diff --git a/collector/CMakeLists.txt b/collector/CMakeLists.txt index 67a9f197cb..52555fb6ec 100644 --- a/collector/CMakeLists.txt +++ b/collector/CMakeLists.txt @@ -62,29 +62,7 @@ add_definitions("-DINTERESTING_SUBSYS=\"perf_event\", \"cpu\", \"cpuset\", \"mem add_definitions(-DASSERT_TO_LOG) -file(GLOB COLLECTOR_LIB_SRC_FILES ${PROJECT_SOURCE_DIR}/lib/*.cpp) -add_library(collector_lib ${DRIVER_HEADERS} ${COLLECTOR_LIB_SRC_FILES}) -add_dependencies(collector_lib sinsp) -target_link_libraries(collector_lib sinsp) -target_link_libraries(collector_lib stdc++fs) # This is needed for GCC-8 to link against the filesystem library -target_link_libraries(collector_lib cap-ng) -target_link_libraries(collector_lib uuid) -target_link_libraries(collector_lib libgrpc++.a libgrpc.a libgpr.a libupb.a libabsl_bad_optional_access.a libabsl_base.a libabsl_log_severity.a libabsl_spinlock_wait.a libabsl_str_format_internal.a libabsl_strings.a libabsl_strings_internal.a libabsl_throw_delegate.a libabsl_int128.a libabsl_raw_logging_internal.a libaddress_sorting.a) -target_link_libraries(collector_lib civetweb-cpp civetweb) - -target_link_libraries(collector_lib rox-proto) - -if(DEFINED ENV{WITH_RHEL_RPMS}) - target_link_libraries(collector_lib protobuf cares) -else() - target_link_libraries(collector_lib libprotobuf.a libcares.a) -endif() - -if(NOT DISABLE_PROFILING) - target_link_libraries(collector_lib profiler tcmalloc) -endif() - -target_link_libraries(collector_lib z ssl crypto CURL::libcurl bpf) +add_subdirectory(lib) add_executable(collector collector.cpp) target_link_libraries(collector collector_lib) diff --git a/collector/lib/CMakeLists.txt b/collector/lib/CMakeLists.txt new file mode 100644 index 0000000000..38f153ca7c --- /dev/null +++ b/collector/lib/CMakeLists.txt @@ -0,0 +1,27 @@ +file(GLOB COLLECTOR_LIB_SRC_FILES + ${CMAKE_CURRENT_SOURCE_DIR}/*.cpp + ${CMAKE_CURRENT_SOURCE_DIR}/system-inspector/*.cpp +) + +add_library(collector_lib ${DRIVER_HEADERS} ${COLLECTOR_LIB_SRC_FILES}) +add_dependencies(collector_lib sinsp) +target_link_libraries(collector_lib sinsp) +target_link_libraries(collector_lib stdc++fs) # This is needed for GCC-8 to link against the filesystem library +target_link_libraries(collector_lib cap-ng) +target_link_libraries(collector_lib uuid) +target_link_libraries(collector_lib libgrpc++.a libgrpc.a libgpr.a libupb.a libabsl_bad_optional_access.a libabsl_base.a libabsl_log_severity.a libabsl_spinlock_wait.a libabsl_str_format_internal.a libabsl_strings.a libabsl_strings_internal.a libabsl_throw_delegate.a libabsl_int128.a libabsl_raw_logging_internal.a libaddress_sorting.a) +target_link_libraries(collector_lib civetweb-cpp civetweb) + +target_link_libraries(collector_lib rox-proto) + +if(DEFINED ENV{WITH_RHEL_RPMS}) + target_link_libraries(collector_lib protobuf cares) +else() + target_link_libraries(collector_lib libprotobuf.a libcares.a) +endif() + +if(NOT DISABLE_PROFILING) + target_link_libraries(collector_lib profiler tcmalloc) +endif() + +target_link_libraries(collector_lib z ssl crypto CURL::libcurl bpf) diff --git a/collector/lib/CollectorService.cpp b/collector/lib/CollectorService.cpp index 7591b8af5a..855c57a19e 100644 --- a/collector/lib/CollectorService.cpp +++ b/collector/lib/CollectorService.cpp @@ -17,9 +17,9 @@ extern "C" { #include "LogLevel.h" #include "NetworkStatusNotifier.h" #include "ProfilerHandler.h" -#include "SysdigService.h" #include "Utility.h" #include "prometheus/exposer.h" +#include "system-inspector/Service.h" extern unsigned char g_bpf_drop_syscalls[]; // defined in libscap @@ -40,7 +40,7 @@ void CollectorService::RunForever() { std::shared_ptr conn_tracker; - GetStatus getStatus(config_.Hostname(), &sysdig_); + GetStatus getStatus(config_.Hostname(), &system_inspector_); std::shared_ptr registry = std::make_shared(); @@ -54,7 +54,7 @@ void CollectorService::RunForever() { prometheus::Exposer exposer("9090"); exposer.RegisterCollectable(registry); - CollectorStatsExporter exporter(registry, &config_, &sysdig_); + CollectorStatsExporter exporter(registry, &config_, &system_inspector_); std::unique_ptr net_status_notifier; @@ -75,7 +75,7 @@ void CollectorService::RunForever() { // up and use stdout instead. std::shared_ptr process_store; if (config_.IsProcessesListeningOnPortsEnabled()) { - process_store = std::make_shared(&sysdig_); + process_store = std::make_shared(&system_inspector_); } std::shared_ptr conn_scraper = std::make_shared(config_.HostProc(), process_store); conn_tracker = std::make_shared(); @@ -99,12 +99,12 @@ void CollectorService::RunForever() { CLOG(FATAL) << "Unable to start collector stats exporter"; } - sysdig_.Init(config_, conn_tracker); - sysdig_.Start(); + system_inspector_.Init(config_, conn_tracker); + system_inspector_.Start(); ControlValue cv; while ((cv = control_->load(std::memory_order_relaxed)) != STOP_COLLECTOR) { - sysdig_.Run(*control_); + system_inspector_.Run(*control_); CLOG(DEBUG) << "Interrupted collector!"; } @@ -117,15 +117,15 @@ void CollectorService::RunForever() { CLOG(INFO) << "Shutting down collector."; if (net_status_notifier) net_status_notifier->Stop(); - // Shut down these first since they access the sysdig object. + // Shut down these first since they access the system inspector object. exporter.stop(); server.close(); - sysdig_.CleanUp(); + system_inspector_.CleanUp(); } bool CollectorService::InitKernel(const DriverCandidate& candidate) { - return sysdig_.InitKernel(config_, candidate); + return system_inspector_.InitKernel(config_, candidate); } bool CollectorService::WaitForGRPCServer() { diff --git a/collector/lib/CollectorService.h b/collector/lib/CollectorService.h index db3cf6367b..4f909b56ef 100644 --- a/collector/lib/CollectorService.h +++ b/collector/lib/CollectorService.h @@ -1,18 +1,13 @@ #ifndef _COLLECTOR_SERVICE_H_ #define _COLLECTOR_SERVICE_H_ -#include - #include "CollectorConfig.h" -#include "CollectorStats.h" #include "Control.h" #include "DriverCandidates.h" -#include "SysdigService.h" +#include "system-inspector/Service.h" namespace collector { -class SysdigService; - class CollectorService { public: CollectorService(const CollectorConfig& config, std::atomic* control, const std::atomic* signum); @@ -29,7 +24,7 @@ class CollectorService { std::atomic* control_; const std::atomic& signum_; - SysdigService sysdig_; + system_inspector::Service system_inspector_; }; bool SetupKernelDriver(CollectorService& collector, const std::string& GRPCServer, const CollectorConfig& config); diff --git a/collector/lib/CollectorStatsExporter.cpp b/collector/lib/CollectorStatsExporter.cpp index 4d81b0bb05..5d13dc1182 100644 --- a/collector/lib/CollectorStatsExporter.cpp +++ b/collector/lib/CollectorStatsExporter.cpp @@ -7,10 +7,10 @@ #include "Containers.h" #include "EventNames.h" #include "Logging.h" -#include "SysdigService.h" #include "Utility.h" #include "prometheus/gauge.h" #include "prometheus/summary.h" +#include "system-inspector/Service.h" namespace collector { @@ -58,10 +58,10 @@ class CollectorConnectionStatsPrometheus : public CollectorConnectionStats { } }; -CollectorStatsExporter::CollectorStatsExporter(std::shared_ptr registry, const CollectorConfig* config, SysdigService* sysdig) +CollectorStatsExporter::CollectorStatsExporter(std::shared_ptr registry, const CollectorConfig* config, system_inspector::Service* si) : registry_(std::move(registry)), config_(config), - sysdig_(sysdig), + system_inspector_(si), connections_total_reporter_(std::make_shared>( registry_, "rox_connections_total", @@ -206,8 +206,8 @@ void CollectorStatsExporter::run() { } while (thread_.Pause(std::chrono::seconds(5))) { - SysdigStats stats; - if (!sysdig_->GetStats(&stats)) { + system_inspector::Stats stats; + if (!system_inspector_->GetStats(&stats)) { continue; } diff --git a/collector/lib/CollectorStatsExporter.h b/collector/lib/CollectorStatsExporter.h index 16693c31da..60d2547481 100644 --- a/collector/lib/CollectorStatsExporter.h +++ b/collector/lib/CollectorStatsExporter.h @@ -6,14 +6,14 @@ #include "CollectorConfig.h" #include "CollectorStats.h" #include "StoppableThread.h" -#include "SysdigService.h" #include "prometheus/registry.h" +#include "system-inspector/Service.h" namespace collector { class CollectorStatsExporter { public: - CollectorStatsExporter(std::shared_ptr registry, const CollectorConfig* config, SysdigService* sysdig); + CollectorStatsExporter(std::shared_ptr registry, const CollectorConfig* config, system_inspector::Service* si); bool start(); void run(); @@ -25,7 +25,7 @@ class CollectorStatsExporter { private: std::shared_ptr registry_; const CollectorConfig* config_; - SysdigService* sysdig_; + system_inspector::Service* system_inspector_; std::shared_ptr> connections_total_reporter_; std::shared_ptr> connections_rate_reporter_; StoppableThread thread_; diff --git a/collector/lib/Control.h b/collector/lib/Control.h index 899a07eac3..1460dd0cbc 100644 --- a/collector/lib/Control.h +++ b/collector/lib/Control.h @@ -4,9 +4,8 @@ namespace collector { enum ControlValue { - RUN = 0, // Keep running - INTERRUPT_SYSDIG, // Stop running sysdig, but resume collector operation (e.g., for chisel update) - STOP_COLLECTOR, // Stop the collector (e.g., SIGINT or SIGTERM received). + RUN = 0, // Keep running + STOP_COLLECTOR, // Stop the collector (e.g., SIGINT or SIGTERM received). }; } diff --git a/collector/lib/DriverCandidates.cpp b/collector/lib/DriverCandidates.cpp index 49c5fdd6ba..d91887d9f3 100644 --- a/collector/lib/DriverCandidates.cpp +++ b/collector/lib/DriverCandidates.cpp @@ -5,15 +5,15 @@ #include #include "HostInfo.h" -#include "SysdigService.h" #include "Utility.h" +#include "system-inspector/Service.h" namespace collector { namespace { std::string driverFullName(const std::string& shortName) { - return std::string{SysdigService::kProbeName} + "-" + shortName + ".o"; + return std::string{system_inspector::Service::kProbeName} + "-" + shortName + ".o"; } // Retrieves the ubuntu backport version from the host kernel's release diff --git a/collector/lib/GetKernelObject.cpp b/collector/lib/GetKernelObject.cpp index d3c6dbd8ea..d3bd89b7da 100644 --- a/collector/lib/GetKernelObject.cpp +++ b/collector/lib/GetKernelObject.cpp @@ -14,8 +14,8 @@ extern "C" { #include "FileDownloader.h" #include "FileSystem.h" #include "Logging.h" -#include "SysdigService.h" #include "Utility.h" +#include "system-inspector/Service.h" namespace collector { @@ -177,7 +177,7 @@ bool GetKernelObject(const std::string& hostname, const Json::Value& tls_config, std::string expected_path = candidate.GetPath() + "/" + candidate.GetName(); std::string expected_path_compressed = expected_path + ".gz"; - std::string module_path = candidate.GetCollectionMethod() == CollectionMethod::EBPF ? SysdigService::kProbePath : SysdigService::kModulePath; + std::string module_path = candidate.GetCollectionMethod() == CollectionMethod::EBPF ? system_inspector::Service::kProbePath : system_inspector::Service::kModulePath; struct stat sb; // first check for an existing compressed kernel object in the diff --git a/collector/lib/GetStatus.cpp b/collector/lib/GetStatus.cpp index 81a4a02e4a..12e2abc182 100644 --- a/collector/lib/GetStatus.cpp +++ b/collector/lib/GetStatus.cpp @@ -11,8 +11,8 @@ bool GetStatus::handleGet(CivetServer* server, struct mg_connection* conn) { Json::Value status(Json::objectValue); - SysdigStats stats; - bool ready = sysdig_->GetStats(&stats); + system_inspector::Stats stats; + bool ready = system_inspector_->GetStats(&stats); if (ready) { status["status"] = "ok"; diff --git a/collector/lib/GetStatus.h b/collector/lib/GetStatus.h index d1f0a15b37..9497237414 100644 --- a/collector/lib/GetStatus.h +++ b/collector/lib/GetStatus.h @@ -4,19 +4,19 @@ #include #include "CivetServer.h" -#include "Sysdig.h" +#include "system-inspector/SystemInspector.h" namespace collector { class GetStatus : public CivetHandler { public: - GetStatus(std::string node_name, const Sysdig* sysdig) - : node_name_(std::move(node_name)), sysdig_(sysdig) {} + GetStatus(std::string node_name, const system_inspector::SystemInspector* si) + : node_name_(std::move(node_name)), system_inspector_(si) {} bool handleGet(CivetServer* server, struct mg_connection* conn); private: std::string node_name_; - const Sysdig* sysdig_; + const system_inspector::SystemInspector* system_inspector_; }; } /* namespace collector */ diff --git a/collector/lib/KernelDriver.h b/collector/lib/KernelDriver.h index 81b54c8a3f..6b050ab670 100644 --- a/collector/lib/KernelDriver.h +++ b/collector/lib/KernelDriver.h @@ -14,8 +14,8 @@ extern "C" { #include "EventNames.h" #include "FileSystem.h" #include "Logging.h" -#include "SysdigService.h" #include "Utility.h" +#include "system-inspector/Service.h" extern const struct syscall_evt_pair g_syscall_table[]; // defined in libscap static const unsigned long DRIVER_BUFFER_DIM = 16UL * 1024UL * 1024UL; @@ -63,9 +63,9 @@ class KernelDriverEBPF : public IKernelDriver { KernelDriverEBPF() = default; bool Setup(const CollectorConfig& config, sinsp& inspector) override { - FDHandle fd = FDHandle(open(SysdigService::kProbePath, O_RDONLY)); + FDHandle fd = FDHandle(open(system_inspector::Service::kProbePath, O_RDONLY)); if (!fd.valid()) { - CLOG(ERROR) << "Cannot open eBPF probe at " << SysdigService::kProbePath; + CLOG(ERROR) << "Cannot open eBPF probe at " << system_inspector::Service::kProbePath; return false; } @@ -73,7 +73,7 @@ class KernelDriverEBPF : public IKernelDriver { std::unordered_set ppm_sc = GetSyscallList(config); try { - inspector.open_bpf(SysdigService::kProbePath, + inspector.open_bpf(system_inspector::Service::kProbePath, config.GetSinspBufferSize(), ppm_sc); } catch (const sinsp_exception& ex) { diff --git a/collector/lib/NetworkSignalHandler.cpp b/collector/lib/NetworkSignalHandler.cpp index 554003b389..1a87bbb56b 100644 --- a/collector/lib/NetworkSignalHandler.cpp +++ b/collector/lib/NetworkSignalHandler.cpp @@ -51,7 +51,7 @@ std::optional NetworkSignalHandler::GetConnection(sinsp_evt* evt) { // With collect_connection_status_ set, we can prevent reporting of asynchronous // connections which fail. if (collect_connection_status_) { - // note: connection status tracking enablement is managed in SysdigService + // note: connection status tracking enablement is managed in system_inspector::Service if (fd_info->is_socket_failed()) { // connect() failed or getsockopt(SO_ERROR) returned a failure return std::nullopt; diff --git a/collector/lib/NetworkSignalHandler.h b/collector/lib/NetworkSignalHandler.h index 66994d58a0..c4dd95ec6e 100644 --- a/collector/lib/NetworkSignalHandler.h +++ b/collector/lib/NetworkSignalHandler.h @@ -5,14 +5,14 @@ #include "ConnTracker.h" #include "SignalHandler.h" -#include "SysdigEventExtractor.h" -#include "SysdigService.h" +#include "system-inspector/EventExtractor.h" +#include "system-inspector/SystemInspector.h" namespace collector { class NetworkSignalHandler final : public SignalHandler { public: - explicit NetworkSignalHandler(sinsp* inspector, std::shared_ptr conn_tracker, SysdigStats* stats) + explicit NetworkSignalHandler(sinsp* inspector, std::shared_ptr conn_tracker, system_inspector::Stats* stats) : conn_tracker_(std::move(conn_tracker)), stats_(stats), collect_connection_status_(true) { event_extractor_.Init(inspector); } @@ -27,9 +27,9 @@ class NetworkSignalHandler final : public SignalHandler { private: std::optional GetConnection(sinsp_evt* evt); - SysdigEventExtractor event_extractor_; + system_inspector::EventExtractor event_extractor_; std::shared_ptr conn_tracker_; - SysdigStats* stats_; + system_inspector::Stats* stats_; bool collect_connection_status_; }; diff --git a/collector/lib/Process.cpp b/collector/lib/Process.cpp index da840f5aa4..217b1eee37 100644 --- a/collector/lib/Process.cpp +++ b/collector/lib/Process.cpp @@ -3,13 +3,13 @@ #include #include "CollectorStats.h" -#include "SysdigService.h" +#include "system-inspector/Service.h" namespace collector { const std::string Process::NOT_AVAILABLE("N/A"); -ProcessStore::ProcessStore(SysdigService* falco_instance) : falco_instance_(falco_instance) { +ProcessStore::ProcessStore(system_inspector::Service* instance) : instance_(instance) { cache_ = std::make_shared>>(); } @@ -20,7 +20,7 @@ const std::shared_ptr ProcessStore::Fetch(uint64_t pid) { return cached_process_pair_iter->second.lock(); } - std::shared_ptr cached_process = std::make_shared(pid, cache_, falco_instance_); + std::shared_ptr cached_process = std::make_shared(pid, cache_, instance_); cache_->emplace(pid, cached_process); return cached_process; @@ -29,8 +29,8 @@ const std::shared_ptr ProcessStore::Fetch(uint64_t pid) { std::string Process::container_id() const { WaitForProcessInfo(); - if (falco_threadinfo_) { - return falco_threadinfo_->m_container_id; + if (system_inspector_threadinfo_) { + return system_inspector_threadinfo_->m_container_id; } return NOT_AVAILABLE; @@ -39,8 +39,8 @@ std::string Process::container_id() const { std::string Process::comm() const { WaitForProcessInfo(); - if (falco_threadinfo_) { - return falco_threadinfo_->get_comm(); + if (system_inspector_threadinfo_) { + return system_inspector_threadinfo_->get_comm(); } return NOT_AVAILABLE; @@ -49,8 +49,8 @@ std::string Process::comm() const { std::string Process::exe() const { WaitForProcessInfo(); - if (falco_threadinfo_) { - return falco_threadinfo_->get_exe(); + if (system_inspector_threadinfo_) { + return system_inspector_threadinfo_->get_exe(); } return NOT_AVAILABLE; @@ -59,8 +59,8 @@ std::string Process::exe() const { std::string Process::exe_path() const { WaitForProcessInfo(); - if (falco_threadinfo_) { - return falco_threadinfo_->get_exepath(); + if (system_inspector_threadinfo_) { + return system_inspector_threadinfo_->get_exepath(); } return NOT_AVAILABLE; @@ -69,18 +69,18 @@ std::string Process::exe_path() const { std::string Process::args() const { WaitForProcessInfo(); - if (!falco_threadinfo_) { + if (!system_inspector_threadinfo_) { return NOT_AVAILABLE; } - if (falco_threadinfo_->m_args.empty()) { + if (system_inspector_threadinfo_->m_args.empty()) { return ""; } std::ostringstream args; - for (auto it = falco_threadinfo_->m_args.begin(); it != falco_threadinfo_->m_args.end();) { + for (auto it = system_inspector_threadinfo_->m_args.begin(); it != system_inspector_threadinfo_->m_args.end();) { args << *it++; - if (it != falco_threadinfo_->m_args.end()) args << " "; + if (it != system_inspector_threadinfo_->m_args.end()) args << " "; } return args.str(); } @@ -88,16 +88,16 @@ std::string Process::args() const { Process::Process( uint64_t pid, ProcessStore::MapRef cache, - SysdigService* falco_instance) + system_inspector::Service* instance) : pid_(pid), cache_(cache), process_info_pending_resolution_(false), - falco_callback_( + system_inspector_callback_( new std::function)>( std::bind(&Process::ProcessInfoResolved, this, std::placeholders::_1))) { - if (falco_instance) { + if (instance) { process_info_pending_resolution_ = true; - falco_instance->GetProcessInformation(pid, falco_callback_); + instance->GetProcessInformation(pid, system_inspector_callback_); } } @@ -116,7 +116,7 @@ void Process::ProcessInfoResolved(std::shared_ptr process_info CLOG(WARNING) << "Process-info request failed. PID: " << pid(); } - falco_threadinfo_ = process_info; + system_inspector_threadinfo_ = process_info; process_info_pending_resolution_ = false; process_info_condition_.notify_all(); diff --git a/collector/lib/Process.h b/collector/lib/Process.h index 9a12ece331..92ce3ddf69 100644 --- a/collector/lib/Process.h +++ b/collector/lib/Process.h @@ -14,17 +14,21 @@ class sinsp_threadinfo; namespace collector { class IProcess; class Process; -class SysdigService; +class Service; } // namespace collector +namespace collector::system_inspector { +class Service; +} + namespace collector { /* A Process object store used to deduplicate process information. Processes are kept in the store as long as they are referenced from the outside. When a process cannot be found in the store, it is fetched as a side-effect. */ class ProcessStore { public: - /* falco_instance is the source of process information */ - ProcessStore(SysdigService* falco_instance); + /* system-inspector is the source of process information */ + ProcessStore(system_inspector::Service* instance); /* Get a Process by PID. Returns a reference to the cached Process entry, which may have just been created @@ -34,7 +38,7 @@ class ProcessStore { typedef std::shared_ptr>> MapRef; private: - SysdigService* falco_instance_; + system_inspector::Service* instance_; MapRef cache_; }; @@ -65,8 +69,8 @@ class Process : public IProcess { std::string args() const override; /* - when 'cache' is provided, this process will remove itself from it upon deletion. - * - 'falco_instance' is used to request the process information from the system. */ - Process(uint64_t pid, ProcessStore::MapRef cache = 0, SysdigService* falco_instance = 0); + * - 'instance' is used to request the process information from the system. */ + Process(uint64_t pid, ProcessStore::MapRef cache = 0, system_inspector::Service* instance = 0); ~Process(); private: @@ -80,12 +84,12 @@ class Process : public IProcess { mutable std::mutex process_info_mutex_; mutable std::condition_variable process_info_condition_; - // Underlying thread info provided asynchronously by Falco via falco_callback_ - mutable std::shared_ptr falco_threadinfo_; + // Underlying thread info provided asynchronously by system-inspector via system_inspector_callback_ + mutable std::shared_ptr system_inspector_threadinfo_; // use a shared pointer here to handle deletion while the callback is pending - std::shared_ptr)>> falco_callback_; + std::shared_ptr)>> system_inspector_callback_; - // entry-point when Falco resolved the requested process info + // entry-point when system inspector resolved the requested process info void ProcessInfoResolved(std::shared_ptr process_info); // block until process information is available, or timeout @@ -96,4 +100,4 @@ std::ostream& operator<<(std::ostream& os, const IProcess& process); } // namespace collector -#endif \ No newline at end of file +#endif diff --git a/collector/lib/ProcessSignalFormatter.h b/collector/lib/ProcessSignalFormatter.h index 39e990450f..d97cb47892 100644 --- a/collector/lib/ProcessSignalFormatter.h +++ b/collector/lib/ProcessSignalFormatter.h @@ -8,7 +8,7 @@ #include "CollectorStats.h" #include "EventNames.h" #include "ProtoSignalFormatter.h" -#include "SysdigEventExtractor.h" +#include "system-inspector/EventExtractor.h" namespace collector { @@ -40,7 +40,7 @@ class ProcessSignalFormatter : public ProtoSignalFormatter& lineage); const EventNames& event_names_; - SysdigEventExtractor event_extractor_; + system_inspector::EventExtractor event_extractor_; }; } // namespace collector diff --git a/collector/lib/ProcessSignalHandler.h b/collector/lib/ProcessSignalHandler.h index 206854abd9..581147b943 100644 --- a/collector/lib/ProcessSignalHandler.h +++ b/collector/lib/ProcessSignalHandler.h @@ -10,13 +10,13 @@ #include "ProcessSignalFormatter.h" #include "RateLimit.h" #include "SignalHandler.h" -#include "SysdigService.h" +#include "system-inspector/Service.h" namespace collector { class ProcessSignalHandler : public SignalHandler { public: - ProcessSignalHandler(sinsp* inspector, ISignalServiceClient* client, SysdigStats* stats) + ProcessSignalHandler(sinsp* inspector, ISignalServiceClient* client, system_inspector::Stats* stats) : client_(client), formatter_(inspector), stats_(stats) {} bool Start() override; @@ -29,7 +29,7 @@ class ProcessSignalHandler : public SignalHandler { private: ISignalServiceClient* client_; ProcessSignalFormatter formatter_; - SysdigStats* stats_; + system_inspector::Stats* stats_; RateLimitCache rate_limiter_; }; diff --git a/collector/lib/SelfCheckHandler.h b/collector/lib/SelfCheckHandler.h index 9790c4aea3..9682c1348f 100644 --- a/collector/lib/SelfCheckHandler.h +++ b/collector/lib/SelfCheckHandler.h @@ -6,7 +6,7 @@ #include "SelfChecks.h" #include "SignalHandler.h" -#include "SysdigEventExtractor.h" +#include "system-inspector/EventExtractor.h" namespace collector { @@ -22,7 +22,7 @@ class SelfCheckHandler : public SignalHandler { protected: sinsp* inspector_; - SysdigEventExtractor event_extractor_; + system_inspector::EventExtractor event_extractor_; std::chrono::time_point start_; std::chrono::seconds timeout_; diff --git a/collector/lib/Utility.h b/collector/lib/Utility.h index 8653af5964..bb35beacc3 100644 --- a/collector/lib/Utility.h +++ b/collector/lib/Utility.h @@ -32,7 +32,7 @@ std::unique_ptr MakeUnique(Args&&... args) { // Return string decoded from base 64 std::string Base64Decode(std::string const& encoded_string); -// Get path using host prefix from SYSDIG_HOST_ROOT env var +// Get path using host prefix from COLLECTOR_HOST_ROOT env var std::string GetHostPath(const std::string& file); // Get SNI hostname from SNI_HOSTNAME env var diff --git a/collector/lib/SysdigEventExtractor.cpp b/collector/lib/system-inspector/EventExtractor.cpp similarity index 66% rename from collector/lib/SysdigEventExtractor.cpp rename to collector/lib/system-inspector/EventExtractor.cpp index 0fbd0970f1..471a986030 100644 --- a/collector/lib/SysdigEventExtractor.cpp +++ b/collector/lib/system-inspector/EventExtractor.cpp @@ -1,11 +1,8 @@ +#include "EventExtractor.h" -#include "SysdigEventExtractor.h" +namespace collector::system_inspector { -#include "Logging.h" - -namespace collector { - -void SysdigEventExtractor::Init(sinsp* inspector) { +void EventExtractor::Init(sinsp* inspector) { for (auto* wrapper : wrappers_) { sinsp_filter_check* check = g_filterlist.new_filter_check_from_fldname(wrapper->event_name, inspector, true); check->parse_field_name(wrapper->event_name, true, false); @@ -13,7 +10,7 @@ void SysdigEventExtractor::Init(sinsp* inspector) { } } -void SysdigEventExtractor::ClearWrappers() { +void EventExtractor::ClearWrappers() { for (FilterCheckWrapper* wrapper : wrappers_) { if (wrapper) { wrapper->filter_check.reset(); @@ -22,4 +19,4 @@ void SysdigEventExtractor::ClearWrappers() { wrappers_.clear(); } -} // namespace collector +} // namespace collector::system_inspector diff --git a/collector/lib/SysdigEventExtractor.h b/collector/lib/system-inspector/EventExtractor.h similarity index 87% rename from collector/lib/SysdigEventExtractor.h rename to collector/lib/system-inspector/EventExtractor.h index 2dc71a7ee7..9c9280a2f5 100644 --- a/collector/lib/SysdigEventExtractor.h +++ b/collector/lib/system-inspector/EventExtractor.h @@ -1,5 +1,5 @@ -#ifndef _SYSDIG_EVENT_EXTRACTOR_H_ -#define _SYSDIG_EVENT_EXTRACTOR_H_ +#ifndef _SYSTEM_INSPECTOR_EVENT_EXTRACTOR_H_ +#define _SYSTEM_INSPECTOR_EVENT_EXTRACTOR_H_ #include #include @@ -9,17 +9,17 @@ #include "Logging.h" -namespace collector { +namespace collector::system_inspector { -// This class allows extracting a predefined set of Sysdig event fields in an efficient manner. -class SysdigEventExtractor { +// This class allows extracting a predefined set of system_inspector event fields in an efficient manner. +class EventExtractor { public: void Init(sinsp* inspector); void ClearWrappers(); private: struct FilterCheckWrapper { - FilterCheckWrapper(SysdigEventExtractor* extractor, const char* event_name) : event_name(event_name) { + FilterCheckWrapper(EventExtractor* extractor, const char* event_name) : event_name(event_name) { extractor->wrappers_.push_back(this); } @@ -81,9 +81,9 @@ class SysdigEventExtractor { // Fields can be made available for querying by using a number of macros: // - TINFO_FIELD_RAW(id, fieldname, type): exposes the m_ field of threadinfo via get_() // - TINFO_FIELD(name): exposes the m_ field of threadinfo via get_() - // - FIELD_CSTR(id, fieldname): exposes the sysdig field via get_(), returning a null-terminated + // - FIELD_CSTR(id, fieldname): exposes the system inspector field via get_(), returning a null-terminated // const char*. - // - FIELD_RAW(id, fieldname, type): exposes the sysdig field via get_(), returning a const *. + // - FIELD_RAW(id, fieldname, type): exposes the system inspector field via get_(), returning a const *. // - EVT_ARG(argname): shorthand for FIELD_CSTR(evt_arg_, "evt.arg.") // - EVT_ARG_RAW(argname, type): shorthand for FIELD_RAW(evt_arg_, "evt.rawarg.", ) // @@ -116,6 +116,6 @@ class SysdigEventExtractor { #undef DECLARE_FILTER_CHECK }; -} // namespace collector +} // namespace collector::system_inspector -#endif // _SYSDIG_EVENT_EXTRACTOR_H_ +#endif // _SYSTEM_INSPECTOR_EVENT_EXTRACTOR_H_ diff --git a/collector/lib/SysdigService.cpp b/collector/lib/system-inspector/Service.cpp similarity index 89% rename from collector/lib/SysdigService.cpp rename to collector/lib/system-inspector/Service.cpp index c4e7de90f5..c27e584f96 100644 --- a/collector/lib/SysdigService.cpp +++ b/collector/lib/system-inspector/Service.cpp @@ -1,4 +1,4 @@ -#include "SysdigService.h" +#include "Service.h" #include #include @@ -25,14 +25,14 @@ #include "Utility.h" #include "logger.h" -namespace collector { +namespace collector::system_inspector { -constexpr char SysdigService::kModulePath[]; -constexpr char SysdigService::kModuleName[]; -constexpr char SysdigService::kProbePath[]; -constexpr char SysdigService::kProbeName[]; +constexpr char Service::kModulePath[]; +constexpr char Service::kModuleName[]; +constexpr char Service::kProbePath[]; +constexpr char Service::kProbeName[]; -void SysdigService::Init(const CollectorConfig& config, std::shared_ptr conn_tracker) { +void Service::Init(const CollectorConfig& config, std::shared_ptr conn_tracker) { // The self-check handlers should only operate during start up, // so they are added to the handler list first, so they have access // to self-check events before the network and process handlers have @@ -64,7 +64,7 @@ void SysdigService::Init(const CollectorConfig& config, std::shared_ptr lock(libsinsp_mutex_); sinsp_evt* event = nullptr; @@ -158,13 +158,13 @@ sinsp_evt* SysdigService::GetNext() { return event; } -bool SysdigService::FilterEvent(sinsp_evt* event) { +bool Service::FilterEvent(sinsp_evt* event) { const auto* tinfo = event->get_thread_info(); return FilterEvent(tinfo); } -bool SysdigService::FilterEvent(const sinsp_threadinfo* tinfo) { +bool Service::FilterEvent(const sinsp_threadinfo* tinfo) { if (tinfo == nullptr) { return false; } @@ -185,11 +185,11 @@ bool SysdigService::FilterEvent(const