BPF Binaries: BTF, CO-RE and the Future of BPF Performance Measurement Tools





, BTF CO-RE, BPF . BPF (eBPF) , , ( ), LLVM, Clang (kernel-headers), 100 , . BTF CO-RE , BPF Linux, .





:





  • BTF: BPF Type Format, Clang.





  • CO-RE: BPF Compile-Once Run-Everywhere, - BPF , LLVM.





Clang LLVM - , ELF-, BPF - . BCC , libbpf tools. opensnoop(8):





# ./opensnoop
PID    COMM              FD ERR PATH
27974  opensnoop         28   0 /etc/localtime
1482   redis-server       7   0 /proc/1482/stat
1657   atlas-system-ag    3   0 /proc/stat
[…]
      
      







opensnoop(8) - ELF-, libLLVM libclang:





# file opensnoop
opensnoop: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 3.2.0, BuildID[sha1]=b4b5320c39e5ad2313e8a371baf5e8241bb4e4ed, with debuginfo, not stripped

# ldd opensnoop
    linux-vdso.so.1 (0x00007ffddf3f1000)
    libelf.so.1 => /usr/lib/x86_64-linux-gnu/libelf.so.1 (0x00007f9fb7836000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f9fb7619000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f9fb7228000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f9fb7c76000)

# ls -lh opensnoop opensnoop.stripped
-rwxr-xr-x 1 root root 645K Feb 28 23:18 opensnoop
-rwxr-xr-x 1 root root 151K Feb 28 23:33 opensnoop.stripped
      
      











… stripped 151 .





BPF-: , ( ) , BPF- , , BTF.





.

, BPF - ELF . BPF- (kernel structs), . BPF - - , ! opensnoop(8) , , .





, BTF CO-RE BPF-. BTF , , CO-RE , BPF- . CO-RE , : « BPF» « CO-RE BTF».





CONFIG_DEBUG_INFO_BTF=y

BPF- , . 1,5 ( DWARF debuginfo, ). Ubuntu 20.10 , . : pahole >= 1.16.





BPF, BCC Python bpftrace

BPF (BPF performance tools) BCC bpftrace, bpftrace-. BCC Python libbpf C - . BCC Python , libbpf C BTF CO-RE ( , , USDT, Python- ). , BCC, Python-; BPF iovisor-dev.





BPF Performance Tools BCC bpftrace-, . Python C . . , 15 880- .





bpftrace? BTF, ( 29 , , ). libbpf 229 ( libbpf, stripped) bpftrace 1 ( ), bpftrace bpftrace , libbpf. , bpftrace . libbpf , .





, BPF :





# ls /usr/share/bcc/tools /usr/sbin/*.bt
argdist       drsnoop         mdflush         pythongc     tclobjnew
bashreadline  execsnoop       memleak         pythonstat   tclstat
[…]
/usr/sbin/bashreadline.bt    /usr/sbin/mdflush.bt    /usr/sbin/tcpaccept.bt
/usr/sbin/biolatency.bt      /usr/sbin/naptime.bt    /usr/sbin/tcpconnect.bt
[…]
      
      



… :





# bpftrace -e 'BEGIN { printf("Hello, World!\n"); }'
Attaching 1 probe...
Hello, World!
^C
      
      



… :





#!/usr/bin/python

from bcc import BPF
from bcc.utils import printb

prog = """
int hello(void *ctx) {
    bpf_trace_printk("Hello, World!\\n");
    return 0;
}
"""
[…]
      
      







Yonghong Song (Facebook) BTF, Andrii Nakryiko (Facebook) CO-RE , .





