[WIP] LD_PRELOAD based injection

Author: mmanciop

Makefile

@@ -6,6 +6,7 @@ OTELCOL_VERSION ?= "$(shell grep -v '\#' versions.txt | grep opentelemetry-colle
 OPERATOR_VERSION ?= "$(shell grep -v '\#' versions.txt | grep operator= | awk -F= '{print $$2}')"
 TARGETALLOCATOR_VERSION ?= $(shell grep -v '\#' versions.txt | grep targetallocator | awk -F= '{print $$2}')
 OPERATOR_OPAMP_BRIDGE_VERSION ?= "$(shell grep -v '\#' versions.txt | grep operator-opamp-bridge | awk -F= '{print $$2}')"
+AUTO_INSTRUMENTATION_INJECTOR_VERSION ?= "$(shell grep -v '\#' versions.txt | grep autoinstrumentation-injector | awk -F= '{print $$2}')"
 AUTO_INSTRUMENTATION_JAVA_VERSION ?= "$(shell grep -v '\#' versions.txt | grep autoinstrumentation-java | awk -F= '{print $$2}')"
 AUTO_INSTRUMENTATION_NODEJS_VERSION ?= "$(shell grep -v '\#' versions.txt | grep autoinstrumentation-nodejs | awk -F= '{print $$2}')"
 AUTO_INSTRUMENTATION_PYTHON_VERSION ?= "$(shell grep -v '\#' versions.txt | grep autoinstrumentation-python | awk -F= '{print $$2}')"
@@ -14,7 +15,7 @@ AUTO_INSTRUMENTATION_GO_VERSION ?= "$(shell grep -v '\#' versions.txt | grep aut
 AUTO_INSTRUMENTATION_APACHE_HTTPD_VERSION ?= "$(shell grep -v '\#' versions.txt | grep autoinstrumentation-apache-httpd | awk -F= '{print $$2}')"
 AUTO_INSTRUMENTATION_NGINX_VERSION ?= "$(shell grep -v '\#' versions.txt | grep autoinstrumentation-nginx | awk -F= '{print $$2}')"
 COMMON_LDFLAGS ?= -s -w
-OPERATOR_LDFLAGS ?= -X ${VERSION_PKG}.version=${VERSION} -X ${VERSION_PKG}.buildDate=${VERSION_DATE} -X ${VERSION_PKG}.otelCol=${OTELCOL_VERSION} -X ${VERSION_PKG}.targetAllocator=${TARGETALLOCATOR_VERSION} -X ${VERSION_PKG}.operatorOpAMPBridge=${OPERATOR_OPAMP_BRIDGE_VERSION} -X ${VERSION_PKG}.autoInstrumentationJava=${AUTO_INSTRUMENTATION_JAVA_VERSION} -X ${VERSION_PKG}.autoInstrumentationNodeJS=${AUTO_INSTRUMENTATION_NODEJS_VERSION} -X ${VERSION_PKG}.autoInstrumentationPython=${AUTO_INSTRUMENTATION_PYTHON_VERSION} -X ${VERSION_PKG}.autoInstrumentationDotNet=${AUTO_INSTRUMENTATION_DOTNET_VERSION} -X ${VERSION_PKG}.autoInstrumentationGo=${AUTO_INSTRUMENTATION_GO_VERSION} -X ${VERSION_PKG}.autoInstrumentationApacheHttpd=${AUTO_INSTRUMENTATION_APACHE_HTTPD_VERSION} -X ${VERSION_PKG}.autoInstrumentationNginx=${AUTO_INSTRUMENTATION_NGINX_VERSION}
+OPERATOR_LDFLAGS ?= -X ${VERSION_PKG}.version=${VERSION} -X ${VERSION_PKG}.buildDate=${VERSION_DATE} -X ${VERSION_PKG}.otelCol=${OTELCOL_VERSION} -X ${VERSION_PKG}.targetAllocator=${TARGETALLOCATOR_VERSION} -X ${VERSION_PKG}.operatorOpAMPBridge=${OPERATOR_OPAMP_BRIDGE_VERSION} -X ${VERSION_PKG}.autoInstrumentationJava=${AUTO_INSTRUMENTATION_JAVA_VERSION} -X ${VERSION_PKG}.autoInstrumentationInjector=${AUTO_INSTRUMENTATION_INJECTOR_VERSION} -X ${VERSION_PKG}.autoInstrumentationNodeJS=${AUTO_INSTRUMENTATION_NODEJS_VERSION} -X ${VERSION_PKG}.autoInstrumentationPython=${AUTO_INSTRUMENTATION_PYTHON_VERSION} -X ${VERSION_PKG}.autoInstrumentationDotNet=${AUTO_INSTRUMENTATION_DOTNET_VERSION} -X ${VERSION_PKG}.autoInstrumentationGo=${AUTO_INSTRUMENTATION_GO_VERSION} -X ${VERSION_PKG}.autoInstrumentationApacheHttpd=${AUTO_INSTRUMENTATION_APACHE_HTTPD_VERSION} -X ${VERSION_PKG}.autoInstrumentationNginx=${AUTO_INSTRUMENTATION_NGINX_VERSION}
 ARCH ?= $(shell go env GOARCH)
 ifeq ($(shell uname), Darwin)
   SED_INPLACE := sed -i ''

