in_ebpf: initial version of the plugin

This is an initial proposal of a POC of an ebpf ingestor plugin. This adds capabilities to load and attach to an existing ebpf program and consume events from a fixed-sized ring buffer, subsequently those events are ingested in the log ingestion buffer. Events types are known and defined in the fluent-bit codebase and those has to be implemented by the ebpf program to follow when submitted into the ring buffer, this in the future must be serialized and be an extensible part of the project as we possibly make progress towards compability with other ebpf collectors. Also, i've implemented a fallback to allow strings to be passed as the payload of the event, without following a specific event type. Signed-off-by: Jorge Niedbalski <[email protected]>
fluent · Sep 27, 2024 · 10afcab · 10afcab
1 parent 41b90b7
commit 10afcab
Show file tree

Hide file tree

Showing 7 changed files with 498 additions and 0 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1032,6 +1032,23 @@ else()
   set(FLB_ARROW OFF)
 endif()
 
+# EBPF Support
+# ============
+if (FLB_IN_EBPF)
+  find_package(PkgConfig)
+  pkg_check_modules(LIBBPF libbpf>=0.5.0)
+  if (LIBBPF_FOUND)
+    include_directories(${LIBBPF_INCLUDE_DIRS})
+    list(APPEND EXTRA_LIBS ${LIBBPF_LIBRARIES})
+  else()
+    if (FLB_SYSTEM_LINUX AND NOT(LIBBPF_FOUND))
+      MESSAGE(FATAL_ERROR "Libbpf required on Linux")
+    endif()
+    message(STATUS "Libbpf is not found")
+    set(FLB_IN_EBPF OFF)
+  endif()
+endif()
+
 # Pthread Local Storage
 # =====================
 # By default we expect the compiler already support thread local storage

diff --git a/cmake/plugins_options.cmake b/cmake/plugins_options.cmake
@@ -61,6 +61,7 @@ DEFINE_OPTION(FLB_IN_WINLOG                   "Enable Windows Log input plugin"
 DEFINE_OPTION(FLB_IN_WINDOWS_EXPORTER_METRICS "Enable windows exporter metrics input plugin" ON)
 DEFINE_OPTION(FLB_IN_WINEVTLOG                "Enable Windows EvtLog input plugin"           OFF)
 DEFINE_OPTION(FLB_IN_WINSTAT                  "Enable Windows Stat input plugin"             OFF)
+DEFINE_OPTION(FLB_IN_EBPF                     "Enable Linux eBPF input plugin"               OFF)
 
 # Processors
 # ==========

diff --git a/cmake/windows-setup.cmake b/cmake/windows-setup.cmake
@@ -53,6 +53,7 @@ if(FLB_WINDOWS_DEFAULTS)
   set(FLB_IN_STORAGE_BACKLOG    Yes)
   set(FLB_IN_EMITTER            Yes)
   set(FLB_IN_PODMAN_METRICS      No)
+  set(FLB_IN_EBPF		 No)
   set(FLB_IN_ELASTICSEARCH      Yes)
   set(FLB_IN_SPLUNK             Yes)
   set(FLB_IN_PROMETHEUS_REMOTE_WRITE Yes)

diff --git a/plugins/CMakeLists.txt b/plugins/CMakeLists.txt
@@ -207,6 +207,7 @@ if(${CMAKE_SYSTEM_NAME} MATCHES "Linux")
   REGISTER_IN_PLUGIN("in_docker_events")
   REGISTER_IN_PLUGIN("in_podman_metrics")
   REGISTER_IN_PLUGIN("in_process_exporter_metrics")
+  REGISTER_IN_PLUGIN("in_ebpf")
 endif()
 
 if(${CMAKE_SYSTEM_NAME} MATCHES "Linux" OR ${CMAKE_SYSTEM_NAME} MATCHES "Darwin")

diff --git a/plugins/in_ebpf/CMakeLists.txt b/plugins/in_ebpf/CMakeLists.txt
@@ -0,0 +1,6 @@
+set(src
+  in_ebpf.c
+)
+
+FLB_PLUGIN(in_ebpf "${src}" "")
+target_link_libraries(flb-plugin-in_ebpf -lbpf -lelf -lz)