Skip to content

in_ebpf: Handle debian like systems' signal probes#9596

Merged
niedbalski merged 2 commits intomasterfrom
cosmo0920-handle-debian-like-systems-signal-probes
Nov 15, 2024
Merged

in_ebpf: Handle debian like systems' signal probes#9596
niedbalski merged 2 commits intomasterfrom
cosmo0920-handle-debian-like-systems-signal-probes

Conversation

@cosmo0920
Copy link
Contributor

@cosmo0920 cosmo0920 commented Nov 15, 2024
edited
Loading

In Debian like systems, there is no libc.so.6 under /lib64.
Instead, it exists in the architecture specific places.

e.g.)

  • x86_64) /usr/lib/x86_64-linux-gnu/libc.so.6
  • i[3-6]86) /usr/lib/i386-linux-gnu/libc.so.6
  • arm64|aarch64) /usr/lib/aarch64-linux-gnu/libc.so.6

So, we need to detect that place in configuring phase.

Plus, the original implementation always refers the pre-generated [trace_name].skel.h headers.
We also needed to refer the actual generated location for eBPF skeleton programs for loading into Linux Kernel.

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
% cat in_ebpf.conf                                                                                                                                                           (git)[cosmo0920-handle-debian-like-systems-signal-probes]-[OK]
[INPUT]
    Name          ebpf
    Trace         trace_signal
    Trace         trace_malloc
    Trace         trace_bind

[OUTPUT]
    Name stdout
  • Debug log output from testing the change
Fluent Bit v3.2.0
* Copyright (C) 2015-2024 The Fluent Bit Authors
* Fluent Bit is a CNCF sub-project under the umbrella of Fluentd
* https://fluentbit.io

______ _                  _    ______ _ _           _____  _____ 
|  ___| |                | |   | ___ (_) |         |____ |/ __  \
| |_  | |_   _  ___ _ __ | |_  | |_/ /_| |_  __   __   / /`' / /'
|  _| | | | | |/ _ \ '_ \| __| | ___ \ | __| \ \ / /   \ \  / /  
| |   | | |_| |  __/ | | | |_  | |_/ / | |_   \ V /.___/ /./ /___
\_|   |_|\__,_|\___|_| |_|\__| \____/|_|\__|   \_/ \____(_)_____/


