Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Refactor kprobe tracing functionality out of system/socket #21011

Closed
wants to merge 2 commits into from

Conversation

adriansr
Copy link
Contributor

@adriansr adriansr commented Sep 7, 2020

What does this PR do?

Refactors the high-level kprobe-tracing functionality out of Auditbeat's system/socket into x-pack/auditbeat/tracing/kprobes.

Why is it important?

This makes it easier to build new functionality based on kprobe tracing.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [ ] I have added tests that prove my fix is effective or that my feature works
  • [ ] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Example

An example of reusing this code:
https://github.com/adriansr/beats/tree/poc_auditd_syscall_overhead/x-pack/auditbeat/module/auditd/monitoring/

@adriansr adriansr added enhancement in progress Pull request is currently in progress. Auditbeat labels Sep 7, 2020
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Sep 7, 2020
@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Sep 7, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Sep 7, 2020

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #21011 updated]

  • Start Time: 2020-09-16T09:19:56.643+0000

  • Duration: 43 min 25 sec

Test stats 🧪

Test Results
Failed 0
Passed 250
Skipped 49
Total 299

@adriansr adriansr force-pushed the refactor_kprobes branch 2 times, most recently from 08e02bb to 9694e06 Compare September 8, 2020 14:00
This creates a new package, x-pack/auditbeat/tracing/kprobes, which provides
high-level functionality to create kprobe-tracing based solutions.

It extracts the kprobe-templating and guessing functionality out of the
system/socket dataset and integrates it into an easier to use interface.
@adriansr adriansr added review and removed in progress Pull request is currently in progress. labels Sep 8, 2020
@adriansr adriansr requested a review from a team September 8, 2020 15:25
@adriansr adriansr marked this pull request as ready for review September 8, 2020 15:25
@adriansr adriansr requested a review from a team as a code owner September 8, 2020 15:25
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

// KProbes shared with IPv4 and IPv6.
var sharedKProbes = []helper.ProbeDef{
var sharedKProbes = []kprobes.ProbeDef{

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Though not necessary in this commit, it'd probably be worth splitting these into their own files similar to the other guess-based files, just for easier management.

func (g *guessDeref) Probes() ([]helper.ProbeDef, error) {
return []helper.ProbeDef{
func (g *guessDeref) Probes() ([]kprobes.ProbeDef, error) {
return []kprobes.ProbeDef{
{
Probe: tracing.Probe{

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wondering why keep the package different for kprobes v. tracing? Are we planning on doing some other types of tracing (i.e. tracepoint, uprobe, etc?)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really. Makes sense to merge the packages.

@adriansr adriansr added in progress Pull request is currently in progress. and removed review labels Oct 9, 2020
@adriansr adriansr marked this pull request as draft October 9, 2020 08:06
@adriansr
Copy link
Contributor Author

adriansr commented Oct 9, 2020

Turning it into a draft for now as it needs more changes:

  • Rebase on top of current socket dataset
  • Better guess instantiation to avoid globals

@botelastic
Copy link

botelastic bot commented Nov 8, 2020

Hi!
We just realized that we haven't looked into this PR in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it in as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Nov 8, 2020
@botelastic
Copy link

botelastic bot commented Dec 8, 2020

Hi!
This PR has been stale for a while and we're going to close it as part of our cleanup procedure.
We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team.
Feel free to re-open this PR if you think it should stay open and is worth rebasing.
Thank you for your contribution!

@botelastic botelastic bot closed this Dec 8, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Auditbeat enhancement in progress Pull request is currently in progress. Stalled
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants