ebpf

package
v0.0.0-...-8c6aa2b Latest Latest
Warning

This package is not in the latest version of its module.

Published: Sep 26, 2025 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Index

Constants

// Kinds of ProcessTracer. The values come from iota, so Go is 0 and Generic
// is 1.
const (
	// Go is the first ProcessTracerType value (0).
	Go ProcessTracerType = iota
	// Generic is the second ProcessTracerType value (1).
	Generic
)
// PinInternal is a package-defined ebpf.PinType with the numeric value 100.
// NOTE(review): presumably chosen to stay clear of the pin types the ebpf
// library declares itself; confirm how maps carrying this pin type are
// handled when a collection is loaded.
const PinInternal ebpf.PinType = 100

Variables

This section is empty.

Functions

func RunUtilityTracer

func RunUtilityTracer(ctx context.Context, eventContext *common.EBPFEventContext, p UtilityTracer) error

Types

type CommonTracer

// CommonTracer is the base set of methods for the tracer interfaces in this
// package; KprobesTracer embeds it.
type CommonTracer interface {
	// Load loads the BPF object that is generated by the bpf2go compiler and
	// returns it as an *ebpf.CollectionSpec, or an error.
	Load() (*ebpf.CollectionSpec, error)
	// AddCloser adds io.Closer instances that need to be invoked when the
	// Run function ends.
	AddCloser(c ...io.Closer)
	// BpfObjects returns the objects that are created by the bpf2go compiler.
	// The result is untyped (any), so the caller has to know which concrete
	// type to expect.
	BpfObjects() any
	// SetupTailCalls sets up any tail call tables if the BPF program has them.
	SetupTailCalls()
}

type Instrumentable

// Instrumentable groups what is kept about one instrumentation target: its
// type, an instrumentation error, child PIDs, file information, Go offsets
// and a ProcessTracer.
// NOTE(review): summary derived from the field names and types only; confirm
// against the code that fills the struct.
type Instrumentable struct {
	Type                 svc.InstrumentableType
	InstrumentationError error

	// In some runtimes, such as Python gunicorn, tracing must be allowed for
	// both the parent PID and all of its child PIDs.
	ChildPids []uint32

	FileInfo *exec.FileInfo
	Offsets  *goexec.Offsets
	Tracer   *ProcessTracer
}

func (*Instrumentable) CopyToServiceAttributes

func (ie *Instrumentable) CopyToServiceAttributes()

type KprobesTracer

// KprobesTracer extends CommonTracer with the kernel probes and tracepoints
// that a tracer declares.
type KprobesTracer interface {
	CommonTracer
	// KProbes returns a map with the name of the kernel probes that need to be
	// tapped into. Start matches kprobe, End matches kretprobe.
	KProbes() map[string]ebpfcommon.ProbeDesc
	// Tracepoints returns a map of probe descriptions keyed by string.
	// NOTE(review): presumably keyed by tracepoint name, as KProbes is keyed
	// by probe name; confirm.
	Tracepoints() map[string]ebpfcommon.ProbeDesc
}

type PIDsAccounter

// PIDsAccounter is implemented by tracers that keep track of the processes
// whose traces they accept.
type PIDsAccounter interface {
	// AllowPID tells the tracer to accept traces from the process identified
	// by pid and ns. The tracer should discard traces from any process whose
	// PID has not been allowed before.
	//
	// attrs is passed as a pointer so that all child processes share the same
	// svc.Attrs object; this matters when a service is tagged as exporting
	// traces or metrics.
	//
	// NOTE(review): ns is presumably the PID namespace that pid belongs to;
	// confirm against the implementations.
	AllowPID(pid, ns uint32, attrs *svc.Attrs)
	// BlockPID tells the tracer to stop accepting traces from the process
	// identified by pid and ns. Traces that are still received via the
	// ringbuffer afterwards should be discarded.
	BlockPID(pid, ns uint32)
}

type ProcessTracer

// ProcessTracer instruments an executable with eBPF and provides the eBPF
// readers that forward the traces to later stages in the pipeline.
type ProcessTracer struct {
	// Programs is the list of Tracer implementations held by this
	// ProcessTracer.
	Programs []Tracer

	// Type is the ProcessTracerType of this tracer.
	Type            ProcessTracerType
	// Instrumentables maps a uint64 key to an instrumenter.
	// NOTE(review): the meaning of the key is not visible here; confirm
	// before relying on it.
	Instrumentables map[uint64]*instrumenter
	// contains filtered or unexported fields
}

ProcessTracer instruments an executable with eBPF and provides the eBPF readers that will forward the traces to later stages in the pipeline. TODO: We need to pass the ELFInfo from this ProcessTracer into a Tracer so that the GPU kernel event listener can find symbol names from addresses in the ELF file.

