[WP] Implementation of Otel 4947 thread context

[Gui774ume]

What does this PR do?

Adds support for reading span/trace IDs from native applications using the OpenTelemetry Thread Local Context Record format (OTel spec PR #4947) in the CWS eBPF security module.

The implementation adds a new eBPF read path that:

1. Discovers the OTel TLSDESC TLS variable offset (registered by user-space via a new eRPC operation)
2. Reads the thread pointer (fsbase) from task_struct->thread.fsbase
3. Dereferences the TLS pointer to locate the OTel Thread Local Context Record
4. Validates the record (valid == 1) and converts W3C byte-order trace-id/span-id to the existing native-endian span_context_t format

The existing Datadog proprietary span TLS mechanism is preserved — fill_span_context() tries the Datadog path first, then falls back to OTel. All downstream code (event structs, unmarshallers, hooks) is unchanged since the output remains the same
24-byte span_context_t.

This targets native applications using ELF TLSDESC (C, C++, Rust, Java/JNI, .NET/FFI, Python native extensions). Support for additional runtimes (Go via pprof labels, Node.js via runtime internals) will be added separately. Currently x86_64 only
— ARM64 (tpidr_el0) is deferred.

Motivation

The OpenTelemetry specification defines a standard mechanism for SDKs to publish thread-level trace context (trace ID, span ID) through ELF Thread Local Storage so that out-of-process readers like eBPF probes can correlate security events with
distributed traces. Supporting this standard allows CWS to automatically pick up span context from any OTel-instrumented native application without requiring Datadog-specific instrumentation.

Describe how you validated your changes

• All modified Go packages (probe/erpc, probe/constantfetch, ebpf/probes, ptracer, probe) build cleanly
• The C syscall tester compiles successfully with the new otel-span-open command
• Added a functional test (TestOTelSpan) that:
  • Creates a __thread TLS variable in C, computes its offset from fsbase via arch_prctl(ARCH_GET_FS)
  • Registers the offset with eBPF via the new REGISTER_OTEL_TLS_OP eRPC operation
  • Fills an OTel Thread Local Context Record with a known trace ID and span ID in W3C byte order
  • Triggers an open() syscall and verifies the correct trace/span IDs appear in the captured security event
• Existing TestSpan test continues to work (Datadog proprietary path is unchanged)

Additional Notes

• The task_struct->thread.fsbase offset is resolved using two separate BTF lookups (task_struct.thread + thread_struct.fsbase) because the BTF constant fetcher only recurses into anonymous struct members, and thread is a named member
• Fallback offset functions return ErrorSentinel — BTF is strongly preferred for these offsets since task_struct.thread varies significantly with kernel config
• The OTel record's attrs-data field (custom attributes) is not read — only trace-id and span-id are extracted
• The fill_span_context() behavior has a minor semantic change: if the Datadog TLS is registered but returns all-zero context (no active span), it now falls through to try OTel before returning zeros

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5891c761c2

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Guard OTel fsbase reads behind resolved offsets

These offsets are consumed unconditionally, but the commit only requests them on amd64 (probe_ebpf.go) and the new fallback getters return ErrorSentinel (constantfetch/fallback.go), which is later materialized as 0 in constant editors. If a process sends REGISTER_OTEL_TLS_OP on an unsupported/missing-offset environment (e.g., arm64 or x86_64 kernels where BTF lookup fails), this path reads task + 0 instead of task->thread.fsbase, so OTel context extraction becomes incorrect and can mis-associate or drop span correlation. The OTel path should be disabled unless both offsets are successfully resolved.

Useful? React with 👍 / 👎.

[agent-platform-auto-pr]

Files inventory check summary

File checks results against ancestor a01a5c3e:

Results for datadog-agent_7.79.0~devel.git.200.5891c76.pipeline.104610626-1_amd64.deb:

Detected file changes:

1 Changed files:

• opt/datadog-agent/embedded/share/system-probe/ebpf/runtime-security-fentry.o:
  • Size changed: +10.76% (777.11 KiB) (7.05 MiB -> 7.81 MiB)

[agent-platform-auto-pr]

Static quality checks

❌ Please find below the results from static quality gates
Comparison made with ancestor a01a5c3
📊 Static Quality Gates Dashboard
🔗 SQG Job

