(ctx context.Context, opts agent.HookCfg, setupOpts config.Agent)
| 109 | } |
| 110 | |
| 111 | func (h *Hooks) load(ctx context.Context, opts agent.HookCfg, setupOpts config.Agent) error { |
| 112 | // Allow the current process to lock memory for eBPF resources. |
| 113 | if err := rlimit.RemoveMemlock(); err != nil { |
| 114 | utils.LogError(h.logger, err, "failed to lock memory for eBPF resources") |
| 115 | return err |
| 116 | } |
| 117 | |
| 118 | // Load pre-compiled programs and maps into the kernel. |
| 119 | objs := bpfObjects{} |
| 120 | bpfopts := &ebpf.CollectionOptions{ |
| 121 | Programs: ebpf.ProgramOptions{ |
| 122 | LogLevel: ebpf.LogLevelInstruction | ebpf.LogLevelBranch, |
| 123 | LogSizeStart: 1 * 1024 * 1024, |
| 124 | }, |
| 125 | } |
| 126 | |
| 127 | spec, err := loadBpf() |
| 128 | if err != nil { |
| 129 | utils.LogError(h.logger, err, "failed to load BPF spec") |
| 130 | return err |
| 131 | } |
| 132 | |
| 133 | programs := []struct { |
| 134 | name string |
| 135 | pType ebpf.ProgramType |
| 136 | aType ebpf.AttachType |
| 137 | }{ |
| 138 | {"k_sockops", ebpf.SockOps, ebpf.AttachCGroupSockOps}, |
| 139 | } |
| 140 | |
| 141 | for _, p := range programs { |
| 142 | if prog, ok := spec.Programs[p.name]; ok { |
| 143 | prog.Type = p.pType |
| 144 | prog.AttachType = p.aType |
| 145 | } |
| 146 | } |
| 147 | |
| 148 | // Now load and assign into the kernel with the corrected spec |
| 149 | if err := spec.LoadAndAssign(&objs, bpfopts); err != nil { |
| 150 | var ve *ebpf.VerifierError |
| 151 | if errors.As(err, &ve) { |
| 152 | fmt.Printf("VERIFIER FAILURE:\n%s\n", strings.Join(ve.Log, "\n")) |
| 153 | } else { |
| 154 | fmt.Printf("SYSCALL FAILURE: %v\n", err) |
| 155 | } |
| 156 | return err |
| 157 | } |
| 158 | //getting all the ebpf maps with proper synchronization |
| 159 | h.objectsMutex.Lock() |
| 160 | h.clientRegistrationMap = objs.KeployClientRegistrationMap |
| 161 | h.agentRegistrationMap = objs.KeployAgentRegistrationMap |
| 162 | h.objects = objs |
| 163 | h.objectsMutex.Unlock() |
| 164 | // --------------- |
| 165 | |
| 166 | // In DaemonSet mode the CRD-scoped SessionReconciler is the SOLE owner of |
| 167 | // target_namespace_pids — it arms exactly the recorded pods' TGIDs, and the |
| 168 | // proxyless capture reads that map. The sys_enter_socket tracepoint, by |