pkg/sensors: reduce socktrack map memory footprint

Resize the socktrack_map if needed to save memory.
Prevent ~2.8MB of unnecessary per-policy memory allocation when socktrack_map is unused.

Signed-off-by: Kyle Dong <[email protected]>

Author: kyledong-suse

bpf/process/types/basic.h

@@ -2052,7 +2052,7 @@ struct socket_owner {
 // socktrack_map maintains a mapping of sock to pid_tgid
 struct {
 	__uint(type, BPF_MAP_TYPE_LRU_HASH);
-	__uint(max_entries, 32000);
+	__uint(max_entries, 1); // will be resized by agent when needed
 	__type(key, __u64);
 	__type(value, struct socket_owner);
 } socktrack_map SEC(".maps");

pkg/selectors/kernel.go

@@ -1682,6 +1682,33 @@ func HasStackTrace(selectors []v1alpha1.KProbeSelector) bool {
 	return false
 }
 
+func HasSockTrack(spec *v1alpha1.KProbeSpec) bool {
+	// Check ReturnArgAction
+	if spec.ReturnArgAction != "" {
+		if a := ActionTypeFromString(spec.ReturnArgAction); a == ActionTypeTrackSock ||
+			a == ActionTypeUntrackSock {
+			return true
+		}
+	}
+
+	// Check selectors MatchActions and MatchReturnActions
+	for _, selector := range spec.Selectors {
+		for _, matchAction := range selector.MatchActions {
+			if a := ActionTypeFromString(matchAction.Action); a == ActionTypeTrackSock ||
+				a == ActionTypeUntrackSock {
+				return true
+			}
+		}
+		for _, matchReturnAction := range selector.MatchReturnActions {
+			if a := ActionTypeFromString(matchReturnAction.Action); a == ActionTypeTrackSock ||
+				a == ActionTypeUntrackSock {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 // parseCapabilitiesMask create a capabilities mask
 func parseCapabilitiesMask(s string) (uint64, error) {
 	mask, err := strconv.ParseUint(s, 0, 64)

pkg/sensors/tracing/consts.go

@@ -17,4 +17,5 @@ const (
 	enforcerMapMaxEntries      = 32768
 	overrideMapMaxEntries      = 32768
 	sleepableOffloadMaxEntries = 32768
+	socktrackMapMaxEntries     = 32000
 )

pkg/sensors/tracing/generickprobe.go

@@ -319,6 +319,9 @@ func createMultiKprobeSensor(polInfo *policyInfo, multiIDs []idtable.EntryID, ha
 
 	if config.EnableLargeProgs() {
 		socktrack := program.MapBuilderSensor("socktrack_map", load)
+		if has.sockTrack {
+			socktrack.SetMaxEntries(socktrackMapMaxEntries)
+		}
 		maps = append(maps, socktrack)
 	}
 
@@ -382,6 +385,9 @@ func createMultiKprobeSensor(polInfo *policyInfo, multiIDs []idtable.EntryID, ha
 		maps = append(maps, fdinstall)
 
 		socktrack := program.MapBuilderSensor("socktrack_map", loadret)
+		if has.sockTrack {
+			socktrack.SetMaxEntries(socktrackMapMaxEntries)
+		}
 		maps = append(maps, socktrack)
 
 		tailCalls := program.MapBuilderSensor("retkprobe_calls", loadret)
@@ -574,6 +580,7 @@ type hasMaps struct {
 	fdInstall  bool
 	enforcer   bool
 	override   bool
+	sockTrack  bool
 }
 
 // hasMapsSetup setups the has maps for the per policy maps. The per kprobe maps
@@ -584,6 +591,7 @@ func hasMapsSetup(spec *v1alpha1.TracingPolicySpec) hasMaps {
 		has.fdInstall = has.fdInstall || selectors.HasFDInstall(kprobe.Selectors)
 		has.enforcer = has.enforcer || len(spec.Enforcers) != 0
 		has.rateLimit = has.rateLimit || selectors.HasRateLimit(kprobe.Selectors)
+		has.sockTrack = has.sockTrack || selectors.HasSockTrack(&kprobe)
 	}
 	return has
 }
@@ -1041,6 +1049,9 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe
 
 	if config.EnableLargeProgs() {
 		socktrack := program.MapBuilderSensor("socktrack_map", load)
+		if has.sockTrack {
+			socktrack.SetMaxEntries(socktrackMapMaxEntries)
+		}
 		maps = append(maps, socktrack)
 	}
 
@@ -1112,6 +1123,9 @@ func createKprobeSensorFromEntry(polInfo *policyInfo, kprobeEntry *genericKprobe
 
 		if config.EnableLargeProgs() {
 			socktrack := program.MapBuilderSensor("socktrack_map", loadret)
+			if has.sockTrack {
+				socktrack.SetMaxEntries(socktrackMapMaxEntries)
+			}
 			maps = append(maps, socktrack)
 		}
 	}