Skip to content

Enable kprobe-multi for kmods by default#470

Merged
brb merged 3 commits intocilium:mainfrom
rgo3:pr/rgo3/enable-kmods-kprobe-multi
Dec 27, 2024
Merged

Enable kprobe-multi for kmods by default#470
brb merged 3 commits intocilium:mainfrom
rgo3:pr/rgo3/enable-kmods-kprobe-multi

Conversation

@rgo3
Copy link
Contributor

@rgo3 rgo3 commented Dec 17, 2024

This commit enables using the kprobe-multi backend for tracing functions in kernel modules by default if supported. Previously that was only possible by specifying the --backend=kprobe-multi option.

Fixes #147

@rgo3 rgo3 requested a review from a team as a code owner December 17, 2024 13:30
@rgo3 rgo3 requested review from brb and removed request for a team December 17, 2024 13:30
@rgo3
Copy link
Contributor Author

rgo3 commented Dec 17, 2024
edited
Loading

Observation:
Running with kprobe backend:

sudo ./pwru --backend kprobe --kmods wireguard --filter-mark 0x0e00
2024/12/17 14:11:07 Attaching kprobes (via kprobe)...
1572 / 1572 [-----------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 184 p/s
2024/12/17 14:11:16 Attached (ignored 115)
2024/12/17 14:11:16 Listening for `events..`
SKB                CPU PROCESS          NETNS      MARK/x        IFACE       PROTO  MTU   LEN   TUPLE FUNC
^C2024/12/17 14:11:20 Received signal, exiting program..
2024/12/17 14:11:20 Detaching kprobes...
1457 / 1457 [------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 76 p/s

Running with kprobe-multi backend:

sudo ./pwru --kmods wireguard --filter-mark 0x0e00
2024/12/17 14:32:28 Attaching kprobes (via kprobe-multi)...
1480 / 1460 [-------------------------------------------------------------------------------------------------------------------------------------------------------------------] 101.37% ? p/s
2024/12/17 14:32:28 Attached (ignored 20)
2024/12/17 14:32:28 Listening for events..
SKB                CPU PROCESS          NETNS      MARK/x        IFACE       PROTO  MTU   LEN   TUPLE FUNC
^C2024/12/17 14:32:30 Received signal, exiting program..
2024/12/17 14:32:30 Detaching kprobes...
5 / 5 [------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 10 p/s

@brb Do the respective numbers we observe for attached and ignored functions make sense? I'm having a hard time coming up with a meaningful way to test if enabling the kprobe-multi backend breaks any attachments.

jschwinger233
jschwinger233 reviewed Dec 19, 2024
View reviewed changes
Copy link
Member

@jschwinger233 jschwinger233 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can compare what's been ignored by kprobe to kprobemulti. For example, we can print(fn) at https://github.com/cilium/pwru/blob/v1.0.10-pre/internal/pwru/kprobe.go#L180.

My feeling is this is fine, since kprobemulti ignored less targets (20) than kprobe (115).

brb
brb requested changes Dec 19, 2024
View reviewed changes
Copy link
Member

@brb brb left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!

Unfortunately, I don't see kmods in a pwru traces.

The way I tested.

  1. Block 1.1.1.1 with iptables -t filter -I OUTPUT 1 -m tcp --proto tcp --dst 1.1.1.1/32 -j DROP.
  2. Run pwru with your changes:
KMODS=$(ls /sys/kernel/btf/ | grep -v vmlinux | grep -E '(ip|xt|nf)' | tr '\n' , | sed 's/.$//')
./pwru --kmods="$KMODS" 'host 1.1.1.1 and port 80'
  1. Observe that curl 1.1.1.1 does not show any function calls from netfilter modules.
  2. Run ./pwru --kmods="$KMODS" --backend=kprobe 'host 1.1.1.1 and port 80' and see the modules, e.g., the nf_nat module:
59:36298->1.1.1.1:80(tcp) nf_nat_ipv4_local_fn[nf_nat]
0xffff9feec55880e8 4   <empty>:0        4026531840 0               0         0x0800 1500  60    192.168.1.159:36298->1.1.1.1:80(tcp) sk_skb_reason_drop(SKB_DROP_REASON_NETFILTER_DROP)

My gut feeling is that the kmod functions are being ignored due to not exposed in the available_filter_functions (see #147 (comment)).

@rgo3
Copy link
Contributor Author

rgo3 commented Dec 20, 2024

Yes agreed, it definitely needs some troubleshooting. Thanks for the test example, I'll start by taking a look at which funcs get ignored for the respective backend. However, on my machine the available_filter_functions file does contain funcs of kmods so this might not be the issue we are seeing. In any case, will turn the PR to a draft and reopen once I've figured out more.

@rgo3 rgo3 marked this pull request as draft December 20, 2024 08:51
rgo3 added 3 commits December 23, 2024 16:23
@rgo3
Filter for available filter functions regardless of the used backend
971e3f4 
This commit ensures that we remove potential suitors of functions from
the set of functions we want to attach to if they are not available in
/sys/kernel/debug/tracing/available_filter_functions regardless of the
backend that will be used. While this isn't technically only necessary
for the kprobe-multi backend, this improves the output of pwru telling
the user how many functions it attached to and how many were ignored.

Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
@rgo3
Enable kprobe-multi for kmods by default
0f67ad3 
This commit enables using the kprobe-multi backend for tracing functions
in kernel modules by default if supported. Previously that was only possible
by specifying the --backend=kprobe-multi option.

Fixes cilium#147

Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
@rgo3
Remove use of deprecated field cilium/ebpf/ProgramOptions.LogSize
92bf0ca 
The needed log size is now automatically determined by the cilium/ebpf
library.

Signed-off-by: Robin Gögge <r.goegge@isovalent.com>
@rgo3 rgo3 force-pushed the pr/rgo3/enable-kmods-kprobe-multi branch from e4c11a7 to 92bf0ca Compare December 23, 2024 15:24
@rgo3
Copy link
Contributor Author

rgo3 commented Dec 24, 2024

I think I fixed it, had to make sure we parse out functions from kmods in available_filter_functions and kallsyms files the same way. Merry Christmas everyone 🎄

@rgo3 rgo3 marked this pull request as ready for review December 24, 2024 14:43
brb
brb approved these changes Dec 27, 2024
View reviewed changes
Copy link
Member

@brb brb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, thank you! Happy X-mas 🍕

@brb brb merged commit d10a78c into cilium:main Dec 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@brb brb brb approved these changes

@jschwinger233 jschwinger233 jschwinger233 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Enable kprobe-multi backend for kernel modules tracing (--kmods)

3 participants

@rgo3 @brb @jschwinger233