iovisor / bcc

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Apache License 2.0

can we use iovisor tools for virtual machine introspection... #485

Open TahirAhmed916 opened 8 years ago

TahirAhmed916 commented 8 years ago

Hi, I am working on IOVISOR. I have implemented IOVISOR tools and got the output. But my purpose is different. I am working on libvmi. I have a machine on the KVM hypervisor running on my Ubuntu machine. Is it possible to get information about the machine running on KVM from my Ubuntu machine where I have IOVISOR? Kindly guide me in this sense. Thanks

brendangregg commented 8 years ago

This question isn't very clear: are you trying to observe a guest from the host? Host from the guest? Host kernel resource events (incl. block I/O) triggered by the guest? ... What information are you trying to see?

TahirAhmed916 commented 8 years ago

I am trying to observe the guest from the host machine.

brendangregg commented 8 years ago

Ok, guest %CPU usage for the entire guest? Use top. If you mean something else, you're going to have to be more specific.

TahirAhmed916 commented 8 years ago

Can I use the HTTP filter to monitor guest OS HTTP traffic? I tried to check TCP connections on the guest OS from the host but no output was found. And can I get info about processes running on the guest OS or not?

brendangregg commented 8 years ago

Guest HTTP traffic, at least 4 options:

  1. Does the hypervisor handle the packets, or is it pass-through to the device? If it's the former, then I imagine one could use kprobes on the network device driver on the host, and parse packets in BPF (there was an example of such a parser in /examples).
  2. Guest kernel tracing: you'll need a symbol dump of the guest kernel, and then could try uprobes of the KVM process. There's been lots of discussions about doing this, I don't know offhand if anyone has a working solution yet, but it's believed to be possible.
  3. Guest user space tracing of the HTTP code: probably similar to (2), provided you can get a symbol dump, then uprobe that address.
  4. SSH onto the guest and trace it there. Yes, it's cheating, but worth having on this list.

Processes running on the guest OS:

Is any of this possible? Probably. Are there canned tools or examples? Not yet.
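The header walk behind option 1, as an added example that is not part of the original thread or the bcc repository: a packet parser on the host has to step over the Ethernet, IPv4 and TCP headers before it can match an HTTP request. This is plain userspace Python over a constructed frame (the addresses, ports and the `build_frame` helper are assumptions), so it runs without BPF or a guest.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")

def http_request_line(frame: bytes):
    """Return (src, dst, request_line) if the frame is IPv4/TCP carrying the
    start of an HTTP request, else None. Bounds are checked before each read."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if ethertype == 0x8100 and len(frame) >= 18:   # one 802.1Q VLAN tag
        ethertype = struct.unpack_from("!H", frame, 16)[0]
        off = 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4                  # IPv4 header length is variable
    if frame[off] >> 4 != 4 or ihl < 20 or frame[off + 9] != 6:   # protocol 6 = TCP
        return None
    total_len, _ident, frag = struct.unpack_from("!HHH", frame, off + 2)
    if frag & 0x1FFF:                              # later fragments carry no TCP header
        return None
    src = ".".join(map(str, frame[off + 12:off + 16]))
    dst = ".".join(map(str, frame[off + 16:off + 20]))
    tcp = off + ihl
    if len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4              # TCP data offset is variable too
    if doff < 20:
        return None
    payload = frame[tcp + doff:off + total_len]    # total_len trims Ethernet padding
    if not payload.startswith(HTTP_METHODS):
        return None
    line = payload.split(b"\r\n", 1)[0].decode("latin-1")
    return (f"{src}:{sport}", f"{dst}:{dport}", line)

def build_frame(payload: bytes, sport=40000, dport=80) -> bytes:
    """Constructed sample input: zeroed MACs and checksums, documentation-range IPs."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload
```

Only a segment that begins with a request line is matched, so requests split across segments and TLS-wrapped traffic return `None`.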

krkini16 commented 7 years ago

As a follow-up to this question, I am having issues making BCC play nicely with network namespaces (that is, a virtual copy of the network stack within my machine running Ubuntu 14.04).

Is this expected behavior? I am investigating now, but insights are appreciated.

williamtu commented 7 years ago

Hi, I wonder if anyone has tried (2) mentioned above: "Guest kernel tracing: you'll need a symbol dump of the guest kernel, and then could try uprobes of the KVM process. There's been lots of discussions about doing this, I don't know offhand if anyone has a working solution yet, but it's believed to be possible."

On the host, I want to use 'trace' to trace a packet TX's sk_buff from the VM to the virtual switch in the host and eventually to the driver. I think it's a pretty cool feature and could replace the existing VMI tools. Thanks. --William