Zero‑Intrusion Go Instrumentation: Auto‑Inject Monitoring & Governance

In Go development, despite the language’s performance, application monitoring and service governance often require invasive code changes, increasing workload and complicating integration, especially in heterogeneous systems.

To address this, the Alibaba Cloud ARMS, compiler, and MSE teams jointly released an open‑source compile‑time automatic instrumentation solution for Go. It provides Java‑level monitoring capabilities with zero intrusion: developers simply replace the standard go build command with a custom build command to enable full monitoring and governance.

The open‑source version supports 16 mainstream frameworks (38 in the commercial version). For frameworks not on the list or for advanced custom needs, a modular instrumentation extension allows users to inject custom code into any target function via a simple JSON configuration, without modifying the original source repository.

Modular Extension Principle

Normally, go build performs six steps: source analysis, type checking, semantic analysis, compilation optimization, code generation, and linking. The auto‑instrumentation tool adds two extra steps before these: preprocessing and code injection.

Preprocess

The tool reads a user‑defined rule.json file that specifies which frameworks, versions, and functions should receive custom hook code. A typical configuration looks like:

[{ "ImportPath": "google.golang.org/grpc", "Function": "NewClient", "OnEnter": "grpcNewClientOnEnter", "OnExit": "grpcNewClientOnExit", "Path": "/path/to/my/code" }]

During preprocessing, the tool analyzes third‑party dependencies, matches them against the rules, and prepares any additional dependencies required by the rules. After preprocessing, the tool intercepts the normal compilation flow and inserts an extra code‑injection phase before each package is compiled.

Code Injection

In the injection phase, the tool inserts trampoline code for the target functions (e.g., NewClient). The trampoline acts as a logical jump point to execute user‑defined hook functions for monitoring or governance, while minimizing overhead through AST‑level optimizations.

Usage Examples

1. Record HTTP Request and Response Headers

Create a hook module, add hook.go with entry and exit hooks that marshal and print request/response headers, then configure rule.json to target net/http::(*Transport).RoundTrip. Build and run the demo with the custom build command to see the injected header logs.

package hook

import (
    "encoding/json"
    "fmt"
    "github.com/alibaba/opentelemetry-go-auto-instrumentation/pkg/api"
    "net/http"
)

func httpClientEnterHook(call api.CallContext, t *http.Transport, req *http.Request) {
    header, _ := json.Marshal(req.Header)
    fmt.Println("request header is ", string(header))
}

func httpClientExitHook(call api.CallContext, res *http.Response, err error) {
    header, _ := json.Marshal(res.Header)
    fmt.Println("response header is ", string(header))
}

[{ "ImportPath": "net/http", "Function": "RoundTrip", "OnEnter": "httpClientEnterHook", "ReceiverType": "*Transport", "OnExit": "httpClientExitHook", "Path": "/path/to/hook" }]

2. Replace the Standard Library Sort Algorithm

By injecting a custom quick‑sort implementation, developers can replace sort.Ints with a dual‑pivot quick sort. The hook sets call.SetSkipCall(true) to bypass the original sort.

package hook

import (
    "github.com/alibaba/opentelemetry-go-auto-instrumentation/pkg/api"
)

func dualPivotQuickSort(arr []int, low, high int) { /* implementation omitted */ }

func sortOnEnter(call api.CallContext, arr []int) {
    dualPivotQuickSort(arr, 0, len(arr)-1)
    call.SetSkipCall(true)
}

[{ "ImportPath": "sort", "Function": "Ints", "OnEnter": "sortOnEnter", "Path": "/path/to/hook" }]

3. Prevent SQL Injection

A hook inspects SQL queries for risky patterns and aborts execution if a potential injection is detected.

package hook

import (
    "database/sql"
    "errors"
    "github.com/alibaba/opentelemetry-go-auto-instrumentation/pkg/api"
    "log"
    "strings"
)

func checkSqlInjection(query string) error {
    patterns := []string{"--", ";", "/*", " or ", " and ", "'"}
    for _, p := range patterns {
        if strings.Contains(strings.ToLower(query), p) {
            return errors.New("potential SQL injection detected")
        }
    }
    return nil
}

func sqlQueryOnEnter(call api.CallContext, db *sql.DB, query string, args ...interface{}) {
    if err := checkSqlInjection(query); err != nil {
        log.Fatalf("sqlQueryOnEnter %v", err)
    }
}

[{ "ImportPath": "database/sql", "Function": "Query", "ReceiverType": "*DB", "OnEnter": "sqlQueryOnEnter", "Path": "/path/to/hook" }]

4. Add Traffic Protection to gRPC Clients

Using Sentinel‑Golang, a hook injects a unary client interceptor into grpc.NewClient to enforce outbound traffic control.

package hook

import (
    "context"
    "google.golang.org/grpc"
    sentinel "github.com/sentinel-golang/api"
    "github.com/sentinel-golang/core/base"
    pkgapi "github.com/alibaba/opentelemetry-go-auto-instrumentation/pkg/api"
)

func newClientOnEnter(call pkgapi.CallContext, target string, opts ...grpc.DialOption) {
    opts = append(opts, grpc.WithChainUnaryInterceptor(unaryClientInterceptor))
}

func unaryClientInterceptor(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, opts ...grpc.CallOption) error {
    entry, blockErr := sentinel.Entry(method, sentinel.WithResourceType(base.ResTypeRPC), sentinel.WithTrafficType(base.Outbound))
    defer func() { if entry != nil { entry.Exit() } }()
    if blockErr != nil { return blockErr }
    return invoker(ctx, method, req, reply, cc, opts...)
}

[{ "ImportPath": "google.golang.org/grpc", "Function": "NewClient", "OnEnter": "newClientOnEnter", "Path": "/path/to/hook" }]

Conclusion and Outlook

The compile‑time zero‑intrusion instrumentation solves the tedious manual tracing problem in micro‑service monitoring and has been commercialized on Alibaba Cloud. Its open‑source release to the OpenTelemetry community enables broader adoption and further exploration in areas such as service governance, code auditing, application security, and debugging.