searchusermenu
  • 发布文章
  • 消息中心
点赞
收藏
评论
分享
原创

k8s拓扑感知工具kindling分析

2024-04-29 03:23:45
24
0

一、概述

1、简介

Kindling是一个基于eBPF的云原生监控工具,旨在帮助用户了解从内核到代码堆栈的应用程序行为。通过跟踪分析,用户能够轻松了解应用程序的行为,并在几秒钟内找到根本原因。除了跟踪分析外,Kinling还提供了一种简单的方法来了解Kubernetes环境中的网络流,以及许多内置的网络监控仪表板,如TCP重传、DNS、吞吐量和TPS。

2、架构

二、关键原理分析

3.1 eBPF使用分析

3.2 kindling-agent

  • eBPF采集器,监听内核中与socket有关的event,采集eBPF监控数据并聚合
  • 从apiserver获取pod、service、node相关信息,将k8s资源与socket信息关联
  • 提供prometheus exporter,将聚合的eBPF数据以监控指标方式暴露

 

3.3 grafana topo plugin

grafana面板插件,提供拓扑图功能

3.4 支持的socket指标维度

  • Latency:时延
  • Calls:请求数
  • Error Rate:错误率
  • Sent Volume:发送包总量
  • Receive Volume:接收包总量
  • SRTT:RTT 的平滑计算值
  • Retransmit:tcp重传次数
  • Package Lost:丢包数
  • Connection Failure:建连失败率

 

四、核心源码分析

4.1 kindling-agent

BPF回调事件处理逻辑

BPF回调事件处理逻辑

int getEvent(void** pp_kindling_event) {
  int32_t res;
  sinsp_evt* ev;
  res = inspector->next(&ev);

  ppm_event_category category;
  int result = is_normal_event(res, ev, &category);
  if (result == -1) {
    return -1;
  }
  auto threadInfo = ev->get_thread_info();
  if (is_start_profile &&
      (ev->get_type() == PPME_SYSCALL_EXECVE_8_X || ev->get_type() == PPME_SYSCALL_EXECVE_13_X ||
       ev->get_type() == PPME_SYSCALL_EXECVE_15_X || ev->get_type() == PPME_SYSCALL_EXECVE_16_X ||
       ev->get_type() == PPME_SYSCALL_EXECVE_17_X || ev->get_type() == PPME_SYSCALL_EXECVE_18_X ||
       ev->get_type() == PPME_SYSCALL_EXECVE_19_X || ev->get_type() == PPME_SYSCALL_CLONE_11_X ||
       ev->get_type() == PPME_SYSCALL_CLONE_16_X || ev->get_type() == PPME_SYSCALL_CLONE_17_X ||
       ev->get_type() == PPME_SYSCALL_CLONE_20_X || ev->get_type() == PPME_SYSCALL_FORK_X ||
       ev->get_type() == PPME_SYSCALL_FORK_17_X || ev->get_type() == PPME_SYSCALL_FORK_20_X ||
       ev->get_type() == PPME_SYSCALL_VFORK_X || ev->get_type() == PPME_SYSCALL_VFORK_17_X ||
       ev->get_type() == PPME_SYSCALL_VFORK_20_X) &&
      threadInfo->is_main_thread()) {
    if (strstr(threadInfo->m_comm.c_str(), "java") != NULL) {
      string pid_str = std::to_string(threadInfo->m_pid);
      char* temp_char = (char*)pid_str.data();
      thread attach(attach_pid, temp_char, true, true, false, false);
      attach.join();
    }
  }
  uint16_t kindling_category = get_kindling_category(ev);
  uint16_t ev_type = ev->get_type();

  print_event(ev);
  if (ev_type != PPME_CPU_ANALYSIS_E && is_profile_debug && threadInfo->m_tid == debug_tid &&
      threadInfo->m_pid == debug_pid) {
    print_profile_debug_info(ev);
  }
  kindling_event_t_for_go* p_kindling_event;
  init_kindling_event(p_kindling_event, pp_kindling_event);

  sinsp_fdinfo_t* fdInfo = ev->get_fd_info();
  p_kindling_event = (kindling_event_t_for_go*)*pp_kindling_event;
  uint16_t userAttNumber = 0;
  uint16_t source = get_kindling_source(ev->get_type());
  if (is_start_profile) {
    for (auto it = qls.begin(); it != qls.end(); it++) {
      KindlingInterface* plugin = qobject_cast<KindlingInterface*>(*it);
      if (plugin) {
        plugin->addCache(ev, inspector);
      }
    }
  }

  if (is_start_profile && ev->get_type() == PPME_SYSCALL_WRITE_X && fdInfo != nullptr &&
      fdInfo->is_file()) {
    auto data_param = ev->get_param_value_raw("data");
    if (data_param != nullptr) {
      char* data_val = data_param->m_val;
      if (data_param->m_len > 6 && memcmp(data_val, "kd-jf@", 6) == 0) {
        parse_jf(data_val, *data_param, p_kindling_event, threadInfo, userAttNumber);
        return 1;
      }
      if (data_param->m_len > 8 && memcmp(data_val, "kd-txid@", 8) == 0) {
        parse_xtid(ev, data_val, *data_param, p_kindling_event, threadInfo, userAttNumber);
        return 1;
      }
      if (data_param->m_len > 8 && memcmp(data_val, "kd-span@", 8) == 0) {
        parse_span(ev, data_val, *data_param, p_kindling_event, threadInfo, userAttNumber);
        return 1;
      }
      if (data_param->m_len > 6 && memcmp(data_val, "kd-tm@", 6) == 0) {
        parse_tm(data_val, *data_param, threadInfo);
        return -1;
      }
    }
  }

  if (is_start_profile && ev_type == PPME_CPU_ANALYSIS_E) {
    char* tmp_comm;

    map<uint64_t, char*>::iterator key =
        ptid_comm.find(threadInfo->m_pid << 32 | (threadInfo->m_tid & 0xFFFFFFFF));
    if (key != ptid_comm.end()) {
      tmp_comm = key->second;
    } else {
      tmp_comm = (char*)threadInfo->m_comm.data();
    }

    strcpy(p_kindling_event->context.tinfo.comm, tmp_comm);
    return cpuConverter->convert(p_kindling_event, ev, qls, is_profile_debug, debug_pid, debug_tid);
  }

  if (event_filters[ev_type][kindling_category] == 0) {
    return -1;
  }

  if (source == SYSCALL_EXIT) {
    p_kindling_event->latency = threadInfo->m_latency;
  }
  p_kindling_event->timestamp = ev->get_ts();
  p_kindling_event->category = kindling_category;
  p_kindling_event->context.tinfo.pid = threadInfo->m_pid;
  p_kindling_event->context.tinfo.tid = threadInfo->m_tid;
  p_kindling_event->context.tinfo.uid = threadInfo->m_uid;
  p_kindling_event->context.tinfo.gid = threadInfo->m_gid;
  p_kindling_event->context.fdInfo.num = ev->get_fd_num();
  if (nullptr != fdInfo) {
    p_kindling_event->context.fdInfo.fdType = fdInfo->m_type;

    switch (fdInfo->m_type) {
      case SCAP_FD_FILE:
      case SCAP_FD_FILE_V2: {
        string name = fdInfo->m_name;
        size_t pos = name.rfind('/');
        if (pos != string::npos) {
          if (pos < name.size() - 1) {
            string fileName = name.substr(pos + 1, string::npos);
            memcpy(p_kindling_event->context.fdInfo.filename, fileName.data(), fileName.length());
            if (pos != 0) {
              name.resize(pos);

              strcpy(p_kindling_event->context.fdInfo.directory, (char*)name.data());
            } else {
              strcpy(p_kindling_event->context.fdInfo.directory, "/");
            }
          }
        }
        break;
      }
      case SCAP_FD_IPV4_SOCK:
        p_kindling_event->context.fdInfo.protocol = get_protocol(fdInfo->get_l4proto());
        p_kindling_event->context.fdInfo.role = fdInfo->is_role_server();
        p_kindling_event->context.fdInfo.sip[0] = fdInfo->m_sockinfo.m_ipv4info.m_fields.m_sip;
        p_kindling_event->context.fdInfo.dip[0] = fdInfo->m_sockinfo.m_ipv4info.m_fields.m_dip;
        p_kindling_event->context.fdInfo.sport = fdInfo->m_sockinfo.m_ipv4info.m_fields.m_sport;
        p_kindling_event->context.fdInfo.dport = fdInfo->m_sockinfo.m_ipv4info.m_fields.m_dport;
        break;
      case SCAP_FD_IPV4_SERVSOCK:
        p_kindling_event->context.fdInfo.protocol = get_protocol(fdInfo->get_l4proto());
        p_kindling_event->context.fdInfo.role = fdInfo->is_role_server();
        p_kindling_event->context.fdInfo.dip[0] = fdInfo->m_sockinfo.m_ipv4serverinfo.m_ip;
        p_kindling_event->context.fdInfo.dport = fdInfo->m_sockinfo.m_ipv4serverinfo.m_port;
        break;
      case SCAP_FD_IPV6_SOCK:
        p_kindling_event->context.fdInfo.protocol = get_protocol(fdInfo->get_l4proto());
        p_kindling_event->context.fdInfo.role = fdInfo->is_role_server();
        memcpy(p_kindling_event->context.fdInfo.sip, fdInfo->m_sockinfo.m_ipv6info.m_fields.m_sip.m_b, sizeof(fdInfo->m_sockinfo.m_ipv6info.m_fields.m_sip.m_b));
        memcpy(p_kindling_event->context.fdInfo.dip, fdInfo->m_sockinfo.m_ipv6info.m_fields.m_dip.m_b, sizeof(fdInfo->m_sockinfo.m_ipv6info.m_fields.m_dip.m_b));
        p_kindling_event->context.fdInfo.sport = fdInfo->m_sockinfo.m_ipv6info.m_fields.m_sport;
        p_kindling_event->context.fdInfo.dport = fdInfo->m_sockinfo.m_ipv6info.m_fields.m_dport;
        break;
      case SCAP_FD_IPV6_SERVSOCK:
        p_kindling_event->context.fdInfo.protocol = get_protocol(fdInfo->get_l4proto());
        p_kindling_event->context.fdInfo.role = fdInfo->is_role_server();
        memcpy(p_kindling_event->context.fdInfo.dip, fdInfo->m_sockinfo.m_ipv6serverinfo.m_ip.m_b, sizeof(fdInfo->m_sockinfo.m_ipv6serverinfo.m_ip.m_b));
        p_kindling_event->context.fdInfo.dport = fdInfo->m_sockinfo.m_ipv6serverinfo.m_port;
        break;
      case SCAP_FD_UNIX_SOCK:
        p_kindling_event->context.fdInfo.source = fdInfo->m_sockinfo.m_unixinfo.m_fields.m_source;
        p_kindling_event->context.fdInfo.destination =
            fdInfo->m_sockinfo.m_unixinfo.m_fields.m_dest;
        break;
      default:
        break;
    }
  }

