[usm] add regular and raw tracepoints /sched_process_exit

[yuri-lipnesh]

What does this PR do?

Adds eBPF programs for tracepoint/sched/sched_process_exit (kernel < 4.17) and
raw_tracepoint/sched_process_exit (kernel>=4.17)
These programs clean terminated processes from ssl_read_args and ssl_read_ex_args maps.

Motivation

Significant amount of E2BIG errors was observed on staging clusters in January, 2025

This error spike aligns with mongodb pod restarts, which were triggered by Kubernetes due to health check failures.
The issue was reproduced on a local VM by stressing a simple SSL server with frequent connections. Terminating the server mid-operation led to stale entries accumulating in the relevant kernel maps.

Describe how you validated your changes

This code was tested on the staging cluster oddish-c, which frequently exhibited E2BIG errors for the ssl_read_args map. After deploying the fix, no errors occurred for 16 hours. See this metrics.

Passed CI unit tests and e2e tests.
USM SSL load tests dashboard
shows slightly lower CPU and memory with new code compared to master:

The custom agent was deployed on staging cluster oddish-c between Feb 19, 2025 3pm and Feb 20, 8am, USM internal metrics in this dashboard.

Possible Drawbacks / Trade-offs

The system-probe runs periodic sync job each 30 seconds to detect loaded SSL shared ibraries.
This job also additionally will clean possible stale entries in SSL-related kernel maps on kernel < 4.17

Additional Notes

The codebase has two modes:

1. Running on kernel 4.17 or later - is covered by the load test & dogfooding
2. Running on kernels 4.14-4.16
   To test mode (2) I created a testing branch from the current one that emulates a lower kernel version and does periodic cleanup on any Linux version. Results of SSL load tests are available in this dashboard.
   There is no significant difference in CPU and memory usage compared to the main branch.

[agent-platform-auto-pr]

Uncompressed package size comparison

Comparison with ancestor c714131b8c1ae684dd2a10498b2d7de5b9d351d2

Diff per package

package	diff	status	size	ancestor	threshold
datadog-agent-arm64-deb	0.02MB	⚠️	813.97MB	813.95MB	0.50MB
datadog-agent-aarch64-rpm	0.02MB	⚠️	823.74MB	823.72MB	0.50MB
datadog-agent-amd64-deb	0.02MB	⚠️	823.47MB	823.45MB	0.50MB
datadog-agent-x86_64-rpm	0.02MB	⚠️	833.26MB	833.25MB	0.50MB
datadog-agent-x86_64-suse	0.02MB	⚠️	833.26MB	833.25MB	0.50MB
datadog-dogstatsd-amd64-deb	0.00MB	✅	39.42MB	39.42MB	0.50MB
datadog-dogstatsd-x86_64-rpm	0.00MB	✅	39.50MB	39.50MB	0.50MB
datadog-dogstatsd-x86_64-suse	0.00MB	✅	39.50MB	39.50MB	0.50MB
datadog-dogstatsd-arm64-deb	0.00MB	✅	37.96MB	37.96MB	0.50MB
datadog-heroku-agent-amd64-deb	0.00MB	✅	443.39MB	443.39MB	0.50MB
datadog-iot-agent-amd64-deb	0.00MB	✅	62.04MB	62.04MB	0.50MB
datadog-iot-agent-x86_64-rpm	0.00MB	✅	62.11MB	62.11MB	0.50MB
datadog-iot-agent-x86_64-suse	0.00MB	✅	62.10MB	62.10MB	0.50MB
datadog-iot-agent-arm64-deb	0.00MB	✅	59.27MB	59.27MB	0.50MB
datadog-iot-agent-aarch64-rpm	0.00MB	✅	59.34MB	59.34MB	0.50MB

Decision

⚠️ Warning

[agent-platform-auto-pr]

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv aws.create-vm --pipeline-id=57146343 --os-family=ubuntu

Note: This applies to commit 32f36b1

[cit-pr-commenter]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 61e20c37-9b92-4776-bb36-7bb192f8356b

