Skip to content

Initial implementation for user space uprobe for Open SSL #819

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
msherif1234 wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Initial implementation for user space uprobe for Open SSL #819

msherif1234 wants to merge 7 commits into from

Conversation

@msherif1234
Copy link
Contributor

@msherif1234 msherif1234 commented Oct 20, 2025
edited
Loading

Description

This PR adds support to probe/uretprobe to track openSSL write function call to read the packets before being encrypted and generate events using ringbuffer to userspace

I was able to bring up ebpf agent with SSL_enable on kind cluster

./examples/test-ssl-host.sh
=== Testing SSL with Host Process ===

This will run curl on each cluster node directly on the host
This should trigger the SSL uprobes since the host process uses
the same libssl.so that the agent attached to.

=========================================
Testing node: kind-control-plane
=========================================
Warning: No agent pod found on node kind-control-plane, skipping...
=========================================
Testing node: kind-worker
=========================================
Agent pod: netobserv-ebpf-agent-lglkp
Running curl with HTTP/1.1 (--http1.1) on host...
HTTP Request completed successfully
Checking logs for SSL events:
time="2025-10-23T17:24:10Z" level=info msg="SSL EVENT: pid=2449200806146953, timestamp=51258572899030, data_len=78, ssl_type=3" component=flow.RingBufTracer
=========================================
Testing node: kind-worker2
=========================================
Agent pod: netobserv-ebpf-agent-2wp7h
Running curl with HTTP/1.1 (--http1.1) on host...
HTTP Request completed successfully
Checking logs for SSL events:
time="2025-10-23T17:24:10Z" level=info msg="SSL EVENT: pid=2449200806146953, timestamp=51258572913197, data_len=78, ssl_type=3" component=flow.RingBufTracer
time="2025-10-23T17:24:10Z" level=info msg="SSL EVENT: pid=2449282410525596, timestamp=51258737434405, data_len=78, ssl_type=3" component=flow.RingBufTracer
=========================================
Test completed for all nodes
=========================================

Dependencies

n/a

Checklist

If you are not familiar with our processes or don't know what to answer in the list below, let us know in a comment: the maintainers will take care of that.

  • Will this change affect NetObserv / Network Observability operator? If not, you can ignore the rest of this checklist.
  • Is this PR backed with a JIRA ticket? If so, make sure it is written as a title prefix (in general, PRs affecting the NetObserv/Network Observability product should be backed with a JIRA ticket - especially if they bring user facing changes).
  • Does this PR require product documentation?
    • If so, make sure the JIRA epic is labelled with "documentation" and provides a description relevant for doc writers, such as use cases or scenarios. Any required step to activate or configure the feature should be documented there, such as new CRD knobs.
  • Does this PR require a product release notes entry?
    • If so, fill in "Release Note Text" in the JIRA.
  • Is there anything else the QE team should know before testing? E.g: configuration changes, environment setup, etc.
    • If so, make sure it is described in the JIRA ticket.
  • QE requirements (check 1 from the list):
    • Standard QE validation, with pre-merge tests unless stated otherwise.
    • Regression tests only (e.g. refactoring with no user-facing change).
    • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

To run a perfscale test, comment with: /test ebpf-node-density-heavy-25nodes

@msherif1234 msherif1234 marked this pull request as draft October 20, 2025 16:19
@msherif1234 msherif1234 requested a review from jotak October 20, 2025 18:36
@msherif1234 msherif1234 force-pushed the dev_ssl branch 20 times, most recently from f5957da to b833299 Compare October 23, 2025 17:22
@msherif1234 msherif1234 force-pushed the dev_ssl branch 3 times, most recently from 94c8a6a to 00fd511 Compare October 25, 2025 12:00
jotak
jotak reviewed Nov 3, 2025
View reviewed changes
bpf/configs.h Outdated
volatile const u8 network_events_monitoring_groupid = 0;
volatile const u8 enable_pkt_translation_tracking = 0;
volatile const u8 enable_ipsec = 0;
volatile const u8 enable_ssl = 0;
Copy link
Member

@jotak jotak Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe more specific "enable_openssl" to leave space for other implementations and also to remove any ambiguity as I'll also add something like "enable_tls_tracker" ?