README.md

@@ -597,6 +597,7 @@ Language support can be disabled by passing the flag with a value of `false`.
 | ApacheHttpD | `enable-apache-httpd-instrumentation` | `true`        |
 | Go          | `enable-go-instrumentation`           | `false`       |
 | Nginx       | `enable-nginx-instrumentation`        | `false`       |
+| Injector    | `enable-injector-instrumentation`     | `false`       |
 
 
 OpenTelemetry Operator allows to instrument multiple containers using multiple language specific instrumentations.

apis/v1alpha1/instrumentation_types.go

@@ -38,6 +38,10 @@ type InstrumentationSpec struct {
 	// +optional
 	Env []corev1.EnvVar `json:"env,omitempty"`
 
+	// Injector defines configuration for the injector-based auto-instrumentation.
+	// +optional
+	Injector Injector `json:"injector,omitempty"`
+
 	// Java defines configuration for java auto-instrumentation.
 	// +optional
 	Java Java `json:"java,omitempty"`
@@ -144,6 +148,30 @@ type Defaults struct {
 	UseLabelsForResourceAttributes bool `json:"useLabelsForResourceAttributes,omitempty"`
 }
 
+type Injector struct {
+	// Image is a container image with auto-instrumentation injector.
+	// +optional
+	Image string `json:"image,omitempty"`
+
+	// VolumeClaimTemplate defines a ephemeral volume used for auto-instrumentation.
+	// If omitted, an emptyDir is used with size limit VolumeSizeLimit
+	VolumeClaimTemplate corev1.PersistentVolumeClaimTemplate `json:"volumeClaimTemplate,omitempty"`
+
+	// VolumeSizeLimit defines size limit for volume used for auto-instrumentation.
+	// The default size is 200Mi.
+	VolumeSizeLimit *resource.Quantity `json:"volumeLimitSize,omitempty"`
+
+	// Env defines instrumentation specific env vars. There are four layers for env vars' definitions and
+	// the precedence order is: `original container env vars` > `language specific env vars` > `common env vars` > `instrument spec configs' vars`.
+	// If the former var had been defined, then the other vars would be ignored.
+	// +optional
+	Env []corev1.EnvVar `json:"env,omitempty"`
+
+	// Resources describes the compute resource requirements.
+	// +optional
+	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
+}
+
 // Java defines Java SDK and instrumentation configuration.
 type Java struct {
 	// Image is a container image with javaagent auto-instrumentation JAR.