Baseline: c714131
Comparison: 32f36b1
Diff

Optimization Goals: ✅ No significant changes detected

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	quality_gate_logs	% cpu utilization	+0.70	[-2.18, +3.58]	1	Logs
➖	file_tree	memory utilization	+0.57	[+0.51, +0.63]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	+0.22	[+0.15, +0.28]	1	Logs
➖	file_to_blackhole_1000ms_latency_linear_load	egress throughput	+0.21	[-0.26, +0.68]	1	Logs
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	+0.19	[-0.67, +1.05]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	+0.13	[+0.08, +0.18]	1	Logs bounds checks dashboard
➖	file_to_blackhole_0ms_latency_http1	egress throughput	+0.03	[-0.80, +0.85]	1	Logs
➖	quality_gate_idle	memory utilization	+0.01	[-0.02, +0.04]	1	Logs bounds checks dashboard
➖	file_to_blackhole_100ms_latency	egress throughput	+0.01	[-0.64, +0.66]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	+0.00	[-0.30, +0.30]	1	Logs
➖	file_to_blackhole_300ms_latency	egress throughput	+0.00	[-0.63, +0.63]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.01, +0.02]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.00	[-0.79, +0.78]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.01	[-0.81, +0.79]	1	Logs
➖	file_to_blackhole_0ms_latency_http2	egress throughput	-0.01	[-0.82, +0.81]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.10	[-0.87, +0.67]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	links
✅	file_to_blackhole_0ms_latency	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http1	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http1	memory_usage	10/10
✅	file_to_blackhole_0ms_latency_http2	lost_bytes	10/10
✅	file_to_blackhole_0ms_latency_http2	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10
✅	file_to_blackhole_1000ms_latency_linear_load	memory_usage	10/10
✅	file_to_blackhole_100ms_latency	lost_bytes	10/10
✅	file_to_blackhole_100ms_latency	memory_usage	10/10
✅	file_to_blackhole_300ms_latency	lost_bytes	10/10
✅	file_to_blackhole_300ms_latency	memory_usage	10/10
✅	file_to_blackhole_500ms_latency	lost_bytes	10/10
✅	file_to_blackhole_500ms_latency	memory_usage	10/10
✅	quality_gate_idle	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10
✅	quality_gate_logs	lost_bytes	10/10
✅	quality_gate_logs	memory_usage	10/10

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_logs, bounds check lost_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.

[agent-platform-auto-pr]

Static quality checks ✅

Please find below the results from static quality gates

Successful checks

Info

Result	Quality gate	On disk size	On disk size limit	On wire size	On wire size limit
✅	static_quality_gate_agent_deb_amd64	797.2MiB	801.8MiB	194.75MiB	202.62MiB
✅	static_quality_gate_agent_deb_arm64	788.05MiB	793.14MiB	176.24MiB	184.51MiB
✅	static_quality_gate_agent_rpm_amd64	797.19MiB	801.79MiB	196.63MiB	205.03MiB
✅	static_quality_gate_agent_rpm_arm64	788.1MiB	793.09MiB	178.44MiB	186.44MiB
✅	static_quality_gate_agent_suse_amd64	797.14MiB	801.81MiB	196.63MiB	205.03MiB
✅	static_quality_gate_agent_suse_arm64	788.06MiB	793.14MiB	178.44MiB	186.44MiB
✅	static_quality_gate_dogstatsd_deb_amd64	37.67MiB	47.67MiB	9.78MiB	19.78MiB
✅	static_quality_gate_dogstatsd_deb_arm64	36.28MiB	46.27MiB	8.48MiB	18.49MiB
✅	static_quality_gate_dogstatsd_rpm_amd64	37.67MiB	47.67MiB	9.79MiB	19.79MiB
✅	static_quality_gate_dogstatsd_suse_amd64	37.67MiB	47.67MiB	9.79MiB	19.79MiB
✅	static_quality_gate_iot_agent_deb_amd64	59.24MiB	69.0MiB	14.88MiB	24.8MiB
✅	static_quality_gate_iot_agent_deb_arm64	56.6MiB	66.4MiB	12.84MiB	22.8MiB
✅	static_quality_gate_iot_agent_rpm_amd64	59.24MiB	69.0MiB	14.9MiB	24.8MiB
✅	static_quality_gate_iot_agent_rpm_arm64	56.6MiB	66.4MiB	12.85MiB	22.8MiB
✅	static_quality_gate_iot_agent_suse_amd64	59.24MiB	69.0MiB	14.9MiB	24.8MiB
✅	static_quality_gate_docker_agent_amd64	881.47MiB	886.12MiB	296.74MiB	304.21MiB
✅	static_quality_gate_docker_agent_arm64	895.67MiB	900.79MiB	282.77MiB	290.47MiB
✅	static_quality_gate_docker_agent_jmx_amd64	1.05GiB	1.06GiB	371.84MiB	379.33MiB
✅	static_quality_gate_docker_agent_jmx_arm64	1.06GiB	1.06GiB	353.84MiB	361.55MiB
✅	static_quality_gate_docker_dogstatsd_amd64	45.82MiB	55.78MiB	17.28MiB	27.28MiB
✅	static_quality_gate_docker_dogstatsd_arm64	44.45MiB	54.45MiB	16.16MiB	26.16MiB
✅	static_quality_gate_docker_cluster_agent_amd64	264.95MiB	274.78MiB	106.36MiB	116.28MiB
✅	static_quality_gate_docker_cluster_agent_arm64	280.91MiB	290.82MiB	101.19MiB	111.12MiB

