Populate client side trace's local address via tcp kprobes #1989
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -176,7 +176,7 @@ DEFINE_bool( | |
stirling_debug_tls_sources, gflags::BoolFromEnv("PX_DEBUG_TLS_SOURCES", false), | ||
"If true, stirling will add additional prometheus metrics regarding the traced tls sources"); | ||
|
||
DEFINE_uint32(stirling_bpf_loop_limit, 42, | ||
DEFINE_uint32(stirling_bpf_loop_limit, 41, | ||
"The maximum number of iovecs to capture for syscalls. " | ||
"Set conservatively for older kernels by default to keep the instruction count below " | ||
"BPF's limit for version 4 kernels (4096 per probe)."); | ||
|
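Review bot: The new default of 41 for stirling_bpf_loop_limit is a magic number with no record of how it was derived; the help string still only says the value is "set conservatively" for the 4096-instruction limit on version 4 kernels. The value was lowered by exactly one to get back under that limit, so the next change that adds instructions to a probe using this loop can break loading on those kernels again. Suggest a comment beside the flag naming the probes that sit at the limit (the discussion on this PR names the recvmsg, recvmmsg, sendmsg and sendmmsg return probes that use process_implicit_conn), and a note in the help text that lowering the limit reduces the number of iovecs captured per syscall.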
@@ -342,6 +342,18 @@ const auto kProbeSpecs = MakeArray<bpf_tools::KProbeSpec>({ | |
{"close", ProbeType::kReturn, "syscall__probe_ret_close"}, | ||
{"mmap", ProbeType::kEntry, "syscall__probe_entry_mmap"}, | ||
{"sock_alloc", ProbeType::kReturn, "probe_ret_sock_alloc", /*is_syscall*/ false}, | ||
{"tcp_v4_connect", ProbeType::kEntry, "probe_entry_populate_active_connect_sock", | ||
/*is_syscall*/ false}, | ||
{"tcp_v4_connect", ProbeType::kReturn, "probe_ret_populate_active_connect_sock", | ||
/*is_syscall*/ false}, | ||
{"tcp_v6_connect", ProbeType::kEntry, "probe_entry_populate_active_connect_sock", | ||
/*is_syscall*/ false}, | ||
{"tcp_v6_connect", ProbeType::kReturn, "probe_ret_populate_active_connect_sock", | ||
/*is_syscall*/ false}, | ||
{"tcp_sendmsg", ProbeType::kEntry, "probe_entry_populate_active_connect_sock", | ||
/*is_syscall*/ false}, | ||
{"tcp_sendmsg", ProbeType::kReturn, "probe_ret_populate_active_connect_sock", | ||
/*is_syscall*/ false}, | ||
Comment on lines +353 to +356
Since we don't have an easy mechanism for testing this, I tried to test this mid stream case by creating a psql shell prior to the PEM starting and issuing queries after the socket tracer was initialized. I verified that a tcp connection was made and only Surprisingly, I saw that the |
||
{"security_socket_sendmsg", ProbeType::kEntry, "probe_entry_socket_sendmsg", | ||
/*is_syscall*/ false, /* is_optional */ false, | ||
std::make_shared<bpf_tools::KProbeSpec>(bpf_tools::KProbeSpec{ | ||
|
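Review bot: The tcp_sendmsg entries reuse probe_entry_populate_active_connect_sock and probe_ret_populate_active_connect_sock, the same handlers attached to tcp_v4_connect and tcp_v6_connect, and nothing in the table says why a send-path function runs connect-named handlers. The inline discussion indicates this covers the mid stream case, where the connection exists before the tracer starts; a one-line comment above the tcp_sendmsg pair stating that would help, along with confirmation that the handler returns early once the socket is already recorded, since tcp_sendmsg fires on every TCP send rather than once per connection. These six entries also leave is_optional unset, unlike the security_socket_sendmsg entry below, which spells it out; it is worth stating whether a failed attach on any of them should stop the socket tracer from initializing.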
The iovec syscall return probes that rely on process_implicit_conn (recvmsg, recvmmsg, sendmsg, sendmmsg) had their instruction count increase beyond the 4.14 limit. This was my solution to getting the BPF instruction count on 4.14 kernels to work. The rationale is that cases that are right on the edge of this limit are likely to have problems already.
The other things I considered were the following:
submit_new_conn call (e.g. submit_new_conn(ctx, tgid, fd, addr, /*sock*/ NULL, role, source_fn)) -- not viable since it partially handles mid stream connections
I'm open to other suggestions if you have any, but this was the set of things I came up with.