Merge pull request #3 from richiejp/cgroup

Add partial process tracking for CGroups

Author: dkorunic

README.md

@@ -19,8 +19,7 @@ By default eBPF component uses **TC** (Traffic Control) eBPF hooks with TCX atta
 
 Alternatively it can use **KProbes** to monitor TCP, UDP, ICMPv4 and ICMPv6 communication throughout all containers, K8s pods, translations and forwards and display process ID as well as process name, if the traffic was being sent or delivered to userspace application. KProbes traditionally work the slowest, being closest to the userspace -- but they bring sometimes useful process information. KProbes work also with much older Linux kernels as well, but the hard-dependancy is a [BTF-enabled](https://docs.ebpf.io/concepts/btf/) kernel.
 
-In case that you need to monitor just a specific **CGroup**, it is possible as well and monitoring both ingress and egress traffic is supported.
-
+In case that you need to monitor just a specific **CGroup**, it is possible as well and monitoring both ingress and egress traffic is supported. You can also monitor all traffic by attaching to the root CGroup (e.g. `/sys/fs/cgroup`). Process tracking is possible when using CGroups, but only for traffic where pktstat-bpf observed the socket creation. 
 ![Demo](demo.gif)
 
 ## Talk
@@ -50,7 +49,7 @@ The following table maps features, requirements and expected performance for des
 | Generic [PCAP](https://github.com/dkorunic/pktstat) | Yes     | Yes    | Low            | No               | Any             | No                |
 | [AF_PACKET](https://github.com/dkorunic/pktstat)    | Yes     | Yes    | Medium         | No               | v2.2            | No                |
 | KProbes                                             | Yes     | Yes    | Medium+        | **Yes**          | v4.1            | No                |
-| CGroup (SKB)                                        | Yes     | Yes    | Medium+        | No               | v4.10           | No                |
+| CGroup (SKB)                                        | Yes     | Yes    | Medium+        | Partial          | v4.10           | No                |
 | TC (SchedACT)                                       | Yes     | Yes    | **High**       | No               | v6.6            | No                |
 | XDP Generic                                         | Yes     | **No** | **High**       | No               | v5.9            | No                |
 | XDP Native                                          | Yes     | **No** | **Very high**  | No               | v5.9            | No                |

counter.c

@@ -46,6 +46,7 @@
 #define OK 1
 #define NOK 0
 #define ALLOW_PKT 1
+#define ALLOW_SK 1
 
 // Map key struct for IP traffic
 typedef struct statkey_t {
@@ -72,6 +73,18 @@ struct {
   __type(value, statvalue);
 } pkt_count SEC(".maps");
 
+typedef struct sockinfo_t {
+  __u8 comm[TASK_COMM_LEN];
+  pid_t pid;
+} sockinfo;
+
+struct {
+  __uint(type, BPF_MAP_TYPE_LRU_HASH);
+  __uint(max_entries, MAX_ENTRIES);
+  __type(key, __u64);
+  __type(value, sockinfo);
+} sock_info SEC(".maps");
+
 // IPv4-mapped IPv6 address prefix (for V4MAPPED conversion)
 static const __u8 ip4in6[] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};
 
@@ -327,7 +340,13 @@ static inline void process_cgroup_skb(struct __sk_buff *skb) {
     return;
   }
 
-  // lookup value in hash
+  __u64 cookie = bpf_get_socket_cookie(skb);
+  sockinfo *ski = bpf_map_lookup_elem(&sock_info, &cookie);
+  if (ski) {
+    key.pid = ski->pid;
+    __builtin_memcpy(key.comm, ski->comm, sizeof(key.comm));
+  }
+
   statvalue *val = (statvalue *)bpf_map_lookup_elem(&pkt_count, &key);
   if (val) {
     // atomic XADD, doesn't need bpf_spin_lock()
@@ -411,6 +430,21 @@ int tc_count_packets(struct __sk_buff *skb) {
   return TC_ACT_UNSPEC;
 }
 
+SEC("cgroup/sock_create")
+int cgroup_sock_create(struct bpf_sock *sk) {
+  __u64 cookie = bpf_get_socket_cookie(sk);
+  sockinfo ski = {
+    .pid = bpf_get_current_pid_tgid(),
+    .comm = {0},
+  };
+
+  bpf_get_current_comm(ski.comm, sizeof(ski.comm));
+
+  bpf_map_update_elem(&sock_info, &cookie, &ski, BPF_ANY);
+
+  return ALLOW_SK;
+}
+
 SEC("cgroup_skb/ingress")
 int cgroup_skb_ingress(struct __sk_buff *skb) {
   process_cgroup_skb(skb);

counter_arm64_bpfel.go

@@ -304,6 +304,15 @@ func startCgroup(objs counterObjects, cgroupPath string, links []link.Link) []li
 		log.Fatalf("Error checking CGroupSKB support: %v", err)
 	}
 
+	l, err = link.AttachCgroup(link.CgroupOptions{
+		Program: objs.CgroupSockCreate,
+		Attach:  ebpf.AttachCGroupInetSockCreate,
+		Path:    cgroupPath,
+	})
+	if err != nil {
+		log.Fatalf("Error attaching CgroupSockCreate to %s: %v", cgroupPath, err)
+	}
+
 	l, err = link.AttachCgroup(link.CgroupOptions{
 		Program: objs.CgroupSkbIngress,
 		Attach:  ebpf.AttachCGroupInetIngress,

counter_arm64_bpfel.o

@@ -186,6 +186,16 @@ func outputPlain(m []statEntry) string {
 			}
 		}
 
+		if *useCGroup != "" {
+			if v.Pid > 0 {
+				sb.WriteString(fmt.Sprintf(", pid: %d", v.Pid))
+			}
+
+			if v.Comm != "" {
+				sb.WriteString(fmt.Sprintf(", comm: %v", v.Comm))
+			}
+		}
+
 		sb.WriteString("\n")
 	}
 

counter_x86_bpfel.go

@@ -98,6 +98,8 @@ func drawTUI(objs counterObjects, startTime time.Time) {
 	infoView := tview.NewTextView().
 		SetTextColor(tcell.ColorYellow)
 	switch {
+	case *useCGroup != "":
+		infoView.SetText("CGroup eBPF mode w/ partial PID and comm tracking")
 	case *useKProbes:
 		infoView.SetText("KProbes eBPF mode w/ PID and comm tracking")
 	case *useXDP:
@@ -244,6 +246,15 @@ func updateStatsTable(app *tview.Application, table *tview.Table, tableSort *fun
 				table.SetCell(i+1, 9, tview.NewTableCell(v.Comm).
 					SetTextColor(tcell.ColorWhite).
 					SetExpansion(1))
+			} else if *useCGroup != "" && v.Pid > 0 && v.Comm != "" {
+				table.SetCell(i+1, 8, tview.NewTableCell(strconv.FormatInt(int64(v.Pid), 10)).
+					SetTextColor(tcell.ColorWhite).
+					SetExpansion(1))
+
+				table.SetCell(i+1, 9, tview.NewTableCell(v.Comm).
+					SetTextColor(tcell.ColorWhite).
+					SetExpansion(1))
+
 			} else {
 				table.SetCell(i+1, 8, tview.NewTableCell("").
 					SetTextColor(tcell.ColorWhite).