apis/v1alpha1/instrumentation_webhook.go

@@ -81,6 +81,21 @@ func (w InstrumentationWebhook) defaulter(r *Instrumentation) error {
 	if r.Labels == nil {
 		r.Labels = map[string]string{}
 	}
+	if r.Spec.Injector.Image == "" {
+		r.Spec.Injector.Image = w.cfg.AutoInstrumentationInjectorImage()
+	}
+	if r.Spec.Injector.Resources.Limits == nil {
+		r.Spec.Injector.Resources.Limits = corev1.ResourceList{
+			corev1.ResourceCPU:    resource.MustParse("500m"),
+			corev1.ResourceMemory: resource.MustParse("64Mi"),
+		}
+	}
+	if r.Spec.Injector.Resources.Requests == nil {
+		r.Spec.Injector.Resources.Requests = corev1.ResourceList{
+			corev1.ResourceCPU:    resource.MustParse("50m"),
+			corev1.ResourceMemory: resource.MustParse("64Mi"),
+		}
+	}
 	if r.Spec.Java.Image == "" {
 		r.Spec.Java.Image = w.cfg.AutoInstrumentationJavaImage()
 	}
@@ -187,6 +202,7 @@ func (w InstrumentationWebhook) defaulter(r *Instrumentation) error {
 	if r.Annotations == nil {
 		r.Annotations = map[string]string{}
 	}
+	r.Annotations[constants.AnnotationDefaultAutoInstrumentationInjector] = w.cfg.AutoInstrumentationInjectorImage()
 	r.Annotations[constants.AnnotationDefaultAutoInstrumentationJava] = w.cfg.AutoInstrumentationJavaImage()
 	r.Annotations[constants.AnnotationDefaultAutoInstrumentationNodeJS] = w.cfg.AutoInstrumentationNodeJSImage()
 	r.Annotations[constants.AnnotationDefaultAutoInstrumentationPython] = w.cfg.AutoInstrumentationPythonImage()
@@ -244,6 +260,10 @@ func (w InstrumentationWebhook) validate(r *Instrumentation) (admission.Warnings
 	if err != nil {
 		return warnings, fmt.Errorf("spec.java.volumeClaimTemplate and spec.java.volumeSizeLimit cannot both be defined: %w", err)
 	}
+	err = validateInstrVolume(r.Spec.Injector.VolumeClaimTemplate, r.Spec.Injector.VolumeSizeLimit)
+	if err != nil {
+		return warnings, fmt.Errorf("spec.injector.volumeClaimTemplate and spec.injector.volumeSizeLimit cannot both be defined: %w", err)
+	}
 	err = validateInstrVolume(r.Spec.Nginx.VolumeClaimTemplate, r.Spec.Nginx.VolumeSizeLimit)
 	if err != nil {
 		return warnings, fmt.Errorf("spec.nginx.volumeClaimTemplate and spec.nginx.volumeSizeLimit cannot both be defined: %w", err)

apis/v1alpha1/instrumentation_webhook_test.go

@@ -21,6 +21,7 @@ func TestInstrumentationDefaultingWebhook(t *testing.T) {
 	inst := &Instrumentation{}
 	err := InstrumentationWebhook{
 		cfg: config.New(
+			config.WithAutoInstrumentationInjectorImage("injector-img:1"),
 			config.WithAutoInstrumentationJavaImage("java-img:1"),
 			config.WithAutoInstrumentationNodeJSImage("nodejs-img:1"),
 			config.WithAutoInstrumentationPythonImage("python-img:1"),
@@ -30,6 +31,7 @@ func TestInstrumentationDefaultingWebhook(t *testing.T) {
 		),
 	}.Default(context.Background(), inst)
 	assert.NoError(t, err)
+	assert.Equal(t, "injector-img:1", inst.Spec.Injector.Image)
 	assert.Equal(t, "java-img:1", inst.Spec.Java.Image)
 	assert.Equal(t, "nodejs-img:1", inst.Spec.NodeJS.Image)
 	assert.Equal(t, "python-img:1", inst.Spec.Python.Image)

