feat: support origin detection (#214)

Origin Detection allows to detect where the contaienr traces come from, and add container tags automatically to the local root span.

Author: dmehala

CMakePresets.json

@@ -19,6 +19,16 @@
       "cacheVariables": {
         "CMAKE_POLICY_VERSION_MINIMUM": "3.5"
       }
+    },
+    {
+      "name": "dev",
+      "displayName": "Development",
+      "cacheVariables": {
+        "CMAKE_BUILD_TYPE": "Debug",
+        "DD_TRACE_ENABLE_SANITIZE": "ON",
+        "DD_TRACE_BUILD_TESTING": "ON",
+        "DD_TRACE_BUILD_EXAMPLES": "ON"
+      }
     }
   ]
 }

examples/http-server/Dockerfile

@@ -3,7 +3,7 @@ from ubuntu:22.04
 WORKDIR /dd-trace-cpp
 
 ARG DEBIAN_FRONTEND=noninteractive
-ARG BRANCH=v0.2.1
+ARG BRANCH=v1.0.0
 
 run apt update -y \
  && apt install -y g++ make git wget sed \

examples/http-server/docker-compose.yaml

@@ -53,3 +53,4 @@ services:
             - DD_APM_ENABLED=true
             - DD_LOG_LEVEL=ERROR
             - DOCKER_HOST
+            - DD_SITE

include/datadog/datadog_agent_config.h

@@ -87,6 +87,9 @@ class FinalizedDatadogAgentConfig {
   std::chrono::steady_clock::duration shutdown_timeout;
   std::chrono::steady_clock::duration remote_configuration_poll_interval;
   std::unordered_map<ConfigName, ConfigMetadata> metadata;
+
+  // Origin detection
+  Optional<std::string> admission_controller_uid;
 };
 
 Expected<FinalizedDatadogAgentConfig> finalize_config(

include/datadog/environment.h

@@ -59,7 +59,8 @@ namespace environment {
   MACRO(DD_TELEMETRY_LOG_COLLECTION_ENABLED)         \
   MACRO(DD_INSTRUMENTATION_INSTALL_ID)               \
   MACRO(DD_INSTRUMENTATION_INSTALL_TYPE)             \
-  MACRO(DD_INSTRUMENTATION_INSTALL_TIME)
+  MACRO(DD_INSTRUMENTATION_INSTALL_TIME)             \
+  MACRO(DD_EXTERNAL_ENV)
 
 #define WITH_COMMA(ARG) ARG,
 

src/datadog/datadog_agent.cpp

@@ -17,6 +17,7 @@
 #include "collector_response.h"
 #include "json.hpp"
 #include "msgpack.h"
+#include "platform_util.h"
 #include "span_data.h"
 #include "telemetry_metrics.h"
 #include "trace_sampler.h"
@@ -156,10 +157,36 @@ DatadogAgent::DatadogAgent(
       flush_interval_(config.flush_interval),
       request_timeout_(config.request_timeout),
       shutdown_timeout_(config.shutdown_timeout),
-      remote_config_(tracer_signature, rc_listeners, logger),
-      tracer_signature_(tracer_signature) {
+      remote_config_(tracer_signature, rc_listeners, logger) {
   assert(logger_);
 
+  // Set HTTP headers
+  headers_.emplace("Content-Type", "application/msgpack");
+  headers_.emplace("Datadog-Meta-Lang", "cpp");
+  headers_.emplace("Datadog-Meta-Lang-Version",
+                   tracer_signature.library_language_version);
+  headers_.emplace("Datadog-Meta-Tracer-Version",
+                   tracer_signature.library_version);
+
+  // Origin Detection headers are not necessary when Unix Domain Socket (UDS)
+  // is used to communicate with the Datadog Agent.
+  if (!contains(config.url.scheme, "unix")) {
+    if (auto container_id = container::get_id()) {
+      if (container_id->type == container::ContainerID::Type::container_id) {
+        headers_.emplace("Datadog-Container-ID", container_id->value);
+        headers_.emplace("Datadog-Entity-Id", "ci-" + container_id->value);
+      } else if (container_id->type ==
+                 container::ContainerID::Type::cgroup_inode) {
+        headers_.emplace("Datadog-Entity-Id", "in-" + container_id->value);
+      }
+    }
+
+    if (config.admission_controller_uid) {
+      headers_.emplace("Datadog-External-Env",
+                       *config.admission_controller_uid);
+    }
+  }
+
   tasks_.emplace_back(event_scheduler_->schedule_recurring_event(
       config.flush_interval, [this]() { flush(); }));
 
