Documentation
Overview ¶
Package bpf provides the eBPF program loaders and Go event types.
Each eBPF program has:
- A .c source file compiled by clang to BPF bytecode
- A Go loader file with a //go:generate bpf2go directive
- Typed Go event structs matching the C structs in kerno.h
The Loader interface abstracts eBPF program lifecycle management.
Index ¶
- Constants
- type DiskEvent
- type DiskIOLoader
- type EventType
- type FDEvent
- type FDOp
- type FDTrackLoader
- type FileEvent
- type Loader
- type LoaderSet
- type OOMEvent
- type OOMTrackLoader
- type RawEvent
- type SchedDelayLoader
- type SchedEvent
- type SyscallEvent
- type SyscallLatencyLoader
- type TCPEvent
- type TCPEventType
- type TCPMonitorLoader
Constants ¶
const MaxFilenameLen = 256
MaxFilenameLen matches MAX_FILENAME_LEN in kerno.h.
const TaskCommLen = 16
TaskCommLen matches TASK_COMM_LEN in kerno.h.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type DiskEvent ¶
// DiskEvent is the fixed-layout Go mirror of one disk I/O record. Field order,
// widths and the explicit padding are the wire contract with the eBPF side, so
// any change here has to be made together with the C struct. As declared, the
// fields occupy 56 bytes; a decoder should reject shorter input instead of
// reading past it.
type DiskEvent struct {
	TimestampNs uint64 // event time in nanoseconds (per the Ns suffix); clock source not visible here
	LatencyNs   uint64 // I/O latency in nanoseconds (per the field name)
	Sector      uint64 // presumably the starting sector of the request; confirm in the .c source
	Dev         uint32 // device identifier; its encoding is not visible on this page
	NrBytes     uint32 // presumably the request size in bytes
	// PID is the process ID recorded by the probe. PIDs are recycled, so
	// correlate with TimestampNs. NOTE(review): which task this refers to
	// depends on the hook point (issue vs. completion); confirm in the .c source.
	PID  uint32
	Op   byte    // operation code; the value meanings are not shown on this page
	Pad0 [3]byte // padding to align Comm
	// Comm is the task name in a fixed TaskCommLen-byte buffer. A process can
	// rename itself, so treat it as a display label, not as an identity, and
	// escape it before writing it to logs.
	Comm [TaskCommLen]byte
}
DiskEvent matches struct disk_event in kerno.h.
func DecodeDiskEvent ¶
DecodeDiskEvent decodes a raw event into a typed DiskEvent.
func (*DiskEvent) CommString ¶
CommString returns the process name as a Go string.
type DiskIOLoader ¶
type DiskIOLoader struct {
// contains filtered or unexported fields
}
DiskIOLoader manages the disk_io eBPF program.
func NewDiskIOLoader ¶
func NewDiskIOLoader(logger *slog.Logger) *DiskIOLoader
NewDiskIOLoader creates a new loader.
func (*DiskIOLoader) Events ¶
func (l *DiskIOLoader) Events(ctx context.Context) (<-chan RawEvent, error)
Events implements Loader.
type FDEvent ¶
// FDEvent is the fixed-layout Go mirror of one file-descriptor record. Field
// order, widths and padding are the wire contract with the eBPF side and must
// change together with the C struct.
type FDEvent struct {
	TimestampNs uint64 // event time in nanoseconds (per the Ns suffix); clock source not visible here
	CgroupID    uint64 // cgroup identifier of the task; presumably usable to attribute events to a container
	PID         uint32 // process ID; PIDs are recycled, so correlate with TimestampNs
	FD          int32  // file descriptor number; signed, so a negative value is representable
	Op          FDOp   // descriptor operation; FDOp's values are declared elsewhere
	// Pad0 being 7 bytes implies FDOp is a one-byte type, which would put Comm
	// at offset 32 and make the struct 48 bytes — confirm against FDOp's
	// declaration before relying on that size in a length check.
	Pad0 [7]byte // padding to align Comm
	// Comm is the task name in a fixed TaskCommLen-byte buffer. A process can
	// rename itself, so treat it as a display label, not as an identity.
