#### Section 04
###### bpftool: inspects the state of eBPF programs loaded on the system
# List the eBPF programs currently loaded in the kernel.
# Each entry shows the program id, type, name, tag, load time and loading uid,
# which also makes this the first command to run when auditing what is attached to a host.
sudo bpftool prog list
# Dump the instructions of one program; replace 89 with an id reported by "prog list".
# "xlated" prints the BPF instructions as the kernel holds them after load
# (helper calls appear resolved, e.g. "call bpf_trace_printk#...").
sudo bpftool prog dump xlated id 89

# "jited" prints the JIT-compiled native code instead.
# It fails with "Error: No libbfd support" when bpftool was built without libbfd.
sudo bpftool prog dump jited id 89


# Trace system calls. -ebpf (short for -e trace=bpf) limits the trace to the bpf() system call,
# -v prints structures unabbreviated (the full insns array), -f follows child processes.
strace -v -f -ebpf ./hello-opennat.py

# Same trace without the filter: every system call made by the script and its children.
strace -v -f ./hello-opennat.py

用高级语言开发的 eBPF 程序,需要首先编译为 BPF 字节码(即 BPF 指令),然后借助 bpf 系统调用加载到内核中,最后再通过性能监控等接口,与具体的内核事件进行绑定。这样,内核的性能监控模块才会在内核事件发生时,自动执行我们开发的 eBPF 程序。


环境信息

[root@ubuntu-22 ~]# uname -a
Linux ubuntu-22 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

[root@ubuntu-22 ~]# uname -r
5.15.0-58-generic

[root@ubuntu-22 ~]# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy

操作

BPF 指令是什么样的?

[root@ubuntu-22 geektime]# sudo bpftool prog list
...
170: kprobe name hello_world tag 38dd440716c4900f gpl
loaded_at 2023-01-29T22:53:07+0800 uid 0
xlated 104B jited 74B memlock 4096B
btf_id 103


[root@ubuntu-22 geektime]# sudo bpftool prog dump xlated id 170
int hello_world(void * ctx):
; int hello_world(void *ctx)
0: (b7) r1 = 33
; ({ char _fmt[] = "Hello, World!"; bpf_trace_printk_(_fmt, sizeof(_fmt)); }); // 最常用的 BPF 辅助函数,它的作用是输出一段字符串。不过,由于 eBPF 运行在内核中,它的输出并不是通常的标准输出(stdout),而是内核调试文件 /sys/kernel/debug/tracing/trace_pipe
1: (6b) *(u16 *)(r10 -4) = r1
2: (b7) r1 = 1684828783
3: (63) *(u32 *)(r10 -8) = r1
4: (18) r1 = 0x57202c6f6c6c6548
6: (7b) *(u64 *)(r10 -16) = r1
7: (bf) r1 = r10
;
8: (07) r1 += -16
; ({ char _fmt[] = "Hello, World!"; bpf_trace_printk_(_fmt, sizeof(_fmt)); }); // 最常用的 BPF 辅助函数,它的作用是输出一段字符串。不过,由于 eBPF 运行在内核中,它的输出并不是通常的标准输出(stdout),而是内核调试文件 /sys/kernel/debug/tracing/trace_pipe
9: (b7) r2 = 14
10: (85) call bpf_trace_printk#-65424
; return 0;
11: (b7) r0 = 0
12: (95) exit


[root@ubuntu-22 geektime]# sudo bpftool prog dump jited id 170
Error: No libbfd support

[root@ubuntu-22 geektime]# sudo bpftool version -p
{
"version": "5.15.74",
"features": {
"libbfd": false,
"skeletons": false
}
}

eBPF 程序是什么时候执行的?

[root@ubuntu-22 geektime]# sudo strace -v -f -ebpf ./hello.py
strace: exec: Permission denied
+++ exited with 1 +++

