libbpf / bpftool

Automated upstream mirror for bpftool stand-alone build.

The proper usage of `bpftool prog attach` #126

Closed kawhicurry closed 9 months ago

kawhicurry commented 9 months ago

I attempted to load my kprobe eBPF program with `bpftool prog attach`. It prompts that attach_type is needed. I found that the following types are valid:

```c
static const bool attach_types[] = {
    [BPF_SK_SKB_STREAM_PARSER] = true,
    [BPF_SK_SKB_STREAM_VERDICT] = true,
    [BPF_SK_SKB_VERDICT] = true,
    [BPF_SK_MSG_VERDICT] = true,
    [BPF_FLOW_DISSECTOR] = true,
    [__MAX_BPF_ATTACH_TYPE] = false,
};
```

So what's the correct usage of `bpftool prog attach`? Does it support limited bpf_prog_type? There are few articles about the usage of it.

Thanks!

qmonnet commented 9 months ago

> So what's the correct usage of bpftool prog attach?

The syntax for the command is:

```
bpftool prog attach PROG ATTACH_TYPE [MAP]
```

Where ATTACH_TYPE is mandatory and designates the type of attachment that you expect - one of the types that you listed above.

See the manual page, if you haven't found it already.

> Does it support limited bpf_prog_type?

Yes, indeed. This command works for a very small number of program types - those that support the attach types listed above. In particular, it cannot attach programs to cgroups (there's `bpftool cgroup attach` instead), or to kprobes.

There is no dedicated command to attach kprobes. Historically, this was because it was not possible to keep the kprobe attached after bpftool exits. This has been solved with BPF links, but we still don't have this command in bpftool.

You mention that you want to load your kprobe program. This can be achieved with `bpftool prog load ...`. At the end of this step, your program will be loaded in the kernel, and pinned to the provided path in the bpffs, but it won't be attached, so it won't trigger and run on the function you had in mind. And bpftool does not support attaching it from there (although you could write a program that does it).

If you want to load and attach your kprobe program, there's one way to do it with bpftool: you need to tell bpftool to attach it straight after loading it. You can do it by passing the keyword `autoattach` at the end of your `bpftool prog load ...` command. Bpftool does not take the details of the attach point from the command line, so this also requires that your object file contains all the info required for attaching your program: in particular, the ELF section name must contain the name of the function to trace (`SEC("kprobe/function_name")`).

> There are few articles about the usage of it.

I know... Working on it! :slightly_smiling_face:
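
The load-and-attach step described in the answer above, as an added example that is not part of the original thread or of bpftool itself: a pre-flight check that every kprobe section in the object names its target function, followed by `bpftool prog load ... autoattach`. The function names, the use of `readelf` (binutils) to list sections, and the conservative name check are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: check kprobe section names, then load with autoattach.

# Print the function named in a kprobe/kretprobe section, or return 1 when
# the section name carries no attach target (e.g. a bare SEC("kprobe")).
kprobe_target() {
    case "$1" in
        kprobe/*|kretprobe/*) target=${1#*/} ;;
        *) return 1 ;;
    esac
    case "$target" in
        ''|*[!A-Za-z0-9_.]*) return 1 ;;   # conservative: plain symbol names only
    esac
    printf '%s\n' "$target"
}

# List kprobe/kretprobe section names of an ELF object (needs readelf).
kprobe_sections() {
    readelf -SW "$1" |
        sed -n 's/^ *\[ *[0-9]*\] \(k[a-z]*probe[^ ]*\) .*/\1/p'
}

# Read section names on stdin; succeed only if there is at least one and
# every one of them names a function to trace.
check_sections() {
    n=0 bad=0
    while read -r sec; do
        n=$((n + 1))
        if func=$(kprobe_target "$sec"); then
            echo "ok: $sec -> $func"
        else
            echo "no attach target in section name: $sec" >&2
            bad=1
        fi
    done
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# OBJ is the compiled BPF object, PIN a path under the bpffs (run as root).
load_autoattach() {
    kprobe_sections "$1" | check_sections || return 1
    bpftool prog load "$1" "$2" autoattach && bpftool link show
}

# Only act when called with OBJ and PIN arguments.
if [ "$#" -eq 2 ]; then load_autoattach "$1" "$2"; fi
```

Running the check first makes a missing function name visible before anything is loaded, instead of leaving a program that is pinned but never triggers.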

kawhicurry commented 9 months ago

Thanks!

The autoattach is exactly what I need. And other information is also helpful for a newbie like me.

We do need better documents! It's strange there are so many types of attach, especially that there is a `prog attach` but it cannot attach every program.

I can offer some examples for the documents in the future.