	Comm [TaskCommLen]byte
}
FDEvent matches struct fd_event in kerno.h.
func DecodeFDEvent ¶
DecodeFDEvent decodes a raw event into a typed FDEvent.
func (*FDEvent) CommString ¶
CommString returns the process name.
type FDTrackLoader ¶
type FDTrackLoader struct {
// contains filtered or unexported fields
}
FDTrackLoader manages the fd_track eBPF program.
func NewFDTrackLoader ¶
func NewFDTrackLoader(logger *slog.Logger) *FDTrackLoader
NewFDTrackLoader creates a new loader.
func (*FDTrackLoader) Events ¶
func (l *FDTrackLoader) Events(ctx context.Context) (<-chan RawEvent, error)
Events implements Loader.
type FileEvent ¶
// FileEvent is the fixed-layout Go mirror of one file-access record. Field
// order, widths and padding are the wire contract with the eBPF side and must
// change together with the C struct. As declared, the fields occupy 304 bytes.
type FileEvent struct {
	TimestampNs uint64 // event time in nanoseconds (per the Ns suffix); clock source not visible here
	CgroupID    uint64 // cgroup identifier of the task
	PID         uint32 // process ID; PIDs are recycled, so correlate with TimestampNs
	// UID is a user ID of the calling task. NOTE(review): whether this is the
	// real or the effective UID is not visible here; the difference matters
	// when reasoning about setuid programs.
	UID   uint32
	Flags uint32 // presumably the open flags passed by the caller; confirm in the .c source
	Pad0  uint32 // padding to 8-byte alignment
	// Comm is the task name in a fixed TaskCommLen-byte buffer. A process can
	// rename itself, so treat it as a display label, not as an identity.
	Comm [TaskCommLen]byte
	// Filename is a fixed MaxFilenameLen-byte buffer. Anything longer cannot
	// fit and is presumably truncated by the probe, so a path that fills the
	// buffer should be treated as possibly incomplete. The bytes come from the
	// traced process: escape them before logging, and do not assume the value
	// is an absolute or canonical path unless the .c source resolves it.
	Filename [MaxFilenameLen]byte
}
FileEvent matches struct file_event in kerno.h.
func (*FileEvent) CommString ¶
CommString returns the process name.
func (*FileEvent) FilenameString ¶
FilenameString returns the filename.
type Loader ¶
// Loader is the lifecycle contract for one eBPF program: identify it, load and
// attach it, and stream its events.
type Loader interface {
	// Name returns a human-readable identifier for this loader (e.g., "syscall_latency").
	Name() string
	// Load loads the eBPF program into the kernel and attaches to hook points.
	// The returned io.Closer detaches and unloads the program when closed, so
	// callers should keep it and Close it on every exit path.
	// Loading eBPF programs normally requires elevated privileges (CAP_BPF or
	// CAP_SYS_ADMIN, depending on kernel and program type); grant the loading
	// process only the capabilities it needs.
	Load() (io.Closer, error)
	// Events returns a channel that emits raw events from the eBPF ring buffer.
	// The channel is closed when the context is canceled or the loader is closed.
	// NOTE(review): what happens when the consumer falls behind (blocking vs.
	// dropping events) is not visible here; confirm before treating the stream
	// as a complete record.
	Events(ctx context.Context) (<-chan RawEvent, error)
}
Loader is the interface that all eBPF program loaders must implement. Each loader manages the lifecycle of one eBPF program: loading it into the kernel, attaching to hook points, and reading events from ring buffers.
type LoaderSet ¶
type LoaderSet struct {
// contains filtered or unexported fields
}
LoaderSet manages the lifecycle of multiple eBPF program loaders.
func NewLoaderSet ¶
NewLoaderSet creates a new set of eBPF program loaders.
type OOMEvent ¶
// OOMEvent is the fixed-layout Go mirror of one out-of-memory record. Field
// order, widths and padding are the wire contract with the eBPF side and must
// change together with the C struct. As declared, the fields occupy 64 bytes.
type OOMEvent struct {
	TimestampNs  uint64 // event time in nanoseconds (per the Ns suffix); clock source not visible here
	CgroupID     uint64 // cgroup identifier; presumably that of the victim — confirm in the .c source
	TotalPages   uint64 // a page count (per the name); what it totals is not visible on this page
	RSSPages     uint64 // presumably the victim's resident set size in pages; page size is not carried in the event
	PID          uint32 // presumably the victim's process ID, since Comm is the victim's name
	TriggeredPID uint32 // presumably the process whose allocation triggered the OOM kill; confirm in the .c source
	OOMScore     int32  // signed score associated with the kill; its scale is not documented here
	Pad0         uint32 // padding to align Comm
	// Comm is the task name in a fixed TaskCommLen-byte buffer; the page
	// documents CommString as returning the victim process name. A process can
	// rename itself, so treat it as a display label, not as an identity.
