Brendan Gregg, profile picture
Uploaded byBrendan Gregg
PDF, PPTX8,526 views

eBPF Perf Tools 2019

The document describes a biolatency tool that traces block device I/O latency using eBPF. It discusses how the tool was originally written in the bcc framework using C/BPF, but has since been rewritten in the bpftrace framework using a simpler one-liner script. It provides examples of the bcc and bpftrace implementations of biolatency.

Embed presentation

Download as PDF, PPTX
# biolatency.bt Attaching 3 probes... Tracing block device I/O... Hit Ctrl-C to end. ^C @usecs: [256, 512) 2 | | [512, 1K) 10 |@ | [1K, 2K) 426 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@| [2K, 4K) 230 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | [4K, 8K) 9 |@ | [8K, 16K) 128 |@@@@@@@@@@@@@@@ | [16K, 32K) 68 |@@@@@@@@ | [32K, 64K) 0 | | [64K, 128K) 0 | | [128K, 256K) 10 |@ | eBPF Perf Tools 2019 Brendan Gregg SCaLE Mar 2019
LIVE DEMO eBPF Minecraft Analysis
Enhanced BPF Kernel kprobeskprobes uprobesuprobes tracepointstracepoints socketssockets SDN ConfigurationSDN Configuration User-Defined BPF Programs … Event TargetsRuntime also known as just "BPF" Linux 4.* perf_eventsperf_events BPF actions BPF actions BPFBPF verifierverifier DDoS MitigationDDoS Mitigation Intrusion DetectionIntrusion Detection Container SecurityContainer Security ObservabilityObservability Firewalls (bpfilter)Firewalls (bpfilter) Device DriversDevice Drivers
eBPF bcc Linux 4.4+ https://github.com/iovisor/bcc
eBPF bpftrace (aka BPFtrace) Linux 4.9+ https://github.com/iovisor/bpftrace # Files opened by process bpftrace -e 't:syscalls:sys_enter_open { printf("%s %sn", comm, str(args->filename)) }' # Read size distribution by process bpftrace -e 't:syscalls:sys_exit_read { @[comm] = hist(args->ret) }' # Count VFS calls bpftrace -e 'kprobe:vfs_* { @[func]++ }' # Show vfs_read latency as a histogram bpftrace -e 'k:vfs_read { @[tid] = nsecs } kr:vfs_read /@[tid]/ { @ns = hist(nsecs - @[tid]); delete(@tid) }’ # Trace user-level function Bpftrace -e 'uretprobe:bash:readline { printf(“%sn”, str(retval)) }’ …
eBPF is solving new things: off-CPU + wakeup analysis
Raw BPF samples/bpf/sock_example.c 87 lines truncated
C/BPF samples/bpf/tracex1_kern.c 58 lines truncated
bcc/BPF (C & Python) bcc examples/tracing/bitehist.py entire program
bpftrace https://github.com/iovisor/bpftrace entire program bpftrace -e 'kr:vfs_read { @ = hist(retval); }'
The Tracing Landscape, Mar 2019 Scope & Capability Easeofuse sysdig perf ftrace C/BPF stap Stage of Development (my opinion) (brutal)(lessbrutal) (alpha) (mature) bcc/BPF ply/BPF Raw BPF LTTng (hist triggers) recent changes (many) bpftrace (eBPF) (0.9)
e.g., identify multimodal disk I/O latency and outliers with bcc/eBPF biolatency # biolatency -mT 10 Tracing block device I/O... Hit Ctrl-C to end. 19:19:04 msecs : count distribution 0 -> 1 : 238 |********* | 2 -> 3 : 424 |***************** | 4 -> 7 : 834 |********************************* | 8 -> 15 : 506 |******************** | 16 -> 31 : 986 |****************************************| 32 -> 63 : 97 |*** | 64 -> 127 : 7 | | 128 -> 255 : 27 |* | 19:19:14 msecs : count distribution 0 -> 1 : 427 |******************* | 2 -> 3 : 424 |****************** | […]
