tracee-bench: tool to track performance information (#1985)

tracee-bench is a cli tool to track performance information of tracee based
apps exported through prometheus. Will be used as a performance probe as part
of EPIC #1986.

Author: NDStrahilevitz

Makefile

@@ -217,6 +217,7 @@ help:
 	@echo "    $$ make bpf-nocore           	# build ./dist/tracee.bpf.XXX.o"
 	@echo "    $$ make tracee-ebpf          	# build ./dist/tracee-ebpf"
 	@echo "    $$ make tracee-rules         	# build ./dist/tracee-rules"
+	@echo "    $$ make tracee-bench         	# build ./dist/tracee-bench"
 	@echo "    $$ make rules                	# build ./dist/rules"
 	@echo ""
 	@echo "# install"
@@ -231,6 +232,7 @@ help:
 	@echo "    $$ make clean-bpf-nocore     	# wipe ./dist/tracee.bpf.XXX.o"
 	@echo "    $$ make clean-tracee-ebpf    	# wipe ./dist/tracee-ebpf"
 	@echo "    $$ make clean-tracee-rules   	# wipe ./dist/tracee-rules"
+	@echo "    $$ make clean-tracee-bench   	# wipe ./dist/tracee-bench"
 	@echo "    $$ make clean-rules          	# wipe ./dist/rules"
 	@echo ""
 	@echo "# test"
@@ -694,6 +696,27 @@ check-staticcheck: \
 		-tags $(GO_TAGS_EBPF) \
 		./...
 
+#
+# tracee-bench
+#
+
+TRACEE_BENCH_SRC_DIRS = ./cmd/tracee-bench/
+TRACEE_BENCH_SRC = $(shell find $(TRACEE_BENCH_SRC_DIRS) -type f -name '*.go')
+.PHONY: tracee-bench
+tracee-bench: \
+	.checkver_$(CMD_GO) \
+	$(TRACEE_BENCH_SRC) \
+	| $(OUTPUT_DIR)
+#
+	$(CMD_GO) build \
+		-v -o $(OUTPUT_DIR)/tracee-bench \
+		./cmd/tracee-bench
+
+.PHONY: clean-tracee-bench
+clean-tracee-bench:
+#
+	$(CMD_RM) -rf $(OUTPUT_DIR)/tracee-bench
+
 #
 # clean
 #

