Open heidsoft opened 7 months ago
(base) heidsoft@dev01:/usr/sbin$ sudo bpftrace -e 'tracepoint:raw_syscalls:sys_enter {@[pid,comm]=count();}'
[sudo] password for heidsoft:
Attaching 1 probe...
^C
@[594, wpa_supplicant]: 2
@[917, ib_srv_mon]: 2
@[917, ib_dict_stats]: 2
@[3412, update-notifier]: 4
@[3004, ssh-agent]: 4
@[3232, gsd-xsettings]: 4
@[3224, evolution-alarm]: 4
@[3077, ibus-extension-]: 4
@[3174, gsd-color]: 4
@[3218, gsd-wacom]: 4
@[3178, gsd-keyboard]: 4
@[3079, ibus-x11]: 4
@[3181, gsd-media-keys]: 4
@[917, ib_fts_opt]: 6
@[3187, gsd-power]: 6
@[3414, gnome-software]: 6
bpftrace
是一种强大的跟踪和分析工具,用于理解和调试 Linux 内核和应用程序的性能问题。它使用 eBPF(Extended Berkeley Packet Filter)技术,eBPF 是 Linux 内核中的一个新型功能,可以在内核空间运行用户定义的沙箱程序。
bpftrace -e 'tracepoint:syscalls:sys_enter_* {@[probe]=count();}'
命令的含义如下:
-e
:指定要执行的 bpftrace 脚本。
tracepoint:syscalls:sys_enter_*
:这里定义了一个 tracepoint(跟踪点)探针,末尾的通配符 * 会匹配 syscalls 类别下所有名称以 sys_enter_
开头的跟踪点,也就是每个系统调用的入口点。
@[probe]=count();
:这是一个 map(映射)表达式,它将为每个触发的探针计数。probe
是一个内置变量,代表当前触发的探针名称。count()
是一个函数,用于计算触发的次数。
总的来说,这个命令的作用是追踪并统计所有系统调用的入口,并在 bpftrace 退出(例如按 Ctrl-C)时输出每个系统调用入口被触发的次数。这对于理解系统的行为和性能调优非常有用。需要注意,通配符会一次挂载大量探针,运行期间会带来额外开销,并且运行 bpftrace 需要 root 权限(如上文示例中的 sudo)。
(base) heidsoft@dev01:/usr/sbin$ sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat {printf("%s -> %s\n",comm,str(args->filename));}'
Attaching 1 probe...
vmtoolsd -> /proc/meminfo
vmtoolsd -> /proc/vmstat
vmtoolsd -> /proc/stat
vmtoolsd -> /proc/zoneinfo
vmtoolsd -> /proc/uptime
vmtoolsd -> /proc/diskstats
vmtoolsd -> /etc/mtab
vmtoolsd -> /proc/devices
vmtoolsd -> /sys/class/block/sda1/../device/../../../class
vmtoolsd -> /sys/class/block/sda1/../device/../../../label
vmtoolsd -> /run/systemd/resolve/resolv.conf
vmtoolsd -> /proc/net/route
vmtoolsd -> /proc/net/ipv6_route
vmtoolsd -> /proc/uptime
irqbalance -> /proc/interrupts
irqbalance -> /proc/stat
irqbalance -> /proc/irq/16/smp_affinity
irqbalance -> /proc/irq/16/smp_affinity
irqbalance -> /proc/irq/57/smp_affinity
irqbalance -> /proc/irq/57/smp_affinity
irqbalance -> /proc/irq/19/smp_affinity
irqbalance -> /proc/irq/19/smp_affinity
(base) heidsoft@dev01:/usr/sbin$ sudo bpftrace --unsafe -e 't:syscalls:sys_enter_nanosleep { system("ps -p %d\n", pid); }'
Attaching 1 probe...
PID TTY TIME CMD
685 ? 00:00:15 containerd
PID TTY TIME CMD
685 ? 00:00:15 containerd
PID TTY TIME CMD
685 ? 00:00:15 containerd
PID TTY TIME CMD
685 ? 00:00:15 containerd
PID TTY TIME CMD
685 ? 00:00:15 containerd
PID TTY TIME CMD
685 ? 00:00:15 containerd
root@dev01:~# bpftrace -d -e 'k:vfs_read {@[pid]=count();}'
Program
kprobe:vfs_read
=
map: @
builtin: pid
call: count
; LLVM IR that bpftrace generated for the one-liner 'k:vfs_read {@[pid]=count();}'.
