probes: BPF uprobe service that ships fires through the log interface

Add a probes package that:
  - parses a YAML config of (symbol, file_match regex) pairs and assigns
    a 1-based spec_id per entry;
  - loads an embedded BPF uprobe program (probe.bpf.amd64, built by
    `make probes-bpf`) that emits one ringbuf record per fire carrying
    ktime/pid/tid/comm/spec_id;
  - on each newly-observed executable, regex-matches its path and
    attaches an exec.Uprobe per matching spec, encoding the spec_id in
    the uprobe cookie;
  - drains the ringbuf in a goroutine and forwards each event as a
    reporter.LogEvent (Body=symbol, attrs=pid/tid/comm/spec_id) via
    reporter.ParcaReporter.ReportLogEvents. The BPF service no longer
    owns the Arrow log stream — that lives in the reporter package now.

Reporter integration is via two small additions: a ProbesHook interface
(OnExecutable) plus a SetProbes setter on arrowReporter so ReportExecutable
can notify the BPF service to attach to fresh binaries.

Wires the existing --probe-config flag through main.go: when set, the
service is started with the parca reporter; offline mode is rejected
since log streaming needs a gRPC conn.

Author: gnurizen

.gitignore

@@ -6,6 +6,9 @@
 /out
 /bin
 *.bpf.o
+probes/bpf/*.amd64
+probes/bpf/*.arm64
+probes/bpf/*.ll
 TODO.md
 minikube-*
 /data

Makefile

@@ -1,7 +1,21 @@
-.PHONY: all crossbuild build build-debug snap
+.PHONY: all crossbuild build build-debug snap probes-bpf
+
+GOARCH ?= $(shell go env GOARCH)
+PROBES_BPF_OBJ := probes/bpf/probe.bpf.$(GOARCH)
+CLANG ?= clang
 
 all: crossbuild
 
+probes-bpf: $(PROBES_BPF_OBJ)
+
+# Compiles the simple-probes-v1 uprobe program. Requires clang with the bpf
+# target and libbpf headers (libbpf-dev / libbpf-devel).
+$(PROBES_BPF_OBJ): probes/bpf/probe.bpf.c
+	$(CLANG) -O2 -g -target bpf \
+		-D__TARGET_ARCH_$(GOARCH) \
+		-Wall -Werror \
+		-c $< -o $@
+
 crossbuild:
 	DOCKER_CLI_EXPERIMENTAL="enabled" docker run \
 		--rm \
@@ -13,10 +27,10 @@ crossbuild:
 		docker.io/goreleaser/goreleaser-cross:v1.22.4 \
 		release --snapshot --clean --skip=publish --verbose
 
-build:
+build: probes-bpf
 	go build -o parca-agent -buildvcs=false -ldflags="-extldflags=-static" -tags osusergo,netgo
 
-build-debug:
+build-debug: probes-bpf
 	go build -o parca-agent-debug -buildvcs=false -ldflags="-extldflags=-static" -tags osusergo,netgo -gcflags "all=-N -l"
 
 snap: crossbuild

flags/flags.go

@@ -164,6 +164,8 @@ type Flags struct {
 	MergeGpuProfiles bool `default:"false" help:"Report GPU kernel timing and GPU PC sampling under a single gpu_time/nanoseconds sample_type, differentiated by a gpu_view label (pc_sample|kernel_time). When false (the default), they are reported as separate sample_types (gpu_kernel_time/nanoseconds and gpu_pcsample/count) with no per-sample labels."`
 
 	OTLPLogging bool `default:"false" help:"Forward parca-agent's own logrus output to the remote-store as OTLP log records (in addition to local stderr). Requires a remote-store; ignored in offline mode."`
+
+	ProbeConfig string `default:"" help:"Path to a YAML file declaring uprobe attachments. When set, parca-agent attaches a uprobe per matching binary and streams probe-fire events to the configured remote-store as OTLP/Arrow logs. Empty disables the feature."`
 }
 
 type ExitCode int

main.go

@@ -61,6 +61,7 @@ import (
 	"github.com/parca-dev/parca-agent/flags"
 	"github.com/parca-dev/parca-agent/oom"
 	"github.com/parca-dev/parca-agent/parcagpu"
+	"github.com/parca-dev/parca-agent/probes"
 	"github.com/parca-dev/parca-agent/reporter"
 	"github.com/parca-dev/parca-agent/uploader"
 )
@@ -443,6 +444,24 @@ func mainWithExitCode() flags.ExitCode {
 		}
 	}
 
+	if f.ProbeConfig != "" {
+		if grpcConn == nil {
+			return flags.Failure("--probe-config requires a remote-store; cannot be used in offline mode")
+		}
+		probesSvc, err := probes.Start(mainCtx, probes.StartConfig{
+			ConfigPath: f.ProbeConfig,
+		}, parcaReporter)
+		if err != nil {
+			return flags.Failure("Failed to start probes: %v", err)
+		}
+		parcaReporter.SetProbes(probesSvc)
+		defer func() {
+			if err := probesSvc.Close(); err != nil {
+				log.Warnf("probes: close: %v", err)
+			}
+		}()
+	}
+
 	includeEnvVars := libpf.Set[string]{}
 	if len(f.IncludeEnvVar) > 0 {
 		for _, env := range f.IncludeEnvVar {

probes/attach.go

@@ -0,0 +1,154 @@
+//go:build linux
+
+package probes
+
+import (
+	"context"
+	"sync"
+
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/link"
+	log "github.com/sirupsen/logrus"
+	"go.opentelemetry.io/ebpf-profiler/libpf"
+)
+
+// attachReq is enqueued by OnExecutable for the worker goroutine to process.
+type attachReq struct {
+	filePath string
+	fileID   libpf.FileID
+	specs    []ProbeSpec
+}
+
+// attacher owns the state for matching new binaries against the spec list and
+// attaching paired entry/exit uprobes to them on a worker goroutine. The
+// hot-path callback only holds the mutex long enough to dedupe by FileID and
+// run regexes.
+type attacher struct {
+	progEntry *ebpf.Program
+	progExit  *ebpf.Program
+	specs     []ProbeSpec
+
+	mu       sync.Mutex
+	attached map[libpf.FileID]struct{}
+	links    map[libpf.FileID][]link.Link
+
+	queue chan attachReq
+}
+
+func newAttacher(progEntry, progExit *ebpf.Program, specs []ProbeSpec, queueDepth int) *attacher {
+	return &attacher{
+		progEntry: progEntry,
+		progExit:  progExit,
+		specs:     specs,
+		attached:  make(map[libpf.FileID]struct{}),
+		links:     make(map[libpf.FileID][]link.Link),
+		queue:     make(chan attachReq, queueDepth),
+	}
+}
+
+// OnExecutable is the cheap-path callback invoked from the otel ebpf-profiler
+// reporter goroutine. It must not block: dedupe, regex-match, and enqueue.
+// All disk I/O happens in attachWorker.
+func (a *attacher) OnExecutable(filePath string, fileID libpf.FileID) {
+	a.mu.Lock()
+	if _, seen := a.attached[fileID]; seen {
+		a.mu.Unlock()
+		return
+	}
+	a.attached[fileID] = struct{}{}
+	a.mu.Unlock()
+
+	var matched []ProbeSpec
+	for _, s := range a.specs {
+		if s.FileMatchRE.MatchString(filePath) {
+			matched = append(matched, s)
+		}
+	}
+	if len(matched) == 0 {
+		log.Debugf("probes: received %s (fileID=%s) — no spec matched", filePath, fileID.StringNoQuotes())
+		return
+	}
+	log.Debugf("probes: received %s (fileID=%s) — %d spec(s) matched", filePath, fileID.StringNoQuotes(), len(matched))
+
+	select {
+	case a.queue <- attachReq{filePath: filePath, fileID: fileID, specs: matched}:
+	default:
+		// Queue full: log and forget. We've already marked this fileID as
+		// "seen" so we won't try again, which is fine for v1 — the user
+		// can restart with a smaller probe-config or a deeper queue.
+		log.Warnf("probes: attach queue full, dropping %s (fileID=%s)", filePath, fileID.StringNoQuotes())
+	}
+}
+
+// run is the attachWorker goroutine. Returns when the queue is drained after
+// ctx is cancelled.
+func (a *attacher) run(ctx context.Context) {
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case req := <-a.queue:
+			a.handle(req)
+		}
+	}
+}
+
+func (a *attacher) handle(req attachReq) {
+	ex, err := link.OpenExecutable(req.filePath)
+	if err != nil {
+		log.Warnf("probes: open executable %s: %v", req.filePath, err)
+		return
+	}
+
+	var newLinks []link.Link
+	for _, s := range req.specs {
+		cookie := s.Cookie()
+
+		entryLink, err := ex.Uprobe(s.EntrySymbol, a.progEntry, &link.UprobeOptions{
+			Cookie: cookie,
+			PID:    0,
+		})
+		if err != nil {
+			log.Warnf("probes: attach entry %s @ %s: %v", s.EntrySymbol, req.filePath, err)
+			continue
+		}
+		exitLink, err := ex.Uprobe(s.ExitSymbol, a.progExit, &link.UprobeOptions{
+			Cookie: cookie,
+			PID:    0,
+		})
+		if err != nil {
+			log.Warnf("probes: attach exit %s @ %s: %v", s.ExitSymbol, req.filePath, err)
+			// Roll back the entry uprobe so we don't have orphan stack pushes
+			// with no exit to drain them.
+			if cerr := entryLink.Close(); cerr != nil {
+				log.Warnf("probes: rollback entry %s: %v", s.EntrySymbol, cerr)
+			}
+			continue
+		}
+		newLinks = append(newLinks, entryLink, exitLink)
+		log.Debugf("probes: attached pair %s/%s @ %s (spec_id=%d, id=%s)",
+			s.EntrySymbol, s.ExitSymbol, req.filePath, s.SpecID, s.ID)
+	}
+	if len(newLinks) == 0 {
+		return
+	}
+
+	a.mu.Lock()
+	a.links[req.fileID] = append(a.links[req.fileID], newLinks...)
+	a.mu.Unlock()
+}
+
+// closeAllLinks tears down every attached uprobe link. Called from
+// service.Close.
+func (a *attacher) closeAllLinks() {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	for fid, links := range a.links {
+		for _, l := range links {
+			if err := l.Close(); err != nil {
+				log.Warnf("probes: close link for fileID=%s: %v", fid.StringNoQuotes(), err)
+			}
+		}
+	}
+	a.links = nil
+}

probes/bpf/README.md

@@ -0,0 +1,11 @@
+# probes BPF
+
+`probe.bpf.c` is the kernel-side uprobe program. The compiled outputs
+`probe.bpf.amd64` and `probe.bpf.arm64` are produced by `make probes-bpf`
+in the parca-agent repository root and are git-ignored.
+
+This README is committed so `//go:embed bpf` in `../loader.go` always has
+a valid embed target even before the BPF object is compiled.
+
+Build dependencies: clang (>= 14, with the bpf target) and the libbpf
+headers (`bpf/bpf_helpers.h` etc., from libbpf-dev / libbpf-devel).