ebpfcommon

package
v0.4.1 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jan 11, 2026 License: Apache-2.0 Imports: 48 Imported by: 0

Documentation

Index

Constants

// Event type codes, numbered 5 through 16.
//
// NOTE(review): the per-line comments (e.g. EVENT_SQL_CLIENT) suggest these
// values mirror identifiers in the C/eBPF code. Presumably a mismatch would
// make user space interpret a kernel-produced record as the wrong structure,
// so confirm against the C headers before renumbering.
// EventOTelSDKGo is the only name in the group without the EventType prefix.
const (
	EventTypeSQL            = 5  // EVENT_SQL_CLIENT
	EventTypeKHTTP          = 6  // HTTP Events generated by kprobes
	EventTypeKHTTP2         = 7  // HTTP2/gRPC Events generated by kprobes
	EventTypeTCP            = 8  // Unknown TCP protocol to be classified by user space
	EventTypeGoSarama       = 9  // Kafka client for Go (Shopify/IBM Sarama)
	EventTypeGoRedis        = 10 // Redis client for Go
	EventTypeGoKafkaGo      = 11 // Kafka-Go client from Segment-io
	EventTypeTCPLargeBuffer = 12 // Dynamically sized TCP buffers
	EventOTelSDKGo          = 13 // OTel SDK manual span
	EventTypeGoMongo        = 14 // Go MongoDB spans
	EventTypeFailedConnect  = 15 // Failed Connections
	EventTypeDNS            = 16 // DNS events
)
// SQL protocol identifiers, stored as uint8. The package documents this group
// as "Kernel-side classification".
const (
	// ProtocolTypeUnknown is the zero value: no protocol was identified.
	ProtocolTypeUnknown uint8 = 0
	// ProtocolTypeMySQL identifies the MySQL protocol.
	ProtocolTypeMySQL uint8 = 1
	// ProtocolTypePostgres identifies the Postgres protocol.
	ProtocolTypePostgres uint8 = 2
)

Kernel-side classification

// HTTP/2 frame type codes, numbered consecutively from 0x0 (DATA) to 0x9
// (CONTINUATION). The order of the entries fixes their values, so new entries
// must not be inserted in the middle.
const (
	FrameData         http2FrameType = iota // 0x0
	FrameHeaders                            // 0x1
	FramePriority                           // 0x2
	FrameRSTStream                          // 0x3
	FrameSettings                           // 0x4
	FramePushPromise                        // 0x5
	FramePing                               // 0x6
	FrameGoAway                             // 0x7
	FrameWindowUpdate                       // 0x8
	FrameContinuation                       // 0x9
)

Variables

// ActiveNamespaces is an exported, package-level map from uint32 to uint32,
// created empty at package initialisation.
//
// Plain Go maps are not safe for concurrent reads and writes, and any
// importing package can mutate this one.
// NOTE(review): no guarding lock is visible next to this declaration; confirm
// which lock callers are expected to hold, and what the keys and values
// represent.
var ActiveNamespaces = map[uint32]uint32{}
// IntegrityModeOverride is an exported, mutable package-level flag that starts
// out false.
//
// NOTE(review): the name suggests it overrides how kernel lockdown integrity
// mode is handled (see KernelLockdownIntegrity); confirm. Because it is
// exported, any importing package can flip it, and unsynchronised writes from
// several goroutines are a data race.
var IntegrityModeOverride bool
// MisclassifiedEvents is an exported, package-level channel of
// MisclassifiedEvent values. It is unbuffered (capacity 0), so a send blocks
// until a receiver is ready.
//
// NOTE(review): confirm that a consumer is always running, otherwise a
// producer on the event path would stall on this channel.
var MisclassifiedEvents = make(chan MisclassifiedEvent, 0)

Functions

func CMDLineForPID added in v0.3.0

func CMDLineForPID(pid int32) (string, []string, error)

CMDLineForPID parses /proc/<pid>/cmdline and extracts the executable and arguments. Returns the executable path and a slice of arguments (excluding the executable). The cmdline file contains null-separated arguments.

func CWDForPID added in v0.3.0

func CWDForPID(pid int32) (string, error)

CWDForPID extracts the current working directory for a process by reading the symlink at /proc/<pid>/cwd.

