[go: up one dir, main page]

CN119906757B - Method and system for optimizing eBPF monitoring services based on dynamic subscription mechanism - Google Patents

Method and system for optimizing eBPF monitoring services based on dynamic subscription mechanism Download PDF

Info

Publication number
CN119906757B
CN119906757B CN202510396819.2A CN202510396819A CN119906757B CN 119906757 B CN119906757 B CN 119906757B CN 202510396819 A CN202510396819 A CN 202510396819A CN 119906757 B CN119906757 B CN 119906757B
Authority
CN
China
Prior art keywords
ebpf
subscription
value
user
kernel
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202510396819.2A
Other languages
Chinese (zh)
Other versions
CN119906757A (en
Inventor
焦聪
刘明
段红涛
于珊珊
李蕾
杨诏钧
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kirin Software Co Ltd
Original Assignee
Kirin Software Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Kirin Software Co Ltd filed Critical Kirin Software Co Ltd
Priority to CN202510396819.2A priority Critical patent/CN119906757B/en
Publication of CN119906757A publication Critical patent/CN119906757A/en
Application granted granted Critical
Publication of CN119906757B publication Critical patent/CN119906757B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/566Grouping or aggregating service requests, e.g. for unified processing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1095Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention provides a method and a system for optimizing eBPF monitoring services based on a dynamic subscription mechanism, wherein the method comprises the steps of newly adding an SDK encapsulation interface function for a user to subscribe to a topic event, setting a subscription value for monitoring other user subscription/cancellation events based on a GRPC framework comprising a GRPC server and a client component, newly adding a eBPF map object B for storing the subscription value for dynamic subscription state synchronization, optimizing a eBPF kernel program, setting execution logic triggered by the kernel hook function according to the subscription value, and dynamically updating eBPF map object B by a eBPF user state program through subscription value change to realize dynamic control. The invention reduces the system resource waste caused by unsubscribing topic, dynamically adjusts the processing logic of the kernel hook function, and ensures the flexibility and instantaneity of monitoring service.

Description

基于动态订阅机制优化eBPF监测服务的方法及系统Method and system for optimizing eBPF monitoring service based on dynamic subscription mechanism

技术领域Technical Field

本发明属于计算机信息技术领域,具体涉及到一种基于动态订阅机制优化eBPF的系统活动监测服务性能的方法及系统。The present invention belongs to the field of computer information technology, and specifically relates to a method and system for optimizing the system activity monitoring service performance of eBPF based on a dynamic subscription mechanism.

背景技术Background Art

当前市场上的基于eBPF的系统活动监测服务在安全感知业务中得到了广泛应用。通过订阅不同的活动信息(topic),可以实现对系统行为的精细化监测。然而,这种监测机制在性能优化方面存在明显不足。Currently, the eBPF-based system activity monitoring service on the market has been widely used in security-aware services. By subscribing to different activity information (topics), refined monitoring of system behavior can be achieved. However, this monitoring mechanism has obvious shortcomings in performance optimization.

现有技术中,基于eBPF的系统活动监测服务通常在系统启动时加载所有监测逻辑,无论topic是否被订阅,所有hook函数均会在触发时执行完整的处理流程,包括数据解析、过滤、格式化等操作。这种设计缺乏灵活性,当安全感知业务未订阅任何topic或仅订阅少量topic时,未被订阅的topic仍会触发内核中的eBPF程序和用户态的处理流程,导致未订阅topic的处理负担依然存在,引起系统资源的浪费,影响了系统的整体性能,尤其是在高频触发场景下,这种冗余处理对系统性能的影响尤为显著。In the prior art, the system activity monitoring service based on eBPF usually loads all monitoring logic when the system starts. Regardless of whether the topic is subscribed, all hook functions will execute the complete processing flow when triggered, including data parsing, filtering, formatting and other operations. This design lacks flexibility. When the security-aware service does not subscribe to any topic or only subscribes to a small number of topics, the unsubscribed topics will still trigger the eBPF program in the kernel and the user-mode processing flow, resulting in the processing burden of unsubscribed topics still existing, causing a waste of system resources and affecting the overall performance of the system. In particular, in high-frequency triggering scenarios, this redundant processing has a particularly significant impact on system performance.

发明内容Summary of the invention

本发明的目的在于提供一种基于动态订阅机制优化eBPF监测服务的方法及系统,减少未订阅topic带来的系统资源浪费,动态调整内核hook函数的处理逻辑,保证监测服务的灵活性和实时性。The purpose of the present invention is to provide a method and system for optimizing eBPF monitoring services based on a dynamic subscription mechanism, reduce the waste of system resources caused by unsubscribed topics, dynamically adjust the processing logic of kernel hook functions, and ensure the flexibility and real-time performance of monitoring services.

为了实现上述目的,本发明的技术方案是这样的:In order to achieve the above object, the technical solution of the present invention is as follows:

一种基于动态订阅机制优化eBPF监测服务的方法,包括:A method for optimizing eBPF monitoring service based on a dynamic subscription mechanism, comprising:

S1、新增SDK封装接口函数供用户进行topic的事件订阅,所述SDK基于GRPC框架,包括GRPC服务器和客户端组件;S1. Add SDK encapsulation interface functions for users to subscribe to topic events. The SDK is based on the GRPC framework and includes GRPC server and client components.