@jotak
Copy link
Member

jotak commented Nov 3, 2025

@msherif1234 since there is no correlation with flows, I wonder if it's really something we want to send to FLP, or if just having something build-in (in the agent) to extract HTTP info and produce prometheus metrics, would be good enough?

The other use-case is to use specifically with the CLI/pcap

@msherif1234
Copy link
Contributor Author

msherif1234 commented Nov 14, 2025

@msherif1234 since there is no correlation with flows, I wonder if it's really something we want to send to FLP, or if just having something build-in (in the agent) to extract HTTP info and produce prometheus metrics, would be good enough?

The other use-case is to use specifically with the CLI/pcap

maybe for starter we can go with metrics maybe we can discuss this or collaborate together here I did rename the config

@github-actions github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Nov 17, 2025
@msherif1234
Copy link
Contributor Author

msherif1234 commented Nov 17, 2025

/ok-to-test

@openshift-ci openshift-ci bot added the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Nov 17, 2025
@github-actions
Copy link

github-actions bot commented Nov 17, 2025

New images:
quay.io/netobserv/ebpf-bytecode:486fe96
quay.io/netobserv/netobserv-ebpf-agent:486fe96

These will expire after two weeks.

To deploy this build, run from the operator repo, assuming the operator is running:

USER=netobserv VERSION=486fe96 make set-agent-image

@github-actions github-actions bot removed the ok-to-test To set manually when a PR is safe to test. Triggers image build on PR. label Nov 18, 2025
@jpinsonneau
Copy link
Contributor

jpinsonneau commented Nov 18, 2025

Hey @msherif1234, I took the opportunity to improve the script when testing on openshift:

Deploy the agents and collectors using:

$ AGENT_IMAGE=quay.io/netobserv/netobserv-ebpf-agent:486fe96 OPENSSL_PATH=/usr/lib64/libssl.so.3 ./scripts/deploy-agent.sh

Run your test SSL script (improved):

$ ./examples/test-ssl-host.sh 
=== Testing SSL with Host Process ===

Detected: Real Kubernetes/OpenShift cluster
Tests will run via privileged test pods with hostNetwork.
These pods mount the host's libssl.so to ensure uprobes are triggered.

This will run various SSL/TLS tests on each cluster node.
Tests use privileged pods with hostNetwork that mount the host's libssl.so,
ensuring processes use the same library that the agent's uprobe is attached to.

=========================================
Testing node: ip-10-0-1-225.ec2.internal
=========================================
Agent pod: netobserv-ebpf-agent-fcz6n

Node diagnostics:
  curl version: pod/ssl-test-ip-10-0-1-225-ec2-internal created
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.2.2 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
curl available
  OpenSSL library: OpenSSL 3 (libssl.so.3)
  libssl location: lrwxrwxrwx. 1 root root     15 Jan  1  1970 /usr/lib64/libssl.so.3 -> libssl.so.3.2.2

Agent SSL tracking status:
  ✓ SSL tracking is enabled
    time="2025-11-18T11:20:47Z" level=info msg="SSL tracking enabled with library: /usr/lib64/libssl.so.3" component=ebpf.FlowFetcher
    time="2025-11-18T11:20:47Z" level=info msg="SSL RingBuf tracer started - listening for SSL events" component=flow.RingBufTracer
  Agent OPENSSL_PATH: /usr/lib64/libssl.so.3

[TEST 1] Basic HTTPS GET with HTTP/1.1
✓ Request completed successfully
[TEST 2] HTTPS POST with JSON data
✓ Request completed successfully
[TEST 3] HTTPS with TLS 1.2 explicitly
✓ Request completed successfully
[TEST 4] HTTPS with TLS 1.3 explicitly (optional)
✓ Request completed successfully with alternative endpoint
[TEST 5] HTTPS with custom headers
✓ Request completed successfully
[TEST 6] HTTPS to GitHub API
✓ Request completed successfully
[TEST 7] HTTPS to Google
✓ Request completed successfully
[TEST 8] HTTPS with large response (1KB)
✓ Request completed successfully
[TEST 9] HTTPS with HTTP/2 (optional)
✓ Request completed successfully (HTTP/2 supported)

