Implement process tree filter #927
Conversation
|
Doesn't work on 4.19: |
There was a problem hiding this comment.
Keeping track of parent and childs relations complicates the implementation.
It requires to loop until parent is found, which wastes cpu cycles, and defines a max depth of the tree (currently set to 100, but probably we will need to lower that so it can work in older kernels <5.2).
Instead, you can use the implementation I described in #836:
- Define a new map in the kernel - process_tree_map with a key that will represent a pid, and a value that will reresent if the process (and its descendants) should be traced or not.
- Populate this map during the init phase of tracee, as described above
- Update sched_process_fork event as follows: If the parent pid is in process_tree_map, add the child pid as well with the same value as of its parent.
- Update should_trace to consult this filter (probably we can use the equality filter semantics here).
- Update sched_process_exit to delete the pid entry from the map.
Using this method will not require to perform any loop, and no max depth of the process tree will limit the implementation
tracee-ebpf/main.go
Outdated
| if err != nil { | ||
| return fmt.Errorf("invalid PID given to filter: %s", valuesString) | ||
| } | ||
| procTreeFilter.PID = uint32(pid) |
There was a problem hiding this comment.
Any reason why not to support multiple tree filters?
tracee-ebpf/tracee/proc.go
Outdated
| for i := range procs { | ||
| stat, err := procs[i].Stat() | ||
| if err != nil { | ||
| return nil, err |
There was a problem hiding this comment.
will this retrun an error if a process exited while iterating procs?
There was a problem hiding this comment.
I just tested this, and yes you suspect correctly that it will.
There was a problem hiding this comment.
Do we want to fail in that case?
tracee-ebpf/tracee/proc.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
| processMap[uint32(stat.PPID)] = append(processMap[uint32(stat.PPID)], uint32(stat.PID)) |
There was a problem hiding this comment.
I think that using this method you will only have the pids, and not the tids.
This means that the threads of a process tree won't be included, which is not what we want.
There was a problem hiding this comment.
Hm alright, good call out. I'll change this to status.TGID, in bpf context->pid is tgid as we have it now.
There was a problem hiding this comment.
Actually tgid is same as pid in userspace context, why would threads not be included if in bpf we're looking at tgid?
There was a problem hiding this comment.
In the bpf code you update the map with parent_pid and child_pid (in sched_process_fork) - these are tids (in userspace), not tgids
There was a problem hiding this comment.
This is still a problem...
There was a problem hiding this comment.
The process tree map in bpf code is using tgid and in userspace we use pid, aren't these the same?
There was a problem hiding this comment.
Yes, I see that the bpf code is now using tgid. Should be ok now, however I wonder if it wouldn't have been better to set tids both in userspace and and bpf code for better granularity of the filter. Probably not that important, just a thought.
tracee-ebpf/tracee/tracee.go
Outdated
| @@ -902,6 +940,33 @@ func (t *Tracee) populateBPFMaps() error { | |||
| } | |||
| } | |||
|
|
|||
| err = t.populateProcessTreeMap(t.config.Filter.ProcessTreeFilter.PID) | |||
There was a problem hiding this comment.
This map is populated before the bpf programs are attached.
If processes are added/remved after this point, they will not be added/removed from the map.
We should probably do another iteration after the bpf programs are attached, and check if no changes occured to avoid race conditions
tracee-ebpf/tracee/proc.go
Outdated
| for i := range procs { | ||
| stat, err := procs[i].Stat() | ||
| if err != nil { | ||
| return nil, err |
There was a problem hiding this comment.
Do we want to fail in that case?
tracee-ebpf/tracee/proc.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
| processMap[uint32(stat.PID)] = processMap[uint32(stat.PID)] |
There was a problem hiding this comment.
What does this line do?
There was a problem hiding this comment.
This is so that all PIDs are recorded in the map, even if they don't have any child processes.
There was a problem hiding this comment.
But this is a self-assignment of processMap[uint32(stat.PID)] to itself, how does it achieves this?
There was a problem hiding this comment.
Lol that's actually interesting, I never stopped to think that it shouldn't be valid code. It does work though.
Played with it here:
https://play.golang.org/p/2uHNoyTcnfh
There was a problem hiding this comment.
It seems that it doesn't work:
./prog.go:30:2: self-assignment of x[foo] to x[foo]
There was a problem hiding this comment.
That's a go vet error, but i'm still not entirely sure why it doesn't complain in this context.
tracee-ebpf/tracee/proc.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
| processMap[uint32(stat.PPID)] = append(processMap[uint32(stat.PPID)], uint32(stat.PID)) |
There was a problem hiding this comment.
This is still a problem...
tracee-ebpf/tracee/proc.go
Outdated
| // populateProcessTreeFilterMap takes a map of the process tree (k=ppid, v=[]childpid) | ||
| // and a filter specification map (k=pid,v=trace/not) and returns a fully populated map | ||
| // where k=pid, v=trace/not for all pids | ||
| func populateProcessTreeFilterMap(processTree map[uint32][]uint32, |
There was a problem hiding this comment.
I don't understand why we shuold first gather the process tree representation, and only then initialize the map.
There is a big window for race conditions using this method, and it wastes cycles for processes we don't really need (were not requested by the user tree filter)
There was a problem hiding this comment.
The reason we gather the process tree first is so we can determine all of the descendant processes. Is there a way to query proc on a per pid basis to traverse through all its child pids that i'm not aware of?
There was a problem hiding this comment.
As in for each PID we can gather its PPID, but I don't see anything like a list of child pids
There was a problem hiding this comment.
Yes, there is actually a way to do that. For every process, you can list all of its threads and their children using:
/proc/pid/task/tid/children
There was a problem hiding this comment.