[2024/11/15 16:25:14] [ info] Configuration:
[2024/11/15 16:25:14] [ info]  flush time     | 1.000000 seconds
[2024/11/15 16:25:14] [ info]  grace          | 5 seconds
[2024/11/15 16:25:14] [ info]  daemon         | 0
[2024/11/15 16:25:14] [ info] ___________
[2024/11/15 16:25:14] [ info]  inputs:
[2024/11/15 16:25:14] [ info]      ebpf
[2024/11/15 16:25:14] [ info] ___________
[2024/11/15 16:25:14] [ info]  filters:
[2024/11/15 16:25:14] [ info] ___________
[2024/11/15 16:25:14] [ info]  outputs:
[2024/11/15 16:25:14] [ info]      stdout.0
[2024/11/15 16:25:14] [ info] ___________
[2024/11/15 16:25:14] [ info]  collectors:
[2024/11/15 16:25:14] [ info] [fluent bit] version=3.2.0, commit=961094354a, pid=9645
[2024/11/15 16:25:14] [debug] [engine] coroutine stack size: 24576 bytes (24.0K)
[2024/11/15 16:25:14] [ info] [storage] ver=1.5.2, type=memory, sync=normal, checksum=off, max_chunks_up=128
[2024/11/15 16:25:14] [ info] [simd    ] disabled
[2024/11/15 16:25:14] [ info] [cmetrics] version=0.9.9
[2024/11/15 16:25:14] [ info] [ctraces ] version=0.5.7
[2024/11/15 16:25:14] [ info] [input:ebpf:ebpf.0] initializing
[2024/11/15 16:25:14] [ info] [input:ebpf:ebpf.0] storage_strategy='memory' (memory only)
[2024/11/15 16:25:14] [debug] [ebpf:ebpf.0] created event channels: read=25 write=26
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] initializing eBPF input plugin
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] processing trace: trace_signal
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] setting up trace configuration for: trace_signal
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] attaching BPF program for trace: trace_signal
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] registering trace handler for: trace_signal
[2024/11/15 16:25:14] [ info] [input:ebpf:ebpf.0] registered trace handler for: trace_signal
[2024/11/15 16:25:14] [ info] [input:ebpf:ebpf.0] trace configuration completed for: trace_signal
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] processing trace: trace_malloc
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] setting up trace configuration for: trace_malloc
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] attaching BPF program for trace: trace_malloc
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] registering trace handler for: trace_malloc
[2024/11/15 16:25:14] [ info] [input:ebpf:ebpf.0] registered trace handler for: trace_malloc
[2024/11/15 16:25:14] [ info] [input:ebpf:ebpf.0] trace configuration completed for: trace_malloc
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] processing trace: trace_bind
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] setting up trace configuration for: trace_bind
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] attaching BPF program for trace: trace_bind
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] registering trace handler for: trace_bind
[2024/11/15 16:25:14] [ info] [input:ebpf:ebpf.0] registered trace handler for: trace_bind
[2024/11/15 16:25:14] [ info] [input:ebpf:ebpf.0] trace configuration completed for: trace_bind
[2024/11/15 16:25:14] [debug] [input:ebpf:ebpf.0] setting up collector with poll interval: 1000 ms
[2024/11/15 16:25:14] [ info] [input:ebpf:ebpf.0] eBPF input plugin initialized successfully
[2024/11/15 16:25:14] [debug] [stdout:stdout.0] created event channels: read=116 write=117
[2024/11/15 16:25:14] [ info] [output:stdout:stdout.0] worker #0 started
[2024/11/15 16:25:14] [ info] [sp] stream processor started
[2024/11/15 16:25:15] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2024/11/15 16:25:15] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_signal
[2024/11/15 16:25:15] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_signal
[2024/11/15 16:25:15] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_malloc
[2024/11/15 16:25:15] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_malloc
[2024/11/15 16:25:15] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_bind
[2024/11/15 16:25:15] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_bind
[2024/11/15 16:25:16] [debug] [task] created task=0x700b5809ae80 id=0 OK
[2024/11/15 16:25:16] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2024/11/15 16:25:16] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2024/11/15 16:25:16] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_signal
[0] ebpf.0: [[1731655515.335807347, {}], {"event_type"=>"signal", "pid"=>6581, "tid"=>6581, "comm"=>"systemd-oomd", "signal"=>11, "tpid"=>6581}]
[1] ebpf.0: [[1731655515.335933776, {}], {"event_type"=>"malloc", "pid"=>0, "tid"=>9646, "comm"=>"flb-pipeline", "operation"=>0, "address"=>123194023483616, "size"=>100}]
[2024/11/15 16:25:16] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_signal
[2024/11/15 16:25:16] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_malloc
[2024/11/15 16:25:16] [debug] [input:ebpf:ebpf.0] error consuming from ring buffer: -1
[2024/11/15 16:25:16] [debug] [out flush] cb_destroy coro_id=0
[2024/11/15 16:25:16] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_bind
[2024/11/15 16:25:16] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_bind
[2024/11/15 16:25:16] [debug] [task] destroy task=0x700b5809ae80 (task_id=0)
[2024/11/15 16:25:17] [debug] [task] created task=0x700b5805ac10 id=0 OK
[2024/11/15 16:25:17] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2024/11/15 16:25:17] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2024/11/15 16:25:17] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_signal
[0] ebpf.0: [[1731655516.336299409, {}], {"event_type"=>"signal", "pid"=>9683, "tid"=>9683, "comm"=>"(-profile)", "signal"=>11, "tpid"=>9683}]
[2024/11/15 16:25:17] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_signal
[2024/11/15 16:25:17] [debug] [out flush] cb_destroy coro_id=1
[2024/11/15 16:25:17] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_malloc
