Feature #TASK_QT-21110 【私有发版v8.5】Euspace 添加根据进程信息进行无效事件过滤

containers/container.go

@@ -1448,7 +1448,7 @@ func (c *Container) AttachUprobes(tracer *ebpftracer.Tracer, pid uint32) error {
 		err = c.attachNetCoreUprobes(tracer, pid)
 	}
 	if err != nil {
-		c.DetachUprobes(pid, APP_UPROBE_ERROR)
+		c.DetachUprobes(tracer, pid, APP_UPROBE_ERROR)
 		return err
 	}
 	return nil
@@ -1545,7 +1545,12 @@ func (c *Container) attachJVMUprobes(tracer *ebpftracer.Tracer, pid uint32) erro
 		p.uprobes = append(p.uprobes, libNetProbes...)
 		//p.jvmUprobesChecked = true
 		c.l7AttachSuccess()
-		tracer.InitKProcInfo(pid, &c.AppInfo)
+		err = tracer.InitKProcInfo(pid, &c.AppInfo)
+		if err != nil {
+			klog.Errorf("[attach] InitKProcInfo failed pid:[%d] ;%s.", err.Error(), pid)
+		} else {
+			klog.Infof("[attach] InitKProcInfo succeed! pid:[%d]", pid)
+		}
 	} else {
 		klog.Infof("[attach] %s-%d already attach status:%v", codeType.String(), pid, c.Isl7AttachSuccess())
 	}

containers/container_apm.go

@@ -665,12 +665,12 @@ func (c *Container) verifyAttachConditions(r *Registry, pid uint32) (bool, int)
 }
 
 // 1.卸载入口
-func (c *Container) Detach(pid uint32, detachType APP_TYPE) {
+func (c *Container) Detach(tracer *ebpftracer.Tracer, pid uint32, detachType APP_TYPE) {
 	c.lock.Lock()
 	defer c.lock.Unlock()
 
 	if p := c.processes[pid]; p != nil {
-		err := c.DetachUprobes(pid, detachType)
+		err := c.DetachUprobes(tracer, pid, detachType)
 		if err != nil {
 			klog.WithError(err).Errorln("DetachUprobes Error.")
 		}
@@ -689,7 +689,7 @@ func (c *Container) Detach(pid uint32, detachType APP_TYPE) {
 }
 
 // 1.1卸载uprobe
-func (c *Container) DetachUprobes(pid uint32, detachType APP_TYPE) error {
+func (c *Container) DetachUprobes(tracer *ebpftracer.Tracer, pid uint32, detachType APP_TYPE) error {
 	// close uprobe
 	if p := c.processes[pid]; p != nil {
 		for _, u := range p.uprobes {
@@ -700,8 +700,7 @@ func (c *Container) DetachUprobes(pid uint32, detachType APP_TYPE) error {
 		}
 		p.uprobes = []link.Link{}
 		switch detachType {
-		case APP_UNINSTALL:
-		case APP_FUSE:
+		case APP_UNINSTALL, APP_FUSE:
 			codeType := c.GetCodeTypeFromCache(pid)
 			switch codeType {
 			case CodeTypeJava:
@@ -715,6 +714,13 @@ func (c *Container) DetachUprobes(pid uint32, detachType APP_TYPE) error {
 			klog.Infof("[DetachUprobes] ERROR_DETACH for pid %d", pid)
 		default:
 		}
+		//delete the proc info form proc_info_map(for kernel) when the uprobe detached
+		if err := tracer.DelKProcInfo(pid); err != nil {
+			return fmt.Errorf("[DetachUprobes] failed to delete KProcInfo for pid %d,detachType:%d", pid, detachType)
+		} else {
+			klog.Infof("[DetachUprobes] delete KProcInfo success for pid %d,detachType:%d", pid, detachType)
+			c.AppInfo.EBPFProcInfo = nil
+		}
 	} else {
 		return fmt.Errorf("[DetachUprobes] cannot find uprobe for pid %d", pid)
 	}
@@ -812,13 +818,13 @@ func (c *Container) AgentCtrl(r *Registry, pid uint32) {
 