  switch (ev->get_type()) {
    case PPME_TCP_RCV_ESTABLISHED_E:
    case PPME_TCP_CLOSE_E: {
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);

      auto pRtt = ev->get_param_value_raw("srtt");
      if (pRtt != NULL) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "rtt");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, pRtt->m_val, pRtt->m_len);
        p_kindling_event->userAttributes[userAttNumber].valueType = UINT32;
        p_kindling_event->userAttributes[userAttNumber].len = pRtt->m_len;
        userAttNumber++;
      }
      break;
    }
    case PPME_TCP_CONNECT_X: {
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);
      auto pRetVal = ev->get_param_value_raw("retval");
      if (pRetVal != NULL) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "retval");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, pRetVal->m_val,
               pRetVal->m_len);
        p_kindling_event->userAttributes[userAttNumber].valueType = UINT64;
        p_kindling_event->userAttributes[userAttNumber].len = pRetVal->m_len;
        userAttNumber++;
      }
      break;
    }
    case PPME_TCP_DROP_E:
    case PPME_TCP_SET_STATE_E: {
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);
      auto old_state = ev->get_param_value_raw("old_state");
      if (old_state != NULL) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "old_state");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, old_state->m_val,
               old_state->m_len);
        p_kindling_event->userAttributes[userAttNumber].len = old_state->m_len;
        p_kindling_event->userAttributes[userAttNumber].valueType = INT32;
        userAttNumber++;
      }
      auto new_state = ev->get_param_value_raw("new_state");
      if (new_state != NULL) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "new_state");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, new_state->m_val,
               new_state->m_len);
        p_kindling_event->userAttributes[userAttNumber].valueType = INT32;
        p_kindling_event->userAttributes[userAttNumber].len = new_state->m_len;
        userAttNumber++;
      }
      break;
    }
    case PPME_TCP_SEND_RESET_E:
    case PPME_TCP_RECEIVE_RESET_E: {
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);
      break;
    }
    case PPME_TCP_RETRANCESMIT_SKB_E:{
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);

      auto segs = ev->get_param_value_raw("segs");
      if (segs != NULL){
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "segs");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, segs->m_val,
               segs->m_len);
        p_kindling_event->userAttributes[userAttNumber].len = segs->m_len;
        p_kindling_event->userAttributes[userAttNumber].valueType = INT32;
        userAttNumber++;
      }
      break;
    }
    default: {
      uint16_t paramsNumber = ev->get_num_params();
      // Since current data structure specifies the maximum count of `user_attributes`
      if ((paramsNumber + userAttNumber) > MAX_USERATTR_NUM) {
        paramsNumber = MAX_USERATTR_NUM - userAttNumber;
      }
      // TODO Add another branch to verify the number of userAttNumber is less than MAX_USERATTR_NUM
      // after the program becomes more complexd
      for (auto i = 0; i < paramsNumber; i++) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, (char*)ev->get_param_name(i));
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, ev->get_param(i)->m_val,
               ev->get_param(i)->m_len);
        p_kindling_event->userAttributes[userAttNumber].len = ev->get_param(i)->m_len;
        p_kindling_event->userAttributes[userAttNumber].valueType =
            get_type(ev->get_param_info(i)->type);
        userAttNumber++;
      }
    }
  }
  p_kindling_event->paramsNumber = userAttNumber;
  strcpy(p_kindling_event->name, (char*)ev->get_name());
  char* tmp_comm;
  map<uint64_t, char*>::iterator key =
      ptid_comm.find(threadInfo->m_pid << 32 | (threadInfo->m_tid & 0xFFFFFFFF));
  if (key != ptid_comm.end()) {
    tmp_comm = key->second;
  } else {
    tmp_comm = (char*)threadInfo->m_comm.data();
  }
  strcpy(p_kindling_event->context.tinfo.comm, tmp_comm);
  strcpy(p_kindling_event->context.tinfo.containerId, (char*)threadInfo->m_container_id.data());
  return 1;
}

