Understanding eBPF in a Hurry!
LinkedIn Performance Engineering Meetup
June 2019
Ray Jenkins
Hi, I’m Ray
@_rayjenkins
github.com/rjenkins
ray@segment.com
Let’s say you have a
performance problem.
Examples
● A developer claims boxes have “slow” I/O
● Network connections are randomly
terminated.
● Your service is crashing, you’re not sure why,
maybe it’s getting OOM killed?
● You think some process might be getting
starved.
Someone suggests you
might be able to solve it
with eBPF.
Now you got two problems.
Goal: Can we understand
what eBPF is and how it
works?
http://www.brendangregg.com/ebpf.html
This is our map
What is eBPF? (Extended Berkeley Packet Filter)
● Fast and safe, in-kernel, register based,
bytecode VM.
● Designed to be JITed with direct mapping to
x86_64 and other modern architectures.
● eBPF programs are “attached” to code paths
within the kernel or user space programs and
are executed when the code path is traversed.
● Linux Kernel 3.18 (2014) - bpf(2) syscall
○ (4.1 for Kprobes)
What is eBPF? … cont.
● Programs are written in restricted C. eBPF backend for
LLVM/Clang.
○ clang -O2 -emit-llvm -c bpf.c -o - | llc -march=bpf -filetype=obj -o bpf.o
● eBPF Verifier
○ Verified to finish (no loops), with no unreachable instructions, no reads of uninitialized registers, and no
memory access through arbitrary pointers. Kernel function calls and data structure access are restricted.
● eBPF Maps / Perf Events Ring Buffer
○ Memory-Mapped, bi-directional data structures for storage. Allow sharing of data between
eBPF kernel programs, and also between kernel and user-space applications.
● Helper Functions
○ Kernel functions exposed to eBPF programs.
○ Context sensitive to type of eBPF program.
https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md
Why do we need eBPF?
Dynamically and
Programmatically Trace
Kernel or User Space
Functions and Events,
Safely and Efficiently.
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
eBPF is appealing to different people for different reasons,
but its power resides in what you can attach it to.
For Performance Engineering
we’re primarily interested in
these hooks.
● Kprobes/Uprobes
● Tracepoints
● USDT
● PerfEvents
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/bpf.h#L145
Tracepoints (2.6.32) - 2009
● Static places in the kernel where tracing is inserted.
● $ grep -ri TRACE_EVENT *
● https://github.com/brendangregg/perf-tools
K/J(ret)probes (2.6.9) - 2004 / U(ret)probes 3.15 - (2014)
● Probe any instruction, dynamically
● grep <func> /proc/kallsyms
● Registering a kprobe copies the probed instruction and inserts a breakpoint
(int3 on x86_64).
● The CPU hits the breakpoint, a trap occurs, registers are saved and
control is passed to Kprobes.
● The pre-handler function is called, Kprobes single-steps the
instruction (slow), then the post-handler is called.
● CONFIG_OPTPROBES=Y (enabled on x86_64)
https://vjordan.info/log/fpga/how-linux-kprobes-works.html
Perf events (2.6.31) - 2009
● The “nearly un-googleable” - http://web.eece.maine.edu/~vweaver/projects/perf_events/
● Trace and count tracepoints and lower level events, PMU, HW events (L1
cache store/load/miss etc).
● Accesses data from user space efficiently by accessing the perf_events ring
buffer.
USDT (BCC March 2016)
● Userland Statically Defined Tracepoints
● sudo ./tplist -l <library name>
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
sudo apt-get install bpfcc-tools
Single Purpose Tools
Multi-Purpose Tools
So what does it look like?
https://github.com/torvalds/linux/blob/master/samples/bpf/sock_example.c
Ayyy, lol 😂 jk
https://github.com/iovisor/bcc
https://github.com/iovisor/gobpf
BPF Compiler Collection (BCC)
Python, Lua, Golang
Let’s Talk about the VM,
First Let’s Check our Map
YOU ARE IN 1992
https://www.tcpdump.org/papers/bpf-usenix93.pdf
tcpdump -ni eth0 ip and udp
tcpdump -ni eth0 ip and udp -d
[Diagram: tcpdump and libpcap (Userspace), bpf (Kernel); labels: “tcp and udp”, bytecode, packets]
BPF - Berkeley Packet Filter
● Bytecode, register based VM, with a limited instruction set
● Runs in-kernel, designed for fast packet filtering
● 32-bit instructions (LOAD, STORE, ALU, BRANCH, RETURN)
● Two 32-bit registers (A, X), hidden frame pointer
Bpf bytecode for ‘tcpdump ip and udp’
(000) ldh [12] (load 2 bytes from packet, at offset 12)
(001) jeq #0x800 jt 2 jf 5
(002) ldb [23] (load byte at offset 23)
(003) jeq #0x11 jt 4 jf 5 (0x11 == 17)
(004) ret #262144
(005) ret #0
https://blog.cloudflare.com/bpf-the-forgotten-bytecode/
http://www.networksorcery.com/enp/protocol/ip.htm
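The six instructions above can be run by hand. This added example (not part of the original slides) is a minimal classic-BPF interpreter in C that covers only the four opcodes this filter uses; the frames are constructed samples, and `cbpf_run` and `filter_frame` are names chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as the kernel's struct sock_filter. */
struct cbpf_insn {
    uint16_t code;  /* opcode */
    uint8_t  jt;    /* relative jump if the test is true */
    uint8_t  jf;    /* relative jump if the test is false */
    uint32_t k;     /* immediate value or packet offset */
};

#define OP_LDH_ABS 0x28  /* BPF_LD  | BPF_H   | BPF_ABS */
#define OP_LDB_ABS 0x30  /* BPF_LD  | BPF_B   | BPF_ABS */
#define OP_JEQ_K   0x15  /* BPF_JMP | BPF_JEQ | BPF_K   */
#define OP_RET_K   0x06  /* BPF_RET | BPF_K             */

/* tcpdump -d prints absolute jump targets; the encoding stores offsets
 * relative to the next instruction, so "jt 2 jf 5" at (001) becomes 0/3. */
static const struct cbpf_insn ip_and_udp[] = {
    { OP_LDH_ABS, 0, 0, 12     },  /* (000) ldh [12]             */
    { OP_JEQ_K,   0, 3, 0x0800 },  /* (001) jeq #0x800 jt 2 jf 5 */
    { OP_LDB_ABS, 0, 0, 23     },  /* (002) ldb [23]             */
    { OP_JEQ_K,   0, 1, 0x11   },  /* (003) jeq #0x11  jt 4 jf 5 */
    { OP_RET_K,   0, 0, 262144 },  /* (004) ret #262144          */
    { OP_RET_K,   0, 0, 0      },  /* (005) ret #0               */
};

/* Returns the number of bytes to capture; 0 means drop the packet. */
static uint32_t cbpf_run(const struct cbpf_insn *prog, size_t n,
                         const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;  /* accumulator register */

    for (size_t pc = 0; pc < n; pc++) {
        const struct cbpf_insn *in = &prog[pc];
        switch (in->code) {
        case OP_LDH_ABS:
            if ((size_t)in->k + 2 > len)
                return 0;  /* a load past the end of the packet rejects it */
            A = ((uint32_t)pkt[in->k] << 8) | pkt[in->k + 1];
            break;
        case OP_LDB_ABS:
            if ((size_t)in->k + 1 > len)
                return 0;
            A = pkt[in->k];
            break;
        case OP_JEQ_K:
            /* Jumps only go forward, so the program always terminates. */
            pc += (A == in->k) ? in->jt : in->jf;
            break;
        case OP_RET_K:
            return in->k;
        default:
            return 0;  /* opcode outside the subset handled here */
        }
    }
    return 0;  /* ran off the end without a ret */
}

/* Builds a constructed Ethernet frame of `len` bytes (EtherType at offset 12,
 * IPv4 protocol at offset 14 + 9 = 23) and runs the filter over it. */
static uint32_t filter_frame(uint16_t ethertype, uint8_t ip_proto, size_t len)
{
    uint8_t frame[64];

    if (len > sizeof frame)
        len = sizeof frame;
    memset(frame, 0, sizeof frame);
    frame[12] = (uint8_t)(ethertype >> 8);
    frame[13] = (uint8_t)(ethertype & 0xff);
    frame[14] = 0x45;  /* IPv4, 20-byte header */
    frame[23] = ip_proto;
    return cbpf_run(ip_and_udp, sizeof ip_and_udp / sizeof ip_and_udp[0],
                    frame, len);
}

int main(void)
{
    printf("IPv4/UDP  : %u\n", filter_frame(0x0800, 17, 42));
    printf("IPv4/TCP  : %u\n", filter_frame(0x0800, 6, 54));
    printf("ARP       : %u\n", filter_frame(0x0806, 17, 42));
    printf("truncated : %u\n", filter_frame(0x0800, 17, 20));
    return 0;
}
```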
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
eBPF - Extended Berkeley Packet Filter
● Bytecode, register based VM, with an extended instruction set
○ Designed to be JITed with direct mapping to x86_64
● 64-bit instructions, and 10 64-bit registers
○ R0 - return value from in-kernel function, and exit value for eBPF program
○ R1 - R5 - arguments from eBPF program to in-kernel function
○ R6 - R9 - callee saved registers that in-kernel function will preserve
○ R10 - read-only frame pointer to access stack
● BPF_CALL
○ hw register zero overhead calls to other kernel functions
● BPF_MAPS
○ Bi-directional data structures for storage. Allow sharing of data between eBPF kernel
programs, and also between kernel and user-space applications.
● Helper Functions
○ https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md ← Very Important!
eBPF - Extended Berkeley Packet Filter… cont
● Load programs via bpf(2) syscall (see: man bpf)
○ int bpf(int cmd, union bpf_attr *attr, unsigned int size);
● Cmd: BPF_PROG_LOAD
○ Verify and load an eBPF program, returning a new file descriptor associated with the
program. The close-on-exec file descriptor flag (see fcntl(2)) is automatically enabled for
the new file descriptor.
Can we learn more about
eBPF VM like we did with
tcpdump?
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
https://github.com/iovisor/bpf-docs/blob/master/eBPF.md
0xb7 (op), r1 (dst), imm: 72=114, 6c=108, 64=100, 0a=10
imm->ascii = “rld\n”
0x63 (op), r1 (src), r10 (dst), offset
0x18 (op), r1 (dst), imm “hello wo”
As you can imagine, the next 4 instructions copy “hello wo” into a scratch space at
offset -16, copy a “0” into r1 and then copy that “0” to offset -4. Finally we copy the
address of the variable from the frame pointer at r10 into r1.
To prepare for the call to
int bpf_trace_printk(const char *fmt, u32 fmt_size, ...)
we need to point r1 to the variable (which is -16 bytes
from the frame pointer) and in r2 we store the size of
“hello world\n\0” = 13 bytes.
0x85 is a function call, with an imm of 6. We need to
look that up in bpf.h in order to figure out what that is.
[Figure: the bpf.h entries numbered 0 to 6]
Lastly we set our return value in r0 = 0 and exit with
opcode 0x95.
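The walkthrough above can be checked mechanically. This added example (not part of the original slides) decodes 8-byte eBPF instruction slots and steps through a "hello world" program to recover what is passed to helper 6; the byte array is constructed to follow the slides' description, and `decode`, `emulate`, `helper_name` and `call_info` are names chosen for illustration. It handles only the opcodes that appear in this program and is not a substitute for the kernel verifier.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK 512  /* eBPF stack size in bytes; r10 starts at its top */

/* Constructed bytes following the walkthrough: 13 instructions, 14 slots. */
static const uint8_t hello_prog[] = {
    0xb7,0x01,0x00,0x00, 0x72,0x6c,0x64,0x0a,  /* r1 = "rld\n"           */
    0x63,0x1a,0xf8,0xff, 0x00,0x00,0x00,0x00,  /* *(u32 *)(r10-8)  = r1  */
    0x18,0x01,0x00,0x00, 0x68,0x65,0x6c,0x6c,  /* r1 = "hello wo" (lddw  */
    0x00,0x00,0x00,0x00, 0x6f,0x20,0x77,0x6f,  /*   takes two slots)     */
    0x7b,0x1a,0xf0,0xff, 0x00,0x00,0x00,0x00,  /* *(u64 *)(r10-16) = r1  */
    0xb7,0x01,0x00,0x00, 0x00,0x00,0x00,0x00,  /* r1 = 0                 */
    0x73,0x1a,0xfc,0xff, 0x00,0x00,0x00,0x00,  /* *(u8 *)(r10-4)   = r1  */
    0xbf,0xa1,0x00,0x00, 0x00,0x00,0x00,0x00,  /* r1 = r10               */
    0x07,0x01,0x00,0x00, 0xf0,0xff,0xff,0xff,  /* r1 += -16              */
    0xb7,0x02,0x00,0x00, 0x0d,0x00,0x00,0x00,  /* r2 = 13                */
    0x85,0x00,0x00,0x00, 0x06,0x00,0x00,0x00,  /* call 6                 */
    0xb7,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,  /* r0 = 0                 */
    0x95,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,  /* exit                   */
};

struct ebpf_insn { uint8_t op, dst, src; int16_t off; int32_t imm; };

/* Slot layout: opcode, dst (low nibble), src (high nibble), off, imm; little-endian. */
static struct ebpf_insn decode(const uint8_t *b)
{
    struct ebpf_insn i;
    i.op = b[0]; i.dst = b[1] & 0x0f; i.src = b[1] >> 4;
    i.off = (int16_t)(uint16_t)(b[2] | (b[3] << 8));
    i.imm = (int32_t)((uint32_t)b[4] | (uint32_t)b[5] << 8 |
                      (uint32_t)b[6] << 16 | (uint32_t)b[7] << 24);
    return i;
}

/* First helper IDs (BPF_FUNC_*) in include/uapi/linux/bpf.h. */
static const char *helper_name(int id)
{
    static const char *names[] = { "unspec", "map_lookup_elem", "map_update_elem",
        "map_delete_elem", "probe_read", "ktime_get_ns", "trace_printk" };
    return (id >= 0 && id < 7) ? names[id] : "unknown";
}

struct call_info { int helper; uint32_t fmt_size; char fmt[32]; uint64_t exit_code; };

/* Little-endian store into the emulated stack; rejects out-of-bounds writes. */
static int store(uint8_t *stack, uint64_t addr, uint64_t val, size_t size)
{
    if (addr > STACK || size > STACK - addr) return -1;
    for (size_t k = 0; k < size; k++) stack[addr + k] = (uint8_t)(val >> (8 * k));
    return 0;
}

/* Returns 0 when the program reaches exit, -1 on anything it cannot handle. */
static int emulate(const uint8_t *code, size_t len, struct call_info *out)
{
    uint64_t r[11] = {0};
    uint8_t stack[STACK] = {0};
    r[10] = STACK;  /* frame pointer, expressed as an offset into stack[] */
    memset(out, 0, sizeof *out);
    for (size_t pc = 0; (pc + 1) * 8 <= len; pc++) {
        struct ebpf_insn i = decode(code + pc * 8);
        int alu = i.op == 0xb7 || i.op == 0xbf || i.op == 0x07 || i.op == 0x18;
        if (i.dst > 10 || i.src > 10 || (alu && i.dst == 10)) return -1; /* r10 is read-only */
        uint64_t addr = r[i.dst] + (uint64_t)(int64_t)i.off;
        switch (i.op) {
        case 0xb7: r[i.dst] = (uint64_t)(int64_t)i.imm; break;   /* mov imm  */
        case 0xbf: r[i.dst] = r[i.src]; break;                   /* mov reg  */
        case 0x07: r[i.dst] += (uint64_t)(int64_t)i.imm; break;  /* add imm  */
        case 0x18:                                               /* lddw     */
            if ((pc + 2) * 8 > len) return -1;
            r[i.dst] = (uint32_t)i.imm |
                       (uint64_t)(uint32_t)decode(code + (pc + 1) * 8).imm << 32;
            pc++;
            break;
        case 0x63: if (store(stack, addr, r[i.src], 4)) return -1; break;
        case 0x7b: if (store(stack, addr, r[i.src], 8)) return -1; break;
        case 0x73: if (store(stack, addr, r[i.src], 1)) return -1; break;
        case 0x85:  /* call: r1 = fmt pointer, r2 = fmt_size */
            if (r[1] > STACK || r[2] > STACK - r[1] || r[2] >= sizeof out->fmt) return -1;
            out->helper = i.imm; out->fmt_size = (uint32_t)r[2];
            memcpy(out->fmt, stack + r[1], (size_t)r[2]);
            r[0] = 0;
            break;
        case 0x95: out->exit_code = r[0]; return 0;              /* exit     */
        default: return -1;
        }
    }
    return -1;  /* ran off the end without exit */
}

int main(void)
{
    struct call_info ci;
    int rc = emulate(hello_prog, sizeof hello_prog, &ci);
    printf("rc=%d helper=%d (%s) fmt_size=%u fmt=%s", rc, ci.helper,
           helper_name(ci.helper), ci.fmt_size, ci.fmt);
    return rc != 0;
}
```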
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
eBPF Maps
Helper Functions
● https://github.com/torvalds/linux/blob/master/include/uapi/linux/bpf.h
● https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md
● int bpf_probe_read(void *dst, int size, const void *src) ← all reads must call
● int bpf_probe_read_str(void *dst, int size, const void *src)
● u64 bpf_ktime_get_ns(void)
● u64 bpf_get_current_pid_tgid(void)
● bpf_get_current_comm(char *buf, int size_of_buf)
● BPF_PERF_OUTPUT(name)
● int perf_submit((void *)ctx, (void *)data, u32 data_size)
● Map Functions
○ *val map.lookup(&key), val lookup_or_init(&key, &zero), delete(&key),
update(&key, &val), map.increment(key[, increment_amount])
Segment Use Cases
segmentio/netsniff - tw: @julien_fabre / gh: @pryz
segmentio/ebpf
● Golang eBPF “Collectors”.
● CLI + ebpfd agent processes configuration and starts
eBPF programs.
● Stats aggregation, publishing to observers, 3rd party
stats forwarding (datadog etc.).
● Docker / pid -> container/service resolution.
segmentio/ebpf
Thank You! Questions?
References
● https://lwn.net/Articles/740157/ - A thorough introduction to eBPF
● https://lwn.net/Articles/599755/ - BPF: the universal in-kernel virtual machine
● https://www.collabora.com/news-and-blog/blog/2019/04/15/an-ebpf-overview-part-2-machine-and-bytecode/
● https://www.youtube.com/watch?v=2lbtr85Yrs4 - Kernel Tracing with eBPF
● https://www.kernel.org/doc/Documentation/networking/filter.txt - Linux Socket Filtering aka Berkeley Packet Filter
● http://www.brendangregg.com/ebpf.html - Linux Extended BPF (eBPF) Tracing Tools
● https://www.slideshare.net/vh21/meet-cutebetweenebpfandtracing - Meet cute between eBPF and tracing
● https://blog.cloudflare.com/bpf-the-forgotten-bytecode/ - BPF the forgotten bytecode
● https://www.oreilly.com/learning/using-linux-tracing-tools - Modern Linux Tracing Landscape
● https://lwn.net/Articles/742082/ - An introduction to the BPF Compiler Collection
● https://bolinfest.github.io/opensnoop-native/ - How I ended up writing opensnoop in pure C using eBPF
● https://lwn.net/Articles/753601/ - Using user-space tracepoints with BPF
● http://brendangregg.com/perf.html - Perf Examples


Editor's Notes

  1. We’re going to refer back to the slide several times in our presentation
  2. Kprobe tcp_set_state We check subnet for whether it’s an AWS hosted service docker