This PR adds basic fork/exec probes, and reworks the ringbuf/perfbuf wire format into what (IMO) is a more intuitive format.

It's currently branched off #47 since that PR is not yet merged. Opening it up now anyway since it's done and feedback is needed.

The fork/exec probes are deliberately minimal (we can easily add more stuff to them later). This PR is intended to gain agreement on the wire format and other aspects of the fork/exec probes before we go any further.

The following information is collected by the fork/exec probes in this PR:

Fork:
- parent tgid/sid
- child tgid/sid

Exec:
- tgid/sid
- controlling tty device numbers
- filename being exec'd
- argv

The wire format has been reworked so that instead of events consisting of a `struct ebpf_event` and a specific event type that's nested in the `data[]` attribute, we just have one single struct per event type. Data common to all events has been moved into a `struct ebpf_event_header`, so, for instance, a fork event looks like this:

With `hdr` being defined as follows:

This simplifies event parsing and writing code. Instead of having to wrangle two structs and overlay one in the flexible array of another, we just need one. IMO it fits better if we're going to use the "fixed size" format described in #43.

As a final cleanup, this PR reworks `EventsTrace` to spit out events as newline-delimited JSON. This allows for easy human and machine reading, and lets us output events with essentially exactly the same structure that they have as C struct definitions. Adding new fields should be trivial and we don't need to debate formatting.

I've been using `EventsTrace` as follows to nicely pretty-print all events that flow up:

You'll get output like the following: