Use patched node-agent (#123)

Author: paweljw

.github/workflows/node-agent-patch-ci.yml

@@ -0,0 +1,65 @@
+name: Node Agent Patch CI
+
+on:
+  pull_request:
+    paths:
+      - 'ebpf/patches/node-agent/**'
+      - 'ebpf/Dockerfile'
+  push:
+    branches:
+      - main
+    paths:
+      - 'ebpf/patches/node-agent/**'
+      - 'ebpf/Dockerfile'
+
+jobs:
+  test-node-agent-patch:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Clone node-agent and apply patches
+        run: |
+          NODE_AGENT_VERSION=$(grep 'NODE_AGENT_VERSION=' ebpf/Dockerfile | head -1 | sed 's/.*=//')
+          git clone --depth 1 --branch ${NODE_AGENT_VERSION} \
+            https://github.com/coroot/coroot-node-agent.git /tmp/node-agent
+          cd /tmp/node-agent
+          git apply ${{ github.workspace }}/ebpf/patches/node-agent/*.patch
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version: '1.23.8'
+          cache: false
+
+      - uses: actions/cache@v4
+        with:
+          path: |
+            ~/go/pkg/mod
+            ~/.cache/go-build
+          key: node-agent-go-${{ hashFiles('/tmp/node-agent/go.sum') }}
+          restore-keys: node-agent-go-
+
+      - run: sudo apt-get install -y libsystemd-dev
+
+      - name: go mod download
+        working-directory: /tmp/node-agent
+        run: go mod download
+
+      - name: gofmt -l .
+        working-directory: /tmp/node-agent
+        run: files=$(gofmt -l .); if [[ -n "$files" ]]; then echo "$files"; exit 1; fi
+
+      - name: goimports -l .
+        working-directory: /tmp/node-agent
+        run: |
+          go install golang.org/x/tools/cmd/goimports@latest
+          files=$(goimports -l .); if [[ -n "$files" ]]; then echo "$files"; exit 1; fi
+
+      - name: go vet
+        working-directory: /tmp/node-agent
+        run: go vet ./...
+
+      - name: go test
+        working-directory: /tmp/node-agent
+        run: go test ./...
+

ebpf/Dockerfile

@@ -1,5 +1,21 @@
-# Add Node Agent to the image
-FROM ghcr.io/coroot/coroot-node-agent:1.28.3 AS node-agent
+# Build Node Agent from source with patches
+FROM debian:bullseye AS node-agent-builder
+RUN apt-get update && apt-get install -y \
+    curl git build-essential pkg-config libsystemd-dev
+ARG GO_VERSION=1.24.9
+RUN curl -fsSL https://go.dev/dl/go${GO_VERSION}.linux-$(dpkg --print-architecture).tar.gz -o go.tar.gz && \
+    tar -C /usr/local -xzf go.tar.gz && rm go.tar.gz
+ENV PATH="/usr/local/go/bin:${PATH}"
+ARG CUSTOMIZATION_TAG="betterstack"
+ARG NODE_AGENT_VERSION=v1.28.3
+RUN git clone --depth 1 --branch ${NODE_AGENT_VERSION} \
+    https://github.com/coroot/coroot-node-agent.git /tmp/node-agent
+WORKDIR /tmp/node-agent
+COPY ebpf/patches/node-agent/*.patch ./
+RUN git apply *.patch
+RUN CGO_ENABLED=1 go build -mod=readonly \
+    -ldflags "-extldflags='-Wl,-z,lazy' -X 'github.com/coroot/coroot-node-agent/flags.Version=${NODE_AGENT_VERSION}-${CUSTOMIZATION_TAG}'" \
+    -o /usr/bin/coroot-node-agent .
 
 # Add Cluster Agent to the image
 FROM ghcr.io/coroot/coroot-cluster-agent:1.2.4 AS cluster-agent
@@ -48,7 +64,7 @@ COPY --from=obi-source --chmod=755 /tmp/obi /usr/local/bin/ebpf-instrument
 COPY --from=obi-source /tmp/LICENSE /tmp/NOTICE /usr/share/doc/ebpf-instrument/
 
 # Copy Node Agent
-COPY --from=node-agent --chmod=755 /usr/bin/coroot-node-agent /usr/local/bin/node-agent
+COPY --from=node-agent-builder --chmod=755 /usr/bin/coroot-node-agent /usr/local/bin/node-agent
 
 # Copy Cluster Agent
 COPY --from=cluster-agent --chmod=755 /usr/bin/coroot-cluster-agent /usr/local/bin/cluster-agent

ebpf/patches/node-agent/001-configurable-ebpf-maps-and-gc.patch

@@ -0,0 +1,106 @@
+diff --git a/containers/container.go b/containers/container.go
+index abb2cfb..5ab58ce 100644
+--- a/containers/container.go
++++ b/containers/container.go
+@@ -26,7 +26,7 @@ import (
+ )
+ 
+ var (
+-	gcInterval                = 10 * time.Minute
++	gcInterval                = *flags.GCInterval
+ 	pingTimeout               = 300 * time.Millisecond
+ 	multilineCollectorTimeout = time.Second
+ 	gpuStatsWindow            = 15 * time.Second
+diff --git a/containers/registry.go b/containers/registry.go
+index b5f6a00..549d532 100644
+--- a/containers/registry.go
++++ b/containers/registry.go
+@@ -116,7 +116,7 @@ func NewRegistry(reg prometheus.Registerer, processInfoCh chan<- ProcessInfo, gp
+ 
+ 		processInfoCh: processInfoCh,
+ 
+-		tracer: ebpftracer.NewTracer(hostNetNs, selfNetNs, *flags.DisableL7Tracing),
++		tracer: ebpftracer.NewTracer(hostNetNs, selfNetNs, *flags.DisableL7Tracing, *flags.MaxConnections, *flags.MaxL7Requests),
+ 
+ 		trafficStatsUpdateCh: make(chan *TrafficStatsUpdate),
+ 		nodejsStatsUpdateCh:  make(chan *NodejsStatsUpdate),
+diff --git a/ebpftracer/tracer.go b/ebpftracer/tracer.go
+index f79b23e..0d3f445 100644
+--- a/ebpftracer/tracer.go
++++ b/ebpftracer/tracer.go
+@@ -82,6 +82,8 @@ type Tracer struct {
+ 	disableL7Tracing bool
+ 	hostNetNs        netns.NsHandle
+ 	selfNetNs        netns.NsHandle
++	maxConnections   int
++	maxL7Requests    int
+ 
+ 	collection *ebpf.Collection
+ 	readers    map[string]*perf.Reader
+@@ -89,7 +91,7 @@ type Tracer struct {
+ 	uprobes    map[string]*ebpf.Program
+ }
+ 
+-func NewTracer(hostNetNs, selfNetNs netns.NsHandle, disableL7Tracing bool) *Tracer {
++func NewTracer(hostNetNs, selfNetNs netns.NsHandle, disableL7Tracing bool, maxConnections, maxL7Requests int) *Tracer {
+ 	if disableL7Tracing {
+ 		klog.Infoln("L7 tracing is disabled")
+ 	}
+@@ -97,6 +99,8 @@ func NewTracer(hostNetNs, selfNetNs netns.NsHandle, disableL7Tracing bool) *Trac
+ 		disableL7Tracing: disableL7Tracing,
+ 		hostNetNs:        hostNetNs,
+ 		selfNetNs:        selfNetNs,
++		maxConnections:   maxConnections,
++		maxL7Requests:    maxL7Requests,
+ 
+ 		readers: map[string]*perf.Reader{},
+ 		uprobes: map[string]*ebpf.Program{},
+@@ -217,6 +221,20 @@ func (t *Tracer) ebpf(ch chan<- Event) error {
+ 	if err != nil {
+ 		return fmt.Errorf("failed to load collection spec: %w", err)
+ 	}
++	if t.maxConnections > 0 {
++		for _, name := range []string{"active_connections", "connection_id_by_socket"} {
++			if m := collectionSpec.Maps[name]; m != nil {
++				klog.Infof("overriding %s max_entries: %d -> %d", name, m.MaxEntries, t.maxConnections)
++				m.MaxEntries = uint32(t.maxConnections)
++			}
++		}
++	}
++	if t.maxL7Requests > 0 {
++		if m := collectionSpec.Maps["active_l7_requests"]; m != nil {
++			klog.Infof("overriding active_l7_requests max_entries: %d -> %d", m.MaxEntries, t.maxL7Requests)
++			m.MaxEntries = uint32(t.maxL7Requests)
++		}
++	}
+ 	_ = unix.Setrlimit(unix.RLIMIT_MEMLOCK, &unix.Rlimit{Cur: unix.RLIM_INFINITY, Max: unix.RLIM_INFINITY})
+ 	c, err := ebpf.NewCollectionWithOptions(collectionSpec, ebpf.CollectionOptions{
+ 		//Programs: ebpf.ProgramOptions{LogLevel: 2, LogSize: 20 * 1024 * 1024},
+diff --git a/ebpftracer/tracer_test.go b/ebpftracer/tracer_test.go
+index c8cf7cc..9fe98de 100644
+--- a/ebpftracer/tracer_test.go
++++ b/ebpftracer/tracer_test.go
+@@ -327,7 +327,7 @@ func runTracer(t *testing.T, verbose bool) (func() *Event, func()) {
+ 	assert.NoError(t, common.SetKernelVersion(string(bytes.Split(uname.Release[:], []byte{0})[0])))
+ 
+ 	go func() {
+-		tt := NewTracer(0, 0, false)
++		tt := NewTracer(0, 0, false, 0, 0)
+ 		err := tt.Run(events)
+ 		require.NoError(t, err)
+ 		<-done
+diff --git a/flags/flags.go b/flags/flags.go
+index c80323f..ff89896 100644
+--- a/flags/flags.go
++++ b/flags/flags.go
+@@ -16,6 +16,10 @@ var (
+ 	DisableL7Tracing     = kingpin.Flag("disable-l7-tracing", "Disable L7 tracing").Default("false").Envar("DISABLE_L7_TRACING").Bool()
+ 	DisableGPUMonitoring = kingpin.Flag("disable-gpu-monitoring", "Disable GPU monitoring (NVML)").Default("false").Envar("DISABLE_GPU_MONITORING").Bool()
+ 
++	MaxConnections = kingpin.Flag("max-connections", "Maximum number of tracked TCP connections in eBPF maps").Default("1000000").Envar("MAX_CONNECTIONS").Int()
++	MaxL7Requests  = kingpin.Flag("max-l7-requests", "Maximum number of in-flight L7 requests in eBPF maps").Default("32768").Envar("MAX_L7_REQUESTS").Int()
++	GCInterval     = kingpin.Flag("gc-interval", "How often to run container garbage collection").Default("10m").Envar("GC_INTERVAL").Duration()
++
+ 	ContainerAllowlist = kingpin.Flag("container-allowlist", "List of allowed containers (regex patterns)").Envar("CONTAINER_ALLOWLIST").Strings()
+ 	ContainerDenylist  = kingpin.Flag("container-denylist", "List of denied containers (regex patterns)").Envar("CONTAINER_DENYLIST").Strings()
+