S2、设定用于监控其他用户订阅/取消事件的订阅值,新增一个保存订阅值的eBPFmap对象B,用于动态订阅状态同步;S2. Set the subscription value used to monitor other users’ subscription/cancellation events, and add a new eBPFmap object B to save the subscription value for dynamic subscription state synchronization;

S3、优化eBPF内核程序,根据所述订阅值设定内核hook函数触发后的执行逻辑;S3, optimize the eBPF kernel program, and set the execution logic after the kernel hook function is triggered according to the subscription value;

S4、eBPF用户态程序通过订阅值变化动态更新eBPF map对象B,实现动态控制。S4. The eBPF user-state program dynamically updates the eBPF map object B by subscribing to value changes to achieve dynamic control.

进一步的,步骤S1中所述接口函数包括订阅事件、取消订阅、发布事件、读取事件,所述接口函数直接映射到GRPC框架中的对应操作,供用户在连接到GRPC客户端后无缝调用。Furthermore, the interface function in step S1 includes subscribing to events, unsubscribing, publishing events, and reading events. The interface function is directly mapped to the corresponding operations in the GRPC framework for users to call seamlessly after connecting to the GRPC client.

进一步的,步骤S2中eBPF map对象B保存订阅值的方法包括:Furthermore, the method for eBPF map object B to save subscription value in step S2 includes:

S201、eBPF用户态程序启动后先订阅自身为系统用户,调用读取事件的接口函数等待获取其他用户订阅的事件信息;S201, after the eBPF user state program is started, it first subscribes itself as a system user, calls the interface function for reading events and waits to obtain event information subscribed by other users;

S202、当其他用户调用订阅事件或取消订阅的接口函数时,GRPC服务器调用发布事件的接口函数将用户信息、订阅事件或取消订阅的类型进行发布,此时eBPF用户态程序接收到订阅值;S202. When other users call the interface function for subscribing to events or unsubscribing, the GRPC server calls the interface function for publishing events to publish user information, subscription events, or types of unsubscriptions. At this time, the eBPF user-mode program receives the subscription value.

S203、eBPF用户态程序接收到订阅值后,写入新增的eBPF map对象B,供eBPF内核程序读取使用。S203. After receiving the subscription value, the eBPF user-mode program writes a newly added eBPF map object B for the eBPF kernel program to read and use.

进一步的,步骤S3中eBPF内核程序的优化包括:Furthermore, the optimization of the eBPF kernel program in step S3 includes:

S301、内核hook函数被触发后,eBPF内核程序执行,首先从eBPF map对象B中读取当前的订阅值并判断当前内核hook函数对应的订阅值是否处于订阅状态;S301, after the kernel hook function is triggered, the eBPF kernel program is executed, firstly reading the current subscription value from the eBPF map object B and determining whether the subscription value corresponding to the current kernel hook function is in the subscription state;

S302、若未被订阅,则直接结束eBPF内核程序并返回;S302, if not subscribed, directly terminate the eBPF kernel program and return;

S303、若被订阅,则继续后续的数据处理流程。S303: If subscribed, continue with the subsequent data processing flow.

进一步的,步骤S4包括:Further, step S4 includes:

当用户的订阅状态发生变化时,eBPF用户态程序通过GRPC服务器得到变化的订阅值,动态更新eBPF map对象B。When the user's subscription status changes, the eBPF user-state program obtains the changed subscription value through the GRPC server and dynamically updates the eBPF map object B.

本发明另一方面还提出了一种基于动态订阅机制优化eBPF监测服务的系统,包括:On the other hand, the present invention also proposes a system for optimizing eBPF monitoring services based on a dynamic subscription mechanism, comprising:

SDK模块:新增SDK封装接口函数供用户进行topic的事件订阅,所述SDK基于GRPC框架,包括GRPC服务器和客户端组件;SDK module: Added SDK encapsulation interface functions for users to subscribe to topic events. The SDK is based on the GRPC framework and includes GRPC server and client components.

订阅值模块:设定用于监控其他用户订阅/取消事件的订阅值,新增一个保存订阅值的eBPF map对象B,用于动态订阅状态同步;Subscription value module: sets the subscription value used to monitor other users' subscription/cancellation events, and adds an eBPF map object B to save the subscription value for dynamic subscription status synchronization;

优化模块:优化eBPF内核程序,根据所述订阅值设定内核hook函数触发后的执行逻辑;Optimization module: optimizes the eBPF kernel program and sets the execution logic after the kernel hook function is triggered according to the subscription value;

动态控制模块:eBPF用户态程序通过订阅值变化动态更新eBPF map对象B,实现动态控制。Dynamic control module: The eBPF user-state program dynamically updates the eBPF map object B by subscribing to value changes to achieve dynamic control.

进一步的,SDK模块中所述接口函数包括订阅事件、取消订阅、发布事件、读取事件,所述接口函数直接映射到GRPC框架中的对应操作,供用户在连接到GRPC客户端后无缝调用。Furthermore, the interface functions in the SDK module include subscribing to events, unsubscribing, publishing events, and reading events. The interface functions are directly mapped to corresponding operations in the GRPC framework for users to call seamlessly after connecting to the GRPC client.