func FailedConnectToSpan

func FailedConnectToSpan(trace *TCPRequestInfo) request.Span

func FindNetworkNamespace

func FindNetworkNamespace(pid int32) (string, error)

func FixupSpec

func FixupSpec(spec *ebpf.CollectionSpec, overrideKernelVersion bool)

func ForwardRingbuf

func ForwardRingbuf(
	cfg *config.EBPFTracer,
	ringbuffer *ebpf.Map,
	filter ServiceFilter,
	reader func(*EBPFParseContext, *config.EBPFTracer, *ringbuf.Record, ServiceFilter) (request.Span, bool, error),
	logger *slog.Logger,
	metrics imetrics.Reporter,
	spansChan *msg.Queue[[]request.Span],
	closers ...io.Closer,
) func(context.Context, *msg.Queue[[]request.Span])

func GoKafkaSaramaToSpan

func GoKafkaSaramaToSpan(event *GoSaramaClientInfo, data *KafkaInfo) request.Span

func HTTPInfoEventToSpan

func HTTPInfoEventToSpan(parseCtx *EBPFParseContext, event *BPFHTTPInfo) (request.Span, bool, error)

func HTTPRequestTraceToSpan

func HTTPRequestTraceToSpan(trace *HTTPRequestTrace) request.Span

func HasHostNetworkAccess

func HasHostNetworkAccess() (bool, error)

func HasHostPidAccess

func HasHostPidAccess() bool

func ReadBPFTraceAsSpan

func ReadBPFTraceAsSpan(parseCtx *EBPFParseContext, cfg *config.EBPFTracer, record *ringbuf.Record, filter ServiceFilter) (request.Span, bool, error)

func ReadFailedConnectIntoSpan

func ReadFailedConnectIntoSpan(record *ringbuf.Record, filter ServiceFilter) (request.Span, bool, error)

func ReadGoKafkaGoRequestIntoSpan

func ReadGoKafkaGoRequestIntoSpan(record *ringbuf.Record) (request.Span, bool, error)

func ReadGoMongoRequestIntoSpan

func ReadGoMongoRequestIntoSpan(record *ringbuf.Record) (request.Span, bool, error)

func ReadGoOTelEventIntoSpan

func ReadGoOTelEventIntoSpan(record *ringbuf.Record) (request.Span, bool, error)

func ReadGoRedisRequestIntoSpan

func ReadGoRedisRequestIntoSpan(record *ringbuf.Record) (request.Span, bool, error)

func ReadGoSaramaRequestIntoSpan

func ReadGoSaramaRequestIntoSpan(record *ringbuf.Record) (request.Span, bool, error)

func ReadHTTP2InfoIntoSpan

func ReadHTTP2InfoIntoSpan(parseContext *EBPFParseContext, record *ringbuf.Record, filter ServiceFilter) (request.Span, bool, error)

func ReadHTTPInfoIntoSpan

func ReadHTTPInfoIntoSpan(parseCtx *EBPFParseContext, record *ringbuf.Record, filter ServiceFilter) (request.Span, bool, error)

func ReadSQLRequestTraceAsSpan

func ReadSQLRequestTraceAsSpan(record *ringbuf.Record) (request.Span, bool, error)

func ReadTCPRequestIntoSpan

func ReadTCPRequestIntoSpan(parseCtx *EBPFParseContext, cfg *config.EBPFTracer, record *ringbuf.Record, filter ServiceFilter) (request.Span, bool, error)

ReadTCPRequestIntoSpan returns a request.Span from the provided ring buffer record

func ReinterpretCast

func ReinterpretCast[T any](b []byte) (*T, error)

func RootDirectoryForPID

func RootDirectoryForPID(pid int32) string

func SQLRequestTraceToSpan

func SQLRequestTraceToSpan(trace *SQLRequestTrace) request.Span

func SharedRingbuf

func SharedRingbuf(
	eventContext *EBPFEventContext,
	parseContext *EBPFParseContext,
	cfg *config.EBPFTracer,
	filter ServiceFilter,
	ringbuffer *ebpf.Map,
	metrics imetrics.Reporter,
) func(context.Context, []io.Closer, *msg.Queue[[]request.Span])

SharedRingbuf returns a function that reads HTTPRequestTraces from an input ring buffer, accumulates them into an internal buffer, and forwards them to an output events channel after converting them to request.Span instances.

