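What is eBPF?
eBPF is a revolutionary technology that runs sandboxed programs inside the kernel without modifying kernel source code or loading kernel modules.
What is eBPF used for?
Developers write BPF programs in user space and load them into kernel space for execution, giving flexible management and control of kernel behavior.
Before a BPF program is loaded into the kernel, the verifier checks that the program is safe and will not crash the kernel, which provides a high level of safety.
The user-space toolkit bcc is supported, and bcc scripts can be used for performance analysis and network traffic control.
The kernel implements a BPF JIT (just-in-time) compiler that translates BPF bytecode into LoongArch machine code.
How is eBPF used?
Write a BPF program in C
The kernel source directory samples/bpf contains many example programs that users can refer to.
Use bcc scripts directly
1. Below is a simple bcc script that prints Hello, World! whenever any program is executed in a terminal.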
#!/usr/bin/python
# Copyright (c) PLUMgrid, Inc.
# Licensed under the Apache License, Version 2.0 (the "License")
# run in project examples directory with:
# sudo ./hello_world.py
# see trace_fields.py for a longer example
from bcc import BPF
# This may not work for 4.17 on x64; you need to replace kprobe__sys_clone with kprobe____x64_sys_clone
BPF(text='int kprobe__sys_clone(void *ctx) { bpf_trace_printk("Hello, World!\\n"); return 0; }').trace_print()
2. When system CPU usage is high, which system calls are made most often?
root@linux:/home/loongson# /usr/share/bcc/tools/syscount
Tracing syscalls, printing top 10... Ctrl+C to quit.
^C[20:20:09]
SYSCALL COUNT
recvmsg 123
ioctl 110
futex 74
ppoll 71
read 54
epoll_pwait 42
writev 33
write 25
setitimer 20
bpf 13
Detaching...
3. When system CPU usage is high, which processes are making the most system calls?
root@linux:/home/loongson# /usr/share/bcc/tools/syscount -P
Tracing syscalls, printing top 10... Ctrl+C to quit.
^C[20:21:01]
PID COMM COUNT
3217 Xorg 1542
3545 marco 388
629 avahi-daemon 238
3970 mate-terminal 220
3604 clock-applet 120
3561 mate-panel 56
3538 mate-settings-d 33
3808 lbrowser 26
9520 lbrowser 22
4804 lbrowser 22
Detaching...
4. Which system call takes the most time?
root@linux:/home/loongson# /usr/share/bcc/tools/syscount -L
Tracing syscalls, printing top 10... Ctrl+C to quit.
^C[20:21:52]
SYSCALL COUNT TIME (us)
ppoll 96 2441645.097
epoll_pwait 128 2406866.182
pselect6 3 1229933.849
futex 107 809629.583
ioctl 175 3435.596
recvmsg 199 381.781
writev 47 252.391
read 160 239.480
write 51 158.802
setitimer 42 53.480
Detaching...
5. Do system calls return a particular error value?
root@linux:/home/loongson# /usr/share/bcc/tools/syscount -e ENOENT -i 5
Tracing syscalls, printing top 10... Ctrl+C to quit.
[20:23:18]
SYSCALL COUNT
newfstatat 41
inotify_add_watch 9
[20:23:23]
SYSCALL COUNT
newfstatat 44
openat 17
inotify_add_watch 8
mkdirat 8
unlinkat 1
bpf 1
^C[20:23:25]
SYSCALL COUNT
inotify_add_watch 7
bpf 1
Detaching...
6. When the system is heavily loaded and running many processes, how can short-lived processes be traced?
root@linux:/home/loongson# /usr/share/bcc/tools/execsnoop
PCOMM PID PPID RET ARGS
gio-launch-desk 11887 3561 0 /usr/lib/loongarch64-linux-gnu/glib-2.0/gio-launch-desktop mate-terminal
mate-terminal 11887 3561 0 /usr/bin/mate-terminal
bash 11895 3970 0 /bin/bash
dircolors 11896 11895 0 /usr/bin/dircolors -b
^Croot@linux:/home/loongson# /usr/share/bcc/tools/opensnoop
PID COMM FD ERR PATH
3808 lbrowser 229 0 /proc/meminfo
609 irqbalance 6 0 /proc/interrupts
609 irqbalance 6 0 /proc/stat
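The execsnoop output in item 6 can be post-processed to see which parent spawned each short-lived process and which execs failed. The following is an added example, not part of the original page or of bcc; the function names are hypothetical, and the last two sample rows are constructed.

```python
import errno
import re
from collections import defaultdict

# PCOMM may contain spaces, so anchor on the three integer columns
# (PID, PPID, RET) instead of splitting the line on whitespace.
LINE_RE = re.compile(
    r"^(?P<pcomm>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<ret>-?\d+)(?:\s+(?P<args>.*))?$"
)

# The first four rows come from the execsnoop run above; the last two are
# constructed for this example (a failed exec and a comm containing a space).
SAMPLE = """\
PCOMM PID PPID RET ARGS
gio-launch-desk 11887 3561 0 /usr/lib/loongarch64-linux-gnu/glib-2.0/gio-launch-desktop mate-terminal
mate-terminal 11887 3561 0 /usr/bin/mate-terminal
bash 11895 3970 0 /bin/bash
dircolors 11896 11895 0 /usr/bin/dircolors -b
bash 11901 11895 -2 /usr/local/bin/missing-tool --version
Web Content 11910 3808 0 /usr/bin/example-helper
"""

def parse_execsnoop(text):
    """Return one dict per exec event, skipping the header and junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header row, blank line, or truncated output
        events.append({
            "pcomm": m["pcomm"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
            "ret": int(m["ret"]), "args": (m["args"] or "").split(),
        })
    return events

def children_by_parent(events):
    """Map PPID -> list of (pid, pcomm) it exec'd, to show who spawns what."""
    tree = defaultdict(list)
    for e in events:
        tree[e["ppid"]].append((e["pid"], e["pcomm"]))
    return dict(tree)

def failed_execs(events):
    """Execs whose RET is negative, with the errno name decoded."""
    return [(e["pid"], errno.errorcode.get(-e["ret"], "?"), e["args"][:1])
            for e in events if e["ret"] < 0]

if __name__ == "__main__":
    evs = parse_execsnoop(SAMPLE)
    for ppid, kids in sorted(children_by_parent(evs).items()):
        print(ppid, kids)
    print("failed:", failed_execs(evs))
```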
7. The bcc tools directory contains many useful scripts that can be used directly:
loongson@linux:~$ ls /usr/share/bcc/tools/
argdist doc mdflush pythonstat tcpaccept
bashreadline drsnoop memleak readahead tcpconnect
bindsnoop execsnoop mountsnoop reset-trace tcpconnlat
biolatency exitsnoop mysqld_qslower rubycalls tcpdrop
biolatpcts ext4dist netqtop rubyflow tcplife
biosnoop ext4slower netqtop.c rubygc tcpretrans
biotop filelife nfsdist rubyobjnew tcprtt
bitesize fileslower nfsslower rubystat tcpstates
bpflist filetop nodegc runqlat tcpsubnet
btrfsdist funccount nodestat runqlen tcpsynbl
btrfsslower funcinterval offcputime runqslower tcptop
cachestat funclatency offwaketime shmsnoop tcptracer
cachetop funcslower old slabratetop threadsnoop
capable gethostlatency oomkill sofdsnoop tplist
cobjnew hardirqs opensnoop softirqs trace
compactsnoop inject perlcalls solisten ttysnoop
cpudist javacalls perlflow sslsniff vfscount
cpuunclaimed javaflow perlstat stackcount vfsstat
criticalstat javagc phpcalls statsnoop virtiostat
dbslower javaobjnew phpflow swapin wakeuptime
dbstat javastat phpstat syncsnoop xfsdist
dcsnoop javathreads pidpersec syscount xfsslower
dcstat killsnoop profile tclcalls zfsdist
deadlock klockstat pythoncalls tclflow zfsslower
deadlock.c lib pythonflow tclobjnew
dirtop llcstat pythongc tclstat