Add eBPF connection tracking, without dependencies on kernel headers #2070
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
iaguis
force-pushed
the
alessandro/conn-perf-ebpf
branch
from
801dcfc to
a84a81e
Compare
Perhaps include all the binaries in the scope container image? Yes, it adds bloat, but dynamically downloading binaries (on every launch?) is gross. |
@rade It is already in the Scope Docker image. It is done at build-time (implemented in Scope's Makefile). At the moment, the size of the compiled ebpf programs is very small, I think <50KB uncompressed. |
|
Ah, so when you wrote "Scope fetches" you didn't actually mean "Scope" but "The scope build". Also you wrote "Scope fetches the pre-compiled ebpf program" (note the singular). Taking into account your comments, I believe that sentence should have read "The scope build fetches the pre-compiled ebpf programs." Correct? |
This was referenced Dec 8, 2016
|
I closed the two previous iterations of this work, in favor of this PR. For the record, this was:
|
Merged
|
Two graphs comparing the performance between master and this branch (by running our test dialer, #2082): With up to 4K connections (40 dialer container with 100 connections each):
With a pool of 100 containers, each holding a random number of connections between 1 and 20:
|
https://github.com/koalaman/shellcheck/wiki/SC2048 We get a https://github.com/koalaman/shellcheck/wiki/SC2016 but we do mean literal backquotes.
Based on work from Lorenzo, updated by Iago, Alban, and Alessandro
This PR adds connection tracking using eBPF. This feature is not enabled by default.
For now, you can enable it by launching scope with the following command:
```
sudo ./scope launch --probe.ebpf.connections=true
```
Scope Probe also falls back on the old /proc parsing if eBPF is not working
(e.g. too old kernel, or pre-compiled eBPF program missing for the current kernel).
This patch allows scope to get notified of every connection event, without relying
on the parsing of /proc/$pid/net/tcp{,6} and /proc/$pid/fd/*, and therefore
improve performance.
We vendor https://github.com/kinvolk/gobpf-elf-loader in Scope to load and
receive information from the ebpf program. Scope fetches the pre-compiled
ebpf program from https://hub.docker.com/r/kinvolk/tcptracer-bpf/
(see https://github.com/kinvolk/tcptracer-bpf)
At the moment, the eBPF program is pre-compiled for:
- Arch 4.8.11-1
- fedora-24
- debian-testing
- coreos
The ebpf program uses kprobes on the following kernel functions:
- tcp_v4_connect
- tcp_v6_connect
- inet_csk_accept
- tcp_close
It generates "connect", "accept" and "close" events containing the
connection tuple but also pid and netns.
Note: the IPv6 events are not plugged in Scope.
probe/endpoint/ebpf.go maintains the list of connections. Similarly to
conntrack, it also keeps the dead connections for one iteration in order
to report short-lived connections.
The code for parsing /proc/$pid/net/tcp{,6} and /proc/$pid/fd/* is still
there and still used at start-up because eBPF only brings us the events
and not the initial state. However, the /proc parsing for the initial
state is now done in foreground instead of background, via newForegroundReader().
NAT resolution on connections from eBPF works in the same way as it did on connections
from /proc: by using conntrack. One of the two conntrack instances was removed since
eBPF detects short-lived connections.
The Scope Docker image size comparison:
- weaveworks/scope in current master: 22 MB (compressed), 68 MB
(uncompressed)
- weaveworks/scope with this patchset: 24 MB (compressed), 70 MB
(uncompressed)
Fixes weaveworks#1168 (walking /proc to obtain connections is very expensive)
Fixes weaveworks#1260 (Short-lived connections not tracked for containers in
shared networking namespaces)
The variable EBPF_IMAGE in the Makefile determines where to fetch the pre-compiled ebpf programs. They are added in the Scope Docker image in /usr/libexec/scope/. This is so far less than 50KB. Then, at run-time, Scope will pick the correct ebpf program for the currently running kernel. This is determined by: - /etc/os-release bind-mounted from the host gives the distribution ID. - uname finds the architecture and the kernel version.