func SupportsContextPropagationWithProbe

func SupportsContextPropagationWithProbe(log *slog.Logger) bool

func SupportsEBPFLoops

func SupportsEBPFLoops(log *slog.Logger, overrideKernelVersion bool) bool

func TCPToFastCGIToSpan

func TCPToFastCGIToSpan(trace *TCPRequestInfo, op, uri string, status int) request.Span

func TCPToKafkaToSpan

func TCPToKafkaToSpan(trace *TCPRequestInfo, data *KafkaInfo) request.Span

func TCPToMongoToSpan

func TCPToMongoToSpan(trace *TCPRequestInfo, info *mongoSpanInfo) request.Span

func TCPToRedisToSpan

func TCPToRedisToSpan(trace *TCPRequestInfo, op, text string, status, db int, dbError request.DBError) request.Span

func TCPToSQLToSpan

func TCPToSQLToSpan(trace *TCPRequestInfo, op, table, sql string, kind request.SQLKind, sqlCommand string, sqlError *request.SQLError) request.Span

Types

type BPFConnInfo

type BPFConnInfo BpfConnectionInfoT

BPFConnInfo is declared over BpfConnectionInfoT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type BPFHTTP2Info

type BPFHTTP2Info BpfHttp2GrpcRequestT

type BPFHTTPInfo

type BPFHTTPInfo BpfHttpInfoT

BPFHTTPInfo is declared over BpfHttpInfoT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type DNSInfo

type DNSInfo BpfDnsReqT

DNSInfo is declared over BpfDnsReqT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type EBPFEventContext

// EBPFEventContext groups a service filter, a ring buffer forwarder, a table
// of eBPF maps keyed by string, and three mutexes.
//
// The struct holds sync.Mutex values, so it must not be copied after first
// use; NewEBPFEventContext returns a pointer.
// NOTE(review): the lock names suggest RingBufLock guards SharedRingBuffer,
// MapsLock guards EBPFMaps and LoadLock serialises program loading. All fields
// are exported, so nothing stops a caller from touching EBPFMaps without
// MapsLock; confirm the locking contract.
type EBPFEventContext struct {
	CommonPIDsFilter ServiceFilter
	SharedRingBuffer *ringBufForwarder
	EBPFMaps         map[string]*ebpf.Map
	RingBufLock      sync.Mutex
	MapsLock         sync.Mutex
	LoadLock         sync.Mutex
}

func NewEBPFEventContext

func NewEBPFEventContext() *EBPFEventContext

type EBPFParseContext

type EBPFParseContext struct {
	// contains filtered or unexported fields
}

func NewEBPFParseContext

func NewEBPFParseContext(cfg *config.EBPFTracer, spansChan *msg.Queue[[]request.Span], filter ServiceFilter) *EBPFParseContext

type Filter

// Filter holds a file descriptor together with an embedded io.Closer.
//
// *Filter declares its own Close method, which takes precedence over the Close
// promoted from the embedded io.Closer; the embedded interface value is nil
// unless a caller sets it.
// NOTE(review): Fd is a raw descriptor, presumably the one Close releases;
// confirm that Close is safe to call twice so the descriptor number is not
// closed again after the OS has reused it.
type Filter struct {
	io.Closer
	Fd int
}

func (*Filter) Close

func (f *Filter) Close() error

type GoKafkaGoClientInfo

type GoKafkaGoClientInfo BpfKafkaGoReqT

GoKafkaGoClientInfo is declared over BpfKafkaGoReqT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type GoMongoClientInfo

type GoMongoClientInfo BpfMongoGoClientReqT

GoMongoClientInfo is declared over BpfMongoGoClientReqT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type GoOTelSpanTrace

type GoOTelSpanTrace BpfOtelSpanT

GoOTelSpanTrace is declared over BpfOtelSpanT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type GoRedisClientInfo

type GoRedisClientInfo BpfRedisClientReqT

GoRedisClientInfo is declared over BpfRedisClientReqT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type GoSaramaClientInfo

type GoSaramaClientInfo BpfKafkaClientReqT

GoSaramaClientInfo is declared over BpfKafkaClientReqT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type HTTPInfo

// HTTPInfo embeds BPFHTTPInfo and adds string fields for the method, URL,
// host, peer, Host header and body.
//
// NOTE(review): presumably the strings are decoded from the raw eBPF event,
// i.e. from traffic the instrumented process sent or received. Treat them as
// untrusted input, and confirm whether URL and Body are truncated or redacted
// before export, since they can carry credentials or personal data.
type HTTPInfo struct {
	BPFHTTPInfo
	Method     string
	URL        string
	Host       string
	Peer       string
	HeaderHost string
	Body       string
}

type HTTPRequestTrace

type HTTPRequestTrace BpfHttpRequestTraceT

HTTPRequestTrace contains information from an HTTP request as directly received from the eBPF layer. This contains low-level C structures for accurate binary read from ring buffer.

