Merge branch 'kmesh-net:main' into main

kwb0523 · Jul 12, 2024 · 8c14624 · 8c14624
2 parents d1c4285 + 8dce347
commit 8c14624
Show file tree

Hide file tree

Showing 149 changed files with 2,527 additions and 333 deletions.
diff --git a/.codecov.yml b/.codecov.yml
@@ -0,0 +1,11 @@
+coverage:
+  status:
+    project: #add everything under here, more options at https://docs.codecov.com/docs/commit-status
+      default:
+        # basic
+        target: auto #default
+        threshold: 50%
+        base: auto 
+comment:                  # this is a top-level key
+  layout: "header, files, footer" # remove "new" from "header" and "footer"
+  hide_project_coverage: false # set to false
diff --git a/.github/ISSUE_TEMPLATE/enhancement.md b/.github/ISSUE_TEMPLATE/enhancement.md
@@ -1,7 +1,7 @@
 ---
 name: Enhancement Request
 about: Suggest an enhancement to the project
-labels: kind/feature
+labels: kind/enhancement
 
 ---
 <!-- Please only use this template for submitting enhancement requests -->

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -3,6 +3,10 @@ name: Kmesh CI Workflow
 on:
   pull_request:
   merge_group: # enable merge queue
+  workflow_call:
+    secrets:
+      CODECOV_TOKEN:
+        required: true
 
 jobs:
 
@@ -24,6 +28,10 @@ jobs:
       run: |
         make gen-check
 
+    - name: Run Copyright-check
+      run : |
+        make ./hack/copyright-check.sh
+
     - name: Build Kmesh
       shell: bash
       run: |
@@ -45,9 +53,13 @@ jobs:
         sudo env LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib:$GITHUB_WORKSPACE/api/v2-c:$GITHUB_WORKSPACE/bpf/deserialization_to_bpf_map PKG_CONFIG_PATH=$GITHUB_WORKSPACE/mk go test -race -v -vet=off -coverprofile=coverage.out ./pkg/...
 
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@v4.0.1
+      uses: codecov/codecov-action@v4
       with:
-        token: ${{ secrets.CODECOV_TOKEN }}
-        files: coverage.out
-        flags: unittests
-        fail_ci_if_error: false
+          # Even though token upload token is not required for public repos,
+          # but adding a token might increase successful uploads as per:
+          # https://community.codecov.com/t/upload-issues-unable-to-locate-build-via-github-actions-api/3954
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./coverage.out
+          flags: unittests
+          fail_ci_if_error: false
+          verbose: true
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1 @@
+For further details please see [Security Policy](https://github.com/kmesh-net/community/blob/main/security-team/SECURITY.md) for our security process and how to report vulnerabilities.
diff --git a/bpf/include/bpf_common.h b/bpf/include/bpf_common.h
@@ -46,9 +46,22 @@ struct {
     __type(key, struct manager_key);
     __type(value, manager_value_t);
     __uint(max_entries, MAP_SIZE_OF_MANAGER);
-    __uint(map_flags, 0);
+    __uint(map_flags, BPF_F_NO_PREALLOC);
 } map_of_manager SEC(".maps");
 
+struct sock_storage_data {
+    __u64 connect_ns;
+    __u8 direction;
+    __u8 connect_success;
+};
+
+struct {
+    __uint(type, BPF_MAP_TYPE_SK_STORAGE);
+    __uint(map_flags, BPF_F_NO_PREALLOC);
+    __type(key, int);
+    __type(value, struct sock_storage_data);
+} map_of_sock_storage SEC(".maps");
+
 /*
  * From v5.4, bpf_get_netns_cookie can be called for bpf cgroup hooks, from v5.15, it can be called for bpf sockops
  * hook. Therefore, ensure that function is correctly used.
@@ -81,7 +94,7 @@ static inline void set_netns_bypass_value(struct bpf_sock_addr *ctx, int new_byp
 
     current_value->is_bypassed = new_bypass_value;
 
-    int err = bpf_map_update_elem(&map_of_manager, &key, current_value, BPF_EXIST);
+    int err = bpf_map_update_elem(&map_of_manager, &key, current_value, BPF_ANY);
     if (err)
         BPF_LOG(ERR, KMESH, "set netcookie failed!, err is %d\n", err);
 }

diff --git a/bpf/include/bpf_log.h b/bpf/include/bpf_log.h
@@ -16,6 +16,7 @@
 #define BPF_LOGTYPE_SOCKOPS BPF_DEBUG_OFF
 #define BPF_LOGTYPE_XDP     BPF_DEBUG_OFF
 #define BPF_LOGTYPE_SENDMSG BPF_DEBUG_OFF
+#define BPF_LOGTYPE_PROBE   BPF_DEBUG_ON
 #define MAX_MSG_LEN         255
 
 enum bpf_loglevel {

diff --git a/bpf/kmesh/ads/include/cluster.h b/bpf/kmesh/ads/include/cluster.h
@@ -47,7 +47,7 @@ struct {
     __uint(max_entries, 1);
 } map_of_cluster_eps_data SEC(".maps");
 
-static inline Cluster__Cluster *map_lookup_cluster_eps_data()
+static inline struct cluster_endpoints *map_lookup_cluster_eps_data()
 {
     int location = 0;
     return kmesh_map_lookup_elem(&map_of_cluster_eps_data, &location);

diff --git a/bpf/kmesh/ads/include/kmesh_common.h b/bpf/kmesh/ads/include/kmesh_common.h
@@ -37,7 +37,7 @@ struct bpf_mem_ptr {
 };
 
 #if !ENHANCED_KERNEL
-static inline int bpf__strncmp(char *dst, int n, const char *src)
+static inline int bpf__strncmp(const char *dst, int n, const char *src)
 {
     if (dst == NULL || src == NULL)
         return -1;

diff --git a/bpf/kmesh/bpf2go/bpf2go.go b/bpf/kmesh/bpf2go/bpf2go.go
@@ -1,5 +1,18 @@
-// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
-/* Copyright Authors of Kmesh */
+/*
+ * Copyright The Kmesh Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 
 //go:build tools
 // +build tools
@@ -13,9 +26,9 @@ import (
 
 // go run github.com/cilium/ebpf/cmd/bpf2go --help
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang  --cflags $EXTRA_CFLAGS --cflags $EXTRA_CDEFINE KmeshCgroupSock ../ads/cgroup_sock.c -- -I../ads/include -I../../include -I../../../api/v2-c -DCGROUP_SOCK_MANAGE
-//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang  --cflags $EXTRA_CFLAGS --cflags $EXTRA_CDEFINE KmeshCgroupSockWorkload ../workload/cgroup_sock.c -- -I../workload/include -I../../include
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang  --cflags $EXTRA_CFLAGS --cflags $EXTRA_CDEFINE KmeshCgroupSockWorkload ../workload/cgroup_sock.c -- -I../workload/include -I../../include -I../probes
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang  --cflags $EXTRA_CFLAGS --cflags $EXTRA_CDEFINE KmeshSockops ../ads/sockops.c -- -I../ads/include -I../../include -I../../../api/v2-c
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang  --cflags $EXTRA_CFLAGS --cflags $EXTRA_CDEFINE KmeshTracePoint ../ads/tracepoint.c -- -I../ads/include -I../../include
-//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang  --cflags $EXTRA_CFLAGS --cflags $EXTRA_CDEFINE KmeshSockopsWorkload ../workload/sockops.c -- -I../workload/include -I../../include
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang  --cflags $EXTRA_CFLAGS --cflags $EXTRA_CDEFINE KmeshSockopsWorkload ../workload/sockops.c -- -I../workload/include -I../../include -I../probes
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang  --cflags $EXTRA_CFLAGS --cflags $EXTRA_CDEFINE KmeshXDPAuth ../workload/xdp.c -- -I../workload/include -I../../include
 //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang  --cflags $EXTRA_CFLAGS --cflags $EXTRA_CDEFINE KmeshSendmsg ../workload/sendmsg.c -- -I../workload/include -I../../include
diff --git a/bpf/kmesh/probes/access_log.h b/bpf/kmesh/probes/access_log.h
@@ -0,0 +1,72 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Kmesh */
+
+#ifndef __KMESH_BPF_ACCESS_LOG_H__
+#define __KMESH_BPF_ACCESS_LOG_H__
+
+#include "bpf_common.h"
+
+// access log
+enum {
+    INVALID_DIRECTION = 0,
+    INBOUND = 1,
+    OUTBOUND = 2,
+};
+
+struct access_log {
+    struct bpf_sock_tuple tuple;
+    __u64 duration; // ns
+    __u64 close_ns;
+    __u32 family;
+    __u32 protocol;
+    __u8 direction;
+    __u32 sent_bytes;
+    __u32 received_bytes;
+    __u32 conn_success;
+};
+
+struct {
+    __uint(type, BPF_MAP_TYPE_RINGBUF);
+    __uint(max_entries, RINGBUF_SIZE);
+} map_of_access_log SEC(".maps");
+
+static inline void constuct_tuple(struct bpf_sock *sk, struct bpf_sock_tuple *tuple)
+{
+    if (sk->family == AF_INET) {
+        tuple->ipv4.saddr = sk->src_ip4;
+        tuple->ipv4.daddr = sk->dst_ip4;
+        tuple->ipv4.sport = sk->src_port;
+        tuple->ipv4.dport = sk->dst_port;
+    } else {
+        bpf_memcpy(tuple->ipv6.saddr, sk->src_ip6, IPV6_ADDR_LEN);
+        bpf_memcpy(tuple->ipv6.daddr, sk->dst_ip6, IPV6_ADDR_LEN);
+        tuple->ipv6.sport = sk->src_port;
+        tuple->ipv6.dport = sk->dst_port;
+    }
+    return;
+}
+
+static inline void
+report_access_log(struct bpf_sock *sk, struct bpf_tcp_sock *tcp_sock, struct sock_storage_data *storage)
+{
+    struct access_log *log = NULL;
+
+    // store tuple
+    log = bpf_ringbuf_reserve(&map_of_access_log, sizeof(struct access_log), 0);
+    if (!log) {
+        BPF_LOG(ERR, PROBE, "bpf_ringbuf_reserve access_log failed\n");
+        return;
+    }
+
+    constuct_tuple(sk, &log->tuple);
+    log->direction = storage->direction;
+    log->close_ns = bpf_ktime_get_ns();
+    log->duration = log->close_ns - storage->connect_ns;
+    log->sent_bytes = tcp_sock->delivered;
+    log->received_bytes = tcp_sock->bytes_received;
+    log->conn_success = storage->connect_success;
+
+    bpf_ringbuf_submit(log, 0);
+}
+
+#endif
diff --git a/bpf/kmesh/probes/metrics.h b/bpf/kmesh/probes/metrics.h
@@ -0,0 +1,119 @@
+// SPDX-License-Identifier: (GPL-2.0-only OR BSD-2-Clause)
+/* Copyright Authors of Kmesh */
+
+#ifndef __KMESH_BPF_METRICS_H__
+#define __KMESH_BPF_METRICS_H__
+#include "bpf_common.h"
+
+// metrics
+struct metric_key {
+    struct ip_addr src_ip;
+    struct ip_addr dst_ip;
+};
+
+struct metric_data {
+    __u32 direction;      // update on connect
+    __u32 conn_open;      // update on connect
+    __u32 conn_close;     // update on close
+    __u32 conn_failed;    // update on close
+    __u32 sent_bytes;     // update on close
+    __u32 received_bytes; // update on close
+};
+
+#define MAP_SIZE_OF_METRICS 100000
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, struct metric_key);
+    __type(value, struct metric_data);
+    __uint(max_entries, MAP_SIZE_OF_METRICS);
+    __uint(map_flags, BPF_F_NO_PREALLOC);
+} map_of_metrics SEC(".maps");
+
+struct {
+    __uint(type, BPF_MAP_TYPE_RINGBUF);
+    __uint(max_entries, RINGBUF_SIZE);
+} map_of_metric_notify SEC(".maps");
+
+static inline void construct_metric_key(struct bpf_sock *sk, struct metric_key *key)
+{
+    if (sk->family == AF_INET) {
+        key->src_ip.ip4 = sk->src_ip4;
+        key->dst_ip.ip4 = sk->dst_ip4;
+    } else {
+        bpf_memcpy(key->src_ip.ip6, sk->src_ip6, IPV6_ADDR_LEN);
+        bpf_memcpy(key->dst_ip.ip6, sk->dst_ip6, IPV6_ADDR_LEN);
+    }
+    return;
+}
+
+static inline void report_metrics(struct bpf_sock *sk)
+{
+    struct metric_key *key = bpf_ringbuf_reserve(&map_of_metric_notify, sizeof(struct metric_key), 0);
+    if (!key) {
+        BPF_LOG(ERR, PROBE, "report_metrics bpf_ringbuf_reserve failed\n");
+        return;
+    }
+
+    construct_metric_key(sk, key);
+    bpf_ringbuf_submit(key, 0);
+    return;
+}
+
+static inline void
+metric_on_connect(struct bpf_sock *sk, struct bpf_tcp_sock *tcp_sock, struct sock_storage_data *storage)
+{
+    struct metric_key key = {0};
+    struct metric_data data = {0};
+    struct metric_data *metric = NULL;
+
+    construct_metric_key(sk, &key);
+    metric = (struct metric_data *)bpf_map_lookup_elem(&map_of_metrics, &key);
+    if (!metric) {
+        data.conn_open++;
+        data.direction = storage->direction;
+        int err = bpf_map_update_elem(&map_of_metrics, &key, &data, BPF_NOEXIST);
+        if (err) {
+            BPF_LOG(ERR, PROBE, "metric_on_connect update failed, err is %d\n", err);
+            return;
+        }
+        goto notify;
+    }
+
+    metric->conn_open++;
+    metric->direction = storage->direction;
+notify:
+    report_metrics(sk);
+    return;
+}
+
+static inline void
+metric_on_close(struct bpf_sock *sk, struct bpf_tcp_sock *tcp_sock, struct sock_storage_data *storage)
+{
+    struct metric_key key = {0};
+    struct metric_data data = {0};
+    struct metric_data *metric = NULL;
+
+    construct_metric_key(sk, &key);
+    metric = (struct metric_data *)bpf_map_lookup_elem(&map_of_metrics, &key);
+    if (!metric) {
+        // connect failed
+        data.direction = storage->direction;
+        data.conn_failed++;
+        int err = bpf_map_update_elem(&map_of_metrics, &key, &data, BPF_NOEXIST);
+        if (err) {
+            BPF_LOG(ERR, PROBE, "metric_on_close update failed, err is %d\n", err);
+            return;
+        }
+        goto notify;
+    }
+
+    // connect successed & closed
+    metric->conn_close++;
+    metric->sent_bytes += tcp_sock->delivered;
+    metric->received_bytes += tcp_sock->bytes_received;
+notify:
+    report_metrics(sk);
+    return;
+}
+
+#endif
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		For further details please see [Security Policy](https://github.com/kmesh-net/community/blob/main/security-team/SECURITY.md) for our security process and how to report vulnerabilities.