Error

	Quality gate	Change	Size (prev → curr → max)
❌	agent_deb_amd64 (on disk)	+2.27 MiB (0.30% increase)	752.561 → 754.832 → 753.380
❌	agent_rpm_amd64 (on disk)	+2.27 MiB (0.30% increase)	752.545 → 754.816 → 753.350
❌	agent_suse_amd64 (on disk)	+2.27 MiB (0.30% increase)	752.545 → 754.816 → 753.350

Gate failure full details

Quality gate	Error type	Error message
agent_deb_amd64	StaticQualityGateFailed	static_quality_gate_agent_deb_amd64 failed! Disk size 754.8 MB exceeds limit of 753.4 MB by 1.5 MB
agent_rpm_amd64	StaticQualityGateFailed	static_quality_gate_agent_rpm_amd64 failed! Disk size 754.8 MB exceeds limit of 753.3 MB by 1.5 MB
agent_suse_amd64	StaticQualityGateFailed	static_quality_gate_agent_suse_amd64 failed! Disk size 754.8 MB exceeds limit of 753.3 MB by 1.5 MB

Static quality gates prevent the PR to merge!
You can check the static quality gates confluence page for guidance. We also have a toolbox page available to list tools useful to debug the size increase.

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64_fips	+2.27 MiB (0.32% increase)	709.575 → 711.850 → 713.900
✅	agent_rpm_amd64_fips	+2.27 MiB (0.32% increase)	709.559 → 711.834 → 713.880
✅	agent_rpm_arm64	+2.28 MiB (0.31% increase)	730.984 → 733.259 → 735.290
✅	agent_rpm_arm64_fips	+2.27 MiB (0.33% increase)	691.007 → 693.278 → 696.840
✅	agent_suse_amd64_fips	+2.27 MiB (0.32% increase)	709.559 → 711.834 → 713.880
✅	agent_suse_arm64	+2.28 MiB (0.31% increase)	730.984 → 733.259 → 735.290
✅	agent_suse_arm64_fips	+2.27 MiB (0.33% increase)	691.007 → 693.278 → 696.840
✅	docker_agent_amd64	+2.27 MiB (0.28% increase)	812.864 → 815.135 → 815.700
✅	docker_agent_arm64	+2.28 MiB (0.28% increase)	816.073 → 818.348 → 821.970
✅	docker_agent_jmx_amd64	+2.27 MiB (0.23% increase)	1003.779 → 1006.050 → 1006.580
✅	docker_agent_jmx_arm64	+2.28 MiB (0.23% increase)	995.767 → 998.042 → 1001.570

16 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	agent_heroku_amd64	313.298 MiB
✅	docker_cluster_agent_amd64	203.942 MiB
✅	docker_cluster_agent_arm64	218.420 MiB
✅	docker_cws_instrumentation_amd64	7.142 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_amd64	39.238 MiB
✅	docker_dogstatsd_arm64	37.445 MiB
✅	dogstatsd_deb_amd64	29.881 MiB
✅	dogstatsd_deb_arm64	28.034 MiB
✅	dogstatsd_rpm_amd64	29.881 MiB
✅	dogstatsd_suse_amd64	29.881 MiB
✅	iot_agent_deb_amd64	43.278 MiB
✅	iot_agent_deb_arm64	40.324 MiB
✅	iot_agent_deb_armhf	41.076 MiB
✅	iot_agent_rpm_amd64	43.278 MiB
✅	iot_agent_suse_amd64	43.278 MiB

On-wire sizes (compressed)

