bpf_trace_printk
In bcc, bpf_trace_printk can be used to print output. It also has a very useful property: the output is written to the /sys/kernel/tracing/trace file as well.
For example, bcc code:
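// read_trace.c (eBPF kernel-side code)
#include <vmlinux.h>
#include <bpf/bpf_helpers.h>

// Trace the sys_read entry event
SEC("tracepoint/syscalls/sys_enter_read")
int tracepoint_sys_enter_read(struct trace_event_raw_sys_enter *ctx) {
    long fd = ctx->args[0];    // first argument: file descriptor
    long count = ctx->args[2]; // third argument: number of bytes to read
    // With the libbpf helpers header, bpf_trace_printk takes the format and its size explicitly
    const char fmt[] = "sys_read: fd=%ld, count=%ld\n";
    // Use bpf_trace_printk to emit debug output
    bpf_trace_printk(fmt, sizeof(fmt), fd, count);
    return 0;
}

char _license[] SEC("license") = "GPL";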
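Problem
I want to use bpftrace to write data collected in the kernel to the trace_pipe file in real time, and then, with perfetto running alongside, have it end up in perfetto, so that data collected with eBPF can later be visualized in perfetto.
But the bpftrace tool does not have bpf_trace_printk, so it would take the slightly more cumbersome route of writing bcc code.
Later I found that bpftrace actually has a command, debugf, that can write log output to trace_pipe.
See this issue: Add support for bpf_trace_printk
Demo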
root@ubuntu:/usr/sbin# cat ./execsnoop.bt
#!/usr/bin/env bpftrace
/*
 * execsnoop.bt   Trace new processes via exec() syscalls.
 *                For Linux, uses bpftrace and eBPF.
 *
 * This traces when processes call exec(). It is handy for identifying new
 * processes created via the usual fork()->exec() sequence. Note that the
 * return value is not currently traced, so the exec() may have failed.
 *
 * TODO: switch to tracepoints args. Support more args. Include retval.
 *
 * This is a bpftrace version of the bcc tool of the same name.
 *
 * 15-Nov-2017 Brendan Gregg Created this.
 * 11-Sep-2018 " " Switched to use join().
 */

#ifndef BPFTRACE_HAVE_BTF
#include <linux/sched.h>
#endif

BEGIN
{
	printf("%-15s %-7s %-7s %s\n", "TIME", "PID", "PPID", "ARGS");
}

tracepoint:syscalls:sys_enter_exec*
{
	$task = (struct task_struct *)curtask;
	printf("%15s %-7d %-7d ", strftime("%H:%M:%S.%f", nsecs), pid, $task->real_parent->pid);
	debugf("%15s %-7d %-7d ", strftime("%H:%M:%S.%f", nsecs), pid, $task->real_parent->pid);
	join(args.argv);
}
root@ubuntu:/usr/sbin# ./execsnoop.bt
./execsnoop.bt:31:2-89: WARNING: The debugf() builtin is not recommended for production use. For more information see bpf_trace_printk in bpf-helpers(7).
	debugf("%15s %-7d %-7d ", strftime("%H:%M:%S.%f", nsecs), pid, $task->real_parent->pid);
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attaching 3 probes...
TIME PID PPID ARGS
18:17:17.673759 14314 2529 /bin/sh -c which ps
18:17:17.675398 14315 14314 which ps
18:17:17.677677 14316 2529 /bin/sh -c /usr/bin/ps -ax -o pid=,ppid=,pcpu=,pmem=,command=
18:17:17.678727 14317 14316 /usr/bin/ps -ax -o pid=,ppid=,pcpu=,pmem=,command=
18:17:17.690633 14318 2529 /bin/sh -c "/home/lucas/.vscode-server/cli/servers/Stable-2fc07b811f760549dab9be9d2bedd06c51dfcb9a/server/out/vs/base/node/cpuUsage.sh" 2589 11178 11179 11180 11181 14305
18:17:17.691955 14319 14318 /home/lucas/.vscode-server/cli/servers/Stable-2fc07b811f760549dab9be9d2bedd06c51dfcb9a/server/out/vs/base/node/cpuUsage.sh 2589 11178 11179 11180 11181 14305
18:17:17.693714 14320 14319 sed -n s/^cpu\s//p /proc/stat
18:17:17.695494 14321 14319 cat /proc/2589/stat
18:17:17.697076 14322 14319 cat /proc/11178/stat
18:17:17.698526 14323 14319 cat /proc/11179/stat
18:17:17.699908 14324 14319 cat /proc/11180/stat
Then, in trace_pipe:
root@ubuntu:/sys/kernel/tracing# cat trace_pipe
sed-11694 [006] ...21 1142.986227: bpf_trace_printk: 11694 11680
cat-11695 [005] ...21 1142.988071: bpf_trace_printk: 11695 11680
cat-11697 [004] ...21 1142.989799: bpf_trace_printk: 11697 11680
node-11699 [003] ...21 1143.063668: bpf_trace_printk: 11699 2529
sh-11700 [003] ...21 1143.065349: bpf_trace_printk: 11700 11699
node-11701 [003] ...21 1143.068664: bpf_trace_printk: 11701 2529
sh-11702 [003] ...21 1143.070832: bpf_trace_printk: 11702 11701
node-11703 [003] ...21 1143.081343: bpf_trace_printk: 11703 2529
sh-11704 [003] ...21 1143.082961: bpf_trace_printk: 11704 11703
cpuUsage.sh-11705 [003] ...21 1143.085420: bpf_trace_printk: 11705 11704
cpuUsage.sh-11706 [003] ...21 1143.087973: bpf_trace_printk: 11706 11704
cpuUsage.sh-11707 [003] ...21 1143.090004: bpf_trace_printk: 11707 11704
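
An added example, not part of the original post: a Python parser for the bpf_trace_printk lines that debugf() writes to trace_pipe, grouping exec events under their parent PID so the process lineage can be consumed by other tooling. The function names and the last two sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# ftrace text format: "<comm>-<tid> [<cpu>] <flags> <sec.usec>: bpf_trace_printk: <msg>"
# <comm> may contain '-' or spaces, so the greedy group backtracks to the
# last "-<digits> [cpu]" that lets the rest of the line match.
LINE_RE = re.compile(
    r"^\s*(?P<comm>.+)-(?P<tid>\d+)\s+\[(?P<cpu>\d+)\]\s+\S+\s+"
    r"(?P<ts>\d+\.\d+):\s+bpf_trace_printk:\s*(?P<msg>.*)$"
)

def parse_line(line):
    """Return one exec event as a dict, or None for lines that are not ours."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # debugf("%15s %-7d %-7d ", ...) ends with pid and ppid; take the last two
    # fields so the line parses whether or not the time string was rendered.
    fields = m.group("msg").split()
    if len(fields) < 2 or not all(f.isdigit() for f in fields[-2:]):
        return None
    return {
        "comm": m.group("comm"),  # task name at sys_enter_exec*, before the new image loads
        "tid": int(m.group("tid")),
        "cpu": int(m.group("cpu")),
        "ts": float(m.group("ts")),
        "pid": int(fields[-2]),
        "ppid": int(fields[-1]),
    }

def children_by_parent(lines):
    """Group exec'ing pids under their parent pid, in timestamp order."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    tree = defaultdict(list)
    for e in events:
        tree[e["ppid"]].append(e["pid"])
    return dict(tree)

# First three lines are from the trace_pipe output above; the last two are
# constructed (a comm containing '-', and an unrelated ftrace event).
SAMPLE = """\
node-11703 [003] ...21 1143.081343: bpf_trace_printk: 11703 2529
sh-11704 [003] ...21 1143.082961: bpf_trace_printk: 11704 11703
cpuUsage.sh-11705 [003] ...21 1143.085420: bpf_trace_printk: 11705 11704
my-tool-4242 [001] ...21 1143.100000: bpf_trace_printk: 4242 11704
bash-500 [000] d..2. 1143.200000: sched_switch: prev_comm=bash
""".splitlines()

if __name__ == "__main__":
    for parent, kids in children_by_parent(SAMPLE).items():
        print(parent, "->", kids)
```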