type IdentityPidsFilter

type IdentityPidsFilter struct{}

IdentityPidsFilter is a PIDsFilter that does not filter anything. It is suitable for specific cases such as the GPU tracer.

func (*IdentityPidsFilter) AllowPID

func (pf *IdentityPidsFilter) AllowPID(_ uint32, _ uint32, _ *svc.Attrs, _ PIDType)

func (*IdentityPidsFilter) BlockPID

func (pf *IdentityPidsFilter) BlockPID(_ uint32, _ uint32)

func (*IdentityPidsFilter) CurrentPIDs

func (pf *IdentityPidsFilter) CurrentPIDs(_ PIDType) map[uint32]map[uint32]svc.Attrs

func (*IdentityPidsFilter) Filter

func (pf *IdentityPidsFilter) Filter(inputSpans []request.Span) []request.Span

func (*IdentityPidsFilter) ValidPID

func (pf *IdentityPidsFilter) ValidPID(_ uint32, _ uint32, _ PIDType) bool

type InstrumentedLibsT

type InstrumentedLibsT map[uint64]*LibModule

Hold onto Linux inode numbers of files that are already instrumented, e.g. libssl.so.3

func (InstrumentedLibsT) AddRef

func (libs InstrumentedLibsT) AddRef(id uint64) *LibModule

func (InstrumentedLibsT) At

func (libs InstrumentedLibsT) At(id uint64) *LibModule

func (InstrumentedLibsT) Find

func (libs InstrumentedLibsT) Find(id uint64) *LibModule

func (InstrumentedLibsT) RemoveRef

func (libs InstrumentedLibsT) RemoveRef(id uint64) (*LibModule, error)

type Iter

// Iter pairs an eBPF program with a link.
//
// NOTE(review): presumably Link is the attachment of Program and has to be
// closed to detach it; confirm who owns the close.
type Iter struct {
	Program *ebpf.Program
	Link    link.Link
}

type KafkaInfo

// KafkaInfo describes one Kafka operation: its kind, topic, client ID and an
// optional partition/offset pair.
//
// NOTE(review): the ProcessKafka* functions build this from packet bytes, so
// Topic and ClientID are presumably taken from the wire; treat them as
// untrusted strings when they are used as span attributes or metric labels.
// PartitionInfo is a pointer and may presumably be nil; check before use.
type KafkaInfo struct {
	Operation     Operation
	Topic         string
	ClientID      string
	PartitionInfo *PartitionInfo
}

func ProcessKafkaEvent

func ProcessKafkaEvent(pkt []byte, rpkt []byte, kafkaTopicUUIDToName *simplelru.LRU[kafkaparser.UUID, string]) (*KafkaInfo, bool, error)

func ProcessKafkaRequest

func ProcessKafkaRequest(pkt []byte, kafkaTopicUUIDToName *simplelru.LRU[kafkaparser.UUID, string]) (*KafkaInfo, bool, error)

func ProcessPossibleKafkaEvent

func ProcessPossibleKafkaEvent(event *TCPRequestInfo, pkt []byte, rpkt []byte, kafkaTopicUUIDToName *simplelru.LRU[kafkaparser.UUID, string]) (*KafkaInfo, bool, error)

ProcessPossibleKafkaEvent processes a TCP packet and returns an error if the packet is not a valid Kafka request. Otherwise, it returns a KafkaInfo with the processed data.

type KernelLockdown

// KernelLockdown is a small integer code for a kernel lockdown state.
type KernelLockdown uint8