进一步的,订阅值模块包括:Furthermore, the subscription value module includes:

等待单元:eBPF用户态程序启动后先订阅自身为系统用户,调用读取事件的接口函数等待获取其他用户订阅的事件信息;Waiting unit: After the eBPF user-mode program is started, it first subscribes itself as a system user, calls the interface function for reading events, and waits to obtain event information subscribed by other users;

接收单元:当其他用户调用订阅事件或取消订阅的接口函数时,GRPC服务器调用发布事件的接口函数将用户信息、订阅事件或取消订阅的类型进行发布,此时eBPF用户态程序接收到订阅值;Receiving unit: When other users call the interface function of subscribing to events or unsubscribing, the GRPC server calls the interface function of publishing events to publish user information, subscription events, or unsubscribe types. At this time, the eBPF user-mode program receives the subscription value.

写入单元:eBPF用户态程序接收到订阅值后,写入新增的eBPF map对象B,供eBPF内核程序读取使用。Writing unit: After receiving the subscription value, the eBPF user-mode program writes the newly added eBPF map object B for the eBPF kernel program to read and use.

进一步的,优化模块包括:Furthermore, the optimization module includes:

读取单元:内核hook函数被触发后,eBPF内核程序执行,首先从eBPF map对象B中读取当前的订阅值并判断当前内核hook函数对应的订阅值是否处于订阅状态;Reading unit: After the kernel hook function is triggered, the eBPF kernel program is executed. First, the current subscription value is read from the eBPF map object B and whether the subscription value corresponding to the current kernel hook function is in the subscription state;

返回单元:若未被订阅,则直接结束eBPF内核程序并返回;Return unit: If not subscribed, the eBPF kernel program ends directly and returns;

继续单元:若被订阅,则继续后续的数据处理流程。Continue unit: If subscribed, continue the subsequent data processing flow.

进一步的,动态控制模块包括:Furthermore, the dynamic control module includes:

当用户的订阅状态发生变化时,eBPF用户态程序通过GRPC服务器得到变化的订阅值,动态更新eBPF map对象B。When the user's subscription status changes, the eBPF user-state program obtains the changed subscription value through the GRPC server and dynamically updates the eBPF map object B.

与现有技术相比,本发明具有如下的有益效果:Compared with the prior art, the present invention has the following beneficial effects:

1.本发明减少冗余处理:未订阅topic对应的内核和用户态处理流程被即时中断,避免了不必要的CPU和内存消耗。1. The present invention reduces redundant processing: the kernel and user-mode processing flows corresponding to unsubscribed topics are immediately interrupted, thus avoiding unnecessary CPU and memory consumption.

2.本发明动态调整灵活性:订阅状态变化时,能即时调整内核行为,无需重启服务或手动干预。2. The present invention has dynamic adjustment flexibility: when the subscription status changes, the kernel behavior can be adjusted instantly without restarting the service or manual intervention.

3.本发明性能优化显著:在高频触发场景中,系统资源利用率显著提升,尤其对大规模监控场景具有较大优势。3. The performance of the present invention is significantly optimized: in high-frequency triggering scenarios, the utilization rate of system resources is significantly improved, especially for large-scale monitoring scenarios.

附图说明BRIEF DESCRIPTION OF THE DRAWINGS

图1是本发明实施例1的流程示意图。FIG1 is a schematic diagram of a flow chart of Embodiment 1 of the present invention.

图2是本发明实施例1的整体框架图。FIG. 2 is an overall framework diagram of Embodiment 1 of the present invention.

图3是本发明实施例1的动态控制流程示意图。FIG3 is a schematic diagram of the dynamic control flow of Example 1 of the present invention.

具体实施方式DETAILED DESCRIPTION

需要说明的是,在不冲突的情况下,本发明中的实施例及实施例中的特征可以相互组合。It should be noted that, in the absence of conflict, the embodiments of the present invention and the features in the embodiments may be combined with each other.

首先对实施例中涉及的专业术语进行说明。First, the professional terms involved in the embodiments are explained.

eBPF(Extended Berkeley Packet Filter):一种在内核中执行用户定义程序的高效机制,用于监控和调试系统行为。eBPF (Extended Berkeley Packet Filter): An efficient mechanism for executing user-defined programs in the kernel, used to monitor and debug system behavior.

GRPC:一种高性能、跨语言的远程过程调用框架,用于实现分布式系统中服务间的通信。GRPC: A high-performance, cross-language remote procedure call framework for communication between services in distributed systems.

hook函数:操作系统内核中的特定触发点,用于拦截系统事件并进行自定义处理。Hook function: A specific trigger point in the operating system kernel that is used to intercept system events and perform custom processing.

map对象:eBPF中的数据结构,用于在内核和用户态之间共享数据。Map object: A data structure in eBPF used to share data between the kernel and userland.

SDK(Software Development Kit):用于开发应用程序的软件开发工具包。SDK (Software Development Kit): Software development kit used to develop applications.

下面结合具体实施例和附图,对本发明进行具体说明。The present invention is described in detail below in conjunction with specific embodiments and drawings.

