in_ebpf: Implement sched eBPF trace

Signed-off-by: Hiroshi Hatake <hiroshi@chronosphere.io>

Author: cosmo0920

plugins/in_ebpf/traces/includes/common/encoder.h

@@ -27,6 +27,8 @@ static inline char *event_type_to_string(enum event_type type) {
             return "connect";
         case EVENT_TYPE_DNS:
             return "dns";
+        case EVENT_TYPE_SCHED:
+            return "sched";
         default:
             return "unknown";
     }

plugins/in_ebpf/traces/includes/common/events.h

@@ -21,6 +21,7 @@ enum event_type {
     EVENT_TYPE_ACCEPT,
     EVENT_TYPE_CONNECT,
     EVENT_TYPE_DNS,
+    EVENT_TYPE_SCHED,
 };
 
 enum vfs_op {
@@ -145,6 +146,17 @@ struct dns_event {
     __u8 query_raw[DNS_QUERY_RAW_MAX];
 };
 
+struct sched_event {
+    __u32 prev_pid;
+    int prev_prio;
+    long prev_state;
+    __u32 next_pid;
+    int next_prio;
+    __u32 cpu;
+    __u64 runq_latency_ns;
+    __u8 wakeup_tracked;
+};
+
 struct event {
     enum event_type type;           // Type of event (execve, signal, mem, bind)
     struct event_common common;     // Common fields for all events
@@ -158,6 +170,7 @@ struct event {
         struct accept_event accept;
         struct connect_event connect;
         struct dns_event dns;
+        struct sched_event sched;
     } details;
 };
 

plugins/in_ebpf/traces/sched/bpf.c

@@ -0,0 +1,122 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+#define __TARGET_ARCH_x86_64
+
+#include <vmlinux.h>
+
+#define _LINUX_TYPES_H
+#define _LINUX_POSIX_TYPES_H
+
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_core_read.h>
+
+#include <gadget/buffer.h>
+#include <gadget/mntns_filter.h>
+
+#include "common/events.h"
+
+struct wakeup_info {
+    __u64 wakeup_ns;
+};
+
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __uint(max_entries, 65536);
+    __type(key, __u32);
+    __type(value, struct wakeup_info);
+} wakeup_by_pid SEC(".maps");
+
+struct {
+    __uint(type, BPF_MAP_TYPE_RINGBUF);
+    __uint(max_entries, 1 << 20);
+} events SEC(".maps");
+
+static __always_inline int track_wakeup(__u32 pid)
+{
+    struct wakeup_info info = {0};
+
+    if (pid == 0) {
+        return 0;
+    }
+
+    info.wakeup_ns = bpf_ktime_get_ns();
+    bpf_map_update_elem(&wakeup_by_pid, &pid, &info, BPF_ANY);
+
+    return 0;
+}
+
+SEC("tracepoint/sched/sched_wakeup")
+int trace_sched_wakeup(struct trace_event_raw_sched_wakeup_template *ctx)
+{
+    return track_wakeup((__u32) ctx->pid);
+}
+
+SEC("tracepoint/sched/sched_wakeup_new")
+int trace_sched_wakeup_new(struct trace_event_raw_sched_wakeup_template *ctx)
+{
+    return track_wakeup((__u32) ctx->pid);
+}
+
+SEC("tracepoint/sched/sched_switch")
+int trace_sched_switch(struct trace_event_raw_sched_switch *ctx)
+{
+    struct event *event;
+    struct wakeup_info *wakeup;
+    __u64 now_ns;
+    __u64 pid_tgid;
+    __u32 next_pid;
+    __u64 uid_gid;
+    __u64 mntns_id;
+
+    mntns_id = gadget_get_mntns_id();
+    if (gadget_should_discard_mntns_id(mntns_id)) {
+        return 0;
+    }
+
+    next_pid = (__u32) ctx->next_pid;
+    if (next_pid == 0) {
+        return 0;
+    }
+
+    event = gadget_reserve_buf(&events, sizeof(*event));
+    if (!event) {
+        return 0;
+    }
+
+    now_ns = bpf_ktime_get_ns();
+    pid_tgid = bpf_get_current_pid_tgid();
+    uid_gid = bpf_get_current_uid_gid();
+
+    event->type = EVENT_TYPE_SCHED;
+    event->common.timestamp_raw = bpf_ktime_get_boot_ns();
+    event->common.pid = next_pid;
+    event->common.tid = next_pid;
+    event->common.uid = (u32) uid_gid;
+    event->common.gid = (u32) (uid_gid >> 32);
+    event->common.mntns_id = mntns_id;
+
+    __builtin_memcpy(event->common.comm, ctx->next_comm, sizeof(event->common.comm));
+
+    event->details.sched.prev_pid = (__u32) ctx->prev_pid;
+    event->details.sched.prev_prio = ctx->prev_prio;
+    event->details.sched.prev_state = ctx->prev_state;
+    event->details.sched.next_pid = next_pid;
+    event->details.sched.next_prio = ctx->next_prio;
+    event->details.sched.cpu = bpf_get_smp_processor_id();
+    event->details.sched.wakeup_tracked = 0;
+    event->details.sched.runq_latency_ns = 0;
+
+    wakeup = bpf_map_lookup_elem(&wakeup_by_pid, &next_pid);
+    if (wakeup) {
+        event->details.sched.wakeup_tracked = 1;
+        if (now_ns > wakeup->wakeup_ns) {
+            event->details.sched.runq_latency_ns = now_ns - wakeup->wakeup_ns;
+        }
+        bpf_map_delete_elem(&wakeup_by_pid, &next_pid);
+    }
+
+    gadget_submit_buf(ctx, &events, event, sizeof(*event));
+
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";

plugins/in_ebpf/traces/sched/handler.c

@@ -0,0 +1,155 @@
+#include <fluent-bit/flb_input_plugin.h>
+#include <fluent-bit/flb_log_event_encoder.h>
+
+#include "common/events.h"
+#include "common/event_context.h"
+#include "common/encoder.h"
+
+#include "handler.h"
+
+int encode_sched_event(struct flb_log_event_encoder *log_encoder,
+                       const struct event *e)
+{
+    int ret;
+
+    ret = flb_log_event_encoder_begin_record(log_encoder);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        return -1;
+    }
+
+    ret = encode_common_fields(log_encoder, e);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+
+    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "cpu");
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+    ret = flb_log_event_encoder_append_body_uint32(log_encoder, e->details.sched.cpu);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+
+    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "prev_pid");
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+    ret = flb_log_event_encoder_append_body_uint32(log_encoder, e->details.sched.prev_pid);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+
+    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "prev_prio");
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+    ret = flb_log_event_encoder_append_body_int32(log_encoder, e->details.sched.prev_prio);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+
+    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "prev_state");
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+    ret = flb_log_event_encoder_append_body_int64(log_encoder, e->details.sched.prev_state);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+
+    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "next_pid");
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+    ret = flb_log_event_encoder_append_body_uint32(log_encoder, e->details.sched.next_pid);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+
+    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "next_prio");
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+    ret = flb_log_event_encoder_append_body_int32(log_encoder, e->details.sched.next_prio);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+
+    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "runq_latency_ns");
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+    ret = flb_log_event_encoder_append_body_uint64(log_encoder, e->details.sched.runq_latency_ns);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+
+    ret = flb_log_event_encoder_append_body_cstring(log_encoder, "wakeup_tracked");
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+    ret = flb_log_event_encoder_append_body_boolean(log_encoder, e->details.sched.wakeup_tracked);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        flb_log_event_encoder_rollback_record(log_encoder);
+        return -1;
+    }
+
+    ret = flb_log_event_encoder_commit_record(log_encoder);
+    if (ret != FLB_EVENT_ENCODER_SUCCESS) {
+        return -1;
+    }
+
+    return 0;
+}
+
+int trace_sched_handler(void *ctx, void *data, size_t data_sz)
+{
+    struct trace_event_context *event_ctx;
+    struct flb_log_event_encoder *encoder;
+    struct event *e;
+    int ret;
+
+    event_ctx = (struct trace_event_context *) ctx;
+    e = (struct event *) data;
+
+    if (data_sz < sizeof(struct event) || e->type != EVENT_TYPE_SCHED) {
+        return -1;
+    }
+
+    encoder = event_ctx->log_encoder;
+
+    ret = encode_sched_event(encoder, e);
+    if (ret != 0) {
+        return -1;
+    }
+
+    ret = flb_input_log_append(event_ctx->ins,
+                               NULL,
+                               0,
+                               encoder->output_buffer,
+                               encoder->output_length);
+    if (ret == -1) {
+        return -1;
+    }
+
+    flb_log_event_encoder_reset(encoder);
+
+    return 0;
+}

plugins/in_ebpf/traces/sched/handler.h

@@ -0,0 +1,13 @@
+#ifndef SCHED_HANDLER_H
+#define SCHED_HANDLER_H
+
+#include <fluent-bit/flb_log_event_encoder.h>
+#include <stddef.h>
+
+#include "common/events.h"
+
+int encode_sched_event(struct flb_log_event_encoder *log_encoder,
+                       const struct event *e);
+int trace_sched_handler(void *ctx, void *data, size_t data_sz);
+
+#endif

plugins/in_ebpf/traces/traces.h

@@ -10,6 +10,7 @@
 #include "generated/trace_tcp.skel.h"
 #include "generated/trace_exec.skel.h"
 #include "generated/trace_dns.skel.h"
+#include "generated/trace_sched.skel.h"
 
 #include "bind/handler.h"
 #include "signal/handler.h"  // Include signal handler
@@ -18,6 +19,7 @@
 #include "tcp/handler.h"
 #include "exec/handler.h"
 #include "dns/handler.h"
+#include "sched/handler.h"
 
 /* Skeleton function pointer types */
 typedef void *(*trace_skel_open_func_t)(void);
@@ -72,6 +74,7 @@ DEFINE_GET_BPF_OBJECT(trace_vfs)
 DEFINE_GET_BPF_OBJECT(trace_tcp)
 DEFINE_GET_BPF_OBJECT(trace_exec)
 DEFINE_GET_BPF_OBJECT(trace_dns)
+DEFINE_GET_BPF_OBJECT(trace_sched)
 
 static struct trace_registration trace_table[] = {
     REGISTER_TRACE(trace_signal, trace_signal_handler),
@@ -81,6 +84,7 @@ static struct trace_registration trace_table[] = {
     REGISTER_TRACE(trace_tcp, trace_tcp_handler),
     REGISTER_TRACE(trace_exec, trace_exec_handler),
     REGISTER_TRACE(trace_dns, trace_dns_handler),
+    REGISTER_TRACE(trace_sched, trace_sched_handler),
 };
 
 #endif // TRACE_TRACES_H