
in_ebpf: initial version of the plugin (experimental) #9576

Merged (1 commit) on Nov 11, 2024

Conversation

@niedbalski (Collaborator) commented Nov 11, 2024

This is a proposal to implement an eBPF trace input plugin to allow sending traces from in-kernel functions and from userland through userland probes.

This initial implementation has 3 traces implemented: bind (tcp), malloc (uprobe) and signals (kernel trace).

Event types are defined in the fluent-bit code base, and those have to be followed by the eBPF program when it submits events into the ring buffer.

An example configuration is as follows:

```ini
[INPUT]
    Name          ebpf
    Trace         trace_signal
    Trace         trace_execve
    Trace         trace_malloc
    Trace         trace_bind

[OUTPUT]
    Name          stdout
    Match         *

[SERVICE]
    log_level info
```
This produces an output set of log entries as follows:

```
[0] ebpf.0: [[1731333768.829643359, {}], {"event_type"=>"signal", "pid"=>117893, "tid"=>117893, "comm"=>"cpptools-srv", "signal"=>0, "tpid"=>117893}]
[0] ebpf.0: [[1731333769.829653344, {}], {"event_type"=>"signal", "pid"=>117893, "tid"=>117893, "comm"=>"cpptools-srv", "signal"=>0, "tpid"=>117893}]
[0] ebpf.0: [[1731333770.829523255, {}], {"event_type"=>"signal", "pid"=>117893, "tid"=>117893, "comm"=>"cpptools-srv", "signal"=>0, "tpid"=>117893}]
[0] ebpf.0: [[1731333771.829413630, {}], {"event_type"=>"signal", "pid"=>117893, "tid"=>117893, "comm"=>"cpptools-srv", "signal"=>0, "tpid"=>117893}]
[0] ebpf.0: [[1731333772.829621482, {}], {"event_type"=>"signal", "pid"=>117893, "tid"=>117893, "comm"=>"cpptools-srv", "signal"=>0, "tpid"=>117893}]
[1] ebpf.0: [[1731333772.830256768, {}], {"event_type"=>"bind", "pid"=>2310, "tid"=>2340, "comm"=>"Socket Thread", "pid"=>2310, "comm"=>"Socket Thread", "uid"=>1000, "gid"=>1000, "error_raw"=>0, "port"=>36155, "bound_dev_if"=>0}]
[0] ebpf.0: [[1731333773.829462953, {}], {"event_type"=>"signal", "pid"=>117893, "tid"=>117893, "comm"=>"cpptools-srv", "signal"=>0, "tpid"=>117893}]
[1] ebpf.0: [[1731333773.830034959, {}], {"event_type"=>"malloc", "pid"=>4026531841, "tid"=>121399, "comm"=>"flb-pipeline", "operation"=>2, "address"=>139997277961840, "size"=>56}]
[0] ebpf.0: [[1731333774.829801400, {}], {"event_type"=>"signal", "pid"=>117893, "tid"=>117893, "comm"=>"cpptools-srv", "signal"=>0, "tpid"=>117893}]
[0] ebpf.0: [[1731333775.829572805, {}], {"event_type"=>"signal", "pid"=>117893, "tid"=>117893, "comm"=>"cpptools-srv", "signal"=>0, "tpid"=>117893}]
[0] ebpf.0: [[1731333776.829087325, {}], {"event_type"=>"signal", "pid"=>117893, "tid"=>117893, "comm"=>"cpptools-srv", "signal"=>0, "tpid"=>117893}]
```

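The description above says the event types are fixed on the fluent-bit side and the eBPF program must emit records in that layout. The userland consumer is where that contract gets enforced: a record pulled from the ring buffer should be checked for size, type and string termination before it is turned into a log entry, because a mismatched or stale BPF object will otherwise produce garbage fields or an out-of-bounds read of `comm`. The following is an added example written for this page, not code from the PR or from fluent-bit. The event structs, the `ev_type` numbering and the `decode_event` function are all assumptions chosen to mirror the fields in the sample output; the sample records are constructed, not captured from a probe.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMM_LEN 16   /* TASK_COMM_LEN in the kernel */

/* Hypothetical event contract for this example: mirrors the fields in the
 * PR's sample output but is NOT the plugin's real header. */
enum ev_type { EV_SIGNAL = 1, EV_BIND = 2, EV_MALLOC = 3 };

struct ev_header {
    uint32_t type;           /* one of enum ev_type */
    uint32_t pid;
    uint32_t tid;
    char     comm[COMM_LEN]; /* may arrive without a NUL terminator */
};
struct ev_signal { struct ev_header hdr; int32_t signal; uint32_t tpid; };
struct ev_bind   { struct ev_header hdr; uint32_t uid; uint32_t gid;
                   int32_t error_raw; uint16_t port; uint32_t bound_dev_if; };
struct ev_malloc { struct ev_header hdr; uint32_t operation;
                   uint64_t address; uint64_t size; };

/* Decode one raw ring-buffer record into a key=value line.
 * Returns 0 on success, -1 when the record violates the contract: shorter
 * than the header, wrong size for its type, unknown type, signal number out
 * of range, or an output buffer too small for the formatted line. */
int decode_event(const void *buf, size_t len, char *out, size_t outlen)
{
    struct ev_header hdr;
    char comm[COMM_LEN + 1];
    int n;

    if (buf == NULL || out == NULL || len < sizeof hdr) return -1;
    memcpy(&hdr, buf, sizeof hdr);      /* memcpy: the record may be unaligned */
    memcpy(comm, hdr.comm, COMM_LEN);
    comm[COMM_LEN] = '\0';              /* force termination before printing */

    switch (hdr.type) {
    case EV_SIGNAL: {
        struct ev_signal ev;
        if (len != sizeof ev) return -1;
        memcpy(&ev, buf, sizeof ev);
        if (ev.signal < 0 || ev.signal > 64) return -1;  /* 0 = probe, 64 = SIGRTMAX */
        n = snprintf(out, outlen, "event_type=signal pid=%" PRIu32 " tid=%" PRIu32
                     " comm=%s signal=%" PRId32 " tpid=%" PRIu32,
                     ev.hdr.pid, ev.hdr.tid, comm, ev.signal, ev.tpid);
        break;
    }
    case EV_BIND: {
        struct ev_bind ev;
        if (len != sizeof ev) return -1;
        memcpy(&ev, buf, sizeof ev);
        n = snprintf(out, outlen, "event_type=bind pid=%" PRIu32 " tid=%" PRIu32
                     " comm=%s uid=%" PRIu32 " gid=%" PRIu32 " error_raw=%" PRId32
                     " port=%" PRIu16 " bound_dev_if=%" PRIu32,
                     ev.hdr.pid, ev.hdr.tid, comm, ev.uid, ev.gid, ev.error_raw,
                     ev.port, ev.bound_dev_if);
        break;
    }
    case EV_MALLOC: {
        struct ev_malloc ev;
        if (len != sizeof ev) return -1;
        memcpy(&ev, buf, sizeof ev);
        n = snprintf(out, outlen, "event_type=malloc pid=%" PRIu32 " tid=%" PRIu32
                     " comm=%s operation=%" PRIu32 " address=0x%" PRIx64 " size=%" PRIu64,
                     ev.hdr.pid, ev.hdr.tid, comm, ev.operation, ev.address, ev.size);
        break;
    }
    default:
        return -1;                      /* type the userland side does not know */
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Constructed sample records (not captured from a real probe). */
static const struct ev_signal sample_signal =
    { { EV_SIGNAL, 117893, 117893, "cpptools-srv" }, 9, 4242 };
static const struct ev_bind sample_bind =
    { { EV_BIND, 2310, 2340, "Socket Thread" }, 1000, 1000, 0, 36155, 0 };
static const struct ev_malloc sample_malloc =
    { { EV_MALLOC, 121399, 121399, "flb-pipeline" }, 2, 0x7f5400001234ULL, 56 };
/* comm fills all 16 bytes, so there is no NUL terminator inside the record. */
static const struct ev_signal sample_longcomm =
    { { EV_SIGNAL, 1, 1, "0123456789abcdef" }, 15, 2 };
static const struct ev_header sample_bogus = { 99, 1, 1, "bogus" };
static char g_out[256];

int main(void)
{
    struct { const void *buf; size_t len; } samples[] = {
        { &sample_signal, sizeof sample_signal },
        { &sample_bind, sizeof sample_bind },
        { &sample_malloc, sizeof sample_malloc },
        { &sample_longcomm, sizeof sample_longcomm },
        { &sample_bind, sizeof sample_bind - 1 },   /* truncated record */
        { &sample_bogus, sizeof sample_bogus },     /* unknown event type */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (decode_event(samples[i].buf, samples[i].len, g_out, sizeof g_out) == 0)
            printf("accepted: %s\n", g_out);
        else
            printf("rejected record %zu (%zu bytes)\n", i, samples[i].len);
    }
    return 0;
}
```

Build with `cc -std=c11 -Wall decode.c`. The exact-size check per type is deliberate: a record that is merely "long enough" can still come from a BPF object built against a different struct version, and accepting it silently is how a trace pipeline ends up logging fields shifted by one. Dropping the record and counting it is preferable to emitting a wrong `pid` or `uid` into a security log.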

This is a proposal to implement an eBPF trace ingestor
plugin to allow sending traces from in-kernel functions and
userland through uprobes.

This initial implementation has 3 traces implemented:
bind (tcp), malloc (uprobe) and signals (kernel trace).

Event types are known and defined in the fluent-bit codebase, and
those have to be followed by the eBPF program when it submits events
into the ring buffer.

Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>