search

cilium / tetragon

eBPF-based Security Observability and Runtime Enforcement
https://tetragon.io
Apache License 2.0
3.67k stars 370 forks source link

loader: refactor/tighten up loader codepaths #189

Open willfindlay opened 2 years ago

willfindlay commented 2 years ago

Right now our program loading/unloading logic is a bit messy and could probably be cleaned up quite significantly. In particular, it would be nice to have one shared codepath for program loading and one for map loading that takes care of any shared logic common to all program/map types. This would benefit things like #172 where we want to start keeping better track of what programs/maps sensors and loading and unloading over time.

Such changes could either be part of the cilium/ebpf refactor or happen afterwards. In the meantime, I'm filing this as a tracking issue so we can discuss it.

Forsworns commented 2 years ago

Such changes could either be part of the cilium/ebpf refactor or happen afterwards.

It's a good idea, I read the codes of Tetragon recently and found it a mixture of legacy codes with the new ones based on cilium/ebpf. E.g., the

https://github.com/cilium/tetragon/blob/c0ae0e67ebb85fd13dc5131f79f86dbd0a2999f3/pkg/observer/observer.go#L172

and

https://github.com/cilium/tetragon/blob/c0ae0e67ebb85fd13dc5131f79f86dbd0a2999f3/pkg/observer/observer.go#L182

I'd like to help if possible :)

olsajiri commented 2 years ago

the useCiliumEbpfReader was there to make sure we can easily switch back if there are problems with the new code.. which seems to be ok by now ;-)

you could try to cut out runEvents code and let's see how it looks