@@ -252,14 +279,11 @@ void DatadogAgent::flush() {
 
   // This is the callback for setting request headers.
   // It's invoked synchronously (before `post` returns).
-  auto set_request_headers = [&](DictWriter& headers) {
-    headers.set("Content-Type", "application/msgpack");
-    headers.set("Datadog-Meta-Lang", "cpp");
-    headers.set("Datadog-Meta-Lang-Version",
-                tracer_signature_.library_language_version);
-    headers.set("Datadog-Meta-Tracer-Version",
-                tracer_signature_.library_version);
-    headers.set("X-Datadog-Trace-Count", std::to_string(trace_chunks.size()));
+  auto set_request_headers = [&](DictWriter& writer) {
+    writer.set("X-Datadog-Trace-Count", std::to_string(trace_chunks.size()));
+    for (const auto& [key, value] : headers_) {
+      writer.set(key, value);
+    }
   };
 
   // This is the callback for the HTTP response.  It's invoked

src/datadog/datadog_agent.h

@@ -49,7 +49,8 @@ class DatadogAgent : public Collector {
   std::chrono::steady_clock::duration shutdown_timeout_;
 
   remote_config::Manager remote_config_;
-  TracerSignature tracer_signature_;
+
+  std::unordered_map<std::string, std::string> headers_;
 
   void flush();
 

src/datadog/datadog_agent_config.cpp

@@ -7,6 +7,7 @@
 
 #include "default_http_client.h"
 #include "parse_util.h"
+#include "platform_util.h"
 #include "threaded_event_scheduler.h"
 
 namespace datadog {
@@ -144,6 +145,12 @@ Expected<FinalizedDatadogAgentConfig> finalize_config(
   result.metadata[ConfigName::AGENT_URL] =
       ConfigMetadata(ConfigName::AGENT_URL, url, origin);
 
+  /// Starting Agent X, the admission controller inject a unique identifier
+  /// through `DD_EXTERNAL_ENV`. This uid is used for origin detection.
+  if (auto external_env = lookup(environment::DD_EXTERNAL_ENV)) {
+    result.admission_controller_uid = std::string(*external_env);
+  }
+
   return result;
 }
 

src/datadog/platform_util.cpp

@@ -1,5 +1,8 @@
 #include "platform_util.h"
 
+#include <cstdint>
+#include <fstream>
+
 // clang-format off
 #if defined(__x86_64__) || defined(_M_X64)
 #  define DD_SDK_CPU_ARCH "x86_64"
@@ -24,11 +27,13 @@
 #    define DD_SDK_OS "GNU/Linux"
 #    define DD_SDK_KERNEL "Linux"
 #    include "string_util.h"
+#    include <errno.h>
 #    include <fstream>
+#    include <fcntl.h>
 #    include <sys/types.h>
 #    include <sys/mman.h>
-#    include <fcntl.h>
-#    include <errno.h>
+#    include <sys/stat.h>
+#    include <sys/statfs.h>
 #  endif
 #elif defined(_MSC_VER)
 #  include <windows.h>
@@ -281,5 +286,126 @@ Expected<InMemoryFile> InMemoryFile::make(StringView) {
 }
 #endif
 
