BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.
BCC uses eBPF to trace and manipulate the kernel, and ships with a large set of ready-made tools.

Wikipedia on eBPF:
eBPF was built on top of the Berkeley Packet Filter (cBPF). At the lowest level, it introduced the use of ten 64-bit registers (instead of two 32-bit long registers for cBPF), different jump semantics, a call instruction and corresponding register passing convention, new instructions, and a different encoding for these instructions.[12] A number of additional features were subsequently added.
eBPF is the extended version of BPF.

Wikipedia's description of BPF:
BPF supports filtering packets, allowing a userspace process to supply a filter program that specifies which packets it wants to receive. For example, a tcpdump process may want to receive only packets that initiate a TCP connection. BPF returns only packets that pass the filter that the process supplies. This avoids copying unwanted packets from the operating system kernel to the process, greatly improving performance. The filter program is in the form of instructions for a virtual machine, which are interpreted, or compiled into machine code by a just-in-time (JIT) mechanism and executed, in the kernel.
BPF is a virtual machine that runs inside the kernel, uses a JIT compilation mechanism, and was originally used to filter packets.

Wikipedia's explanation of JIT compilation:
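To make the "filter program as virtual-machine instructions" idea from that paragraph concrete, here is an added toy interpreter (not code from BCC, tcpdump or this page) for a handful of classic BPF instructions, run over constructed frames with a simplified version of the filter tcpdump would compile to keep only TCP connection attempts. The opcode names and the `(opcode, k, jt, jf)` tuple encoding are this example's own simplification of the kernel's instruction format.

```python
import struct

# Opcode subset of classic BPF (cBPF), modelled on Linux's <linux/filter.h>.
LD_H_ABS, LD_B_ABS, LDX_MSH, LD_B_IND, AND, JEQ, RET = range(7)

def bpf_run(program, pkt):
    """Interpret a cBPF-style program (tuples of opcode, k, jt, jf) over one
    raw frame. Returns bytes to accept (0 = drop); like the kernel, a load
    past the end of the packet drops it instead of faulting."""
    a = x = pc = 0
    try:
        while True:
            op, k, jt, jf = program[pc]
            pc += 1
            if op == LD_H_ABS:            # A = big-endian u16 at pkt[k]
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == LD_B_ABS:          # A = pkt[k]
                a = pkt[k]
            elif op == LDX_MSH:           # X = 4 * (pkt[k] & 0xf): IPv4 header length
                x = 4 * (pkt[k] & 0x0F)
            elif op == LD_B_IND:          # A = pkt[X + k]
                a = pkt[x + k]
            elif op == AND:
                a &= k
            elif op == JEQ:               # jump relative to the next instruction
                pc += jt if a == k else jf
            elif op == RET:
                return k
    except (IndexError, struct.error):
        return 0
# Simplified form of tcpdump's 'tcp[tcpflags] & tcp-syn != 0' (the real
# compiled filter also rejects IPv4 fragments before reading TCP flags).
SYN_FILTER = [
    (LD_H_ABS, 12, 0, 0),       # A = EtherType
    (JEQ, 0x0800, 0, 6),        # not IPv4 -> ret 0
    (LD_B_ABS, 23, 0, 0),       # A = IPv4 protocol
    (JEQ, 6, 0, 4),             # not TCP -> ret 0
    (LDX_MSH, 14, 0, 0),        # X = IPv4 header length (handles IP options)
    (LD_B_IND, 14 + 13, 0, 0),  # A = TCP flags byte
    (AND, 0x02, 0, 0),          # keep only the SYN bit
    (JEQ, 0, 0, 1),             # SYN clear -> ret 0, SYN set -> ret 65535
    (RET, 0, 0, 0),
    (RET, 65535, 0, 0),
]
def build_frame(tcp_flags, ethertype=0x0800, proto=6):
    """Constructed sample: Ethernet + 20-byte IPv4 + 20-byte TCP header."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return eth + ip + tcp
```

A SYN or SYN-ACK frame is accepted, a plain ACK, a UDP datagram or an IPv6 frame is dropped, and a truncated frame is dropped because the out-of-bounds load aborts the program rather than reading past the buffer.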
In computing, just-in-time (JIT) compilation (also dynamic translation or run-time compilation)[1] is a way of executing computer code that involves compilation during execution of a program (at run time) rather than before execution.

JIT means compiling at run time.
JIT compilation is a combination of the two traditional approaches to translation to machine code—ahead-of-time compilation (AOT), and interpretation—and combines some advantages and drawbacks of both.[2]
Wikipedia on AOT compilation:

In computer science, ahead-of-time compilation (AOT compilation) is the act of compiling an (often) higher-level programming language into an (often) lower-level language before execution of a program, usually at build-time, to reduce the amount of work needed to be performed at run time.

AOT compilation is compiling before the program runs (like gcc).
```
-- Detecting CXX compile features - done
error: could not lock config file /home/tj/.gitconfig: No such file or directory
CMake Warning at CMakeLists.txt:29 (message):
  Failed to add root source directory to safe.directory
```

I spent a long time without finding a fix for this, so I changed approach and tried building directly from the BCC source instead, but that hit the following error:

```
/home/tj/code/bcc/src/cc/bpf_module.cc: In member function ‘virtual void ebpf::MyMemoryManager::notifyObjectLoaded(llvm::ExecutionEngine*, const llvm::object::ObjectFile&)’:
/home/tj/code/bcc/src/cc/bpf_module.cc:121:46: error: no matching function for call to ‘llvm::object::SectionRef::getName() const’
```

```
root@localhost:/# opensnoop
Traceback (most recent call last):
  File "/usr/share/bcc/tools/opensnoop", line 19, in <module>
    from bcc import ArgString, BPF
ImportError: No module named bcc
```
```
deb http://mirrors.163.com/debian/ buster main non-free contrib
deb http://mirrors.163.com/debian/ buster-updates main non-free contrib
deb http://mirrors.163.com/debian/ buster-backports main non-free contrib
deb http://mirrors.163.com/debian-security/ buster/updates main non-free contrib

deb-src http://mirrors.163.com/debian/ buster main non-free contrib
deb-src http://mirrors.163.com/debian/ buster-updates main non-free contrib
deb-src http://mirrors.163.com/debian/ buster-backports main non-free contrib
deb-src http://mirrors.163.com/debian-security/ buster/updates main non-free contrib
```

Once the Android device is on the network, run `apt-get update`; when that completes without errors, install:

```
apt-get install python-bpfcc
```

Surprisingly, this failed:

```
Err:1 http://mirrors.163.com/debian buster/main arm64 libbpfcc arm64 0.8.0-4
  Temporary failure resolving 'mirrors.163.com'
Get:2 http://mirrors.163.com/debian buster/main arm64 python-bpfcc all 0.8.0-4 [29.4 kB]
Fetched 29.4 kB in 11s (2710 B/s)
E: Failed to fetch http://mirrors.163.com/debian/pool/main/b/bpfcc/libbpfcc_0.8.0-4_arm64.deb  Temporary failure resolving 'mirrors.163.com'
E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
```

Following the hint, the command below fixed it.

```
apt-get install python-bpfcc --fix-missing
```
ChatGPT has been quite popular recently, so I asked it too; compared with web search it is still fairly efficient.

Running again gave the following error:

```
root@localhost:/# opensnoop
Traceback (most recent call last):
  File "/usr/share/bcc/tools/opensnoop", line 19, in <module>
    from bcc import ArgString, BPF
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 27, in <module>
    from .libbcc import lib, bcc_symbol, bcc_symbol_option, _SYM_CB_TYPE
  File "/usr/lib/python2.7/dist-packages/bcc/libbcc.py", line 20, in <module>
    lib.bpf_module_create_b.restype = ct.c_void_p
  File "/usr/lib/python2.7/ctypes/__init__.py", line 379, in __getattr__
    func = self.__getitem__(name)
  File "/usr/lib/python2.7/ctypes/__init__.py", line 384, in __getitem__
    func = self._FuncPtr((name_or_ordinal, self))
AttributeError: /usr/lib/aarch64-linux-gnu/libbcc.so.0: undefined symbol: bpf_module_create_b
```

This is caused by the default python version being 2.x; switch it to 3.x:

```
root@localhost:/# update-alternatives --install /usr/bin/python python /usr/bin/python2 1
update-alternatives: using /usr/bin/python2 to provide /usr/bin/python (python) in auto mode
root@localhost:/# update-alternatives --install /usr/bin/python python /usr/bin/python3 2
update-alternatives: using /usr/bin/python3 to provide /usr/bin/python (python) in auto mode
root@localhost:/# update-alternatives --config python
There are 2 choices for the alternative python (providing /usr/bin/python).

Press <enter> to keep the current choice[*], or type selection number: 2
root@localhost:/#
root@localhost:/# python
Python 3.7.3 (default, Jan 22 2021, 20:04:44)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> quit()
```
Running again, there is still an error:

```
root@localhost:/# filetop
sh: modprobe: command not found
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) or installing the kernel development package for your running kernel version.
chdir(/lib/modules/4.14.xxx/build): No such file or directory
Traceback (most recent call last):
  File "/usr/share/bcc/tools/filetop", line 164, in <module>
    b = BPF(text=bpf_text)
  File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 475, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>
```

The modprobe command is not found, so install it:

```
apt-get install kmod
```
Running again fails with:

```
root@localhost:/# opensnoop
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.14.xxx/modules.dep.bin'
modprobe: FATAL: Module kheaders not found in directory /lib/modules/4.14.xxx
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) or installing the kernel development package for your running kernel version.
chdir(/lib/modules/4.14.xxx/build): No such file or directory
Traceback (most recent call last):
  File "/usr/share/bcc/tools/opensnoop", line 261, in <module>
    b = BPF(text='')
  File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 475, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>
```

modprobe cannot find the directory /lib/modules/4.14.xxx. Judging by the hint, my board's kernel already has CONFIG_IKHEADERS enabled, and searching for a linux headers package with the command below also finds no matching package:

```
root@localhost:/# ls /sys/kernel/kheaders.tar.xz
/sys/kernel/kheaders.tar.xz
```

Running again, the error is:

```
root@localhost:/# opensnoop
tar (child): xz: Cannot exec: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) or installing the kernel development package for your running kernel version.
chdir(/lib/modules/4.14.xxx/build): No such file or directory
Traceback (most recent call last):
  File "/usr/share/bcc/tools/opensnoop", line 261, in <module>
    b = BPF(text='')
  File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 475, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>
```
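Pulling the chain of failures above together, here is an added preflight helper (not part of BCC) that checks the same prerequisites before launching a BCC tool: a Python 3 default, `modprobe` from kmod, a `/lib/modules/<release>/build` directory, or failing that the CONFIG_IKHEADERS tarball plus the `xz` binary tar needs to unpack it. The path and lookup parameters are injectable so the check can be exercised offline; the message texts are the example's own.

```python
import os
import shutil
import sys

def check_bcc_prereqs(kernel_release, modules_root="/lib/modules",
                      kheaders_tarball="/sys/kernel/kheaders.tar.xz",
                      which=shutil.which, python_version=sys.version_info):
    """Return the problems BCC's Python tools would hit on this host, in the
    order the failures above appeared (an empty list means ready to run).

    kernel_release is normally os.uname().release; the path and lookup
    parameters only exist so the check can be exercised offline.
    """
    problems = []
    if tuple(python_version[:2]) < (3, 0):
        problems.append("default python is 2.x: point /usr/bin/python at python3 "
                        "(update-alternatives); the bcc bindings fail under 2.x")
    if which("modprobe") is None:
        problems.append("modprobe not found: apt-get install kmod")
    build_dir = os.path.join(modules_root, kernel_release, "build")
    if os.path.isdir(build_dir):
        return problems            # headers on disk, nothing more to check
    # Approximates BCC's fallback: no build dir, so look for the in-kernel
    # header archive exposed by CONFIG_IKHEADERS, which tar unpacks via xz.
    if not os.path.exists(kheaders_tarball):
        problems.append(f"no {build_dir} and no {kheaders_tarball}: install the "
                        "kernel headers package or build with CONFIG_IKHEADERS=m")
    elif which("xz") is None:
        problems.append(f"{kheaders_tarball} exists but xz is missing, so tar "
                        "cannot unpack it: install xz-utils")
    return problems

if __name__ == "__main__":
    for p in check_bcc_prereqs(os.uname().release):
        print("-", p)
```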