kvm_container_syscall

eBPF_Supermarket/kvm_watcher/include/bpf/container.h

@@ -24,18 +24,29 @@
 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_core_read.h>
 #include <bpf/bpf_tracing.h>
+#define MAX_NODENAME_LEN 64
 struct {
     __uint(type,BPF_MAP_TYPE_HASH);
     __uint(max_entries, 8192);
     __type(key, pid_t);
     __type(value, u64);
 }time_info SEC(".maps");
+
 struct {
     __uint(type,BPF_MAP_TYPE_HASH);
     __uint(max_entries, 8192);
     __type(key, pid_t);
     __type(value, u64);
 }id SEC(".maps");
+
+struct {
+    __uint(type,BPF_MAP_TYPE_HASH);
+    __uint(max_entries, 8192);
+    __type(key, pid_t);
+    __type(value,struct container_id);   
+}container_id_map SEC(".maps");
+
+
 static int trace_container_sys_entry(struct trace_event_raw_sys_enter *args){
     u64 st = bpf_ktime_get_ns();
     pid_t pid = bpf_get_current_pid_tgid();
@@ -47,7 +58,6 @@ static int trace_container_sys_entry(struct trace_event_raw_sys_enter *args){
 static int trace_container_sys_exit(struct trace_event_raw_sys_exit *args,void *rb,struct common_event *e){
     u64 exit_time = bpf_ktime_get_ns();
     pid_t pid = bpf_get_current_pid_tgid();
-    //bpf_printk("pid=%15d\n",pid);
     u64 delay,start_time,syscallid;
     u64 *st = bpf_map_lookup_elem(&time_info,&pid);
     if( st !=0){
@@ -58,43 +68,36 @@ static int trace_container_sys_exit(struct trace_event_raw_sys_exit *args,void *
 		return 0;
 	}
     u64 *sc_id = bpf_map_lookup_elem(&id,&pid);
-    if( sc_id !=0){
+    if( sc_id != 0){
         syscallid = *sc_id;
 		bpf_map_delete_elem(&id, &pid);
 	}else{ 
 		return 0;
 	}
+    const void *contain_id = bpf_map_lookup_elem(&container_id_map,&pid);
+    if(contain_id != NULL){
+        bpf_printk("hostname=%s\n",contain_id);
+    }else{
+        return 0;
+    }
     RESERVE_RINGBUF_ENTRY(rb, e);
     e->syscall_data.delay = delay;
-    //bpf_get_current_comm(&e->syscall_data.comm, sizeof(e->syscall_data.comm));
+    bpf_get_current_comm(&e->syscall_data.comm, sizeof(e->syscall_data.comm));
     e->syscall_data.pid = pid;
+    bpf_probe_read_kernel_str(&(e->syscall_data.container_id),sizeof(e->syscall_data.container_id),contain_id);
     e->syscall_data.syscall_id = syscallid;
     bpf_ringbuf_submit(e, 0);
     return 0;
 }
-#define MAX_NODENAME_LEN 64
+
 struct data_t {
     char nodename[MAX_NODENAME_LEN];
 };
-// 字符串比较函数
-static bool str_not_equal(const char *s1, const char *s2) {
-    #pragma clang loop unroll(full)
-    for (int i = 0; i < MAX_NODENAME_LEN; i++) {
-        if (s1[i] != s2[i]) {
-            return true;
-        }
-        if (s1[i] == '\0') {
-            break;
-        }
-    }
-    return false;
-}
-static bool is_container_task(){
+static bool is_container_task(const volatile char hostname[MAX_NODENAME_LEN]){
     struct task_struct *task;
     struct nsproxy *ns;
     struct uts_namespace *uts;
     struct data_t data = {};
-
     // 获取当前任务的 task_struct
     task = (struct task_struct *)bpf_get_current_task();
 
@@ -109,19 +112,25 @@ static bool is_container_task(){
     if (!uts) {
         return false;
     }
-
     // 读取主机名
     bpf_probe_read_kernel_str(&data.nodename, sizeof(data.nodename), uts->name.nodename);
-
     // 打印主机名
-    //bpf_printk("Hostname: %s\n", data.nodename);
-    const char target_nodename[] = "yys-virtual-machine";
-    if (str_not_equal(data.nodename, target_nodename)) {
-        bpf_printk("Hostname: %s\n", data.nodename);
-        return true;
-    } else {
+    bool is_equal = true;
+    for(int i = 0;i<MAX_NODENAME_LEN;i++){
+        if(data.nodename[i] != hostname[i]){
+            pid_t pid = bpf_get_current_pid_tgid();
+            bpf_map_update_elem(&container_id_map,&pid,&data.nodename,BPF_ANY);
+            is_equal = false;
+            break;
+        }
+        if(data.nodename[i]=='\0'||hostname[i]=='\0'){
+            break;
+        }
+    }
+    if (is_equal){
         return false;
+    } else {
+        return true;
     }
-
 }
 #endif /* __CONTAINER_H */

eBPF_Supermarket/kvm_watcher/include/common.h

@@ -1,4 +1,4 @@
-// Copyright 2023 The LMP Authors.#define TASK_COMM_
+// Copyright 2023 The LMP Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -191,7 +191,9 @@ struct exit_value {
     __u32 count;
     __u32 pad;
 };
-
+struct container_id{
+    char container_id[20];
+};
 struct dirty_page_info {
     __u64 gfn;
     __u64 rel_gfn;
@@ -350,7 +352,8 @@ struct common_event {
             __u64 pid;
             __u64 syscall_id;
             __u64 delay;
-
+            char comm[20];
+            char container_id[20];
         } syscall_data;
     };
 };

eBPF_Supermarket/kvm_watcher/src/kvm_watcher.bpf.c

@@ -32,6 +32,7 @@
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
 
 const volatile pid_t vm_pid = -1;
+const volatile char hostname[64] = "";
 static struct common_event *e;
 
 // 定义环形缓冲区maps
@@ -249,18 +250,17 @@ int BPF_KPROBE(kp_start_sw_timer, struct kvm_lapic *apic) {
 SEC("tracepoint/raw_syscalls/sys_enter")
 int tp_container_sys_entry(struct trace_event_raw_sys_enter *args){
     //过滤进程
-    bool is_container = is_container_task();
+    bool is_container = is_container_task(hostname);
     if(is_container){
         return trace_container_sys_entry(args);
     }else{
         return 0;
     }
-
 }
 SEC("tracepoint/raw_syscalls/sys_exit")
 int tracepoint__syscalls__sys_exit(struct trace_event_raw_sys_exit *args){
     //过滤进程
-    bool is_container = is_container_task();
+    bool is_container = is_container_task(hostname);
     if(is_container){
         return trace_container_sys_exit(args,&rb,e);
     }else{

eBPF_Supermarket/kvm_watcher/src/kvm_watcher.c

@@ -332,6 +332,7 @@ static struct env {
     bool execute_container_syscall;
     int monitoring_time;
     pid_t vm_pid;
+    char hostname[64];
     enum EventType event_type;
 } env = {
     .execute_vcpu_wakeup = false,
@@ -349,6 +350,7 @@ static struct env {
     .verbose = false,
     .monitoring_time = 0,
     .vm_pid = -1,
+    .hostname = "",
     .show = false,
     .execute_container_syscall = false,
     .event_type = NONE_TYPE,
@@ -553,8 +555,8 @@ static int handle_event(void *ctx, void *data, size_t data_sz) {
             break;
         }
         case CONTAINER_SYSCALL:{
-            printf("%-15u %-15lld %-15lld \n",
-            e->syscall_data.pid,e->syscall_data.delay,e->syscall_data.syscall_id);
+            printf("%-8u %-22s %-10lld %-10lld %-16s\n",
+            e->syscall_data.pid,e->syscall_data.container_id,e->syscall_data.delay,e->syscall_data.syscall_id,e->syscall_data.comm);
             break;
         }
         case HALT_POLL: {
@@ -768,8 +770,8 @@ static int print_event_head(struct env *env) {
                    "VAILD?");
             break;
         case CONTAINER_SYSCALL:
-            printf("%-8s %-18s %6s %15s\n", "PID",
-                   "DELAY(ns)", "SyscallID", "COMM");
+            printf("%-8s %-22s %-9s %10s %-16s\n", "PID","CONTAINER_ID",
+                   "DELAY(us)", "SYSCALLID", "COMM");
             break;
         case EXIT:
             //可视化调整输出格式
@@ -1241,7 +1243,15 @@ int attach_probe(struct kvm_watcher_bpf *skel) {
     }
     return kvm_watcher_bpf__attach(skel);
 }
-
+void get_hostname() {
+    char hostname[64];
+    int result = gethostname(hostname, sizeof(hostname));
+    if (result == 0) {
+        strcpy(env.hostname,hostname); 
+    } else {
+        perror("gethostname");
+    }
+}
 int main(int argc, char **argv) {
     // 定义一个环形缓冲区
     struct ring_buffer *rb = NULL;
@@ -1253,7 +1263,8 @@ int main(int argc, char **argv) {
         return err;
     /*设置libbpf的错误和调试信息回调*/
     libbpf_set_print(libbpf_print_fn);
-
+    //获取hostname
+    get_hostname();
     /* Cleaner handling of Ctrl-C */
     signal(SIGINT, sig_handler);
     signal(SIGTERM, sig_handler);
@@ -1267,7 +1278,7 @@ int main(int argc, char **argv) {
 
     /* Parameterize BPF code with parameter */
     skel->rodata->vm_pid = env.vm_pid;
-
+    strcpy(skel->rodata->hostname,env.hostname);
     /* 禁用或加载内核挂钩函数 */
     set_disable_load(skel);