Propagate context through TCP packets

[grcevski]

This PR finishes the work required to propagate context with trace context injection through TCP packets. The feature is disabled by default. I'm proposing the PR to ensure we can pass all integration tests without this enabled.

To complete the work, I plan to follow-up with another PR that will do the following:

• Add option to disable black-box context propagation
• Add tests without black-box context propagation and TCP packet propagation.

Relates to #871

[grcevski]

I split this so that we can use it on older kernels where bpf_printk allowed for at most 3 arguments.

[grcevski]

Connect runs before the SYN packet is sent. We use this opportunity to setup a trace context information for the connection. We'll later query the trace information in tc_egress, and serialize it on the TCP packet.

[grcevski]

these prints will have to be removed, but keeping them for now since this is disabled. bpf_dbg_printk doesnt' work because we need to fix it to not use bpf_get_pid_tid, but bpf_get_task info

[grcevski]

Once we receive a traceID over the wire (TCP packet) we store it for later to be used by the trace code.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.35%. Comparing base (77cba46) to head (06ddc8d).
Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1161      +/-   ##
==========================================
- Coverage   81.07%   78.35%   -2.73%     
==========================================
  Files         136      136              
  Lines       11416    11416              
==========================================
- Hits         9256     8945     -311     
- Misses       1636     1920     +284     
- Partials      524      551      +27     

Flag	Coverage Δ
integration-test	?
k8s-integration-test	58.81% <ø> (-0.12%)	⬇️
oats-test	35.77% <ø> (ø)
unittests	53.23% <ø> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[grcevski]

Before this change the client code only looked for a server trace and if it doesn't find it it will generate the trace information later. Now we look if the TCP egress has setup trace info for us, if we find it we mark as having trace info, we must not regenerate it. If we have our own TCP egress info, but there's server incoming request that wrapped this client call, then we'll overwrite this info.

[rafaelroquetto]

I'd actually put that in a comment

[grcevski]

For server requests, we first look for TCP info and then we fall back to black-box info.

[rafaelroquetto]

This is great, awesome! Very clever!

My comments are very minor (pedantic) nits, feel free to ignore.

[rafaelroquetto]

nit: trailing whitespace

[rafaelroquetto]

I was looking into this, and stumbled upon this check in read_sk_buff()

 if ((skb->len - tcp->hdr_len) < 0) { // less than 0 is a packet we can't parse

both len and hdr_len are unsigned, so I think, to complement this check, we should change read_sk_buff() to

 if ((skb->len - tcp->hdr_len) > skb->len) { // underflow, hdr_len is > len, packet too big

or even better

if (tcp->hdr_len > skb->len) { // package too big

[rafaelroquetto]

Suggested change

	bpf_printk("tot_len = %d, new_tot_len = %d", bpf_ntohs(tcp.tot_len), bpf_ntohs(new_tot_len));
	bpf_printk("h_proto = %d, skb->len = %d", tcp.h_proto, skb->len);
	bpf_printk("tot_len = %u, new_tot_len = %u", bpf_ntohs(tcp.tot_len), bpf_ntohs(new_tot_len));
	bpf_printk("h_proto = %u, skb->len = %u", tcp.h_proto, skb->len);

[rafaelroquetto]

I'd actually put that in a comment

[rafaelroquetto]

I wonder if it may be a good idea to have tp_info_pid_t store some sort of magic number - it's highly unlikely, but if someone stores the exact same amount of bytes there, we will be fooled. Who knows how many other people are doing crazy things like this?

Something like [0xb3l4][tp_info_pid_t]

[grcevski]

Good idea! I initially thought of this and said to myself, so if they do, we'll read something random and it's no worse than generating new ID. However, on a second thought, the value someone else puts in could be not random, but a constant and it will make all of our traceIDs be the same. I took your advice to put an ID on the PID (we don't use this field for TCP and it's later overwritten with -1). So I'll check the PID on ingress and if it doesn't match our magic value we'll not take in the packet.

[rafaelroquetto]

I'd add a comment such as:

// handle SYN only, ignore SYN+ACK packets

[mariomac]

Amazing! As Rafael suggests, I'd write your GitHub explanations as actual code comments.

[mariomac]

LGTM