支持的事件列表

const static event kindling_to_sysdig[PPM_EVENT_MAX] = {
    {"syscall_enter-open", PPME_SYSCALL_OPEN_E},
    {"syscall_exit-open", PPME_SYSCALL_OPEN_X},
    {"syscall_enter-close", PPME_SYSCALL_CLOSE_E},
    {"syscall_exit-close", PPME_SYSCALL_CLOSE_X},
    {"syscall_enter-read", PPME_SYSCALL_READ_E},
    {"syscall_exit-read", PPME_SYSCALL_READ_X},
    {"syscall_enter-write", PPME_SYSCALL_WRITE_E},
    {"syscall_exit-write", PPME_SYSCALL_WRITE_X},
    {"syscall_enter-brk", PPME_SYSCALL_BRK_4_E},
    {"syscall_exit-brk", PPME_SYSCALL_BRK_4_X},
    {"syscall_enter-execve", PPME_SYSCALL_EXECVE_19_E},
    {"syscall_exit-execve", PPME_SYSCALL_EXECVE_19_X},
    {"syscall_enter-clone", PPME_SYSCALL_CLONE_20_E},
    {"syscall_exit-clone", PPME_SYSCALL_CLONE_20_X},
    {"syscall_enter-socket", PPME_SOCKET_SOCKET_E},
    {"syscall_exit-socket", PPME_SOCKET_SOCKET_X},
    {"syscall_enter-bind", PPME_SOCKET_BIND_E},
    {"syscall_exit-bind", PPME_SOCKET_BIND_X},
    {"syscall_enter-connect", PPME_SOCKET_CONNECT_E},
    {"syscall_exit-connect", PPME_SOCKET_CONNECT_X},
    {"syscall_enter-listen", PPME_SOCKET_LISTEN_E},
    {"syscall_exit-listen", PPME_SOCKET_LISTEN_X},
    {"syscall_enter-accept", PPME_SOCKET_ACCEPT_5_E},
    {"syscall_exit-accept", PPME_SOCKET_ACCEPT_5_X},
    {"syscall_enter-accept4", PPME_SOCKET_ACCEPT4_5_E},
    {"syscall_exit-accept4", PPME_SOCKET_ACCEPT4_5_X},
    {"syscall_enter-sendto", PPME_SOCKET_SENDTO_E},
    {"syscall_exit-sendto", PPME_SOCKET_SENDTO_X},
    {"syscall_enter-recvfrom", PPME_SOCKET_RECVFROM_E},
    {"syscall_exit-recvfrom", PPME_SOCKET_RECVFROM_X},
    {"syscall_enter-shutdown", PPME_SOCKET_SHUTDOWN_E},
    {"syscall_exit-shutdown", PPME_SOCKET_SHUTDOWN_X},
    {"syscall_enter-getsockname", PPME_SOCKET_GETSOCKNAME_E},
    {"syscall_exit-getsockname", PPME_SOCKET_GETSOCKNAME_X},
    {"syscall_enter-getpeername", PPME_SOCKET_GETPEERNAME_E},
    {"syscall_exit-getpeername", PPME_SOCKET_GETPEERNAME_X},
    {"syscall_enter-socketpair", PPME_SOCKET_SOCKETPAIR_E},
    {"syscall_exit-socketpair", PPME_SOCKET_SOCKETPAIR_X},
    {"syscall_enter-setsockopt", PPME_SOCKET_SETSOCKOPT_E},
    {"syscall_exit-setsockopt", PPME_SOCKET_SETSOCKOPT_X},
    {"syscall_enter-getsockopt", PPME_SOCKET_GETSOCKOPT_E},
    {"syscall_exit-getsockopt", PPME_SOCKET_GETSOCKOPT_X},
    {"syscall_enter-sendmsg", PPME_SOCKET_SENDMSG_E},
    {"syscall_exit-sendmsg", PPME_SOCKET_SENDMSG_X},
    {"syscall_enter-sendmmsg", PPME_SOCKET_SENDMMSG_E},
    {"syscall_exit-sendmmsg", PPME_SOCKET_SENDMMSG_X},
    {"syscall_enter-recvmsg", PPME_SOCKET_RECVMSG_E},
    {"syscall_exit-recvmsg", PPME_SOCKET_RECVMSG_X},
    {"syscall_enter-recvmmsg", PPME_SOCKET_RECVMMSG_E},
    {"syscall_exit-recvmmsg", PPME_SOCKET_RECVMMSG_X},
    {"syscall_enter-sendfile", PPME_SYSCALL_SENDFILE_E},
    {"syscall_exit-sendfile", PPME_SYSCALL_SENDFILE_X},
    {"syscall_enter-creat", PPME_SYSCALL_CREAT_E},
    {"syscall_exit-creat", PPME_SYSCALL_CREAT_X},
    {"syscall_enter-pipe", PPME_SYSCALL_PIPE_E},
    {"syscall_exit-pipe", PPME_SYSCALL_PIPE_X},
    {"syscall_enter-pipe2", PPME_SYSCALL_PIPE_E},
    {"syscall_exit-pipe2", PPME_SYSCALL_PIPE_X},
    {"syscall_enter-eventfd", PPME_SYSCALL_EVENTFD_E},
    {"syscall_exit-eventfd", PPME_SYSCALL_EVENTFD_X},
    {"syscall_enter-eventfd2", PPME_SYSCALL_EVENTFD_E},
    {"syscall_exit-eventfd2", PPME_SYSCALL_EVENTFD_X},
    {"syscall_enter-futex", PPME_SYSCALL_FUTEX_E},
    {"syscall_exit-futex", PPME_SYSCALL_FUTEX_X},
    {"syscall_enter-stat", PPME_SYSCALL_STAT_E},
    {"syscall_exit-stat", PPME_SYSCALL_STAT_X},
    {"syscall_enter-lstat", PPME_SYSCALL_LSTAT_E},
    {"syscall_exit-lstat", PPME_SYSCALL_LSTAT_X},
    {"syscall_enter-fstat", PPME_SYSCALL_FSTAT_E},
    {"syscall_exit-fstat", PPME_SYSCALL_FSTAT_X},
    {"syscall_enter-stat64", PPME_SYSCALL_STAT64_E},
    {"syscall_exit-stat64", PPME_SYSCALL_STAT64_X},
    {"syscall_enter-lstat64", PPME_SYSCALL_LSTAT64_E},
    {"syscall_exit-lstat64", PPME_SYSCALL_LSTAT64_X},
    {"syscall_enter-fstat64", PPME_SYSCALL_FSTAT64_E},
    {"syscall_exit-fstat64", PPME_SYSCALL_FSTAT64_X},
    {"syscall_enter-epoll_wait", PPME_SYSCALL_EPOLLWAIT_E},
    {"syscall_exit-epoll_wait", PPME_SYSCALL_EPOLLWAIT_X},
    {"syscall_enter-poll", PPME_SYSCALL_POLL_E},
    {"syscall_exit-poll", PPME_SYSCALL_POLL_X},
    {"syscall_enter-ppoll", PPME_SYSCALL_PPOLL_E},
    {"syscall_exit-ppoll", PPME_SYSCALL_PPOLL_X},
    {"syscall_enter-select", PPME_SYSCALL_SELECT_E},
    {"syscall_exit-select", PPME_SYSCALL_SELECT_X},
    {"syscall_enter-lseek", PPME_SYSCALL_LSEEK_E},
    {"syscall_exit-lseek", PPME_SYSCALL_LSEEK_X},
    {"syscall_enter-llseek", PPME_SYSCALL_LLSEEK_E},
    {"syscall_exit-llseek", PPME_SYSCALL_LLSEEK_X},
    {"syscall_enter-getcwd", PPME_SYSCALL_GETCWD_E},
    {"syscall_exit-getcwd", PPME_SYSCALL_GETCWD_X},
    {"syscall_enter-chdir", PPME_SYSCALL_CHDIR_E},
    {"syscall_exit-chdir", PPME_SYSCALL_CHDIR_X},
    {"syscall_enter-fchdir", PPME_SYSCALL_FCHDIR_E},
    {"syscall_exit-fchdir", PPME_SYSCALL_FCHDIR_X},
    {"syscall_enter-mkdir", PPME_SYSCALL_MKDIR_2_E},
    {"syscall_exit-mkdir", PPME_SYSCALL_MKDIR_2_X},
    {"syscall_enter-mkdirat", PPME_SYSCALL_MKDIRAT_E},
    {"syscall_exit-mkdirat", PPME_SYSCALL_MKDIRAT_X},
    {"syscall_enter-rmdir", PPME_SYSCALL_RMDIR_2_E},
    {"syscall_exit-rmdir", PPME_SYSCALL_RMDIR_2_X},
    {"syscall_enter-unlink", PPME_SYSCALL_UNLINK_2_E},
    {"syscall_exit-unlink", PPME_SYSCALL_UNLINK_2_X},
    {"syscall_enter-unlinkat", PPME_SYSCALL_UNLINKAT_2_E},
    {"syscall_exit-unlinkat", PPME_SYSCALL_UNLINKAT_2_X},
    {"syscall_enter-openat", PPME_SYSCALL_OPENAT_2_E},
    {"syscall_exit-openat", PPME_SYSCALL_OPENAT_2_X},
    {"syscall_enter-link", PPME_SYSCALL_LINK_2_E},
    {"syscall_exit-link", PPME_SYSCALL_LINK_2_X},
    {"syscall_enter-linkat", PPME_SYSCALL_LINKAT_2_E},
    {"syscall_exit-linkat", PPME_SYSCALL_LINKAT_2_X},
    {"syscall_enter-pread", PPME_SYSCALL_PREAD_E},
    {"syscall_exit-pread", PPME_SYSCALL_PREAD_X},
    {"syscall_enter-pwrite", PPME_SYSCALL_PWRITE_E},
    {"syscall_exit-pwrite", PPME_SYSCALL_PWRITE_X},
    {"syscall_enter-readv", PPME_SYSCALL_READV_E},
    {"syscall_exit-readv", PPME_SYSCALL_READV_X},
    {"syscall_enter-writev", PPME_SYSCALL_WRITEV_E},
    {"syscall_exit-writev", PPME_SYSCALL_WRITEV_X},
    {"syscall_enter-preadv", PPME_SYSCALL_PREADV_E},
    {"syscall_exit-preadv", PPME_SYSCALL_PREADV_X},
    {"syscall_enter-pwritev", PPME_SYSCALL_PWRITEV_E},
    {"syscall_exit-pwritev", PPME_SYSCALL_PWRITEV_X},
    {"syscall_enter-dup", PPME_SYSCALL_DUP_E},
    {"syscall_exit-dup", PPME_SYSCALL_DUP_X},
    {"syscall_enter-dup2", PPME_SYSCALL_DUP_E},
    {"syscall_exit-dup2", PPME_SYSCALL_DUP_X},
    {"syscall_enter-dup3", PPME_SYSCALL_DUP_E},
    {"syscall_exit-dup3", PPME_SYSCALL_DUP_X},
    {"syscall_enter-signalfd", PPME_SYSCALL_SIGNALFD_E},
    {"syscall_exit-signalfd", PPME_SYSCALL_SIGNALFD_X},
    {"syscall_enter-signalfd4", PPME_SYSCALL_SIGNALFD_E},
    {"syscall_exit-signalfd4", PPME_SYSCALL_SIGNALFD_X},
    {"syscall_enter-kill", PPME_SYSCALL_KILL_E},
    {"syscall_exit-kill", PPME_SYSCALL_KILL_X},
    {"syscall_enter-tkill", PPME_SYSCALL_TKILL_E},
    {"syscall_exit-tkill", PPME_SYSCALL_TKILL_X},
    {"syscall_enter-tgkill", PPME_SYSCALL_TGKILL_E},
    {"syscall_exit-tgkill", PPME_SYSCALL_TGKILL_X},
    {"syscall_enter-nanosleep", PPME_SYSCALL_NANOSLEEP_E},
    {"syscall_exit-nanosleep", PPME_SYSCALL_NANOSLEEP_X},