[root@ubuntu-22 geektime]# chmod +x hello.py

[root@ubuntu-22 geektime]# sudo strace -v -f -ebpf ./hello.py
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:41:9: warning: '__HAVE_BUILTIN_BSWAP32__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP32__
^
<command line>:4:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP32__ 1
^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:42:9: warning: '__HAVE_BUILTIN_BSWAP64__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP64__
^
<command line>:5:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP64__ 1
^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:43:9: warning: '__HAVE_BUILTIN_BSWAP16__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP16__
^
<command line>:3:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP16__ 1
^
3 warnings generated.
bpf(BPF_BTF_LOAD, {btf="\237\353\1\0\30\0\0\0\0\0\0\0\230\2\0\0\230\2\0\0\315\t\0\0\0\0\0\0\0\0\0\2"..., btf_log_buf=NULL, btf_size=3197, btf_log_size=0, btf_log_level=0}, 128) = 3
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=13, insns=[{code=BPF_ALU64|BPF_K|BPF_MOV, dst_reg=BPF_REG_1, src_reg=BPF_REG_0, off=0, imm=0x21}, {code=BPF_STX|BPF_H|BPF_MEM, dst_reg=BPF_REG_10, src_reg=BPF_REG_1, off=-4, imm=0}, {code=BPF_ALU64|BPF_K|BPF_MOV, dst_reg=BPF_REG_1, src_reg=BPF_REG_0, off=0, imm=0x646c726f}, {code=BPF_STX|BPF_W|BPF_MEM, dst_reg=BPF_REG_10, src_reg=BPF_REG_1, off=-8, imm=0}, {code=BPF_LD|BPF_DW|BPF_IMM, dst_reg=BPF_REG_1, src_reg=BPF_REG_0, off=0, imm=0x6c6c6548}, {code=BPF_LD|BPF_W|BPF_IMM, dst_reg=BPF_REG_0, src_reg=BPF_REG_0, off=0, imm=0x57202c6f}, {code=BPF_STX|BPF_DW|BPF_MEM, dst_reg=BPF_REG_10, src_reg=BPF_REG_1, off=-16, imm=0}, {code=BPF_ALU64|BPF_X|BPF_MOV, dst_reg=BPF_REG_1, src_reg=BPF_REG_10, off=0, imm=0}, {code=BPF_ALU64|BPF_K|BPF_ADD, dst_reg=BPF_REG_1, src_reg=BPF_REG_0, off=0, imm=0xfffffff0}, {code=BPF_ALU64|BPF_K|BPF_MOV, dst_reg=BPF_REG_2, src_reg=BPF_REG_0, off=0, imm=0xe}, {code=BPF_JMP|BPF_K|BPF_CALL, dst_reg=BPF_REG_0, src_reg=BPF_REG_0, off=0, imm=0x6}, {code=BPF_ALU64|BPF_K|BPF_MOV, dst_reg=BPF_REG_0, src_reg=BPF_REG_0, off=0, imm=0}, {code=BPF_JMP|BPF_K|BPF_EXIT, dst_reg=BPF_REG_0, src_reg=BPF_REG_0, off=0, imm=0}], license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(5, 15, 74), prog_flags=0, prog_name="hello_world", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=3, func_info_rec_size=8, func_info=0x55cd34bb8700, func_info_cnt=1, line_info_rec_size=16, line_info=0x55cd34b42800, line_info_cnt=5, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 128) = 4
b' head-165284 [000] d...1 27977.168992: bpf_trace_printk: Hello, World!'
b' head-165284 [000] d...1 27977.169022: bpf_trace_printk: Hello, World!'
b' head-165284 [000] d...1 27977.169047: bpf_trace_printk: Hello, World!'
b' head-165284 [000] d...1 27977.169050: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27978.006685: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27978.006702: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193472: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193486: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193505: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193505: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193711: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193712: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193806: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193807: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193900: bpf_trace_printk: Hello, World!'
b' who-165294 [000] d...1 27978.193902: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27978.257082: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27978.257119: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27978.506782: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27978.506819: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27978.757435: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27978.757476: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.006600: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.006637: bpf_trace_printk: Hello, World!'
b' head-165297 [000] d...1 27979.203999: bpf_trace_printk: Hello, World!'
b' head-165297 [000] dN..1 27979.204040: bpf_trace_printk: Hello, World!'
b' head-165297 [000] d...1 27979.204324: bpf_trace_printk: Hello, World!'
b' head-165297 [000] dN..1 27979.204347: bpf_trace_printk: Hello, World!'
b' head-165297 [000] d...1 27979.204716: bpf_trace_printk: Hello, World!'
b' head-165297 [000] dN..1 27979.204729: bpf_trace_printk: Hello, World!'
b' head-165297 [000] d...1 27979.205191: bpf_trace_printk: Hello, World!'
b' head-165297 [000] dN..1 27979.205215: bpf_trace_printk: Hello, World!'
b' tail-165298 [001] d...1 27979.212232: bpf_trace_printk: Hello, World!'
b' tail-165298 [001] dN..1 27979.212317: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257070: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257121: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257315: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257323: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257356: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257357: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257426: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257428: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257496: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257497: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257515: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257516: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257626: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257627: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257699: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257700: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257716: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257717: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257732: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257733: bpf_trace_printk: Hello, World!'
b' systemd-oomd-636 [001] d...1 27979.257748: bpf_trace_printk: Hello, World!'


http://example.com/2023/10/31/ebpf/04/
作者
ningan123
发布于
2023年10月31日
许可协议