Share bpf maps internally and remove pinning / bpffs requirement

[rafaelroquetto]

Leverage the fact that pinning/PinType is an uint and introduce a new PinType called PinInternal, which shares the corresponding maps inside the same userspace process (i.e. all of the maps sharing the same name refer to the same ebpf map object, but no actual bpffs pinning is given).

All bpf filesystem mounting code has been removed.

Resolves #1249

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 63.88889% with 13 lines in your changes missing coverage. Please review.

Project coverage is 81.82%. Comparing base (ac3b137) to head (df95555).

Files with missing lines	Patch %	Lines
pkg/internal/ebpf/tracer_linux.go	61.76%	8 Missing and 5 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1251      +/-   ##
==========================================
+ Coverage   81.78%   81.82%   +0.03%     
==========================================
  Files         135      135              
  Lines       11416    11384      -32     
==========================================
- Hits         9337     9315      -22     
+ Misses       1544     1543       -1     
+ Partials      535      526       -9     

Flag	Coverage Δ
integration-test	60.54% <63.88%> (-0.15%)	⬇️
k8s-integration-test	59.21% <63.88%> (+0.07%)	⬆️
oats-test	36.46% <63.88%> (-0.15%)	⬇️
unittests	53.60% <0.00%> (+0.13%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[rafaelroquetto]

I have decided to do this mainly so that we don't introduce a header that will need to be included everywhere, containing a single constant define.

I reckon this should be refactored if or when we decide to resplit the tracers.

[marctc]

I'm not sure if i understand what are you saying here. What do you mean resplit the tracers?

[mariomac]

I'd add this explanation to a comment on LIBBPF_PIN_INTERNAL so we don't forget the context it in the future

[grcevski]

I think we need to move this into a header of our own, since we might copy - paste a new version of libbpf headers here and cause an compile error. To the person that does this it may not be obvious what caused the build break.

[rafaelroquetto]

@marctc I was under the impression everything was grouped together so that we could share the maps, but perhaps I am missing a part of the history. I intend to split the tc programs off generic_tracer to allow them to be loaded separately - it will be possible to do the same now for other programs if we conclude it's desirable.

@grcevski @mariomac I will move this constant elsewhere to avoid confusion.

[rafaelroquetto]

cilium/ebpf will clone internalMap when processing MapReplacements, meaning both clones can be safely closed irrespective of each other (clones still share the underlying map object though, it's just the underlying file descriptor that is dup'd)

[rafaelroquetto]

It would be prudent to get a second pair of eyes on these changes

[marctc]

We probably could do it in a separate PR IMO

[rafaelroquetto]

@marctc ok, I will revert this part

[marctc]

LGTM amazing find @rafaelroquetto. Did you notice if this impacted the peformance? Personally i'd had removed the unprivileged stuff in a different PR (also to document how to run Beyla without privileges), but overall looks good!

[mariomac]

Amazing! I love removing code :)

As Marc says, I would let the changes in the helm chart for another PR, so we can focus on merging this feature and later test the unconfinement requirements.

[mariomac]

I'd add this explanation to a comment on LIBBPF_PIN_INTERNAL so we don't forget the context it in the future

[mariomac]

Actually we set this when the container is NOT privileged, so we can add the required capabilities. I don't remember if this was required only for SYS_ADMIN capability, or setting the rest of capabilities require it too.

[grcevski]

From what I remember we had to use this "unconfined" because App Armour prevents us from mounting file systems or writing to /sys/fs. So if we don't have to mount anymore we don't need to remove this restriction.

However we shouldn't remove this in this PR. It should be a follow-up and we should probably confirm this is works now with real k8s install, since we have no tests for this.

[grcevski]

LGTM! Great work, minor comments :).

[grcevski]

I think we need to move this into a header of our own, since we might copy - paste a new version of libbpf headers here and cause an compile error. To the person that does this it may not be obvious what caused the build break.

[grcevski]

From what I remember we had to use this "unconfined" because App Armour prevents us from mounting file systems or writing to /sys/fs. So if we don't have to mount anymore we don't need to remove this restriction.

However we shouldn't remove this in this PR. It should be a follow-up and we should probably confirm this is works now with real k8s install, since we have no tests for this.

[rafaelroquetto]

@marctc Thanks. I will remove the changes to the helm chart, but I intend to keep the documentation changes (i.e. removing the mentions to the ebpf filesystem since they are no longer relevant). I will take care of a "how to run beyla unprivileged" in a separate PR, as this will mostly boil down to capabilities and these changes are "backwards compatible".

[rafaelroquetto]

@grcevski @marctc @mariomac I have removed the helm charts changed, but kept the documentation ones. Let me know if you'd like me to revert the doc changes as well.