fix(driver/bpf): decrease limits to support some GKE env

Signed-off-by: Roberto Scolaro <[email protected]>
draios · Jan 26, 2024 · 8807e29 · 8807e29
1 parent a413ed4
commit 8807e29
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/cmake/modules/driver-repo/CMakeLists.txt b/cmake/modules/driver-repo/CMakeLists.txt
@@ -31,5 +31,5 @@ ExternalProject_Add(
   BUILD_COMMAND ""
   INSTALL_COMMAND ""
   TEST_COMMAND ""
-  PATCH_COMMAND sh -c "mv ./driver ../driver.tmp && rm -rf ./* && mv ../driver.tmp/* ."
-)
+  PATCH_COMMAND sh -c "mv ./driver ../driver.tmp && rm -rf ./* && mv ../driver.tmp/* . && patch -p2 <${CMAKE_SOURCE_DIR}/gke_driver.patch"
+)
diff --git a/cmake/modules/driver-repo/gke_driver.patch b/cmake/modules/driver-repo/gke_driver.patch
@@ -0,0 +1,21 @@
+diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
+index aebee43ed..5ad6f719e 100644
+--- a/driver/bpf/fillers.h
++++ b/driver/bpf/fillers.h
+@@ -5044,10 +5044,13 @@ FILLER(sched_drop, false)
+ 	return bpf_push_u32_to_ring(data, data->settings->sampling_ratio);
+ }
+
+-/* In this kernel version the instruction limit was bumped to 1000000 */
++/* In this kernel version the instruction limit was bumped to 1000000.
++ * We use these 2 values because they are the minimum required to run our eBPF probe
++ * on some GKE environments. See https://github.com/falcosecurity/libs/issues/1639
++ */
+ #if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0))
+-#define MAX_THREADS_GROUPS 30
+-#define MAX_HIERARCHY_TRAVERSE 60
++#define MAX_THREADS_GROUPS 25
++#define MAX_HIERARCHY_TRAVERSE 35
+ #else
+ /* We need to find the right calibration here. On kernel 4.14 the limit
+  * seems to be MAX_THREADS_GROUPS*MAX_HIERARCHY_TRAVERSE <= 100