[agent-platform-auto-pr]

Static quality checks ❌

Please find below the results from static quality gates

Error

Result	Quality gate	On disk size	On disk size limit	On wire size	On wire size limit
❌	static_quality_gate_agent_rpm_arm64	DataNotFound	836.66MiB	DataNotFound	194.24MiB

Gate failure full details

Quality gate	Error type	Error message
static_quality_gate_agent_rpm_arm64	StackTrace	Traceback (most recent call last): File "/go/src/github.com/DataDog/datadog-agent/tasks/quality_gates.py", line 121, in parse_and_trigger_gates gate_mod.entrypoint(**gate_inputs) File "/go/src/github.com/DataDog/datadog-agent/tasks/static_quality_gates/static_quality_gate_agent_rpm_arm64.py", line 5, in entrypoint generic_package_agent_quality_gate( File "/go/src/github.com/DataDog/datadog-agent/tasks/static_quality_gates/lib/package_agent_lib.py", line 69, in generic_package_agent_quality_gate package_on_wire_size, package_on_disk_size = calculate_package_size( ^^^^^^^^^^^^^^^^^^^^^^^ File "/go/src/github.com/DataDog/datadog-agent/tasks/static_quality_gates/lib/package_agent_lib.py", line 10, in calculate_package_size extract_package(ctx=ctx, package_os=package_os, package_path=package_path, extract_dir=extract_dir) File "/go/src/github.com/DataDog/datadog-agent/tasks/libs/package/size.py", line 72, in extract_package return extract_rpm_package(ctx, package_path, extract_dir) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/go/src/github.com/DataDog/datadog-agent/tasks/libs/package/size.py", line 65, in extract_rpm_package ctx.run(f"rpm2cpio {package_path}

Successful checks

Info

Result	Quality gate	On disk size	On disk size limit	On wire size	On wire size limit
✅	static_quality_gate_agent_deb_amd64	839.54MiB	847.49MiB	202.94MiB	212.33MiB
✅	static_quality_gate_agent_deb_arm64	829.36MiB	836.66MiB	183.32MiB	192.5MiB
✅	static_quality_gate_agent_rpm_amd64	839.53MiB	847.82MiB	206.29MiB	215.76MiB
✅	static_quality_gate_agent_suse_amd64	839.53MiB	847.82MiB	206.29MiB	215.76MiB
✅	static_quality_gate_agent_suse_arm64	829.35MiB	836.66MiB	185.34MiB	194.24MiB
✅	static_quality_gate_dogstatsd_deb_amd64	39.52MiB	49.7MiB	10.54MiB	20.6MiB
✅	static_quality_gate_dogstatsd_deb_arm64	37.86MiB	48.1MiB	9.12MiB	19.1MiB
✅	static_quality_gate_dogstatsd_rpm_amd64	39.52MiB	49.7MiB	10.55MiB	20.6MiB
✅	static_quality_gate_dogstatsd_suse_amd64	39.52MiB	49.7MiB	10.55MiB	20.6MiB
✅	static_quality_gate_iot_agent_deb_amd64	59.01MiB	69.0MiB	14.83MiB	24.8MiB
✅	static_quality_gate_iot_agent_deb_arm64	56.39MiB	66.4MiB	12.8MiB	22.8MiB
✅	static_quality_gate_iot_agent_rpm_amd64	59.01MiB	69.0MiB	14.85MiB	24.8MiB
✅	static_quality_gate_iot_agent_rpm_arm64	56.39MiB	66.4MiB	12.81MiB	22.8MiB
✅	static_quality_gate_iot_agent_suse_amd64	59.01MiB	69.0MiB	14.85MiB	24.8MiB
✅	static_quality_gate_docker_agent_amd64	924.35MiB	931.7MiB	308.91MiB	318.67MiB
✅	static_quality_gate_docker_agent_arm64	937.46MiB	944.08MiB	293.9MiB	303.0MiB
✅	static_quality_gate_docker_agent_jmx_amd64	1.1GiB	1.1GiB	384.0MiB	393.75MiB
✅	static_quality_gate_docker_agent_jmx_arm64	1.1GiB	1.1GiB	364.98MiB	373.71MiB
✅	static_quality_gate_docker_dogstatsd_amd64	47.67MiB	57.88MiB	18.25MiB	28.29MiB
✅	static_quality_gate_docker_dogstatsd_arm64	46.05MiB	56.27MiB	17.01MiB	27.06MiB
✅	static_quality_gate_docker_cluster_agent_amd64	264.79MiB	274.78MiB	106.27MiB	116.28MiB
✅	static_quality_gate_docker_cluster_agent_arm64	280.76MiB	290.82MiB	101.12MiB	111.12MiB

[guyarb]

BatchDeleteAPI is supported from kernel 5.6
How did you ensure this code runs only when it can?

[yuri-lipnesh]

fixed

[guyarb]

there's a back and forth here
Original comment asking - why don't you use batch-delete-api when possible
This comment highlighting you didn't handle kernels older than 5.6
and now you got back to deletion on key at a time
I missing the clarity of the reasoning why you didn't use batch-delete-api when it is possible

[yuri-lipnesh]

The system-probe calls this function only if kernel is <4.17, in that case batch deletion is not supported. Unit test may call it on any kernel, but unit tests are not so time critical. Am I missing something?

[guyarb]

why isn't it part of the constructor?
passing variables to store in the struct, should pass in the c'tor

[yuri-lipnesh]

the ssl program constructor newSSLProgramProtocolFactory initializes watcher before sslProgram is allocated. Moving map cleaner to constructor would require refactoring newSSLProgramProtocolFactory, is it worth it?

[guyarb]

Suggested change

	if err != nil {
	require.NoError(t, err)
	}
	require.NoError(t, err)

[yuri-lipnesh]

fixed

[guyarb]

Shouldn't we fail here?

[yuri-lipnesh]

fixed

[guyarb]

have you tried getting a failure in lines 154-156? If so, did you see the log?

[yuri-lipnesh]

fixed, replaced require with assert

[guyarb]

why don't you use unsafe.Pointer on the variables?

[yuri-lipnesh]

fixed

[guyarb]

why do you need the monitor? can't you just use the watcher?

[yuri-lipnesh]

monitor is necessary to dump maps

[guyarb]

no it's not

[guyarb]

you only need an ebpf manager

[yuri-lipnesh]

I cannot use watcher because it uses separate program manager and loads programs from shared-libraries/probes.h (generated shared-libraries.c) and runs appropriate manager while all SSL maps are located in usm.c module and are not accessible from shared-libraries.c

[guyarb]

Suggested change

	// find maps by names
	maps := getMaps(t, monitor, sslPidKeyMaps)
	require.Equal(t, len(maps), 6)
	// find maps by names
	maps := getMaps(t, monitor, sslPidKeyMaps)
	require.Equal(t, len(maps), len(sslPidKeyMaps))

[yuri-lipnesh]

fixed

[guyarb]

Suggested change

	"github.com/DataDog/datadog-agent/pkg/ebpf/ebpftest"
	"github.com/cilium/ebpf"
	"github.com/stretchr/testify/require"
	"github.com/DataDog/datadog-agent/pkg/network/protocols/http/testutil"
	"github.com/cilium/ebpf"
	"github.com/stretchr/testify/require"
	"github.com/DataDog/datadog-agent/pkg/ebpf/ebpftest"
	"github.com/DataDog/datadog-agent/pkg/network/protocols/http/testutil"

[yuri-lipnesh]

fixed

[guyarb]

move back to line 23

[yuri-lipnesh]

shouldn't it be part of Datadog section?

[yuri-lipnesh]

moved back

[guyarb]

you don't need to get m as you already have that in o.ebpfManager

[yuri-lipnesh]

fixed

[guyarb]

you don't need to get m as you already have that in o.ebpfManager

[yuri-lipnesh]

fixed

[guyarb]

Suggested change

	if features.HaveProgramType(ebpf.RawTracepoint) != nil {
	o.watcher.Start(o.cleanupDeadPids)
	} else {
	o.watcher.Start(nil)
	}
	cleanerCB := nil
	if features.HaveProgramType(ebpf.RawTracepoint) != nil {
	cleanerCB = o.cleanupDeadPids
	}
	o.watcher.Start(cleanerCB)

[yuri-lipnesh]

fixed

[guyarb]

if you are calling cleanupDeadPids, you already know features.HaveProgramType(ebpf.RawTracepoint) != nil
and o.ebpfManager == nil can never happen
so the condition is not needed

[yuri-lipnesh]

fixed

[guyarb]

Suggested change

	log.Debugf("SSL maps %q cleanup error: %v", mapName, err)
	log.Debugf("SSL map %q cleanup error: %v", mapName, err)

[yuri-lipnesh]

fixed

[guyarb]

what's the performance impact of this method?

[yuri-lipnesh]

I will check

[yuri-lipnesh]

I tested a modified branch with periodic cleaning for all kernel versions and included the performance results in the description.

[guyarb]

The codebase has two modes -

1. Running on kernel 4.17 or later - should be covered by the load test & dogfooding
2. Running on kernels 4.14-4.16 - how did you verify the performance looks good here?