Checking logs for SSL events after all tests:
✓ SSL events found:
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408031192, data_len=13, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408065424, data_len=40, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935410611546, data_len=9, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data (plaintext before encryption):
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 1f 01 05 00 00 00 01 82 84 87 41 8b f1 e3 c2 f3 1c f3 50 55 c8 7a 7f 7a 88 25 b6 50 eb ba e2 e1 53 03 2a 2f 2a 0a...
    → Likely HTTP/2 frame or TLS handshake data

Detailed SSL event analysis:
  Found SSL events:
    time="2025-11-18T12:39:02Z" level=debug msg="SSL EVENT: pid=720931735637935, timestamp=12928033086161, data_len=78, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:02Z" level=debug msg="SSL data as string: GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=debug msg="SSL EVENT: pid=721155073937379, timestamp=12930250504317, data_len=85, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=debug msg="SSL data as string: GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935407920281, data_len=24, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935407979485, data_len=27, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408031192, data_len=13, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408065424, data_len=40, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935410611546, data_len=9, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data samples (plaintext before encryption):
    GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n
    → HTTP patterns: HTTP/2.0
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data


Node ip-10-0-1-225.ec2.internal test summary:
  Total tests: 9
  Passed: 9
  Failed: 0

=========================================
Testing node: ip-10-0-1-29.ec2.internal
=========================================
Agent pod: netobserv-ebpf-agent-szt5g

Node diagnostics:
  curl version: pod/ssl-test-ip-10-0-1-29-ec2-internal created
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.2.2 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
curl available
  OpenSSL library: OpenSSL 3 (libssl.so.3)
  libssl location: lrwxrwxrwx. 1 root root     15 Jan  1  1970 /usr/lib64/libssl.so.3 -> libssl.so.3.2.2

Agent SSL tracking status:
  ✓ SSL tracking is enabled
    time="2025-11-18T11:20:45Z" level=info msg="SSL tracking enabled with library: /usr/lib64/libssl.so.3" component=ebpf.FlowFetcher
    time="2025-11-18T11:20:45Z" level=info msg="SSL RingBuf tracer started - listening for SSL events" component=flow.RingBufTracer
  Agent OPENSSL_PATH: /usr/lib64/libssl.so.3

[TEST 10] Basic HTTPS GET with HTTP/1.1
✓ Request completed successfully
[TEST 11] HTTPS POST with JSON data
✓ Request completed successfully
[TEST 12] HTTPS with TLS 1.2 explicitly
✓ Request completed successfully
[TEST 13] HTTPS with TLS 1.3 explicitly (optional)
✓ Request completed successfully with alternative endpoint
[TEST 14] HTTPS with custom headers
✓ Request completed successfully
[TEST 15] HTTPS to GitHub API
✓ Request completed successfully
[TEST 16] HTTPS to Google
✓ Request completed successfully
[TEST 17] HTTPS with large response (1KB)
✓ Request completed successfully
[TEST 18] HTTPS with HTTP/2 (optional)
✓ Request completed successfully (HTTP/2 supported)

Checking logs for SSL events after all tests:
✓ SSL events found:
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915650335, data_len=13, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915685336, data_len=40, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971918162827, data_len=9, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data (plaintext before encryption):
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 1f 01 05 00 00 00 01 82 84 87 41 8b f1 e3 c2 f3 1c f3 50 55 c8 7a 7f 7a 88 25 b6 50 eb ba e2 e1 53 03 2a 2f 2a 0a...
    → Likely HTTP/2 frame or TLS handshake data

Detailed SSL event analysis:
  Found SSL events:
    time="2025-11-18T12:39:47Z" level=debug msg="SSL EVENT: pid=579678851174199, timestamp=12964205535569, data_len=78, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:47Z" level=debug msg="SSL data as string: GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=debug msg="SSL EVENT: pid=579854944833376, timestamp=12966346637358, data_len=85, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=debug msg="SSL data as string: GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915565758, data_len=24, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915627452, data_len=27, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915650335, data_len=13, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915685336, data_len=40, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971918162827, data_len=9, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data samples (plaintext before encryption):
    GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n
    → HTTP patterns: HTTP/2.0
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data


Node ip-10-0-1-29.ec2.internal test summary:
  Total tests: 18
  Passed: 18
  Failed: 0

=========================================
Test completed for all nodes
=========================================

Cleaning up test pods...
pod "ssl-test-ip-10-0-1-225-ec2-internal" deleted
pod "ssl-test-ip-10-0-1-29-ec2-internal" deleted

Overall Summary:
  Total tests executed: 18
  Passed: 18
  Failed: 0

  Pass rate: 100%

That seems to work fine 👌

Let me know if you see any issues in the results or if you want me to run something else. Thanks !

@msherif1234
Copy link
Contributor Author

msherif1234 commented Nov 18, 2025

Hey @msherif1234, I took the opportunity to improve the script when testing on openshift:

Deploy the agents and collectors using:

$ AGENT_IMAGE=quay.io/netobserv/netobserv-ebpf-agent:486fe96 OPENSSL_PATH=/usr/lib64/libssl.so.3 ./scripts/deploy-agent.sh

Run your test SSL script (improved):

$ ./examples/test-ssl-host.sh 
=== Testing SSL with Host Process ===

Detected: Real Kubernetes/OpenShift cluster
Tests will run via privileged test pods with hostNetwork.
These pods mount the host's libssl.so to ensure uprobes are triggered.

This will run various SSL/TLS tests on each cluster node.
Tests use privileged pods with hostNetwork that mount the host's libssl.so,
ensuring processes use the same library that the agent's uprobe is attached to.

=========================================
Testing node: ip-10-0-1-225.ec2.internal
=========================================
Agent pod: netobserv-ebpf-agent-fcz6n

Node diagnostics:
  curl version: pod/ssl-test-ip-10-0-1-225-ec2-internal created
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.2.2 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
curl available
  OpenSSL library: OpenSSL 3 (libssl.so.3)
  libssl location: lrwxrwxrwx. 1 root root     15 Jan  1  1970 /usr/lib64/libssl.so.3 -> libssl.so.3.2.2

Agent SSL tracking status:
  ✓ SSL tracking is enabled
    time="2025-11-18T11:20:47Z" level=info msg="SSL tracking enabled with library: /usr/lib64/libssl.so.3" component=ebpf.FlowFetcher
    time="2025-11-18T11:20:47Z" level=info msg="SSL RingBuf tracer started - listening for SSL events" component=flow.RingBufTracer
  Agent OPENSSL_PATH: /usr/lib64/libssl.so.3

[TEST 1] Basic HTTPS GET with HTTP/1.1
✓ Request completed successfully
[TEST 2] HTTPS POST with JSON data
✓ Request completed successfully
[TEST 3] HTTPS with TLS 1.2 explicitly
✓ Request completed successfully
[TEST 4] HTTPS with TLS 1.3 explicitly (optional)
✓ Request completed successfully with alternative endpoint
[TEST 5] HTTPS with custom headers
✓ Request completed successfully
[TEST 6] HTTPS to GitHub API
✓ Request completed successfully
[TEST 7] HTTPS to Google
✓ Request completed successfully
[TEST 8] HTTPS with large response (1KB)
✓ Request completed successfully
[TEST 9] HTTPS with HTTP/2 (optional)
✓ Request completed successfully (HTTP/2 supported)

Checking logs for SSL events after all tests:
✓ SSL events found:
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408031192, data_len=13, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408065424, data_len=40, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935410611546, data_len=9, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data (plaintext before encryption):
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 1f 01 05 00 00 00 01 82 84 87 41 8b f1 e3 c2 f3 1c f3 50 55 c8 7a 7f 7a 88 25 b6 50 eb ba e2 e1 53 03 2a 2f 2a 0a...
    → Likely HTTP/2 frame or TLS handshake data

Detailed SSL event analysis:
  Found SSL events:
    time="2025-11-18T12:39:02Z" level=debug msg="SSL EVENT: pid=720931735637935, timestamp=12928033086161, data_len=78, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:02Z" level=debug msg="SSL data as string: GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=debug msg="SSL EVENT: pid=721155073937379, timestamp=12930250504317, data_len=85, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:05Z" level=debug msg="SSL data as string: GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935407920281, data_len=24, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935407979485, data_len=27, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408031192, data_len=13, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935408065424, data_len=40, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL EVENT: pid=721339757531150, timestamp=12935410611546, data_len=9, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:10Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data samples (plaintext before encryption):
    GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n
    → HTTP patterns: HTTP/2.0
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data


Node ip-10-0-1-225.ec2.internal test summary:
  Total tests: 9
  Passed: 9
  Failed: 0

=========================================
Testing node: ip-10-0-1-29.ec2.internal
=========================================
Agent pod: netobserv-ebpf-agent-szt5g

Node diagnostics:
  curl version: pod/ssl-test-ip-10-0-1-29-ec2-internal created
curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.2.2 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
curl available
  OpenSSL library: OpenSSL 3 (libssl.so.3)
  libssl location: lrwxrwxrwx. 1 root root     15 Jan  1  1970 /usr/lib64/libssl.so.3 -> libssl.so.3.2.2

Agent SSL tracking status:
  ✓ SSL tracking is enabled
    time="2025-11-18T11:20:45Z" level=info msg="SSL tracking enabled with library: /usr/lib64/libssl.so.3" component=ebpf.FlowFetcher
    time="2025-11-18T11:20:45Z" level=info msg="SSL RingBuf tracer started - listening for SSL events" component=flow.RingBufTracer
  Agent OPENSSL_PATH: /usr/lib64/libssl.so.3

[TEST 10] Basic HTTPS GET with HTTP/1.1
✓ Request completed successfully
[TEST 11] HTTPS POST with JSON data
✓ Request completed successfully
[TEST 12] HTTPS with TLS 1.2 explicitly
✓ Request completed successfully
[TEST 13] HTTPS with TLS 1.3 explicitly (optional)
✓ Request completed successfully with alternative endpoint
[TEST 14] HTTPS with custom headers
✓ Request completed successfully
[TEST 15] HTTPS to GitHub API
✓ Request completed successfully
[TEST 16] HTTPS to Google
✓ Request completed successfully
[TEST 17] HTTPS with large response (1KB)
✓ Request completed successfully
[TEST 18] HTTPS with HTTP/2 (optional)
✓ Request completed successfully (HTTP/2 supported)

Checking logs for SSL events after all tests:
✓ SSL events found:
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915650335, data_len=13, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915685336, data_len=40, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971918162827, data_len=9, ssl_type=0" component=flow.RingBufTracer
  time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data (plaintext before encryption):
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 1f 01 05 00 00 00 01 82 84 87 41 8b f1 e3 c2 f3 1c f3 50 55 c8 7a 7f 7a 88 25 b6 50 eb ba e2 e1 53 03 2a 2f 2a 0a...
    → Likely HTTP/2 frame or TLS handshake data

Detailed SSL event analysis:
  Found SSL events:
    time="2025-11-18T12:39:47Z" level=debug msg="SSL EVENT: pid=579678851174199, timestamp=12964205535569, data_len=78, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:47Z" level=debug msg="SSL data as string: GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=debug msg="SSL EVENT: pid=579854944833376, timestamp=12966346637358, data_len=85, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:49Z" level=debug msg="SSL data as string: GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915565758, data_len=24, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915627452, data_len=27, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x12\x04\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00d\x00\x04\x02\x00\x00\x00\x00\x02\x00\x00\x00\x00" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915650335, data_len=13, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x04\b\x00\x00\x00\x00\x00\x01\xff\x00\x01" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971915685336, data_len=40, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x1f\x01\x05\x00\x00\x00\x01\x82\x84\x87A\x8b\xf1\xe3\xc2\xf3\x1c\xf3PU\xc8z\x7fz\x88%\xb6Pë\xba\xe2\xe1S\x03*/*" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=info msg="SSL ringbuffer event received! Size: 16408 bytes" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL EVENT: pid=580065398230929, timestamp=12971918162827, data_len=9, ssl_type=0" component=flow.RingBufTracer
    time="2025-11-18T12:39:55Z" level=debug msg="SSL data as string: \x00\x00\x00\x04\x01\x00\x00\x00\x00" component=flow.RingBufTracer