+namespace container {
+namespace {
+#if defined(__linux__) || defined(__unix__)
+/// Magic numbers from linux/magic.h:
+/// <https://github.com/torvalds/linux/blob/ca91b9500108d4cf083a635c2e11c884d5dd20ea/include/uapi/linux/magic.h#L71>
+constexpr uint64_t CGROUP_SUPER_MAGIC = 0x27e0eb;
+constexpr uint64_t CGROUP2_SUPER_MAGIC = 0x63677270;
+
+/// Magic number from linux/proc_ns.h:
+/// <https://github.com/torvalds/linux/blob/5859a2b1991101d6b978f3feb5325dad39421f29/include/linux/proc_ns.h#L41-L49>
+constexpr ino_t HOST_CGROUP_NAMESPACE_INODE = 0xeffffffb;
+
+/// Represents the cgroup version of the current process.
+enum class Cgroup : char { v1, v2 };
+
+Optional<ino_t> get_inode(std::string_view path) {
+  struct stat buf;
+  if (stat(path.data(), &buf) != 0) {
+    return nullopt;
+  }
+
+  return buf.st_ino;
+}
+
+// Host namespace inode number are hardcoded, which allows for dectection of
+// whether the binary is running in host or not. However, it does not work when
+// running in a Docker in Docker environment.
+bool is_running_in_host_namespace() {
+  // linux procfs file that represents the cgroup namespace of the current
+  // process.
+  if (auto inode = get_inode("/proc/self/ns/cgroup")) {
+    return *inode == HOST_CGROUP_NAMESPACE_INODE;
+  }
+
+  return false;
+}
+
+Optional<Cgroup> get_cgroup_version() {
+  struct statfs buf;
+
+  if (statfs("/sys/fs/cgroup", &buf) != 0) {
+    return nullopt;
+  }
+
+  if (buf.f_type == CGROUP_SUPER_MAGIC)
+    return Cgroup::v1;
+  else if (buf.f_type == CGROUP2_SUPER_MAGIC)
+    return Cgroup::v2;
+
+  return nullopt;
+}
+
+Optional<std::string> find_docker_container_id_from_cgroup() {
+  auto cgroup_fd = std::ifstream("/proc/self/cgroup", std::ios::in);
+  if (!cgroup_fd.is_open()) return nullopt;
+
+  return find_docker_container_id(cgroup_fd);
+}
+#endif
+}  // namespace
+
+Optional<std::string> find_docker_container_id(std::istream& source) {
+  constexpr std::string_view docker_str = "docker-";
+
+  std::string line;
+  while (std::getline(source, line)) {
+    // Example:
+    // `0::/system.slice/docker-abcdef0123456789abcdef0123456789.scope`
+    if (auto beg = line.find(docker_str); beg != std::string::npos) {
+      beg += docker_str.size();
+      auto end = line.find(".scope", beg);
+      if (end == std::string::npos || end - beg <= 0) {
+        continue;
+      }
+
+      auto container_id = line.substr(beg, end - beg);
+      return container_id;
+    }
+  }
+
+  return nullopt;
+}
+
+Optional<ContainerID> get_id() {
+#if defined(__linux__) || defined(__unix__)
+  if (is_running_in_host_namespace()) {
+    // Not in a container, no need to continue.
+    return nullopt;
+  }
+
+  auto maybe_cgroup = get_cgroup_version();
+  if (!maybe_cgroup) return nullopt;
+
+  ContainerID id;
+  switch (*maybe_cgroup) {
+    case Cgroup::v1: {
+      if (auto maybe_id = find_docker_container_id_from_cgroup()) {
+        id.value = *maybe_id;
+        id.type = ContainerID::Type::container_id;
+        break;
+      }
+    }
+      // NOTE(@dmehala): failed to find the container ID, try getting the cgroup
+      // inode.
+      [[fallthrough]];
+    case Cgroup::v2: {
+      if (auto maybe_inode = get_inode("/sys/fs/cgroup")) {
+        id.type = ContainerID::Type::cgroup_inode;
+        id.value = std::to_string(*maybe_inode);
+      }
+    }; break;
+  }
+
+  return id;
+#else
+  return nullopt;
+#endif
+}
+
+}  // namespace container
+
 }  // namespace tracing
 }  // namespace datadog

src/datadog/platform_util.h

@@ -72,5 +72,33 @@ std::string get_process_name();
 
 int at_fork_in_child(void (*on_fork)());
 
+namespace container {
+
+struct ContainerID final {
+  /// Type of unique ID.
+  enum class Type : char { container_id, cgroup_inode } type;
+  /// Identifier of the container. It _mostly_ depends on the
+  /// cgroup version:
+  ///  - For cgroup v1, it contains the container ID.
+  ///  - For cgroup v2, it contains the "container" inode.
+  std::string value;
+};
+
+/// Find the docker container ID from a given source.
+/// This function is exposed mainly for testing purposes.
+///
+/// @param source The input from which to read the Docker container ID.
+/// @return An Optional containing the Docker container ID if found, otherwise
+/// nothing.
+Optional<std::string> find_docker_container_id(std::istream& source);
+
+/// Function to retrieve the container metadata.
+///
+/// @return A `ContainerID` object containing id of the container in
+/// which the current process is running.
+Optional<ContainerID> get_id();
+
+}  // namespace container
+
 }  // namespace tracing
 }  // namespace datadog