实施例1:Embodiment 1:

本实施例中提出基于动态订阅机制优化eBPF的系统活动监测服务性能的方法,如图1所示,包括:In this embodiment, a method for optimizing the performance of the eBPF system activity monitoring service based on a dynamic subscription mechanism is proposed, as shown in FIG1 , including:

步骤一:新增SDK供用户进行事件订阅。Step 1: Add a new SDK for users to subscribe to events.

本步骤中提供了一套新增的软件开发工具包SDK,允许用户通过简单的接口函数与基于GRPC框架构建的服务进行交互。所述SDK支持C/C++、Python等主流编程语言,并封装了以下四个核心功能的接口函数:This step provides a new set of software development kits (SDKs) that allow users to interact with services built on the GRPC framework through simple interface functions. The SDK supports mainstream programming languages such as C/C++ and Python, and encapsulates the following four core interface functions:

1. 订阅事件subscribe():用户可以通过此接口订阅特定的topic事件,以便接收相关通知。1. Subscribe to events subscribe(): Users can subscribe to specific topic events through this interface to receive relevant notifications.

2. 取消订阅unsubscribe():允许用户停止接收之前订阅的事件通知。2. Unsubscribe(): Allows the user to stop receiving previously subscribed event notifications.

3. 发布事件publish_events():用于向系统发送新事件,使其他订阅者能够接收到这些事件。3. Publish events publish_events(): used to send new events to the system so that other subscribers can receive these events.

4. 读取事件read_events():用户可以通过此接口查询和获取已发生的事件记录。4. Read events read_events(): Users can query and obtain event records that have occurred through this interface.

所述SDK内部实现了一套完整的GRPC框架,包括GRPC服务器和客户端组件,确保了高效可靠的消息传递。如图2的整体框架图所示,SDK每个接口函数直接映射到GRPC框架中的对应操作,使得用户在连接到GRPC客户端后可以无缝调用这些功能。The SDK implements a complete GRPC framework, including GRPC server and client components, to ensure efficient and reliable message delivery. As shown in the overall framework diagram of Figure 2, each interface function of the SDK is directly mapped to the corresponding operation in the GRPC framework, so that users can call these functions seamlessly after connecting to the GRPC client.

此外,SDK的设计旨在简化用户的开发流程,让用户无需深入了解GRPC的具体实现细节,即可轻松集成事件处理功能到自己的应用程序中。In addition, the SDK is designed to simplify the user's development process, allowing users to easily integrate event processing functions into their own applications without having to deeply understand the specific implementation details of GRPC.

步骤二:新增eBPF map对象B用于动态订阅状态同步。Step 2: Add a new eBPF map object B for dynamic subscription state synchronization.

首先,本实施例中每一个系统调用分配一个订阅值,例如文件读取0x01,文件写入0x02,文件创建0x04,文件删除0x08,进程创建0x10,网络连接0x100等,后续操作都会传递此订阅值来决定不同的处理。First, in this embodiment, each system call is assigned a subscription value, such as file reading 0x01, file writing 0x02, file creation 0x04, file deletion 0x08, process creation 0x10, network connection 0x100, etc. Subsequent operations will pass this subscription value to determine different processing.

设置一个特殊的订阅值:0,用于监控其他用户订阅/取消事件的类型。Set a special subscription value: 0, which is used to monitor other users' subscription/cancellation events.

接下来,用户态程序通过eBPF map对象B保存订阅值的逻辑包括:Next, the logic of the user-mode program saving the subscription value through the eBPF map object B includes:

(1)eBPF用户态程序启动后先订阅自身为系统用户(订阅值:0),调用读取事件的接口函数(read_events)等待获取其他用户订阅的事件信息,如图2的整体框架图所示。(1) After the eBPF user-mode program is started, it first subscribes itself as a system user (subscription value: 0), calls the interface function for reading events (read_events) and waits to obtain event information subscribed by other users, as shown in the overall framework diagram of Figure 2.

(2)当其他用户调用订阅事件(subscribe)/取消订阅(unsubscribe)的接口函数时,GRPC服务器会调用发布事件 (publish_events)接口函数将用户信息、订阅/取消类型事件进行发布,此时eBPF用户态程序便可接收到订阅值。(2) When other users call the subscription event (subscribe)/unsubscription (unsubscribe) interface function, the GRPC server will call the publish event (publish_events) interface function to publish user information and subscription/unsubscription type events. At this time, the eBPF user-mode program can receive the subscription value.

(3)eBPF用户态程序接收到订阅值后,写入新增的eBPF map对象B。(3) After receiving the subscription value, the eBPF user-mode program writes the newly added eBPF map object B.

(4)eBPF map对象B是由eBPF提供的数据结构map,在内核程序中定义后可以在用户态程序和内核程序之间共享数据,是eBPF最主要的数据交换方式。eBPF map对象B用于保存用户的订阅值,保存的订阅值将在内核程序中读取并使用。(4) eBPF map object B is a data structure map provided by eBPF. After being defined in the kernel program, it can share data between user-mode programs and kernel programs. It is the main data exchange method of eBPF. eBPF map object B is used to save the user's subscription value, which will be read and used in the kernel program.

步骤三:优化内核hook函数触发后的执行逻辑。Step 3: Optimize the execution logic after the kernel hook function is triggered.

(1)eBPF内核程序使用kprobe,fentry,Tracepoints等方式与内核中的hook函数建立连接,可以在内核中hook函数被触发时捕获到并执行自定义的逻辑。(1) The eBPF kernel program uses kprobe, fentry, tracepoints, etc. to establish a connection with the hook function in the kernel. It can capture and execute custom logic when the hook function in the kernel is triggered.

(2)当对应的事件来临引起hook函数被触发后,eBPF内核程序也将执行,首先从eBPF map对象B中读取当前的订阅值,判断当前hook函数对应的订阅值是否处于订阅状态。(2) When the corresponding event occurs and the hook function is triggered, the eBPF kernel program will also be executed. First, it reads the current subscription value from the eBPF map object B to determine whether the subscription value corresponding to the current hook function is in the subscribed state.

(3)若当前hook函数对应的订阅值未处于订阅状态,则直接结束eBPF内核程序,返回系统原始处理流程,继续等待捕获hook函数被触发。(3) If the subscription value corresponding to the current hook function is not in the subscription state, the eBPF kernel program is terminated directly, and the system returns to the original processing flow, and continues to wait for the capture hook function to be triggered.

(4)若当前hook函数对应的订阅值处于订阅状态,则继续后续的数据处理流程,包括解析、过滤,以及通过map A发送到eBPF用户态程序,实现与用户态交互等。(4) If the subscription value corresponding to the current hook function is in the subscribed state, the subsequent data processing flow continues, including parsing, filtering, and sending to the eBPF user-mode program through map A to achieve interaction with the user-mode.

步骤四:动态控制流程。Step 4: Dynamic control process.

当订阅状态发生变化时,eBPF用户态程序通过GRPC服务器接收到变更的订阅值,动态更新eBPF map对象B。When the subscription status changes, the eBPF user-mode program receives the changed subscription value through the GRPC server and dynamically updates the eBPF map object B.

该机制保证未订阅topic事件的数据处理即时中断,无需重启服务或重新加载eBPF程序。This mechanism ensures that data processing of unsubscribed topic events is interrupted immediately without restarting the service or reloading the eBPF program.

完整的动态控制流程如图3所示,包括:The complete dynamic control process is shown in Figure 3, including:

1.eBPF用户态程序启动后先订阅自身为系统用户;1. After the eBPF user-mode program is started, it first subscribes itself as a system user;

2.调用读取事件的接口函数(read_events)等待获取其他用户订阅的事件信息;2. Call the event reading interface function (read_events) to wait for event information subscribed by other users;

3.用户A调用subscribe()接口函数订阅了文件读取(0x01)事件,或调用了unsubscribe()接口函数取消了订阅文件读取事件;3. User A calls the subscribe() interface function to subscribe to the file read (0x01) event, or calls the unsubscribe() interface function to cancel the subscription to the file read event;

4.GRPC服务器将(用户A, 0x01)或(用户A, 0x0)发送给eBPF用户程序;4. The GRPC server sends (user A, 0x01) or (user A, 0x0) to the eBPF user program;

5.eBPF用户态程序将0x01或0x0保存到map B中;5. The eBPF user-mode program saves 0x01 or 0x0 to map B;

6.当系统中触发了读取文件这个系统调用,内核中的vfs_read函数将会执行,此时eBPF内核程序中对应的fentry_vfs_read函数也会执行,fentry_vfs_read函数首先从map B中读取订阅值;当判断订阅值是0x0和对应的0x01不一致,将直接退出;当判断订阅值是0x01时,将继续处理,收集当前进程的uid,exe,文件的文件名等信息,通过其他方式传给用户程序。如果有文件写入事件发生时,hook函数vfs_write被触发,在fentry_vfs_write函数中也去读取map B中的值0x01,和对应的文件写入的值(0x02)不符,所以也会直接退出。6. When the system call to read a file is triggered in the system, the vfs_read function in the kernel will be executed, and the corresponding fentry_vfs_read function in the eBPF kernel program will also be executed. The fentry_vfs_read function first reads the subscription value from map B; when the subscription value is 0x0 and the corresponding 0x01 is inconsistent, it will exit directly; when the subscription value is 0x01, it will continue to process, collect the uid, exe, file name and other information of the current process, and pass it to the user program through other means. If a file write event occurs, the hook function vfs_write is triggered, and the value 0x01 in map B is also read in the fentry_vfs_write function, which is inconsistent with the corresponding file write value (0x02), so it will also exit directly.

本实施例的方法中也可通过其他跨进程通信机制(如管道,信号量,socket通信等)替代GRPC。In the method of this embodiment, GRPC may also be replaced by other cross-process communication mechanisms (such as pipelines, semaphores, socket communication, etc.).

本实施例所述方法解决了如何减少未订阅topic带来的系统资源浪费问题,解决了如何动态调整内核hook函数的处理逻辑,以适应订阅状态的变化问题,以及解决了如何在减少系统负担的同时,保证监测服务的灵活性和实时性的问题。The method described in this embodiment solves the problem of how to reduce the waste of system resources caused by unsubscribed topics, solves the problem of how to dynamically adjust the processing logic of the kernel hook function to adapt to changes in subscription status, and solves the problem of how to ensure the flexibility and real-time performance of the monitoring service while reducing the system burden.