[2024/11/15 16:25:17] [debug] [input:ebpf:ebpf.0] error consuming from ring buffer: -1
[2024/11/15 16:25:17] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_bind
[2024/11/15 16:25:17] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_bind
[2024/11/15 16:25:17] [debug] [task] destroy task=0x700b5805ac10 (task_id=0)
[2024/11/15 16:25:18] [debug] [task] created task=0x700b5805ae00 id=0 OK
[2024/11/15 16:25:18] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2024/11/15 16:25:18] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2024/11/15 16:25:18] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_signal
[0] ebpf.0: [[1731655517.335810558, {}], {"event_type"=>"signal", "pid"=>6580, "tid"=>6580, "comm"=>"wireplumber", "signal"=>13, "tpid"=>6580}]
[2024/11/15 16:25:18] [debug] [out flush] cb_destroy coro_id=2
[2024/11/15 16:25:18] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_signal
[2024/11/15 16:25:18] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_malloc
[2024/11/15 16:25:18] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_malloc
[2024/11/15 16:25:18] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_bind
[2024/11/15 16:25:18] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_bind
[2024/11/15 16:25:18] [debug] [task] destroy task=0x700b5805ae00 (task_id=0)
[2024/11/15 16:25:19] [debug] [task] created task=0x700b5805aff0 id=0 OK
[2024/11/15 16:25:19] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2024/11/15 16:25:19] [debug] [input:ebpf:ebpf.0] collecting events from ring buffers
[2024/11/15 16:25:19] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_signal
[0] ebpf.0: [[1731655518.335846083, {}], {"event_type"=>"signal", "pid"=>9728, "tid"=>9728, "comm"=>"(resolved)", "signal"=>11, "tpid"=>9728}]
[2024/11/15 16:25:19] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_signal
[2024/11/15 16:25:19] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_malloc
[2024/11/15 16:25:19] [debug] [input:ebpf:ebpf.0] error consuming from ring buffer: -1
[2024/11/15 16:25:19] [debug] [input:ebpf:ebpf.0] consuming events from ring buffer trace_bind
[2024/11/15 16:25:19] [debug] [input:ebpf:ebpf.0] successfully consumed events from ring buffer trace_bind
[1] ebpf.0: [[1731655518.335940666, {}], {"event_type"=>"malloc", "pid"=>0, "tid"=>9728, "comm"=>"(resolved)", "operation"=>0, "address"=>98363660784816, "size"=>224}]
[2024/11/15 16:25:19] [debug] [out flush] cb_destroy coro_id=3
[2024/11/15 16:25:19] [debug] [task] destroy task=0x700b5805aff0 (task_id=0)
^C[2024/11/15 16:25:19] [engine] caught signal (SIGINT)
[2024/11/15 16:25:19] [debug] [task] created task=0x700b5805b150 id=0 OK
[2024/11/15 16:25:19] [debug] [output:stdout:stdout.0] task_id=0 assigned to thread #0
[2024/11/15 16:25:19] [ warn] [engine] service will shutdown in max 5 seconds
[2024/11/15 16:25:19] [ info] [input] pausing ebpf.0
[2024/11/15 16:25:19] [debug] [input:ebpf:ebpf.0] collector paused
[0] ebpf.0: [[1731655519.335889882, {}], {"event_type"=>"signal", "pid"=>9753, "tid"=>9753, "comm"=>"(md-udevd)", "signal"=>11, "tpid"=>9753}]
[2024/11/15 16:25:19] [debug] [out flush] cb_destroy coro_id=4
[2024/11/15 16:25:19] [debug] [task] destroy task=0x700b5805b150 (task_id=0)
[2024/11/15 16:25:20] [ info] [engine] service has stopped (0 pending tasks)
[2024/11/15 16:25:20] [ info] [input] pausing ebpf.0
[2024/11/15 16:25:20] [debug] [input:ebpf:ebpf.0] collector paused
[2024/11/15 16:25:20] [ info] [output:stdout:stdout.0] thread worker #0 stopping...
[2024/11/15 16:25:20] [ info] [output:stdout:stdout.0] thread worker #0 stopped
[2024/11/15 16:25:20] [ info] [input:ebpf:ebpf.0] eBPF input plugin exited
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@cosmo0920
in_ebpf: Handle Debian like systems' libc path
bf7d88d 
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
@cosmo0920
in_ebpf: Refer the generated skel headers of eBPF correctly
9610943 
Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
@cosmo0920 cosmo0920 requested review from niedbalski and removed request for fujimotos November 15, 2024 07:28
@niedbalski niedbalski merged commit 8d90de8 into master Nov 15, 2024
@niedbalski niedbalski deleted the cosmo0920-handle-debian-like-systems-signal-probes branch November 15, 2024 08:32
@cosmo0920 cosmo0920 added this to the Fluent Bit Next milestone Nov 15, 2024
@BrewTestBot BrewTestBot mentioned this pull request Nov 18, 2024
Merged
scne59 pushed a commit to scne59/fluent-bit that referenced this pull request Apr 9, 2025
@cosmo0920 @scne59
in_ebpf: Handle debian like systems' signal probes (fluent#9596)
15aa0cc 
* in_ebpf: Handle Debian like systems' libc path

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>

* in_ebpf: Refer the generated skel headers of eBPF correctly

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>

---------

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
nourdouf pushed a commit to seveas/fluent-bit that referenced this pull request Sep 23, 2025
@cosmo0920 @nourdouf
in_ebpf: Handle debian like systems' signal probes (fluent#9596)
bc37836 
* in_ebpf: Handle Debian like systems' libc path

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>

* in_ebpf: Refer the generated skel headers of eBPF correctly

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>

---------

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@niedbalski niedbalski niedbalski approved these changes

@edsiper edsiper Awaiting requested review from edsiper edsiper is a code owner

@leonardo-albertovich leonardo-albertovich Awaiting requested review from leonardo-albertovich

@koleini koleini Awaiting requested review from koleini

Assignees

No one assigned

Labels

docs-required

Projects

None yet

Milestone

Fluent Bit Next

Development

Successfully merging this pull request may close these issues.

2 participants

@cosmo0920 @niedbalski

Comments