irthomasthomas / undecidability

bcc: BPF Compiler Collection using eBPF #730

Open irthomasthomas opened 8 months ago

irthomasthomas commented 8 months ago

bcc/README.md at master · iovisor/bcc

BPF Compiler Collection (BCC)

BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.

eBPF was described by Ingo Molnár as:

One of the more interesting features in this cycle is the ability to attach eBPF programs (user-defined, sandboxed bytecode executed by the kernel) to kprobes. This allows user-defined instrumentation on a live kernel image that can never crash, hang or interfere with the kernel negatively.

BCC makes BPF programs easier to write, with kernel instrumentation in C (and includes a C wrapper around LLVM), and front-ends in Python and Lua. It is suited for many tasks, including performance analysis and network traffic control.

This example traces a disk I/O kernel function, and populates an in-kernel power-of-2 histogram of the I/O size. For efficiency, only the histogram summary is returned to user-level.

# ./bitehist.py
Tracing... Hit Ctrl-C to end.
^C
     kbytes          : count     distribution
       0 -> 1        : 3        |                                      |
       2 -> 3        : 0        |                                      |
       4 -> 7        : 211      |**********                            |
       8 -> 15       : 0        |                                      |
      16 -> 31       : 0        |                                      |
      32 -> 63       : 0        |                                      |
      64 -> 127      : 1        |                                      |
     128 -> 255      : 800      |**************************************|

The above output shows a bimodal distribution, where the largest mode of 800 I/O was between 128 and 255 Kbytes in size.

See the source: bitehist.py. What this traces, what this stores, and how the data is presented, can be entirely customized. This shows only some of many possible capabilities.

Installing

See INSTALL.md for installation steps on your platform.

FAQ

See FAQ.txt for the most common troubleshooting questions.

Reference guide

See docs/reference_guide.md for the reference guide to the bcc and bcc/BPF APIs.

Contents

Some of these are single files that contain both C and Python, others have a pair of .c and .py files, and some are directories of files.

Tracing

Examples

Tools

Memory and Process Tools
Performance and Time Tools
CPU and Scheduler Tools

Suggested labels

{'label-name': 'BPF-Toolkit', 'label-description': 'Tools and examples for efficient kernel tracing and manipulation using extended BPF (Berkeley Packet Filters).', 'gh-repo': 'https://github.com/iovisor/bcc/blob/master/README.md?plain=1', 'confidence': 52.11}
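
The power-of-2 histogram described in the README excerpt above, modelled in user space as an added example (not code from bcc or from this issue). The bucketing rule, the 38-character bar width and the sample I/O sizes are assumptions chosen to reproduce the ranges and counts in the sample output; the real tool does this aggregation inside the kernel.

```python
# User-space model of a power-of-2 (log2) histogram; not bcc code.
from collections import Counter

BAR_WIDTH = 38  # assumption: bar width matching the sample output above


def slot(kbytes):
    """Bucket index: 0 and 1 share slot 1, then 2-3, 4-7, 8-15, ..."""
    if kbytes < 0:
        raise ValueError("size must be non-negative")
    return max(kbytes.bit_length(), 1)


def slot_range(index):
    """Inclusive (low, high) range of values that land in a slot."""
    low = 0 if index == 1 else 1 << (index - 1)
    return low, (1 << index) - 1


def aggregate(sizes_kb):
    """Per event, the only work done is one counter increment."""
    hist = Counter()
    for size in sizes_kb:
        hist[slot(size)] += 1
    return hist


def render(hist):
    """Format the summary in the layout of the sample output above."""
    if not hist:
        return []
    top, peak = max(hist), max(hist.values())
    lines = []
    for index in range(1, top + 1):
        low, high = slot_range(index)
        count = hist.get(index, 0)
        stars = "*" * (count * BAR_WIDTH // peak)
        lines.append(f"{low:>8} -> {high:<8} : {count:<8} |{stars:<{BAR_WIDTH}}|")
    return lines


# Constructed sample: I/O sizes in Kbytes chosen to match the counts above.
SAMPLE = [1] * 3 + [4] * 211 + [64] + [128] * 800

if __name__ == "__main__":
    print("\n".join(render(aggregate(SAMPLE))))
```

Only the handful of slot counters has to cross from the collector to the reader, which is why the summary stays small regardless of how many events were seen.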

irthomasthomas commented 8 months ago

Related content

690

Similarity score: 0.89

678

Similarity score: 0.86

134

Similarity score: 0.86

702

Similarity score: 0.86

625

Similarity score: 0.86

543

Similarity score: 0.85