Introduction
BPFTrace is a powerful tool for dynamic tracing in Linux, enabling developers and system engineers to observe kernel and user-space events in real time. While working with BPFTrace, you often encounter different probe types and kernel features like BTF (BPF Type Format). This blog explains what these probes mean, why BTF matters, and how to troubleshoot common issues.
What bpftrace probes mean
- tracepoint: Stable kernel instrumentation points for syscalls and subsystems; arguments are exposed as decoded fields, so scripts keep working across kernel versions.
- rawtracepoint: Hooks on the same tracepoints that skip the tracepoint's argument formatting; lower overhead, but arguments arrive as raw values.
- kprobe: Dynamic probes on the entry of any non-inlined kernel function (kretprobe for the return); powerful, but not a stable interface, so symbol names and argument layouts can change between kernels.
- fentry: Modern BPF function entry probes (fexit for the return) that use BTF type info to type the arguments automatically; they require a kernel that exports BTF.
What is BTF and why it matters
- BPF Type Format (BTF) is compact type metadata (struct layouts, enums, function prototypes) that the kernel exports for itself and that BPF programs and tools consume.
- It enables automatic argument decoding and BTF-based probes such as fentry, and lets bpftrace resolve kernel types without installed kernel headers.
- To check whether it is present, look for /sys/kernel/btf/vmlinux (bpftrace --info also reports it). If it is missing or incomplete, point bpftrace at matching kernel headers or sources with the BPFTRACE_KERNEL_SOURCE environment variable, or use simpler probes that do not depend on type information.
Common errors and fixes
- Example error: error: field has incomplete type 'const enum landlock_rule_type'
- Cause: A syscall tracepoint's argument list references a type (here an enum from the Landlock subsystem) that the available BTF or kernel headers do not fully define, so bpftrace cannot lay out the tracepoint arguments.
- Fix: Use the raw_syscalls tracepoints, whose format only carries the syscall id and the raw argument words, or point bpftrace at matching kernel sources via BPFTRACE_KERNEL_SOURCE.
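The following script ties the BTF check and the error handling above together. It is an added example, not code from the original post or from the bpftrace project: it picks a decoded or raw_syscalls program depending on whether /sys/kernel/btf/vmlinux exists, runs it for a bounded time, and maps the incomplete-type error to the workaround. The SYSFS_ROOT variable is a hypothetical override added only so the BTF check can be exercised against a fake directory tree without root; leave it unset on a real system.

```sh
#!/bin/sh
# Added example (not from the original post or the bpftrace project).
# SYSFS_ROOT is a hypothetical override: empty means the real /sys.
SYSFS_ROOT="${SYSFS_ROOT:-}"

# True (exit 0) when the kernel exports BTF for vmlinux. On a real system the
# file holds the BTF blob; for this check, existence is enough.
btf_present() {
    [ -e "${SYSFS_ROOT}/sys/kernel/btf/vmlinux" ]
}

# Print the program to run. With BTF, use the decoded syscall tracepoint;
# without it, use raw_syscalls:sys_enter, whose format only carries the
# syscall id and six raw argument words, so no enum such as
# landlock_rule_type has to be resolved. printf (not echo) keeps the
# literal "\n" inside the bpftrace program intact under dash.
openat_program() {
    if btf_present; then
        printf '%s\n' 'tracepoint:syscalls:sys_enter_openat { printf("%s\n", comm); }'
    else
        printf '%s\n' 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); } interval:s:5 { print(@); clear(@); }'
    fi
}

# Classify bpftrace stderr: "incomplete-type" for the error discussed in the
# post, "ok" for empty output, "other" for anything else.
classify_error() {
    case "$1" in
        "") echo ok ;;
        *"field has incomplete type"*) echo incomplete-type ;;
        *) echo other ;;
    esac
}

# Workaround text for a classified error.
suggested_fix() {
    case "$(classify_error "$1")" in
        incomplete-type)
            echo "switch to tracepoint:raw_syscalls:* or set BPFTRACE_KERNEL_SOURCE to a matching kernel tree" ;;
        ok) echo "no error" ;;
        *) echo "inspect bpftrace --info and the full stderr" ;;
    esac
}

# Run the chosen program for N seconds: -c runs the command under bpftrace
# and bpftrace exits when it does. Needs root (or CAP_BPF and CAP_PERFMON).
run_bounded() {
    seconds="${1:-5}"
    errfile="$(mktemp)"
    prog="$(openat_program)"
    printf 'running: bpftrace -e %s -c "sleep %s"\n' "'$prog'" "$seconds" >&2
    if ! bpftrace -e "$prog" -c "sleep $seconds" 2>"$errfile"; then
        printf 'bpftrace failed: %s\n' "$(suggested_fix "$(cat "$errfile")")" >&2
        rm -f "$errfile"
        return 1
    fi
    rm -f "$errfile"
}

# Only run when executed as probe_with_fallback.sh, not when sourced.
case "${0##*/}" in probe_with_fallback.sh) run_bounded "$@" ;; esac
```

Save it as probe_with_fallback.sh and run it as root with an optional duration in seconds; sourcing the file instead gives you the functions for use in other scripts.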
Practical examples
- bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s\n", comm); }'
  Meaning: Prints the process name (comm) every time the openat() syscall is entered.
- Alternative for PPC/RHEL when BTF is incomplete (counts syscalls per process and prints the table every 5 seconds):
  bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); } interval:s:5 { print(@); clear(@); }'
Tips for running tests and scripts
- Running the bpftrace test suite: build with cmake, then run ctest from the build directory (the runtime tests need root and a kernel with the probed features). Functional one-liners like the ones above are the quickest smoke test on a new kernel.
- Bounding a run: either add an interval probe that calls exit() (interval:s:N { exit(); }), or run a workload under bpftrace with -c 'sleep N', which makes bpftrace exit when the command does.
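The duration tip above in script form, as an added example that is not part of the original post: with_duration appends an interval probe that calls exit() unless the program already calls exit(), so a run ends even when there is no workload process for -c to wait on, and bpftrace still prints its maps on exit. The function name and the bounded.sh file name are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the original post). Gives a bpftrace program a fixed
# duration from inside the script, as an alternative to -c 'sleep N'.
# A third option on a real system is: timeout -s INT N bpftrace -e '...'
# (bpftrace handles SIGINT like Ctrl-C and prints its maps before exiting).

# Print PROGRAM with "interval:s:N { exit(); }" appended, unless PROGRAM
# already calls exit(), in which case it is printed unchanged.
# N must be a positive integer; anything else is rejected with exit code 2.
with_duration() {
    program="$1"
    seconds="$2"
    case "$seconds" in
        ''|*[!0-9]*|0)
            echo "with_duration: seconds must be a positive integer" >&2
            return 2 ;;
    esac
    case "$program" in
        *"exit()"*) printf '%s\n' "$program" ;;
        *) printf '%s\n' "$program interval:s:$seconds { exit(); }" ;;
    esac
}

# Run PROGRAM for N seconds. bpftrace needs root. Example:
#   run_for 10 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'
run_for() {
    bpftrace -e "$(with_duration "$2" "$1")"
}

# Only run when executed as bounded.sh, not when sourced.
case "${0##*/}" in bounded.sh) run_for "$@" ;; esac
```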
Background on BPF:
BPF (Berkeley Packet Filter) started as a packet filtering mechanism in BSD Unix but has evolved into eBPF (Extended BPF) in modern Linux kernels. eBPF lets you run sandboxed programs inside the kernel without changing kernel source code or loading kernel modules.
- Key idea: before an eBPF program is loaded, the kernel verifier checks it (bounded loops, valid memory accesses, no arbitrary kernel pointers leaked) and rejects anything it cannot prove safe; accepted programs are then JIT-compiled, which makes them both safe and efficient. The verifier is the security boundary, which is why loading programs requires CAP_BPF (or root) rather than being open to unprivileged users by default.
- Capabilities: Observability, networking, security, and performance monitoring.
What is bpftrace?
bpftrace is a high-level front-end for eBPF. It provides a simple scripting language to attach probes to kernel/user events and collect data. It’s similar to DTrace but for Linux.
Why is it needed?
- Traditional monitoring tools often lack deep kernel visibility.
- eBPF allows low-overhead, dynamic tracing without rebooting or patching the kernel.
- Useful for:
- Performance analysis (CPU, I/O, latency)
- Debugging production issues
- Security auditing
When is it applied?
- When you need real-time insights into kernel or application behavior.
- Examples:
- Trace system calls (openat, read, write)
- Monitor network packets
- Profile application performance without intrusive instrumentation
Who can use this feature?
- System administrators: For troubleshooting and performance tuning.
- Kernel developers: For debugging kernel internals.
- SRE/DevOps engineers: For observability in production.
- Security teams: For detecting anomalous syscall, file, or network activity. bpftrace observes rather than enforces; blocking actions belongs to BPF LSM programs or tools built on them.
A note on comm in the openat() example: in bpftrace, comm is automatically populated with the command name of the current task (the process executing when the probe fires). The action { printf("%s\n", comm); } runs for every event, and at that instant the kernel context is the process making the syscall, so comm reflects that process's name. Keep in mind that comm is limited to 16 bytes and can be set by the process itself (prctl PR_SET_NAME), so for security decisions key on pid, uid, or cgroup rather than on comm alone.
Conclusion
Understanding probe types and BTF is essential for effective bpftrace usage. When BTF is missing or incomplete, fallback strategies such as the raw_syscalls tracepoints or pointing bpftrace at matching kernel sources keep tracing working. These insights help troubleshoot errors and write efficient tracing scripts.