bcc/eBPF programs can be laborious: biolatency # define BPF program bpf_text = """ #include <uapi/linux/ptrace.h> #include <linux/blkdev.h> typedef struct disk_key { char disk[DISK_NAME_LEN]; u64 slot; } disk_key_t; BPF_HASH(start, struct request *); STORAGE // time block I/O int trace_req_start(struct pt_regs *ctx, struct request *req) { u64 ts = bpf_ktime_get_ns(); start.update(&req, &ts); return 0; } // output int trace_req_completion(struct pt_regs *ctx, struct request *req) { u64 *tsp, delta; // fetch timestamp and calculate delta tsp = start.lookup(&req); if (tsp == 0) { return 0; // missed issue } delta = bpf_ktime_get_ns() - *tsp; FACTOR // store as histogram STORE start.delete(&req); return 0; } """ # code substitutions if args.milliseconds: bpf_text = bpf_text.replace('FACTOR', 'delta /= 1000000;') label = "msecs" else: bpf_text = bpf_text.replace('FACTOR', 'delta /= 1000;') label = "usecs" if args.disks: bpf_text = bpf_text.replace('STORAGE', 'BPF_HISTOGRAM(dist, disk_key_t);') bpf_text = bpf_text.replace('STORE', 'disk_key_t key = {.slot = bpf_log2l(delta)}; ' + 'void *__tmp = (void *)req->rq_disk->disk_name; ' + 'bpf_probe_read(&key.disk, sizeof(key.disk), __tmp); ' + 'dist.increment(key);') else: bpf_text = bpf_text.replace('STORAGE', 'BPF_HISTOGRAM(dist);') bpf_text = bpf_text.replace('STORE', 'dist.increment(bpf_log2l(delta));') if debug or args.ebpf: print(bpf_text) if args.ebpf: exit() # load BPF program b = BPF(text=bpf_text) if args.queued: b.attach_kprobe(event="blk_account_io_start", fn_name="trace_req_start") else: b.attach_kprobe(event="blk_start_request", fn_name="trace_req_start") b.attach_kprobe(event="blk_mq_start_request", fn_name="trace_req_start") b.attach_kprobe(event="blk_account_io_completion", fn_name="trace_req_completion") print("Tracing block device I/O... Hit Ctrl-C to end.") # output exiting = 0 if args.interval else 1 dist = b.get_table("dist") while (1): try: sleep(int(args.interval)) except KeyboardInterrupt: exiting = 1 print() if args.timestamp: print("%-8sn" % strftime("%H:%M:%S"), end="") dist.print_log2_hist(label, "disk") dist.clear() countdown -= 1 if exiting or countdown == 0: exit()
… rewritten in bpftrace (launched Oct 2018)! #!/usr/local/bin/bpftrace BEGIN { printf("Tracing block device I/O... Hit Ctrl-C to end.n"); } kprobe:blk_account_io_start { @start[arg0] = nsecs; } kprobe:blk_account_io_completion /@start[arg0]/ { @usecs = hist((nsecs - @start[arg0]) / 1000); delete(@start[arg0]); }
… rewritten in bpftrace # biolatency.bt Attaching 3 probes... Tracing block device I/O... Hit Ctrl-C to end. ^C @usecs: [256, 512) 2 | | [512, 1K) 10 |@ | [1K, 2K) 426 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@| [2K, 4K) 230 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | [4K, 8K) 9 |@ | [8K, 16K) 128 |@@@@@@@@@@@@@@@ | [16K, 32K) 68 |@@@@@@@@ | [32K, 64K) 0 | | [64K, 128K) 0 | | [128K, 256K) 10 |@ |
bcc canned complex tools, agents bpftrace one-liners, custom scripts
bcc
eBPF bcc Linux 4.4+ https://github.com/iovisor/bcc
bpftrace
eBPF bpftrace Linux 4.9+ https://github.com/iovisor/bcc
Major Features (v1) Known Bug Fixes Packaging API Stability Stable Docs Oct 2018 v0.90 Mar?2019 v1.0 ?2019Dec 2016 More Bug Fixes v0.80 Jan-2019 Minor Features (v1) ... bpftrace Development
bpftrace Syntax bpftrace -e ‘k:do_nanosleep /pid > 100/ { @[comm]++ }’ Probe Filter (optional) Action
Probes
