more accurate binding of L7 requests to TCP connections

Author: def

containers/container.go

@@ -63,6 +63,8 @@ type ActiveConnection struct {
 	ActualDest netaddr.IPPort
 	Pid        uint32
 	Fd         uint64
+	Timestamp  uint64
+	Closed     time.Time
 }
 
 type L7Stats struct {
@@ -89,7 +91,7 @@ type Container struct {
 	connectsSuccessful map[AddrPair]int64           // dst:actual_dst -> count
 	connectsFailed     map[netaddr.IPPort]int64     // dst -> count
 	connectLastAttempt map[netaddr.IPPort]time.Time // dst -> time
-	connectionsActive  map[AddrPair]ActiveConnection
+	connectionsActive  map[AddrPair]*ActiveConnection
 	retransmits        map[AddrPair]int64 // dst:actual_dst -> count
 
 	l7Stats map[ebpftracer.L7Protocol]map[AddrPair]*L7Stats // protocol -> dst:actual_dst -> stats
@@ -119,7 +121,7 @@ func NewContainer(cg *cgroup.Cgroup, md *ContainerMetadata) *Container {
 		connectsSuccessful: map[AddrPair]int64{},
 		connectsFailed:     map[netaddr.IPPort]int64{},
 		connectLastAttempt: map[netaddr.IPPort]time.Time{},
-		connectionsActive:  map[AddrPair]ActiveConnection{},
+		connectionsActive:  map[AddrPair]*ActiveConnection{},
 		retransmits:        map[AddrPair]int64{},
 		l7Stats:            map[ebpftracer.L7Protocol]map[AddrPair]*L7Stats{},
 
@@ -265,6 +267,9 @@ func (c *Container) Collect(ch chan<- prometheus.Metric) {
 
 	connections := map[AddrPair]int{}
 	for c, conn := range c.connectionsActive {
+		if !conn.Closed.IsZero() {
+			continue
+		}
 		connections[AddrPair{src: c.dst, dst: conn.ActualDest}]++
 	}
 	for d, count := range connections {
@@ -378,7 +383,7 @@ func (c *Container) onListenClose(pid uint32, addr netaddr.IPPort) {
 	}
 }
 
-func (c *Container) onConnectionOpen(pid uint32, fd uint64, src, dst netaddr.IPPort, failed bool) {
+func (c *Container) onConnectionOpen(pid uint32, fd uint64, src, dst netaddr.IPPort, timestamp uint64, failed bool) {
 	if dst.IP().IsLoopback() {
 		netNs, err := proc.GetNetNs(pid)
 		isHostNs := err == nil && hostNetNsId == netNs.UniqueId()
@@ -405,10 +410,11 @@ func (c *Container) onConnectionOpen(pid uint32, fd uint64, src, dst netaddr.IPP
 	} else {
 		actualDst := ConntrackGetActualDestination(src, dst)
 		c.connectsSuccessful[AddrPair{src: dst, dst: actualDst}]++
-		c.connectionsActive[AddrPair{src: src, dst: dst}] = ActiveConnection{
+		c.connectionsActive[AddrPair{src: src, dst: dst}] = &ActiveConnection{
 			ActualDest: actualDst,
 			Pid:        pid,
 			Fd:         fd,
+			Timestamp:  timestamp,
 		}
 	}
 	c.connectLastAttempt[dst] = time.Now()
@@ -417,16 +423,17 @@ func (c *Container) onConnectionOpen(pid uint32, fd uint64, src, dst netaddr.IPP
 func (c *Container) onConnectionClose(srcDst AddrPair) bool {
 	c.lock.Lock()
 	defer c.lock.Unlock()
-	if _, ok := c.connectionsActive[srcDst]; !ok {
+	conn := c.connectionsActive[srcDst]
+	if conn == nil {
 		return false
 	}
-	delete(c.connectionsActive, srcDst)
+	conn.Closed = time.Now()
 	return true
 }
 
-func (c *Container) onL7Request(pid uint32, fd uint64, r *ebpftracer.L7Request) {
+func (c *Container) onL7Request(pid uint32, fd uint64, timestamp uint64, r *ebpftracer.L7Request) {
 	for dest, conn := range c.connectionsActive {
-		if conn.Pid == pid && conn.Fd == fd {
+		if conn.Pid == pid && conn.Fd == fd && (timestamp == 0 || conn.Timestamp == timestamp) {
 			key := AddrPair{src: dest.dst, dst: conn.ActualDest}
 			stats := c.l7Stats[r.Protocol]
 			if stats == nil {
@@ -731,9 +738,13 @@ func (c *Container) gc(now time.Time) {
 
 	c.revalidateListens(now, listens)
 
