2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Today the editor shares some knowledge about how to use bpftrace under Linux. The content is detailed and the logic is clear. Most people probably do not know much about this topic yet, so this article is shared for your reference; I hope you get something out of it. Let's take a look.
bpftrace is a new open-source tracer for Linux for analyzing production performance problems and troubleshooting software. Its users and contributors include Netflix, Facebook, Red Hat and Shopify, and it was created by Alastair Robertson, a talented UK-based developer who has won various coding competitions.
Installation and getting started
From the terminal, use sudo to execute the following command to install bpftrace:
$ sudo dnf install bpftrace
Experiment with "hello world":
$ sudo bpftrace -e 'BEGIN { printf("hello world\n"); }'
Note that bpftrace loads BPF programs into the kernel, so it must be run as root; the -e option passes a program on the command line, building a so-called "one-liner". This example only prints "hello world" and then waits until you press Ctrl+C.
BEGIN is a special probe name that fires exactly once, at the start of execution. Each time a probe fires, the action inside the curly braces {} (here, just a printf) is executed.
Now let's turn to a more useful example:
$ sudo bpftrace -e 't:syscalls:sys_enter_execve { printf("%s called %s\n", comm, str(args->filename)); }'
This example prints the name of the calling (parent) process (comm) and the path of each new program being executed on the system. t:syscalls:sys_enter_execve is a kernel tracepoint, short for tracepoint:syscalls:sys_enter_execve; both forms can be used. The next section shows how to list all available tracepoints.
comm is a bpftrace built-in variable holding the name of the current process; filename is a field of the t:syscalls:sys_enter_execve tracepoint, accessed through the args built-in. Note that str() copies at most BPFTRACE_STRLEN bytes (64 by default), so longer paths are truncated.
All available fields of a tracepoint can be listed with this command:
$ sudo bpftrace -lv "t:syscalls:sys_enter_execve"
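The one-liner above can be grown into a small exec-auditing script. The following is an added example, not code from the original article or from the bpftrace project: it prints uid, pid, the calling process name and the complete argument vector of every execve(), reports execs that fail, and keeps a per-program count that is printed when you press Ctrl+C. The column layout and map name are my own choices.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * exec audit (added example, not from the article).
 * Run with: sudo bpftrace ./execaudit.bt
 */
BEGIN
{
	printf("%-6s %-7s %-16s %s\n", "UID", "PID", "COMM", "ARGV");
}

/* Fires in the caller's context: comm is still the process that called execve(). */
tracepoint:syscalls:sys_enter_execve
{
	printf("%-6d %-7d %-16s ", uid, pid, comm);
	join(args->argv);          /* prints argv[] joined by spaces, then a newline */
	@execs[comm] = count();    /* how many children each program spawns */
}

/* A negative return value means the exec failed (e.g. -2 for ENOENT);
 * the process image is unchanged, so comm is still the caller's name. */
tracepoint:syscalls:sys_exit_execve
/args->ret < 0/
{
	printf("exec failed: pid %d comm %s ret %d\n", pid, comm, args->ret);
}

END
{
	printf("\nexecve() calls per calling program:\n");
	print(@execs);
	clear(@execs);             /* already printed; stop bpftrace printing it again */
}
```

join() is the idiomatic way to print a NULL-terminated char * array such as argv; it avoids looping over pointers, which bpftrace does not allow. Like str(), it is bounded by BPFTRACE_STRLEN per element, so very long arguments are truncated.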
Sample usage
One of the core concepts of bpftrace is the probe point: an instrumentation point in code (kernel or user space) that an eBPF program can attach to. Probes fall into the following broad categories:
kprobe -- entry of a kernel function
kretprobe -- return of a kernel function
uprobe -- entry of a user-level function
uretprobe -- return of a user-level function
tracepoint -- kernel static tracepoint
usdt -- user-level static tracepoint
profile -- time-based sampling
interval -- time-based output
software -- kernel software events
hardware -- processor-level events
All available kprobe/kretprobe, tracepoint, software and hardware probes can be listed with this command:
$ sudo bpftrace -l
uprobe/uretprobe and usdt are user-space probes that are specific to an executable; to use them you need the special syntax shown in the user-space section below. profile and interval probes fire at fixed time intervals; they are not covered in this article.
Counting system calls
Maps are a special BPF data type that holds counts, statistics and histograms. You can use a map to count how many times each system call is invoked:
$ sudo bpftrace -e 't:syscalls:sys_enter_* { @[probe] = count(); }'
Some probe types let you match several probes with wildcards, and you can also use a comma-separated list to attach one action block to several probes. In the example above, the action block is attached to every tracepoint whose name begins with t:syscalls:sys_enter_, that is, to every available system call.
bpftrace's built-in function count() counts how often the probe fires; @[] denotes a map (an associative array). The map key probe is another built-in variable holding the full name of the probe that fired.
So in this example the same action block is attached to every system call, and each time a system call is entered the map entry for that call is incremented. When the program terminates, all declared maps are printed automatically.
The next example counts all system calls again, but uses bpftrace's filter syntax to keep only the system calls made by one particular process, selected by PID:
$ sudo bpftrace -e 't:syscalls:sys_enter_* /pid == 1234/ { @[probe] = count(); }'
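Building on the wildcard and filter examples above, here is an added example (not from the original article or from the bpftrace project's tools) that turns the PID one-liner into a reusable script: the target PID is passed as the positional parameter $1, the top ten system calls are printed at exit, and the matching sys_exit_* probes are used to record which calls fail and with which errno. The map names and the usage message are my own choices.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Per-process syscall profile (added example, not from the article).
 * Usage: sudo bpftrace ./syscount_pid.bt <pid>
 */
BEGIN
{
	/* An unset positional parameter reads as 0, so use that to detect misuse. */
	if ($1 == 0) {
		printf("usage: syscount_pid.bt <pid>\n");
		exit();
	}
	printf("Counting syscalls of pid %d... hit Ctrl-C to end.\n", $1);
}

/* Every sys_enter_* tracepoint of the target process increments its own counter. */
tracepoint:syscalls:sys_enter_*
/pid == $1/
{
	@calls[probe] = count();
}

/* Every sys_exit_* tracepoint has a ret field; a negative value is -errno.
 * Keying by (probe, ret) shows which calls fail and how. */
tracepoint:syscalls:sys_exit_*
/pid == $1 && args->ret < 0/
{
	@errors[probe, args->ret] = count();
}

END
{
	printf("\nTop 10 system calls of pid %d:\n", $1);
	print(@calls, 10);
	printf("\nFailing system calls (probe, -errno):\n");
	print(@errors);
	clear(@calls);
	clear(@errors);
}
```

print(@map, N) prints only the N largest entries, which keeps the output readable for busy processes; clearing the maps in END stops bpftrace from printing them a second time on exit. Because the filter is evaluated in the kernel, events from other processes are dropped before they reach user space, so the cost of tracing every system call stays low.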
Bytes written per process
Let's use the concepts above to analyze how many bytes each process is writing:
$ sudo bpftrace -e 't:syscalls:sys_exit_write /args->ret > 0/ { @[comm] = sum(args->ret); }'
bpftrace attaches the action block to the return probe of the write system call (t:syscalls:sys_exit_write) and uses a filter to discard negative values, which represent error codes (/args->ret > 0/).
The map key comm is the name of the process making the system call; the built-in function sum() accumulates the bytes written for each map entry, i.e. for each process; and args is the bpftrace built-in that gives access to the tracepoint's arguments and return value. On success, the write system call returns the number of bytes written, and args->ret is used to read that number.
Read size distribution per process (histogram)
bpftrace can also build histograms. Let's look at an example that shows the distribution of read sizes per process:
$ sudo bpftrace -e 't:syscalls:sys_exit_read { @[comm] = hist(args->ret); }'
A histogram is a BPF map, so it must be stored in a map (@); here the map key is comm.
This example makes bpftrace produce one histogram for every process that calls the read system call. For a single global histogram, assign hist() directly to @ without a key.
When the program terminates, bpftrace automatically prints every declared histogram. The value being binned is the number of bytes read, taken from args->ret. Note that failed reads return a negative value and would land in the histogram's negative bucket; add the filter /args->ret >= 0/ if you only want successful reads.
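Maps are also how bpftrace carries state from one probe to another. The following added example (not code from the original article or from the bpftrace project) combines the hist() and filter ideas above with that pattern: it stores a timestamp keyed by thread id when read() is entered, and on return it records both a per-process histogram of read sizes (successful reads only) and a per-process histogram of read latency in microseconds. Map and variable names are my own.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * read() size and latency per process (added example, not from the article).
 * Run with: sudo bpftrace ./readlat.bt
 */
BEGIN
{
	printf("Tracing read() size and latency... hit Ctrl-C to end.\n");
}

/* On entry, remember when this thread started its read(). tid is unique
 * per thread, so concurrent reads in one process do not collide. */
tracepoint:syscalls:sys_enter_read
{
	@start[tid] = nsecs;
}

/* Only handle returns for which we saw the entry (the filter is false when
 * the key is absent); skip errors so they do not pollute the size histogram. */
tracepoint:syscalls:sys_exit_read
/@start[tid] && args->ret >= 0/
{
	@bytes[comm] = hist(args->ret);                    /* power-of-2 buckets of bytes read */
	@lat_us[comm] = hist((nsecs - @start[tid]) / 1000); /* latency in microseconds */
	delete(@start[tid]);                               /* free the slot; avoids a leak */
}

/* Errors still need their start slot cleaned up. */
tracepoint:syscalls:sys_exit_read
/@start[tid] && args->ret < 0/
{
	@err[comm, args->ret] = count();
	delete(@start[tid]);
}

END
{
	clear(@start);   /* threads still inside read() at exit; not interesting */
}
```

The @start map is cleared in END so only the three result maps are printed. Deleting the entry on every exit path matters: a map that only grows eventually hits bpftrace's default map size limit and new entries are silently dropped.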
Tracing user-space programs
You can also trace user-space programs through uprobes/uretprobes and USDT (user-level statically defined tracing). The next example uses a uretprobe at the end of a user-level function to capture the command line entered in every bash running on the system:
$ sudo bpftrace -e 'uretprobe:/bin/bash:readline { printf("readline: \"%s\"\n", str(retval)); }'
To list all uprobes/uretprobes available in the bash executable, run:
$ sudo bpftrace -l "uprobe:/bin/bash:*"
A uprobe fires at the start of a user-level function, a uretprobe at its end (return). readline() is a function in /bin/bash that returns the command line typed by the user; retval is the return value of the probed function and can only be accessed in return probes. Since uprobes attach to the file's inode, this only observes bash processes running that exact binary; a shell binary at another path, or a bash running a non-interactive script (which never calls readline()), is not seen.
In uprobes, the function's parameters are available as arg0..argN. A char * pointer must be passed through str() to read it as a string.
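To show both sides of the same function, here is an added example (not from the original article or from the bpftrace project's tools) that pairs a uprobe and a uretprobe on bash's readline(): the entry probe captures the prompt from arg0, the return probe prints a timestamp, uid, pid, prompt and the command entered, handles the NULL return that signals Ctrl-D, and counts commands per user. It assumes the shell binary is /bin/bash and a bpftrace version that provides strftime() (0.11 or newer); map and column names are my own.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * bash command audit with prompt (added example, not from the article).
 * Run with: sudo bpftrace ./bashcmd.bt
 */
BEGIN
{
	printf("%-8s %-5s %-6s %-12s %s\n", "TIME", "UID", "PID", "PROMPT", "COMMAND");
}

/* readline(const char *prompt): arg0 is the prompt pointer at function entry. */
uprobe:/bin/bash:readline
{
	@prompt[tid] = str(arg0);
}

/* Normal return: retval points at the line the user typed. */
uretprobe:/bin/bash:readline
/retval != 0/
{
	printf("%-8s %-5d %-6d %-12s %s\n",
	    strftime("%H:%M:%S", nsecs), uid, pid, @prompt[tid], str(retval));
	@cmds[uid] = count();
	delete(@prompt[tid]);
}

/* NULL return: end of input (Ctrl-D), the shell is about to exit. */
uretprobe:/bin/bash:readline
/retval == 0/
{
	printf("%-8s %-5d %-6d %-12s <EOF>\n",
	    strftime("%H:%M:%S", nsecs), uid, pid, @prompt[tid]);
	delete(@prompt[tid]);
}

END
{
	printf("\ncommands entered per uid:\n");
	print(@cmds);
	clear(@cmds);
	clear(@prompt);
}
```

Because the command is read from the readline() return value rather than from the terminal, it is captured before any shell expansion, exactly as typed, which is what makes this pattern useful for auditing interactive sessions; bear in mind that it therefore also captures anything sensitive a user types at the prompt.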
Bundled scripts
The bpftrace package ships with many useful scripts, found in the /usr/share/bpftrace/tools/ directory.
Among them you will find:
killsnoop.bt -- traces signals sent by the kill() system call
tcpconnect.bt -- traces all TCP network connections
pidpersec.bt -- counts new processes (via fork) per second
opensnoop.bt -- traces open() system calls
vfsstat.bt -- traces some VFS calls, with per-second counts
You can run these scripts directly, for example:
$ sudo /usr/share/bpftrace/tools/killsnoop.bt
You can also refer to these scripts when creating new tools.
That is the whole of the article "How to use bpftrace under Linux". Thank you for reading; I hope you gained something from it. The editor posts new material every day; to learn more, follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.