 	// UNINSTALL
 	if r.isFusing && c.Isl7AttachSuccess() {
-		c.Detach(pid, APP_FUSE)
+		c.Detach(r.tracer, pid, APP_FUSE)
 		return
 	}
 
 	// verify UNINSTALL
 	if !verifyAttachConditions && c.Isl7AttachSuccess() {
-		c.Detach(pid, APP_UNINSTALL)
+		c.Detach(r.tracer, pid, APP_UNINSTALL)
 		return
 	}
 

containers/registry.go

@@ -205,7 +205,7 @@ func (r *Registry) Close() {
 func (r *Registry) CloseContainers() {
 	for pid, c := range r.containersByPid {
 		if c.Isl7AttachSuccess() {
-			c.Detach(pid, APP_UNINSTALL)
+			c.Detach(r.tracer, pid, APP_UNINSTALL)
 		}
 	}
 }

ebpftracer/ebpf/l7/l7.c

@@ -401,6 +401,13 @@ int trace_enter_write(void *ctx, __u64 fd, __u16 is_tls, char *buf, __u64 size,
 
     if (is_http_response(payload, &http_status))
     {
+        //处理http请求之前，确认进程信息是否存在
+        struct ebpf_proc_info *proc_info = bpf_map_lookup_elem(&proc_info_map, &pid);
+        if (!proc_info) {
+            cw_bpf_debug("[Trace End in l7][Response][HTTP]:no proc info. pid:%d \n",k.pid);
+            return 0;
+        }
+
 	    struct apm_trace_info_t * start_trace_info = get_trace_info_by_fd(pid, fd);
 	    if (!start_trace_info) {
 		    return -1;
@@ -789,6 +796,14 @@ int trace_exit_read(void *ctx, __u64 id, __u32 pid, __u16 is_tls, long int ret)
     // 被调用方http入口
     // 作为服务端在走。coroot 原有逻辑是没有的
     if (is_http_request(payload)) {
+
+        //处理http请求之前，确认进程信息是否存在
+        struct ebpf_proc_info *proc_info = bpf_map_lookup_elem(&proc_info_map, &pid);
+        if (!proc_info) {
+            cw_bpf_debug("[Receive][HTTP]:no proc info. pid:%d",k.pid);
+            return 0;
+        }
+
         struct l7_request *req = bpf_map_lookup_elem(&l7_request_heap, &zero);
         if (!req)
         {
@@ -852,31 +867,9 @@ int trace_exit_read(void *ctx, __u64 id, __u32 pid, __u16 is_tls, long int ret)
         //     __sync_fetch_and_add(&accept_conn->bytes_received, total_size);
         // }
 
-#if __KERNEL_FROM >= 512
-    // ---------- 在http请求入口生成 横向串联的trace_id start ----------
-            __u32 key = 0;
-            __u32 offset = has_cw_header(req->payload);
-    //        cw_bpf_debug("pid:[%d],offset:[%d]\n",tid,offset);
-            struct apm_span_context *cw_parent_span_context = bpf_map_lookup_elem(&apm_span_context_heap3, &key);
-             if (cw_parent_span_context == NULL) {
-                 return -1;
-             }
-             __builtin_memset(cw_parent_span_context, 0, sizeof(struct apm_span_context));
-
-             if (offset >0) {
-                 cw_string_to_span_context(&req->payload[offset], cw_parent_span_context);
-             } else {
-                 generate_random_bytes(cw_parent_span_context->trace_id, TRACE_ID_SIZE);
-             }
-            // 保存 trace_id 到psc
-            cw_save_parent_tracking_span(cw_parent_span_context);
-            cw_bpf_debug("[Trace Start in l7][HTTP]pid:[%d] trace_id:[%llu]\n", tid, cw_parent_span_context->trace_id);
-    // ---------- 在http请求入口生成 横向串联的trace_id end ----------
-#else
-           //bpf_tail_call PROGUP(l7_http_request)
-           cw_bpf_debug("======== PROG_DATA_L7_HTTP_TRACE_ID_UP_IDX ========== __KERNEL_FROM < 512 pid:[%d] ",tid);
-           bpf_tail_call(ctx, &NAME(progs_jmp_tp_map), PROG_DATA_L7_HTTP_TRACE_ID_TP_IDX);
-#endif
+        //bpf_tail_call PROGUP(l7_http_request)
+        cw_bpf_debug("======== PROG_DATA_L7_HTTP_TRACE_ID_UP_IDX ========== __KERNEL_FROM < 512 pid:[%d] ",tid);
+        bpf_tail_call(ctx, &NAME(progs_jmp_tp_map), PROG_DATA_L7_HTTP_TRACE_ID_TP_IDX);
          return 0;
     }
 