	Comm [TaskCommLen]byte
}
OOMEvent matches struct oom_event in kerno.h.
func DecodeOOMEvent ¶
DecodeOOMEvent decodes a raw event into a typed OOMEvent.
func (*OOMEvent) CommString ¶
CommString returns the victim process name.
type OOMTrackLoader ¶
type OOMTrackLoader struct {
// contains filtered or unexported fields
}
OOMTrackLoader manages the oom_track eBPF program.
func NewOOMTrackLoader ¶
func NewOOMTrackLoader(logger *slog.Logger) *OOMTrackLoader
NewOOMTrackLoader creates a new loader.
func (*OOMTrackLoader) Events ¶
func (l *OOMTrackLoader) Events(ctx context.Context) (<-chan RawEvent, error)
Events implements Loader.
type RawEvent ¶
// RawEvent is one undecoded record from the ring buffer: a type tag plus the
// bytes of the event struct.
type RawEvent struct {
	// Type is the event discriminator (EVENT_SYSCALL_LATENCY, etc.).
	// It selects which Decode function applies; a consumer should handle
	// unknown values explicitly instead of assuming a known layout.
	Type EventType
	// Data is the raw bytes of the event struct.
	// Its length is not constrained by this type, so a decoder should compare
	// len(Data) with the size of the target struct before reading any field.
	// NOTE(review): whether Data is a private copy or aliases reader-owned
	// memory is not visible here; confirm before retaining it.
	Data []byte
}
RawEvent is an untyped event read from the ring buffer. The Type field identifies which event struct to decode into.
type SchedDelayLoader ¶
type SchedDelayLoader struct {
// contains filtered or unexported fields
}
SchedDelayLoader manages the sched_delay eBPF program.
func NewSchedDelayLoader ¶
func NewSchedDelayLoader(logger *slog.Logger) *SchedDelayLoader
NewSchedDelayLoader creates a new loader.
func (*SchedDelayLoader) Events ¶
func (l *SchedDelayLoader) Events(ctx context.Context) (<-chan RawEvent, error)
Events implements Loader.
type SchedEvent ¶
// SchedEvent is the fixed-layout Go mirror of one scheduler-delay record.
// Field order and widths are the wire contract with the eBPF side and must
// change together with the C struct. As declared, the fields occupy 48 bytes.
type SchedEvent struct {
	TimestampNs uint64 // event time in nanoseconds (per the Ns suffix); clock source not visible here
	RunqDelayNs uint64 // run queue delay in nanoseconds; exposed as a time.Duration by RunqDelay
	CgroupID    uint64 // cgroup identifier of the task
	PID         uint32 // process ID; PIDs are recycled, so correlate with TimestampNs
	CPU         uint32 // presumably the CPU the task was scheduled on; confirm in the .c source
	// Comm is the task name in a fixed TaskCommLen-byte buffer. A process can
	// rename itself, so treat it as a display label, not as an identity.
	Comm [TaskCommLen]byte
}
SchedEvent matches struct sched_event in kerno.h.
func DecodeSchedEvent ¶
func DecodeSchedEvent(data []byte) (*SchedEvent, error)
DecodeSchedEvent decodes a raw event into a typed SchedEvent.
func (*SchedEvent) CommString ¶
func (e *SchedEvent) CommString() string
CommString returns the process name.
func (*SchedEvent) RunqDelay ¶
func (e *SchedEvent) RunqDelay() time.Duration
RunqDelay returns the run queue delay as a time.Duration.
type SyscallEvent ¶
// SyscallEvent is the fixed-layout Go mirror of one syscall-latency record.
// Field order and widths are the wire contract with the eBPF side and must
// change together with the C struct. As declared, the fields occupy 56 bytes;
// a decoder should reject shorter input instead of reading past it.
type SyscallEvent struct {
	TimestampNs uint64 // event time in nanoseconds (per the Ns suffix); clock source not visible here
	LatencyNs   uint64 // syscall latency in nanoseconds; exposed as a time.Duration by Latency
	CgroupID    uint64 // cgroup identifier of the task
	PID         uint32 // process ID; PIDs are recycled, so correlate with TimestampNs
	TID         uint32 // thread ID of the calling task
	SyscallNr   uint32 // syscall number; numbering is architecture-specific, so resolve names per target arch
	// Ret is the recorded return value. NOTE(review): it is 32-bit and
	// unsigned, while syscall results are signed and register-width, so an
	// error return would show up as a large unsigned number and a 64-bit
	// result would be truncated — confirm this matches the C struct's intent
	// before using Ret to classify failures.
	Ret uint32
	// Comm is the task name in a fixed TaskCommLen-byte buffer. A process can
	// rename itself, so treat it as a display label, not as an identity.
	Comm [TaskCommLen]byte
}
SyscallEvent matches struct syscall_event in kerno.h. Field order and sizes MUST be identical to the C struct.
func DecodeSyscallEvent ¶
func DecodeSyscallEvent(data []byte) (*SyscallEvent, error)
DecodeSyscallEvent decodes a raw event into a typed SyscallEvent.
func (*SyscallEvent) CommString ¶
func (e *SyscallEvent) CommString() string
CommString returns the process name as a Go string.
func (*SyscallEvent) Latency ¶
func (e *SyscallEvent) Latency() time.Duration
Latency returns the syscall latency as a time.Duration.
type SyscallLatencyLoader ¶
type SyscallLatencyLoader struct {
// contains filtered or unexported fields
}
SyscallLatencyLoader manages the syscall_latency eBPF program.
func NewSyscallLatencyLoader ¶
func NewSyscallLatencyLoader(logger *slog.Logger) *SyscallLatencyLoader
NewSyscallLatencyLoader creates a new loader.
func (*SyscallLatencyLoader) Events ¶
func (l *SyscallLatencyLoader) Events(ctx context.Context) (<-chan RawEvent, error)
Events implements Loader.
func (*SyscallLatencyLoader) Load ¶
func (l *SyscallLatencyLoader) Load() (io.Closer, error)
Load implements Loader.
func (*SyscallLatencyLoader) Name ¶
func (l *SyscallLatencyLoader) Name() string
Name implements Loader.
type TCPEvent ¶
// TCPEvent is the fixed-layout Go mirror of one TCP record. Field order and
// widths are the wire contract with the eBPF side and must change together
// with the C struct. The declared fields end at byte 60; on 64-bit targets Go
// rounds the struct up to 64 bytes, so confirm which size the C side emits
// before choosing the minimum length a decoder accepts.
type TCPEvent struct {
	TimestampNs uint64 // event time in nanoseconds (per the Ns suffix); clock source not visible here
	CgroupID    uint64 // cgroup identifier of the task
	PID         uint32 // process ID; PIDs are recycled, so correlate with TimestampNs
	SAddr       uint32 // network byte order
	DAddr       uint32 // network byte order
	// SPort and DPort carry no byte-order note, unlike SAddr and DAddr.
	// NOTE(review): confirm whether they are host or network order before
	// displaying them or matching them in detection rules.
	SPort uint16
	DPort uint16
	// Family is presumably the socket address family. NOTE(review): the
	// address fields are 32 bits wide, so an IPv6 address cannot be carried;
	// how non-IPv4 connections are reported is not visible here.
	Family      uint16
	EventType   TCPEventType // TCP event subtype
	State       uint8        // presumably the TCP state number; confirm in the .c source
	RTTUs       uint32       // round-trip time in microseconds (per the Us suffix)
	Retransmits uint32       // retransmit counter; whether it is per-event or cumulative is not visible here
	// Comm is the task name in a fixed TaskCommLen-byte buffer. A process can
	// rename itself, so treat it as a display label, not as an identity.
	Comm [TaskCommLen]byte
}
TCPEvent matches struct tcp_event in kerno.h.
func DecodeTCPEvent ¶
DecodeTCPEvent decodes a raw event into a typed TCPEvent.
func (*TCPEvent) CommString ¶
CommString returns the process name as a Go string.
type TCPEventType ¶
type TCPEventType uint8
TCPEventType is the subtype of a TCP event.
// TCP event subtypes carried in TCPEvent.EventType. The values are written out
// explicitly rather than generated, presumably so they stay in step with the
// constants on the eBPF side — verify against the header when adding one.
// Zero and values above 4 have no name here, so consumers should treat them as
// unknown instead of mapping them onto one of these four.
const (
	TCPEventConnect    TCPEventType = 1 // connection established or attempted (per the name)
	TCPEventClose      TCPEventType = 2 // connection closed (per the name)
	TCPEventRetransmit TCPEventType = 3 // segment retransmitted (per the name)
	TCPEventRTT        TCPEventType = 4 // round-trip-time sample (per the name)
)
func (TCPEventType) String ¶
func (t TCPEventType) String() string
String returns a human-readable name.
type TCPMonitorLoader ¶
type TCPMonitorLoader struct {
// contains filtered or unexported fields
}
TCPMonitorLoader manages the tcp_monitor eBPF program.
func NewTCPMonitorLoader ¶
func NewTCPMonitorLoader(logger *slog.Logger) *TCPMonitorLoader
NewTCPMonitorLoader creates a new loader.
func (*TCPMonitorLoader) Events ¶
func (l *TCPMonitorLoader) Events(ctx context.Context) (<-chan RawEvent, error)
Events implements Loader.