Probe Type Shortcuts tracepoint t Kernel static tracepoints usdt U User-level statically defined tracing kprobe k Kernel function tracing kretprobe kr Kernel function returns uprobe u User-level function tracing uretprobe ur User-level function returns profile p Timed sampling across all CPUs interval i Interval output software s Kernel software events hardware h Processor hardware events
Filters ● /pid == 181/ ● /comm != “sshd”/ ● /@ts[tid]/
Actions ● Per-event output – printf() – system() – join() – time() ● Map Summaries – @ = count() or @++ – @ = hist() – … The following is in the https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md
Functions ● hist(n) Log2 histogram ● lhist(n, min, max, step) Linear hist. ● count() Count events ● sum(n) Sum value ● min(n) Minimum value ● max(n) Maximum value ● avg(n) Average value ● stats(n) Statistics ● str(s) String ● sym(p) Resolve kernel addr ● usym(p) Resolve user addr ● kaddr(n) Resolve kernel symbol ● uaddr(n) Resolve user symbol ● printf(fmt, ...) Print formatted ● print(@x[, top[, div]]) Print map ● delete(@x) Delete map element ● clear(@x) Delete all keys/values ● reg(n) Register lookup ● join(a) Join string array ● time(fmt) Print formatted time ● system(fmt) Run shell command ● exit() Quit bpftrace
Variable Types ● Basic Variables – @global – @thread_local[tid] – $scratch ● Associative Arrays – @array[key] = value ● Buitins – pid – ...
Builtin Variables ● pid Process ID (kernel tgid) ● tid Thread ID (kernel pid) ● cgroup Current Cgroup ID ● uid User ID ● gid Group ID ● nsecs Nanosecond timestamp ● cpu Processor ID ● comm Process name ● stack Kernel stack trace ● ustack User stack trace ● arg0, arg1, ... Function arguments ● retval Return value ● func Function name ● probe Full name of the probe ● curtask Current task_struct (u64) ● rand Random number (u32)
biolatency (again) #!/usr/local/bin/bpftrace BEGIN { printf("Tracing block device I/O... Hit Ctrl-C to end.n"); } kprobe:blk_account_io_start { @start[arg0] = nsecs; } kprobe:blk_account_io_completion /@start[arg0]/ { @usecs = hist((nsecs - @start[arg0]) / 1000); delete(@start[arg0]); }
bpftrace Internals
Issues ● All major capabilities exist ● Many minor things ● https://github.com/iovisor/bpftrace/issues
Other Tools
Netlfix Vector: BPF heat maps https://medium.com/netflix-techblog/extending-vector-with-ebpf-to-inspect-host-and-container-performance- 5da3af4c584b
Anticipated Worldwide Audience ● BPF Tool Developers: – Raw BPF: <20 – C (or C++) BPF: ~20 – bcc: >200 – bpftrace: >5,000 ● BPF Tool Users: – CLI tools (of any type): >20,000 – GUIs (fronting any type): >200,000
Other Tools ● kubectl-trace ● sysdig eBPF support
Take Aways Easily explore systems with bcc/bpftrace Contribute: see bcc/bpftrace issue list Share: posts, talks
URLs - https://github.com/iovisor/bcc - https://github.com/iovisor/bcc/blob/master/docs/tutorial.md - https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md - https://github.com/iovisor/bpftrace - https://github.com/iovisor/bpftrace/blob/master/docs/tutorial_one_liners.md - https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md
Thanks ● bpftrace – Alastair Robertson (creator) – Netflix: myself so for – Sthima: Matheus Marchini, Willian Gaspar – Facebook: Jon Haslam, Dan Xu – Augusto Mecking Caringi, Dale Hamel, ... ● eBPF/bcc – Facebook: Alexei Starovoitov, Teng Qin, Yonghong Song, Martin Lau, Mark Drayton, … – Netlfix: myself – VMware: Brenden Blanco – Sasha Goldsthein, Paul Chaignon, ...

