NETOBSERV-1061: Add TCP drop and DNS tracking hooks

[msherif1234]

• Add skb_free tracepoint hook to detect when TCP flows are dropped and update flow metrics with tcp socket info.

• To view ebpf tracepoints with bpftool

bpftool perf show
pid 119418  fd 8: prog_id 134  tracepoint  kfree_skb

• For reference about tcpdrop https://www.brendangregg.com/blog/2018-05-31/linux-tcpdrop.html

• Steps for manual testing using flowsdump collector tool

- using ncat
=========
server: ncat -l 8080
client: ncat 192.168.122.69 8080

• use iptables rule to drop
  ============================

sudo iptables -I INPUT 1 -m tcp --proto tcp --dst 192.168.122.69/32 --dport 8080 -j DROP
switch back
sudo iptables -I INPUT 1 -m tcp --proto tcp --dst 192.168.122.69/32 --dport 8080 -j ACCEPT

once the drop iptable rule is installed we can see tcpdrop stats been updated

 },{
                "cpu": 2,
                "value": {
                    "packets": 1,
                    "bytes": 67,
                    "start_mono_time_ts": 5481943029602,
                    "end_mono_time_ts": 5481943029602,
                    "flags": 16,
                    "errno": 0,
                    "tcp_drops": {
                        "packets": 14,
                        "bytes": 800,
                        "flags": 16,
                        "state": 1,
                        "drop_cause": 8  <<<<< SKB_DROP_REASON_NETFILTER_DROP
                    }
                }	
            }

• add net_dev_queue trace point hook to implement light weight DNS tracker
• testing using dig google.coom

DNS id 23099
Query
 "dns_record": {
                "id": 23099,
                "flags": 288,
                "req_mono_time_ts": 3559391813403,
                "rsp_mono_time_ts": 0
}

Response
 "dns_record": {
                "id": 23099,
                "flags": 33152,
                "req_mono_time_ts": 0,
                "rsp_mono_time_ts": 3559392215340
}
~.4 msec latency

NOTE:

• here are all possible TCP state values https://elixir.bootlin.com/linux/v6.3/source/include/net/tcp_states.h#L12
• here are all drop causes
  https://elixir.bootlin.com/linux/latest/source/include/net/dropreason-core.h#L88

Related PRs:
netobserv/network-observability-operator#331
netobserv/flowlogs-pipeline#429
netobserv/network-observability-console-plugin#324

[codecov]

Codecov Report

Merging #115 (2cffd02) into main (2d63d90) will decrease coverage by 0.38%.
The diff coverage is 44.66%.

@@            Coverage Diff             @@
##             main     #115      +/-   ##
==========================================
- Coverage   40.48%   40.11%   -0.38%     
==========================================
  Files          31       31              
  Lines        2060     2124      +64     
==========================================
+ Hits          834      852      +18     
- Misses       1186     1227      +41     
- Partials       40       45       +5     

Flag	Coverage Δ
unittests	40.11% <44.66%> (-0.38%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/agent.go	39.20% <0.00%> (ø)
pkg/ebpf/tracer.go	0.00% <0.00%> (ø)
pkg/exporter/proto.go	82.73% <62.06%> (-17.27%)	⬇️
pkg/flow/record.go	71.42% <66.66%> (-4.58%)	⬇️
pkg/flow/account.go	82.69% <100.00%> (ø)
pkg/flow/tracer_map.go	79.41% <100.00%> (ø)

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-979 which is a valid jira issue.

In response to this:

• add skb_free tracepoint hook

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-979 which is a valid jira issue.

In response to this:

• add skb_free tracepoint hook
  to view ebpf tracepoints with bpftool

bpftool perf show
pid 119418  fd 8: prog_id 134  tracepoint  kfree_skb

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-979 which is a valid jira issue.

In response to this:

inspired by https://www.brendangregg.com/blog/2018-05-31/linux-tcpdrop.html

• add skb_free tracepoint hook
  to view ebpf tracepoints with bpftool

bpftool perf show
pid 119418  fd 8: prog_id 134  tracepoint  kfree_skb

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-979 which is a valid jira issue.

In response to this:

Add skb_free tracepoint hook to detect when TCP flows are dropped and update flow metrics with tcp socket info.

To view ebpf tracepoints with bpftool

bpftool perf show
pid 119418  fd 8: prog_id 134  tracepoint  kfree_skb

For reference about tcpdrop https://www.brendangregg.com/blog/2018-05-31/linux-tcpdrop.html

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-979 which is a valid jira issue.

In response to this:

• Add skb_free tracepoint hook to detect when TCP flows are dropped and update flow metrics with tcp socket info.

• To view ebpf tracepoints with bpftool

bpftool perf show
pid 119418  fd 8: prog_id 134  tracepoint  kfree_skb

• For reference about tcpdrop https://www.brendangregg.com/blog/2018-05-31/linux-tcpdrop.html

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[msherif1234]

/assign @praveingk @jotak @jpinsonneau @ronensc

[github-actions]

New image: ["quay.io/netobserv/netobserv-ebpf-agent:8197b19"]. It will expire after two weeks.

[jpinsonneau]

@msherif1234 I tried to deploy this on a clusterbot using launch 4.13 aws,large but got the following error:

time="2023-04-28T07:46:46Z" level=debug msg="agent IP: 10.0.149.138" component=agent.Flows
time="2023-04-28T07:46:47Z" level=info msg="failed to attach the BPF program to kfree_skb tracepoint: reading file \"/sys/kernel/debug/tracing/events/skb/kfree_skb/id\": open /sys/kernel/debug/tracing/events/skb/kfree_skb/id: no such file or directory" component=ebpf.FlowFetcher
time="2023-04-28T07:46:47Z" level=fatal msg="can't instantiate NetObserv eBPF Agent" error="reading file \"/sys/kernel/debug/tracing/events/skb/kfree_skb/id\": open /sys/kernel/debug/tracing/events/skb/kfree_skb/id: no such file or directory"

I thought using privileged option in the CRD would solve it but it's not 😿

apiVersion: flows.netobserv.io/v1beta1
kind: FlowCollector
...
spec:
  agent:
    ebpf:
...
      privileged: true
...

Am I missing something ?

[msherif1234]

@msherif1234 I tried to deploy this on a clusterbot using launch 4.13 aws,large but got the following error:

time="2023-04-28T07:46:46Z" level=debug msg="agent IP: 10.0.149.138" component=agent.Flows
time="2023-04-28T07:46:47Z" level=info msg="failed to attach the BPF program to kfree_skb tracepoint: reading file \"/sys/kernel/debug/tracing/events/skb/kfree_skb/id\": open /sys/kernel/debug/tracing/events/skb/kfree_skb/id: no such file or directory" component=ebpf.FlowFetcher
time="2023-04-28T07:46:47Z" level=fatal msg="can't instantiate NetObserv eBPF Agent" error="reading file \"/sys/kernel/debug/tracing/events/skb/kfree_skb/id\": open /sys/kernel/debug/tracing/events/skb/kfree_skb/id: no such file or directory"

I thought using privileged option in the CRD would solve it but it's not 😿

apiVersion: flows.netobserv.io/v1beta1
kind: FlowCollector
...
spec:
  agent:
    ebpf:
...
      privileged: true
...

Am I missing something ?

Yes similar to what I added to e2e manifests we need to add the same mount volume to the crd

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-979 which is a valid jira issue.

In response to this:

• Add skb_free tracepoint hook to detect when TCP flows are dropped and update flow metrics with tcp socket info.