  Decoded SSL data samples (plaintext before encryption):
    GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    GET /bytes/1024 HTTP/1.1\r\nHost: httpbin.org\r\nUser-Agent: curl/7.76.1\r\nAccept: */*\r\n\r\n
    → HTTP patterns: GET
HTTP/1.1
Host:
    PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n
    → HTTP patterns: HTTP/2.0
    Binary data (hex): 00 00 12 04 00 00 00 00 00 00 03 00 00 00 64 00 04 02 00 00 00 00 02 00 00 00 00 0a...
    → Likely HTTP/2 frame or TLS handshake data
    Binary data (hex): 00 00 04 5c 62 00 00 00 00 00 01 ff 00 01 0a...
    → Likely HTTP/2 frame or TLS handshake data


Node ip-10-0-1-29.ec2.internal test summary:
  Total tests: 18
  Passed: 18
  Failed: 0

=========================================
Test completed for all nodes
=========================================

Cleaning up test pods...
pod "ssl-test-ip-10-0-1-225-ec2-internal" deleted
pod "ssl-test-ip-10-0-1-29-ec2-internal" deleted

Overall Summary:
  Total tests executed: 18
  Passed: 18
  Failed: 0

  Pass rate: 100%

That seems to work fine 👌

Let me know if you see any issues in the results or if you want me to run something else. Thanks !

Thanks @jpinsonneau were able to check the dash board metrics ? if so can pls include some pic here ?

@jpinsonneau
Copy link
Contributor

jpinsonneau commented Nov 18, 2025

Thanks @jpinsonneau were able to check the dash board metrics ? if so can pls include some pic here ?

Oh I don't have it here as I only deployed the agent + collector. Let me deploy netobserv and check 😉

@msherif1234
Copy link
Contributor Author

msherif1234 commented Nov 18, 2025
edited
Loading

Thanks @jpinsonneau were able to check the dash board metrics ? if so can pls include some pic here ?

Oh I don't have it here as I only deployed the agent + collector. Let me deploy netobserv and check 😉

Thank you!!, also if u have a min pls run make docker-generate ci/cd doesn't like s390 files generated from my Mac.

@jpinsonneau
Copy link
Contributor

jpinsonneau commented Nov 18, 2025

@msherif1234 I capture some events and those are reported to the metrics. However, I only see openssl_type="0".

Is it expected ?

# HELP ebpf_agent_openssl_data_events_total Number of OpenSSL data events
# TYPE ebpf_agent_openssl_data_events_total counter
ebpf_agent_openssl_data_events_total{data_len="118",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="13",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="147",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="24",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="27",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="40",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="43",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="78",openssl_type="0"} 6
ebpf_agent_openssl_data_events_total{data_len="85",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="88",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="9",openssl_type="0"} 4

@msherif1234
Copy link
Contributor Author

msherif1234 commented Nov 18, 2025

@msherif1234 I capture some events and those are reported to the metrics. However, I only see openssl_type="0".

Is it expected ?

# HELP ebpf_agent_openssl_data_events_total Number of OpenSSL data events
# TYPE ebpf_agent_openssl_data_events_total counter
ebpf_agent_openssl_data_events_total{data_len="118",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="13",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="147",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="24",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="27",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="40",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="43",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="78",openssl_type="0"} 6
ebpf_agent_openssl_data_events_total{data_len="85",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="88",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="9",openssl_type="0"} 4

were u running the test script during this collection or those was just default flows ?

@jpinsonneau
Copy link
Contributor

jpinsonneau commented Nov 18, 2025

@msherif1234 I capture some events and those are reported to the metrics. However, I only see openssl_type="0".
Is it expected ?

