[EBPF] Common uprobe attacher

[gjulianm]

What does this PR do?

This PR adds a new type, UprobeAttacher, that generalizes the process of attaching uprobes to processes in the system, independently of whether the uprobes need to attach to executables directly or to shared libraries. The caller can control how to attach the uprobes via a list of AttachRule objects, that define which probes to add to which targets.

This PR does not change the behavior of existing features, it just adds the new attacher type to be used by subsequent PRs.

This type is based on the USM monitors found in pkg/network/usm/ebpf_{ssl,gotls}.go, and reuses as much code as possible. The only changes in the USM code from this PR are necessary to export certain structures and types that were not exported previously. If needed, separate PR that changes USM code to use this attacher would move those types to the appropriate places. The FileRegistry and ProcessMonitor types are used directly. The Watcher has not been reused in its entirety, only the sharedlibraries/EbpfProgram type has been, to avoid having multiple goroutines listening to events unnecessarily.

Some interfaces have been defined to allow better testing coverage of this new type, so that we can use mocks to test certain functions separately without depending on the actual attachment of the uprobe.

The retrieval of symbols from the binaries is done via separate objects implementing BinaryInspector interfaces. This allows to patch the behavior for certain types of binaries (e.g., Go libraries) and inspect the symbols in a different manner.

The GoBinaryInspector that should be used to inspect Go binaries will be developed in the followup PR.

Motivation

Generalize the uprobe attachment process for existing and future features that might need it.

Additional Notes

Followup PR with the refactor of USM code: #28241

Right now, the attacher will not work properly if two different monitors try to attach to shared libraries. Right now it doesn't present a problem: that problem is present in the existing Watcher code but there's only one monitor that attaches to shared libraries. A followup PR will be made fixing this problem.

Possible Drawbacks / Trade-offs

Describe how to test/QA your changes

This PR includes unit tests for the added code. It has also been tested in other PRs that make use of the new attacher code.

[pr-commenter]

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv create-vm --pipeline-id=44279541 --os-family=ubuntu

Note: This applies to commit 4d7927f

[pr-commenter]

Regression Detector

Regression Detector Results

Run ID: ac9891c2-7361-4bc1-a832-ea2478654313 Metrics dashboard Target profiles

Baseline: 9faa31b
Comparison: 4d7927f

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	idle	memory utilization	+0.01	[-0.03, +0.05]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.00	[-0.00, +0.00]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.01, +0.01]	1	Logs
➖	otel_to_otel_logs	ingress throughput	-0.24	[-1.07, +0.58]	1	Logs
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	-0.56	[-1.31, +0.19]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	-0.59	[-0.64, -0.54]	1	Logs
➖	file_tree	memory utilization	-0.61	[-0.72, -0.51]	1	Logs
➖	pycheck_lots_of_tags	% cpu utilization	-0.67	[-3.22, +1.88]	1	Logs
➖	basic_py_check	% cpu utilization	-0.67	[-3.42, +2.07]	1	Logs

Bounds Checks

perf	experiment	bounds_check_name	replicates_passed
❌	idle	memory_usage	8/10

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

[guyarb]

for shared libraries, we have a "best effort" approach for some of the probes (like SSL_readex in openssl). How is it represented in uprobe attacher?

[gjulianm]

As these are libraries, you'd have a rule that matches the library file, and then a ProbesSelector that selects the probes to use, with manager.BestEffort/manager.AllOf to signal which ones are optional and which aren't. The idea is to fully reuse the selections you have such as openSSLProbes.

That comment refers more to what to do when two rules match the same executable/library. I think the optimal way to do this is to design the rules so that only one rule might match each file, but I'm not sure whether it's worth it to enforce that in code.

[guyarb]

LGTM
please note the ci pipelines are failing and some tests are not passing

[gjulianm]

/trigger-ci -v RUN_KMT_TESTS=on

[dd-devflow]

🚂 Gitlab pipeline started

Started pipeline #44178196

[gjulianm]

/merge

[dd-devflow]

🚂 MergeQueue: pull request added to the queue

The median merge time in main is 23m.

Use /merge -c to cancel this operation!