	Quality gate	Change	Size (prev → curr → max)
❌	agent_deb_amd64	-55.73 KiB (0.03% reduction)	174.779 → 174.725 → 178.360
❌	agent_rpm_amd64	+17.21 KiB (0.01% increase)	177.533 → 177.550 → 181.830
❌	agent_suse_amd64	+17.21 KiB (0.01% increase)	177.533 → 177.550 → 181.830
✅	agent_deb_amd64_fips	+87.57 KiB (0.05% increase)	165.333 → 165.418 → 172.790
✅	agent_heroku_amd64	-5.48 KiB (0.01% reduction)	75.005 → 75.000 → 79.970
✅	agent_rpm_amd64_fips	+54.77 KiB (0.03% increase)	167.626 → 167.679 → 173.370
✅	agent_rpm_arm64	+80.74 KiB (0.05% increase)	159.494 → 159.573 → 163.060
✅	agent_rpm_arm64_fips	+93.72 KiB (0.06% increase)	151.352 → 151.444 → 156.170
✅	agent_suse_amd64_fips	+54.77 KiB (0.03% increase)	167.626 → 167.679 → 173.370
✅	agent_suse_arm64	+80.74 KiB (0.05% increase)	159.494 → 159.573 → 163.060
✅	agent_suse_arm64_fips	+93.72 KiB (0.06% increase)	151.352 → 151.444 → 156.170
✅	docker_agent_amd64	+223.83 KiB (0.08% increase)	268.108 → 268.327 → 272.480
✅	docker_agent_arm64	+220.72 KiB (0.08% increase)	255.298 → 255.514 → 261.060
✅	docker_agent_jmx_amd64	+221.34 KiB (0.06% increase)	336.761 → 336.977 → 341.100
✅	docker_agent_jmx_arm64	+217.06 KiB (0.07% increase)	319.942 → 320.154 → 325.620
✅	docker_cluster_agent_amd64	neutral	71.373 MiB → 72.920
✅	docker_cluster_agent_arm64	neutral	67.013 MiB → 68.220
✅	docker_cws_instrumentation_amd64	neutral	2.999 MiB → 3.330
✅	docker_cws_instrumentation_arm64	neutral	2.729 MiB → 3.090
✅	docker_dogstatsd_amd64	neutral	15.174 MiB → 15.820
✅	docker_dogstatsd_arm64	neutral	14.494 MiB → 14.830
✅	dogstatsd_deb_amd64	neutral	7.894 MiB → 8.790
✅	dogstatsd_deb_arm64	neutral	6.779 MiB → 7.710
✅	dogstatsd_rpm_amd64	neutral	7.903 MiB → 8.800
✅	dogstatsd_suse_amd64	neutral	7.903 MiB → 8.800
✅	iot_agent_deb_amd64	neutral	11.399 MiB → 12.040
✅	iot_agent_deb_arm64	-2.22 KiB (0.02% reduction)	9.704 → 9.702 → 10.450
✅	iot_agent_deb_armhf	neutral	9.940 MiB → 10.620
✅	iot_agent_rpm_amd64	+3.05 KiB (0.03% increase)	11.416 → 11.419 → 12.060
✅	iot_agent_suse_amd64	+3.05 KiB (0.03% increase)	11.416 → 11.419 → 12.060

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: fd08072f-13ae-4406-ab96-93b22751c527

Baseline: a01a5c3
Comparison: 5891c76
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+3.61	[+0.54, +6.67]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	+3.61	[+0.54, +6.67]	1	Logs
➖	quality_gate_logs	% cpu utilization	+2.40	[+0.77, +4.04]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	+0.41	[+0.27, +0.54]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	+0.34	[+0.11, +0.56]	1	Logs
➖	file_tree	memory utilization	+0.19	[+0.14, +0.24]	1	Logs
➖	ddot_metrics	memory utilization	+0.14	[-0.03, +0.31]	1	Logs
➖	docker_containers_memory	memory utilization	+0.13	[+0.06, +0.20]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	+0.11	[-0.12, +0.34]	1	Logs bounds checks dashboard
➖	quality_gate_idle	memory utilization	+0.05	[+0.00, +0.10]	1	Logs bounds checks dashboard
➖	file_to_blackhole_0ms_latency	egress throughput	+0.02	[-0.47, +0.51]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.01	[-0.10, +0.11]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	+0.00	[-0.20, +0.20]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.00	[-0.20, +0.20]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.03	[-0.45, +0.39]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.03	[-0.43, +0.36]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	-0.04	[-0.10, +0.02]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	-0.04	[-0.14, +0.05]	1	Logs
➖	otlp_ingest_logs	memory utilization	-0.07	[-0.18, +0.03]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	-0.29	[-0.47, -0.12]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	-0.30	[-0.34, -0.27]	1	Logs bounds checks dashboard
➖	ddot_metrics_sum_cumulative	memory utilization	-0.48	[-0.62, -0.34]	1	Logs
➖	otlp_ingest_metrics	memory utilization	-0.57	[-0.73, -0.41]	1	Logs
➖	ddot_logs	memory utilization	-0.58	[-0.64, -0.52]	1	Logs

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	548 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	277.06MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	709 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.19GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.24GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.21GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 = 3	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	174.41MiB ≤ 175MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	3 = 3	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	507.76MiB ≤ 550MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	205.00MiB ≤ 220MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	356.79 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	4 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	427.62MiB ≤ 475MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.