This document discusses Linux tracing tools and the evolution from DTrace on BSD to eBPF on Linux. It begins with an overview of DTrace and its capabilities on BSD, then discusses the limitations of early Linux tracing tools. It introduces eBPF and the BCC compiler collection, which make it easier to write and use eBPF programs. Examples are given showing how BCC can be used to trace system calls, file opens, and command executions. The document argues that BCC and eBPF help address the problems of early Linux tracing by making the tools more approachable and powerful for production use.
9. I realized at a relatively young age (~19) that I love debugging.
Bryan Cantrill
11. The greatest satisfaction that I have had is nailing a nasty bug — it's an experience that (for me, anyway) is so visceral as to be nearly primal.
Bryan Cantrill
24. $ dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'
dtrace: description 'proc:::exec-success ' matched 1 probe
CPU ID FUNCTION:NAME
0 3297 exec_common:exec-success man ls
0 3297 exec_common:exec-success tbl /usr/share/man/man1/ls.1
0 3297 exec_common:exec-success neqn /usr/share/lib/pub/eqnchar -
0 3297 exec_common:exec-success nroff -u0 -Tlp -man -
0 3297 exec_common:exec-success col -x
0 3297 exec_common:exec-success sh -c more -s /tmp/mpzIaOZF
0 3297 exec_common:exec-success more -s /tmp/mpzIaOZF
28. dtrace -l
dtrace: system integrity protection is on, some features will not be available
dtrace: failed to initialize dtrace: DTrace requires additional privileges
113. 1. Write your BPF program in C, inline or in a separate file
2. Write a Python script that loads and interacts with your BPF program
3. Attach to kprobes, sockets, etc.
4. Read/update maps
5. Configuration, complex calculation/correlations
6. Iterate on the above and re-try... in seconds
114.
from bcc import BPF          # current BCC module name; the slide's "from bpf import BPF" is the pre-rename path
from subprocess import call

# The BPF program, written in C and compiled by BCC at load time.
# The newline is written as \\n so that the escape survives Python's string
# processing and reaches the C source as \n.
prog = """
int hello(void *ctx) {
    bpf_trace_printk("Hello, World!\\n");
    return 0;
};
"""

b = BPF(text=prog)
# Attach hello() as a kprobe on the clone() syscall entry. get_syscall_fnname()
# resolves the per-architecture symbol (e.g. __x64_sys_clone) instead of
# hard-coding "sys_clone", which no longer exists on current kernels.
b.attach_kprobe(event=b.get_syscall_fnname("clone"), fn_name="hello")

# Stream the kernel trace buffer until Ctrl-C (needs root).
try:
    call(["cat", "/sys/kernel/debug/tracing/trace_pipe"])
except KeyboardInterrupt:
    pass
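The hello-world script covers steps 1-3 and 6 of the workflow but never touches a map. The following script is an added example, not from the slides and not one of BCC's own tools: it counts execve() calls per process name in a BPF_HASH (the Linux counterpart of the DTrace exec-success one-liner shown earlier), reads the map from Python (step 4), and includes a parser for the trace_pipe lines the hello-world script cats. It assumes a Linux host with root and the bcc Python package; the sample trace_pipe line is constructed, and the map-reading helper is written so it also accepts plain (bytes, int) pairs for offline use.

```python
# Added example (not from the slides or from BCC's own tools): the BCC workflow
# with a map. Assumes a Linux host with root and the bcc Python package; the
# helper functions below are pure Python and run anywhere.
import re
import time
from collections import Counter

try:
    from bcc import BPF          # BCC's Python front end (Linux only)
except ImportError:
    BPF = None                   # helpers stay usable without BCC installed

# Step 1: the BPF program in C. A BPF_HASH keyed by process name counts
# how many times each comm entered the execve() syscall.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>

struct key_t {
    char comm[16];               /* TASK_COMM_LEN */
};

BPF_HASH(exec_counts, struct key_t, u64);

int count_exec(struct pt_regs *ctx) {
    struct key_t key = {};
    bpf_get_current_comm(&key.comm, sizeof(key.comm));
    exec_counts.increment(key);  /* BCC rewrites this into lookup/update helper calls */
    return 0;
}
"""

# Matches one ftrace trace_pipe line, e.g. (constructed sample):
#   "            bash-21176 [003] d... 12345.678901: 0x00000001: Hello, World!"
TRACE_LINE = re.compile(
    r"^\s*(?P<comm>.+?)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+"
    r"(?P<ts>\d+\.\d+):\s+(?P<func>\S+):\s?(?P<msg>.*)$"
)


def parse_trace_pipe_line(line):
    """Turn a raw trace_pipe line (what the hello-world script cats) into a
    dict; returns None for lines that do not match the ftrace format."""
    m = TRACE_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["cpu"] = int(rec["cpu"])
    rec["ts"] = float(rec["ts"])
    return rec


def summarize_map(items):
    """Step 4: fold raw (key, value) pairs read from a BPF_HASH into
    {comm: count}, most frequent first. Accepts BCC's ctypes objects
    (key.comm is bytes, value.value is an int) as well as plain
    (bytes, int) pairs, so it can be tested without a kernel."""
    counts = Counter()
    for key, val in items:
        comm = getattr(key, "comm", key)
        count = getattr(val, "value", val)
        if isinstance(comm, bytes):
            # char[16] may carry trailing NULs when read as raw bytes
            comm = comm.split(b"\0", 1)[0].decode("utf-8", errors="replace")
        counts[comm] += int(count)
    return dict(counts.most_common())


def run_tracer(seconds=5):
    """Steps 2-4: load the C program, attach it to the execve() syscall
    kprobe, wait, then read the map from user space."""
    if BPF is None:
        raise RuntimeError("bcc is not available; run this on Linux with BCC installed")
    b = BPF(text=BPF_PROGRAM)
    # get_syscall_fnname resolves the per-architecture symbol (e.g. __x64_sys_execve)
    b.attach_kprobe(event=b.get_syscall_fnname("execve"), fn_name="count_exec")
    time.sleep(seconds)
    return summarize_map(b["exec_counts"].items())


if __name__ == "__main__":
    for comm, count in run_tracer().items():
        print(f"{comm:16} {count}")
```

Run it as root (for instance `sudo python3 exec_counts.py`, a hypothetical file name) while starting a few commands in another shell; the output is one line per parent process name with the number of execve() calls it made during the window. Keeping the aggregation in the kernel map rather than printing every event through trace_pipe is what makes this pattern cheap enough for production hosts.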
146. # ./bashreadline
TIME PID COMMAND
05:28:25 21176 ls -l
05:28:28 21176 date
05:28:35 21176 echo hello world
05:28:43 21176 foo this command failed
05:28:45 21176 df -h
05:29:04 3059 echo another shell
05:29:13 21176 echo first shell again