What is eBPF?

eBPF is a revolutionary technology that can run sandboxed programs inside the kernel without modifying the kernel source or loading kernel modules.

What is eBPF for?

Developers write BPF programs in user space and load them into kernel space for execution, which gives flexible management and control over kernel behaviour.
Before a BPF program is loaded into the kernel, the verifier checks whether the program is safe and ensures it cannot crash the kernel, so the level of safety is high.
The user-space bcc toolkit is supported; bcc scripts can be used for performance analysis and network traffic control.
The kernel implements a BPF JIT (just-in-time compilation) feature that translates BPF bytecode into LoongArch machine code.

How do you use eBPF?

Writing BPF programs in C

The kernel source tree contains many sample programs under samples/bpf that users can refer to.

Using bcc scripts directly

1. Below is a simple bcc script; whenever you run any program in a terminal it prints Hello, World!

#!/usr/bin/python
# Copyright (c) PLUMgrid, Inc.
# Licensed under the Apache License, Version 2.0 (the "License")

# run in project examples directory with:
# sudo ./hello_world.py
# see trace_fields.py for a longer example

from bcc import BPF

# This may not work for 4.17 on x64; you need to replace kprobe__sys_clone with kprobe____x64_sys_clone
BPF(text='int kprobe__sys_clone(void *ctx) { bpf_trace_printk("Hello, World!\\n"); return 0; }').trace_print()

2. When system CPU usage is high, which system call is invoked the most often?

root@linux:/home/loongson# /usr/share/bcc/tools/syscount
Tracing syscalls, printing top 10... Ctrl+C to quit.
^C[20:20:09]
SYSCALL                   COUNT
recvmsg                     123
ioctl                       110
futex                        74
ppoll                        71
read                         54
epoll_pwait                  42
writev                       33
write                        25
setitimer                    20
bpf                          13

Detaching...

3. When system CPU usage is high, which process is making many system calls?

root@linux:/home/loongson# /usr/share/bcc/tools/syscount -P
Tracing syscalls, printing top 10... Ctrl+C to quit.
^C[20:21:01]
PID    COMM               COUNT
3217   Xorg                1542
3545   marco                388
629    avahi-daemon         238
3970   mate-terminal        220
3604   clock-applet         120
3561   mate-panel            56
3538   mate-settings-d       33
3808   lbrowser              26
9520   lbrowser              22
4804   lbrowser              22

Detaching...

4. Which system call took the longest time?

root@linux:/home/loongson# /usr/share/bcc/tools/syscount -L
Tracing syscalls, printing top 10... Ctrl+C to quit.
^C[20:21:52]
SYSCALL                   COUNT        TIME (us)
ppoll                        96      2441645.097
epoll_pwait                 128      2406866.182
pselect6                      3      1229933.849
futex                       107       809629.583
ioctl                       175         3435.596
recvmsg                     199          381.781
writev                       47          252.391
read                        160          239.480
write                        51          158.802
setitimer                    42           53.480

Detaching...

5. Are system calls returning a particular error value?

root@linux:/home/loongson# /usr/share/bcc/tools/syscount -e ENOENT -i 5
Tracing syscalls, printing top 10... Ctrl+C to quit.
[20:23:18]
SYSCALL                   COUNT
newfstatat                   41
inotify_add_watch             9

[20:23:23]
SYSCALL                   COUNT
newfstatat                   44
openat                       17
inotify_add_watch             8
mkdirat                       8
unlinkat                      1
bpf                           1

^C[20:23:25]
SYSCALL                   COUNT
inotify_add_watch             7
bpf                           1

Detaching...

6. When the system load is high and there are many processes, how do you trace short-lived processes?

root@linux:/home/loongson# /usr/share/bcc/tools/execsnoop
PCOMM            PID    PPID   RET ARGS
gio-launch-desk  11887  3561     0 /usr/lib/loongarch64-linux-gnu/glib-2.0/gio-launch-desktop mate-terminal
mate-terminal    11887  3561     0 /usr/bin/mate-terminal
bash             11895  3970     0 /bin/bash
dircolors        11896  11895    0 /usr/bin/dircolors -b
^Croot@linux:/home/loongson# /usr/share/bcc/tools/opensnoop
PID    COMM               FD ERR PATH
3808   lbrowser          229   0 /proc/meminfo
609    irqbalance          6   0 /proc/interrupts
609    irqbalance          6   0 /proc/stat
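The script below is an added example, not part of the original page or of the bcc project: it takes the hello-world pattern from item 1 and turns it into a small syscount -P style tool that answers the question in item 3. It attaches a handler to the raw_syscalls:sys_enter tracepoint, counts syscalls per PID and command name in a BPF hash map, and prints the top 10 on Ctrl+C; it assumes root and the bcc Python bindings, and the key struct and the helper names dump_map and top_n are my own.

```python
#!/usr/bin/python3
# Added example, not from the original page or the bcc project: a small
# syscount -P style tool. Assumes root and the bcc Python bindings.
import time

# Kernel side (C, compiled by bcc at load time). One handler on the
# raw_syscalls:sys_enter tracepoint, one hash map keyed by PID + comm.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>

struct key_t {
    u32 pid;
    char comm[16];               // TASK_COMM_LEN
};

BPF_HASH(counts, struct key_t, u64);

TRACEPOINT_PROBE(raw_syscalls, sys_enter) {
    struct key_t key = {};
    key.pid = bpf_get_current_pid_tgid() >> 32;   // upper 32 bits = tgid
    bpf_get_current_comm(&key.comm, sizeof(key.comm));
    counts.increment(key);       // bcc helper: lookup-or-init, then +1
    return 0;
}
"""

def dump_map(counts):
    """Flatten a bcc table into plain (pid, comm, count) tuples."""
    return [(k.pid, k.comm.decode(errors="replace"), v.value)
            for k, v in counts.items()]

def top_n(rows, n=10):
    """Rows with the highest count first, like syscount's top-10 output."""
    return sorted(rows, key=lambda r: r[2], reverse=True)[:n]

def main():
    from bcc import BPF   # imported here so the helpers above need no bcc
    b = BPF(text=BPF_PROGRAM)
    print("Counting syscalls per process... Ctrl+C to print top 10.")
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        pass
    print("%-7s %-16s %8s" % ("PID", "COMM", "COUNT"))
    for pid, comm, count in top_n(dump_map(b["counts"])):
        print("%-7d %-16s %8d" % (pid, comm, count))

if __name__ == "__main__":
    main()
```

Run it as root with `python3 script.py`, press Ctrl+C after a few seconds, and compare the table with the `syscount -P` output shown in item 3.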

7. The bcc tools directory contains many useful scripts that can be used directly:

loongson@linux:~$ ls /usr/share/bcc/tools/
argdist       doc             mdflush         pythonstat   tcpaccept
bashreadline  drsnoop         memleak         readahead    tcpconnect
bindsnoop     execsnoop       mountsnoop      reset-trace  tcpconnlat
biolatency    exitsnoop       mysqld_qslower  rubycalls    tcpdrop
biolatpcts    ext4dist        netqtop         rubyflow     tcplife
biosnoop      ext4slower      netqtop.c       rubygc       tcpretrans
biotop        filelife        nfsdist         rubyobjnew   tcprtt
bitesize      fileslower      nfsslower       rubystat     tcpstates
bpflist       filetop         nodegc          runqlat      tcpsubnet
btrfsdist     funccount       nodestat        runqlen      tcpsynbl
btrfsslower   funcinterval    offcputime      runqslower   tcptop
cachestat     funclatency     offwaketime     shmsnoop     tcptracer
cachetop      funcslower      old             slabratetop  threadsnoop
capable       gethostlatency  oomkill         sofdsnoop    tplist
cobjnew       hardirqs        opensnoop       softirqs     trace
compactsnoop  inject          perlcalls       solisten     ttysnoop
cpudist       javacalls       perlflow        sslsniff     vfscount
cpuunclaimed  javaflow        perlstat        stackcount   vfsstat
criticalstat  javagc          phpcalls        statsnoop    virtiostat
dbslower      javaobjnew      phpflow         swapin       wakeuptime
dbstat        javastat        phpstat         syncsnoop    xfsdist
dcsnoop       javathreads     pidpersec       syscount     xfsslower
dcstat        killsnoop       profile         tclcalls     zfsdist
deadlock      klockstat       pythoncalls     tclflow      zfsslower
deadlock.c    lib             pythonflow      tclobjnew
dirtop        llcstat         pythongc        tclstat