fix(dropreason): Check ftrace_enabled required for fexit programs (#1926)

SRodi · web-flow · commit cbfce9b40ec1 · 2025-11-05T14:02:21.000Z
# Description Adds a check for `/proc/sys/kernel/ftrace_enabled` before deciding to use fexit eBPF programs. When ftrace is disabled, the plugin will fall back to kprobes. ## Changes - Added `IsFtraceEnabled()` helper function in `pkg/plugin/common/common_linux.go` that reads `/proc/sys/kernel/ftrace_enabled` - Updated `getEbpfPayload()` to check ftrace status and log it - Modified `resolvePayload()` to accept `ftraceEnabled` parameter and only use fexit programs when ftrace is enabled (in addition to existing kernel version/architecture requirements) - Updated documentation to clarify that fexit programs require ftrace to be enabled ## Behavior - **Before**: Plugin would attempt to use fexit programs based only on kernel version and architecture, potentially failing when ftrace is disabled - **After**: Plugin checks ftrace status and gracefully falls back to kprobes when ftrace is disabled ## Related Issue If this pull request is related to any issue, please mention it here. Additionally, make sure that the issue is assigned to you before submitting this pull request. ## Checklist - [x] I have read the [contributing documentation](https://retina.sh/docs/Contributing/overview). - [x] I signed and signed-off the commits (`git commit -S -s ...`). See [this documentation](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification) on signing commits. - [x] I have correctly attributed the author(s) of the code. - [x] I have tested the changes locally. - [x] I have followed the project's style guidelines. - [x] I have updated the documentation, if necessary. - [x] I have added tests, if applicable. ## Screenshots (if applicable) or Testing Completed Verified on kernel 6.6.0 with both ftrace enabled and disabled scenarios. When ftrace is enabled fexit programs are used. When ftrace is disabled, the plugin uses kprobes/kretprobes. <img width="1739" height="677" alt="image" src="https://github.com/user-attachments/assets/39ae49f2-7600-4ab0-aa68-8abd0c6d0472" /> <img width="1743" height="806" alt="image" src="https://github.com/user-attachments/assets/25aef3cf-fc27-4dae-8328-4d4e50d43ca9" /> ## Additional Notes Add any additional notes or context about the pull request here. --- Please refer to the [CONTRIBUTING.md](../CONTRIBUTING.md) file for more information on how to contribute to this project.
diff --git a/pkg/plugin/common/common_linux.go b/pkg/plugin/common/common_linux.go
@@ -138,3 +138,13 @@ func readIDField(path string) string {
 	}
 	return ""
 }
+
+// IsFtraceEnabled checks if ftrace is enabled in the kernel.
+// This is required for fexit/fentry programs to work.
+func IsFtraceEnabled() bool {
+	data, err := os.ReadFile("/proc/sys/kernel/ftrace_enabled")
+	if err != nil {
+		return false
+	}
+	return strings.TrimSpace(string(data)) == "1"
+}
diff --git a/pkg/plugin/dropreason/dropreason_linux_test.go b/pkg/plugin/dropreason/dropreason_linux_test.go
@@ -484,6 +484,7 @@ func TestResolveEbpfPayload(t *testing.T) {
 		kv                semver.Version
 		isMariner         bool
 		isPodLevel        bool
+		ftraceEnabled     bool
 		wantType          string
 		wantSupportsFexit bool
 	}{
@@ -493,6 +494,7 @@ func TestResolveEbpfPayload(t *testing.T) {
 			kv:                mustVersion("5.4.0"),
 			isMariner:         false,
 			isPodLevel:        false,
+			ftraceEnabled:     true,
 			wantType:          "*dropreason.allKprobeObjects",
 			wantSupportsFexit: false,
 		},
@@ -502,6 +504,7 @@ func TestResolveEbpfPayload(t *testing.T) {
 			kv:                mustVersion("5.10.0"),
 			isMariner:         false,
 			isPodLevel:        false,
+			ftraceEnabled:     true,
 			wantType:          "*dropreason.allFexitObjects",
 			wantSupportsFexit: true,
 		},
@@ -511,6 +514,7 @@ func TestResolveEbpfPayload(t *testing.T) {
 			kv:                mustVersion("5.10.0"),
 			isMariner:         true,
 			isPodLevel:        false,
+			ftraceEnabled:     true,
 			wantType:          "*dropreason.marinerObjects",
 			wantSupportsFexit: true,
 		},
@@ -520,6 +524,7 @@ func TestResolveEbpfPayload(t *testing.T) {
 			kv:                mustVersion("5.8.0"),
 			isMariner:         true,
 			isPodLevel:        false,
+			ftraceEnabled:     true,
 			wantType:          "*dropreason.allKprobeObjects",
 			wantSupportsFexit: false,
 		},
@@ -529,6 +534,7 @@ func TestResolveEbpfPayload(t *testing.T) {
 			kv:                mustVersion("6.1.0"),
 			isMariner:         true,
 			isPodLevel:        false,
+			ftraceEnabled:     true,
 			wantType:          "*dropreason.marinerObjects",
 			wantSupportsFexit: true,
 		},
@@ -538,14 +544,35 @@ func TestResolveEbpfPayload(t *testing.T) {
 			kv:                mustVersion("5.15.0"),
 			isMariner:         false,
 			isPodLevel:        true,
+			ftraceEnabled:     true,
+			wantType:          "*dropreason.allKprobeObjects",
+			wantSupportsFexit: false,
+		},
+		{
+			name:              "mariner with ftrace disabled - fallback to kprobes",
+			arch:              "amd64",
+			kv:                mustVersion("5.15.0"),
+			isMariner:         true,
+			isPodLevel:        false,
+			ftraceEnabled:     false,
+			wantType:          "*dropreason.allKprobeObjects",
+			wantSupportsFexit: false,
+		},
+		{
+			name:              "ubuntu with ftrace disabled - fallback to kprobes",
+			arch:              "amd64",
+			kv:                mustVersion("6.6.0"),
+			isMariner:         false,
+			isPodLevel:        false,
+			ftraceEnabled:     false,
 			wantType:          "*dropreason.allKprobeObjects",
 			wantSupportsFexit: false,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			objs, _, isFexit := resolvePayload(tt.arch, tt.kv, tt.isMariner, tt.isPodLevel)
+			objs, _, isFexit := resolvePayload(tt.arch, tt.kv, tt.isMariner, tt.isPodLevel, tt.ftraceEnabled)
 
 			if isFexit != tt.wantSupportsFexit {
 				t.Errorf("isFexit = %v, want %v", isFexit, tt.wantSupportsFexit)
diff --git a/pkg/plugin/dropreason/ebpfsetup_linux.go b/pkg/plugin/dropreason/ebpfsetup_linux.go
@@ -28,6 +28,7 @@ eBPF Program Support Matrix
 
 Program Type Selection:
 - If:
+  - Ftrace is enabled AND
   - Arch == amd64 and kernel >= 5.5
   - Arch == arm64 and kernel >= 6.0
     → Use `fexit`
@@ -44,13 +45,15 @@ Scope Selection:
 +-----------+------------------------+--------------+--------+
 | Distro    | Arch + Kernel          | Prog         | Scope  |
 +-----------+------------------------+--------------+--------+
-| Mariner   | amd64, kernel >= 5.5   | fexit        | core   |
-| Mariner   | arm64, kernel >= 6.0   | fexit        | core   |
-| Non-Marin | amd64, kernel >= 5.5   | fexit        | all    |
-| Non-Marin | arm64, kernel >= 6.0   | fexit        | all    |
+| Mariner   | amd64, kernel >= 5.5   | fexit*       | core   |
+| Mariner   | arm64, kernel >= 6.0   | fexit*       | core   |
+| Non-Marin | amd64, kernel >= 5.5   | fexit*       | all    |
+| Non-Marin | arm64, kernel >= 6.0   | fexit*       | all    |
 | *         | (otherwise)            | kprobe       | per OS |
 +-----------+------------------------+--------------+--------+
 
+* fexit requires ftrace to be enabled in the kernel
+
 core kernel funcs:
 - tcp_v4_connect
 - inet_csk_accept
@@ -74,16 +77,21 @@ func (dr *dropReason) getEbpfPayload() (objs interface{}, maps *kprobeMaps, supp
 	}
 	dr.l.Info("Detected kernel", zap.String("version", kv.String()))
 
-	objs, maps, supportsFexit = resolvePayload(runtime.GOARCH, kv, isMariner, dr.cfg.EnablePodLevel)
+	// Check if ftrace is enabled (required for fexit programs)
+	ftraceEnabled := plugincommon.IsFtraceEnabled()
+	dr.l.Info("Ftrace status", zap.Bool("enabled", ftraceEnabled))
+
+	objs, maps, supportsFexit = resolvePayload(runtime.GOARCH, kv, isMariner, dr.cfg.EnablePodLevel, ftraceEnabled)
 	return objs, maps, supportsFexit, nil
 }
 
-func resolvePayload(arch string, kv semver.Version, isMariner, isPodLevel bool) (interface{}, *kprobeMaps, bool) {
+func resolvePayload(arch string, kv semver.Version, isMariner, isPodLevel, ftraceEnabled bool) (interface{}, *kprobeMaps, bool) {
 	minVersionAmd64, _ := versioncheck.Version(MinAmdVersionNum)
 	minVersionArm64, _ := versioncheck.Version(MinArmVersionNum)
 
-	supportsFexit := (arch == "amd64" && kv.GTE(minVersionAmd64)) ||
-		(arch == "arm64" && kv.GTE(minVersionArm64))
+	supportsFexit := ftraceEnabled &&
+		((arch == "amd64" && kv.GTE(minVersionAmd64)) ||
+			(arch == "arm64" && kv.GTE(minVersionArm64)))
 
 	var objs interface{}
 	var maps *kprobeMaps
diff --git a/test/plugin/dropreason/main_linux.go b/test/plugin/dropreason/main_linux.go
@@ -30,7 +30,7 @@ func main() {
 
 	cfg := &kcfg.Config{
 		MetricsInterval: 1 * time.Second,
-		EnablePodLevel:  true,
+		EnablePodLevel:  true, // Set to false to test fexit programs
 	}
 
 	// Filtermanager.

Original file line number	Diff line number	Diff line change
`@@ -138,3 +138,13 @@ func readIDField(path string) string {`
`138`	`138`	`}`
`139`	`139`	`return ""`
`140`	`140`	`}`
	`141`	`+`
	`142`	`+// IsFtraceEnabled checks if ftrace is enabled in the kernel.`
	`143`	`+// This is required for fexit/fentry programs to work.`
	`144`	`+func IsFtraceEnabled() bool {`
	`145`	`+ data, err := os.ReadFile("/proc/sys/kernel/ftrace_enabled")`
	`146`	`+ if err != nil {`
	`147`	`+ return false`
	`148`	`+ }`
	`149`	`+ return strings.TrimSpace(string(data)) == "1"`
	`150`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ func main() {`
`30`	`30`
`31`	`31`	`cfg := &kcfg.Config{`
`32`	`32`	`MetricsInterval: 1 * time.Second,`
`33`		`- EnablePodLevel: true,`
	`33`	`+ EnablePodLevel: true, // Set to false to test fexit programs`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`// Filtermanager.`