[1] The sources for bpftool can be found in the Linux kernel repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/bpf/bpftool?h=v4.20
To compile it:
    cd tools/bpf/bpftool; make; (make install; make doc; make doc-install)

[2] "bpftool prog show" is used to list all BPF programs currently loaded on the system (loaded ⇏ attached). "bpftool prog show id 27" shows just the program of given id (ids are displayed on the left column on the list). "bpftool prog list" is an alias, does the same thing.

[3] Load a BPF program from ELF file “foo.o” to the system and pin it under the BPF virtual file system as “bar”:
    # bpftool prog load foo.o /sys/fs/bpf/bar
Pinning the program makes it persistent (and offers a handle for later management, e.g. to attach that program to a hook).

(To clear up any confusion: please note that in this thread “BPF” should be read as “eBPF”, and not as the legacy “classic BPF” version used with tcpdump.)

[4] Dump bytecode for a program loaded on the system, as “translated” instructions:
    # bpftool prog dump xlated id 40
“Translated” means after kernel rewrites (as opposed to “llvm-objdump -d my_program_objfile.o”). This is available for all programs, even if JIT-compiler is on.

[5] Dump JIT-compiled instructions for a BPF program (here from its pinned handle):
    # bpftool prog dump jited pinned /sys/fs/bpf/foo
Obviously, works only for programs loaded when JIT is on. Second picture is a dump from a sample used for HW offload with @Netronome's SmartNICs.

[6] bpftool is not just about BPF programs, you can also manage BPF maps. Here is how to list the maps on the system:
    # bpftool map show
As for programs, the alias “bpftool map list” does the same. “bpftool map show id 7” shows info just for the map of given id.

[7] Let's inspect BPF maps. Retrieve one entry, here the second entry of an array map (note the use of host endianness for passing the key), with:
    # bpftool map lookup id 182 key 0x01 0x00 0x00 0x00
Or dump all entries of a given map:
    # bpftool map dump id 182

[8] bpftool can print its output formatted as JSON. Use the “-j” (or “--json”) switch when typing commands to get a one-line JSON dump, or use “-p” (long option name: “--pretty”) to produce human-readable JSON with indent and line breaks. Here is an example for program info.

[9] It is possible to use bpftool to create a map. The map is pinned under the BPF virtual file system (or it would be lost when bpftool exits, as no BPF program uses it yet). Example:
    # bpftool map create /sys/fs/bpf/stats_map type array key 4 value 32 entries 8 name stats_map

[10] Update an entry of a map:
    # bpftool map update id 7 key 3 0 0 0 value 1 1 168 192
For compatible map types, "bpftool map update" is also used to create new entries, and "bpftool map delete" to remove them. Hash maps support it, but fixed-length arrays can only be updated.

[11] bpftool has a “hex” keyword to conjure the use of hexadecimal numbers in command key/value. All the syntaxes below are equivalent:
    # bpftool map lookup id 7 ...
    ... key 3 15 32 64
    ... key 0x3 0xf 0x20 0x40
    ... key 0x03 0x0f 0x20 0x40
    ... key hex 03 0f 20 40

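The host-endian, byte-by-byte form of keys and values used in tips [7], [10] and [11] is easy to get wrong by hand, so here is a small POSIX sh helper that builds those arguments. This is an added example, not code from the thread or from bpftool itself; it assumes a little-endian host and prints the bpftool command lines instead of running them.

```shell
#!/bin/sh
# Added example (not from the original thread): build the byte-wise,
# host-endian key/value arguments that "bpftool map lookup/update" expect,
# as in tips [7], [10] and [11]. Assumes a little-endian host (x86_64 or
# aarch64 in its usual configuration); on a big-endian host the byte order
# would have to be reversed. Commands are printed, not executed, so no root
# or loaded maps are needed to try it.

# u32_le_bytes N: print a 32-bit integer as four hex bytes, least
# significant first, e.g. 1 -> "0x01 0x00 0x00 0x00" (array index 1).
u32_le_bytes() {
    n=$1
    i=0
    out=""
    while [ "$i" -lt 4 ]; do
        out="$out$(printf '0x%02x ' $((n % 256)))"
        n=$((n / 256))
        i=$((i + 1))
    done
    printf '%s' "${out% }"
}

# u32_hex_keyword N: same value in the "hex" keyword form of tip [11],
# e.g. 1 -> "hex 01 00 00 00".
u32_hex_keyword() {
    printf 'hex %s' "$(u32_le_bytes "$1" | sed 's/0x//g')"
}

# ipv4_host_bytes A.B.C.D: an IPv4 address stored by the BPF program as a
# host-order u32, written byte by byte for bpftool: 192.168.1.1 -> "1 1 168 192"
# (the value form used in tip [10]).
ipv4_host_bytes() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '%s %s %s %s' "$d" "$c" "$b" "$a"
}

# map_lookup_cmd MAP_ID INDEX: the full bpftool command line for one entry
# of an array map with 4-byte keys.
map_lookup_cmd() {
    printf 'bpftool map lookup id %s key %s' "$1" "$(u32_le_bytes "$2")"
}

map_lookup_cmd 182 1; echo
printf 'bpftool map update id 7 key %s value %s\n' \
    "$(u32_hex_keyword 3)" "$(ipv4_host_bytes 192.168.1.1)"
```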
[12] Let's pin a BPF program to the BPF virtual file system, e.g. to keep it loaded once detached:
    # bpftool prog pin id 27 /sys/fs/bpf/foo_prog
Remove with “rm /sys/fs/bpf/foo_prog”. Also works for maps. Details on pinning and lifetime of BPF objects at https://facebookmicrosites.github.io/bpf/blog/2018/08/31/object-lifetime.html

[13] Once loaded, BPF programs of certain types can be attached with bpftool. This is the case of programs attached to sockets with:
    # bpftool prog attach <program> <attach type> <target map>
Or to cgroups, with:
    # bpftool cgroup attach <cgroup> <attach type> <program> [flags]

[14] While we're at cgroups: bpftool can show the programs attached to a given cgroup.
    # bpftool cgroup show <cgroup>
It can even iterate over cgroups and show all programs (with no argument it defaults to the cgroup v2 mountpoint, see pic):
    # bpftool cgroup tree [cgroup-root]

[15] After cgroups, let's list all tracing BPF programs currently attached on the system (to tracepoints, raw_tracepoints, k[ret]probes, u[ret]probes). As simple as:
    # bpftool perf show
(“bpftool perf list” or simply “bpftool perf” both produce the same output.)

[16] bpftool can be used to iterate over BPF map elements (this is especially useful with hash maps, with no predictable array indices):
    # bpftool map getnext id 27 key 1 0 0 10
Returns the key of the “next” entry. If no key is provided, it returns the “first” key from the map.

[17] It's Friday and you're feeling lazy? bpftool supports abbreviations. Try:
    # bpftool p d x i <id>
It also has exhaustive bash completion, proposing contextual commands, options, or even items such as available program/map ids when relevant! Also works when it's not Friday.

[17.5] Sadly, there is no completion available for bpftool in Zsh yet. As always, contributions are welcome.

[18] Linux 5.1 introduces stats for attached BPF programs: total run time and run count. bpftool prints them with classic info dump:
    # bpftool prog show
Gathering stats impacts perf (~10 to 30 nsecs/run) so defaults to off, activate with:
    # sysctl -w kernel.bpf_stats_enabled=1

[19] Similarly to “bpftool cgroup tree” or “bpftool perf show”, bpftool has a mode to dump programs related to network processing:
    # bpftool net show
This lists programs attached to TC or XDP hooks. It is possible to filter on a given interface:
    # bpftool net show dev <iface>

[20] Load a program, but reuse e.g. two existing maps (instead of automatically creating new ones):
    # bpftool prog load foo.o /sys/fs/bpf/foo_prog \
        map idx 0 id 27 \
        map name stats pinned /sys/fs/bpf/stats_map
(“idx 0”: index of the map in the ELF program file)

[21] For object files with more than one BPF program, bpftool can load all of them at once:
    # bpftool prog loadall bpf_flow.o /sys/fs/bpf/flow type flow_dissector
This is especially useful when working with BPF tail calls. Maps can be pinned by adding “pinmaps <path in bpffs>”.

[22] There is a batch mode in bpftool for running several commands at once:
    # bpftool batch file <file>
It can read commands from standard input if <file> is “-” (dash):
    # echo 'prog show \n map show \n net show' | bpftool batch file -

[23] This tip was graciously provided by @calavera (Thanks!): you can use “#” to have comments in bpftool batch files. See the Gist for a sample batch file. https://twitter.com/calavera/status/1112408664193658880

[24] bpftool recently got support for converting and dumping the kernel image into BPF instructions:
    # bpftool kernel dump
Then we can edit the BPF assembly and reload this new kernel, with all verifier checks as a benefit (no reboot required!):
    # bpftool kernel load <file>

(In case there was any doubt, and for future readers, that last one ([24]) was published on the 1st of April and was obviously a joke. Ha. Ha.)

[25] A note on map updates: bpftool can update “prog_array” maps (holding references to BPF programs, for BPF tail calls).
    # bpftool map update pinned /sys/fs/bpf/my_prog_array_map \
        key 0 0 0 0 value pinned /sys/fs/bpf/my_prog
The map MUST be pinned for this to work.

[26] BTF support! As @alexei_ast pointed out, bpftool can dump the C source code of a program in addition to BPF/jited insns. This requires:
    - Compiling the program with “-g” flag passed to clang.
    - Using a recent LLVM version, 8+ (older versions need some pahole tinkering).

[27] BTF also provides info on the structure of map entries, printable with “bpftool map dump”. Requirements for program using the map: same as in [26], plus map declaration in C sources must be annotated with the “BPF_ANNOTATE_KV_PAIR(<map name>, <key type>, <val type>)” macro.