Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable kprobe-multi for kmods by default #470

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Enable kprobe-multi for kmods by default #470

wants to merge 3 commits into from
+11 −16

Conversation

rgo3
Copy link
Contributor

@rgo3 rgo3 commented Dec 17, 2024

This commit enables using the kprobe-multi backend for tracing functions in kernel modules by default if supported. Previously that was only possible by specifying the --backend=kprobe-multi option.

Fixes #147

@rgo3 rgo3 requested a review from a team as a code owner December 17, 2024 13:30
@rgo3 rgo3 requested review from brb and removed request for a team December 17, 2024 13:30
@rgo3
Copy link
Contributor Author

rgo3 commented Dec 17, 2024
edited
Loading

Observation:
Running with kprobe backend:

sudo ./pwru --backend kprobe --kmods wireguard --filter-mark 0x0e00
2024/12/17 14:11:07 Attaching kprobes (via kprobe)...
1572 / 1572 [-----------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 184 p/s
2024/12/17 14:11:16 Attached (ignored 115)
2024/12/17 14:11:16 Listening for `events..`
SKB                CPU PROCESS          NETNS      MARK/x        IFACE       PROTO  MTU   LEN   TUPLE FUNC
^C2024/12/17 14:11:20 Received signal, exiting program..
2024/12/17 14:11:20 Detaching kprobes...
1457 / 1457 [------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 76 p/s

Running with kprobe-multi backend:

sudo ./pwru --kmods wireguard --filter-mark 0x0e00
2024/12/17 14:32:28 Attaching kprobes (via kprobe-multi)...
1480 / 1460 [-------------------------------------------------------------------------------------------------------------------------------------------------------------------] 101.37% ? p/s
2024/12/17 14:32:28 Attached (ignored 20)
2024/12/17 14:32:28 Listening for events..
SKB                CPU PROCESS          NETNS      MARK/x        IFACE       PROTO  MTU   LEN   TUPLE FUNC
^C2024/12/17 14:32:30 Received signal, exiting program..
2024/12/17 14:32:30 Detaching kprobes...
5 / 5 [------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 10 p/s

@brb Do the respective numbers we observe for attached and ignored functions make sense? I'm having a hard time coming up with a meaningful way to test if enabling the kprobe-multi backend breaks any attachments.

jschwinger233
jschwinger233 reviewed Dec 19, 2024
View reviewed changes
Copy link
Member

@jschwinger233 jschwinger233 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can compare what's been ignored by kprobe to kprobemulti. For example, we can print(fn) at https://github.com/cilium/pwru/blob/v1.0.10-pre/internal/pwru/kprobe.go#L180.

My feeling is this is fine, since kprobemulti ignored less targets (20) than kprobe (115).

brb
brb requested changes Dec 19, 2024
View reviewed changes
Copy link
Member

@brb brb left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!

Unfortunately, I don't see kmods in a pwru traces.

The way I tested.

  1. Block 1.1.1.1 with iptables -t filter -I OUTPUT 1 -m tcp --proto tcp --dst 1.1.1.1/32 -j DROP.
  2. Run pwru with your changes:
KMODS=$(ls /sys/kernel/btf/ | grep -v vmlinux | grep -E '(ip|xt|nf)' | tr '\n' , | sed 's/.$//')
./pwru --kmods="$KMODS" 'host 1.1.1.1 and port 80'
  1. Observe that curl 1.1.1.1 does not show any function calls from netfilter modules.
  2. Run ./pwru --kmods="$KMODS" --backend=kprobe 'host 1.1.1.1 and port 80' and see the modules, e.g., the nf_nat module:
59:36298->1.1.1.1:80(tcp) nf_nat_ipv4_local_fn[nf_nat]
0xffff9feec55880e8 4   <empty>:0        4026531840 0               0         0x0800 1500  60    192.168.1.159:36298->1.1.1.1:80(tcp) sk_skb_reason_drop(SKB_DROP_REASON_NETFILTER_DROP)

My gut feeling is that the kmod functions are being ignored due to not exposed in the available_filter_functions (see #147 (comment)).

@rgo3
Copy link
Contributor Author

rgo3 commented Dec 20, 2024

Yes agreed, it definitely needs some troubleshooting. Thanks for the test example, I'll start by taking a look at which funcs get ignored for the respective backend. However, on my machine the available_filter_functions file does contain funcs of kmods so this might not be the issue we are seeing. In any case, will turn the PR to a draft and reopen once I've figured out more.

@rgo3 rgo3 marked this pull request as draft December 20, 2024 08:51
rgo3 added 3 commits December 23, 2024 16:23
@rgo3
Filter for available filter functions regardless of the used backend
971e3f4 
This commit ensures that we remove potential suitors of functions from
the set of functions we want to attach to if they are not available in
/sys/kernel/debug/tracing/available_filter_functions regardless of the
backend that will be used. While this isn't technically only necessary
for the kprobe-multi backend, this improves the output of pwru telling
the user how many functions it attached to and how many were ignored.

Signed-off-by: Robin Gögge <[email protected]>
@rgo3
Enable kprobe-multi for kmods by default
0f67ad3 
This commit enables using the kprobe-multi backend for tracing functions
in kernel modules by default if supported. Previously that was only possible
by specifying the --backend=kprobe-multi option.

Fixes cilium#147

Signed-off-by: Robin Gögge <[email protected]>
@rgo3
Remove use of deprecated field cilium/ebpf/ProgramOptions.LogSize
92bf0ca 
The needed log size is now automatically determined by the cilium/ebpf
library.

Signed-off-by: Robin Gögge <[email protected]>
@rgo3 rgo3 force-pushed the pr/rgo3/enable-kmods-kprobe-multi branch from e4c11a7 to 92bf0ca Compare December 23, 2024 15:24
@rgo3
Copy link
Contributor Author

rgo3 commented Dec 24, 2024

I think I fixed it, had to make sure we parse out functions from kmods in available_filter_functions and kallsyms files the same way. Merry Christmas everyone 🎄

@rgo3 rgo3 marked this pull request as ready for review December 24, 2024 14:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brb brb brb requested changes

@jschwinger233 jschwinger233 jschwinger233 approved these changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Enable kprobe-multi backend for kernel modules tracing (--kmods)
3 participants
@rgo3 @brb @jschwinger233