More Related Content

PDF
Introduction to eBPF and XDP
bylcplcp1
 
PDF
LinuxCon 2015 Linux Kernel Networking Walkthrough
byThomas Graf
 
PDF
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
PDF
Building Network Functions with eBPF & BCC
byKernel TLV
 
PPTX
Understanding eBPF in a Hurry!
byRay Jenkins
 
PDF
UM2019 Extended BPF: A New Type of Software
byBrendan Gregg
 
PDF
Meet cute-between-ebpf-and-tracing
byViller Hsiao
 
PPTX
eBPF Basics
byMichael Kehoe
 
Introduction to eBPF and XDP
bylcplcp1
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
byThomas Graf
 
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
Building Network Functions with eBPF & BCC
byKernel TLV
 
Understanding eBPF in a Hurry!
byRay Jenkins
 
UM2019 Extended BPF: A New Type of Software
byBrendan Gregg
 
Meet cute-between-ebpf-and-tracing
byViller Hsiao
 
eBPF Basics
byMichael Kehoe
 

What's hot

PDF
Linux Networking Explained
byThomas Graf
 
PDF
BPF Internals (eBPF)
byBrendan Gregg
 
PDF
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
byAdrian Huang
 
ODP
eBPF maps 101
bySUSE Labs Taipei
 
PDF
Introduction to eBPF
byRogerColl2
 
PDF
Linux 4.x Tracing: Performance Analysis with bcc/BPF
byBrendan Gregg
 
PDF
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
PDF
BPF: Tracing and more
byBrendan Gregg
 
PDF
BPF - in-kernel virtual machine
byAlexei Starovoitov
 
PPTX
Linux Network Stack
byAdrien Mahieux
 
PDF
Faster packet processing in Linux: XDP
byDaniel T. Lee
 
PDF
Performance Wins with eBPF: Getting Started (2021)
byBrendan Gregg
 
PDF
Page cache in Linux kernel
byAdrian Huang
 
PPTX
The TCP/IP Stack in the Linux Kernel
byDivye Kapoor
 
PDF
Fun with Network Interfaces
byKernel TLV
 
PDF
Linux kernel tracing
byViller Hsiao
 
ODP
Dpdk performance
byStephen Hemminger
 
PDF
Security Monitoring with eBPF
byAlex Maestretti
 
PDF
[232] 성능어디까지쥐어짜봤니 송태웅
byNAVER D2
 
PDF
Container Performance Analysis
byBrendan Gregg
 
Linux Networking Explained
byThomas Graf
 
BPF Internals (eBPF)
byBrendan Gregg
 
Vmlinux: anatomy of bzimage and how x86 64 processor is booted
byAdrian Huang
 
eBPF maps 101
bySUSE Labs Taipei
 
Introduction to eBPF
byRogerColl2
 
Linux 4.x Tracing: Performance Analysis with bcc/BPF
byBrendan Gregg
 
eBPF - Rethinking the Linux Kernel
byThomas Graf
 
BPF: Tracing and more
byBrendan Gregg
 
BPF - in-kernel virtual machine
byAlexei Starovoitov
 
Linux Network Stack
byAdrien Mahieux
 
Faster packet processing in Linux: XDP
byDaniel T. Lee
 
Performance Wins with eBPF: Getting Started (2021)
byBrendan Gregg
 
Page cache in Linux kernel
byAdrian Huang
 
The TCP/IP Stack in the Linux Kernel
byDivye Kapoor
 
Fun with Network Interfaces
byKernel TLV
 
Linux kernel tracing
byViller Hsiao
 
Dpdk performance
byStephen Hemminger
 
Security Monitoring with eBPF
byAlex Maestretti
 
[232] 성능어디까지쥐어짜봤니 송태웅
byNAVER D2
 
Container Performance Analysis
byBrendan Gregg
 

Similar to eBPF Perf Tools 2019

PDF
BPF Tools 2017
byBrendan Gregg
 
PDF
bcc/BPF tools - Strategy, current tools, future challenges
byIO Visor Project
 
PDF
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
PDF
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
byBrendan Gregg
 
PDF
Systems@Scale 2021 BPF Performance Getting Started
byBrendan Gregg
 
PDF
Using eBPF Off-CPU Sampling to See What Your DBs are Really Waiting For by Ta...
byScyllaDB
 
PDF
Linux 4.x Tracing Tools: Using BPF Superpowers
byBrendan Gregg
 
PDF
ATO Linux Performance 2018
byBrendan Gregg
 
PDF
Linux BPF Superpowers
byBrendan Gregg
 
PDF
Performance Wins with BPF: Getting Started
byBrendan Gregg
 
PDF
Kernel Recipes 2019 - BPF at Facebook
byAnne Nicolas
 
PDF
LSFMM 2019 BPF Observability
byBrendan Gregg
 
PDF
Kernel bug hunting
byAndrea Righi
 
PDF
Velocity 2017 Performance analysis superpowers with Linux eBPF
byBrendan Gregg
 
PDF
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
byBrendan Gregg
 
PDF
eBPF in the view of a storage developer
byRichárd Kovács
 
PDF
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
byValeriy Kravchuk
 
PDF
Andrea Righi - Spying on the Linux kernel for fun and profit
bylinuxlab_conf
 
PDF
Spying on the Linux kernel for fun and profit
byAndrea Righi
 
PPTX
Always-on Profiling of All Linux Threads, On-CPU and Off-CPU, with eBPF & Con...
byScyllaDB
 
BPF Tools 2017
byBrendan Gregg
 
bcc/BPF tools - Strategy, current tools, future challenges
byIO Visor Project
 
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
byBrendan Gregg
 
Systems@Scale 2021 BPF Performance Getting Started
byBrendan Gregg
 
Using eBPF Off-CPU Sampling to See What Your DBs are Really Waiting For by Ta...
byScyllaDB
 
Linux 4.x Tracing Tools: Using BPF Superpowers
byBrendan Gregg
 
ATO Linux Performance 2018
byBrendan Gregg
 
Linux BPF Superpowers
byBrendan Gregg
 
Performance Wins with BPF: Getting Started
byBrendan Gregg
 
Kernel Recipes 2019 - BPF at Facebook
byAnne Nicolas
 
LSFMM 2019 BPF Observability
byBrendan Gregg
 
Kernel bug hunting
byAndrea Righi
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
byBrendan Gregg
 
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
byBrendan Gregg
 
eBPF in the view of a storage developer
byRichárd Kovács
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
byValeriy Kravchuk
 
Andrea Righi - Spying on the Linux kernel for fun and profit
bylinuxlab_conf
 
Spying on the Linux kernel for fun and profit
byAndrea Righi
 
Always-on Profiling of All Linux Threads, On-CPU and Off-CPU, with eBPF & Con...
byScyllaDB
 

More from Brendan Gregg

PDF
YOW2021 Computing Performance
byBrendan Gregg
 
PDF
IntelON 2021 Processor Benchmarking
byBrendan Gregg
 
PDF
Computing Performance: On the Horizon (2021)
byBrendan Gregg
 
PDF
YOW2020 Linux Systems Performance
byBrendan Gregg
 
PDF
re:Invent 2019 BPF Performance Analysis at Netflix
byBrendan Gregg
 
PDF
LISA2019 Linux Systems Performance
byBrendan Gregg
 
PDF
LPC2019 BPF Tracing Tools
byBrendan Gregg
 
PDF
YOW2018 CTO Summit: Working at netflix
byBrendan Gregg
 
PDF
YOW2018 Cloud Performance Root Cause Analysis at Netflix
byBrendan Gregg
 
PDF
NetConf 2018 BPF Observability
byBrendan Gregg
 
PDF
FlameScope 2018
byBrendan Gregg
 
PDF
Linux Performance 2018 (PerconaLive keynote)
byBrendan Gregg
 
PDF
How Netflix Tunes EC2 Instances for Performance
byBrendan Gregg
 
PDF
LISA17 Container Performance Analysis
byBrendan Gregg
 
PDF
Kernel Recipes 2017: Using Linux perf at Netflix
byBrendan Gregg
 
PDF
Kernel Recipes 2017: Performance Analysis with BPF
byBrendan Gregg
 
PDF
EuroBSDcon 2017 System Performance Analysis Methodologies
byBrendan Gregg
 
PDF
USENIX ATC 2017: Visualizing Performance with Flame Graphs
byBrendan Gregg
 
YOW2021 Computing Performance
byBrendan Gregg
 
IntelON 2021 Processor Benchmarking
byBrendan Gregg
 
Computing Performance: On the Horizon (2021)
byBrendan Gregg
 
YOW2020 Linux Systems Performance
byBrendan Gregg
 
re:Invent 2019 BPF Performance Analysis at Netflix
byBrendan Gregg
 
LISA2019 Linux Systems Performance
byBrendan Gregg
 
LPC2019 BPF Tracing Tools
byBrendan Gregg
 
YOW2018 CTO Summit: Working at netflix
byBrendan Gregg
 
YOW2018 Cloud Performance Root Cause Analysis at Netflix
byBrendan Gregg
 
NetConf 2018 BPF Observability
byBrendan Gregg
 
FlameScope 2018
byBrendan Gregg
 
Linux Performance 2018 (PerconaLive keynote)
byBrendan Gregg
 
How Netflix Tunes EC2 Instances for Performance
byBrendan Gregg
 
LISA17 Container Performance Analysis
byBrendan Gregg
 
Kernel Recipes 2017: Using Linux perf at Netflix
byBrendan Gregg
 
Kernel Recipes 2017: Performance Analysis with BPF
byBrendan Gregg
 
EuroBSDcon 2017 System Performance Analysis Methodologies
byBrendan Gregg
 
USENIX ATC 2017: Visualizing Performance with Flame Graphs
byBrendan Gregg
 

Recently uploaded

PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
PDF
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
PPTX
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PPTX
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PPTX
cybercrime in Information security .pptx
byismaeelsahib032
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PPTX
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PDF
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Chapter 3 Introduction to number system.pptx
byGetachewAbera9
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
AI's Impact on Cybersecurity - Challenges and Opportunities
byYasir Naveed Riaz
 
GPUS and How to Program Them by Manya Bansal
byScyllaDB
 
Data Privacy and Protection: Safeguarding Information in a Connected World
byYasir Naveed Riaz
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
Unit-4-ARTIFICIAL NEURAL NETWORKS.pptx ANN ppt Artificial neural network
byssuserd4481a
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
cybercrime in Information security .pptx
byismaeelsahib032
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Conversational Agents – Building Intelligent Assistants [Virtual Hands-on Wor...
byUiPathCommunity
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Day 2 - Network Security ~ 2nd Sight Lab ~ Cloud Security Class ~ 2020
by2nd Sight Lab
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 

eBPF Perf Tools 2019

  • 1.
    # biolatency.bt Attaching 3probes... Tracing block device I/O... Hit Ctrl-C to end. ^C @usecs: [256, 512) 2 | | [512, 1K) 10 |@ | [1K, 2K) 426 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@| [2K, 4K) 230 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | [4K, 8K) 9 |@ | [8K, 16K) 128 |@@@@@@@@@@@@@@@ | [16K, 32K) 68 |@@@@@@@@ | [32K, 64K) 0 | | [64K, 128K) 0 | | [128K, 256K) 10 |@ | eBPF Perf Tools 2019 Brendan Gregg SCaLE Mar 2019
  • 2.
  • 3.
    Enhanced BPF Kernel kprobeskprobes uprobesuprobes tracepointstracepoints socketssockets SDN ConfigurationSDNConfiguration User-Defined BPF Programs … Event TargetsRuntime also known as just "BPF" Linux 4.* perf_eventsperf_events BPF actions BPF actions BPFBPF verifierverifier DDoS MitigationDDoS Mitigation Intrusion DetectionIntrusion Detection Container SecurityContainer Security ObservabilityObservability Firewalls (bpfilter)Firewalls (bpfilter) Device DriversDevice Drivers
  • 4.
    eBPF bcc Linux4.4+ https://github.com/iovisor/bcc
  • 5.
    eBPF bpftrace (akaBPFtrace) Linux 4.9+ https://github.com/iovisor/bpftrace # Files opened by process bpftrace -e 't:syscalls:sys_enter_open { printf("%s %sn", comm, str(args->filename)) }' # Read size distribution by process bpftrace -e 't:syscalls:sys_exit_read { @[comm] = hist(args->ret) }' # Count VFS calls bpftrace -e 'kprobe:vfs_* { @[func]++ }' # Show vfs_read latency as a histogram bpftrace -e 'k:vfs_read { @[tid] = nsecs } kr:vfs_read /@[tid]/ { @ns = hist(nsecs - @[tid]); delete(@tid) }’ # Trace user-level function Bpftrace -e 'uretprobe:bash:readline { printf(“%sn”, str(retval)) }’ …
  • 6.
    eBPF is solvingnew things: off-CPU + wakeup analysis
  • 7.
  • 8.
  • 9.
    bcc/BPF (C &Python) bcc examples/tracing/bitehist.py entire program
  • 10.
  • 11.
    The Tracing Landscape,Mar 2019 Scope & Capability Easeofuse sysdig perf ftrace C/BPF stap Stage of Development (my opinion) (brutal)(lessbrutal) (alpha) (mature) bcc/BPF ply/BPF Raw BPF LTTng (hist triggers) recent changes (many) bpftrace (eBPF) (0.9)
  • 12.
    e.g., identify multimodaldisk I/O latency and outliers with bcc/eBPF biolatency # biolatency -mT 10 Tracing block device I/O... Hit Ctrl-C to end. 19:19:04 msecs : count distribution 0 -> 1 : 238 |********* | 2 -> 3 : 424 |***************** | 4 -> 7 : 834 |********************************* | 8 -> 15 : 506 |******************** | 16 -> 31 : 986 |****************************************| 32 -> 63 : 97 |*** | 64 -> 127 : 7 | | 128 -> 255 : 27 |* | 19:19:14 msecs : count distribution 0 -> 1 : 427 |******************* | 2 -> 3 : 424 |****************** | […]
  • 13.
    bcc/eBPF programs canbe laborious: biolatency # define BPF program bpf_text = """ #include <uapi/linux/ptrace.h> #include <linux/blkdev.h> typedef struct disk_key { char disk[DISK_NAME_LEN]; u64 slot; } disk_key_t; BPF_HASH(start, struct request *); STORAGE // time block I/O int trace_req_start(struct pt_regs *ctx, struct request *req) { u64 ts = bpf_ktime_get_ns(); start.update(&req, &ts); return 0; } // output int trace_req_completion(struct pt_regs *ctx, struct request *req) { u64 *tsp, delta; // fetch timestamp and calculate delta tsp = start.lookup(&req); if (tsp == 0) { return 0; // missed issue } delta = bpf_ktime_get_ns() - *tsp; FACTOR // store as histogram STORE start.delete(&req); return 0; } """ # code substitutions if args.milliseconds: bpf_text = bpf_text.replace('FACTOR', 'delta /= 1000000;') label = "msecs" else: bpf_text = bpf_text.replace('FACTOR', 'delta /= 1000;') label = "usecs" if args.disks: bpf_text = bpf_text.replace('STORAGE', 'BPF_HISTOGRAM(dist, disk_key_t);') bpf_text = bpf_text.replace('STORE', 'disk_key_t key = {.slot = bpf_log2l(delta)}; ' + 'void *__tmp = (void *)req->rq_disk->disk_name; ' + 'bpf_probe_read(&key.disk, sizeof(key.disk), __tmp); ' + 'dist.increment(key);') else: bpf_text = bpf_text.replace('STORAGE', 'BPF_HISTOGRAM(dist);') bpf_text = bpf_text.replace('STORE', 'dist.increment(bpf_log2l(delta));') if debug or args.ebpf: print(bpf_text) if args.ebpf: exit() # load BPF program b = BPF(text=bpf_text) if args.queued: b.attach_kprobe(event="blk_account_io_start", fn_name="trace_req_start") else: b.attach_kprobe(event="blk_start_request", fn_name="trace_req_start") b.attach_kprobe(event="blk_mq_start_request", fn_name="trace_req_start") b.attach_kprobe(event="blk_account_io_completion", fn_name="trace_req_completion") print("Tracing block device I/O... Hit Ctrl-C to end.") # output exiting = 0 if args.interval else 1 dist = b.get_table("dist") while (1): try: sleep(int(args.interval)) except KeyboardInterrupt: exiting = 1 print() if args.timestamp: print("%-8sn" % strftime("%H:%M:%S"), end="") dist.print_log2_hist(label, "disk") dist.clear() countdown -= 1 if exiting or countdown == 0: exit()
  • 14.
    … rewritten inbpftrace (launched Oct 2018)! #!/usr/local/bin/bpftrace BEGIN { printf("Tracing block device I/O... Hit Ctrl-C to end.n"); } kprobe:blk_account_io_start { @start[arg0] = nsecs; } kprobe:blk_account_io_completion /@start[arg0]/ { @usecs = hist((nsecs - @start[arg0]) / 1000); delete(@start[arg0]); }
  • 15.
    … rewritten inbpftrace # biolatency.bt Attaching 3 probes... Tracing block device I/O... Hit Ctrl-C to end. ^C @usecs: [256, 512) 2 | | [512, 1K) 10 |@ | [1K, 2K) 426 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@| [2K, 4K) 230 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | [4K, 8K) 9 |@ | [8K, 16K) 128 |@@@@@@@@@@@@@@@ | [16K, 32K) 68 |@@@@@@@@ | [32K, 64K) 0 | | [64K, 128K) 0 | | [128K, 256K) 10 |@ |
  • 16.
    bcc canned complex tools,agents bpftrace one-liners, custom scripts
  • 17.
  • 18.
    eBPF bcc Linux4.4+ https://github.com/iovisor/bcc
  • 19.
  • 20.
    eBPF bpftrace Linux4.9+ https://github.com/iovisor/bcc
  • 21.
    Major Features (v1) KnownBug Fixes Packaging API Stability Stable Docs Oct 2018 v0.90 Mar?2019 v1.0 ?2019Dec 2016 More Bug Fixes v0.80 Jan-2019 Minor Features (v1) ... bpftrace Development
  • 22.
    bpftrace Syntax bpftrace -e‘k:do_nanosleep /pid > 100/ { @[comm]++ }’ Probe Filter (optional) Action
  • 23.
  • 24.
    Probe Type Shortcuts tracepointt Kernel static tracepoints usdt U User-level statically defined tracing kprobe k Kernel function tracing kretprobe kr Kernel function returns uprobe u User-level function tracing uretprobe ur User-level function returns profile p Timed sampling across all CPUs interval i Interval output software s Kernel software events hardware h Processor hardware events
  • 25.
    Filters ● /pid ==181/ ● /comm != “sshd”/ ● /@ts[tid]/
  • 26.
    Actions ● Per-event output – printf() –system() – join() – time() ● Map Summaries – @ = count() or @++ – @ = hist() – … The following is in the https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md
  • 27.
    Functions ● hist(n) Log2 histogram ● lhist(n,min, max, step) Linear hist. ● count() Count events ● sum(n) Sum value ● min(n) Minimum value ● max(n) Maximum value ● avg(n) Average value ● stats(n) Statistics ● str(s) String ● sym(p) Resolve kernel addr ● usym(p) Resolve user addr ● kaddr(n) Resolve kernel symbol ● uaddr(n) Resolve user symbol ● printf(fmt, ...) Print formatted ● print(@x[, top[, div]]) Print map ● delete(@x) Delete map element ● clear(@x) Delete all keys/values ● reg(n) Register lookup ● join(a) Join string array ● time(fmt) Print formatted time ● system(fmt) Run shell command ● exit() Quit bpftrace
  • 28.
    Variable Types ● Basic Variables –@global – @thread_local[tid] – $scratch ● Associative Arrays – @array[key] = value ● Buitins – pid – ...
  • 29.
    Builtin Variables ● pidProcess ID (kernel tgid) ● tid Thread ID (kernel pid) ● cgroup Current Cgroup ID ● uid User ID ● gid Group ID ● nsecs Nanosecond timestamp ● cpu Processor ID ● comm Process name ● stack Kernel stack trace ● ustack User stack trace ● arg0, arg1, ... Function arguments ● retval Return value ● func Function name ● probe Full name of the probe ● curtask Current task_struct (u64) ● rand Random number (u32)
  • 30.
    biolatency (again) #!/usr/local/bin/bpftrace BEGIN { printf("Tracing blockdevice I/O... Hit Ctrl-C to end.n"); } kprobe:blk_account_io_start { @start[arg0] = nsecs; } kprobe:blk_account_io_completion /@start[arg0]/ { @usecs = hist((nsecs - @start[arg0]) / 1000); delete(@start[arg0]); }
  • 31.
  • 32.
    Issues ● All major capabilitiesexist ● Many minor things ● https://github.com/iovisor/bpftrace/issues
  • 33.
  • 34.
    Netlfix Vector: BPFheat maps https://medium.com/netflix-techblog/extending-vector-with-ebpf-to-inspect-host-and-container-performance- 5da3af4c584b
  • 35.
    Anticipated Worldwide Audience ● BPFTool Developers: – Raw BPF: <20 – C (or C++) BPF: ~20 – bcc: >200 – bpftrace: >5,000 ● BPF Tool Users: – CLI tools (of any type): >20,000 – GUIs (fronting any type): >200,000
  • 36.
  • 37.
    Take Aways Easily exploresystems with bcc/bpftrace Contribute: see bcc/bpftrace issue list Share: posts, talks
  • 38.
    URLs - https://github.com/iovisor/bcc - https://github.com/iovisor/bcc/blob/master/docs/tutorial.md -https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md - https://github.com/iovisor/bpftrace - https://github.com/iovisor/bpftrace/blob/master/docs/tutorial_one_liners.md - https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md
  • 39.
    Thanks ● bpftrace – Alastair Robertson(creator) – Netflix: myself so for – Sthima: Matheus Marchini, Willian Gaspar – Facebook: Jon Haslam, Dan Xu – Augusto Mecking Caringi, Dale Hamel, ... ● eBPF/bcc – Facebook: Alexei Starovoitov, Teng Qin, Yonghong Song, Martin Lau, Mark Drayton, … – Netlfix: myself – VMware: Brenden Blanco – Sasha Goldsthein, Paul Chaignon, ...