实施例2:Embodiment 2:

本实施例2提出一种基于动态订阅机制优化eBPF监测服务的系统,包括:This embodiment 2 proposes a system for optimizing eBPF monitoring services based on a dynamic subscription mechanism, including:

SDK模块:新增SDK封装接口函数供用户进行topic的事件订阅,所述SDK基于GRPC框架,包括GRPC服务器和客户端组件;SDK module: Added SDK encapsulation interface functions for users to subscribe to topic events. The SDK is based on the GRPC framework and includes GRPC server and client components.

订阅值模块:设定用于监控其他用户订阅/取消事件的订阅值,新增一个保存订阅值的eBPF map对象B,用于动态订阅状态同步;Subscription value module: sets the subscription value used to monitor other users' subscription/cancellation events, and adds an eBPF map object B to save the subscription value for dynamic subscription status synchronization;

优化模块:优化eBPF内核程序,根据所述订阅值设定内核hook函数触发后的执行逻辑;Optimization module: optimizes the eBPF kernel program and sets the execution logic after the kernel hook function is triggered according to the subscription value;

动态控制模块:eBPF用户态程序通过订阅值变化动态更新eBPF map对象B,实现动态控制。Dynamic control module: The eBPF user-state program dynamically updates the eBPF map object B by subscribing to value changes to achieve dynamic control.

SDK模块中所述接口函数包括订阅事件、取消订阅、发布事件、读取事件,所述接口函数直接映射到GRPC框架中的对应操作,供用户在连接到GRPC客户端后无缝调用。The interface functions in the SDK module include subscribing to events, unsubscribing, publishing events, and reading events. The interface functions are directly mapped to the corresponding operations in the GRPC framework for users to call seamlessly after connecting to the GRPC client.

订阅值模块包括:Subscription value modules include:

等待单元:eBPF用户态程序启动后先订阅自身为系统用户,调用读取事件的接口函数等待获取其他用户订阅的事件信息;Waiting unit: After the eBPF user-mode program is started, it first subscribes itself as a system user, calls the interface function for reading events, and waits to obtain event information subscribed by other users;

接收单元:当其他用户调用订阅事件或取消订阅的接口函数时,GRPC服务器调用发布事件的接口函数将用户信息、订阅事件或取消订阅的类型进行发布,此时eBPF用户态程序接收到订阅值;Receiving unit: When other users call the interface function of subscribing to events or unsubscribing, the GRPC server calls the interface function of publishing events to publish user information, subscription events, or unsubscribe types. At this time, the eBPF user-mode program receives the subscription value.

写入单元:eBPF用户态程序接收到订阅值后,写入新增的eBPF map对象B,供eBPF内核程序读取使用。Writing unit: After receiving the subscription value, the eBPF user-mode program writes the newly added eBPF map object B for the eBPF kernel program to read and use.

优化模块包括:The optimization modules include:

读取单元:内核hook函数被触发后,eBPF内核程序执行,首先从eBPF map对象B中读取当前的订阅值并判断当前内核hook函数对应的订阅值是否处于订阅状态;Reading unit: After the kernel hook function is triggered, the eBPF kernel program is executed. First, the current subscription value is read from the eBPF map object B and whether the subscription value corresponding to the current kernel hook function is in the subscription state;

返回单元:若未被订阅,则直接结束eBPF内核程序并返回;Return unit: If not subscribed, the eBPF kernel program ends directly and returns;

继续单元:若被订阅,则继续后续的数据处理流程。Continue unit: If subscribed, continue the subsequent data processing flow.

动态控制模块包括:The dynamic control module includes:

当用户的订阅状态发生变化时,eBPF用户态程序通过GRPC服务器得到变化的订阅值,动态更新eBPF map对象B。When the user's subscription status changes, the eBPF user-state program obtains the changed subscription value through the GRPC server and dynamically updates the eBPF map object B.

本实施例提出的基于动态订阅机制优化eBPF监测服务的系统,能够实现实施例1所述基于动态订阅机制优化eBPF监测服务的方法,具有与实施例1同样的技术效果。The system for optimizing the eBPF monitoring service based on the dynamic subscription mechanism proposed in this embodiment can implement the method for optimizing the eBPF monitoring service based on the dynamic subscription mechanism described in Embodiment 1, and has the same technical effect as Embodiment 1.

以上所述实施例仅是本发明的优选实施方式,只是用于帮助理解本申请的方法及其核心思想,本发明的保护范围并不仅局限于上述实施例,凡属于本发明思路下的技术方案均属于本发明的保护范围。应当指出,对于本技术领域的普通技术人员来说,在不脱离本发明原理前提下的若干改进和润饰,这些改进和润饰也应视为本发明的保护范围。The above-mentioned embodiments are only preferred implementations of the present invention, and are only used to help understand the method and core ideas of the present application. The protection scope of the present invention is not limited to the above-mentioned embodiments. All technical solutions under the idea of the present invention belong to the protection scope of the present invention. It should be pointed out that for ordinary technicians in this technical field, some improvements and modifications without departing from the principle of the present invention should also be regarded as the protection scope of the present invention.