sinsp_threadinfo* tinfo) { return exepath_sv.rfind("/proc/self", 0) != 0; } -void SysdigService::Start() { +void Service::Start() { std::lock_guard libsinsp_lock(libsinsp_mutex_); if (!inspector_) { - throw CollectorException("Invalid state: SysdigService was not initialized"); + throw CollectorException("Invalid state: system inspector was not initialized"); } for (auto& signal_handler : signal_handlers_) { @@ -228,9 +228,9 @@ void LogUnreasonableEventTime(int64_t time_micros, sinsp_evt* evt) { } } -void SysdigService::Run(const std::atomic& control) { +void Service::Run(const std::atomic& control) { if (!inspector_) { - throw CollectorException("Invalid state: SysdigService was not initialized"); + throw CollectorException("Invalid state: system inspector was not initialized"); } while (control.load(std::memory_order_relaxed) == ControlValue::RUN) { @@ -265,11 +265,11 @@ void SysdigService::Run(const std::atomic& control) { } } -bool SysdigService::SendExistingProcesses(SignalHandler* handler) { +bool Service::SendExistingProcesses(SignalHandler* handler) { std::lock_guard lock(libsinsp_mutex_); if (!inspector_) { - throw CollectorException("Invalid state: SysdigService was not initialized"); + throw CollectorException("Invalid state: system inspector was not initialized"); } auto threads = inspector_->m_thread_manager->get_threads(); @@ -291,7 +291,7 @@ bool SysdigService::SendExistingProcesses(SignalHandler* handler) { }); } -void SysdigService::CleanUp() { +void Service::CleanUp() { std::lock_guard libsinsp_lock(libsinsp_mutex_); std::lock_guard running_lock(running_mutex_); running_ = false; @@ -319,7 +319,7 @@ void SysdigService::CleanUp() { } } -bool SysdigService::GetStats(SysdigStats* stats) const { +bool Service::GetStats(system_inspector::Stats* stats) const { std::lock_guard libsinsp_lock(libsinsp_mutex_); std::lock_guard running_lock(running_mutex_); if (!running_ || !inspector_) return false; @@ -335,7 +335,7 @@ bool SysdigService::GetStats(SysdigStats* stats) const { return true; } -void SysdigService::AddSignalHandler(std::unique_ptr signal_handler) { +void Service::AddSignalHandler(std::unique_ptr signal_handler) { std::bitset event_filter; const auto& relevant_events = signal_handler->GetRelevantEvents(); if (relevant_events.empty()) { @@ -353,13 +353,13 @@ void SysdigService::AddSignalHandler(std::unique_ptr signal_handl signal_handlers_.emplace_back(std::move(signal_handler), event_filter); } -void SysdigService::GetProcessInformation(uint64_t pid, ProcessInfoCallbackRef callback) { +void Service::GetProcessInformation(uint64_t pid, ProcessInfoCallbackRef callback) { std::lock_guard lock(process_requests_mutex_); pending_process_requests_.emplace_back(pid, callback); } -void SysdigService::ServePendingProcessRequests() { +void Service::ServePendingProcessRequests() { std::lock_guard lock(process_requests_mutex_); while (!pending_process_requests_.empty()) { @@ -375,4 +375,4 @@ void SysdigService::ServePendingProcessRequests() { } } -} // namespace collector +} // namespace collector::system_inspector diff --git a/collector/lib/SysdigService.h b/collector/lib/system-inspector/Service.h similarity index 84% rename from collector/lib/SysdigService.h rename to collector/lib/system-inspector/Service.h index d2c95d42c0..3cb043166f 100644 --- a/collector/lib/SysdigService.h +++ b/collector/lib/system-inspector/Service.h @@ -1,5 +1,5 @@ -#ifndef _SYSDIG_SERVICE_H_ -#define _SYSDIG_SERVICE_H_ +#ifndef _SYSTEM_INSPECTOR_SERVICE_H_ +#define _SYSTEM_INSPECTOR_SERVICE_H_ #include #include @@ -15,12 +15,12 @@ #include "DriverCandidates.h" #include "SignalHandler.h" #include "SignalServiceClient.h" -#include "Sysdig.h" +#include "SystemInspector.h" #include "threadinfo.h" -namespace collector { +namespace collector::system_inspector { -class SysdigService : public Sysdig { +class Service : public SystemInspector { public: static constexpr char kModulePath[] = "/module/collector.ko"; static constexpr char kModuleName[] = "collector"; @@ -29,14 +29,14 @@ class SysdigService : public Sysdig { static constexpr int kMessageBufferSize = 8192; static constexpr int kKeyBufferSize = 48; - SysdigService() = default; + Service() = default; void Init(const CollectorConfig& config, std::shared_ptr conn_tracker) override; void Start() override; void Run(const std::atomic& control) override; void CleanUp() override; - bool GetStats(SysdigStats* stats) const override; + bool GetStats(Stats* stats) const override; bool InitKernel(const CollectorConfig& config, const DriverCandidate& candidate) override; @@ -45,7 +45,7 @@ class SysdigService : public Sysdig { void GetProcessInformation(uint64_t pid, ProcessInfoCallbackRef callback); private: - FRIEND_TEST(SysdigServiceTest, FilterEvent); + FRIEND_TEST(SystemInspectorServiceTest, FilterEvent); struct SignalHandlerEntry { std::unique_ptr handler; @@ -72,7 +72,7 @@ class SysdigService : public Sysdig { std::unique_ptr default_formatter_; std::unique_ptr signal_client_; std::vector signal_handlers_; - SysdigStats userspace_stats_; + Stats userspace_stats_; std::bitset