From 4aed25a413875fdb4facab254bceca80480a3d5c Mon Sep 17 00:00:00 2001 From: Stuart Geipel Date: Mon, 30 Sep 2024 11:53:30 -0400 Subject: [PATCH 1/6] [NTWK-557] Fix NPM probes in OpenSUSE 15rc6 --- .../tracer/connection/kprobe/config.go | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/pkg/network/tracer/connection/kprobe/config.go b/pkg/network/tracer/connection/kprobe/config.go index e86745416eebe..d4ef24e70d1ef 100644 --- a/pkg/network/tracer/connection/kprobe/config.go +++ b/pkg/network/tracer/connection/kprobe/config.go @@ -9,6 +9,7 @@ package kprobe import ( "fmt" + "github.com/DataDog/datadog-agent/pkg/util/log" "github.com/DataDog/datadog-agent/pkg/ebpf" "github.com/DataDog/datadog-agent/pkg/network/config" @@ -16,6 +17,22 @@ import ( "github.com/DataDog/datadog-agent/pkg/util/kernel" ) +// After kernel 6.5.0, tcp_sendpage and udp_sendpage are removed. +// We used to only check for kv < 6.5.0 here - however, OpenSUSE 15.6 backported +// this change into 6.4.0 to pick up a CVE so the version number is not reliable. +// Instead, we directly check if the function exists. +func getHasSendPage(kv kernel.Version) bool { + missing, err := ebpf.VerifyKernelFuncs("tcp_sendpage") + if err == nil { + return len(missing) == 0 + } + + log.Errorf("error verifying tcp_sendpage presence, falling back to v6.5 check: %s", err) + + kv650 := kernel.VersionCode(6, 5, 0) + return kv < kv650 +} + func enableProbe(enabled map[probes.ProbeFuncName]struct{}, name probes.ProbeFuncName) { enabled[name] = struct{}{} } @@ -30,12 +47,14 @@ func enabledProbes(c *config.Config, runtimeTracer, coreTracer bool) (map[probes kv4180 := kernel.VersionCode(4, 18, 0) kv5180 := kernel.VersionCode(5, 18, 0) kv5190 := kernel.VersionCode(5, 19, 0) - kv650 := kernel.VersionCode(6, 5, 0) + kv, err := kernel.HostVersion() if err != nil { return nil, err } + hasSendPage := getHasSendPage(kv) + if c.CollectTCPv4Conns || c.CollectTCPv6Conns { if ClassificationSupported(c) { enableProbe(enabled, probes.ProtocolClassifierEntrySocketFilter) @@ -47,7 +66,7 @@ func enabledProbes(c *config.Config, runtimeTracer, coreTracer bool) (map[probes } enableProbe(enabled, selectVersionBasedProbe(runtimeTracer, kv, probes.TCPSendMsg, probes.TCPSendMsgPre410, kv410)) enableProbe(enabled, probes.TCPSendMsgReturn) - if kv < kv650 { + if hasSendPage { enableProbe(enabled, probes.TCPSendPage) enableProbe(enabled, probes.TCPSendPageReturn) } @@ -79,7 +98,7 @@ func enabledProbes(c *config.Config, runtimeTracer, coreTracer bool) (map[probes enableProbe(enabled, probes.IPMakeSkbReturn) enableProbe(enabled, probes.InetBind) enableProbe(enabled, probes.InetBindRet) - if kv < kv650 { + if hasSendPage { enableProbe(enabled, probes.UDPSendPage) enableProbe(enabled, probes.UDPSendPageReturn) } @@ -112,7 +131,7 @@ func enabledProbes(c *config.Config, runtimeTracer, coreTracer bool) (map[probes enableProbe(enabled, probes.IP6MakeSkbReturn) enableProbe(enabled, probes.Inet6Bind) enableProbe(enabled, probes.Inet6BindRet) - if kv < kv650 { + if hasSendPage { enableProbe(enabled, probes.UDPSendPage) enableProbe(enabled, probes.UDPSendPageReturn) } From 68c440ec0c3637ab654bd5f2f55ac2dbc265295b Mon Sep 17 00:00:00 2001 From: Stuart Geipel Date: Mon, 30 Sep 2024 13:53:58 -0400 Subject: [PATCH 2/6] add release notes --- .../notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml diff --git a/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml b/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml new file mode 100644 index 0000000000000..080d07e998161 --- /dev/null +++ b/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml @@ -0,0 +1,5 @@ + +--- +fixes: + - | + Fixed issue with OpenSUSE 15 RC 6 where the eBPF tracer wouldn't to start due to a failed validation of the tcp_sendpage probe. From 02c4f29997ae78ad0e73f06832a78030d8cf3694 Mon Sep 17 00:00:00 2001 From: Stuart Geipel Date: Mon, 30 Sep 2024 13:55:47 -0400 Subject: [PATCH 3/6] lower case openSUSE lol --- .../notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml b/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml index 080d07e998161..3c7eb7cd5a21b 100644 --- a/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml +++ b/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml @@ -2,4 +2,4 @@ --- fixes: - | - Fixed issue with OpenSUSE 15 RC 6 where the eBPF tracer wouldn't to start due to a failed validation of the tcp_sendpage probe. + Fixed issue with openSUSE 15 RC 6 where the eBPF tracer wouldn't to start due to a failed validation of the tcp_sendpage probe. From 3ddce911ad08e9d2c2100018e920008b0eac8025 Mon Sep 17 00:00:00 2001 From: Stuart Geipel Date: Mon, 30 Sep 2024 14:28:44 -0400 Subject: [PATCH 4/6] hasan feedback --- pkg/network/tracer/connection/kprobe/config.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/network/tracer/connection/kprobe/config.go b/pkg/network/tracer/connection/kprobe/config.go index d4ef24e70d1ef..a5efa46f1aa53 100644 --- a/pkg/network/tracer/connection/kprobe/config.go +++ b/pkg/network/tracer/connection/kprobe/config.go @@ -9,25 +9,25 @@ package kprobe import ( "fmt" - "github.com/DataDog/datadog-agent/pkg/util/log" "github.com/DataDog/datadog-agent/pkg/ebpf" "github.com/DataDog/datadog-agent/pkg/network/config" "github.com/DataDog/datadog-agent/pkg/network/ebpf/probes" "github.com/DataDog/datadog-agent/pkg/util/kernel" + "github.com/DataDog/datadog-agent/pkg/util/log" ) // After kernel 6.5.0, tcp_sendpage and udp_sendpage are removed. // We used to only check for kv < 6.5.0 here - however, OpenSUSE 15.6 backported // this change into 6.4.0 to pick up a CVE so the version number is not reliable. // Instead, we directly check if the function exists. -func getHasSendPage(kv kernel.Version) bool { +func hasTCPSendPage(kv kernel.Version) bool { missing, err := ebpf.VerifyKernelFuncs("tcp_sendpage") if err == nil { return len(missing) == 0 } - log.Errorf("error verifying tcp_sendpage presence, falling back to v6.5 check: %s", err) + log.Warnf("error verifying tcp_sendpage presence, falling back to v6.5 check: %s", err) kv650 := kernel.VersionCode(6, 5, 0) return kv < kv650 @@ -53,7 +53,7 @@ func enabledProbes(c *config.Config, runtimeTracer, coreTracer bool) (map[probes return nil, err } - hasSendPage := getHasSendPage(kv) + hasSendPage := hasTCPSendPage(kv) if c.CollectTCPv4Conns || c.CollectTCPv6Conns { if ClassificationSupported(c) { From 7c600dc002af53d8687c6627f40abca15c1eecf8 Mon Sep 17 00:00:00 2001 From: Stuart Geipel Date: Tue, 1 Oct 2024 09:52:55 -0400 Subject: [PATCH 5/6] Update releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml Co-authored-by: Sandra (neko) <165049174+neko-dd@users.noreply.github.com> --- .../notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml b/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml index 3c7eb7cd5a21b..7f7dcaba44f35 100644 --- a/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml +++ b/releasenotes/notes/fix-opensuse-15rc6-sendpage-11ba41034deaa721.yaml @@ -2,4 +2,4 @@ --- fixes: - | - Fixed issue with openSUSE 15 RC 6 where the eBPF tracer wouldn't to start due to a failed validation of the tcp_sendpage probe. + Fixed issue with openSUSE 15 RC 6 where the eBPF tracer wouldn't start due to a failed validation of the ``tcp_sendpage`` probe. From 821ec00138f8d2a121257fb5c62cef69b5ca7eb0 Mon Sep 17 00:00:00 2001 From: Stuart Geipel Date: Tue, 1 Oct 2024 16:07:15 -0400 Subject: [PATCH 6/6] more clear log --- pkg/network/tracer/connection/kprobe/config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/network/tracer/connection/kprobe/config.go b/pkg/network/tracer/connection/kprobe/config.go index a5efa46f1aa53..880a2f0a5e838 100644 --- a/pkg/network/tracer/connection/kprobe/config.go +++ b/pkg/network/tracer/connection/kprobe/config.go @@ -27,7 +27,7 @@ func hasTCPSendPage(kv kernel.Version) bool { return len(missing) == 0 } - log.Warnf("error verifying tcp_sendpage presence, falling back to v6.5 check: %s", err) + log.Debugf("unable to determine whether tcp_sendpage exists, using kernel version instead: %s", err) kv650 := kernel.VersionCode(6, 5, 0) return kv < kv650