msherif1234]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: msherif1234

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [msherif1234]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment