<!--startmeta
custom_edit_url: "https://github.com/netdata/netdata/edit/master/collectors/ebpf.plugin/integrations/ebpf_socket.md"
meta_yaml: "https://github.com/netdata/netdata/edit/master/collectors/ebpf.plugin/metadata.yaml"
sidebar_label: "eBPF Socket"
learn_status: "Published"
learn_rel_path: "Data Collection/eBPF"
message: "DO NOT EDIT THIS FILE DIRECTLY, IT IS GENERATED BY THE COLLECTOR'S metadata.yaml FILE"
endmeta-->

# eBPF Socket


<img src="https://netdata.cloud/img/ebpf.jpg" width="150"/>


Plugin: ebpf.plugin
Module: socket

<img src="https://img.shields.io/badge/maintained%20by-Netdata-%2300ab44" />

## Overview

Monitor bandwidth consumption per application for the TCP and UDP protocols.

Attach tracing (kprobe, trampoline) to internal kernel functions according to the options used to compile the kernel.

This collector is only supported on the following platforms:

- Linux

This collector supports collecting metrics from multiple instances of this integration, including remote instances.

The plugin needs setuid because it loads data into the kernel. Netdata sets the necessary permissions at installation time.

### Default Behavior

#### Auto-Detection

The plugin checks the kernel compilation flags (CONFIG_KPROBES, CONFIG_BPF, CONFIG_BPF_SYSCALL, CONFIG_BPF_JIT) and the presence of BTF files to decide which eBPF program will be attached.

#### Limits

The default configuration for this integration does not impose any limits on data collection.

#### Performance Impact

This thread adds overhead every time an internal kernel function that it monitors is called. The estimated additional time is 90-200ms per call on kernels that do not have BTF technology.


## Metrics

Metrics grouped by *scope*.

The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.



### Per eBPF Socket instance

These metrics show the total number of calls to functions inside the kernel.

This scope has no labels.

Metrics:

| Metric | Dimensions | Unit |
|:------|:----------|:----|
| ip.inbound_conn | connection_tcp | connections/s |
| ip.tcp_outbound_conn | received | connections/s |
| ip.tcp_functions | received, send, closed | calls/s |
| ip.total_tcp_bandwidth | received, send | kilobits/s |
| ip.tcp_error | received, send | calls/s |
| ip.tcp_retransmit | retransmited | calls/s |
| ip.udp_functions | received, send | calls/s |
| ip.total_udp_bandwidth | received, send | kilobits/s |
| ip.udp_error | received, send | calls/s |

### Per apps

These metrics show grouped information per apps group.

This scope has no labels.

Metrics:

| Metric | Dimensions | Unit |
|:------|:----------|:----|
| apps.outbound_conn_v4 | a dimension per app group | connections/s |
| apps.outbound_conn_v6 | a dimension per app group | connections/s |
| apps.total_bandwidth_sent | a dimension per app group | kilobits/s |
| apps.total_bandwidth_recv | a dimension per app group | kilobits/s |
| apps.bandwidth_tcp_send | a dimension per app group | calls/s |
| apps.bandwidth_tcp_recv | a dimension per app group | calls/s |
| apps.bandwidth_tcp_retransmit | a dimension per app group | calls/s |
| apps.bandwidth_udp_send | a dimension per app group | calls/s |
| apps.bandwidth_udp_recv | a dimension per app group | calls/s |
| services.net_conn_ipv4 | a dimension per systemd service | connections/s |

### Per cgroup



This scope has no labels.

Metrics:

| Metric | Dimensions | Unit |
|:------|:----------|:----|
| cgroup.net_conn_ipv4 | connected_v4 | connections/s |
| cgroup.net_conn_ipv6 | connected_v6 | connections/s |
| cgroup.net_bytes_recv | received | calls/s |
| cgroup.net_bytes_sent | sent | calls/s |
| cgroup.net_tcp_recv | received | calls/s |
| cgroup.net_tcp_send | sent | calls/s |
| cgroup.net_retransmit | retransmitted | calls/s |
| cgroup.net_udp_send | sent | calls/s |
| cgroup.net_udp_recv | received | calls/s |
| services.net_conn_ipv6 | a dimension per systemd service | connections/s |
| services.net_bytes_recv | a dimension per systemd service | kilobits/s |
| services.net_bytes_sent | a dimension per systemd service | kilobits/s |
| services.net_tcp_recv | a dimension per systemd service | calls/s |
| services.net_tcp_send | a dimension per systemd service | calls/s |
| services.net_tcp_retransmit | a dimension per systemd service | calls/s |
| services.net_udp_send | a dimension per systemd service | calls/s |
| services.net_udp_recv | a dimension per systemd service | calls/s |



## Alerts

There are no alerts configured by default for this integration.


## Setup

### Prerequisites

#### Compile kernel

Check whether your kernel was compiled with the necessary options (CONFIG_KPROBES, CONFIG_BPF, CONFIG_BPF_SYSCALL, CONFIG_BPF_JIT) in `/proc/config.gz` or in the `/boot/config` file. Some of these names can differ according to the preferences of Linux distributions.
When these options are not set, you need to get the kernel source code from https://kernel.org or a kernel package from your distribution; the latter is preferred. Kernel compilation follows a well-defined pattern, but distributions can deliver their configuration files with different names.

Now follow these steps:

1. Copy the configuration file to `/usr/src/linux/.config`.
2. Select the necessary options: `make oldconfig`
3. Compile your kernel image: `make bzImage`
4. Compile your modules: `make modules`
5. Copy your new kernel image to the boot loader directory.
6. Install the new modules: `make modules_install`
7. Generate an initial ramdisk image (`initrd`) if necessary.
8. Update your boot loader.
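
The check described under Auto-Detection and at the start of this prerequisite can be scripted before deciding whether a kernel rebuild is needed. This is an added example, not Netdata code: the function names are hypothetical, `/boot/config-$(uname -r)` is an assumed distribution naming, and `/sys/kernel/btf/vmlinux` is assumed as the BTF file to look for.

```bash
#!/bin/sh
# Added example (not Netdata code): pre-flight check for the kernel options
# this page lists. Function names are hypothetical.
REQUIRED_OPTS="CONFIG_KPROBES CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_JIT"

# Print a kernel config file, decompressing it when it ends in .gz.
read_kernel_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Echo the first readable config: /proc/config.gz, then the /boot copies.
find_kernel_config() {
    for _f in /proc/config.gz "/boot/config-$(uname -r)" /boot/config; do
        if [ -r "$_f" ]; then echo "$_f"; return 0; fi
    done
    return 1
}

# Print each required option that is not "=y" in config file $1.
# Returns 0 when none are missing, 1 otherwise, 2 if the file is unreadable.
missing_ebpf_opts() {
    _cfg=$(read_kernel_config "$1") || return 2
    _missing=0
    for _opt in $REQUIRED_OPTS; do
        # -x: the whole line must equal OPT=y; "# OPT is not set" never matches
        if ! printf '%s\n' "$_cfg" | grep -qxF "${_opt}=y"; then
            echo "$_opt"; _missing=1
        fi
    done
    return "$_missing"
}

# BTF check. Assumption: the vmlinux BTF blob at the standard sysfs path.
has_btf() { [ -r "${1:-/sys/kernel/btf/vmlinux}" ]; }

ebpf_preflight() {
    _file=$(find_kernel_config) || { echo "no readable kernel config found"; return 2; }
    if _out=$(missing_ebpf_opts "$_file"); then
        echo "$_file: all required options set"
    else
        echo "$_file: missing or disabled:"; echo "$_out"
    fi
    if has_btf; then echo "BTF: present"; else echo "BTF: not found"; fi
}

ebpf_preflight || true
```

Pass a specific file to `missing_ebpf_opts` to check a configuration before building, for example the `.config` copied in step 1.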



### Configuration

#### File

The configuration file name for this integration is `ebpf.d/network.conf`.


You can edit the configuration file using the `edit-config` script from the
Netdata [config directory](https://github.com/netdata/netdata/blob/master/docs/configure/nodes.md#the-netdata-config-directory).

```bash
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config ebpf.d/network.conf
```

#### Options

All options are defined inside the `[global]` section. Options inside `network connections` are ignored for now.


<details><summary>Config options</summary>

| Name | Description | Default | Required |
|:----|:-----------|:-------|:--------:|
| update every | Data collection frequency. | 5 | False |
| ebpf load mode | Define whether the plugin will monitor only the call (`entry`) to the functions or will also monitor the return (`return`). | entry | False |
| apps | Enable or disable integration with apps.plugin | no | False |
| cgroups | Enable or disable integration with cgroup.plugin | no | False |
| bandwidth table size | Number of elements stored inside hash tables used to monitor calls per PID. | 16384 | False |
| ipv4 connection table size | Number of elements stored inside hash tables used to monitor calls per IPV4 connections. | 16384 | False |
| ipv6 connection table size | Number of elements stored inside hash tables used to monitor calls per IPV6 connections. | 16384 | False |
| udp connection table size | Number of temporary elements stored inside hash tables used to monitor UDP connections. | 4096 | False |
| ebpf type format | Define the file type used to load an eBPF program. Three options are available: `legacy` (attach only `kprobe`), `co-re` (the plugin tries to use `trampoline` when available), and `auto` (the plugin checks the OS configuration before loading). | auto | False |
| ebpf co-re tracing | Select the attach method used by the plugin when `co-re` is defined in the previous option. Two options are available: `trampoline` (the option with the lowest overhead), and `probe` (the same as the legacy code). | trampoline | False |
| maps per core | Define how the plugin will load its hash maps. When enabled (`yes`), the plugin will load one hash table per core instead of having centralized information. | yes | False |
| lifetime | Set the default lifetime for the thread when enabled by cloud. | 300 | False |

</details>

#### Examples

There are no configuration examples.