Guess offsets #9
Conversation
|
@schu @alepuccetti: The changes in bpf/bpf.go would go to iovisor/gobpf but the changes in main.go would go to Scope. |
|
|
||
| releaseStr := strings.Trim(utsnameStr(buf.Release[:]), "\x00") | ||
|
|
||
| kernelVersionStr := strings.Split(releaseStr, "-")[0] |
There was a problem hiding this comment.
@iaguis This does not work in the rkt kernel (rkt with the kvm flavor) because releaseStr is "4.8.6rkt-v1":
# uname -r
4.8.6rkt-v1
Symptoms:
strconv.ParseInt: parsing "6rkt": invalid syntax
There was a problem hiding this comment.
Doesn't break on my Debian box but the result doesn't reflect the current kernel version it seems: uname -r is 4.8.0-2-amd64 (kernel version 264192) whereas the actual version seems to be 4.8.11 (264203) and the prog cannot be loaded..
There was a problem hiding this comment.
The fix in rkt about localversion got merged rkt/rkt#3489
There was a problem hiding this comment.
@schu are you testing the correct branch of tcptracer-bpf? https://github.com/kinvolk/tcptracer-bpf/pull/15
There was a problem hiding this comment.
@alban I'm testing with dummy.c from iovisor/gobpf#6
|
Under the rkt (flavor kvm) kernel, this guesses the offsets correctly most of the time, but sometimes it freezes. dmesg says: We should add a timeout, so it does not wait for too long for the connection to succeed. Also, this code is not supposed to do many connections simultaneously, so this should not be a problem for conntrack. We might not close the connection correctly before testing the next offset. |
As gobpf now includes our elf package, the bpf part can be a separate pull request against iovisor/gobpf. |
Maybe we fill it up because the closed connections stay in |
I just tried with rkt-kvm and the connections stay in |
| @@ -298,6 +298,13 @@ func guessOffsets(b *bpf.BPFKProbePerf) error { | |||
| if err != nil { | |||
| return fmt.Errorf("error: %v", err) | |||
| } | |||
|
|
|||
| if tcpConn, ok := conn.(*net.TCPConn); ok { | |||
| tcpConn.SetLinger(0) | |||
There was a problem hiding this comment.
A comment would be nice to explain why
iaguis
force-pushed
the
iaguis/guess-offsets
branch
2 times, most recently
from
852adce to
d1ccfcc
Compare
Instead of requiring a different ebpf object file per kernel version / distro, we try to guess the offsets of the fields we access in the eBPF program. We do so by creating connections to a server we start, trying to read through struct sock, and comparing the obtained values with the expected ones.
We make a lot of connections when we get the offsets and they can potentially fill the conntrack table because the state the connections remain in when they get closed is TIME_WAIT and it stays like that for a while (around 2 minutes). We set SO_LINGER to 0 so the connection state after closing is CLOSE instead. In this way, they will disappear from the conntrack table after around 10 seconds.
iaguis
force-pushed
the
iaguis/guess-offsets
branch
from
d1ccfcc to
ee7be00
Compare
|
kinvolk/tcptracer-bpf#15 is merged. Let's merge this. |
Instead of requiring a different ebpf object file per kernel version /
distro, we try to guess the offsets of the fields we access in the eBPF
program.
We do so by creating connections to a server we start, trying to read
through struct sock, and comparing the obtained values with the expected
ones.
Requires https://github.com/kinvolk/tcptracer-bpf/pull/15