Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(ebpf): optimize filldir64 program #4183

Merged
merged 1 commit into from
Jul 16, 2024
Merged

chore(ebpf): optimize filldir64 program #4183

merged 1 commit into from
Jul 16, 2024

Conversation

NDStrahilevitz
Copy link
Collaborator

1. Explain what the PR does

0aa855c chore(ebpf): optimize filldir64 program

The filldir64 program runs very frequently, and as such incurs great
overhead. However, its usecase only requires the submission of events
from non 0 process inodes. Since this filter is faster than scope
evaluation, move this condition check before program data initialization
and scope evaluation.

Optimization reduces the average runtime to ~18% of the previous
overhead. Note, that even for more run amounts, the overall runtime is
now 27% from the previous version.

Before:
PROGRAM: filldir64 (type: kprobe, runtime: 61047110 ns, amount: 53135 times, average: 1148 ns)
After:
PROGRAM: filldir64 (type: kprobe, runtime: 16507056 ns, amount: 80350 times, average: 205 ns)

2. Explain how to test it

hidden_inodes event should work the same.

3. Other comments

@NDStrahilevitz NDStrahilevitz self-assigned this Jul 10, 2024
@geyslan
Copy link
Member

geyslan commented Jul 10, 2024

Awesome. ❤️

I have only one question: as evaluate_scope_filters() updates p, it could somehow jeopardise some expected behaviour?

Doubt:

Commit says:

However, its usecase only requires the submission of events from non 0 process inodes.

Wouldn't it be the opposite? ... only ... from 0 process...?

yanivagman
yanivagman approved these changes Jul 11, 2024
View reviewed changes
Copy link
Collaborator

@yanivagman yanivagman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@NDStrahilevitz
chore(ebpf): optimize filldir64 program
0785d75 
The filldir64 program runs very frequently, and as such incurs great
overhead. However, its usecase only requires the submission of events
from pid 0 inodes. Since this filter is faster than scope evaluation,
the condition check is moved before program data initialization and
scope evaluation.

Optimization reduces the average runtime to ~18% of the previous
overhead. Note, that even for more run amounts, the overall runtime is
now 27% from the previous version.

Before:
PROGRAM: filldir64 (type: kprobe, runtime: 61047110 ns, amount: 53135 times, average: 1148 ns)
After:
PROGRAM: filldir64 (type: kprobe, runtime: 16507056 ns, amount: 80350 times, average: 205 ns)
@NDStrahilevitz
Copy link
Collaborator Author

NDStrahilevitz commented Jul 16, 2024
edited
Loading

I have only one question: as evaluate_scope_filters() updates p, it could somehow jeopardise some expected behaviour?

I don't think so, since this isn't a program_data struct which is shared later on.

However, its usecase only requires the submission of events from non 0 process inodes.
Wouldn't it be the opposite? ... only ... from 0 process...?

You're right, changed the commit message accordingly. Will merge once e2e passes again.

@NDStrahilevitz NDStrahilevitz merged commit acd8ca1 into aquasecurity:main Jul 16, 2024
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yanivagman yanivagman yanivagman approved these changes

@OriGlassman OriGlassman OriGlassman approved these changes

Assignees

@NDStrahilevitz NDStrahilevitz

Labels
area/ebpf kind/chore milestone/v0.22.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@NDStrahilevitz @geyslan @yanivagman @OriGlassman