    {"syscall_enter-timerfd_create", PPME_SYSCALL_TIMERFD_CREATE_E},
    {"syscall_exit-timerfd_create", PPME_SYSCALL_TIMERFD_CREATE_X},
    {"syscall_enter-inotify_init", PPME_SYSCALL_INOTIFY_INIT_E},
    {"syscall_exit-inotify_init", PPME_SYSCALL_INOTIFY_INIT_X},
    {"syscall_enter-inotify_init1", PPME_SYSCALL_INOTIFY_INIT_E},
    {"syscall_exit-inotify_init1", PPME_SYSCALL_INOTIFY_INIT_X},
    {"syscall_enter-getrlimit", PPME_SYSCALL_GETRLIMIT_E},
    {"syscall_exit-getrlimit", PPME_SYSCALL_GETRLIMIT_X},
    {"syscall_enter-setrlimit", PPME_SYSCALL_SETRLIMIT_E},
    {"syscall_exit-setrlimit", PPME_SYSCALL_SETRLIMIT_X},
    {"syscall_enter-prlimit", PPME_SYSCALL_PRLIMIT_E},
    {"syscall_exit-prlimit", PPME_SYSCALL_PRLIMIT_X},
    {"syscall_enter-fcntl", PPME_SYSCALL_FCNTL_E},
    {"syscall_exit-fcntl", PPME_SYSCALL_FCNTL_X},
    {"syscall_enter-ioctl", PPME_SYSCALL_IOCTL_3_E},
    {"syscall_exit-ioctl", PPME_SYSCALL_IOCTL_3_X},
    {"syscall_enter-mmap", PPME_SYSCALL_MMAP_E},
    {"syscall_exit-mmap", PPME_SYSCALL_MMAP_X},
    {"syscall_enter-mmap2", PPME_SYSCALL_MMAP2_E},
    {"syscall_exit-mmap2", PPME_SYSCALL_MMAP2_X},
    {"syscall_enter-munmap", PPME_SYSCALL_MUNMAP_E},
    {"syscall_exit-munmap", PPME_SYSCALL_MUNMAP_X},
    {"syscall_enter-splice", PPME_SYSCALL_SPLICE_E},
    {"syscall_exit-splice", PPME_SYSCALL_SPLICE_X},
    {"syscall_enter-ptrace", PPME_SYSCALL_PTRACE_E},
    {"syscall_exit-ptrace", PPME_SYSCALL_PTRACE_X},
    {"syscall_enter-rename", PPME_SYSCALL_RENAME_E},
    {"syscall_exit-rename", PPME_SYSCALL_RENAME_X},
    {"syscall_enter-renameat", PPME_SYSCALL_RENAMEAT_E},
    {"syscall_exit-renameat", PPME_SYSCALL_RENAMEAT_X},
    {"syscall_enter-symlink", PPME_SYSCALL_SYMLINK_E},
    {"syscall_exit-symlink", PPME_SYSCALL_SYMLINK_X},
    {"syscall_enter-symlinkat", PPME_SYSCALL_SYMLINKAT_E},
    {"syscall_exit-symlinkat", PPME_SYSCALL_SYMLINKAT_X},
    {"syscall_enter-fork", PPME_SYSCALL_FORK_20_E},
    {"syscall_exit-fork", PPME_SYSCALL_FORK_20_X},
    {"syscall_enter-vfork", PPME_SYSCALL_VFORK_20_E},
    {"syscall_exit-vfork", PPME_SYSCALL_VFORK_20_X},
    {"syscall_enter-quotactl", PPME_SYSCALL_QUOTACTL_E},
    {"syscall_exit-quotactl", PPME_SYSCALL_QUOTACTL_X},
    {"syscall_enter-setresuid", PPME_SYSCALL_SETRESUID_E},
    {"syscall_exit-setresuid", PPME_SYSCALL_SETRESUID_X},
    {"syscall_enter-setresgid", PPME_SYSCALL_SETRESGID_E},
    {"syscall_exit-setresgid", PPME_SYSCALL_SETRESGID_X},
    {"syscall_enter-setuid", PPME_SYSCALL_SETUID_E},
    {"syscall_exit-setuid", PPME_SYSCALL_SETUID_X},
    {"syscall_enter-setgid", PPME_SYSCALL_SETGID_E},
    {"syscall_exit-setgid", PPME_SYSCALL_SETGID_X},
    {"syscall_enter-getuid", PPME_SYSCALL_GETUID_E},
    {"syscall_exit-getuid", PPME_SYSCALL_GETUID_X},
    {"syscall_enter-geteuid", PPME_SYSCALL_GETEUID_E},
    {"syscall_exit-geteuid", PPME_SYSCALL_GETEUID_X},
    {"syscall_enter-getgid", PPME_SYSCALL_GETGID_E},
    {"syscall_exit-getgid", PPME_SYSCALL_GETGID_X},
    {"syscall_enter-getegid", PPME_SYSCALL_GETEGID_E},
    {"syscall_exit-getegid", PPME_SYSCALL_GETEGID_X},
    {"syscall_enter-getresuid", PPME_SYSCALL_GETRESUID_E},
    {"syscall_exit-getresuid", PPME_SYSCALL_GETRESUID_X},
    {"syscall_enter-getresgid", PPME_SYSCALL_GETRESGID_E},
    {"syscall_exit-getresgid", PPME_SYSCALL_GETRESGID_X},
    {"syscall_enter-getdents", PPME_SYSCALL_GETDENTS_E},
    {"syscall_exit-getdents", PPME_SYSCALL_GETDENTS_X},
    {"syscall_enter-getdents64", PPME_SYSCALL_GETDENTS64_E},
    {"syscall_exit-getdents64", PPME_SYSCALL_GETDENTS64_X},
    {"syscall_enter-setns", PPME_SYSCALL_SETNS_E},
    {"syscall_exit-setns", PPME_SYSCALL_SETNS_X},
    {"syscall_enter-flock", PPME_SYSCALL_FLOCK_E},
    {"syscall_exit-flock", PPME_SYSCALL_FLOCK_X},
    {"syscall_enter-semop", PPME_SYSCALL_SEMOP_E},
    {"syscall_exit-semop", PPME_SYSCALL_SEMOP_X},
    {"syscall_enter-semctl", PPME_SYSCALL_SEMCTL_E},
    {"syscall_exit-semctl", PPME_SYSCALL_SEMCTL_X},
    {"syscall_enter-mount", PPME_SYSCALL_MOUNT_E},
    {"syscall_exit-mount", PPME_SYSCALL_MOUNT_X},
    {"syscall_enter-umount", PPME_SYSCALL_UMOUNT_E},
    {"syscall_exit-umount", PPME_SYSCALL_UMOUNT_X},
    {"syscall_enter-semget", PPME_SYSCALL_SEMGET_E},
    {"syscall_exit-semget", PPME_SYSCALL_SEMGET_X},
    {"syscall_enter-access", PPME_SYSCALL_ACCESS_E},
    {"syscall_exit-access", PPME_SYSCALL_ACCESS_X},
    {"syscall_enter-chroot", PPME_SYSCALL_CHROOT_E},
    {"syscall_exit-chroot", PPME_SYSCALL_CHROOT_X},
    {"syscall_enter-setsid", PPME_SYSCALL_SETSID_E},
    {"syscall_exit-setsid", PPME_SYSCALL_SETSID_X},
    {"syscall_enter-setpgid", PPME_SYSCALL_SETPGID_E},
    {"syscall_exit-setpgid", PPME_SYSCALL_SETPGID_X},
    {"syscall_enter-unshare", PPME_SYSCALL_UNSHARE_E},
    {"syscall_exit-unshare", PPME_SYSCALL_UNSHARE_X},
    {"syscall_enter-bpf", PPME_SYSCALL_BPF_E},
    {"syscall_exit-bpf", PPME_SYSCALL_BPF_X},
    {"syscall_enter-seccomp", PPME_SYSCALL_SECCOMP_E},
    {"syscall_exit-seccomp", PPME_SYSCALL_SECCOMP_X},
    {"syscall_enter-fchmodat", PPME_SYSCALL_FCHMODAT_E},
    {"syscall_exit-fchmodat", PPME_SYSCALL_FCHMODAT_X},
    {"syscall_enter-chmod", PPME_SYSCALL_CHMOD_E},
    {"syscall_exit-chmod", PPME_SYSCALL_CHMOD_X},
    {"syscall_enter-fchmod", PPME_SYSCALL_FCHMOD_E},
    {"syscall_exit-fchmod", PPME_SYSCALL_FCHMOD_X},
    {"tracepoint-sched_switch", PPME_SCHEDSWITCH_6_E},
    {"tracepoint-signaldeliver", PPME_SIGNALDELIVER_E},
    {"tracepoint-signaldeliver", PPME_SIGNALDELIVER_X},
    {"syscall_enter-alarm", PPME_GENERIC_E},
    {"syscall_exit-alarm", PPME_GENERIC_X},
    {"syscall_enter-epoll_create", PPME_GENERIC_E},
    {"syscall_exit-epoll_create", PPME_GENERIC_X},
    {"syscall_enter-epoll_ctl", PPME_GENERIC_E},
    {"syscall_exit-epoll_ctl", PPME_GENERIC_X},
    {"syscall_enter-lchown", PPME_GENERIC_E},
    {"syscall_exit-lchown", PPME_GENERIC_X},
    {"syscall_enter-old_select", PPME_GENERIC_E},
    {"syscall_exit-old_select", PPME_GENERIC_X},
    {"syscall_enter-pause", PPME_GENERIC_E},
    {"syscall_exit-pause", PPME_GENERIC_X},
    {"syscall_enter-process_vm_readv", PPME_GENERIC_E},
    {"syscall_exit-process_vm_readv", PPME_GENERIC_X},
    {"syscall_enter-process_vm_writev", PPME_GENERIC_E},
    {"syscall_exit-process_vm_writev", PPME_GENERIC_X},
    {"syscall_enter-pselect6", PPME_GENERIC_E},
    {"syscall_exit-pselect6", PPME_GENERIC_X},
    {"syscall_enter-sched_getparam", PPME_GENERIC_E},
    {"syscall_exit-sched_getparam", PPME_GENERIC_X},
    {"syscall_enter-sched_setparam", PPME_GENERIC_E},
    {"syscall_exit-sched_setparam", PPME_GENERIC_X},
    {"syscall_enter-syslog", PPME_GENERIC_E},
    {"syscall_exit-syslog", PPME_GENERIC_X},
    {"syscall_enter-uselib", PPME_GENERIC_E},
    {"syscall_exit-uselib", PPME_GENERIC_X},
    {"syscall_enter-utime", PPME_GENERIC_E},
    {"syscall_exit-utime", PPME_GENERIC_X},
    {"tracepoint-ingress", PPME_NETIF_RECEIVE_SKB_E},
    {"tracepoint-egress", PPME_NET_DEV_XMIT_E},
    {"kprobe-tcp_close", PPME_TCP_CLOSE_E},
    {"kprobe-tcp_rcv_established", PPME_TCP_RCV_ESTABLISHED_E},
    {"kprobe-tcp_drop", PPME_TCP_DROP_E},
    {"kprobe-tcp_retransmit_skb", PPME_TCP_RETRANCESMIT_SKB_E},
    {"kretprobe-tcp_connect", PPME_TCP_CONNECT_X},
    {"kprobe-tcp_set_state", PPME_TCP_SET_STATE_E},
    {"tracepoint-tcp_send_reset", PPME_TCP_SEND_RESET_E},
    {"tracepoint-tcp_receive_reset", PPME_TCP_RECEIVE_RESET_E},
    {"tracepoint-cpu_analysis", PPME_CPU_ANALYSIS_E},
    {"tracepoint-procexit", PPME_PROCEXIT_1_E},
};