ebpftracer/tracer.go

@@ -881,6 +881,14 @@ func (t *Tracer) InitKProcInfo(pid uint32, appInfo *AppInfo) error {
 	return err
 }
 
+func (t *Tracer) DelKProcInfo(pid uint32) error {
+	_, err := tracer.DelProcInfoFromMap(t.collection, pid)
+	if err != nil {
+		klog.Error("failed to delete proc info", err)
+	}
+	return err
+}
+
 // TODO check language
 func (t *Tracer) DisableL7Tracing() bool {
 	return t.disableL7Tracing

ebpftracer/tracer/btf_vmlinux.go

@@ -101,6 +101,20 @@ func bpf_table_set_value(collection *ebpf.Collection, mapName string, key uint32
 	return ETR_OK, nil
 }
 
+func bpf_table_delete_key(collection *ebpf.Collection, mapName string, key uint32) (int, error) {
+	m, ok := collection.Maps[mapName]
+	if ok {
+		k := make([]byte, 4)                  // Assuming int k size is 4 bytes
+		binary.LittleEndian.PutUint32(k, key) // Assuming the key is an integer
+		if err := m.Delete(k); err != nil && !errors.Is(err, ebpf.ErrKeyNotExist) {
+			return ETR_MAP_DELETE_KEY_FAILD, err
+		}
+	} else {
+		return ETR_MAP_DELETE_KEY_FAILD, errors.New("cannot find map " + mapName)
+	}
+	return ETR_OK, nil
+}
+
 func test(collectionSpec *ebpf.CollectionSpec, opts *ebpf.CollectionOptions) {
 	fmt.Println("collectionSpec.Maps start --")
 	var newMap *ebpf.Map

ebpftracer/tracer/offset.go

@@ -194,3 +194,7 @@ func GetOffset(id ID, path string) (uint64, bool) {
 func UpdateProcInfoToMap(collection *ebpf.Collection, pid uint32, proc any) (int, error) {
 	return bpf_table_set_value(collection, MAP_PROC_INFO_MAP_NAME, pid, proc)
 }
+
+func DelProcInfoFromMap(collection *ebpf.Collection, pid uint32) (int, error) {
+	return bpf_table_delete_key(collection, MAP_PROC_INFO_MAP_NAME, pid)
+}

utils/modelse/bpf_struct.go

@@ -1,10 +1,11 @@
 package modelse
 
 const (
-	ETR_OK               = 0
-	ETR_NOTEXIST         = -4
-	ETR_UPDATE_MAP_FAILD = -9 /* update map failed */
-	ETR_NOTSUPP          = -14
+	ETR_OK                   = 0
+	ETR_NOTEXIST             = -4
+	ETR_UPDATE_MAP_FAILD     = -9 /* update map failed */
+	ETR_NOTSUPP              = -14
+	ETR_MAP_DELETE_KEY_FAILD = -2 /* map delete key failed */
 )
 
 const (