This patch adds a debug message to show the perf event details.
We now use CGO which requires an arm compiler and the CC environment variable set up. Also, the version of go shipped on debian doesn't have some standard library packages for arm and when it tries to install them it fails because it doesn't have permission to write to /usr/lib. Use -pkgdir if we build for arm so packages are installed in $HOME
The cyclomatic complexity was too high and the CI didn't pass.
To handle non-linux systems.
alepuccetti
force-pushed
the
alessandro/conn-perf-ebpf
branch
from
a84a81e to
c8396aa
Compare
This patch adds a debug message to show the perf event details.
We now use CGO which requires an arm compiler and the CC environment variable set up. Also, the version of go shipped on debian doesn't have some standard library packages for arm and when it tries to install them it fails because it doesn't have permission to write to /usr/lib. Use -pkgdir if we build for arm so packages are installed in $HOME
This goroutine is unnecessary because the `run()` function uses a goroutine itself. Goroutines are asynchronous, and they can introduce race between connections detected during the first pass and events form eBPF.
This prevents a race between conntrack information and ebpf. When using eBPF, we do a first pass on `/proc` and with conntrack to get the initial state, then eBPF takes over. To do so we "feed" this information to eBPF so it can pair active connection with future close events. It could happen that a connection is closed after the data from `/proc` and conntrack are populated and before eBPF takes over. In this case, we lose the close event, and we will have a "ghost" process that will never disappear from the report.
alepuccetti
force-pushed
the
alessandro/conn-perf-ebpf
branch
from
f16ea55 to
5f82411
Compare
schu
reviewed
Dec 22, 2016
| IMAGE_TAG=$(shell ./tools/image-tag) | ||
| EBPF_IMAGE=kinvolk/tcptracer-bpf:semaphore-master-475be63 |
This comment was marked as abuse.
This comment was marked as abuse.
Sorry, something went wrong.
2 tasks
|
Superseded by #2135 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Based on work from Lorenzo, updated by Iago, Alban, and Alessandro
This PR adds connection tracking using eBPF. This feature is not enabled by default.
For now, you can enable it by launching scope with the following command:
Scope Probe also falls back on the old /proc parsing if eBPF is not working
(e.g. too old kernel, or pre-compiled eBPF program missing for the current kernel).
This patch allows scope to get notified of every connection event, without relying
on the parsing of /proc/$pid/net/tcp{,6} and /proc/$pid/fd/*, and therefore
improve performance.
We vendor https://github.com/kinvolk/gobpf-elf-loader in Scope to load and
receive information from the ebpf programs. The Scope build fetches the pre-compiled
ebpf programs from https://hub.docker.com/r/kinvolk/tcptracer-bpf/
(see https://github.com/kinvolk/tcptracer-bpf)
At the moment, the eBPF programs are pre-compiled for:
The ebpf programs use kprobes on the following kernel functions:
It generates "connect", "accept" and "close" events containing the
connection tuple but also pid and netns.
Note: the IPv6 events are not plugged in Scope.
probe/endpoint/ebpf.go maintains the list of connections. Similarly to
conntrack, it also keeps the dead connections for one iteration in order
to report short-lived connections.
The code for parsing /proc/$pid/net/tcp{,6} and /proc/$pid/fd/* is still
there and still used at start-up because eBPF only brings us the events
and not the initial state. However, the /proc parsing for the initial
state is now done in foreground instead of background, via newForegroundReader().
NAT resolution on connections from eBPF works in the same way as it did on connections
from /proc: by using conntrack. One of the two conntrack instances was removed since
eBPF detects short-lived connections.
The Scope Docker image size comparison:
(uncompressed)
(uncompressed)
Fixes #1168 (walking /proc to obtain connections is very expensive)
Fixes #1260 (Short-lived connections not tracked for containers in
shared networking namespaces)
Fixes #1962 (Port ebpf tracker to Go)
Fixes #1961 (Remove runtime kernel header dependency from ebpf tracker)
Supersedes #2024