Fix ksymbols mem consumption #4095
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yanivagman
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
from
fa45261
to
16e19b5
Compare
yanivagman
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
from
16e19b5
to
b210980
Compare
This was referenced Jun 2, 2024
NDStrahilevitz
previously requested changes
Jun 3, 2024
| @@ -862,6 +890,104 @@ func (t *Tracee) newConfig(cfg *policy.PoliciesConfig, version uint16) *Config { | |||
| } | |||
| } | |||
|
|
|||
| func (t *Tracee) initKsymTableRequiredSyms() error { | |||
There was a problem hiding this comment.
We need to make sure we always initialize the text segment in relevant events. Perhaps we may want it as a symbol always present. WDYT?
There was a problem hiding this comment.
Shouldn't this be handled by event dependencies?
There was a problem hiding this comment.
It should, that's why the first part was about double-checking that.
|
Tested and the args from Related to the memory footprint this clearly brings a smaller initial mem consumption (RSS): This PRmain branch |
geyslan
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
from
b210980
to
c111214
Compare
|
@NDStrahilevitz I addressed some of your comments. The remainder is left for further consideration. |
My last comment still seems rather critical IMO, @yanivagman WDYT? I fear that if we don't address it we will introduce a performance regression while a |
geyslan
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
2 times, most recently
from
0636aa9
to
ef12be7
Compare
NDStrahilevitz
approved these changes
Jun 3, 2024
The hooked_syscalls and do_init_module events require CAP_SYSLOG in order to refresh its symbol table when reading /proc/kallsyms. Add these missing dependencies.
yanivagman
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
from
ef12be7
to
6913d6b
Compare
|
@yanivagman @NDStrahilevitz ignore the wip (3cacd03). It can be overridden. |
yanivagman
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
from
3cacd03
to
c81d337
Compare
NDStrahilevitz
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
from
86bd02a
to
29b75af
Compare
NDStrahilevitz
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
2 times, most recently
from
2e1871a
to
646578f
Compare
pkg/ebpf/c/tracee.bpf.c
Outdated
| kernel_new_mod_t new_mod = {.insert_time = insert_time}; | ||
| u64 mod_addr = (u64) mod; | ||
| // new_module_map - must be after the module is added to modules list, | ||
| // otherwise there's a risk for race condition | ||
| bpf_map_update_elem(&new_module_map, &mod_addr, &new_mod, BPF_ANY); |
There was a problem hiding this comment.
@OriGlassman Proposed this internally afaik, should we keep this?
NDStrahilevitz
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
from
646578f
to
425af51
Compare
Use modified ksymbols implementation. The new implementation may take a list of required symbols and addresses to track. If the list is given, symbol scanning will only save those symbols or addresses which were given in the list. If a new symbol is queried, then a rescan is needed. Refactor tracee initialization to find all necessary symbols to track ahead of runtime. Co-authored-by: Geyslan Gregório <geyslan@gmail.com> Co-authored-by: Yaniv Agman <yanivagman@gmail.com>
This commit refactors the refresh logic of KernelSymbolTable to be sequential, removing the use of goroutines and channels. The decision to simplify the code was made for the following reasons: 1. Simplicity: The sequential approach simplifies the codebase, making it easier to understand, maintain, and debug. 2. Less Relevant Concurrency: With the introduction of "required symbols", the need for concurrency has been reduced. We now skip memory allocation for symbols that are not required, which constitutes the majority of the symbols in /proc/kallsyms.
yanivagman
force-pushed
the
fix_ksymbols_mem_consumption_2
branch
2 times, most recently
from
f436739
to
3879a21
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
1. Explain what the PR does
2. Explain how to test it
3. Other comments