Ahhh, thanks for teaching me that. Will have iteration #5 soon :-)
There was a problem hiding this comment.
Ok, so here is another suggestion:
For every process 'p' in procfs:
- Get its ppid
- If ppid = one of the given tree filters pids -> add 'p' to the map, and continue to the next process
- If ppid = 1 -> continue to the next process (as we reached the root of the process tree)
- Go to step 1 with ppid
This method will find the relevant set of pids which are part of the tree of the pid given by the tree filter, and update the map in (almost) the same time, reducing the window of a possible race condition
There was a problem hiding this comment.
@rafaeldtinoco to get the changes of the process tree in runtime is not the problem here, as we have sched_process_fork and sched_process_exit.
The problem here is - how can we initialize a map that contains a "snapshot" of the pids in the process tree whose root is some given pid. The challenge here is to initialize this map and avoid race conditions of exited/new processes in this process tree
There was a problem hiding this comment.
@rafaeldtinoco to get the changes of the process tree in runtime is not the problem here, as we have sched_process_fork and sched_process_exit.
I had that in mind when I wrote.
The problem here is - how can we initialize a map that contains a "snapshot" of the pids in the process tree whose root is some given pid. The challenge here is to initialize this map and avoid race conditions of exited/new processes in this process tree
That's why I referred a userland way of following the process tree (by following forks, execs and exits from userland, using netlink, in parallel to BPF program startup).
A taskstats/conector go routine could monitor selected pid trees for forks an and exits and keep updating the map by removing the pid if that exited before the BPF program was loaded (or update the map with other needs)
It would still be racy - as there is no mutex locking mechanism in between kernel BPF program and a userland task - but the fact that pid numbers would keep growing, instead of reusing just exited ones, would protect us until BPF program is loaded, as the race window is small (not bigger than pid # being reused).
Of course this ads complexity to the initial logic.
Another possibility would be to timestamp each entry in the map and have some kind of prune mechanism within userland for leftovers.
There was a problem hiding this comment.
@yanivagman A couple of unfortunate issues with your design that I've run into. If we use filepath.WalkDir() we're not able to jump to different points in the process tree, it's iterative. That can be worked around, but the reason it's iterative is because it reads the entire directory upfront, taking a snapshot of it, and presenting the same data race as the current design. Even if not using filepath.WalkDir I run into the same issue with similar implementations that aren't iterative, we can only make the race window smaller if we can't get atomic state of the process tree (i.e. halt the OS 😄 ).
@rafaeldtinoco I will read through that kernel doc you linked, i'm not familiar with that interface.
Another simple idea (again, still has unavoidable race) is to use the current design except re-check the state of the whole process tree on every iteration of traversing PID/PPID relationship (i.e. call gatherEntireProcessTree()) in every iteration of the loop in populateProcessTreeFilterMap(). I may need to explore this.
There was a problem hiding this comment.
@grantseltzer its likely we wont use this, as a curiosity though: https://bewareofgeek.livejournal.com/2945.html ... I used something like this in my previous life example =). Its a good example on how to get PROC_EVENT_FORK, PROC_EVENT_EXIT, PROC_EVENT_EXEC from userland (before we could do this with eBPF, for example). It has a netlink socket buffer and its a stream from kernel to userland, but.. yet, its fast.
But again, I think your discussion with Yaniv is in advanced state already.
tracee-ebpf/tracee/proc.go
Outdated
| for pid, _ := range processTree { | ||
| filterMap[pid] = defaultFilter | ||
| } |
There was a problem hiding this comment.
I don't think we need to save this value for every pid in the system.
Instead, we can pass the default filter value in the config map, and use it when we don't find a given pid in the map
There was a problem hiding this comment.
Sure this takes up some extra space, but this adds a few more instructions in each should_trace() call to check the default value if the PID isn't in the map. I don't feel that strongly about this, I can if you'd like.
There was a problem hiding this comment.
equality_filter_matches (which you use in the bpf code) already takes care of that. You should just set CONFIG_PROC_TREE_FILTER to either FILTER_IN or FILTER_OUT in the config map.
tracee-ebpf/tracee/proc.go
Outdated
| // gatherAllDescedentPIDs takes a specific pid, and a map 'pids' which represents | ||
| // a snapshot of the process tree where k = ppid and v = slice of child pids | ||
| // and returns a slice of all the descedent pids | ||
| func gatherAllDescedentPIDs(pid uint32, pids map[uint32][]uint32) []uint32 { |
There was a problem hiding this comment.
This is where I think you should implement the procfs walk - only for the pids selected in the filter
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
… after bpf programs are loaded and attached Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
|
Ok, I'm satisfied with how I have this now. I've moved the bpf map update calls for the process tree map to be closer to when they're collected. This shortens the window for a data race to occur. Importantly, the bpf programs are installed before this map is populated, so the map is being updated before it's even finished being initialized. Another thing is that a data race should never be an issue when the filter is specified for long standing processes (which I expect it always will be). Ultimately there'll always be a tiny amount of risk of losing a data race unless we can halt the kernel, but the impact is negligible. Another interesting thing I discovered is that libbpfgo's new API that uses |
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
|
My latest commit also makes use of FILTER_IN/FILTER_OUT, so there's less time spent updating bpf maps, that should cut down the race window as well. |
Signed-off-by: grantseltzer <grantseltzer@gmail.com>
Handles #836
Couple of design decisions I made worth discussing
treeand can be passed like--trace tree!=3or--trace tree=1001We must verify that this works on older kernels than my development one however. I'm worried about the possibility that this blows the instruction limit.