Merge pull request #60 from ddosify/develop

use perf_event_array instead of ringbuf

ebpf/l7_req/l7.c

@@ -10,7 +10,7 @@
 #include <stddef.h>
 #include "../headers/pt_regs.h"
 
-#include "log.h"
+#include "../headers/log.h"
 #include "http.c"
 #include "amqp.c"
 #include "postgres.c"

ebpf/proc/main.go

@@ -2,13 +2,14 @@ package proc
 
 import (
 	"context"
+	"os"
 	"time"
 	"unsafe"
 
 	"github.com/ddosify/alaz/log"
 
 	"github.com/cilium/ebpf/link"
-	"github.com/cilium/ebpf/ringbuf"
+	"github.com/cilium/ebpf/perf"
 	"github.com/cilium/ebpf/rlimit"
 )
 
@@ -40,10 +41,10 @@ func (e ProcEventConversion) String() string {
 // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile.
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf proc.c -- -I../headers
 
-// for both ebpf and userspace
 type PEvent struct {
 	Pid   uint32
 	Type_ uint8
+	_     [3]byte
 }
 
 type ProcEvent struct {
@@ -97,7 +98,7 @@ func DeployAndWait(parentCtx context.Context, ch chan interface{}) {
 		l1.Close()
 	}()
 
-	pEvents, err := ringbuf.NewReader(objs.Rb)
+	pEvents, err := perf.NewReader(objs.ProcEvents, 16*os.Getpagesize())
 	if err != nil {
 		log.Logger.Fatal().Err(err).Msg("error creating ringbuf reader")
 	}
@@ -117,6 +118,11 @@ func DeployAndWait(parentCtx context.Context, ch chan interface{}) {
 					log.Logger.Warn().Err(err).Msg("error reading from pExitEvents")
 				}
 
+				if record.RawSample == nil || len(record.RawSample) == 0 {
+					log.Logger.Debug().Msgf("read sample l7-event nil or empty")
+					return
+				}
+
 				bpfEvent := (*PEvent)(unsafe.Pointer(&record.RawSample[0]))
 
 				go func() {

ebpf/proc/proc.c

@@ -7,20 +7,30 @@
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>
 
+char __license[] SEC("license") = "Dual MIT/GPL";
+
 struct p_event{
     __u32 pid;
     __u8 type;
 };
 
 struct {
-    __uint(type, BPF_MAP_TYPE_RINGBUF);
-    __uint(max_entries, 256 * 1024);
-} rb SEC(".maps");
+     __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
+     __type(key, __u32);
+     __type(value, struct p_event);
+     __uint(max_entries, 1);
+} proc_event_heap SEC(".maps");
+
+struct {
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+    __uint(key_size, sizeof(int));
+    __uint(value_size, sizeof(int));
+} proc_events SEC(".maps");
+
 
 SEC("tracepoint/sched/sched_process_exec")
 int sched_process_exec(struct trace_event_raw_sched_process_exec* ctx)
 {
-    struct p_event *e;
     __u32 pid, tid;
     __u64 id = 0;
 
@@ -33,22 +43,23 @@ int sched_process_exec(struct trace_event_raw_sched_process_exec* ctx)
     if (pid != tid)
         return 0;
 
-    /* reserve sample from BPF ringbuf */
-    e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
-    if (!e)
+    int zero = 0;
+    struct p_event *e = bpf_map_lookup_elem(&proc_event_heap, &zero);
+    if (!e) {
         return 0;
+    }
+
     e->pid = pid;
     e->type = PROC_EXEC_EVENT;
 
-    bpf_ringbuf_submit(e, 0);
+    bpf_perf_event_output(ctx, &proc_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
     return 0;
 }
 
 
 SEC("tracepoint/sched/sched_process_exit")
 int sched_process_exit(struct trace_event_raw_sched_process_exit* ctx)
 {
-    struct p_event *e;
     __u32 pid, tid;
     __u64 id = 0;
 
@@ -60,14 +71,16 @@ int sched_process_exit(struct trace_event_raw_sched_process_exit* ctx)
     /* ignore thread exits */
     if (pid != tid)
         return 0;
-
-    /* reserve sample from BPF ringbuf */
-    e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
-    if (!e)
+    
+    int zero = 0;
+    struct p_event *e = bpf_map_lookup_elem(&proc_event_heap, &zero);
+    if (!e) {
         return 0;
+    }
+
     e->pid = pid;
     e->type = PROC_EXIT_EVENT;
 
-    bpf_ringbuf_submit(e, 0);
+    bpf_perf_event_output(ctx, &proc_events, BPF_F_CURRENT_CPU, e, sizeof(*e));
     return 0;
 }