 

 
0条评论
0 / 1000
覃****枫
2文章数
0粉丝数
覃****枫
2 文章 | 0 粉丝
覃****枫
2文章数
0粉丝数
覃****枫
2 文章 | 0 粉丝
原创

k8s拓扑感知工具kindling分析

2024-04-29 03:23:45
24
0

一、概述

1、简介

Kindling是一个基于eBPF的云原生监控工具,旨在帮助用户了解从内核到代码堆栈的应用程序行为。通过跟踪分析,用户能够轻松了解应用程序的行为,并在几秒钟内找到根本原因。除了跟踪分析外,Kinling还提供了一种简单的方法来了解Kubernetes环境中的网络流,以及许多内置的网络监控仪表板,如TCP重传、DNS、吞吐量和TPS。

2、架构

二、关键原理分析

3.1 eBPF使用分析

3.2 kindling-agent

  • eBPF采集器,监听内核中与socket有关的event,采集eBPF监控数据并聚合
  • 从apiserver获取pod、service、node相关信息,将k8s资源与socket信息关联
  • 提供prometheus exporter,将聚合的eBPF数据以监控指标方式暴露

 

3.3 grafana topo plugin

grafana面板插件,提供拓扑图功能

3.4 支持的socket指标维度

  • Latency:时延
  • Calls:请求数
  • Error Rate:错误率
  • Sent Volume:发送包总量
  • Receive Volume:接收包总量
  • SRTT:RTT 的平滑计算值
  • Retransmit:tcp重传次数
  • Package Lost:丢包数
  • Connection Failure:建连失败率

 

四、核心源码分析

4.1 kindling-agent

BPF回调事件处理逻辑

BPF回调事件处理逻辑

int getEvent(void** pp_kindling_event) {
  int32_t res;
  sinsp_evt* ev;
  res = inspector->next(&ev);

  ppm_event_category category;
  int result = is_normal_event(res, ev, &category);
  if (result == -1) {
    return -1;
  }
  auto threadInfo = ev->get_thread_info();
  if (is_start_profile &&
      (ev->get_type() == PPME_SYSCALL_EXECVE_8_X || ev->get_type() == PPME_SYSCALL_EXECVE_13_X ||
       ev->get_type() == PPME_SYSCALL_EXECVE_15_X || ev->get_type() == PPME_SYSCALL_EXECVE_16_X ||
       ev->get_type() == PPME_SYSCALL_EXECVE_17_X || ev->get_type() == PPME_SYSCALL_EXECVE_18_X ||
       ev->get_type() == PPME_SYSCALL_EXECVE_19_X || ev->get_type() == PPME_SYSCALL_CLONE_11_X ||
       ev->get_type() == PPME_SYSCALL_CLONE_16_X || ev->get_type() == PPME_SYSCALL_CLONE_17_X ||
       ev->get_type() == PPME_SYSCALL_CLONE_20_X || ev->get_type() == PPME_SYSCALL_FORK_X ||
       ev->get_type() == PPME_SYSCALL_FORK_17_X || ev->get_type() == PPME_SYSCALL_FORK_20_X ||
       ev->get_type() == PPME_SYSCALL_VFORK_X || ev->get_type() == PPME_SYSCALL_VFORK_17_X ||
       ev->get_type() == PPME_SYSCALL_VFORK_20_X) &&
      threadInfo->is_main_thread()) {
    if (strstr(threadInfo->m_comm.c_str(), "java") != NULL) {
      string pid_str = std::to_string(threadInfo->m_pid);
      char* temp_char = (char*)pid_str.data();
      thread attach(attach_pid, temp_char, true, true, false, false);
      attach.join();
    }
  }
  uint16_t kindling_category = get_kindling_category(ev);
  uint16_t ev_type = ev->get_type();

  print_event(ev);
  if (ev_type != PPME_CPU_ANALYSIS_E && is_profile_debug && threadInfo->m_tid == debug_tid &&
      threadInfo->m_pid == debug_pid) {
    print_profile_debug_info(ev);
  }
  kindling_event_t_for_go* p_kindling_event;
  init_kindling_event(p_kindling_event, pp_kindling_event);

  sinsp_fdinfo_t* fdInfo = ev->get_fd_info();
  p_kindling_event = (kindling_event_t_for_go*)*pp_kindling_event;
  uint16_t userAttNumber = 0;
  uint16_t source = get_kindling_source(ev->get_type());
  if (is_start_profile) {
    for (auto it = qls.begin(); it != qls.end(); it++) {
      KindlingInterface* plugin = qobject_cast<KindlingInterface*>(*it);
      if (plugin) {
        plugin->addCache(ev, inspector);
      }
    }
  }

  if (is_start_profile && ev->get_type() == PPME_SYSCALL_WRITE_X && fdInfo != nullptr &&
      fdInfo->is_file()) {
    auto data_param = ev->get_param_value_raw("data");
    if (data_param != nullptr) {
      char* data_val = data_param->m_val;
      if (data_param->m_len > 6 && memcmp(data_val, "kd-jf@", 6) == 0) {
        parse_jf(data_val, *data_param, p_kindling_event, threadInfo, userAttNumber);
        return 1;
      }
      if (data_param->m_len > 8 && memcmp(data_val, "kd-txid@", 8) == 0) {
        parse_xtid(ev, data_val, *data_param, p_kindling_event, threadInfo, userAttNumber);
        return 1;
      }
      if (data_param->m_len > 8 && memcmp(data_val, "kd-span@", 8) == 0) {
        parse_span(ev, data_val, *data_param, p_kindling_event, threadInfo, userAttNumber);
        return 1;
      }
      if (data_param->m_len > 6 && memcmp(data_val, "kd-tm@", 6) == 0) {
        parse_tm(data_val, *data_param, threadInfo);
        return -1;
      }
    }
  }

  if (is_start_profile && ev_type == PPME_CPU_ANALYSIS_E) {
    char* tmp_comm;

    map<uint64_t, char*>::iterator key =
        ptid_comm.find(threadInfo->m_pid << 32 | (threadInfo->m_tid & 0xFFFFFFFF));
    if (key != ptid_comm.end()) {
      tmp_comm = key->second;
    } else {
      tmp_comm = (char*)threadInfo->m_comm.data();
    }

    strcpy(p_kindling_event->context.tinfo.comm, tmp_comm);
    return cpuConverter->convert(p_kindling_event, ev, qls, is_profile_debug, debug_pid, debug_tid);
  }

  if (event_filters[ev_type][kindling_category] == 0) {
    return -1;
  }

  if (source == SYSCALL_EXIT) {
    p_kindling_event->latency = threadInfo->m_latency;
  }
  p_kindling_event->timestamp = ev->get_ts();
  p_kindling_event->category = kindling_category;
  p_kindling_event->context.tinfo.pid = threadInfo->m_pid;
  p_kindling_event->context.tinfo.tid = threadInfo->m_tid;
  p_kindling_event->context.tinfo.uid = threadInfo->m_uid;
  p_kindling_event->context.tinfo.gid = threadInfo->m_gid;
  p_kindling_event->context.fdInfo.num = ev->get_fd_num();
  if (nullptr != fdInfo) {
    p_kindling_event->context.fdInfo.fdType = fdInfo->m_type;

    switch (fdInfo->m_type) {
      case SCAP_FD_FILE:
      case SCAP_FD_FILE_V2: {
        string name = fdInfo->m_name;
        size_t pos = name.rfind('/');
        if (pos != string::npos) {
          if (pos < name.size() - 1) {
            string fileName = name.substr(pos + 1, string::npos);
            memcpy(p_kindling_event->context.fdInfo.filename, fileName.data(), fileName.length());
            if (pos != 0) {
              name.resize(pos);

              strcpy(p_kindling_event->context.fdInfo.directory, (char*)name.data());
            } else {
              strcpy(p_kindling_event->context.fdInfo.directory, "/");
            }
          }
        }
        break;
      }
      case SCAP_FD_IPV4_SOCK:
        p_kindling_event->context.fdInfo.protocol = get_protocol(fdInfo->get_l4proto());
        p_kindling_event->context.fdInfo.role = fdInfo->is_role_server();
        p_kindling_event->context.fdInfo.sip[0] = fdInfo->m_sockinfo.m_ipv4info.m_fields.m_sip;
        p_kindling_event->context.fdInfo.dip[0] = fdInfo->m_sockinfo.m_ipv4info.m_fields.m_dip;
        p_kindling_event->context.fdInfo.sport = fdInfo->m_sockinfo.m_ipv4info.m_fields.m_sport;
        p_kindling_event->context.fdInfo.dport = fdInfo->m_sockinfo.m_ipv4info.m_fields.m_dport;
        break;
      case SCAP_FD_IPV4_SERVSOCK:
        p_kindling_event->context.fdInfo.protocol = get_protocol(fdInfo->get_l4proto());
        p_kindling_event->context.fdInfo.role = fdInfo->is_role_server();
        p_kindling_event->context.fdInfo.dip[0] = fdInfo->m_sockinfo.m_ipv4serverinfo.m_ip;
        p_kindling_event->context.fdInfo.dport = fdInfo->m_sockinfo.m_ipv4serverinfo.m_port;
        break;
      case SCAP_FD_IPV6_SOCK:
        p_kindling_event->context.fdInfo.protocol = get_protocol(fdInfo->get_l4proto());
        p_kindling_event->context.fdInfo.role = fdInfo->is_role_server();
        memcpy(p_kindling_event->context.fdInfo.sip, fdInfo->m_sockinfo.m_ipv6info.m_fields.m_sip.m_b, sizeof(fdInfo->m_sockinfo.m_ipv6info.m_fields.m_sip.m_b));
        memcpy(p_kindling_event->context.fdInfo.dip, fdInfo->m_sockinfo.m_ipv6info.m_fields.m_dip.m_b, sizeof(fdInfo->m_sockinfo.m_ipv6info.m_fields.m_dip.m_b));
        p_kindling_event->context.fdInfo.sport = fdInfo->m_sockinfo.m_ipv6info.m_fields.m_sport;
        p_kindling_event->context.fdInfo.dport = fdInfo->m_sockinfo.m_ipv6info.m_fields.m_dport;
        break;
      case SCAP_FD_IPV6_SERVSOCK:
        p_kindling_event->context.fdInfo.protocol = get_protocol(fdInfo->get_l4proto());
        p_kindling_event->context.fdInfo.role = fdInfo->is_role_server();
        memcpy(p_kindling_event->context.fdInfo.dip, fdInfo->m_sockinfo.m_ipv6serverinfo.m_ip.m_b, sizeof(fdInfo->m_sockinfo.m_ipv6serverinfo.m_ip.m_b));
        p_kindling_event->context.fdInfo.dport = fdInfo->m_sockinfo.m_ipv6serverinfo.m_port;
        break;
      case SCAP_FD_UNIX_SOCK:
        p_kindling_event->context.fdInfo.source = fdInfo->m_sockinfo.m_unixinfo.m_fields.m_source;
        p_kindling_event->context.fdInfo.destination =
            fdInfo->m_sockinfo.m_unixinfo.m_fields.m_dest;
        break;
      default:
        break;
    }
  }

  switch (ev->get_type()) {
    case PPME_TCP_RCV_ESTABLISHED_E:
    case PPME_TCP_CLOSE_E: {
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);

      auto pRtt = ev->get_param_value_raw("srtt");
      if (pRtt != NULL) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "rtt");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, pRtt->m_val, pRtt->m_len);
        p_kindling_event->userAttributes[userAttNumber].valueType = UINT32;
        p_kindling_event->userAttributes[userAttNumber].len = pRtt->m_len;
        userAttNumber++;
      }
      break;
    }
    case PPME_TCP_CONNECT_X: {
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);
      auto pRetVal = ev->get_param_value_raw("retval");
      if (pRetVal != NULL) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "retval");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, pRetVal->m_val,
               pRetVal->m_len);
        p_kindling_event->userAttributes[userAttNumber].valueType = UINT64;
        p_kindling_event->userAttributes[userAttNumber].len = pRetVal->m_len;
        userAttNumber++;
      }
      break;
    }
    case PPME_TCP_DROP_E:
    case PPME_TCP_SET_STATE_E: {
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);
      auto old_state = ev->get_param_value_raw("old_state");
      if (old_state != NULL) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "old_state");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, old_state->m_val,
               old_state->m_len);
        p_kindling_event->userAttributes[userAttNumber].len = old_state->m_len;
        p_kindling_event->userAttributes[userAttNumber].valueType = INT32;
        userAttNumber++;
      }
      auto new_state = ev->get_param_value_raw("new_state");
      if (new_state != NULL) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "new_state");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, new_state->m_val,
               new_state->m_len);
        p_kindling_event->userAttributes[userAttNumber].valueType = INT32;
        p_kindling_event->userAttributes[userAttNumber].len = new_state->m_len;
        userAttNumber++;
      }
      break;
    }
    case PPME_TCP_SEND_RESET_E:
    case PPME_TCP_RECEIVE_RESET_E: {
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);
      break;
    }
    case PPME_TCP_RETRANCESMIT_SKB_E:{
      auto pTuple = ev->get_param_value_raw("tuple");
      userAttNumber = setTuple(p_kindling_event, pTuple, userAttNumber);

      auto segs = ev->get_param_value_raw("segs");
      if (segs != NULL){
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, "segs");
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, segs->m_val,
               segs->m_len);
        p_kindling_event->userAttributes[userAttNumber].len = segs->m_len;
        p_kindling_event->userAttributes[userAttNumber].valueType = INT32;
        userAttNumber++;
      }
      break;
    }
    default: {
      uint16_t paramsNumber = ev->get_num_params();
      // Since current data structure specifies the maximum count of `user_attributes`
      if ((paramsNumber + userAttNumber) > MAX_USERATTR_NUM) {
        paramsNumber = MAX_USERATTR_NUM - userAttNumber;
      }
      // TODO Add another branch to verify the number of userAttNumber is less than MAX_USERATTR_NUM
      // after the program becomes more complexd
      for (auto i = 0; i < paramsNumber; i++) {
        strcpy(p_kindling_event->userAttributes[userAttNumber].key, (char*)ev->get_param_name(i));
        memcpy(p_kindling_event->userAttributes[userAttNumber].value, ev->get_param(i)->m_val,
               ev->get_param(i)->m_len);
        p_kindling_event->userAttributes[userAttNumber].len = ev->get_param(i)->m_len;
        p_kindling_event->userAttributes[userAttNumber].valueType =
            get_type(ev->get_param_info(i)->type);
        userAttNumber++;
      }
    }
  }
  p_kindling_event->paramsNumber = userAttNumber;
  strcpy(p_kindling_event->name, (char*)ev->get_name());
  char* tmp_comm;
  map<uint64_t, char*>::iterator key =
      ptid_comm.find(threadInfo->m_pid << 32 | (threadInfo->m_tid & 0xFFFFFFFF));
  if (key != ptid_comm.end()) {
    tmp_comm = key->second;
  } else {
    tmp_comm = (char*)threadInfo->m_comm.data();
  }
  strcpy(p_kindling_event->context.tinfo.comm, tmp_comm);
  strcpy(p_kindling_event->context.tinfo.containerId, (char*)threadInfo->m_container_id.data());
  return 1;
}

支持的事件列表

const static event kindling_to_sysdig[PPM_EVENT_MAX] = {
    {"syscall_enter-open", PPME_SYSCALL_OPEN_E},
    {"syscall_exit-open", PPME_SYSCALL_OPEN_X},
    {"syscall_enter-close", PPME_SYSCALL_CLOSE_E},
    {"syscall_exit-close", PPME_SYSCALL_CLOSE_X},
    {"syscall_enter-read", PPME_SYSCALL_READ_E},
    {"syscall_exit-read", PPME_SYSCALL_READ_X},
    {"syscall_enter-write", PPME_SYSCALL_WRITE_E},
    {"syscall_exit-write", PPME_SYSCALL_WRITE_X},
    {"syscall_enter-brk", PPME_SYSCALL_BRK_4_E},
    {"syscall_exit-brk", PPME_SYSCALL_BRK_4_X},
    {"syscall_enter-execve", PPME_SYSCALL_EXECVE_19_E},
    {"syscall_exit-execve", PPME_SYSCALL_EXECVE_19_X},
    {"syscall_enter-clone", PPME_SYSCALL_CLONE_20_E},
    {"syscall_exit-clone", PPME_SYSCALL_CLONE_20_X},
    {"syscall_enter-socket", PPME_SOCKET_SOCKET_E},
    {"syscall_exit-socket", PPME_SOCKET_SOCKET_X},
    {"syscall_enter-bind", PPME_SOCKET_BIND_E},
    {"syscall_exit-bind", PPME_SOCKET_BIND_X},
    {"syscall_enter-connect", PPME_SOCKET_CONNECT_E},
    {"syscall_exit-connect", PPME_SOCKET_CONNECT_X},
    {"syscall_enter-listen", PPME_SOCKET_LISTEN_E},
    {"syscall_exit-listen", PPME_SOCKET_LISTEN_X},
    {"syscall_enter-accept", PPME_SOCKET_ACCEPT_5_E},
    {"syscall_exit-accept", PPME_SOCKET_ACCEPT_5_X},
    {"syscall_enter-accept4", PPME_SOCKET_ACCEPT4_5_E},
    {"syscall_exit-accept4", PPME_SOCKET_ACCEPT4_5_X},
    {"syscall_enter-sendto", PPME_SOCKET_SENDTO_E},
    {"syscall_exit-sendto", PPME_SOCKET_SENDTO_X},
    {"syscall_enter-recvfrom", PPME_SOCKET_RECVFROM_E},
    {"syscall_exit-recvfrom", PPME_SOCKET_RECVFROM_X},
    {"syscall_enter-shutdown", PPME_SOCKET_SHUTDOWN_E},
    {"syscall_exit-shutdown", PPME_SOCKET_SHUTDOWN_X},
    {"syscall_enter-getsockname", PPME_SOCKET_GETSOCKNAME_E},
    {"syscall_exit-getsockname", PPME_SOCKET_GETSOCKNAME_X},
    {"syscall_enter-getpeername", PPME_SOCKET_GETPEERNAME_E},
    {"syscall_exit-getpeername", PPME_SOCKET_GETPEERNAME_X},
    {"syscall_enter-socketpair", PPME_SOCKET_SOCKETPAIR_E},
    {"syscall_exit-socketpair", PPME_SOCKET_SOCKETPAIR_X},
    {"syscall_enter-setsockopt", PPME_SOCKET_SETSOCKOPT_E},
    {"syscall_exit-setsockopt", PPME_SOCKET_SETSOCKOPT_X},
    {"syscall_enter-getsockopt", PPME_SOCKET_GETSOCKOPT_E},
    {"syscall_exit-getsockopt", PPME_SOCKET_GETSOCKOPT_X},
    {"syscall_enter-sendmsg", PPME_SOCKET_SENDMSG_E},
    {"syscall_exit-sendmsg", PPME_SOCKET_SENDMSG_X},
    {"syscall_enter-sendmmsg", PPME_SOCKET_SENDMMSG_E},
    {"syscall_exit-sendmmsg", PPME_SOCKET_SENDMMSG_X},
    {"syscall_enter-recvmsg", PPME_SOCKET_RECVMSG_E},
    {"syscall_exit-recvmsg", PPME_SOCKET_RECVMSG_X},
    {"syscall_enter-recvmmsg", PPME_SOCKET_RECVMMSG_E},
    {"syscall_exit-recvmmsg", PPME_SOCKET_RECVMMSG_X},
    {"syscall_enter-sendfile", PPME_SYSCALL_SENDFILE_E},
    {"syscall_exit-sendfile", PPME_SYSCALL_SENDFILE_X},
    {"syscall_enter-creat", PPME_SYSCALL_CREAT_E},
    {"syscall_exit-creat", PPME_SYSCALL_CREAT_X},
    {"syscall_enter-pipe", PPME_SYSCALL_PIPE_E},
    {"syscall_exit-pipe", PPME_SYSCALL_PIPE_X},
    {"syscall_enter-pipe2", PPME_SYSCALL_PIPE_E},
    {"syscall_exit-pipe2", PPME_SYSCALL_PIPE_X},
    {"syscall_enter-eventfd", PPME_SYSCALL_EVENTFD_E},
    {"syscall_exit-eventfd", PPME_SYSCALL_EVENTFD_X},
    {"syscall_enter-eventfd2", PPME_SYSCALL_EVENTFD_E},
    {"syscall_exit-eventfd2", PPME_SYSCALL_EVENTFD_X},
    {"syscall_enter-futex", PPME_SYSCALL_FUTEX_E},
    {"syscall_exit-futex", PPME_SYSCALL_FUTEX_X},
    {"syscall_enter-stat", PPME_SYSCALL_STAT_E},
    {"syscall_exit-stat", PPME_SYSCALL_STAT_X},
    {"syscall_enter-lstat", PPME_SYSCALL_LSTAT_E},
    {"syscall_exit-lstat", PPME_SYSCALL_LSTAT_X},
    {"syscall_enter-fstat", PPME_SYSCALL_FSTAT_E},
    {"syscall_exit-fstat", PPME_SYSCALL_FSTAT_X},
    {"syscall_enter-stat64", PPME_SYSCALL_STAT64_E},
    {"syscall_exit-stat64", PPME_SYSCALL_STAT64_X},
    {"syscall_enter-lstat64", PPME_SYSCALL_LSTAT64_E},
    {"syscall_exit-lstat64", PPME_SYSCALL_LSTAT64_X},
    {"syscall_enter-fstat64", PPME_SYSCALL_FSTAT64_E},
    {"syscall_exit-fstat64", PPME_SYSCALL_FSTAT64_X},
    {"syscall_enter-epoll_wait", PPME_SYSCALL_EPOLLWAIT_E},
    {"syscall_exit-epoll_wait", PPME_SYSCALL_EPOLLWAIT_X},
    {"syscall_enter-poll", PPME_SYSCALL_POLL_E},
    {"syscall_exit-poll", PPME_SYSCALL_POLL_X},
    {"syscall_enter-ppoll", PPME_SYSCALL_PPOLL_E},
    {"syscall_exit-ppoll", PPME_SYSCALL_PPOLL_X},
    {"syscall_enter-select", PPME_SYSCALL_SELECT_E},
    {"syscall_exit-select", PPME_SYSCALL_SELECT_X},
    {"syscall_enter-lseek", PPME_SYSCALL_LSEEK_E},
    {"syscall_exit-lseek", PPME_SYSCALL_LSEEK_X},
    {"syscall_enter-llseek", PPME_SYSCALL_LLSEEK_E},
    {"syscall_exit-llseek", PPME_SYSCALL_LLSEEK_X},
    {"syscall_enter-getcwd", PPME_SYSCALL_GETCWD_E},
    {"syscall_exit-getcwd", PPME_SYSCALL_GETCWD_X},
    {"syscall_enter-chdir", PPME_SYSCALL_CHDIR_E},
    {"syscall_exit-chdir", PPME_SYSCALL_CHDIR_X},
    {"syscall_enter-fchdir", PPME_SYSCALL_FCHDIR_E},
    {"syscall_exit-fchdir", PPME_SYSCALL_FCHDIR_X},
    {"syscall_enter-mkdir", PPME_SYSCALL_MKDIR_2_E},
    {"syscall_exit-mkdir", PPME_SYSCALL_MKDIR_2_X},
    {"syscall_enter-mkdirat", PPME_SYSCALL_MKDIRAT_E},
    {"syscall_exit-mkdirat", PPME_SYSCALL_MKDIRAT_X},
    {"syscall_enter-rmdir", PPME_SYSCALL_RMDIR_2_E},
    {"syscall_exit-rmdir", PPME_SYSCALL_RMDIR_2_X},
    {"syscall_enter-unlink", PPME_SYSCALL_UNLINK_2_E},
    {"syscall_exit-unlink", PPME_SYSCALL_UNLINK_2_X},
    {"syscall_enter-unlinkat", PPME_SYSCALL_UNLINKAT_2_E},
    {"syscall_exit-unlinkat", PPME_SYSCALL_UNLINKAT_2_X},
    {"syscall_enter-openat", PPME_SYSCALL_OPENAT_2_E},
    {"syscall_exit-openat", PPME_SYSCALL_OPENAT_2_X},
    {"syscall_enter-link", PPME_SYSCALL_LINK_2_E},
    {"syscall_exit-link", PPME_SYSCALL_LINK_2_X},
    {"syscall_enter-linkat", PPME_SYSCALL_LINKAT_2_E},
    {"syscall_exit-linkat", PPME_SYSCALL_LINKAT_2_X},
    {"syscall_enter-pread", PPME_SYSCALL_PREAD_E},
    {"syscall_exit-pread", PPME_SYSCALL_PREAD_X},
    {"syscall_enter-pwrite", PPME_SYSCALL_PWRITE_E},
    {"syscall_exit-pwrite", PPME_SYSCALL_PWRITE_X},
    {"syscall_enter-readv", PPME_SYSCALL_READV_E},
    {"syscall_exit-readv", PPME_SYSCALL_READV_X},
    {"syscall_enter-writev", PPME_SYSCALL_WRITEV_E},
    {"syscall_exit-writev", PPME_SYSCALL_WRITEV_X},
    {"syscall_enter-preadv", PPME_SYSCALL_PREADV_E},
    {"syscall_exit-preadv", PPME_SYSCALL_PREADV_X},
    {"syscall_enter-pwritev", PPME_SYSCALL_PWRITEV_E},
    {"syscall_exit-pwritev", PPME_SYSCALL_PWRITEV_X},
    {"syscall_enter-dup", PPME_SYSCALL_DUP_E},
    {"syscall_exit-dup", PPME_SYSCALL_DUP_X},
    {"syscall_enter-dup2", PPME_SYSCALL_DUP_E},
    {"syscall_exit-dup2", PPME_SYSCALL_DUP_X},
    {"syscall_enter-dup3", PPME_SYSCALL_DUP_E},
    {"syscall_exit-dup3", PPME_SYSCALL_DUP_X},
    {"syscall_enter-signalfd", PPME_SYSCALL_SIGNALFD_E},
    {"syscall_exit-signalfd", PPME_SYSCALL_SIGNALFD_X},
    {"syscall_enter-signalfd4", PPME_SYSCALL_SIGNALFD_E},
    {"syscall_exit-signalfd4", PPME_SYSCALL_SIGNALFD_X},
    {"syscall_enter-kill", PPME_SYSCALL_KILL_E},
    {"syscall_exit-kill", PPME_SYSCALL_KILL_X},
    {"syscall_enter-tkill", PPME_SYSCALL_TKILL_E},
    {"syscall_exit-tkill", PPME_SYSCALL_TKILL_X},
    {"syscall_enter-tgkill", PPME_SYSCALL_TGKILL_E},
    {"syscall_exit-tgkill", PPME_SYSCALL_TGKILL_X},
    {"syscall_enter-nanosleep", PPME_SYSCALL_NANOSLEEP_E},
    {"syscall_exit-nanosleep", PPME_SYSCALL_NANOSLEEP_X},
    {"syscall_enter-timerfd_create", PPME_SYSCALL_TIMERFD_CREATE_E},
    {"syscall_exit-timerfd_create", PPME_SYSCALL_TIMERFD_CREATE_X},
    {"syscall_enter-inotify_init", PPME_SYSCALL_INOTIFY_INIT_E},
    {"syscall_exit-inotify_init", PPME_SYSCALL_INOTIFY_INIT_X},
    {"syscall_enter-inotify_init1", PPME_SYSCALL_INOTIFY_INIT_E},
    {"syscall_exit-inotify_init1", PPME_SYSCALL_INOTIFY_INIT_X},
    {"syscall_enter-getrlimit", PPME_SYSCALL_GETRLIMIT_E},
    {"syscall_exit-getrlimit", PPME_SYSCALL_GETRLIMIT_X},
    {"syscall_enter-setrlimit", PPME_SYSCALL_SETRLIMIT_E},
    {"syscall_exit-setrlimit", PPME_SYSCALL_SETRLIMIT_X},
    {"syscall_enter-prlimit", PPME_SYSCALL_PRLIMIT_E},
    {"syscall_exit-prlimit", PPME_SYSCALL_PRLIMIT_X},
    {"syscall_enter-fcntl", PPME_SYSCALL_FCNTL_E},
    {"syscall_exit-fcntl", PPME_SYSCALL_FCNTL_X},
    {"syscall_enter-ioctl", PPME_SYSCALL_IOCTL_3_E},
    {"syscall_exit-ioctl", PPME_SYSCALL_IOCTL_3_X},
    {"syscall_enter-mmap", PPME_SYSCALL_MMAP_E},
    {"syscall_exit-mmap", PPME_SYSCALL_MMAP_X},
    {"syscall_enter-mmap2", PPME_SYSCALL_MMAP2_E},
    {"syscall_exit-mmap2", PPME_SYSCALL_MMAP2_X},
    {"syscall_enter-munmap", PPME_SYSCALL_MUNMAP_E},
    {"syscall_exit-munmap", PPME_SYSCALL_MUNMAP_X},
    {"syscall_enter-splice", PPME_SYSCALL_SPLICE_E},
    {"syscall_exit-splice", PPME_SYSCALL_SPLICE_X},
    {"syscall_enter-ptrace", PPME_SYSCALL_PTRACE_E},
    {"syscall_exit-ptrace", PPME_SYSCALL_PTRACE_X},
    {"syscall_enter-rename", PPME_SYSCALL_RENAME_E},
    {"syscall_exit-rename", PPME_SYSCALL_RENAME_X},
    {"syscall_enter-renameat", PPME_SYSCALL_RENAMEAT_E},
    {"syscall_exit-renameat", PPME_SYSCALL_RENAMEAT_X},
    {"syscall_enter-symlink", PPME_SYSCALL_SYMLINK_E},
    {"syscall_exit-symlink", PPME_SYSCALL_SYMLINK_X},
    {"syscall_enter-symlinkat", PPME_SYSCALL_SYMLINKAT_E},
    {"syscall_exit-symlinkat", PPME_SYSCALL_SYMLINKAT_X},
    {"syscall_enter-fork", PPME_SYSCALL_FORK_20_E},
    {"syscall_exit-fork", PPME_SYSCALL_FORK_20_X},
    {"syscall_enter-vfork", PPME_SYSCALL_VFORK_20_E},
    {"syscall_exit-vfork", PPME_SYSCALL_VFORK_20_X},
    {"syscall_enter-quotactl", PPME_SYSCALL_QUOTACTL_E},
    {"syscall_exit-quotactl", PPME_SYSCALL_QUOTACTL_X},
    {"syscall_enter-setresuid", PPME_SYSCALL_SETRESUID_E},
    {"syscall_exit-setresuid", PPME_SYSCALL_SETRESUID_X},
    {"syscall_enter-setresgid", PPME_SYSCALL_SETRESGID_E},
    {"syscall_exit-setresgid", PPME_SYSCALL_SETRESGID_X},
    {"syscall_enter-setuid", PPME_SYSCALL_SETUID_E},
    {"syscall_exit-setuid", PPME_SYSCALL_SETUID_X},
    {"syscall_enter-setgid", PPME_SYSCALL_SETGID_E},
    {"syscall_exit-setgid", PPME_SYSCALL_SETGID_X},
    {"syscall_enter-getuid", PPME_SYSCALL_GETUID_E},
    {"syscall_exit-getuid", PPME_SYSCALL_GETUID_X},
    {"syscall_enter-geteuid", PPME_SYSCALL_GETEUID_E},
    {"syscall_exit-geteuid", PPME_SYSCALL_GETEUID_X},
    {"syscall_enter-getgid", PPME_SYSCALL_GETGID_E},
    {"syscall_exit-getgid", PPME_SYSCALL_GETGID_X},
    {"syscall_enter-getegid", PPME_SYSCALL_GETEGID_E},
    {"syscall_exit-getegid", PPME_SYSCALL_GETEGID_X},
    {"syscall_enter-getresuid", PPME_SYSCALL_GETRESUID_E},
    {"syscall_exit-getresuid", PPME_SYSCALL_GETRESUID_X},
    {"syscall_enter-getresgid", PPME_SYSCALL_GETRESGID_E},
    {"syscall_exit-getresgid", PPME_SYSCALL_GETRESGID_X},
    {"syscall_enter-getdents", PPME_SYSCALL_GETDENTS_E},
    {"syscall_exit-getdents", PPME_SYSCALL_GETDENTS_X},
    {"syscall_enter-getdents64", PPME_SYSCALL_GETDENTS64_E},
    {"syscall_exit-getdents64", PPME_SYSCALL_GETDENTS64_X},
    {"syscall_enter-setns", PPME_SYSCALL_SETNS_E},
    {"syscall_exit-setns", PPME_SYSCALL_SETNS_X},
    {"syscall_enter-flock", PPME_SYSCALL_FLOCK_E},
    {"syscall_exit-flock", PPME_SYSCALL_FLOCK_X},
    {"syscall_enter-semop", PPME_SYSCALL_SEMOP_E},
    {"syscall_exit-semop", PPME_SYSCALL_SEMOP_X},
    {"syscall_enter-semctl", PPME_SYSCALL_SEMCTL_E},
    {"syscall_exit-semctl", PPME_SYSCALL_SEMCTL_X},
    {"syscall_enter-mount", PPME_SYSCALL_MOUNT_E},
    {"syscall_exit-mount", PPME_SYSCALL_MOUNT_X},
    {"syscall_enter-umount", PPME_SYSCALL_UMOUNT_E},
    {"syscall_exit-umount", PPME_SYSCALL_UMOUNT_X},
    {"syscall_enter-semget", PPME_SYSCALL_SEMGET_E},
    {"syscall_exit-semget", PPME_SYSCALL_SEMGET_X},
    {"syscall_enter-access", PPME_SYSCALL_ACCESS_E},
    {"syscall_exit-access", PPME_SYSCALL_ACCESS_X},
    {"syscall_enter-chroot", PPME_SYSCALL_CHROOT_E},
    {"syscall_exit-chroot", PPME_SYSCALL_CHROOT_X},
    {"syscall_enter-setsid", PPME_SYSCALL_SETSID_E},
    {"syscall_exit-setsid", PPME_SYSCALL_SETSID_X},
    {"syscall_enter-setpgid", PPME_SYSCALL_SETPGID_E},
    {"syscall_exit-setpgid", PPME_SYSCALL_SETPGID_X},
    {"syscall_enter-unshare", PPME_SYSCALL_UNSHARE_E},
    {"syscall_exit-unshare", PPME_SYSCALL_UNSHARE_X},
    {"syscall_enter-bpf", PPME_SYSCALL_BPF_E},
    {"syscall_exit-bpf", PPME_SYSCALL_BPF_X},
    {"syscall_enter-seccomp", PPME_SYSCALL_SECCOMP_E},
    {"syscall_exit-seccomp", PPME_SYSCALL_SECCOMP_X},
    {"syscall_enter-fchmodat", PPME_SYSCALL_FCHMODAT_E},
    {"syscall_exit-fchmodat", PPME_SYSCALL_FCHMODAT_X},
    {"syscall_enter-chmod", PPME_SYSCALL_CHMOD_E},
    {"syscall_exit-chmod", PPME_SYSCALL_CHMOD_X},
    {"syscall_enter-fchmod", PPME_SYSCALL_FCHMOD_E},
    {"syscall_exit-fchmod", PPME_SYSCALL_FCHMOD_X},
    {"tracepoint-sched_switch", PPME_SCHEDSWITCH_6_E},
    {"tracepoint-signaldeliver", PPME_SIGNALDELIVER_E},
    {"tracepoint-signaldeliver", PPME_SIGNALDELIVER_X},
    {"syscall_enter-alarm", PPME_GENERIC_E},
    {"syscall_exit-alarm", PPME_GENERIC_X},
    {"syscall_enter-epoll_create", PPME_GENERIC_E},
    {"syscall_exit-epoll_create", PPME_GENERIC_X},
    {"syscall_enter-epoll_ctl", PPME_GENERIC_E},
    {"syscall_exit-epoll_ctl", PPME_GENERIC_X},
    {"syscall_enter-lchown", PPME_GENERIC_E},
    {"syscall_exit-lchown", PPME_GENERIC_X},
    {"syscall_enter-old_select", PPME_GENERIC_E},
    {"syscall_exit-old_select", PPME_GENERIC_X},
    {"syscall_enter-pause", PPME_GENERIC_E},
    {"syscall_exit-pause", PPME_GENERIC_X},
    {"syscall_enter-process_vm_readv", PPME_GENERIC_E},
    {"syscall_exit-process_vm_readv", PPME_GENERIC_X},
    {"syscall_enter-process_vm_writev", PPME_GENERIC_E},
    {"syscall_exit-process_vm_writev", PPME_GENERIC_X},
    {"syscall_enter-pselect6", PPME_GENERIC_E},
    {"syscall_exit-pselect6", PPME_GENERIC_X},
    {"syscall_enter-sched_getparam", PPME_GENERIC_E},
    {"syscall_exit-sched_getparam", PPME_GENERIC_X},
    {"syscall_enter-sched_setparam", PPME_GENERIC_E},
    {"syscall_exit-sched_setparam", PPME_GENERIC_X},
    {"syscall_enter-syslog", PPME_GENERIC_E},
    {"syscall_exit-syslog", PPME_GENERIC_X},
    {"syscall_enter-uselib", PPME_GENERIC_E},
    {"syscall_exit-uselib", PPME_GENERIC_X},
    {"syscall_enter-utime", PPME_GENERIC_E},
    {"syscall_exit-utime", PPME_GENERIC_X},
    {"tracepoint-ingress", PPME_NETIF_RECEIVE_SKB_E},
    {"tracepoint-egress", PPME_NET_DEV_XMIT_E},
    {"kprobe-tcp_close", PPME_TCP_CLOSE_E},
    {"kprobe-tcp_rcv_established", PPME_TCP_RCV_ESTABLISHED_E},
    {"kprobe-tcp_drop", PPME_TCP_DROP_E},
    {"kprobe-tcp_retransmit_skb", PPME_TCP_RETRANCESMIT_SKB_E},
    {"kretprobe-tcp_connect", PPME_TCP_CONNECT_X},
    {"kprobe-tcp_set_state", PPME_TCP_SET_STATE_E},
    {"tracepoint-tcp_send_reset", PPME_TCP_SEND_RESET_E},
    {"tracepoint-tcp_receive_reset", PPME_TCP_RECEIVE_RESET_E},
    {"tracepoint-cpu_analysis", PPME_CPU_ANALYSIS_E},
    {"tracepoint-procexit", PPME_PROCEXIT_1_E},
};

 

 
文章来自个人专栏
k8s技术
2 文章 | 1 订阅
0条评论
0 / 1000
请输入你的评论
1
1