container proc

eBPF_Supermarket/CPU_Subsystem/eBPF_proc_image/bpf/syscall_image.bpf.c

@@ -23,8 +23,9 @@
 #include "proc_image.h"
 
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
-
+#define MAX_NODENAME_LEN 64
 const volatile pid_t ignore_tgid = -1;
+const volatile char hostname[MAX_NODENAME_LEN] = "";
 const int key = 0;
 pid_t pre_target_pid = -1;//上一个监测的进程；
 int pre_target_tgid = -1;//上一个监测的进程组；
@@ -48,14 +49,69 @@ struct {
 	__uint(max_entries,256 * 10240);
 } syscall_rb SEC(".maps");
 
+struct {
+    __uint(type,BPF_MAP_TYPE_HASH);
+    __uint(max_entries, 8192);
+    __type(key, pid_t);
+    __type(value,struct container_id);   
+}container_id_map SEC(".maps");
+
+struct container_id{
+    char container_id[20];
+};
+
+struct data_t {
+    char nodename[MAX_NODENAME_LEN];
+};
+
+static bool is_container_task(const volatile char hostname[MAX_NODENAME_LEN]){
+    struct task_struct *task;
+    struct nsproxy *ns;
+    struct uts_namespace *uts;
+    struct data_t data = {};
+    // 获取当前任务的 task_struct
+    task = (struct task_struct *)bpf_get_current_task();
+    // 获取 nsproxy
+    bpf_probe_read_kernel(&ns, sizeof(ns), &task->nsproxy);
+    if (!ns) {
+        return false;
+    }
+    // 获取 uts_namespace
+    bpf_probe_read_kernel(&uts, sizeof(uts), &ns->uts_ns);
+    if (!uts) {
+        return false;
+    }
+    // 读取主机名
+    bpf_probe_read_kernel_str(&data.nodename, sizeof(data.nodename), uts->name.nodename);
+    // 打印主机名
+    bool is_equal = true;
+    for(int i = 0;i<MAX_NODENAME_LEN;i++){
+        if(data.nodename[i] != hostname[i]){
+            pid_t pid = bpf_get_current_pid_tgid();
+            bpf_map_update_elem(&container_id_map,&pid,&data.nodename,BPF_ANY);
+            is_equal = false;
+            break;
+        }
+        if(data.nodename[i]=='\0'||hostname[i]=='\0'){
+            break;
+        }
+    }
+    if (is_equal){
+        return false;
+    } else {
+        return true;
+    }
+}
 SEC("tracepoint/raw_syscalls/sys_enter")
 int sys_enter(struct trace_event_raw_sys_enter *args)
 {
     struct sc_ctrl *sc_ctrl;
 	sc_ctrl = bpf_map_lookup_elem(&sc_ctrl_map,&key);
-	if(!sc_ctrl || !sc_ctrl->sc_func)
+    if(!sc_ctrl || !sc_ctrl->sc_func)
 		return 0;
-
+    if(sc_ctrl->is_container)
+        if(!is_container_task(hostname))
+            return 0;
     pid_t pid = bpf_get_current_pid_tgid();
     int tgid = bpf_get_current_pid_tgid() >> 32;
 
@@ -104,7 +160,9 @@ int sys_exit(struct trace_event_raw_sys_exit *args)
 	sc_ctrl = bpf_map_lookup_elem(&sc_ctrl_map,&key);
 	if(!sc_ctrl || !sc_ctrl->sc_func)
 		return 0;
-
+    if(sc_ctrl->is_container)
+        if(!is_container_task(hostname))
+            return 0;
     pid_t pid = bpf_get_current_pid_tgid();
     int tgid = bpf_get_current_pid_tgid() >> 32;
 

eBPF_Supermarket/CPU_Subsystem/eBPF_proc_image/controller.c

@@ -49,6 +49,7 @@ static struct env {
     bool enable_lock;
     bool enable_syscall;
     bool enable_schedule;
+    bool is_container;
 }  env = {
     .usemode = 0,
     .pid = -1,
@@ -68,6 +69,7 @@ static struct env {
     .enable_lock = false,
     .enable_syscall = false,
     .enable_schedule = false,
+    .is_container = false,
 };
 
 const char argp_program_doc[] ="Trace process to get process image.\n";
@@ -78,6 +80,7 @@ static const struct argp_option opts[] = {
     { "finish", 'f', NULL, 0, "Finish to run eBPF tool" },
 	{ "pid", 'p', "PID", 0, "Process ID to trace" },
     { "tgid", 'P', "TGID", 0, "Thread group to trace" },
+    { "containerproc", 'o', NULL, 0, "Thread of containerproc to trace" },
     { "cpuid", 'c', "CPUID", 0, "Set For Tracing  per-CPU Process(other processes don't need to set this parameter)" },
     { "time", 't', "TIME-SEC", 0, "Max Running Time(0 for infinite)" },
     { "myproc", 'm', NULL, 0, "Trace the process of the tool itself (not tracked by default)" },
@@ -143,6 +146,9 @@ static error_t parse_arg(int key, char *arg, struct argp_state *state)
 		case 'm':
 				env.enable_myproc = true;
 				break;
+        case 'o':
+				env.is_container = true;
+				break;
 		case 'r':
 				env.enable_resource = true;
 				break;
@@ -201,7 +207,7 @@ int deactivate_mode(){
     }
 
     if(env.enable_syscall){
-        struct sc_ctrl sc_ctrl = {false,false,-1,-1,0};
+        struct sc_ctrl sc_ctrl = {false,false,false,-1,-1,0};
         err = update_sc_ctrl_map(sc_ctrl);
         if(err < 0) return err;
     }
@@ -257,7 +263,7 @@ int main(int argc, char **argv)
         }
 
         if(env.enable_syscall){
-            struct sc_ctrl sc_ctrl = {true,env.enable_myproc,env.pid,env.tgid,env.syscalls};
+            struct sc_ctrl sc_ctrl = {true,env.enable_myproc, env.is_container,env.pid,env.tgid,env.syscalls};
             err = update_sc_ctrl_map(sc_ctrl);
             if(err < 0) return err;
         }

eBPF_Supermarket/CPU_Subsystem/eBPF_proc_image/include/proc_image.h

@@ -65,6 +65,7 @@ struct total_rsc{
 struct sc_ctrl {
     bool sc_func;
     bool enable_myproc;
+	bool is_container;
     pid_t target_pid;
     pid_t target_tgid;
     int syscalls;

eBPF_Supermarket/CPU_Subsystem/eBPF_proc_image/proc_image.c

@@ -65,6 +65,7 @@ static struct env {
 	int lock_prev_tgid;
 	int sched_prev_tgid;
 	int sc_prev_tgid;
+	char hostname[64];
 } env = {
 	.output_resourse = false,
 	.output_schedule = false,
@@ -88,6 +89,7 @@ static struct env {
 	.lock_prev_tgid = 0,
 	.sched_prev_tgid = 0,
 	.sc_prev_tgid = 0,
+	.hostname = "",
 };
 
 struct hashmap *map = NULL;
@@ -723,6 +725,16 @@ static void sig_handler(int signo)
 	exiting = true;
 }
 
+void get_hostname() {
+    char hostname[64];
+    int result = gethostname(hostname, sizeof(hostname));
+    if (result == 0) {
+        strcpy(env.hostname,hostname); 
+    } else {
+        perror("gethostname");
+    }
+}
+
 int main(int argc, char **argv)
 {
 	struct resource_image_bpf *resource_skel = NULL;
@@ -802,7 +814,9 @@ int main(int argc, char **argv)
 		}
 
 		syscall_skel->rodata->ignore_tgid = env.ignore_tgid;
-
+		get_hostname();
+		strcpy(syscall_skel->rodata->hostname,env.hostname);
+
 		err = syscall_image_bpf__load(syscall_skel);
 		if (err) {
 			fprintf(stderr, "Failed to load and verify BPF syscall skeleton\n");