Add support for other container engines

With this change, quark k8s awareness works on non-docker runtimes.  Spotted
when running quark on GKE which uses containerd like most modern k8s
deployments.

We only support the systemd scheme, meaning foo-<id>.scope.

Co-authored-by: Christiano Haesbaert <[email protected]>

Author: stanek-michal

quark-test.c

@@ -1220,6 +1220,47 @@ t_dns(const struct test *t, struct quark_queue_attr *qa)
 	return (0);
 }
 
+static int
+t_cgroup_parse(const struct test *t, struct quark_queue_attr *qa)
+{
+	char	cid[NAME_MAX];
+	int	i, r;
+
+	struct {
+		const char	*in;
+		const char	*out;
+		int		 expected_ret;	/* -1 fail, 0 found, any other fail */
+	} cases[] = {
+		{ "foo/docker-f6aa2e3fa923d32f4d7905727cf1011148e4da0fd101492e98a27e8c55c5c829.scope",
+		  "docker://f6aa2e3fa923d32f4d7905727cf1011148e4da0fd101492e98a27e8c55c5c829",
+		  0 },
+		{ "foo/cri-containerd-abc123def456.scope", "containerd://abc123def456", 0 },
+		{ "foo/containerd-abc123def456.scope", "containerd://abc123def456", 0 },
+		{ "foo/crio-0123456789abcdef.scope", "cri-o://0123456789abcdef", 0 },
+		/* negative cases */
+		{ "crio-0123456789abcdef.scope", "cri-o://0123456789abcdef", -1 },
+		{ "docker-.scope", NULL, -1 },
+		{ "containerd-.scope", NULL, -1 },
+		{ "crio-.scope", NULL, -1 },
+		{ "nothex", NULL, -1 },
+		{ "ABCDEF", NULL, -1 },
+		{ "something-abcdef.scope", NULL, -1 },
+		{ "docker-abcdef.scopeX", NULL, -1 },
+		{ NULL, NULL, -1 }
+	};
+
+	for (i = 0; cases[i].in != NULL; i++) {
+		bzero(cid, sizeof(cid));
+
+		r = parse_kube_cgroup(cases[i].in, cid, sizeof(cid));
+		assert(r == cases[i].expected_ret);
+		if (r == 0)
+			assert(!strcmp(cid, cases[i].out));
+	}
+
+	return (0);
+}
+
 /*
  * Try to order by increasing order of complexity
  */
@@ -1239,6 +1280,7 @@ struct test all_tests[] = {
 	T_EBPF(t_tty),
 	T_EBPF(t_sock_conn),
 	T_EBPF(t_dns),
+	T_EBPF(t_cgroup_parse),
 	T(t_namespace),
 	T(t_cache_grace),
 	T(t_min_agg),

quark.c

@@ -1227,36 +1227,86 @@ read_kube_events(struct quark_queue *qq)
 	}
 }
 
+/*
+ * Build the kubernetes container_id from a cgroup
+ * cgroup is what we get from the kernel, like docker-<id>.scope.
+ * container_id is how kubernetes sees it, like docker://<id>.
+ * Returns 0 if container_id is filled, -1 otherwise.
+ * Keep this function non static so we can test it.
+ */
+int
+parse_kube_cgroup(const char *cgroup, char *container_id, size_t container_id_len)
+{
+	char		*name, *dot, *id;
+	const char	*lookup_prefix;
+	int		 r, id_skip;
+
+	if ((name = strrchr(cgroup, '/')) == NULL)
+		return (-1);
+	name++;
+
+	/*
+	 * Atm we only accept the systemd format, foo-<id>.scope
+	 * docker-<id>.scope                 -> docker://<id>
+	 * crio-<id>.scope|libpod-<id>.scope -> cri-o://<id>
+	 * cri-containerd-<id>.scope         -> containerd://<id>
+	 * containerd-<id>.scope             -> containerd://<id>
+	 */
+	id_skip = 0;
+
+	lookup_prefix = NULL;
+	if (!strncmp(name, "docker-", 7)) {
+		id_skip = 7;
+		lookup_prefix = "docker";
+	} else if (!strncmp(name, "crio-", 5)) {
+		id_skip = 5;
+		lookup_prefix = "cri-o";
+	} else if (!strncmp(name, "libpod-", 7)) {
+		id_skip = 7;
+		lookup_prefix = "cri-o";
+	} else if (!strncmp(name, "cri-containerd-", 15)) {
+		id_skip = 15;
+		lookup_prefix = "containerd";
+	} else if (!strncmp(name, "containerd-", 11)) {
+		id_skip = 11;
+		lookup_prefix = "containerd";
+	} else
+		return (-1);
+
+	/*
+	 * id starts after the foo- prefix, we still need to chomp the trailing
+	 * .scope
+	 */
+	id = name + id_skip;
+
+	/* copy the whole thing with the lookup_prefix, and then chomp .scope */
+	r = snprintf(container_id, container_id_len,
+	    "%s://%s", lookup_prefix, id);
+	if (r < 0 || r >= (int)container_id_len)
+		return (-1);
+	dot = strrchr(container_id, '.');
+	if (dot == NULL)
+		return (-1);
+	*dot = 0;
+
+	return (0);
+}
+
 static void
 link_kube_data(struct quark_queue *qq, struct quark_process *qp)
 {
-	struct quark_container		*container;
-	char				*name, *dot;
-	char				 container_id[NAME_MAX];
-	int				 r;
+	struct quark_container	*container;
+	char			 cid[NAME_MAX];
 
 	if (qp == NULL)
 		return;
 	if ((qp->flags & QUARK_F_CONTAINER) || qp->container != NULL)
 		return;
 	if (!(qp->flags & QUARK_F_CGROUP))
 		return;
-	if ((name = strrchr(qp->cgroup, '/')) == NULL)
-		return;
-	name++;
-	/* docker-f6aa2e3fa923d32f4d7905727cf1011148e4da0fd101492e98a27e8c55c5c829.scope */
-	/* "containerID": "docker://f6aa2e3fa923d32f4d7905727cf1011148e4da0fd101492e98a27e8c55c5c829", */
-	if (strncmp(name, "docker-", 7))
-		return;
-	name += 7;
-	r = snprintf(container_id, sizeof(container_id), "docker://%s", name);
-	if (r < 0 || r >= (int)(sizeof(container_id)))
+	if (parse_kube_cgroup(qp->cgroup, cid, sizeof(cid)) == -1)
 		return;
-	dot = strrchr(container_id, '.');
-	if (dot == NULL)
-		return;
-	*dot = 0;
-	if ((container = container_lookup(qq, container_id)) == NULL)
+	if ((container = container_lookup(qq, cid)) == NULL)
 		return;
 
 	qp->container = container;

quark.h

@@ -61,6 +61,8 @@ void	 quark_socket_iter_init(struct quark_socket_iter *, struct quark_queue *);
 const struct quark_socket *quark_socket_iter_next(struct quark_socket_iter *);
 const struct quark_socket *quark_socket_lookup(struct quark_queue *,
     struct quark_sockaddr *, struct quark_sockaddr *);
+/* quark.c: These are exported for testing only */
+int	 parse_kube_cgroup(const char *, char *, size_t);
 
 /* btf.c */
 struct quark_btf_target {