apis/v1alpha1/zz_generated.deepcopy.go

@@ -0,0 +1,42 @@
+### Injector + Instrumentations image
+#
+# The injector image container both the LD_PRELOAD object, as well as
+# all the supported instrumentations (as it needs to copy them into
+# the emptyDir volume)
+
+# Java agent
+FROM busybox AS java-agent
+
+ARG javaagentversion
+
+ADD https://github.com/open-telemetry/opentelemetry-java-instrumentation/releases/download/v$javaagentversion/opentelemetry-javaagent.jar /javaagent.jar
+
+RUN chmod -R go+r /javaagent.jar
+
+# build injector
+FROM ubuntu:24.04 AS build-injector
+
+RUN apt-get update && apt-get install --no-install-recommends build-essential -y
+
+COPY ./src /injector/src
+WORKDIR /injector
+RUN gcc \
+  -shared \
+  -nostdlib \
+  -fPIC \
+  -Wl,--version-script=src/injector.exports.map \
+  /injector/src/injector.c \
+  -o /injector/injector.so
+
+# injector_build_end - do not remove this line (see images/instrumentation/injector/test/scripts/test-all.sh)
+
+# build final image
+FROM busybox
+WORKDIR /
+
+COPY copy-instrumentation.sh /
+
+COPY --from=build-injector /injector/injector.so /instrumentation/injector.so
+COPY --from=java-agent /javaagent.jar /instrumentation/jvm/javaagent.jar
+
+CMD ["/copy-instrumentation.sh"]

autoinstrumentation/injector/Dockerfile

@@ -0,0 +1,15 @@
+# Open questions
+
+* How can the injector "inherit" features of other instrumentations, e.g.:
+  * Specific versions
+  * JavaAgent extensions
+* Detect libc (Python, .NET) -> Will need likely a zig injector
+
+$ TODOs
+
+* C Lint
+* Swap default off
+* Injector Image CI build
+* Documentation
+* OTep
+* Versioning scheme

autoinstrumentation/injector/TODOs

@@ -0,0 +1,32 @@
+#!/bin/sh
+
+# SPDX-FileCopyrightText: Copyright 2025 The OpenTelemetry authors
+# SPDX-License-Identifier: Apache-2.0
+
+set -eu
+
+if [ "${OTEL_LOG_LEVEL:-}" = "debug" ]; then
+  set -x
+fi
+
+cd -P -- "$(dirname -- "$0")"
+
+if [ -z "${INSTRUMENTATION_FOLDER_SOURCE:-}" ]; then
+  INSTRUMENTATION_FOLDER_SOURCE=/instrumentation
+fi
+if [ ! -d "${INSTRUMENTATION_FOLDER_SOURCE}" ]; then
+  >&2 echo "[OTel injector] Instrumentation source directory ${INSTRUMENTATION_FOLDER_SOURCE} does not exist."
+  exit 1
+fi
+
+if [ -z "${INSTRUMENTATION_FOLDER_DESTINATION:-}" ]; then
+  INSTRUMENTATION_FOLDER_DESTINATION=/
+fi
+
+# We deliberately do not create the base directory for $INSTRUMENTATION_FOLDER_DESTINATION via mkdir, it needs
+# be an existing mount point provided externally.
+cp -R "${INSTRUMENTATION_FOLDER_SOURCE}"/ "${INSTRUMENTATION_FOLDER_DESTINATION}"
+
+if [ "${OTEL_DEBUG_DEBUG:-}" = "debug" ]; then
+  >&2 echo "[OTel injector] Status of '${INSTRUMENTATION_FOLDER_DESTINATION}' after copying instrumentation files: $(find ${INSTRUMENTATION_FOLDER_DESTINATION})"
+fi

