[DRAFT] in_ebpf: initial version #9406
I'm actually living in an Ubuntu 22.04 box. So, I needed to refer to the actual architecture-dependent header files:
$ clang -D__TARGET_ARCH_X86_64 -g -O2 -target bpf -c ebpf_program_example.c -o ebpf_program.o -I /usr/include/x86_64-linux-gnu/
In the current code base, I was also concerned about the libbpf linking status:
$ ldd bin/fluent-bit
linux-vdso.so.1 (0x00007ffeee7be000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x000078338b5c9000)
libyaml-0.so.2 => /lib/x86_64-linux-gnu/libyaml-0.so.2 (0x000078338b5a8000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x000078338a139000)
libbpf.so.0 => /lib/x86_64-linux-gnu/libbpf.so.0 (0x000078338a0ea000)
libssl.so.3 => /lib/x86_64-linux-gnu/libssl.so.3 (0x000078338a046000)
libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x0000783389c00000)
libcurl.so.4 => /lib/x86_64-linux-gnu/libcurl.so.4 (0x0000783389b59000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x0000783389b3d000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x0000783389a6e000)
libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x0000783389a53000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x0000783389a33000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000783389800000)
/lib64/ld-linux-x86-64.so.2 (0x000078338b6e9000)
<snip>
This could indicate that libbpf is linked as a shared object. So, fluent-bit is not tainted by a non-Apache license such as a GNU-like license.
This is an initial proposal of a POC of an ebpf ingestor plugin. This adds capabilities to load and attach to an existing ebpf program and consume events from a fixed-sized ring buffer, subsequently those events are ingested in the log ingestion buffer. Event types are known and defined in the fluent-bit codebase and those have to be implemented by the ebpf program to follow when submitted into the ring buffer, this in the future must be serialized and be an extensible part of the project as we possibly make progress towards compatibility with other ebpf collectors. Also, I've implemented a fallback to allow strings to be passed as the payload of the event, without following a specific event type.
Signed-off-by: Jorge Niedbalski <[email protected]>
} | ||
|
||
/* Find the BPF program by its name */ | ||
struct bpf_program *prog = bpf_object__find_program_by_name(ctx->obj, bpf_prog_name); |
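Review bot: the `prog` pointer returned by `bpf_object__find_program_by_name(ctx->obj, bpf_prog_name)` needs a NULL check before use, because the lookup returns NULL when the object contains no program with that name and a later hunk hands `prog` to `bpf_program__attach(prog)`. If that check is not already directly below these lines, add one that logs `bpf_prog_name` and fails initialization, so a wrong program name in the configuration ends in a clear error instead of an attach call on a NULL program.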
We use the old style of variable declarations. So, we need to put the definition around here: https://github.com/fluent/fluent-bit/pull/9406/files#diff-cfd08bb24498894b88fb371270031942876b24aae69176d146e26006d7710157R169-R173
} | ||
|
||
/* Attach the BPF program to the tracepoint */ | ||
struct bpf_link *link = bpf_program__attach(prog); |
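Review bot: the failure check for `bpf_program__attach(prog)` has to match the libbpf in use, and `link` should not stay a local. libbpf 1.0 and later return NULL and set errno, while the `libbpf.so.0` shown in the ldd output on this page returns an error-encoded pointer unless strict mode is enabled, so a plain `link == NULL` test would accept a failed attach there. Check the result with `libbpf_get_error(link)` (or enable strict mode at init), and store the link in `ctx` so the exit callback can release it with `bpf_link__destroy()`.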
Ditto.
int poll_seconds = ctx->poll_ms / 1000; | ||
int poll_nanoseconds = (ctx->poll_ms % 1000) * 1000000; |
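Review bot: `ctx->poll_ms` is used in both lines without a visible range check, so a zero or negative setting becomes a zero or negative `poll_seconds` / `poll_nanoseconds` pair for the collector interval. Validate `poll_ms > 0` where the configuration is read, and reject the value or fall back to the default before this computation runs.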
Ditto.
.name = "ebpf", | ||
.description = "eBPF input plugin", | ||
.cb_init = in_ebpf_init, | ||
.cb_pre_run = NULL, |
As a future enhancement, it would be nice to add a check for the existence of the eBPF object in the pre_run callback.
IIRC, this is because this callback is used for the prerequisites check for reloading.
This is a proposal for a proof of concept (POC) of an eBPF ingestor plugin. It uses libebpf to load and link to an existing eBPF program and pulls events from a fixed-size ring buffer. These events are then fed into the log ingestion pipeline.
The event types are predefined in the fluent-bit codebase, and the eBPF program must follow these definitions when submitting events to the ring buffer. In the future, this process needs to be flexible, so we can support other eBPF collectors.
Additionally, I've added a fallback option to pass strings as event payloads without needing a specific event type.
Compiled as
An example configuration is:
An example ebpf program used on this configuration
To compile this program, you need clang in your system and run
With the sample configuration, the following outputs are produced:
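Added example, not code from this pull request: a consumer-side check for the ring-buffer records described above, showing a typed record path and the string fallback with hard bounds on both. The `struct ev_exec` layout, the type id and every `ev_*` / `EV_*` name are hypothetical (the PR's real event definitions are not shown on this page); only the callback signature follows libbpf's `ring_buffer_sample_fn`.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EV_TYPE_EXEC 1u   /* hypothetical type id */
#define EV_MAX_TEXT  256  /* cap for fallback string payloads */

/* Hypothetical typed event; the PR's real structs are not shown on this page. */
struct ev_exec { uint32_t type; uint32_t pid; char comm[16]; };
enum ev_kind { EV_REJECTED, EV_TYPED, EV_TEXT };
struct ev_out { enum ev_kind kind; uint32_t pid; char text[EV_MAX_TEXT]; };

/* Classify one ring-buffer record and copy it into out (must be non-NULL). */
enum ev_kind parse_sample(const void *data, size_t size, struct ev_out *out)
{
    struct ev_exec ev;
    const unsigned char *src = data;
    size_t i, n = size < EV_MAX_TEXT - 1 ? size : EV_MAX_TEXT - 1;
    enum ev_kind kind = EV_TEXT;

    memset(out, 0, sizeof(*out));          /* kind starts as EV_REJECTED */
    if (data == NULL || size == 0) {
        return EV_REJECTED;
    }
    /* Typed path: exact size and known type; copy out, then read fields. */
    if (size == sizeof(ev)) {
        memcpy(&ev, data, sizeof(ev));
        if (ev.type == EV_TYPE_EXEC) {
            kind = EV_TYPED;
            out->pid = ev.pid;
            src = (const unsigned char *) ev.comm;
            n = sizeof(ev.comm) - 1;       /* comm may lack a terminator */
        }
    }
    /* Both paths: bounded copy, non-printable bytes replaced before logging. */
    for (i = 0; i < n && src[i] != '\0'; i++) {
        out->text[i] = isprint(src[i]) ? (char) src[i] : '?';
    }
    return out->kind = ((kind == EV_TEXT && i == 0) ? EV_REJECTED : kind);
}

/* Same signature as libbpf's ring_buffer_sample_fn; ctx is our struct ev_out. */
int handle_sample(void *ctx, void *data, size_t size)
{
    parse_sample(data, size, (struct ev_out *) ctx);
    return 0; /* a negative return would stop ring_buffer__poll() */
}
```

A record that has the typed size but an unknown type id falls through to the string path here; a stricter consumer could reject it instead.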