Refactor eBPF logger for modularity

desaivaishnavi25 · desaivaishnavi25 · commit ca21918394cf · 2025-06-01T17:32:07.000+05:30
diff --git a/cmd/listener/main.go b/cmd/listener/main.go
@@ -1,90 +1,82 @@
+// main.go
 package main
 
 import (
-	"bytes"
-	"encoding/binary"
+	"flag"
+	"fmt"
 	"log"
 	"os"
 	"os/signal"
 	"syscall"
 
-	"go-ebp-logger/internal/event"
+	"go-ebp-logger/internal/bpfmanager" 
+	"go-ebp-logger/internal/event"     
 
-	"github.com/cilium/ebpf"
-	"github.com/cilium/ebpf/link"
-	"github.com/cilium/ebpf/ringbuf"
+	"github.com/cilium/ebpf/ringbuf" 
 )
 
 func main() {
-	bpfObj := "monitor.bpf.o"
-	spec, err := ebpf.LoadCollectionSpec(bpfObj)
-	if err != nil {
-		log.Fatalf("Failed to load BPF spec: %v", err)
+	
+	done := make(chan struct{})
+	flag.Usage = func() {
+		fmt.Fprintf(os.Stderr, "Usage: %s <bpf-object-file>\n", os.Args[0])
+	}
+	flag.Parse()
+	if flag.NArg() < 1 {
+		flag.Usage()
+		os.Exit(1)
 	}
+	bpfObjPath := flag.Arg(0) 
 
-	coll, err := ebpf.NewCollection(spec)
+	bpfManager, err := bpfmanager.NewBPFManager(bpfObjPath)
 	if err != nil {
-		log.Fatalf("Failed to load BPF collection: %v", err)
+		log.Fatalf("Failed to initialize BPF manager: %v", err)
 	}
-	defer coll.Close()
+	defer bpfManager.Close()
 
-	prog := coll.Programs["trace_read"]
-	if prog == nil {
-		log.Fatalf("Program 'trace_read' not found")
-	}
 
-	kp, err := link.Kprobe("vfs_read", prog, nil)
-	if err != nil {
-		log.Fatalf("Failed to attach kprobe: %v", err)
+	if err := bpfManager.AttachKprobe("vfs_read", "trace_read"); err != nil {
+		log.Fatalf("Failed to attach kprobe for vfs_read: %v", err)
 	}
-	defer kp.Close()
-
-	monitoredInodeMap := coll.Maps["monitored_inodes"]
-    if monitoredInodeMap == nil {
-        log.Printf("Map 'monitored_inode' not found in collection. Skipping pinning.")
-    } else {
-        pinPath := "/sys/fs/bpf/monitored_inode"
-        if err := os.Remove(pinPath); err != nil && !os.IsNotExist(err) {
-            log.Printf("Warning: failed to remove existing pin at %s: %v", pinPath, err)
-        }
-
-        if err := monitoredInodeMap.Pin(pinPath); err != nil {
-            log.Fatalf("Failed to pin map 'monitored_inode' to %s: %v", pinPath, err)
-        }
-        log.Printf("Map 'monitored_inode' pinned to %s", pinPath)
-    }
-
-
-	events := coll.Maps["events"]
-	if events == nil {
-		log.Fatalf("Map 'events' not found")
+
+
+	if err := bpfManager.PinMap("monitored_inodes", "/sys/fs/bpf/monitored_inode"); err != nil {
+		log.Fatalf("Failed to pin 'monitored_inodes' map: %v", err)
 	}
 
-	rd, err := ringbuf.NewReader(events)
-	if err != nil {
-		log.Fatalf("Failed to create ring buffer reader: %v", err)
+
+	if err := bpfManager.InitRingBufferReader("events"); err != nil {
+		log.Fatalf("Failed to initialize event reader: %v", err)
 	}
-	defer rd.Close()
+	rd := bpfManager.GetEventReader()
+
+	fmt.Println("Waiting for events... Press Ctrl+C to stop.")
+
 
-	log.Println("Listening for events... Press Ctrl+C to stop.")
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
 
-loop:
-	for {
-		select {
-		case <-sigCh:
-			break loop
-		default:
-			record, err := rd.Read()
-			if err != nil {
-				log.Printf("Failed to read from ring buffer: %v", err)
-				continue
-			}
-			var e event.Data
-			if err := binary.Read(bytes.NewReader(record.RawSample), binary.LittleEndian, &e); err == nil {
-				event.Print(e)
+	go func() {
+		for {
+			select {
+			case <-done: 
+				return 
+			default:
+				record, err := rd.Read()
+				if err != nil {
+					if ringbuf.Is  (err) {
+						log.Println("Ring buffer reader closed, exiting event processing goroutine.")
+						return 
+					}
+					log.Printf("Failed to read from ring buffer: %v", err)
+					continue 
+				}
+				event.Print(record.RawSample)
 			}
 		}
-	}
-}
+	}()
+
+	<-sigCh
+	close(done)
+	fmt.Println("\nExiting...")
+}
diff --git a/internal/ebpfmanager/bpfmanager.go b/internal/ebpfmanager/bpfmanager.go
@@ -0,0 +1,109 @@
+package bpfmanager
+
+import (
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/link"
+	"github.com/cilium/ebpf/ringbuf"
+)
+
+type BPFManager struct {
+	collection *ebpf.Collection
+	reader     *ringbuf.Reader
+	links      []link.Link 
+}
+
+
+func NewBPFManager(bpfObjPath string) (*BPFManager, error) {
+	spec, err := ebpf.LoadCollectionSpec(bpfObjPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load BPF spec from %s: %w", bpfObjPath, err)
+	}
+	coll, err := ebpf.NewCollection(spec)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load BPF collection: %w", err)
+	}
+	return &BPFManager{
+		collection: coll,
+		links: make([]link.Link, 0), 
+	}, nil
+}
+
+
+
+func (bm *BPFManager) AttachKprobe(kernelSymbol string, programName string) error {
+	prog := bm.collection.Programs[programName]
+	if prog == nil {
+		return fmt.Errorf("eBPF program '%s' not found in collection", programName)
+	}
+	kp, err := link.Kprobe(kernelSymbol, prog, nil)
+	if err != nil {
+		return fmt.Errorf("failed to attach kprobe to '%s' using program '%s': %w", kernelSymbol, programName, err)
+	}
+	bm.links = append(bm.links, kp) 
+	log.Printf("Successfully attached kprobe: %s -> %s", kernelSymbol, programName)
+	return nil
+}
+
+
+
+func (bm *BPFManager) InitRingBufferReader(mapName string) error {
+	eventsMap := bm.collection.Maps[mapName]
+	if eventsMap == nil {
+		return fmt.Errorf("eBPF map '%s' not found in collection", mapName)
+	}
+	rd, err := ringbuf.NewReader(eventsMap)
+	if err != nil {
+		return fmt.Errorf("failed to create ring buffer reader for map '%s': %w", mapName, err)
+	}
+	bm.reader = rd 
+	log.Printf("Initialized ring buffer reader for map: %s", mapName)
+	return nil
+}
+
+
+
+func (bm *BPFManager) GetEventReader() *ringbuf.Reader {
+	return bm.reader
+}
+
+
+
+func (bm *BPFManager) PinMap(mapName string, pinPath string) error {
+	bpfMap := bm.collection.Maps[mapName]
+	if bpfMap == nil {
+		log.Printf("Map '%s' not found in collection. Skipping pinning.", mapName)
+		return nil
+	}
+	if err := os.Remove(pinPath); err != nil && !os.IsNotExist(err) {
+		log.Printf("Warning: failed to remove existing pin at %s: %v", pinPath, err)
+	}
+	if err := bpfMap.Pin(pinPath); err != nil {
+		return fmt.Errorf("failed to pin map '%s' to %s: %w", mapName, pinPath, err)
+	}
+	log.Printf("Map '%s' pinned to %s", mapName, pinPath)
+	return nil
+}
+
+
+func (bm *BPFManager) Close() {
+	for _, l := range bm.links {
+		if err := l.Close(); err != nil {
+			log.Printf("Error closing BPF link: %v", err)
+		}
+	}
+	if bm.reader != nil {
+		if err := bm.reader.Close(); err != nil {
+			log.Printf("Error closing ring buffer reader: %v", err)
+		}
+	}
+	if bm.collection != nil {
+		if err := bm.collection.Close(); err != nil {
+			log.Printf("Error closing BPF collection: %v", err)
+		}
+	}
+	log.Println("All eBPF resources released.")
+}
