tetragon: debug printer to show cgroup to namespace map

Its sometimes useful when debugging policy statements to be able to
dump the cgroup IDs to their namespace human readable names. This
helps ensure (a) the policy maps are correctly updated and (b) if
we are debugging kernel we can map cgroups to kubernetes names.

Signed-off-by: John Fastabend <[email protected]>

cmd/tetra/dump/dump.go

@@ -128,3 +128,28 @@ func PolicyfilterState(fname string) {
 		fmt.Printf("%d: %s\n", polId, strings.Join(ids, ","))
 	}
 }
+
+func NamespaceState(fname string) error {
+	m, err := ebpf.LoadPinnedMap(fname, &ebpf.LoadPinOptions{
+		ReadOnly: true,
+	})
+	if err != nil {
+		logger.GetLogger().WithError(err).WithField("file", fname).Warn("Could not open process tree map")
+		return err
+	}
+
+	defer m.Close()
+
+	var (
+		key uint64
+		val uint64
+	)
+
+	fmt.Printf("cgroupId: stableId\n")
+	iter := m.Iterate()
+	for iter.Next(&key, &val) {
+		fmt.Printf("%d: %d\n", key, val)
+	}
+
+	return nil
+}

cmd/tetra/policyfilter/policyfilter.go

@@ -28,11 +28,28 @@ func New() *cobra.Command {
 		dumpCmd(),
 		addCommand(),
 		cgroupGetIDCommand(),
+		dumpDebugCmd(),
 	)
 
 	return ret
 }
 
+func dumpDebugCmd() *cobra.Command {
+	mapFname := filepath.Join(defaults.DefaultMapRoot, defaults.DefaultMapPrefix, policyfilter.CgrpNsMapName)
+	ret := &cobra.Command{
+		Use:   "dumpcgrp",
+		Short: "dump cgroup ID to namespace state",
+		Args:  cobra.ExactArgs(0),
+		Run: func(_ *cobra.Command, _ []string) {
+			dump.NamespaceState(mapFname)
+		},
+	}
+
+	flags := ret.Flags()
+	flags.StringVar(&mapFname, "map-fname", mapFname, "policyfilter map filename")
+	return ret
+}
+
 func cgroupGetIDCommand() *cobra.Command {
 	mapFname := filepath.Join(defaults.DefaultMapRoot, defaults.DefaultMapPrefix, policyfilter.MapName)
 	ret := &cobra.Command{