eBPF and bcc

eBPF和bcc的介紹文件已經有不少了，多寫介紹實在是浪費資源
直接紀錄架構和該怎麼用，先有個概念，日後如果有需要的話再仔細研究

The artitecture of eBPF

一圖勝千文

What is bcc?

• 由於直接編寫eBPF難度很高，bcc提供了一個Python library，簡化eBPF的開發過程
• bcc也納入了很多可以直接拿來用的Application

以下是bcc Tracking Tools的示意圖

Write a bcc program

只是個Hello World的範例

#!/usr/bin/python3

from bcc import BPF
from bcc.utils import printb

# define BPF program
prog = """
int hello(void *ctx) {
    bpf_trace_printk("Hello, World!\\n");
    return 0;
}
"""

# load BPF program
b = BPF(text=prog)
b.attach_kprobe(event=b.get_syscall_fnname("clone"), fn_name="hello")

# header
print("%-18s %-16s %-6s %s" % ("TIME(s)", "COMM", "PID", "MESSAGE"))

# format output
while 1:
    try:
        (task, pid, cpu, flags, ts, msg) = b.trace_fields()
    except ValueError:
        continue
    except KeyboardInterrupt:
        exit()
    printb(b"%-18.9f %-16s %-6d %s" % (ts, task, pid, msg))

Reference

• ebpf.io
• BPF and XDP Reference Guide
• HOWTO interact with BPF subsystem
• eBPF 技术简介
• 学习Linux BPF/eBPF 编程
• Linux Extended BPF (eBPF) Tracing Tools
• bcc
• bcc Python Developer Tutorial
• bcc Reference Guide

書籍

• Linux Observability with BPF
• BPF Performance Tools
• Systems Performance: Enterprise and the Cloud, 2nd Edition