cmd/tracee-bench/main.go

@@ -0,0 +1,186 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"os/signal"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/prometheus/client_golang/api"
+	v1 "github.com/prometheus/client_golang/api/prometheus/v1"
+	"github.com/urfave/cli/v2"
+)
+
+const (
+	prometheusAddressFlag = "prometheus"
+	periodFlag            = "period"
+	outputFlag            = "output"
+)
+
+type measurement struct {
+	AvgEbpfRate       float64 `json:"avgEbpfRate"`
+	AvgLostEventsRate float64 `json:"avgLostEventsRate"`
+	LostEvents        int     `json:"lostEvents"`
+}
+
+func (m measurement) Print() {
+	log.Printf("\n")
+	fmt.Printf("Events/Sec:     %f\n", m.AvgEbpfRate)
+	fmt.Printf("EventsLost/Sec: %f\n", m.AvgLostEventsRate)
+	fmt.Printf("Events Lost:    %d\n", m.LostEvents)
+	fmt.Println("===============================================")
+}
+func (m measurement) PrintJson() {
+	res, _ := json.Marshal(m)
+	fmt.Println(string(res))
+}
+
+type OutputMode string
+
+const (
+	jsonOutput   OutputMode = "json"
+	prettyOutput OutputMode = "pretty"
+)
+
+func main() {
+	app := cli.App{
+		Name:  "tracee-bench",
+		Usage: "A prometheus based performance probe for tracee",
+		Flags: []cli.Flag{
+			&cli.StringFlag{
+				Name:  prometheusAddressFlag,
+				Usage: "address of a prometheus instance tracking tracee",
+				Value: "http://localhost:9090",
+			},
+			&cli.IntFlag{
+				Name:  periodFlag,
+				Usage: "period of scraping in seconds",
+				Value: 5,
+			},
+			&cli.StringFlag{
+				Name:  outputFlag,
+				Usage: "set output format (options: pretty, json)",
+				Value: "pretty",
+			},
+		},
+		Action: func(ctx *cli.Context) error {
+			address := ctx.String(prometheusAddressFlag)
+
+			if address == "" {
+				return fmt.Errorf("prometheus address required for tracee-er")
+			}
+
+			client, err := api.NewClient(api.Config{
+				Address: address,
+			})
+
+			if err != nil {
+				return err
+			}
+
+			done := sigHandler()
+			prom := v1.NewAPI(client)
+			ticker := time.NewTicker(time.Duration(ctx.Int(periodFlag)) * time.Second)
+
+			// promql queries
+			const (
+				eventspersec = "events/sec"
+				lostpersec   = "lost/sec"
+				rulespersec  = "rules/sec"
+				lostoverall  = "lost_events"
+			)
+			queries := map[string]struct {
+				queryName string
+				query     string
+			}{
+				eventspersec: {queryName: "average ebpf_events/sec", query: "rate(tracee_ebpf_events_total[1m])"},
+				lostpersec:   {queryName: "average ebpf_lostevents/sec", query: "rate(tracee_ebpf_lostevents_total[1m])"},
+				lostoverall:  {queryName: "lost events", query: "tracee_ebpf_lostevents_total"},
+			}
+
+			outputMode := OutputMode(ctx.String(outputFlag))
+			if outputMode == prettyOutput {
+				fmt.Println("===================TRACEE-ER===================")
+			}
+			go func() {
+				for {
+					select {
+					case <-done:
+						{
+							return
+						}
+					case now := <-ticker.C:
+						{
+
+							measurement := measurement{}
+							wg := sync.WaitGroup{}
+							wg.Add((len(queries)))
+							for field, query := range queries {
+								go func(queryField string, queryName string, query string) {
+									defer wg.Done()
+									res, _, err := prom.Query(context.Background(), query, now)
+									if err != nil {
+										log.Printf("failed to fetch %s: %v\n", queryName, err)
+										return
+									}
+
+									queryResString := res.String()
+									if queryResString == "" {
+										log.Printf("failed to fetch %s: empty\n", queryName)
+										return
+									}
+									val, _ := parseQueryResString(queryResString)
+									switch queryField {
+									case eventspersec:
+										measurement.AvgEbpfRate = val
+									case lostpersec:
+										measurement.AvgLostEventsRate = val
+									case lostoverall:
+										measurement.LostEvents = int(val)
+									}
+								}(field, query.queryName, query.query)
+							}
+							wg.Wait()
+							switch outputMode {
+							case prettyOutput:
+								measurement.Print()
+							case jsonOutput:
+								measurement.PrintJson()
+							}
+						}
+					}
+				}
+			}()
+			<-done
+			return nil
+		},
+	}
+	err := app.Run(os.Args)
+	if err != nil {
+		log.Fatal(err)
+	}
+}
+
+func parseQueryResString(queryRes string) (float64, error) {
+	startIndex := strings.LastIndex(queryRes, "=> ") + 3
+	lastIndex := strings.LastIndex(queryRes, "@[") - 1
+	return strconv.ParseFloat(queryRes[startIndex:lastIndex], 64)
+}
+
+func sigHandler() chan bool {
+	sigs := make(chan os.Signal, 1)
+	done := make(chan bool, 1)
+	signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		<-sigs
+		done <- true
+	}()
+	return done
+}

