|
| 1 | +# Custom Path-Specific Metrics for GVisor |
| 2 | + |
| 3 | +## Motivation |
| 4 | + |
| 5 | +Current GVisor metrics provide general filesystem and network access information, but lack path-specific granularity that is crucial for understanding application behavior. Many use cases require tracking access patterns to specific directories or file systems to optimize performance, ensure security compliance, and enable better observability. |
| 6 | + |
| 7 | +For example, organizations need to: |
| 8 | +- Monitor access patterns to sensitive directories |
| 9 | +- Track filesystem usage by application components |
| 10 | +- Understand data flow patterns for optimization |
| 11 | +- Enable fine-grained debugging of filesystem bottlenecks |
| 12 | + |
| 13 | +The existing GVisor metrics system provides excellent general visibility but cannot answer questions like "how often are specific paths being accessed?" or "which applications are reading/writing to particular directories?" This gap limits the effectiveness of performance analysis and security monitoring. |
| 14 | + |
| 15 | +## Proposed Solutions |
| 16 | + |
| 17 | +We propose two approaches to extend GVisor's metrics system with path-specific tracking capabilities: |
| 18 | + |
| 19 | +### Solution 1: Full Syscall Configuration (Recommended) |
| 20 | + |
| 21 | +**Overview**: Implement a new `--path-metrics-config` flag that accepts a YAML configuration file specifying both path prefixes to monitor AND which specific syscalls to track for each path. |
| 22 | + |
| 23 | +**Implementation**: |
| 24 | +- Add command-line flag for runtime configuration |
| 25 | +- YAML config format for specifying monitored paths and specific syscalls |
| 26 | +- Filesystem layer modifications to intercept and track configured syscalls |
| 27 | +- Emit separate metrics counters for each path-syscall combination |
| 28 | + |
| 29 | +**Usage**: |
| 30 | +```bash |
| 31 | +# Runtime integration |
| 32 | +runsc create --path-metrics-config=/etc/gvisor/path-metrics.yaml container_id |
| 33 | + |
| 34 | +# Docker integration |
| 35 | +docker run --runtime=runsc \ |
| 36 | + --runtime-arg="--path-metrics-config=/etc/gvisor/path-metrics.yaml" \ |
| 37 | + --name=container image |
| 38 | +``` |
| 39 | + |
| 40 | +**Configuration Example**: |
| 41 | +```yaml |
| 42 | +path_metrics: |
| 43 | + - path_prefix: "/mnt/data" |
| 44 | + syscalls: ["open", "openat", "read", "write", "pread", "pwrite", "stat", "fstat", "close"] |
| 45 | + - path_prefix: "/app/storage" |
| 46 | + syscalls: ["open", "read", "write", "stat"] |
| 47 | + - path_prefix: "/tmp" |
| 48 | + syscalls: ["open", "write", "close"] |
| 49 | +``` |
| 50 | +
|
| 51 | +**Benefits**: |
| 52 | +- Maximum flexibility for different monitoring needs |
| 53 | +- Can track any syscall pattern for specific paths |
| 54 | +- Extensible to new paths and syscall combinations |
| 55 | +- Upstream acceptance potential due to comprehensive utility |
| 56 | +- Fine-grained control over performance impact |
| 57 | +
|
| 58 | +**Trade-offs**: |
| 59 | +- More complex configuration management |
| 60 | +- Higher implementation complexity |
| 61 | +- Requires deeper syscall interception |
| 62 | +
|
| 63 | +### Solution 2: Simplified Path-Only Configuration |
| 64 | +
|
| 65 | +**Overview**: Implement a streamlined configuration approach that only requires specifying path prefixes, automatically tracking the most commonly needed metrics (read and write operations) for those paths. |
| 66 | +
|
| 67 | +**Implementation**: |
| 68 | +- Same `--path-metrics-config` flag but simplified config format |
| 69 | +- Automatically tracks read/write operations and byte counts |
| 70 | +- Focus on the most popular use case (file access patterns) |
| 71 | +- Simpler filesystem layer modifications |
| 72 | + |
| 73 | +**Configuration Example**: |
| 74 | +```yaml |
| 75 | +monitored_paths: |
| 76 | + - "/mnt/data" |
| 77 | + - "/app/storage" |
| 78 | + - "/tmp" |
| 79 | +``` |
| 80 | + |
| 81 | +**Automatic Metrics Emitted**: |
| 82 | +- `read_operations_count` |
| 83 | +- `write_operations_count` |
| 84 | +- `bytes_read` |
| 85 | +- `bytes_written` |
| 86 | + |
| 87 | +**Benefits**: |
| 88 | +- Simple configuration - just specify paths |
| 89 | +- Covers most common monitoring needs (read/write patterns) |
| 90 | +- Easier to deploy and maintain |
| 91 | +- Lower implementation complexity |
| 92 | +- Still configurable and flexible for path selection |
| 93 | + |
| 94 | +**Trade-offs**: |
| 95 | +- Less granular than full syscall tracking |
| 96 | +- Fixed to read/write metrics only |
| 97 | +- Cannot track other syscalls like stat, open patterns |
| 98 | + |
| 99 | +## Next Steps |
| 100 | + |
| 101 | +Both solutions use the same flag mechanism and can be implemented incrementally. We'd appreciate feedback on: |
| 102 | + |
| 103 | +1. Which approach better aligns with GVisor's design philosophy |
| 104 | +2. Any concerns about the proposed configuration formats |
| 105 | +3. Preferred implementation approach for the filesystem layer modifications |
| 106 | +4. Interest in upstream contribution and collaboration |
0 commit comments