; The module targets the BPF backend (see the target triple below) and holds a
; single probe function that increments a per-pid counter in map "@".
; ModuleID = 'bpftrace'
source_filename = "bpftrace"
target datalayout = "e-m:e-p:64:64-i64:64-n32:64-S128"
target triple = "bpf-pc-linux"
; Function Attrs: nounwind
; Intrinsic used below as llvm.bpf.pseudo(1, 1) to obtain the map operand for
; the lookup/update helper calls.
; NOTE(review): the first argument 1 looks like BPF_PSEUDO_MAP_FD and the second
; the map's fd/id - confirm against the bpftrace version that produced this dump.
declare i64 @llvm.bpf.pseudo(i64, i64) #0
; Function Attrs: argmemonly nounwind
declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture) #1
; Probe body attached to kprobe:vfs_read. Its only argument is marked readnone,
; so the probe context is never dereferenced; the function always returns 0.
define i64 @"kprobe:vfs_read"(i8* nocapture readnone) local_unnamed_addr section "s_kprobe:vfs_read_1" {
entry:
; Stack slots for the map value (one i64 counter) and the 8-byte map key.
%"@_val" = alloca i64, align 8
%"@_key" = alloca [8 x i8], align 8
; BPF helpers are called by number through inttoptr; helper 14 is
; bpf_get_current_pid_tgid, which returns tgid in the upper 32 bits and the
; thread id in the lower 32 bits.
%get_pid_tgid = tail call i64 inttoptr (i64 14 to i64 ()*)()
; Keep only the upper half: this is what the bpftrace builtin `pid` exposes.
%1 = lshr i64 %get_pid_tgid, 32
%2 = getelementptr inbounds [8 x i8], [8 x i8]* %"@_key", i64 0, i64 0
call void @llvm.lifetime.start.p0i8(i64 -1, i8* nonnull %2)
; The shifted pid becomes the map key.
store i64 %1, [8 x i8]* %"@_key", align 8
%pseudo = tail call i64 @llvm.bpf.pseudo(i64 1, i64 1)
; Helper 1 is bpf_map_lookup_elem: returns a pointer to the current value for
; this key, or null when the key is not in the map yet.
%lookup_elem = call i8* inttoptr (i64 1 to i8* (i64, [8 x i8]*)*)(i64 %pseudo, [8 x i8]* nonnull %"@_key")
; The null check must precede the load in lookup_success; on null the branch
; goes straight to lookup_merge.
%map_lookup_cond = icmp eq i8* %lookup_elem, null
br i1 %map_lookup_cond, label %lookup_merge, label %lookup_success
lookup_success: ; preds = %entry
; Key already present: load the stored count and add one.
%cast = bitcast i8* %lookup_elem to i64*
%3 = load i64, i64* %cast, align 8
%phitmp = add i64 %3, 1
br label %lookup_merge
lookup_merge: ; preds = %entry, %lookup_success
; New count: previous value + 1 when the key existed, otherwise 1 for the
; first hit from this pid.
%lookup_elem_val.0 = phi i64 [ %phitmp, %lookup_success ], [ 1, %entry ]
%4 = bitcast i64* %"@_val" to i8*
call void @llvm.lifetime.start.p0i8(i64 -1, i8* nonnull %4)
store i64 %lookup_elem_val.0, i64* %"@_val", align 8
%pseudo1 = call i64 @llvm.bpf.pseudo(i64 1, i64 1)
; Helper 2 is bpf_map_update_elem; the trailing flags argument 0 is BPF_ANY
; (create the entry or overwrite an existing one). The return value is unused.
%update_elem = call i64 inttoptr (i64 2 to i64 (i64, [8 x i8]*, i64*, i64)*)(i64 %pseudo1, [8 x i8]* nonnull %"@_key", i64* nonnull %"@_val", i64 0)
call void @llvm.lifetime.end.p0i8(i64 -1, i8* nonnull %2)
call void @llvm.lifetime.end.p0i8(i64 -1, i8* nonnull %4)
ret i64 0
}
; Function Attrs: argmemonly nounwind
declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture) #1
; Attribute groups referenced by the declarations above (#0 and #1).
attributes #0 = { nounwind }
attributes #1 = { argmemonly nounwind }
https://github.com/brendangregg/FlameGraph