autoinstrumentation/injector/copy-instrumentation.sh

@@ -0,0 +1 @@
+2.13.1

autoinstrumentation/injector/java-version.txt

@@ -0,0 +1,111 @@
+#include <stdint.h>
+#include <unistd.h>
+
+#define ALIGN (sizeof(size_t))
+#define UCHAR_MAX 255
+#define ONES ((size_t)-1 / UCHAR_MAX)
+#define HIGHS (ONES * (UCHAR_MAX / 2 + 1))
+#define HASZERO(x) ((x) - ONES & ~(x) & HIGHS)
+
+#define JAVA_TOOL_OPTIONS_ENV_VAR_NAME "JAVA_TOOL_OPTIONS"
+#define JAVA_TOOL_OPTIONS_REQUIRE                                        \
+  "-javaagent:"                                                          \
+  "/otel-auto-instrumentation-injector/instrumentation/jvm/javaagent.jar"
+
+extern char **__environ;
+
+size_t __strlen(const char *s) {
+  const char *a = s;
+  const size_t *w;
+  for (; (uintptr_t)s % ALIGN; s++)
+    if (!*s)
+      return s - a;
+  for (w = (const void *)s; !HASZERO(*w); w++)
+    ;
+  for (s = (const void *)w; *s; s++)
+    ;
+  return s - a;
+}
+
+char *__strchrnul(const char *s, int c) {
+  size_t *w, k;
+
+  c = (unsigned char)c;
+  if (!c)
+    return (char *)s + __strlen(s);
+
+  for (; (uintptr_t)s % ALIGN; s++)
+    if (!*s || *(unsigned char *)s == c)
+      return (char *)s;
+  k = ONES * c;
+  for (w = (void *)s; !HASZERO(*w) && !HASZERO(*w ^ k); w++)
+    ;
+  for (s = (void *)w; *s && *(unsigned char *)s != c; s++)
+    ;
+  return (char *)s;
+}
+
+char *__strcpy(char *restrict dest, const char *restrict src) {
+  const unsigned char *s = src;
+  unsigned char *d = dest;
+  while ((*d++ = *s++))
+    ;
+  return dest;
+}
+
+char *__strcat(char *restrict dest, const char *restrict src) {
+  __strcpy(dest + __strlen(dest), src);
+  return dest;
+}
+
+int __strcmp(const char *l, const char *r) {
+  for (; *l == *r && *l; l++, r++)
+    ;
+  return *(unsigned char *)l - *(unsigned char *)r;
+}
+
+int __strncmp(const char *_l, const char *_r, size_t n) {
+  const unsigned char *l = (void *)_l, *r = (void *)_r;
+  if (!n--)
+    return 0;
+  for (; *l && *r && n && *l == *r; l++, r++, n--)
+    ;
+  return *l - *r;
+}
+
+char *__getenv(const char *name) {
+  size_t l = __strchrnul(name, '=') - name;
+  if (l && !name[l] && __environ)
+    for (char **e = __environ; *e; e++)
+      if (!__strncmp(name, *e, l) && l[*e] == '=')
+        return *e + l + 1;
+  return 0;
+}
+
+/*
+ * Buffers of statically-allocated memory that we can use to safely return to
+ * the program manipulated values of env vars without dynamic allocations.
+ */
+char cachedModifiedRuntimeOptionsValue[1012];
+
+char *getenv(const char *name) {
+  char *origValue = __getenv(name);
+  int l = __strlen(name);
+
+  char *javaToolOptionsVarName = JAVA_TOOL_OPTIONS_ENV_VAR_NAME;
+  if (__strcmp(name, javaToolOptionsVarName) == 0) {
+    if (__strlen(cachedModifiedRuntimeOptionsValue) == 0) {
+      // No runtime environment variable has been requested before,
+      // calculate the modified value and cache it.
+
+      // Prepend our --require as the first item to the JAVA_TOOL_OPTIONS
+      // string.
+      char *javaToolOptionsRequire = JAVA_TOOL_OPTIONS_REQUIRE;
+      __strcat(cachedModifiedRuntimeOptionsValue, javaToolOptionsRequire);
+    }
+
+    return cachedModifiedRuntimeOptionsValue;
+  }
+
+  return origValue;
+}

autoinstrumentation/injector/src/injector.c

@@ -0,0 +1,6 @@
+{
+    global:
+        getenv;
+    local:
+        *;
+};