Merge pull request #2135 from kinvolk/iaguis/conn-perf-ebpf-guess

Add eBPF connection tracking without dependencies on kernel headers

Makefile

@@ -24,13 +24,24 @@ RM=--rm
 RUN_FLAGS=-ti
 BUILD_IN_CONTAINER=true
 GO_ENV=GOGC=off
-GO=env $(GO_ENV) go
-NO_CROSS_COMP=unset GOOS GOARCH
-GO_HOST=$(NO_CROSS_COMP); $(GO)
-WITH_GO_HOST_ENV=$(NO_CROSS_COMP); $(GO_ENV)
 GO_BUILD_INSTALL_DEPS=-i
 GO_BUILD_TAGS='netgo unsafe'
 GO_BUILD_FLAGS=$(GO_BUILD_INSTALL_DEPS) -ldflags "-extldflags \"-static\" -X main.version=$(SCOPE_VERSION) -s -w" -tags $(GO_BUILD_TAGS)
+GOOS=$(shell go tool dist env | grep GOOS | sed -e 's/GOOS="\(.*\)"/\1/')
+
+ifeq ($(GOOS),linux)
+GO_ENV+=CGO_ENABLED=1
+endif
+
+ifeq ($(GOARCH),arm)
+ARM_CC=CC=/usr/bin/arm-linux-gnueabihf-gcc
+endif
+
+GO=env $(GO_ENV) $(ARM_CC) go
+
+NO_CROSS_COMP=unset GOOS GOARCH
+GO_HOST=$(NO_CROSS_COMP); env $(GO_ENV) go
+WITH_GO_HOST_ENV=$(NO_CROSS_COMP); $(GO_ENV)
 IMAGE_TAG=$(shell ./tools/image-tag)
 
 all: $(SCOPE_EXPORT)

backend/Dockerfile

@@ -1,6 +1,9 @@
-FROM golang:1.7.4
+FROM ubuntu:yakkety
+ENV GOPATH /go
+ENV GOVERSION 1.7
+ENV PATH /go/bin:/usr/lib/go-${GOVERSION}/bin:/usr/bin:/bin:/usr/sbin:/sbin
 RUN apt-get update && \
-	apt-get install -y libpcap-dev python-requests time file shellcheck && \
+	apt-get install -y libpcap-dev python-requests time file shellcheck golang-${GOVERSION} git gcc-arm-linux-gnueabihf && \
 	rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 RUN go clean -i net && \
 	go install -tags netgo std && \
@@ -13,7 +16,7 @@ RUN go get -tags netgo \
 		github.com/fatih/hclfmt \
 		github.com/mjibson/esc \
 		github.com/client9/misspell/cmd/misspell && \
-	chmod a+wr --recursive /usr/local/go/pkg && \
+	chmod a+wr --recursive /usr/lib/go-${GOVERSION}/pkg && \
 	rm -rf /go/pkg/ /go/src/
 COPY build.sh /
 ENTRYPOINT ["/build.sh"]

integration/300_internet_edge_test.sh

@@ -5,12 +5,6 @@
 
 start_suite "Test short lived connections from the Internet"
 
-if ! echo "$HOST1" | grep "us-central1-a"; then
-    echo "Skipping; test needs to be run against VMs on GCE."
-    scope_end_suite
-    exit
-fi
-
 weave_on "$HOST1" launch
 scope_on "$HOST1" launch
 docker_on "$HOST1" run -d -p 80:80 --name nginx nginx

integration/301_internet_edge_with_ebpf_test.sh

@@ -0,0 +1,28 @@
+#! /bin/bash
+
+# shellcheck disable=SC1091
+. ./config.sh
+
+start_suite "Test short lived connections from the Internet"
+
+weave_on "$HOST1" launch
+scope_on "$HOST1" launch --probe.ebpf.connections=true
+docker_on "$HOST1" run -d -p 80:80 --name nginx nginx
+
+do_connections() {
+    while true; do
+        curl -s "http://$HOST1:80/" >/dev/null || true
+        sleep 1
+    done
+}
+do_connections &
+
+wait_for_containers "$HOST1" 60 nginx "The Internet"
+
+has_connection_by_id containers "$HOST1" "in-theinternet" "$(node_id containers "$HOST1" nginx)"
+
+endpoints_have_ebpf "$HOST1"
+
+kill %do_connections
+
+scope_end_suite

integration/311_container_to_container_edge_with_ebpf_test.sh

@@ -0,0 +1,24 @@
+#! /bin/bash
+
+# shellcheck disable=SC1091
+. ./config.sh
+
+start_suite "Test short lived connections between containers, with ebpf connection tracking enabled"
+
+weave_on "$HOST1" launch
+scope_on "$HOST1" launch --probe.ebpf.connections=true
+weave_on "$HOST1" run -d --name nginx nginx
+weave_on "$HOST1" run -d --name client alpine /bin/sh -c "while true; do \
+	wget http://nginx.weave.local:80/ -O - >/dev/null || true; \
+	sleep 1; \
+done"
+
+wait_for_containers "$HOST1" 60 nginx client
+
+has_container "$HOST1" nginx
+has_container "$HOST1" client
+has_connection containers "$HOST1" client nginx
+
+endpoints_have_ebpf "$HOST1"
+
+scope_end_suite

integration/312_container_to_container_edge_same_netns_with_ebpf_test.sh

@@ -0,0 +1,20 @@
+#! /bin/bash
+
+# shellcheck disable=SC1091
+. ./config.sh
+
+start_suite "Test short lived connection between containers in same network namespace, with ebpf connection tracking enabled"
+
+scope_on "$HOST1" launch --probe.ebpf.connections=true
+docker_on "$HOST1" run -d --name nginx nginx
+docker_on "$HOST1" run -d --net=container:nginx --name client albanc/dialer /go/bin/dialer connectshortlived localhost:80
+
+wait_for_containers "$HOST1" 60 nginx client
+
+has_container "$HOST1" nginx
+has_container "$HOST1" client
+has_connection containers "$HOST1" client nginx
+
+endpoints_have_ebpf "$HOST1"
+
+scope_end_suite

integration/config.sh

@@ -90,6 +90,30 @@ has_connection_by_id() {
     assert "curl -s http://$host:4040/api/topology/${view}?system=show |  jq -r '.nodes[\"$from_id\"].adjacency | contains([\"$to_id\"])'" true
 }
 
+# this checks if ebpf is true on all endpoints on a given host
+endpoints_have_ebpf() {
+    local host="$1"
+    local timeout="${2:-60}"
+    local number_of_endpoints=-1
+    local have_ebpf=-1
+    local report
+
+    for i in $(seq "$timeout"); do
+        report=$(curl -s "http://${host}:4040/api/report")
+        number_of_endpoints=$(echo "${report}" | jq -r '.Endpoint.nodes | length')
+        have_ebpf=$(echo "${report}" | jq -r '.Endpoint.nodes[].latest.eBPF | select(.value != null) | contains({"value": "true"})' | wc -l)
+        if [[ "$number_of_endpoints" -gt 0 && "$have_ebpf" -gt 0 && "$number_of_endpoints" -eq "$have_ebpf" ]]; then
+            echo "Found ${number_of_endpoints} endpoints with ebpf enabled"
+            assert "echo '$have_ebpf'" "$number_of_endpoints"
+            return
+        fi
+        sleep 1
+    done
+
+    echo "Only ${have_ebpf} endpoints of ${number_of_endpoints} have ebpf enabled, should be equal"
+    assert "echo '$have_ebpf" "$number_of_endpoints"
+}
+
 has_connection() {
     local view="$1"
     local host="$2"