Fetch everything, everywhere, all at once. Issue #45 #47
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This diff unifies the tracking of task_struct{} across all probes and ebpf
events. We now update ~all task_struct values everywhere we can.
Now exit and exec embed a raw_task{} into their own raw_type and functions taht
operate solely on raw_task{} have been unified so we stop repeating code.
TASK_SAMPLE takes a parameter for register as maybe we will have to track from
another register in the future
Now samples can include TASK_SAMPLE, like exec_connector does. This creates an
issue as before we were creating the wire protocol carefully aligned by making
sure it's all ordered 64->32->16->8 and so on. If we place TASK_SAMPLE in the
beginning of the sample, we might end up unaligned, but if we add it in the end,
then a task_sample stops being standalone as it defines `probe_ip` like all
other samples.
We solve this by defining an aligned/non-padded task_sample, and we enforce this
via #pragma forbidden magic. Luckly it is aligned in its current state, if we
add more members in the future, we may manually pad it with additional members.
We also start getting ppid from the wire instead of hardcoding it, that's
because ppid might change either when a process daemonizes or when docker is
doing its magic to start a container, which can change ppid multiple times via
PR_SET_CHILD_SUBREAPER blood magic. See issue #43.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This diff unifies the tracking of task_struct{} across all probes and ebpf events. We now update ~all task_struct values everywhere we can.
Now exit and exec embed a raw_task{} into their own raw_type and functions taht operate solely on raw_task{} have been unified so we stop repeating code.
TASK_SAMPLE takes a parameter for register as maybe we will have to track from another register in the future
Now samples can include TASK_SAMPLE, like exec_connector does. This creates an issue as before we were creating the wire protocol carefully aligned by making sure it's all ordered 64->32->16->8 and so on. If we place TASK_SAMPLE in the beginning of the sample, we might end up unaligned, but if we add it in the end, then a task_sample stops being standalone as it defines
probe_iplike all other samples.We solve this by defining an aligned/non-padded task_sample, and we enforce this via #pragma forbidden magic. Luckly it is aligned in its current state, if we add more members in the future, we may manually pad it with additional members.
We also start getting ppid from the wire instead of hardcoding it, that's because ppid might change either when a process daemonizes or when docker is doing its magic to start a container, which can change ppid multiple times via PR_SET_CHILD_SUBREAPER blood magic. See issue #43.
This PR is pending on the merge of elastic/ebpf#197