Change the PID filter implementation to use bloom filter

[grcevski]

Our existing PID filtering for kprobes used an LRU hashmap, which can easily overflow with large number of PIDs. This PR changes the underlying implementation to use a bloom filter, which will favour false positives over negative collisions in the map.

Essentially, we set a bit on a bit array for a given namespace,pid tuple. If this PID matches, we create an event. The userspace code in Go will consult the internal map if this event is possibly a false positive and filter it out.

Adding and removing processes to be tracked is more expensive now, since we rebuild the PID array from scratch each time and we update the BPF array.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 96.42857% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 76.16%. Comparing base (a22db74) to head (954dd5e).
Report is 3 commits behind head on main.

Files	Patch %	Lines
pkg/internal/ebpf/httpfltr/httpfltr.go	96.42%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #851      +/-   ##
==========================================
- Coverage   79.63%   76.16%   -3.48%     
==========================================
  Files         117      117              
  Lines        8050     8044       -6     
==========================================
- Hits         6411     6127     -284     
- Misses       1231     1496     +265     
- Partials      408      421      +13     

Flag	Coverage Δ
integration-test	?
k8s-integration-test	65.13% <96.42%> (-0.06%)	⬇️
oats-test	35.81% <89.28%> (+0.26%)	⬆️
unittests	46.07% <17.85%> (+0.07%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[mariomac]

Amazing

[mariomac]

In another PR, I'd make this value configurable by the user.

Here is an example about how we do this for the Network flows:

beyla/bpf/flows_common.h

Lines 39 to 45 in a22db74

	// Key: the flow identifier. Value: the flow metrics for that identifier.
	// The userspace will aggregate them into a single flow.
	struct {
	__uint(type, BPF_MAP_TYPE_LRU_PERCPU_HASH);
	__type(key, flow_id);
	__type(value, flow_metrics);
	} aggregated_flows SEC(".maps");

beyla/pkg/internal/netolly/ebpf/tracer.go

Lines 85 to 86 in a22db74

	// Resize aggregated flows map according to user-provided configuration
	spec.Maps[aggregatedFlowsMap].MaxEntries = uint32(cacheMaxSize)

[grcevski]

Cool!