Add embedded clang/llvm for runtime compilation of eBPF programs #6978

brycekahle · 2020-12-11T22:20:51Z

What does this PR do?

Adds a statically-linked, embedded clang/llvm for runtime compilation of eBPF programs. If enabled, these programs are compiled on-demand. The output object file is cached, such that if any of the following changes, it will be re-compiled:

Kernel version
Source file hash

Each runtime-compiled source file is pre-processed during CI build to be a concatenation of the .c and all user (non-kernel) .h files. Also during CI build, a hash is computed for the pre-processed file, such that any modifications on the host would result in refusing to compile the program.

The pre-processed .c file is distributed separately from the system-probe binary, like our .o files, since it must be GPL-licensed to use certain kernel BPF helper functions.

Motivation

Planned features for networks and/or the system-probe require access to kernel structures that are too difficult to access with offset guessing. Runtime compilation allows us to compile on each host so it is targeted for the running kernel.

Additional Notes

This PR does not address any kind of automatic kernel-header downloading/installation. It will attempt to automatically find compatible headers, but a path can be provided via a config option.
The compiler currently does not support in-memory buffers or bundled files. If we decide to keep bundling (currently up for discussion), then that support will be added later.
The arm64 system-probe build is currently failing, due to g++ being killed. I'm investigating why, but it was not happening before I rebased on master.
1. This is because of a 3GB memory limit on builds. This limit is being revisited.

Describe your test plan

The kitchen tests currently pass across a wide range of kernels/distros, but the runtime compilations tests only ensure that the programs can be compiled. The CI tests are run another time with the runtime compiler enabled.

Further testing with system_probe_config.enable_runtime_compiler turned on would be useful.

`inv deps` did not like it when these files were missing and not generated yet

This figures out the correct path if deployed in a similar repo structure to how it was built. Otherwise, it assumes you are running from the root directory.

xornivore

lgtm for container-integrations

sunhay · 2021-01-06T17:36:31Z

pkg/process/config/config.go

 	// defaultProxyPort is the default port used for proxies.
 	// This mirrors the configuration for the infrastructure agent.
 	defaultProxyPort = 3128

 	// defaultSystemProbeBPFDir is the default path for eBPF programs
 	defaultSystemProbeBPFDir = "/opt/datadog-agent/embedded/share/system-probe/ebpf"

+	// defaultRuntimeCompilerOutputDir is the default path for output from the system-probe runtime compiler
+	defaultRuntimeCompilerOutputDir = "/var/tmp/datadog-agent/system-probe/build"


This is also defined separately as a default in pkg/ebpf/config.go. Might be worth cleaning up so its defined once. Fine if this is done in a separate follow-up PR .

sunhay

LGTM on the Processes-side for configuration. I haven't dug into the actual runtime compilation pieces given its been thoroughly reviewed and approved.

This ensures we re-compile assets when config options change and/or we update the default flags.

…-compilation

This doesn't include DNS or HTTP tests at the moment because some refactoring is needed to make that possible.

…-compilation

See DataDog/datadog-agent#6978

…aDog#6978)

See DataDog/datadog-agent#6978

brycekahle added 30 commits December 11, 2020 15:30

Add basic clang 11 compiler

f04485c

Fix compiler to match local build

ec0c56f

Add quotes around KBUILD_MODNAME

d5d21d9

Whitespace fixes to compiler C++

a8e1257

Working bundled and non-bundled tests pass

6002415

Embedded stdarg.h with compiler

afa5afb

Working network tracer with runtime compiler

45d1ee9

Add config value for runtime compiler output directory

2d9d2b6

Rename runtime compiler enable setting

70de38e

Add env var for setting kernel header dirs

78ce2cf

Add preprocessor that replaces #include statements with header contents

104ae07

Fix default BPFDir value to be absolute

e1e88f2

Make sure to close non-bundled files that are opened

83b48fb

Add basic content integrity hash generator

21bb603

Extract compilation logic into runtime asset

2959477

Add runtime-compilation of runtime-security probe

f8bfa41

Improve output of go generate tools

c6d722d

Improve TestEbpfBytesCorrect

dce38d3

Fix import cycle

e24d382

Include content integrity generated files to prevent build problems

989dc5b

`inv deps` did not like it when these files were missing and not generated yet

Update security probe C path

a76847d

Add stub for runtime-compiled security probe on unsupported builds

8113565

Improve default config BPFDir logic

ab34c9c

This figures out the correct path if deployed in a similar repo structure to how it was built. Otherwise, it assumes you are running from the root directory.

Move dst_port to prevent unused variable warning

5d0d146

security-agent doesn't need linux_bpf tag

a4e5122

Use updated sysprobe build images

924884a

Fix compiler build on arm64

4c47b61

We don't need terminfo for our use of clang/llvm

380461d

Add clang build output tarball to artifacts so we can download it

4c47633

Use $CI_PROJECT_DIR/.tmp as temp dir

0a81a72

xornivore approved these changes Jan 4, 2021

View reviewed changes

xornivore added need-change/helm-chart Add this label if your change require also a change in the datadog helm chart need-change/operator Add this label if you change request also a change in the datadog-operator labels Jan 4, 2021

brycekahle added 3 commits January 5, 2021 13:19

Fix potential deadlock in http monitor

e90cd3b

Allow compiler to compile files OR buffers

62295ee

Merge branch 'master' into bryce.kahle/runtime-compilation

e721c25

sunhay reviewed Jan 6, 2021

View reviewed changes

ogaca-dd approved these changes Jan 6, 2021

View reviewed changes

sunhay approved these changes Jan 6, 2021

View reviewed changes

brycekahle added 9 commits January 7, 2021 12:11

Include hash of cflags in output filename

7fe6084

This ensures we re-compile assets when config options change and/or we update the default flags.

Merge branch 'master' into bryce.kahle/runtime-compilation

4e83d96

Merge branch 'master' into bryce.kahle/runtime-compilation

5709e34

Merge remote-tracking branch 'origin/master' into bryce.kahle/runtime…

13339b9

…-compilation

Update runtime assets

1640dac

Run kitchen tests another time using the runtime compiled probes

57fdc94

This doesn't include DNS or HTTP tests at the moment because some refactoring is needed to make that possible.

Merge remote-tracking branch 'origin/master' into bryce.kahle/runtime…

a9d0730

…-compilation

Passthrough wait_thr to check_output

b3f8dfb

Make it clear which version of tests are running

4cbf304

brycekahle force-pushed the bryce.kahle/runtime-compilation branch from 4442771 to 4cbf304 Compare January 21, 2021 16:46

brycekahle merged commit 28e19ac into master Jan 21, 2021

brycekahle deleted the bryce.kahle/runtime-compilation branch January 21, 2021 18:38

brycekahle added a commit to DataDog/helm-charts that referenced this pull request Jan 21, 2021

Add configuration for runtime compiler in system-probe

51de4df

See DataDog/datadog-agent#6978

brycekahle mentioned this pull request Jan 21, 2021

Add configuration for runtime compiler in system-probe DataDog/helm-charts#146

Closed

4 tasks

brycekahle added a commit to DataDog/helm-charts that referenced this pull request Jan 21, 2021

Add configuration for runtime compiler in system-probe

fbcb596

See DataDog/datadog-agent#6978

brycekahle added a commit to DataDog/helm-charts that referenced this pull request Jan 22, 2021

Add configuration for runtime compiler in system-probe

d2ad44f

See DataDog/datadog-agent#6978

brycekahle added a commit to DataDog/helm-charts that referenced this pull request Jan 22, 2021

Add configuration for runtime compiler in system-probe

c020fa7

See DataDog/datadog-agent#6978

brycekahle added a commit to DataDog/helm-charts that referenced this pull request Mar 2, 2021

Add configuration for runtime compiler in system-probe

0157d0e

See DataDog/datadog-agent#6978

sergei-deliveroo pushed a commit to deliveroo/datadog-agent that referenced this pull request Mar 24, 2021

Add embedded clang/llvm for runtime compilation of eBPF programs (Dat…

b1467f6

…aDog#6978)

brycekahle added a commit to DataDog/helm-charts that referenced this pull request Apr 20, 2021

Add configuration for runtime compiler in system-probe

242d92b

See DataDog/datadog-agent#6978

brycekahle added a commit to DataDog/helm-charts that referenced this pull request Apr 22, 2021

Add configuration for runtime compiler in system-probe

10bebfc

See DataDog/datadog-agent#6978

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add embedded clang/llvm for runtime compilation of eBPF programs #6978

Add embedded clang/llvm for runtime compilation of eBPF programs #6978

brycekahle commented Dec 11, 2020 •

edited

Loading

xornivore left a comment

sunhay Jan 6, 2021

sunhay left a comment

Add embedded clang/llvm for runtime compilation of eBPF programs #6978

Add embedded clang/llvm for runtime compilation of eBPF programs #6978

Conversation

brycekahle commented Dec 11, 2020 • edited Loading

What does this PR do?

Motivation

Additional Notes

Describe your test plan

xornivore left a comment

Choose a reason for hiding this comment

sunhay Jan 6, 2021

Choose a reason for hiding this comment

sunhay left a comment

Choose a reason for hiding this comment

brycekahle commented Dec 11, 2020 •

edited

Loading