Documentation
Overview
Package probes provides BPF features checks based on bpftool.
Index
- Constants
- Variables
- func CreateHeaderFiles(headerDir string, probes *FeatureProbes) error
- func HaveAttachCgroup() error
- func HaveAttachType(pt ebpf.ProgramType, at ebpf.AttachType) (err error)
- func HaveBatchAPI() error
- func HaveBoundedLoops() error
- func HaveDeadCodeElim() error
- func HaveFibIfindex() error
- func HaveIPv6Support() error
- func HaveLargeInstructionLimit() error
- func HaveManagedNeighbors() error
- func HaveOuterSourceIPSupport() (err error)
- func HaveProgramHelper(pt ebpf.ProgramType, helper asm.BuiltinFunc) error
- func HaveSKBAdjustRoomL2RoomMACSupport() (err error)
- func HaveV2ISA() error
- func HaveV3ISA() error
- func Jiffies() (uint64, error)
- func KernelHZ() (uint16, error)
- type FeatureProbes
- type Features
- type KernelParam
- type MapTypes
- type ProbeManager
- type ProgramHelper
- type SystemConfig
Constants
const (
	NTF_EXT_LEARNED = netlink.NTF_EXT_LEARNED
	NTF_EXT_MANAGED = netlink.NTF_EXT_MANAGED
)
Family type definitions
Variables
var ErrNotSupported = errors.New("not supported")
ErrNotSupported indicates that a feature is not supported by the current kernel.
var HaveNetkit = sync.OnceValue(func() error {
	prog, err := ebpf.NewProgram(&ebpf.ProgramSpec{
		Type: ebpf.SchedCLS,
		Instructions: asm.Instructions{
			asm.Mov.Imm(asm.R0, 0),
			asm.Return(),
		},
		License: "Apache-2.0",
	})
	if err != nil {
		return err
	}
	defer prog.Close()

	ns, err := netns.New()
	if err != nil {
		return fmt.Errorf("create netns: %w", err)
	}
	defer ns.Close()

	return ns.Do(func() error {
		l, err := link.AttachNetkit(link.NetkitOptions{
			Program:   prog,
			Attach:    ebpf.AttachNetkitPrimary,
			Interface: int(^uint32(0)),
		})
		if errors.Is(err, unix.ENODEV) {
			return nil
		}
		if err != nil {
			return fmt.Errorf("creating link: %w", err)
		}
		if err := l.Close(); err != nil {
			return fmt.Errorf("closing link: %w", err)
		}
		return fmt.Errorf("unexpected success: %w", err)
	})
})
HaveNetkit returns nil if the running kernel supports attaching bpf programs to netkit devices.
var HaveTCX = sync.OnceValue(func() error {
	prog, err := ebpf.NewProgram(&ebpf.ProgramSpec{
		Type: ebpf.SchedCLS,
		Instructions: asm.Instructions{
			asm.Mov.Imm(asm.R0, 0),
			asm.Return(),
		},
		License: "Apache-2.0",
	})
	if err != nil {
		return err
	}
	defer prog.Close()

	ns, err := netns.New()
	if err != nil {
		return fmt.Errorf("create netns: %w", err)
	}
	defer ns.Close()

	return ns.Do(func() error {
		l, err := link.AttachTCX(link.TCXOptions{
			Program:   prog,
			Attach:    ebpf.AttachTCXIngress,
			Interface: 1,
			Anchor:    link.Tail(),
		})
		if err != nil {
			return fmt.Errorf("creating link: %w", err)
		}
		if err := l.Close(); err != nil {
			return fmt.Errorf("closing link: %w", err)
		}
		return nil
	})
})
HaveTCX returns nil if the running kernel supports attaching bpf programs to tcx hooks.
Functions
func CreateHeaderFiles
func CreateHeaderFiles(headerDir string, probes *FeatureProbes) error
CreateHeaderFiles creates C header files with macros indicating which BPF features are available in the kernel.
func HaveAttachCgroup
func HaveAttachCgroup() error
HaveAttachCgroup returns nil if the kernel is compiled with CONFIG_CGROUP_BPF.
It's only an approximation and doesn't execute a successful cgroup attachment under the hood. If any unexpected errors are encountered, the original error is returned.
func HaveAttachType
func HaveAttachType(pt ebpf.ProgramType, at ebpf.AttachType) (err error)
HaveAttachType returns nil if the given program/attach type combination is supported by the underlying kernel. Returns ebpf.ErrNotSupported if loading a program with the given Program/AttachType fails. If the probe is inconclusive due to an unrecognized return code, the original error is returned.
Note that program types that don't use attach types will silently succeed if an attach type is specified.
Probe results are cached by the package and shouldn't be memoized by the caller.
func HaveBatchAPI (added in v1.16.0)
func HaveBatchAPI() error
HaveBatchAPI checks if the kernel supports the batched BPF map lookup API.
func HaveBoundedLoops
func HaveBoundedLoops() error
HaveBoundedLoops is a wrapper around features.HaveBoundedLoops() to check if the kernel supports bounded loops in BPF programs. On unexpected probe results this function will terminate with log.Fatal().
func HaveDeadCodeElim (added in v1.16.0)
func HaveDeadCodeElim() error
HaveDeadCodeElim tests whether the kernel supports dead code elimination.
func HaveFibIfindex
func HaveFibIfindex() error
HaveFibIfindex checks if kernel has d1c362e1dd68 ("bpf: Always return target ifindex in bpf_fib_lookup") which is 5.10+. This got merged in the same kernel as the new redirect helpers.
func HaveIPv6Support
func HaveIPv6Support() error
HaveIPv6Support tests whether kernel can open an IPv6 socket. This will also implicitly auto-load IPv6 kernel module if available and not yet loaded.
func HaveLargeInstructionLimit
func HaveLargeInstructionLimit() error
HaveLargeInstructionLimit is a wrapper around features.HaveLargeInstructions() to check if the kernel supports the 1 Million instruction limit. On unexpected probe results this function will terminate with log.Fatal().
func HaveManagedNeighbors
func HaveManagedNeighbors() error
HaveManagedNeighbors returns nil if the host supports managed neighbor entries (NTF_EXT_MANAGED). On unexpected probe results this function will terminate with log.Fatal().
func HaveOuterSourceIPSupport
func HaveOuterSourceIPSupport() (err error)
HaveOuterSourceIPSupport tests whether the kernel supports setting the outer source IP address via the bpf_skb_set_tunnel_key BPF helper. We can't rely on the verifier to reject a program using the new support because the verifier just accepts any argument size for that helper; non-supported fields will simply not be used. Instead, we set the outer source IP and retrieve it with bpf_skb_get_tunnel_key right after. If the retrieved value equals the value set, we have confirmation that the kernel supports it.
func HaveProgramHelper
func HaveProgramHelper(pt ebpf.ProgramType, helper asm.BuiltinFunc) error
HaveProgramHelper is a wrapper around features.HaveProgramHelper() to check if a certain BPF program/helper combination is supported by the kernel. On unexpected probe results this function will terminate with log.Fatal().
func HaveSKBAdjustRoomL2RoomMACSupport (added in v1.15.0)
func HaveSKBAdjustRoomL2RoomMACSupport() (err error)
HaveSKBAdjustRoomL2RoomMACSupport tests whether the kernel supports the `bpf_skb_adjust_room` helper with the `BPF_ADJ_ROOM_MAC` mode. To do so, we create a program that requests the passed in SKB to be expanded by 20 bytes. The helper checks the `mode` argument and will return -ENOSUPP if the mode is unknown. Otherwise it should resize the SKB by 20 bytes and return 0.
func HaveV2ISA
func HaveV2ISA() error
HaveV2ISA is a wrapper around features.HaveV2ISA() to check if the kernel supports the V2 ISA. On unexpected probe results this function will terminate with log.Fatal().
func HaveV3ISA
func HaveV3ISA() error
HaveV3ISA is a wrapper around features.HaveV3ISA() to check if the kernel supports the V3 ISA. On unexpected probe results this function will terminate with log.Fatal().
func Jiffies
Jiffies returns the kernel's internal timestamp in jiffies read from /proc/schedstat.
func KernelHZ
KernelHZ attempts to estimate the kernel's CONFIG_HZ compile-time value by making snapshots of the kernel timestamp with a time interval in between.
Blocks for at least 100ms while the measurement is in progress. Can block significantly longer under some hypervisors like VirtualBox due to buggy clocks, interrupt coalescing and low timer resolution.
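The two-snapshot estimate described for Jiffies and KernelHZ, as an added example that is not the package's own code. ParseJiffies, EstimateHZ and the candidate list of CONFIG_HZ values are assumptions made for this sketch; snapping to the nearest candidate is what absorbs the timer jitter mentioned above.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

// ParseJiffies extracts the "timestamp" value from /proc/schedstat content.
func ParseJiffies(schedstat string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(schedstat))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 2 && f[0] == "timestamp" {
			return strconv.ParseUint(f[1], 10, 64)
		}
	}
	return 0, errors.New("no timestamp line found")
}

// EstimateHZ converts two jiffies snapshots taken elapsed apart into the
// closest candidate CONFIG_HZ value (the candidate list is an assumption).
func EstimateHZ(j1, j2 uint64, elapsed time.Duration) (uint16, error) {
	if j2 <= j1 || elapsed <= 0 {
		return 0, errors.New("jiffies did not advance between snapshots")
	}
	rate := float64(j2-j1) / elapsed.Seconds()
	best, bestDiff := uint16(0), math.Inf(1)
	for _, hz := range []uint16{100, 250, 300, 1000} {
		if d := math.Abs(rate - float64(hz)); d < bestDiff {
			best, bestDiff = hz, d
		}
	}
	return best, nil
}

// Constructed /proc/schedstat excerpts, not captured from a real host.
const before = "version 15\ntimestamp 4294967500\ncpu0 0 0 0 0 0 0 1 2 3\n"
const after = "version 15\ntimestamp 4294967526\ncpu0 0 0 0 0 0 0 4 5 6\n"

func main() {
	j1, _ := ParseJiffies(before)
	j2, _ := ParseJiffies(after)
	fmt.Println(EstimateHZ(j1, j2, 103*time.Millisecond))
}
```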
Types
type FeatureProbes
type FeatureProbes struct {
	ProgramHelpers map[ProgramHelper]bool
	Misc           miscFeatures
}
func ExecuteHeaderProbes
func ExecuteHeaderProbes() *FeatureProbes
ExecuteHeaderProbes probes the kernel for a specific set of BPF features which are currently used to generate various feature macros for the datapath. The probe results returned in FeatureProbes are then used in the respective function that writes the actual C macro definitions. Further needed probes should be added here, while new macro strings need to be added in the correct `write*Header()` function.
type Features
type Features struct {
	SystemConfig `json:"system_config"`
	MapTypes     `json:"map_types"`
}
Features contains BPF feature checks returned by bpftool.
type KernelParam
type KernelParam string
KernelParam is a type based on string which represents CONFIG_* kernel parameters which usually have values "y", "n" or "m".
func (KernelParam) Enabled
func (kp KernelParam) Enabled() bool
Enabled checks whether the kernel parameter is enabled.
func (KernelParam) Module
func (kp KernelParam) Module() bool
Module checks whether the kernel parameter is enabled as a module.
type MapTypes
type MapTypes struct {
	HaveHashMapType                bool `json:"have_hash_map_type"`
	HaveArrayMapType               bool `json:"have_array_map_type"`
	HaveProgArrayMapType           bool `json:"have_prog_array_map_type"`
	HavePerfEventArrayMapType      bool `json:"have_perf_event_array_map_type"`
	HavePercpuHashMapType          bool `json:"have_percpu_hash_map_type"`
	HavePercpuArrayMapType         bool `json:"have_percpu_array_map_type"`
	HaveStackTraceMapType          bool `json:"have_stack_trace_map_type"`
	HaveCgroupArrayMapType         bool `json:"have_cgroup_array_map_type"`
	HaveLruHashMapType             bool `json:"have_lru_hash_map_type"`
	HaveLruPercpuHashMapType       bool `json:"have_lru_percpu_hash_map_type"`
	HaveLpmTrieMapType             bool `json:"have_lpm_trie_map_type"`
	HaveArrayOfMapsMapType         bool `json:"have_array_of_maps_map_type"`
	HaveHashOfMapsMapType          bool `json:"have_hash_of_maps_map_type"`
	HaveDevmapMapType              bool `json:"have_devmap_map_type"`
	HaveSockmapMapType             bool `json:"have_sockmap_map_type"`
	HaveCpumapMapType              bool `json:"have_cpumap_map_type"`
	HaveXskmapMapType              bool `json:"have_xskmap_map_type"`
	HaveSockhashMapType            bool `json:"have_sockhash_map_type"`
	HaveCgroupStorageMapType       bool `json:"have_cgroup_storage_map_type"`
	HaveReuseportSockarrayMapType  bool `json:"have_reuseport_sockarray_map_type"`
	HavePercpuCgroupStorageMapType bool `json:"have_percpu_cgroup_storage_map_type"`
	HaveQueueMapType               bool `json:"have_queue_map_type"`
	HaveStackMapType               bool `json:"have_stack_map_type"`
}
MapTypes contains bools indicating which types of BPF maps the currently running kernel supports.
type ProbeManager
type ProbeManager struct {
// contains filtered or unexported fields
}
ProbeManager is a manager of BPF feature checks.
func NewProbeManager
func NewProbeManager() *ProbeManager
NewProbeManager returns a new instance of ProbeManager - a manager of BPF feature checks.
func (*ProbeManager) GetOptionalConfig
func (p *ProbeManager) GetOptionalConfig() map[KernelParam]kernelOption
GetOptionalConfig performs a check of *optional* kernel configuration options. It returns a map indicating which optional/non-mandatory kernel parameters are enabled. GetOptionalConfig is being used by CLI "cilium kernel-check".
func (*ProbeManager) GetRequiredConfig
func (p *ProbeManager) GetRequiredConfig() map[KernelParam]kernelOption
GetRequiredConfig performs a check of mandatory kernel configuration options. It returns a map indicating which required kernel parameters are enabled - and which are not. GetRequiredConfig is being used by CLI "cilium kernel-check".
func (*ProbeManager) KernelConfigAvailable
func (p *ProbeManager) KernelConfigAvailable() bool
KernelConfigAvailable checks if the Kernel Config is available on the system or not.
func (*ProbeManager) Probe
func (*ProbeManager) Probe() Features
Probe probes the underlying kernel for features.
func (*ProbeManager) SystemConfigProbes
func (p *ProbeManager) SystemConfigProbes() error
SystemConfigProbes performs a check of kernel configuration parameters. It returns an error when parameters required by Cilium are not enabled. It logs warnings when optional parameters are not enabled.
When the kernel config file is not found, bpftool can't probe the real setting of a kernel configuration parameter, so an error is only returned when the kernel config file exists and the kernel configuration parameter is disabled.
type ProgramHelper
type ProgramHelper struct {
	Program ebpf.ProgramType
	Helper  asm.BuiltinFunc
}
type SystemConfig
type SystemConfig struct {
	UnprivilegedBpfDisabled      int         `json:"unprivileged_bpf_disabled"`
	BpfJitEnable                 int         `json:"bpf_jit_enable"`
	BpfJitHarden                 int         `json:"bpf_jit_harden"`
	BpfJitKallsyms               int         `json:"bpf_jit_kallsyms"`
	BpfJitLimit                  int         `json:"bpf_jit_limit"`
	ConfigBpf                    KernelParam `json:"CONFIG_BPF"`
	ConfigBpfSyscall             KernelParam `json:"CONFIG_BPF_SYSCALL"`
	ConfigHaveEbpfJit            KernelParam `json:"CONFIG_HAVE_EBPF_JIT"`
	ConfigBpfJit                 KernelParam `json:"CONFIG_BPF_JIT"`
	ConfigBpfJitAlwaysOn         KernelParam `json:"CONFIG_BPF_JIT_ALWAYS_ON"`
	ConfigCgroups                KernelParam `json:"CONFIG_CGROUPS"`
	ConfigCgroupBpf              KernelParam `json:"CONFIG_CGROUP_BPF"`
	ConfigCgroupNetClassID       KernelParam `json:"CONFIG_CGROUP_NET_CLASSID"`
	ConfigSockCgroupData         KernelParam `json:"CONFIG_SOCK_CGROUP_DATA"`
	ConfigBpfEvents              KernelParam `json:"CONFIG_BPF_EVENTS"`
	ConfigKprobeEvents           KernelParam `json:"CONFIG_KPROBE_EVENTS"`
	ConfigUprobeEvents           KernelParam `json:"CONFIG_UPROBE_EVENTS"`
	ConfigTracing                KernelParam `json:"CONFIG_TRACING"`
	ConfigFtraceSyscalls         KernelParam `json:"CONFIG_FTRACE_SYSCALLS"`
	ConfigFunctionErrorInjection KernelParam `json:"CONFIG_FUNCTION_ERROR_INJECTION"`
	ConfigBpfKprobeOverride      KernelParam `json:"CONFIG_BPF_KPROBE_OVERRIDE"`
	ConfigNet                    KernelParam `json:"CONFIG_NET"`
	ConfigXdpSockets             KernelParam `json:"CONFIG_XDP_SOCKETS"`
	ConfigLwtunnelBpf            KernelParam `json:"CONFIG_LWTUNNEL_BPF"`
	ConfigNetActBpf              KernelParam `json:"CONFIG_NET_ACT_BPF"`
	ConfigNetClsBpf              KernelParam `json:"CONFIG_NET_CLS_BPF"`
	ConfigNetClsAct              KernelParam `json:"CONFIG_NET_CLS_ACT"`
	ConfigNetSchIngress          KernelParam `json:"CONFIG_NET_SCH_INGRESS"`
	ConfigXfrm                   KernelParam `json:"CONFIG_XFRM"`
	ConfigIPRouteClassID         KernelParam `json:"CONFIG_IP_ROUTE_CLASSID"`
	ConfigIPv6Seg6Bpf            KernelParam `json:"CONFIG_IPV6_SEG6_BPF"`
	ConfigBpfLircMode2           KernelParam `json:"CONFIG_BPF_LIRC_MODE2"`
	ConfigBpfStreamParser        KernelParam `json:"CONFIG_BPF_STREAM_PARSER"`
	ConfigNetfilterXtMatchBpf    KernelParam `json:"CONFIG_NETFILTER_XT_MATCH_BPF"`
	ConfigBpfilter               KernelParam `json:"CONFIG_BPFILTER"`
	ConfigBpfilterUmh            KernelParam `json:"CONFIG_BPFILTER_UMH"`
	ConfigTestBpf                KernelParam `json:"CONFIG_TEST_BPF"`
	ConfigKernelHz               KernelParam `json:"CONFIG_HZ"`
}
SystemConfig contains kernel configuration and sysctl parameters related to BPF functionality.
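How the hardening-relevant fields of SystemConfig can be read from probe output, as an added example that is not the package's own code. It redeclares a subset of the types above locally with the same JSON tags; the Audit function, the "y" comparison in Enabled, the treatment of an empty KernelParam as unknown (in line with the SystemConfigProbes note on a missing kernel config file) and the sample document are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// KernelParam mirrors the page's type; comparing against "y" is an assumption.
type KernelParam string

func (kp KernelParam) Enabled() bool { return kp == "y" }

// SystemConfig is a subset of the fields and JSON tags listed above.
type SystemConfig struct {
	UnprivilegedBpfDisabled int         `json:"unprivileged_bpf_disabled"`
	BpfJitEnable            int         `json:"bpf_jit_enable"`
	BpfJitHarden            int         `json:"bpf_jit_harden"`
	ConfigBpfJitAlwaysOn    KernelParam `json:"CONFIG_BPF_JIT_ALWAYS_ON"`
}

type Features struct {
	SystemConfig `json:"system_config"`
}

// Audit decodes probe output and returns hardening findings.
func Audit(doc []byte) ([]string, error) {
	var f Features
	if err := json.Unmarshal(doc, &f); err != nil {
		return nil, fmt.Errorf("decode probe output: %w", err)
	}
	var out []string
	if f.UnprivilegedBpfDisabled == 0 {
		out = append(out, "unprivileged_bpf_disabled=0: bpf() is open to unprivileged users")
	}
	if f.BpfJitEnable != 0 && f.BpfJitHarden == 0 {
		out = append(out, "bpf_jit_harden=0: JIT hardening is off")
	}
	// An empty value means the kernel config was not readable; report only
	// options that are known to be disabled.
	if kp := f.ConfigBpfJitAlwaysOn; kp != "" && !kp.Enabled() {
		out = append(out, "CONFIG_BPF_JIT_ALWAYS_ON="+string(kp)+": interpreter still available")
	}
	return out, nil
}

// Constructed sample input, not captured from a real host.
const sample = `{"system_config":{"unprivileged_bpf_disabled":0,"bpf_jit_enable":1,
"bpf_jit_harden":0,"CONFIG_BPF_JIT_ALWAYS_ON":null}}`

func main() {
	findings, err := Audit([]byte(sample))
	fmt.Println(findings, err)
}
```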