Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

usm: Refactor istio monitor to use new uprobe attacher #29303

Merged
merged 16 commits into from
Dec 11, 2024
Merged
5 changes: 0 additions & 5 deletions pkg/network/usm/ebpf_gotls.go
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,6 @@ import (
"errors"
"fmt"
"io"
"time"

"github.com/cilium/ebpf"

Expand All @@ -35,10 +34,6 @@ const (
goTLSWriteArgsMap = "go_tls_write_args"
connectionTupleByGoTLSMap = "conn_tup_by_go_tls_conn"

// The interval of the periodic scan for terminated processes. Increasing the interval, might cause larger spikes in cpu
// and lowering it might cause constant cpu usage.
scanTerminatedProcessesInterval = 30 * time.Second

connReadProbe = "uprobe__crypto_tls_Conn_Read"
connReadRetProbe = "uprobe__crypto_tls_Conn_Read__return"
connWriteProbe = "uprobe__crypto_tls_Conn_Write"
Expand Down
181 changes: 33 additions & 148 deletions pkg/network/usm/istio.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,23 +8,22 @@
package usm

import (
"fmt"
"strings"
"sync"
"time"

manager "github.com/DataDog/ebpf-manager"

"github.com/DataDog/datadog-agent/pkg/ebpf/uprobes"
"github.com/DataDog/datadog-agent/pkg/network/config"
"github.com/DataDog/datadog-agent/pkg/network/usm/consts"
"github.com/DataDog/datadog-agent/pkg/network/usm/utils"
"github.com/DataDog/datadog-agent/pkg/process/monitor"
"github.com/DataDog/datadog-agent/pkg/util/kernel"
"github.com/DataDog/datadog-agent/pkg/util/log"
manager "github.com/DataDog/ebpf-manager"
)

const (
istioSslReadRetprobe = "istio_uretprobe__SSL_read"
istioSslWriteRetprobe = "istio_uretprobe__SSL_write"

istioAttacherName = "istio"
)

var istioProbes = []manager.ProbesSelector{
Expand Down Expand Up @@ -81,64 +80,42 @@ var istioProbes = []manager.ProbesSelector{
// because the Envoy binary embedded in the Istio containers have debug symbols
// whereas the "vanilla" Envoy images are distributed without them.
type istioMonitor struct {
registry *utils.FileRegistry
procRoot string
envoyCmd string

// `utils.FileRegistry` callbacks
registerCB func(utils.FilePath) error
unregisterCB func(utils.FilePath) error

// Termination
wg sync.WaitGroup
done chan struct{}
attacher *uprobes.UprobeAttacher
envoyCmd string
processMonitor *monitor.ProcessMonitor
}

// Validate that istioMonitor implements the Attacher interface.
var _ utils.Attacher = &istioMonitor{}

func newIstioMonitor(c *config.Config, mgr *manager.Manager) *istioMonitor {
if !c.EnableIstioMonitoring {
return nil
}

procRoot := kernel.ProcFSRoot()
return &istioMonitor{
registry: utils.NewFileRegistry(consts.USMModuleName, "istio"),
procRoot: procRoot,
m := &istioMonitor{
envoyCmd: c.EnvoyPath,
done: make(chan struct{}),

// Callbacks
registerCB: addHooks(mgr, procRoot, istioProbes),
unregisterCB: removeHooks(mgr, istioProbes),
attacher: nil,
}
}

// DetachPID detaches a given pid from the eBPF program
func (m *istioMonitor) DetachPID(pid uint32) error {
return m.registry.Unregister(pid)
}
attachCfg := uprobes.AttacherConfig{
ProcRoot: c.ProcRoot,
Rules: []*uprobes.AttachRule{{
Targets: uprobes.AttachToExecutable,
ProbesSelector: istioProbes,
ExecutableFilter: m.isIstioBinary,
}},
EbpfConfig: &c.Config,
ExcludeTargets: uprobes.ExcludeSelf | uprobes.ExcludeInternal | uprobes.ExcludeBuildkit | uprobes.ExcludeContainerdTmp,
vitkyrka marked this conversation as resolved.
Show resolved Hide resolved
EnablePeriodicScanNewProcesses: true,
}

var (
// ErrNoEnvoyPath is returned when no envoy path is found for a given PID
ErrNoEnvoyPath = fmt.Errorf("no envoy path found for PID")
)
m.processMonitor = monitor.GetProcessMonitor()
guyarb marked this conversation as resolved.
Show resolved Hide resolved

// AttachPID attaches a given pid to the eBPF program
func (m *istioMonitor) AttachPID(pid uint32) error {
path := m.getEnvoyPath(pid)
if path == "" {
return ErrNoEnvoyPath
attacher, err := uprobes.NewUprobeAttacher(consts.USMModuleName, istioAttacherName, attachCfg, mgr, nil, &uprobes.NativeBinaryInspector{}, m.processMonitor)
if err != nil {
log.Errorf("Cannot create uprobe attacher: %v", err)
}
guyarb marked this conversation as resolved.
Show resolved Hide resolved

return m.registry.Register(
path,
pid,
m.registerCB,
m.unregisterCB,
utils.IgnoreCB,
)
m.attacher = attacher
return m
guyarb marked this conversation as resolved.
Show resolved Hide resolved
}

// Start the istioMonitor
Expand All @@ -147,48 +124,7 @@ func (m *istioMonitor) Start() {
return
}

processMonitor := monitor.GetProcessMonitor()

// Subscribe to process events
doneExec := processMonitor.SubscribeExec(m.handleProcessExec)
doneExit := processMonitor.SubscribeExit(m.handleProcessExit)

// Attach to existing processes
m.sync()

m.wg.Add(1)
go func() {
// This ticker is responsible for controlling the rate at which
// we scrape the whole procFS again in order to ensure that we
// terminate any dangling uprobes and register new processes
// missed by the process monitor stream
processSync := time.NewTicker(scanTerminatedProcessesInterval)

defer func() {
processSync.Stop()
// Execute process monitor callback termination functions
doneExec()
doneExit()
// Stopping the process monitor (if we're the last instance)
processMonitor.Stop()
// Cleaning up all active hooks
m.registry.Clear()
// marking we're finished.
m.wg.Done()
}()

for {
select {
case <-m.done:
return
case <-processSync.C:
m.sync()
m.registry.Log()
vitkyrka marked this conversation as resolved.
Show resolved Hide resolved
}
}
}()

utils.AddAttacher(consts.USMModuleName, "istio", m)
_ = m.attacher.Start()
guyarb marked this conversation as resolved.
Show resolved Hide resolved
log.Info("Istio monitoring enabled")
}

Expand All @@ -198,62 +134,11 @@ func (m *istioMonitor) Stop() {
return
}

close(m.done)
m.wg.Wait()
}

// sync state of istioMonitor with the current state of procFS
// the purpose of this method is two-fold:
// 1) register processes for which we missed exec events (targeted mostly at startup)
// 2) unregister processes for which we missed exit events
func (m *istioMonitor) sync() {
deletionCandidates := m.registry.GetRegisteredProcesses()

_ = kernel.WithAllProcs(m.procRoot, func(pid int) error {
if _, ok := deletionCandidates[uint32(pid)]; ok {
// We have previously hooked into this process and it remains active,
// so we remove it from the deletionCandidates list, and move on to the next PID
delete(deletionCandidates, uint32(pid))
return nil
}

// This is a new PID so we attempt to attach SSL probes to it
_ = m.AttachPID(uint32(pid))
return nil
})

// At this point all entries from deletionCandidates are no longer alive, so
// we should detach our SSL probes from them
for pid := range deletionCandidates {
m.handleProcessExit(pid)
}
}

func (m *istioMonitor) handleProcessExit(pid uint32) {
// We avoid filtering PIDs here because it's cheaper to simply do a registry lookup
// instead of fetching a process name in order to determine whether it is an
// envoy process or not (which at the very minimum involves syscalls)
_ = m.DetachPID(pid)
}

func (m *istioMonitor) handleProcessExec(pid uint32) {
_ = m.AttachPID(pid)
m.attacher.Stop()
gjulianm marked this conversation as resolved.
Show resolved Hide resolved
}

// getEnvoyPath returns the executable path of the envoy binary for a given PID.
// It constructs the path to the symbolic link for the executable file of the process with the given PID,
// then resolves this symlink to determine the actual path of the binary.
//
// If the resolved path contains the expected envoy command substring (as defined by m.envoyCmd),
// the function returns this path. If the PID does not correspond to an envoy process or if an error
// occurs during resolution, it returns an empty string.
func (m *istioMonitor) getEnvoyPath(pid uint32) string {
exePath := fmt.Sprintf("%s/%d/exe", m.procRoot, pid)

envoyPath, err := utils.ResolveSymlink(exePath)
if err != nil || !strings.Contains(envoyPath, m.envoyCmd) {
return ""
}

return envoyPath
// isIstioBinary checks whether the given file is an istioBinary, based on the expected envoy
// command substring (as defined by m.envoyCmd).
func (m *istioMonitor) isIstioBinary(path string, _ *uprobes.ProcInfo) bool {
return strings.Contains(path, m.envoyCmd)
}
Loading
Loading