|
| 1 | +# Custom Path-Specific Metrics for GVisor |
| 2 | + |
| 3 | +## Motivation |
| 4 | + |
| 5 | +Current GVisor metrics provide general filesystem and network access information, but lack path-specific granularity that is crucial for understanding application behavior. Many use cases require tracking access patterns to specific directories or file systems to optimize performance, ensure security compliance, and enable better observability. |
| 6 | + |
| 7 | +For example, organizations need to: |
| 8 | +- Monitor access patterns to sensitive directories |
| 9 | +- Track filesystem usage by application components |
| 10 | +- Understand data flow patterns for optimization |
| 11 | +- Enable fine-grained debugging of filesystem bottlenecks |
| 12 | + |
| 13 | +The existing GVisor metrics system provides excellent general visibility but cannot answer questions like "how often are specific paths being accessed?" or "which applications are reading/writing to particular directories?" This gap limits the effectiveness of performance analysis and security monitoring. |
| 14 | + |
| 15 | +## Proposed Solutions |
| 16 | + |
| 17 | +We propose two approaches to extend GVisor's metrics system with path-specific tracking capabilities: |
| 18 | + |
| 19 | +### Solution 1: Full Syscall Configuration (Recommended) |
| 20 | + |
| 21 | +**Overview**: Implement a new `--path-metrics-config` flag that accepts a YAML configuration file specifying both path prefixes to monitor AND which specific syscalls to track for each path. |
| 22 | + |
| 23 | +**Implementation**: |
| 24 | +- Add command-line flag for runtime configuration |
| 25 | +- YAML config format for specifying monitored paths and specific syscalls |
| 26 | +- Filesystem layer modifications to intercept and track configured syscalls |
| 27 | +- Emit separate metrics counters for each path-syscall combination |
| 28 | + |
| 29 | +**Usage**: |
| 30 | +```bash |
| 31 | +# Runtime integration |
| 32 | +runsc create --path-metrics-config=/etc/gvisor/path-metrics.yaml container_id |
| 33 | + |
| 34 | +# Docker integration |
| 35 | +docker run --runtime=runsc \ |
| 36 | + --runtime-arg="--path-metrics-config=/etc/gvisor/path-metrics.yaml" \ |
| 37 | + --name=container image |
| 38 | +``` |
| 39 | + |
| 40 | +**Configuration Example**: |
| 41 | +```yaml |
| 42 | +path_metrics: |
| 43 | + - path_prefix: "/mnt/data" |
| 44 | + syscalls: ["open", "openat", "read", "write", "pread", "pwrite", "stat", "fstat", "close"] |
| 45 | + - path_prefix: "/app/storage" |
| 46 | + syscalls: ["open", "read", "write", "stat"] |
| 47 | + - path_prefix: "/tmp" |
| 48 | + syscalls: ["open", "write", "close"] |
| 49 | +``` |
| 50 | +
|
| 51 | +**Usage**: |
| 52 | +```bash |
| 53 | +# Export all metrics including path-specific ones |
| 54 | +sudo runsc --root=/var/run/docker/runtime-runc/moby export-metrics container_id | grep "runsc_path_" |
| 55 | +``` |
| 56 | + |
| 57 | +**Expected Output**: |
| 58 | +``` |
| 59 | +# HELP runsc_path_syscall_opens Number of open syscalls for specific path. |
| 60 | +# TYPE runsc_path_syscall_opens counter |
| 61 | +runsc_path_syscall_opens{sandbox="c7ce77796e0ece4c",path="/mnt/data"} 142 1674690410469 |
| 62 | +runsc_path_syscall_opens{sandbox="c7ce77796e0ece4c",path="/app/storage"} 67 1674690410469 |
| 63 | +
|
| 64 | +# HELP runsc_path_syscall_reads Number of read syscalls for specific path. |
| 65 | +# TYPE runsc_path_syscall_reads counter |
| 66 | +runsc_path_syscall_reads{sandbox="c7ce77796e0ece4c",path="/mnt/data"} 1057 1674690410469 |
| 67 | +runsc_path_syscall_reads{sandbox="c7ce77796e0ece4c",path="/app/storage"} 234 1674690410469 |
| 68 | +
|
| 69 | +# HELP runsc_path_syscall_writes Number of write syscalls for specific path. |
| 70 | +# TYPE runsc_path_syscall_writes counter |
| 71 | +runsc_path_syscall_writes{sandbox="c7ce77796e0ece4c",path="/mnt/data"} 89 1674690410469 |
| 72 | +``` |
| 73 | + |
