
Commit 9e9aad1

committed
draft for collection
I am just collecting the open events with a filename. We do not have closes so we cannot time things, but that is not the goal here. I am also limiting to a container cgroup id instead of trying to do a bunch of parsing of processes and getting confused with tid tgid pid ppid and then the fact that the kernel pid != the pid we understand. Signed-off-by: vsoch <[email protected]>
1 parent 03f7330 commit 9e9aad1

6 files changed

+308
-82
lines changed


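--- a/README.md
+++ b/README.md
@@ -54,23 +54,15 @@ kind create cluster --config ./kind-config.yaml
 For ebpf (that requires mounting the host) I recommend a cloud:
 
 ```bash
-NODES=2
-GOOGLE_PROJECT=myproject
+NODES=1
+GOOGLE_PROJECT=llnl-flux
 INSTANCE=h3-standard-88
-
-time gcloud container clusters create test-cluster \
---threads-per-core=1 \
---num-nodes=$NODES \
---machine-type=$INSTANCE \
---placement-type=COMPACT \
---image-type=UBUNTU_CONTAINERD \
---region=us-central1-a --project=${GOOGLE_PROJECT}
+time gcloud container clusters create test-cluster --threads-per-core=1 --num-nodes=$NODES --machine-type=$INSTANCE --placement-type=COMPACT --image-type=UBUNTU_CONTAINERD --region=us-central1-a --project=${GOOGLE_PROJECT}
 ```
 
 Finally, install the Flux Operator
 
 ```bash
-# Install the Flux Operator
 kubectl apply -f https://raw.githubusercontent.com/flux-framework/flux-operator/refs/heads/main/examples/dist/flux-operator.yaml
 ```
 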
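--- a/base-template/docker/bcc-sidecar/Dockerfile
+++ b/base-template/docker/bcc-sidecar/Dockerfile
@@ -48,6 +48,7 @@ RUN git clone -b v0.34.0 https://github.com/iovisor/bcc /usr/src/bcc && \
 
 # Set up environment for Python BCC tools (if needed)
 ENV PYTHONPATH=/usr/lib/python3/dist-packages
+COPY ./programs /opt/programs
 
 # Command to keep the container running
 CMD ["tail", "-f", "/dev/null"]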
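--- a/base-template/docker/bcc-sidecar/programs/open-close/ebpf-collect.c
+++ b/base-template/docker/bcc-sidecar/programs/open-close/ebpf-collect.c
@@ -7,9 +7,15 @@
 enum event_type { EVENT_OPEN = 0, EVENT_CLOSE = 1 };
 
 struct data_t {
-u64 timestamp_ns; u32 pid; char comm[TASK_COMM_LEN_EBPF];
-enum event_type type; char filename[MAX_FILENAME_LEN_EBPF];
-int fd; int ret_val;
+u64 timestamp_ns;
+u32 pid;
+u32 ppid;
+u64 cgroup_id;
+char comm[TASK_COMM_LEN_EBPF];
+enum event_type type;
+char filename[MAX_FILENAME_LEN_EBPF];
+int fd;
+int ret_val;
 };
 BPF_RINGBUF_OUTPUT(events, 8);
 
@@ -89,12 +95,12 @@ int trace_openat_return_kretprobe(struct pt_regs *ctx) {
 event_data_ptr->timestamp_ns = bpf_ktime_get_ns();
 event_data_ptr->pid = id >> 32;
 bpf_get_current_comm(&event_data_ptr->comm, sizeof(event_data_ptr->comm));
-event_data_ptr->comm[TASK_COMM_LEN_EBPF - 1] = '\0'; // CORRECTED
+event_data_ptr->comm[TASK_COMM_LEN_EBPF - 1] = '\0';
 event_data_ptr->type = EVENT_OPEN;
 event_data_ptr->fd = ret_fd;
 event_data_ptr->ret_val = ret_fd;
 __builtin_memcpy(event_data_ptr->filename, temp_fn_ptr->fname, MAX_FILENAME_LEN_EBPF);
-event_data_ptr->filename[MAX_FILENAME_LEN_EBPF - 1] = '\0'; // CORRECTED
+event_data_ptr->filename[MAX_FILENAME_LEN_EBPF - 1] = '\0';
 events.ringbuf_submit(event_data_ptr, 0);
 open_filenames_map.delete(&id);
 return 0;
@@ -106,12 +112,25 @@ int trace_close_entry_kprobe(struct pt_regs *ctx, int fd_to_close) {
 if (!event_data_ptr) { return 0; }
 event_data_ptr->timestamp_ns = bpf_ktime_get_ns();
 event_data_ptr->pid = id >> 32;
+
+// Read parent's TGID carefully
+u64 cgroup_id = bpf_get_current_cgroup_id();
+struct task_struct *real_parent_task = NULL;
+struct task_struct *current_task = (struct task_struct *)bpf_get_current_task();
+int res = bpf_probe_read_kernel(&real_parent_task, sizeof(real_parent_task), &current_task->real_parent);
+if (res == 0 && real_parent_task != NULL) {
+bpf_probe_read_kernel(&event_data_ptr->ppid, sizeof(event_data_ptr->ppid), &real_parent_task->tgid);
+} else {
+// Error or no parent found this way
+event_data_ptr->ppid = 0;
+}
 bpf_get_current_comm(&event_data_ptr->comm, sizeof(event_data_ptr->comm));
-event_data_ptr->comm[TASK_COMM_LEN_EBPF - 1] = '\0'; // CORRECTED
+event_data_ptr->comm[TASK_COMM_LEN_EBPF - 1] = '\0';
 event_data_ptr->type = EVENT_CLOSE;
 event_data_ptr->fd = fd_to_close;
-event_data_ptr->filename[0] = '\0'; // CORRECTED
+event_data_ptr->filename[0] = '\0';
 event_data_ptr->ret_val = 0;
+event_data_ptr->cgroup_id = cgroup_id;
 events.ringbuf_submit(event_data_ptr, 0);
 return 0;
 }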
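Review bot: The open path in trace_openat_return_kretprobe (second hunk) never assigns the new `cgroup_id` and `ppid` fields, yet the commit message says the collector filters open events by container cgroup id; the reserve call is outside the hunk and nothing visible zeroes the record, so a userspace filter would most likely read whatever the ring-buffer slot last held. Adding `event_data_ptr->cgroup_id = bpf_get_current_cgroup_id();` and `event_data_ptr->ppid = 0;` next to the `pid` assignment would make the open record self-contained. In the close hunk the second `bpf_probe_read_kernel` into `ppid` drops its return value, so a failed read also leaves `ppid` unset; `if (bpf_probe_read_kernel(&event_data_ptr->ppid, sizeof(event_data_ptr->ppid), &real_parent_task->tgid) != 0) { event_data_ptr->ppid = 0; }` closes that gap. The `// Read parent's TGID carefully` comment sits above the cgroup-id line rather than the parent lookup it describes and should move down two lines. Both functions begin outside their hunks, so the reserve and `id` setup are not visible here.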