• To view ebpf tracepoints with bpftool

bpftool perf show
pid 119418  fd 8: prog_id 134  tracepoint  kfree_skb

• For reference about tcpdrop https://www.brendangregg.com/blog/2018-05-31/linux-tcpdrop.html

• Steps for manual testing using flowsdump collector tool

using ncat
=========
server ncat -l 8080
client ncat 192.168.122.69 8080


use iptables rule to drop
============================
sudo iptables -I INPUT 1 -m tcp --proto tcp --dst 192.168.122.69/32 --dport 8080 -j DROP
switch back
sudo iptables -I INPUT 1 -m tcp --proto tcp --dst 192.168.122.69/32 --dport 8080 -j ACCEPT

run local flow collector with long time to allow flow to stay longer (2Minutes)
===============================================================================
sudo FLOWS_TARGET_HOST=127.0.0.1 FLOWS_TARGET_PORT=9999 CACHE_ACTIVE_TIMEOUT="120s" ./bin/netobserv-ebpf-agent


use bpftool to find the map and dump it
=======================================
sudo bpftool map list
sudo bpftool map dump id 500 | grep dst_port

use bpftool to look at prog traces
=================================
sudo bpftool prog tracelog

use bpftool to check tracepoint is attached
===========================================
bpftool perf show

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci-robot]

@msherif1234: This pull request references NETOBSERV-979 which is a valid jira issue.

In response to this:

• Add skb_free tracepoint hook to detect when TCP flows are dropped and update flow metrics with tcp socket info.

• To view ebpf tracepoints with bpftool

bpftool perf show
pid 119418  fd 8: prog_id 134  tracepoint  kfree_skb

• For reference about tcpdrop https://www.brendangregg.com/blog/2018-05-31/linux-tcpdrop.html

• Steps for manual testing using flowsdump collector tool

using ncat
=========
server ncat -l 8080
client ncat 192.168.122.69 8080


use iptables rule to drop
============================
sudo iptables -I INPUT 1 -m tcp --proto tcp --dst 192.168.122.69/32 --dport 8080 -j DROP
switch back
sudo iptables -I INPUT 1 -m tcp --proto tcp --dst 192.168.122.69/32 --dport 8080 -j ACCEPT

run local flow collector with long time to allow flow to stay longer (2Minutes)
===============================================================================
sudo FLOWS_TARGET_HOST=127.0.0.1 FLOWS_TARGET_PORT=9999 CACHE_ACTIVE_TIMEOUT="120s" ./bin/netobserv-ebpf-agent


use bpftool to find the map and dump it
=======================================
sudo bpftool map list
sudo bpftool map dump id 500 | grep dst_port

use bpftool to look at prog traces
=================================
sudo bpftool prog tracelog

use bpftool to check tracepoint is attached
===========================================
bpftool perf show

once the drop iptable rule is installed we can see tcpdrop stats been updated

},{
               "cpu": 10,
               "value": {
                   "packets": 7,
                   "bytes": 540,
                   "start_mono_time_ts": 1047585604832,
                   "end_mono_time_ts": 1054159237862,
                   "flags": 16,
                   "errno": 0,
                   "tcp_drops": {
                       "packets": 7,
                       "bytes": 442,
                       "flags": 16,
                       "state": 1
                   }
               }

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[msherif1234]

/ok-to-test

[msherif1234]

/ok-to-test

[msherif1234]

/ok-to-test

[github-actions]

New image: quay.io/netobserv/netobserv-ebpf-agent:5aac091. It will expire after two weeks.

[jotak]

/lgtm

[dushyantbehl]

Not urgent for this commit but there's functionality being repeated in these functions and the fill_** functions so maybe we should look to just consolidate them.

[msherif1234]

sure we can do so

[msherif1234]

/ok-to-test

[github-actions]

New image: quay.io/netobserv/netobserv-ebpf-agent:cfcda6b. It will expire after two weeks.

[dushyantbehl]

/lgtm

[msherif1234]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: msherif1234

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [msherif1234]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment