pkg/sensors: exclude shared maps memory use on policies

Avoid to double count for shared maps, like the execve_maps for example. I decided keep a record of global maps for accounting. At first I implemented it by reading the global BPF fs directory, this might use too much CPU since we should be aware of what are the current global maps since we load them ourselves, so instead I hooked in the loading of global maps. Signed-off-by: Mahe Tardy <[email protected]>
cilium · Oct 8, 2024 · 4eb735a · 4eb735a
1 parent f842b0a
commit 4eb735a
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/pkg/sensors/program/map.go b/pkg/sensors/program/map.go
@@ -104,6 +104,10 @@ type Map struct {
 	Owner        bool
 }
 
+// GlobalMaps keeps a record of all global maps to exclude them from per policy
+// memory map accounting.
+var GlobalMaps map[string]bool
+
 // Map holds pointer to Program object as a source of its ebpf object
 // file. We assume all the programs sharing the map have same map
 // definition, so it's ok to use the first program if there's more.
@@ -118,6 +122,16 @@ type Map struct {
 //	...
 //	p.PinMap["mapX"] = &mapX
 func mapBuilder(name string, ty MapType, owner bool, lds ...*Program) *Map {
+	if ty == MapTypeGlobal {
+		if GlobalMaps == nil {
+			GlobalMaps = make(map[string]bool)
+		}
+		key := name
+		if len(name) > 15 {
+			key = name[:15]
+		}
+		GlobalMaps[key] = true
+	}
 	m := &Map{name, "", lds[0], Idle(), nil, MaxEntries{0, false}, MaxEntries{0, false}, ty, owner}
 	for _, ld := range lds {
 		ld.PinMap[name] = m

diff --git a/pkg/sensors/sensors.go b/pkg/sensors/sensors.go
@@ -101,8 +101,15 @@ func (s Sensor) TotalMemlock() int {
 
 	var total int
 	for _, info := range uniqueMap {
+		// we are using info.Name that is truncated to 15 chars to exclude
+		// global maps, a more resilient implementation could use ID but this
+		// should be enough.
+		if program.GlobalMaps[info.Name] {
+			continue
+		}
 		total += info.Memlock
 	}
+
 	return total
 }