global_event_filter_; mutable std::mutex running_mutex_; @@ -84,6 +84,6 @@ class SysdigService : public Sysdig { std::list> pending_process_requests_; }; -} // namespace collector +} // namespace collector::system_inspector -#endif // _SYSDIG_SERVICE_H_ +#endif // _SYSTEM_INSPECTOR_SERVICE_H_ diff --git a/collector/lib/Sysdig.h b/collector/lib/system-inspector/SystemInspector.h similarity index 87% rename from collector/lib/Sysdig.h rename to collector/lib/system-inspector/SystemInspector.h index e91d3cd00b..0fe0cd2611 100644 --- a/collector/lib/Sysdig.h +++ b/collector/lib/system-inspector/SystemInspector.h @@ -1,5 +1,5 @@ -#ifndef _SYSDIG_ -#define _SYSDIG_ +#ifndef _SYSTEM_INSPECTOR_ +#define _SYSTEM_INSPECTOR_ #include #include @@ -11,9 +11,9 @@ #include "DriverCandidates.h" #include "ppm_events_public.h" -namespace collector { +namespace collector::system_inspector { -struct SysdigStats { +struct Stats { using uint64_t = std::uint64_t; // stats gathered in kernel space @@ -39,9 +39,9 @@ struct SysdigStats { volatile uint64_t event_process_micros[PPM_EVENT_MAX] = {0}; // total microseconds spent processing event type (correlates w/ nFilteredevents) }; -class Sysdig { +class SystemInspector { public: - virtual ~Sysdig() = default; + virtual ~SystemInspector() = default; virtual void Init(const CollectorConfig& config, std::shared_ptr conn_tracker) = 0; virtual bool InitKernel(const CollectorConfig& config, const DriverCandidate& candidate) = 0; @@ -49,9 +49,9 @@ class Sysdig { virtual void Run(const std::atomic& control) = 0; virtual void CleanUp() = 0; - virtual bool GetStats(SysdigStats* stats) const = 0; + virtual bool GetStats(Stats* stats) const = 0; }; -} /* namespace collector */ +} // namespace collector::system_inspector -#endif /* _SYSDIG_ */ +#endif /* _SYSTEM_INSPECTOR_ */ diff --git a/collector/test/SysdigServiceTest.cpp b/collector/test/SystemInspectorServiceTest.cpp similarity index 78% rename from collector/test/SysdigServiceTest.cpp rename to collector/test/SystemInspectorServiceTest.cpp index 86b194bab8..a15adf9a8e 100644 --- a/collector/test/SysdigServiceTest.cpp +++ b/collector/test/SystemInspectorServiceTest.cpp @@ -1,10 +1,9 @@ -#include "SysdigService.h" -#include "gmock/gmock.h" #include "gtest/gtest.h" +#include "system-inspector/Service.h" -namespace collector { +namespace collector::system_inspector { -TEST(SysdigServiceTest, FilterEvent) { +TEST(SystemInspectorServiceTest, FilterEvent) { std::unique_ptr inspector(new sinsp()); sinsp_threadinfo regular_process(inspector.get()); @@ -35,8 +34,8 @@ TEST(SysdigServiceTest, FilterEvent) { }; for (const auto& t : tests) { - ASSERT_EQ(SysdigService::FilterEvent(t.tinfo), t.expected); + ASSERT_EQ(system_inspector::Service::FilterEvent(t.tinfo), t.expected); } } -} // namespace collector +} // namespace collector::system_inspector diff --git a/docs/design-overview.md b/docs/design-overview.md index aaf1f97e62..b599d800d1 100644 --- a/docs/design-overview.md +++ b/docs/design-overview.md @@ -18,6 +18,10 @@ working option, the `KERNEL_CANDIDATES` environment variable can be used to bypass this mechanism altogether. ## Falco libraries integration +The aforementioned data gathering from the kernel is powered by the +[Falco libraries](https://github.com/falcosecurity/libs/), an abstraction named +`system_inspector` is put around them in order to have a better separation +between the two, while also making it easier to integrate into our code base. ## Resource consumption breakdown diff --git a/docs/troubleshooting.md b/docs/troubleshooting.md index c2714609ca..22057181e5 100644 --- a/docs/troubleshooting.md +++ b/docs/troubleshooting.md @@ -246,7 +246,7 @@ Units: microseconds | net_fetch_state | Time spent to build a delta message content (connections + endpoints) to send to Sensor | | net_create_message | Time spent to serialize the delta message and store the resulting state for next computation. | | net_write_message | Time spent sending the raw message content. | -| process_info_wait | Time spent blocked waiting for process info to be resolved by Falco. | +| process_info_wait | Time spent blocked waiting for process info to be resolved by system_inspector. | ### Network status notifier counters @@ -278,10 +278,10 @@ Units: occurence \[1\] the process lineage information contains the ancestors list of a process. This attribute is formatted as a list of the process exec file paths. -### Falco counters +### system_inspector counters ``` -Component: SysdigStats +Component: system_inspector::Stats Prometheus name: rox_collector_events Units: occurence ``` @@ -315,10 +315,10 @@ Note that the `[syscall]` suffix in a metric name means that it is instanciated Note that if ProcfsScraper is unable to open /proc it is not able to open any of the subdirectories, but only procfs_could_not_open_proc_dir will be incremented in that case. -### Falco timers per syscall +### system_inspector timers per syscall ``` -Component: SysdigStats +Component: system_inspector::Stats Prometheus name: rox_collector_events_typed Units: microseconds ```