-	for srcDst := range c.connectionsActive {
+	for srcDst, conn := range c.connectionsActive {
 		if _, ok := established[srcDst]; !ok {
 			delete(c.connectionsActive, srcDst)
+			continue
+		}
+		if !conn.Closed.IsZero() && now.Sub(conn.Closed) > gcInterval {
+			delete(c.connectionsActive, srcDst)
 		}
 	}
 	for dst, at := range c.connectLastAttempt {

containers/registry.go

@@ -178,13 +178,13 @@ func (r *Registry) handleEvents(ch <-chan ebpftracer.Event) {
 
 			case ebpftracer.EventTypeConnectionOpen:
 				if c := r.getOrCreateContainer(e.Pid); c != nil {
-					c.onConnectionOpen(e.Pid, e.Fd, e.SrcAddr, e.DstAddr, false)
+					c.onConnectionOpen(e.Pid, e.Fd, e.SrcAddr, e.DstAddr, e.Timestamp, false)
 				} else {
 					klog.Infoln("TCP connection from unknown container", e)
 				}
 			case ebpftracer.EventTypeConnectionError:
 				if c := r.getOrCreateContainer(e.Pid); c != nil {
-					c.onConnectionOpen(e.Pid, e.Fd, e.SrcAddr, e.DstAddr, true)
+					c.onConnectionOpen(e.Pid, e.Fd, e.SrcAddr, e.DstAddr, 0, true)
 				} else {
 					klog.Infoln("TCP connection error from unknown container", e)
 				}
@@ -207,7 +207,7 @@ func (r *Registry) handleEvents(ch <-chan ebpftracer.Event) {
 					continue
 				}
 				if c := r.containersByPid[e.Pid]; c != nil {
-					c.onL7Request(e.Pid, e.Fd, e.L7Request)
+					c.onL7Request(e.Pid, e.Fd, e.Timestamp, e.L7Request)
 				}
 			}
 		}

ebpftracer/ebpf.go

@@ -15,6 +15,7 @@
 
 struct l7_event {
     __u64 fd;
+    __u64 connection_timestamp;
     __u32 pid;
     __u32 status;
     __u64 duration;
@@ -136,6 +137,7 @@ int trace_exit_read(struct trace_event_raw_sys_exit_rw__stub* ctx) {
     e.protocol = req->protocol;
     e.fd = k.fd;
     e.pid = k.pid;
+    e.connection_timestamp = 0;
     __u64 ns = req->ns;
     __u8 partial = req->partial;
     bpf_map_delete_elem(&active_l7_requests, &k);
@@ -165,6 +167,10 @@ int trace_exit_read(struct trace_event_raw_sys_exit_rw__stub* ctx) {
         return 0;
     }
     e.duration = bpf_ktime_get_ns() - ns;
+    __u64 *timestamp = bpf_map_lookup_elem(&connection_timestamps, &k);
+    if (timestamp) {
+        e.connection_timestamp = *timestamp;
+    }
     bpf_perf_event_output(ctx, &l7_events, BPF_F_CURRENT_CPU, &e, sizeof(e));
     return 0;
 }

ebpftracer/ebpf/l7/l7.c

@@ -2,6 +2,7 @@
 
 struct tcp_event {
     __u64 fd;
+    __u64 timestamp;
     __u32 type;
     __u32 pid;
     __u16 sport;
@@ -59,6 +60,13 @@ struct {
     __uint(max_entries, 10240);
 } sk_info SEC(".maps");
 
+struct {
+    __uint(type, BPF_MAP_TYPE_LRU_HASH);
+    __uint(key_size, sizeof(struct sk_info));
+    __uint(value_size, sizeof(__u64));
+    __uint(max_entries, 32768);
+} connection_timestamps SEC(".maps");
+
 SEC("tracepoint/sock/inet_sock_set_state")
 int inet_sock_set_state(void *ctx)
 {
@@ -88,18 +96,22 @@ int inet_sock_set_state(void *ctx)
 
     __u64 fd = 0;
     __u32 type = 0;
+    __u64 timestamp = 0;
     void *map = &tcp_connect_events;
     if (args.oldstate == BPF_TCP_SYN_SENT) {
+        struct sk_info *i = bpf_map_lookup_elem(&sk_info, &args.skaddr);
+        if (!i) {
+            return 0;
+        }
         if (args.newstate == BPF_TCP_ESTABLISHED) {
+            timestamp = bpf_ktime_get_ns();
+            struct sk_info k = {};
+            k.pid = i->pid;
+            k.fd = i->fd;
+            bpf_map_update_elem(&connection_timestamps, &k, &timestamp, BPF_ANY);
             type = EVENT_TYPE_CONNECTION_OPEN;
         } else if (args.newstate == BPF_TCP_CLOSE) {
             type = EVENT_TYPE_CONNECTION_ERROR;
-        } else {
-            return 0;
-        }
-        struct sk_info *i = bpf_map_lookup_elem(&sk_info, &args.skaddr);
-        if (!i) {
-            return 0;
         }
         pid = i->pid;
         fd = i->fd;
@@ -124,6 +136,7 @@ int inet_sock_set_state(void *ctx)
 
     struct tcp_event e = {};
     e.type = type;
+    e.timestamp = timestamp;
     e.pid = pid;
     e.sport = args.sport;
     e.dport = args.dport;
@@ -136,15 +149,15 @@ int inet_sock_set_state(void *ctx)
     return 0;
 }
 
-struct trace_event_raw_sys_enter_connect__stub {
+struct trace_event_raw_args_with_fd__stub {
     __u64 unused;
     long int id;
     __u64 fd;
 };
 
 SEC("tracepoint/syscalls/sys_enter_connect")
 int sys_enter_connect(void *ctx) {
-    struct trace_event_raw_sys_enter_connect__stub args = {};
+    struct trace_event_raw_args_with_fd__stub args = {};
     if (bpf_probe_read(&args, sizeof(args), ctx) < 0) {
         return 0;
     }

ebpftracer/ebpf/tcp/state.c

@@ -81,6 +81,7 @@ type Event struct {
 	SrcAddr   netaddr.IPPort
 	DstAddr   netaddr.IPPort
 	Fd        uint64
+	Timestamp uint64
 	L7Request *L7Request
 }
 
@@ -287,17 +288,25 @@ func (e procEvent) Event() Event {
 }
 
 type tcpEvent struct {
-	Fd    uint64
-	Type  uint32
-	Pid   uint32
-	SPort uint16
-	DPort uint16
-	SAddr [16]byte
-	DAddr [16]byte
+	Fd        uint64
+	Timestamp uint64
+	Type      uint32
+	Pid       uint32
+	SPort     uint16
+	DPort     uint16
+	SAddr     [16]byte
+	DAddr     [16]byte
 }
 
 func (e tcpEvent) Event() Event {
-	return Event{Type: EventType(e.Type), Pid: e.Pid, SrcAddr: ipPort(e.SAddr, e.SPort), DstAddr: ipPort(e.DAddr, e.DPort), Fd: e.Fd}
+	return Event{
+		Type:      EventType(e.Type),
+		Pid:       e.Pid,
+		SrcAddr:   ipPort(e.SAddr, e.SPort),
+		DstAddr:   ipPort(e.DAddr, e.DPort),
+		Fd:        e.Fd,
+		Timestamp: e.Timestamp,
+	}
 }
 
 type fileEvent struct {
@@ -311,15 +320,16 @@ func (e fileEvent) Event() Event {
 }
 
 type l7Event struct {
-	Fd       uint64
-	Pid      uint32
-	Status   uint32
-	Duration uint64
-	Protocol uint8
+	Fd                  uint64
+	ConnectionTimestamp uint64
+	Pid                 uint32
+	Status              uint32
+	Duration            uint64
+	Protocol            uint8
 }
 
 func (e l7Event) Event() Event {
-	return Event{Type: EventTypeL7Request, Pid: e.Pid, Fd: e.Fd, L7Request: &L7Request{
+	return Event{Type: EventTypeL7Request, Pid: e.Pid, Fd: e.Fd, Timestamp: e.ConnectionTimestamp, L7Request: &L7Request{
 		Protocol: L7Protocol(e.Protocol),
 		Status:   int(e.Status),
 		Duration: time.Duration(e.Duration),