| 74 | +**Benefits**: |
| 75 | +- Maximum flexibility for different monitoring needs |
| 76 | +- Can track any syscall pattern for specific paths |
| 77 | +- Extensible to new paths and syscall combinations |
| 78 | +- Upstream acceptance potential due to comprehensive utility |
| 79 | +- Fine-grained control over performance impact |
| 80 | + |
| 81 | +**Trade-offs**: |
| 82 | +- More complex configuration management |
| 83 | +- Higher implementation complexity |
| 84 | +- Requires deeper syscall interception |
| 85 | + |
| 86 | +### Solution 2: Simplified Path-Only Configuration |
| 87 | + |
| 88 | +**Overview**: Implement a streamlined configuration approach that only requires specifying path prefixes, automatically tracking the most commonly needed metrics (read and write operations) for those paths. |
| 89 | + |
| 90 | +**Implementation**: |
| 91 | +- Same `--path-metrics-config` flag but simplified config format |
| 92 | +- Automatically tracks read/write operations and byte counts |
| 93 | +- Focus on the most popular use case (file access patterns) |
| 94 | +- Simpler filesystem layer modifications |
| 95 | + |
| 96 | +**Configuration Example**: |
| 97 | +```yaml |
| 98 | +monitored_paths: |
| 99 | + - "/mnt/data" |
| 100 | + - "/app/storage" |
| 101 | + - "/tmp" |
| 102 | +``` |
| 103 | +
|
| 104 | +**Usage**: |
| 105 | +```bash |
| 106 | +# Export path-specific read/write metrics |
| 107 | +sudo runsc --root=/var/run/docker/runtime-runc/moby export-metrics container_id | grep "runsc_path_" |
| 108 | +``` |
| 109 | + |
| 110 | +**Expected Output**: |
| 111 | +``` |
| 112 | +# HELP runsc_path_read_operations Number of read operations for specific path. |
| 113 | +# TYPE runsc_path_read_operations counter |
| 114 | +runsc_path_read_operations{sandbox="c7ce77796e0ece4c",path="/mnt/data"} 1057 1674690410469 |
| 115 | +runsc_path_read_operations{sandbox="c7ce77796e0ece4c",path="/app/storage"} 234 1674690410469 |
| 116 | +
|
| 117 | +# HELP runsc_path_write_operations Number of write operations for specific path. |
| 118 | +# TYPE runsc_path_write_operations counter |
| 119 | +runsc_path_write_operations{sandbox="c7ce77796e0ece4c",path="/mnt/data"} 89 1674690410469 |
| 120 | +
|
| 121 | +# HELP runsc_path_bytes_read Total bytes read from specific path. |
| 122 | +# TYPE runsc_path_bytes_read counter |
| 123 | +runsc_path_bytes_read{sandbox="c7ce77796e0ece4c",path="/mnt/data"} 2847392 1674690410469 |
| 124 | +runsc_path_bytes_read{sandbox="c7ce77796e0ece4c",path="/app/storage"} 1024768 1674690410469 |
| 125 | +
|
| 126 | +# HELP runsc_path_bytes_written Total bytes written to specific path. |
| 127 | +# TYPE runsc_path_bytes_written counter |
| 128 | +runsc_path_bytes_written{sandbox="c7ce77796e0ece4c",path="/mnt/data"} 156432 1674690410469 |
| 129 | +``` |
| 130 | + |
| 131 | +**Benefits**: |
| 132 | +- Simple configuration - just specify paths |
| 133 | +- Covers most common monitoring needs (read/write patterns) |
| 134 | +- Easier to deploy and maintain |
| 135 | +- Lower implementation complexity |
| 136 | +- Still configurable and flexible for path selection |
| 137 | + |
| 138 | +**Trade-offs**: |
| 139 | +- Less granular than full syscall tracking |
| 140 | +- Fixed to read/write metrics only |
| 141 | +- Cannot track other syscalls like stat, open patterns |
| 142 | + |
| 143 | + |
| 144 | +## Next Steps |
| 145 | + |
| 146 | +Both solutions use the same flag mechanism and can be implemented incrementally. We'd appreciate feedback on: |
| 147 | + |
| 148 | +1. Which approach better aligns with GVisor's design philosophy |
| 149 | +2. Any concerns about the proposed configuration formats |
| 150 | +3. Preferred implementation approach for the filesystem layer modifications |
| 151 | +4. Feedback on the proposed metric naming conventions and output format |
| 152 | +5. Interest in upstream contribution and collaboration |
0 commit comments