Collect linux bpf stats

Question

Collect linux bpf stats

tomershafir opened this issue 5 months ago · comments

Since linux 5.1 the kernel can collect some bpf stats: https://github.com/torvalds/linux/blob/master/tools/bpf/bpftool/Documentation/bpftool-prog.rst?plain=1#L80

It seems possible to get the stats from anon_inode, or bpftool indirectly, I didnt test yet. However, I'm not sure how much its stable, or what permissions are needed.

I would like to know wdyt about monitoring system-wide bpf by node-exporter. Need to check the issues above if you think it fits.

Johannes 'fish' Ziemke · Answer 1 · Mon Jan 29 2024 19:13:37 GMT+0800 (China Standard Time)

Makes sense but as usual, needs to go into https://github.com/prometheus/procfs first

Tomer Shafir · Answer 2 · Sun Mar 10 2024 17:50:01 GMT+0800 (China Standard Time)

it requires CAP_SYS_ADMIN - see https://github.com/torvalds/linux/blob/master/include/uapi/linux/capability.h#L406 on linux master, which only improves upon previous state with CAP_BPF (CAP_BPF patch on LWN).
As mentioned, stats collection is possible since 5.1. We should use bpf_prog_get_next_id, bpf_prog_get_fd_by_id, bpf_prog_get_info_by_fd (since 4.13) syscalls to implement the collector, like Netflix/bpftop do with libbpf/libbpf-rs.
We can use cilium/ebpf that supports the above method, though I see procfs has very minimal deps.

@discordianfish wdyt?

Ben Kochie · Answer 3 · Mon Mar 11 2024 15:59:54 GMT+0800 (China Standard Time)

Unfortunately we don't allow collectors that require CAP_SYS_ADMIN. We have a policy against requiring users to need root access.

Johannes 'fish' Ziemke · Answer 4 · Thu Mar 21 2024 19:31:49 GMT+0800 (China Standard Time)

@SuperQ some reasonable use cases require CAP_SYS_ADMIN, maybe we should support this somehow?
Maybe some 'admin mode' where the node-exporter:

is suppose to run with CAP_SYS_ADMIN and errors out if not
only provides metrics from collectors that require CAP_SYS_ADMIN

Then you could run two node-exporters, one unprivileged and one with CAP_SYS_ADMIN. Dunno.. but writing a textfile script for each of these seems meh..

Tomer Shafir · Answer 5 · Thu Mar 21 2024 19:50:11 GMT+0800 (China Standard Time)

A client cant avoid CAP_SYS_ADMIN, and node_exporter can help. I would prefer not to force have 2 daemons instead of 1, with some admin mode as suggested and indicating telemetry.

Jonathan Davies · Answer 6 · Wed Apr 03 2024 21:05:35 GMT+0800 (China Standard Time)

Isn't this already handled by https://github.com/cloudflare/ebpf_exporter ?

Tomer Shafir · Answer 7 · Wed Apr 03 2024 22:36:29 GMT+0800 (China Standard Time)

https://github.com/cloudflare/ebpf_exporter does export the metrics (it can do much more, though I think the extended capabilities less fit the ebpf model with userspace controller).
I don't know why they don't require CAP_SYS_ADMIN for those metrics in docs.
I would like to have only node exporter.
I think its actually tricky for node_exporter, as it may treat bpf progs like processes and let them be out of scope, and possible aggregation should take place at query time. However, they are part of the loaded kernel, so it may monitor them.

Ben Kochie · Answer 8 · Wed Apr 03 2024 22:42:32 GMT+0800 (China Standard Time)

The Prometheus project does not have a "single node agent" data model. Having everything in the node_exporter is not something we ever plan to support. There are different exporters for different things.

So, again, this is not a feature we can support at this time due to the privileges necessary to implement it. As well as the fact that Go does not have any kind of privilege dropping support.