Quentin Monnet

@qeole

eBPF tooling and hardware offload. Fast networking, with a pinch of salt. One day I'll be the first human to pass the kernel verifier.

Hiding in a BPF map
Joined: June 2012


  1. Feb 2

    Congrats to for a very clear and interesting talk on strace --seccomp-bpf, earlier today at . His contribution based on seccomp-BPF helps filtering traced syscalls, and improves performance by a factor of up to 25 (for “dd” tool)!

  2. Jan 15

    [50] bpftool can generate a “skeleton” header file from a BPF program for inclusion in user space apps managing this BPF prog. Pass the BPF object file to bpftool:

        $ bpftool gen skeleton bpf_prog.o > user_prog.h

    Then include "user_prog.h". Details in “bpftool-gen” man page.

  3. Sep 5, 2019

    [47] Like “ip link”, bpftool can attach programs to the XDP hook (and later detach them). The program must be loaded already, and then we would type:

        # bpftool net attach xdp id 42 dev eth0
        # bpftool net detach xdp dev eth0

    (xdpgeneric/xdpdrv/xdpoffload variants also supported)

  4. Sep 5, 2019

    [45] We can now list all BTF objects loaded in the system with bpftool (in addition to seeing BTF object attached to a given program or map):

        # bpftool btf [show|list]

  5. Jul 8, 2019

    [44] bpftool can run programs with BPF_PROG_TEST_RUN command available for some prog types. Manually trigger a run for a program loaded in the kernel, on input data/context provided by the user:

        # bpftool prog run PROG data_in <file> data_out <file>

    (More options in man page)

  6. Jun 20, 2019
  7. Jun 3, 2019

    [42] bpftool now has a “-d|--debug” option to print debug-level information from libbpf and (when attempting to load BPF programs) from kernel verifier, even when all steps succeed.

  8. Apr 25, 2019

    [40] When listing BPF programs and maps, bpftool has a “--bpffs” option (short name: “-f”) to print the path(s), if any, where those objects are pinned in the virtual file system. For example:

        # bpftool prog show --bpffs
        # bpftool -f map

  9. Apr 18, 2019

    [37] Avoid grepping plain output from bpftool, esp. in scripts. Prefer JSON output (more stable/consistent). Use jq: for example, get IDs of XDP programs attached to eth0 with:

        # bpftool -j net show | \
            jq '.[].xdp[]|select(.devname == "eth0")|.id // .multi_attachments[].id'
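
The same JSON-based lookup done in a script, as an added example that is not part of the original tweet: it goes beyond the single-device jq filter by collecting XDP program IDs for every device and flagging any that are not on an expected list. The sample input is constructed from the fields the jq filter relies on; the function names and the `expected` mapping are hypothetical.

```python
import json

# Constructed sample, shaped after the keys used by the jq filter in the tweet
# ("xdp", "devname", "id", "multi_attachments"); the other keys are illustrative.
SAMPLE_JSON = """
[{
  "xdp": [
    {"devname": "eth0", "ifindex": 2, "mode": "driver", "id": 42},
    {"devname": "eth1", "ifindex": 3, "multi_attachments": [
        {"mode": "generic", "id": 57},
        {"mode": "offload", "id": 58}
    ]}
  ],
  "tc": []
}]
"""


def xdp_ids_by_device(net_show_json):
    """Map each device name to the sorted IDs of XDP programs attached to it."""
    found = {}
    for namespace in json.loads(net_show_json):
        for entry in namespace.get("xdp", []):
            ids = found.setdefault(entry["devname"], set())
            if entry.get("id") is not None:
                # Single attachment: the ID sits directly on the entry.
                ids.add(entry["id"])
            else:
                # Several attachments on one device: same fallback as jq's "//".
                ids.update(a["id"] for a in entry.get("multi_attachments", []))
    return {dev: sorted(ids) for dev, ids in found.items()}


def unexpected_attachments(net_show_json, expected):
    """Return {device: [ids]} for attached XDP programs missing from `expected`.

    `expected` (hypothetical) maps device name -> set of allowed program IDs.
    Program IDs change every time a program is reloaded, so such a list only
    holds for the current set of loaded programs.
    """
    report = {}
    for dev, ids in xdp_ids_by_device(net_show_json).items():
        extra = [i for i in ids if i not in expected.get(dev, ())]
        if extra:
            report[dev] = extra
    return report


if __name__ == "__main__":
    print(xdp_ids_by_device(SAMPLE_JSON))
    print(unexpected_attachments(SAMPLE_JSON, {"eth0": {42}, "eth1": {57}}))
```

On a live system the input string would be the output of `bpftool -j net show` instead of the constructed sample.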

  10. Apr 17, 2019

    [36] In addition to plain output and JSON, the list of BPF features supported on the system can be dumped by bpftool as a set of macros, ready for inclusion in a C header file. After all, BPF is about programming!

        # bpftool feature probe kernel macros [prefix <namespace_prefix>]

  11. Apr 16, 2019

    [35] Want to check what BPF features are supported on your system?

        # bpftool feature probe kernel

    Dumps a list of BPF-related kernel config options and sysctl values, as well as availability of bpf() syscall, supported BPF program and map types and supported helper functions.

  12. Apr 15, 2019

    [34] Linux 4.20 brought stack and queue maps to BPF. We can use bpftool to manipulate them. Because such maps don't rely on keys (only values), it differs somewhat from “bpftool map lookup/update”:

        # bpftool map pop/dequeue/peek <map>
        # bpftool map push/enqueue <map> value <val>

  13. Apr 11, 2019

    [32] When BTF is available for a program (to dump the C insns), adding the “linum” keyword also prints the name of the C source file, and the line numbers related to the converted instructions. Helpful to trace where a program comes from.

        # bpftool prog dump xlated id <id> linum

  14. Apr 10, 2019

    [31] With the “visual” keyword, bpftool can dump the control flow graph of a program in a format compatible with dot. Use dot on the output to generate a graph showing the possible paths of execution.

        # bpftool prog dump xlated id <id> visual

  15. Apr 9, 2019

    [30] More complex than bpf_trace_printk(), but more flexible and much faster, perf events can be used to stream data to user space. And yes, bpftool can dump this data:

        # bpftool map event_pipe <MAP> [cpu <N> index <M>]

    See also bpf_perf_event_output()

  16. Apr 8, 2019

    [29] bpftool can dump the trace pipe, used by BPF helper bpf_trace_printk() to print debug output. For the record, it is based after a similar feature in iproute2, “tc exec bpf dbg”. With bpftool:

        # bpftool prog tracelog

    Shorter than “cat /sys/kernel/debug/tracing/trace_pipe”.

  17. Apr 4, 2019

    [27] BTF also provides info on the structure of map entries, printable with “bpftool map dump”. Requirements for program using the map: same as in [26], plus map declaration in C sources must be annotated with the “BPF_ANNOTATE_KV_PAIR(<map name>, <key type>, <val type>)” macro.

  18. Apr 3, 2019

    [26] BTF support! As pointed out, bpftool can dump the C source code of a program in addition to BPF/jited insns. This requires:

    - Compiling the program with “-g” flag passed to clang.
    - Using a recent LLVM version, 8+ (older versions need some pahole tinkering).

  19. Apr 1, 2019

    [24] bpftool recently got support for converting and dumping the kernel image into BPF instructions:

        # bpftool kernel dump

    Then we can edit the BPF assembly and reload this new kernel, with all verifier checks as a benefit (no reboot required!):

        # bpftool kernel load <file>

  20. Mar 28, 2019

    [21] For object files with more than one BPF program, bpftool can load all of them at once:

        # bpftool prog loadall bpf_flow.o /sys/fs/bpf/flow type flow_dissector

    This is especially useful when working with BPF tail calls. Maps can be pinned by adding “pinmaps <path in bpffs>”.
