search

eunomia-bpf / bpftime

Userspace eBPF runtime for fast Uprobe & Syscall hook & Extensions
https://eunomia.dev/bpftime/
MIT License
744 stars 73 forks source link

[FEATURE] Add remote attach and detach support #156

Closed yunwei37 closed 5 months ago

yunwei37 commented 7 months ago

Is your feature request related to a problem? Please describe.

After the bpftime-agent.so dyn lib is loaded, the remote libbpf should be able to control to detach of uprobe. Currently we have it support in bpftime-agent.so, but not syscall server.

Describe the solution you'd like

We need a mechanism to pass message and better control the states of eBPF runtime.

Describe alternatives you've considered

Provide usage examples

Additional context

Officeyutong commented 7 months ago

Attach or detach?

yunwei37 commented 7 months ago

I think that's both attach or detach.

Maybe we can use a signal to notify the process, the bpftime-agent.so can register a signal handler and do the attach and detach based on the information in the share memory.

Officeyutong commented 7 months ago

I think that's both attach or detach.

Maybe we can use a signal to notify the process, the bpftime-agent.so can register a signal handler and do the attach and detach based on the information in the share memory.

May be a suitable IPC implementation is better. Signals are too limited

yunwei37 commented 7 months ago

Is there any other ways can interrupt the running process, give the control flow to the bpf runtime?

We may only use signal for interrupt, the information and attach/detached states should be stored in the shared memory

Officeyutong commented 7 months ago

Is there any other ways can interrupt the running process, give the control flow to the bpf runtime?

We may only use signal for interrupt, the information and attach/detached states should be stored in the shared memory

This would be a suitable solution now. I think we could try it. But would listening IPC requests in a separate thread be also a suitable way?

yunwei37 commented 7 months ago

I don't think so. The problems is not getting message, since the share memory is already a IPC methods.

The problem is you need to stop the function we want to trace from exec.

Officeyutong commented 7 months ago

Sounds good. But note that we may need some flags to avoid the detaching process being interrupted by another detaching signal. And the signal we used may not be utilized by the hooked user space program

云微 @.***>于2024年1月25日 周四下午8:29写道:

I don't think so. The problems is not getting message, since the share memory is already a IPC methods.

The problem is you need to stop the function we want to trace from exec.

— Reply to this email directly, view it on GitHub https://github.com/eunomia-bpf/bpftime/issues/156#issuecomment-1910105444, or unsubscribe https://github.com/notifications/unsubscribe-auth/ACEWIGS6QFLQ62L765KYSWLYQJFYZAVCNFSM6AAAAABCIS3PGWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJQGEYDKNBUGQ . You are receiving this because you commented.Message ID: @.***>

Officeyutong commented 7 months ago

Some extra discussions:

Officeyutong commented 5 months ago

Done by #261