func NewProcessTracer

func NewProcessTracer(tracerType ProcessTracerType, programs []Tracer, shutdownTimeout time.Duration, metrics imetrics.Reporter) *ProcessTracer

func (*ProcessTracer) AllowPID

func (pt *ProcessTracer) AllowPID(pid, ns uint32, svc *svc.Attrs)

func (*ProcessTracer) BlockPID

func (pt *ProcessTracer) BlockPID(pid, ns uint32)

func (*ProcessTracer) Init

func (pt *ProcessTracer) Init(eventContext *common.EBPFEventContext) error

func (*ProcessTracer) NewExecutable

func (pt *ProcessTracer) NewExecutable(exe *link.Executable, ie *Instrumentable) error

func (*ProcessTracer) NewExecutableInstance

func (pt *ProcessTracer) NewExecutableInstance(ie *Instrumentable) error

func (*ProcessTracer) Run

func (pt *ProcessTracer) Run(ctx context.Context, ebpfEventContext *common.EBPFEventContext, out *msg.Queue[[]request.Span])

func (*ProcessTracer) UnlinkExecutable

func (pt *ProcessTracer) UnlinkExecutable(info *exec.FileInfo)

type ProcessTracerType

// ProcessTracerType identifies the kind of a ProcessTracer; the package
// declares the values Go and Generic.
type ProcessTracerType int

type Tracer

// Tracer is an individual eBPF program (e.g. the net/http or the grpc
// tracers).
type Tracer interface {
	PIDsAccounter
	KprobesTracer
	// Constants returns the constants to be overridden in the eBPF program.
	// Each key is a constant name and each value is the value written over it.
	Constants() map[string]any
	// GoProbes returns, keyed by the name of the Go functions that need to be
	// inspected in the executable, the eBPF programs that optionally need to
	// be inserted as the Go function start and end probes.
	GoProbes() map[string][]*ebpfcommon.ProbeDesc
	// UProbes returns, keyed by module name, the uprobes that need to be
	// tapped into. Start matches uprobe, End matches uretprobe.
	UProbes() map[string]map[string][]*ebpfcommon.ProbeDesc
	// SocketFilters returns the programs that need to be loaded as generic
	// eBPF socket filters.
	SocketFilters() []*ebpf.Program
	// SockMsgs returns the programs that need to be loaded as
	// BPF_PROG_TYPE_SK_MSG eBPF programs.
	SockMsgs() []ebpfcommon.SockMsg
	// SockOps returns the programs that need to be loaded as
	// BPF_PROG_TYPE_SOCK_OPS eBPF programs.
	SockOps() []ebpfcommon.SockOps
	// Iters returns the programs that need to be loaded as
	// BPF_PROG_TYPE_TRACING with the BPF_TRACE_ITER attach type.
	Iters() []*ebpfcommon.Iter
	// Probes can potentially instrument a shared library that is used by
	// several executables. The instrumented-lib methods below allow programs
	// to remember this and avoid duplicated instrumentation. id is the OS
	// file id. closers are the closable resources associated with the lib,
	// which may be closed when UnlinkInstrumentedLib() is called.
	RecordInstrumentedLib(id uint64, closers []io.Closer)
	AddInstrumentedLibRef(id uint64)
	AlreadyInstrumentedLib(id uint64) bool
	UnlinkInstrumentedLib(id uint64)
	RegisterOffsets(fileInfo *exec.FileInfo, offsets *goexec.Offsets)
	ProcessBinary(fileInfo *exec.FileInfo)
	Required() bool
	// Run listens for eBPF traces and forwards them periodically to out.
	Run(ctx context.Context, eventContext *ebpfcommon.EBPFEventContext, out *msg.Queue[[]request.Span])
}

Tracer is an individual eBPF program (e.g. the net/http or the grpc tracers)

type UtilityTracer

// UtilityTracer is implemented by eBPF programs that are not tied to service
// monitoring: it requires only the KprobesTracer methods plus Run.
type UtilityTracer interface {
	KprobesTracer
	// Run takes only a context.
	Run(ctx context.Context)
}

UtilityTracer is a subset of the Tracer interface above; it supports loading eBPF programs that are not tied to service monitoring.

Directories

Path Synopsis
Package ringbuf provides some type aliases to prevent testing/compilation errors in non-linux environments due to the use of Cilium's ringbuf package, which is only available on Linux.
Package ringbuf provides some type aliases to prevent testing/compilation errors in non-linux environments due to the use of Cilium's ringbuf package, which is only available on Linux.
line below avoids linter errors on Mac
line below avoids linter errors on Mac
