parca-dev / parca-agent

eBPF based always-on profiler auto-discovering targets in Kubernetes and systemd, zero code changes or restarts needed!
https://parca.dev/
Apache License 2.0

CO:RE Support: Add support for embedding and loading BTF for the running host #715

Open kakkoyun opened 2 years ago

kakkoyun commented 2 years ago

Using https://github.com/aquasecurity/btfhub, we can download the specific BTF definitions for the major kernel versions and embed those BTF definitions into the binaries.

CONFIG_DEBUG_INFO_BTF=y is enabled in the Kernel config; it's easy to find BTF definitions for the kernel under /sys/kernel/btf/vmlinux. However, if it's not there, we need a way to provide them if we claim that we're truly CO:RE.

BTF definitions for the major Kernel versions can be downloaded from the hub, embedded, and loaded with the correct definitions when initializing the libbpf loader.

Tracee does this, and this article explains the process in detail https://opensource.com/article/22/9/ebpf-monitor-traffic-tracee
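The selection step proposed above, sketched in Go as an added example (this is not parca-agent or Tracee code): use the kernel's own BTF when it exists, otherwise pick the exact-match file from an embedded archive, and refuse rather than fall back to a near match. `ResolveBTF`, `ErrNoBTF`, `sample` and the `<ID>/<VERSION_ID>/<arch>/<uname -r>.btf` layout are assumptions; `host` stands in for `os.DirFS("/")` and `embedded` for an `embed.FS`.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

var ErrNoBTF = errors.New("no BTF for this kernel") // fail closed, never guess

// ResolveBTF returns "" if the kernel exposes BTF, else the matching path in embedded.
func ResolveBTF(host, embedded fs.FS, arch, release string) (string, error) {
	if _, err := fs.Stat(host, "sys/kernel/btf/vmlinux"); err == nil {
		return "", nil // CONFIG_DEBUG_INFO_BTF=y: nothing to supply
	}
	data, err := fs.ReadFile(host, "etc/os-release")
	if err != nil {
		return "", fmt.Errorf("os-release: %w", err)
	}
	kv := map[string]string{}
	for _, line := range strings.Split(string(data), "\n") {
		if k, v, ok := strings.Cut(line, "="); ok {
			kv[k] = strings.Trim(v, `"'`)
		}
	}
	// Assumed layout: <ID>/<VERSION_ID>/<arch>/<uname -r>.btf. Exact match only:
	// BTF from another kernel build would give wrong CO-RE field offsets.
	p := path.Join(kv["ID"], kv["VERSION_ID"], arch, release+".btf")
	if _, err := fs.Stat(embedded, p); err != nil {
		return "", ErrNoBTF // also covers "../" paths, which io/fs rejects
	}
	return p, nil
}

// sample builds constructed stand-ins for os.DirFS("/") and the embedded archive.
func sample(kernelBTF bool) (host, archive fstest.MapFS) {
	host = fstest.MapFS{"etc/os-release": {Data: []byte("ID=ubuntu\nVERSION_ID=\"20.04\"\n")}}
	if kernelBTF {
		host["sys/kernel/btf/vmlinux"] = &fstest.MapFile{}
	}
	return host, fstest.MapFS{"ubuntu/20.04/x86_64/5.4.0-100-generic.btf": {}}
}

func main() {
	h, a := sample(false)
	fmt.Println(ResolveBTF(h, a, "x86_64", "5.4.0-100-generic"))
}
```

A non-empty result is the file to extract and hand to the loader as its external BTF; an empty result means the loader can use the kernel's BTF unaided.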

v-thakkar commented 2 years ago

I think we should start with the 5.2 kernel requirement and add in the documentation that it's possible to support older kernels. We should only add this feature if we find the users that require it.

kakkoyun commented 2 years ago

> I think we should start with the 5.2 kernel requirement and add in the documentation that it's possible to support older kernels. We should only add this feature if we find the users that require it.

I recently revisited what the supported features for the kernel version are. FWIW, the BTF type format is supported in version 4.18 and above (https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md). I think we can have it since we claim to support 4.19 and above.

v-thakkar commented 2 years ago

While basic support for BTF indeed existed since 4.18, the more important thing to have the information about is when support for the BTF APIs we'll have in use with the stack unwinding feature landed in the kernel. And depending upon that, we can decide if it's worth adding support for the CO-RE via BTF Hub (for the older versions) or not.

For example, some stuff from older BTF things might already be outdated anyway.

kakkoyun commented 2 years ago

Let's see how it goes. As of now, all the things we need for unwinding are in the perf_event context, so we might not need this.