cmd/tracee-bench/main_test.go

@@ -0,0 +1,29 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseQueryResString(t *testing.T) {
+	testCases := []struct {
+		resultString   string
+		expectedResult float64
+	}{
+		{
+			resultString:   `{instance="localhost:3366", job="prometheus"} => 4485.236363636363 @[1648131101.208]`,
+			expectedResult: 4485.236363636363,
+		},
+		{
+			resultString:   `{instance="localhost:3366", job="prometheus"} => 4544.054545454545 @[1648131106.208]`,
+			expectedResult: 4544.054545454545,
+		},
+	}
+
+	for _, tc := range testCases {
+		res, err := parseQueryResString(tc.resultString)
+		assert.NoError(t, err)
+		assert.Equal(t, tc.expectedResult, res)
+	}
+}

cmd/tracee-bench/prometheus.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+docker run -d --rm \
+    -p 9090:9090 \
+    --net=host \
+    --mount type=bind,source="$(pwd)"/prometheus.yml,target=/etc/prometheus/prometheus.yml \
+    prom/prometheus

cmd/tracee-bench/prometheus.yml

@@ -0,0 +1,6 @@
+# A scrape configuration containing exactly one endpoint to scrape:
+scrape_configs:
+  - job_name: 'tracee'
+    scrape_interval: 5s
+    static_configs:
+      - targets: ['localhost:3366', 'localhost:4466']

cmd/tracee-bench/readme.md

@@ -0,0 +1,18 @@
+# Documentation
+
+`tracee-bench` is a promQL based tool to query `tracee-ebpf` runtime performance metrics.
+It can be used to benchmark tracee's event pipeline's (see [here](https://aquasecurity.github.io/tracee/dev/architecture/)) performance on your environment.
+
+## Enabling Prometheus
+
+In order to use prometheus with tracee see [this](https://aquasecurity.github.io/tracee/dev/integrating/prometheus/) documentation.
+A simple script for running a prometheus container scraping tracee is available in this repository in `prometheus.sh`.
+
+## Metrics tracked
+
+`tracee-bench` tracks three important stats about tracee's performance in your environment:1
+1. Avg rate of events emitted per second
+2. Avg rate of events lost per second
+3. Overall events lost
+
+Ideal performance of tracee should have a stable throughput of events emitted with minimal event loss. If heavy event loss occurs, consider tuning tracee either through [filtering](https://aquasecurity.github.io/tracee/dev/tracing/event-filtering/) or allocating additional CPU (if running on kubernetes).

go.mod

@@ -60,6 +60,7 @@ require (
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/huandu/xstrings v1.3.1 // indirect
 	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.13.6 // indirect
 	github.com/magiconair/properties v1.8.5 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
@@ -70,6 +71,8 @@ require (
 	github.com/moby/sys/mountinfo v0.5.0 // indirect
 	github.com/moby/sys/signal v0.6.0 // indirect
 	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20211202183452-c5a74bcca799 // indirect

go.sum

@@ -638,11 +638,13 @@ github.com/joefitzgerald/rainbow-reporter v0.1.0/go.mod h1:481CNgqmVHQZzdIbN52Cu
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/jonboulle/clockwork v0.2.2/go.mod h1:Pkfl5aHPm1nk2H9h0bjmnJD/BcgbGXUBGnn1kMkgxc8=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
@@ -732,9 +734,11 @@ github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXy
 github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 h1:yH0SvLzcbZxcJXho2yh7CqdENGMQe73Cw3woZBpPli0=
 github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/morikuni/aec v0.0.0-20170113033406-39771216ff4c/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
@@ -743,6 +747,7 @@ github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2
 github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f h1:KUppIJq7/+SVif2QVs3tOP0zanoHgBEVAwHxUSIzRqU=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM=
@@ -1203,6 +1208,7 @@ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1446,6 +1452,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/cloud v0.0.0-20151119220103-975617b05ea8/go.mod h1:0H1ncTHf11KCFhTc/+EFRbzSCOZx+VUbRMk55Yv5MYk=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=