// Lockdown codes start at 1, which leaves the zero value of KernelLockdown
// unassigned.
//
// NOTE(review): callers should not read the zero value or KernelLockdownOther
// as "no lockdown"; confirm what KernelLockdownMode returns when the state
// cannot be determined.
const (
	KernelLockdownNone            KernelLockdown = 1
	KernelLockdownIntegrity       KernelLockdown = 2
	KernelLockdownConfidentiality KernelLockdown = 3
	KernelLockdownOther           KernelLockdown = 4
)

func KernelLockdownMode

func KernelLockdownMode() KernelLockdown

type LibModule

// LibModule holds a reference count and a list of closers.
//
// NOTE(review): InstrumentedLibsT exposes AddRef and RemoveRef, which
// presumably adjust References, with Closers run once it drops to zero;
// confirm. References is an unsigned, exported field, so an unbalanced
// decrement would wrap rather than go negative.
type LibModule struct {
	References uint64
	Closers    []io.Closer
}

type MisclassifiedEvent

// MisclassifiedEvent carries an event type code together with a pointer to a
// TCP request record. Values of this type travel over the MisclassifiedEvents
// channel.
//
// NOTE(review): EventType presumably takes one of the EventType* constants,
// and TCPInfo presumably may be nil; confirm both before dereferencing.
type MisclassifiedEvent struct {
	EventType int
	TCPInfo   *TCPRequestInfo
}

type MongoRequestKey

type MongoRequestKey struct {
	// contains filtered or unexported fields
}

type MongoRequestValue

// MongoRequestValue holds the request and response sections of one MongoDB
// exchange, plus its timestamps and state flags. PendingMongoDBRequests stores
// pointers to these values keyed by MongoRequestKey.
//
// NOTE(review): the sections are presumably parsed from captured traffic;
// treat their contents as untrusted. The unit of StartTime and EndTime is not
// stated here; confirm.
type MongoRequestValue struct {
	RequestSections  []mongoSection
	ResponseSections []mongoSection
	StartTime        int64 // timestamp when the request was received
	EndTime          int64 // timestamp when the response was received
	Flags            int32 // Flags to indicate the state of the request
}

func ProcessMongoEvent

func ProcessMongoEvent(buf []uint8, startTime int64, endTime int64, connInfo BpfConnectionInfoT, requests PendingMongoDBRequests) (*MongoRequestValue, bool, error)

type Operation

// Operation is the kind of Kafka operation recorded in KafkaInfo.Operation.
type Operation int8

// Known operations. The order of the entries fixes their values: Produce is 0
// and Fetch is 1.
// NOTE(review): these presumably mirror the Kafka API keys of the same names;
// confirm before adding entries.
const (
	Produce Operation = iota
	Fetch
)

func (Operation) String

func (k Operation) String() string

type PIDInfo

type PIDInfo struct {
	// contains filtered or unexported fields
}

type PIDType

// PIDType distinguishes categories of tracked PIDs. It is passed to the
// AllowPID, ValidPID and CurrentPIDs methods of ServiceFilter.
type PIDType uint8

// PID type codes start at 1, which leaves the zero value of PIDType
// unassigned.
const (
	PIDTypeKProbes PIDType = 1
	PIDTypeGo      PIDType = 2
)

type PIDsFilter

type PIDsFilter struct {
	// contains filtered or unexported fields
}

PIDsFilter keeps a thread-safe copy of the PIDs whose traces are allowed to be forwarded. Its Filter method filters the request.Span instances whose PIDs are not in the allowed list.

func (*PIDsFilter) AllowPID

func (pf *PIDsFilter) AllowPID(pid, ns uint32, svc *svc.Attrs, pidType PIDType)

func (*PIDsFilter) BlockPID

func (pf *PIDsFilter) BlockPID(pid, ns uint32)

func (*PIDsFilter) CurrentPIDs

func (pf *PIDsFilter) CurrentPIDs(t PIDType) map[uint32]map[uint32]svc.Attrs

func (*PIDsFilter) Filter

func (pf *PIDsFilter) Filter(inputSpans []request.Span) []request.Span

func (*PIDsFilter) ValidPID

func (pf *PIDsFilter) ValidPID(userPID, ns uint32, pidType PIDType) bool

type PartitionInfo

// PartitionInfo holds a Kafka partition number and an offset. KafkaInfo refers
// to it through an optional pointer.
//
// NOTE(review): both values are presumably read from packet data; confirm they
// are range-checked before being used as indexes or sizes.
type PartitionInfo struct {
	Partition int
	Offset    int64
}

type PendingMongoDBRequests

type PendingMongoDBRequests = *expirable.LRU[MongoRequestKey, *MongoRequestValue]

type ProbeDesc

// ProbeDesc holds the information of the instrumentation points of a given
// function/symbol.
type ProbeDesc struct {
	// Required, if true, cancels the execution of the eBPF Tracer
	// when the function has not been found in the executable.
	Required bool

	// The eBPF program to attach to the symbol as a uprobe (either to the
	// symbol name or to StartOffset).
	Start *ebpf.Program

	// The eBPF program to attach to the symbol either as a uretprobe or as a
	// uprobe to ReturnOffsets.
	End *ebpf.Program

	// Optional offset to the start of the symbol.
	StartOffset uint64

	// Optional list of the offsets of every RET instruction in the symbol.
	// NOTE(review): presumably these offsets come from disassembling the
	// target binary; confirm they are validated against the symbol's bounds
	// before a probe is attached.
	ReturnOffsets []uint64
}

ProbeDesc holds the information of the instrumentation points of a given function/symbol

type Protocol

// Protocol distinguishes HTTP/2 from gRPC.
type Protocol uint8

// Protocol codes start at 1, which leaves the zero value of Protocol
// unassigned.
// NOTE(review): the published documentation for this group says the constants
// need to coincide with C identifiers; confirm against the C side before
// renumbering.
const (
	HTTP2 Protocol = 1
	GRPC  Protocol = 2
)

The following consts need to coincide with some C identifiers: EVENT_HTTP_REQUEST, EVENT_GRPC_REQUEST, EVENT_HTTP_CLIENT, EVENT_GRPC_CLIENT, EVENT_SQL_CLIENT

type SQLRequestTrace

type SQLRequestTrace BpfSqlRequestTraceT

SQLRequestTrace is declared over BpfSqlRequestTraceT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type ServiceFilter

// ServiceFilter is the interface for deciding which PIDs' spans are kept.
// PIDsFilter and IdentityPidsFilter both provide these methods.
//
// The two leading uint32 parameters are unnamed here; PIDsFilter names them
// pid and ns.
type ServiceFilter interface {
	// AllowPID registers a PID with its service attributes and PID type.
	AllowPID(uint32, uint32, *svc.Attrs, PIDType)
	// BlockPID removes a PID. NOTE(review): presumably the inverse of
	// AllowPID; confirm.
	BlockPID(uint32, uint32)
	// ValidPID reports whether the given PID is accepted for the PID type.
	ValidPID(uint32, uint32, PIDType) bool
	// Filter returns the spans that pass the filter.
	Filter(inputSpans []request.Span) []request.Span
	// CurrentPIDs returns service attributes in a two-level map keyed by
	// uint32. NOTE(review): presumably namespace then PID; confirm the order.
	CurrentPIDs(PIDType) map[uint32]map[uint32]svc.Attrs
}

func CommonPIDsFilter

func CommonPIDsFilter(c *services.DiscoveryConfig, metrics imetrics.Reporter) ServiceFilter

type SockMsg

// SockMsg holds an eBPF program, a map file descriptor and the attach type to
// use, together with an embedded io.Closer.
//
// *SockMsg declares its own Close method, which takes precedence over the
// Close promoted from the embedded io.Closer; the embedded interface value is
// nil unless a caller sets it.
// NOTE(review): MapFD is a raw descriptor, presumably for the map the program
// is attached to; confirm who owns and closes it.
type SockMsg struct {
	io.Closer
	Program  *ebpf.Program
	MapFD    int
	AttachAs ebpf.AttachType
}

func (*SockMsg) Close

func (s *SockMsg) Close() error

type SockOps

// SockOps holds an eBPF program, the attach type to use and a link, together
// with an embedded io.Closer.
//
// *SockOps declares its own Close method, which takes precedence over the
// Close promoted from the embedded io.Closer; the embedded interface value is
// nil unless a caller sets it.
// NOTE(review): SockopsCgroup is presumably the cgroup attachment of Program
// and is released by Close; confirm.
type SockOps struct {
	io.Closer
	Program       *ebpf.Program
	AttachAs      ebpf.AttachType
	SockopsCgroup link.Link
}

func (*SockOps) Close

func (s *SockOps) Close() error

type TCPLargeBufferHeader

type TCPLargeBufferHeader BpfTcpLargeBufferT

TCPLargeBufferHeader is declared over BpfTcpLargeBufferT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

type TCPRequestInfo

type TCPRequestInfo BpfTcpReqT

TCPRequestInfo is declared over BpfTcpReqT, presumably a low-level C-layout structure for accurate binary reads from the eBPF ring buffer. (The published comment for this type describes HTTPRequestTrace and appears to have been copied from that type.)

Directories

Path Synopsis