# HELP ebpf_agent_openssl_data_events_total Number of OpenSSL data events
# TYPE ebpf_agent_openssl_data_events_total counter
ebpf_agent_openssl_data_events_total{data_len="118",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="13",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="147",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="24",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="27",openssl_type="0"} 4
ebpf_agent_openssl_data_events_total{data_len="40",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="43",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="78",openssl_type="0"} 6
ebpf_agent_openssl_data_events_total{data_len="85",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="88",openssl_type="0"} 2
ebpf_agent_openssl_data_events_total{data_len="9",openssl_type="0"} 4

were u running the test script during this collection or those was just default flows ?

yes that's with the test script running multiple times

@msherif1234
Copy link
Contributor Author

msherif1234 commented Nov 18, 2025
edited
Loading

this is are the expected types
https://github.com/openssl/openssl/blob/master/ssl/ssl_local.h#L1225

so means its SSL connection type

jotak
jotak reviewed Dec 2, 2025
View reviewed changes
scripts/generators.Dockerfile Outdated
@@ -1,4 +1,4 @@
FROM fedora:42
FROM fedora:40
Copy link
Member

@jotak jotak Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why downgrading fedora?

Copy link
Contributor Author

@msherif1234 msherif1234 Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so I can build on Mac, for some reason I can't run 42 , will try again and share the error I got

- LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 36)
 - LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 26)
 - LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 28)
docker run --privileged --rm -v /Users/mmahmoud/go/src/netobserv-ebpf-agent:/src ebpf-generator:latest
WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
/bin/sh: line 1: which: command not found
basename: missing operand
Try 'basename --help' for more information.
basename: missing operand
Try 'basename --help' for more information.
### Checking if prerequisites are met, and installing missing dependencies
github.com/cilium/ebpf/asm: /go/pkg/tool/linux_amd64/compile: signal: segmentation fault
### Generating BPF Go bindings
pkg/ebpf/gen.go:4: running "bpf2go": exec: "bpf2go": executable file not found in $PATH
make: *** [Makefile:135: gen-bpf] Error 1
make: *** [docker-generate] Error 2

I will revert this and I keep it locally

jotak
jotak reviewed Dec 2, 2025
View reviewed changes
Dockerfile
# Build the manager binary
FROM docker.io/library/golang:1.24 as builder

ARG TARGETARCH
Copy link
Member

@jotak jotak Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this must not be removed, it's used in the line below:

RUN CGO_ENABLED=0 GOARCH=$TARGETARCH go build

Copy link
Contributor Author

@msherif1234 msherif1234 Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hmm that I don't remember why will revert as well and if needed I will keep it locally

Copy link
Member

@jotak jotak Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe when running from mac you need to pass explicitly MULTIARCH_TARGETS=arm64

Copy link
Member

@jotak jotak Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

perhaps that's also what make you have different bytecode than the CI (and hence get it rejected)

Copy link
Contributor Author

@msherif1234 msherif1234 Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that option is there for make docker-generate

red-hat-konflux bot and others added 6 commits December 2, 2025 08:58
@red-hat-konflux @msherif1234
fix(deps): update module github.com/netobserv/flowlogs-pipeline to v1…
c85f977 
….8.0-crc0 (#590)

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux @msherif1234
fix(deps): update module github.com/vmware/go-ipfix to v0.13.0 (#592)
d279a16 
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@msherif1234
Initial PR to implement openSSL userspace tracker
76c869d 
Signed-off-by: Mohamed S. Mahmoud <[email protected]>
@msherif1234
Add promo metrics for openSSL tracker
9eb6cb0 
Signed-off-by: Mohamed S. Mahmoud <[email protected]>
@jpinsonneau @msherif1234
improved tests for openshift
41dbbe6
@msherif1234
revert docker file changes
3e47174 
Signed-off-by: Mohamed S. Mahmoud <[email protected]>
@msherif1234 msherif1234 requested a review from jotak December 2, 2025 14:02
@openshift-ci
Copy link

openshift-ci bot commented Dec 3, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign memodi for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci
Copy link

openshift-ci bot commented Dec 3, 2025

@msherif1234: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/netobserv-cli-tests dc723f4 link false /test netobserv-cli-tests
ci/prow/qe-e2e-tests dc723f4 link false /test qe-e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jpinsonneau jpinsonneau Awaiting requested review from jpinsonneau

@jotak jotak Awaiting requested review from jotak

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@msherif1234 @jotak @jpinsonneau @openshift-merge-robot