Claims (8)

1. A method for optimizing eBPF a monitoring service based on a dynamic subscription mechanism, comprising:
S1, a newly added SDK packaging interface function is used for a user to subscribe to a topic event, and the SDK is based on a GRPC framework and comprises a GRPC server and a client component;
S2, setting a subscription value for monitoring subscription/cancellation events of other users, and adding a eBPF map object B for storing the subscription value for dynamic subscription state synchronization;
s3, optimizing eBPF kernel programs, and setting execution logic triggered by a kernel hook function according to the subscription value;
S4, the eBPF user mode program dynamically updates eBPF map object B through subscription value change to realize dynamic control;
The step S2 comprises the following steps:
each system call is distributed with a subscription value, and the subsequent operation transmits the subscription value to determine different treatments, including file reading 0x01 and file writing 0x02;
the optimizing of eBPF kernel in step S3 includes:
s301, after a kernel hook function is triggered, eBPF kernel program execution is performed, firstly, a current subscription value is read from a eBPF map object B, and whether the subscription value corresponding to the current kernel hook function is in a subscription state or not is judged;
S302, if not subscribed, directly ending eBPF the kernel program and returning;
s303, if subscribed, continuing the subsequent data processing flow;
The step S4 includes:
When the system call of reading the file is triggered in the system, the vfs_read function in the kernel is executed, at the moment, the corresponding fentry _vfs_read function in the eBPF kernel program is also executed, the fentry _vfs_read function firstly reads the subscription value from the map B, when the subscription value is judged to be 0x0 and the corresponding 0x01 are inconsistent, the processing is directly exited, when the subscription value is judged to be 0x01, the processing is continued, the uid of the current process and the file name information of the exe file are collected and are transmitted to the user program in other modes, if a file writing event occurs, the hook function vfs_write is triggered, the value 0x01 in the map B is also read in the fentry _vfs_write function, and the corresponding file writing value 0x02 is inconsistent, and the processing is directly exited.
2. The method of claim 1, wherein the interface functions in step S1 include subscription events, unsubscribe, publish events, read events, and the interface functions are mapped directly to corresponding operations in the GRPC framework for seamless invocation by the user after connecting to the GRPC client.
3. The method for optimizing eBPF monitoring services based on dynamic subscription mechanism according to claim 1, wherein the method for storing the subscription value for eBPF map object B in step S2 includes:
S201, after a eBPF user mode program is started, subscribing the user as a system user, and calling an interface function for reading an event to wait for acquiring event information subscribed by other users;
S202, when other users call a subscription event or an interface function for unsubscribing, the GRPC server calls the interface function for publishing the event to publish the user information, the subscription event or the type for unsubscribing, and then eBPF user mode programs receive subscription values;
And S203, after the eBPF user mode program receives the subscription value, writing a newly added eBPF map object B for the eBPF kernel program to read.
4. The method for optimizing eBPF monitoring services based on dynamic subscription mechanisms as claimed in claim 1, wherein step S4 includes:
when the subscription state of the user changes, the eBPF user mode program obtains the changed subscription value through the GRPC server and dynamically updates eBPF map object B.
5. A system for optimizing eBPF monitoring services based on a dynamic subscription mechanism, comprising:
The SDK module is used for newly adding an SDK packaging interface function for a user to subscribe to the event of the topic, and the SDK is based on a GRPC framework and comprises a GRPC server and a client component;
The subscription value module is used for setting subscription values for monitoring subscription/cancellation events of other users, and adding a eBPF map object B for storing the subscription values for dynamic subscription state synchronization;
the optimizing module optimizes eBPF the kernel program, and sets execution logic triggered by the kernel hook function according to the subscription value;
the dynamic control module is used for dynamically updating eBPF map the object B through subscription value change by eBPF user mode programs to realize dynamic control;
The subscription value module comprises:
each system call is distributed with a subscription value, and the subsequent operation transmits the subscription value to determine different treatments, including file reading 0x01 and file writing 0x02;
The optimization module comprises:
the reading unit is used for reading the current subscription value from the eBPF map object B and judging whether the subscription value corresponding to the current core hook function is in a subscription state or not after the core hook function is triggered and eBPF core program execution is performed;
if not subscribed, directly ending eBPF the kernel program and returning;
If the data is subscribed, continuing the subsequent data processing flow;
The dynamic control module comprises:
When the system call of reading the file is triggered in the system, the vfs_read function in the kernel is executed, at the moment, the corresponding fentry _vfs_read function in the eBPF kernel program is also executed, the fentry _vfs_read function firstly reads the subscription value from the map B, when the subscription value is judged to be 0x0 and the corresponding 0x01 are inconsistent, the processing is directly exited, when the subscription value is judged to be 0x01, the processing is continued, the uid of the current process and the file name information of the exe file are collected and are transmitted to the user program in other modes, if a file writing event occurs, the hook function vfs_write is triggered, the value 0x01 in the map B is also read in the fentry _vfs_write function, and the corresponding file writing value 0x02 is inconsistent, and the processing is directly exited.
6. The system for optimizing eBPF monitoring services based on a dynamic subscription mechanism of claim 5 wherein the interface functions in the SDK module include subscribe events, unsubscribe, publish events, read events, and the interface functions map directly to corresponding operations in the GRPC framework for seamless invocation by a user after connecting to the GRPC client.
7. The system for optimizing eBPF monitoring services based on a dynamic subscription mechanism of claim 5, wherein the subscription value module comprises:
The waiting unit is used for subscribing the user as a system user after the eBPF user mode program is started, calling an interface function for reading the event and waiting for acquiring event information subscribed by other users;
When other users call the interface function of subscribing event or unsubscribing, the GRPC server calls the interface function of publishing event to publish the user information, subscribing event or unsubscribing type, and then eBPF user mode program receives the subscribing value;
And the writing unit is used for writing the newly added eBPF map object B for the eBPF kernel program to read after the eBPF user mode program receives the subscription value.
8. The system for optimizing eBPF monitoring services based on a dynamic subscription mechanism of claim 5, wherein the dynamic control module comprises:
when the subscription state of the user changes, the eBPF user mode program obtains the changed subscription value through the GRPC server and dynamically updates eBPF map object B.
CN202510396819.2A 2025-04-01 2025-04-01 Method and system for optimizing eBPF monitoring services based on dynamic subscription mechanism Active CN119906757B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202510396819.2A CN119906757B (en) 2025-04-01 2025-04-01 Method and system for optimizing eBPF monitoring services based on dynamic subscription mechanism

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202510396819.2A CN119906757B (en) 2025-04-01 2025-04-01 Method and system for optimizing eBPF monitoring services based on dynamic subscription mechanism

Publications (2)

Publication Number Publication Date
CN119906757A CN119906757A (en) 2025-04-29
CN119906757B true CN119906757B (en) 2025-07-04

Family

ID=95466728

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202510396819.2A Active CN119906757B (en) 2025-04-01 2025-04-01 Method and system for optimizing eBPF monitoring services based on dynamic subscription mechanism

Country Status (1)

Country Link
CN (1) CN119906757B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116760593A (en) * 2023-06-13 2023-09-15 南京磐优信息科技有限公司 Access control system based on attribute in DDS and method thereof
CN119645544A (en) * 2024-11-08 2025-03-18 创优数字科技(广东)有限公司 Data state updating method and device, storage medium and computer equipment

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9596122B2 (en) * 2010-12-03 2017-03-14 International Business Machines Corporation Identity provider discovery service using a publish-subscribe model
CN103092582B (en) * 2011-10-31 2016-01-20 国际商业机器公司 For the treatment of the method and system of the event of issue with the event of subscription
CN114189455B (en) * 2021-12-08 2023-06-06 兴业银行股份有限公司 Container network traffic monitoring and statistics method and system based on ebpf technology
CN117768362A (en) * 2023-12-18 2024-03-26 浙江大学 Network diagnosis and early warning method, device and medium based on eBPF
CN118659976A (en) * 2024-06-14 2024-09-17 山东浪潮智慧建筑科技有限公司 A dynamic MQTT Topic intelligent subscription and traffic optimization system and method for IoT gateways
CN119094533A (en) * 2024-08-12 2024-12-06 杭州高新区(滨江)区块链与数据安全研究院 Blockchain event subscription method, device, system and storage medium

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116760593A (en) * 2023-06-13 2023-09-15 南京磐优信息科技有限公司 Access control system based on attribute in DDS and method thereof
CN119645544A (en) * 2024-11-08 2025-03-18 创优数字科技(广东)有限公司 Data state updating method and device, storage medium and computer equipment

Also Published As

Publication number Publication date
CN119906757A (en) 2025-04-29

Similar Documents

Publication Publication Date Title
CN101651698B (en) Transmission method for publish/subscribe system based on NIO and IO
CN103902390A (en) Inter-process communication method based on Android application layer and basis application communication system
CN102035893A (en) Method and system for pushing data actively by server
CN112256246A (en) A Microservice Integration Architecture Supporting Cross-Language Calling in Power System
CN113626208B (en) Server communication method based on NIO asynchronous thread model
CN107391274B (en) Offline message processing method and device
CN119906757B (en) Method and system for optimizing eBPF monitoring services based on dynamic subscription mechanism
CN103905498B (en) Service information management method and service information management system
CN109800035B (en) Algorithm integrated service framework system
CN1878206B (en) Event subscription method and system
WO2011035659A1 (en) Method and apparatus for secondary development of function mobile phone
WO2025077111A1 (en) Method and middleware for collection and distribution of industrial data, and storage medium
CN109783066B (en) A Realization Method of Data Association and Processing of Internal Entity in DDS
WO2010130131A1 (en) System and method for parallel processing of equipment management tasks
CN113141387B (en) Service subscription method, device and system
CN116136860A (en) An event forwarding method, device, electronic equipment and storage medium
CN115412500A (en) Asynchronous communication method, system, medium and device supporting load balancing strategy
CN107566515A (en) A kind of document down loading method and relevant apparatus
CN114296809B (en) Object model construction method based on operating system and system call interface thereof
WO2021078176A1 (en) Storage process running method and apparatus, database system, and storage medium
CN115914330A (en) NIO asynchronous thread model-based heterogeneous application-to-application communication method
CN118509466B (en) High concurrency game server architecture
CN110572271A (en) A method and system for managing a voice chat room
CN114866605B (en) Network change proxy method, device, electronic device and storage medium
CN114915837B (en) Triggering method and device for video rendering, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant