bpftrace chapter (#1)

bpftrace chapter

Author: fntlnz

Diff for: content/10-welcome.md

@@ -12,5 +12,5 @@ Linux <i><b>e</b>xtended <b>B</b>erkeley <b>P</b>acket <b>F</b>ilters</i>
 *Be kind with others*<br/>
 *Thank you!*
 
-**Slides: https://bpf.sh/workshop**
+**Slides: https://workshop.bpf.sh/**
 ]

Diff for: content/30-pre-requirements.md

@@ -16,3 +16,4 @@ class: extra-details
 
   - a little bit of bash-fu (environment variables, loops)
 
+

Diff for: content/bpftrace/501-bpftrace.md

@@ -7,9 +7,19 @@ weight: 501
 
 On GitHub https://github.com/iovisor/bpftrace
 
-- Built from the ground-up for BPF and Linux
-- Used in production at Netflix, Facebook, etc
-- Custom one-liners
-- Tools
+*What it is*:
+
+- Higher level language to write eBPF programs;
+- Built from the ground-up for BPF and Linux;
+- Used in production at Netflix, Facebook, etc;
+- Custom one-liners;
+- Comes with tools;
+- It is just for tracing;
+
+*What it is NOT*:
+
+- A framework to build your loaders;
+- You can't do classic bpf with it (like seccomp programs or socket probe types);
+- It does not support traffic control and XDP;
 
 

Diff for: content/bpftrace/504-bpftrace-oneliners.md

@@ -1,19 +1,20 @@
 ---
-title:  "bpftrace-actions"
-weight: 516
+title:  "bpftrace-functions"
+weight: 517
 ---
 
-# bpftrace: Actions
-
-**Per-event output**
-
-- printf()
-- system()
-- join()
-- time()
-
-**Map Summaries**
-
-- @ = count() or @++
-- @ = hist()
+# bpftrace: Functions
 
+| function                                 | description                                            |
+|------------------------------------------|--------------------------------------------------------|
+| hist(int n)                              | Produce a log2 histogram of values of n                |
+| lhist(int n# int min# int max# int step) | Produce a linear histogram of values of n              |
+| count()                                  | Count the number of times this function is called      |
+| sum(int n)                               | Sum this value                                         |
+| min(int n)                               | Record the minimum value seen                          |
+| max(int n)                               | Record the maximum value seen                          |
+| avg(int n)                               | Average this value                                     |
+| stats(int n)                             | Return the count# average# and total for this value    |
+| delete(@x)                               | Delete the map element passed in as an argument        |
+| str(char *s [# int length])              | Returns the string pointed to by s                     |
+| printf(char *fmt# ...)                   | Print formatted to stdout                              |

Diff for: content/bpftrace/517-bpftrace-functions.md

@@ -0,0 +1,22 @@
+---
+title:  "bpftrace-functions-contd"
+weight: 518
+---
+
+# bpftrace: Functions (cont'd)
+
+| function                                 | description                                            |
+|------------------------------------------|--------------------------------------------------------|
+| print(@x[# int top [# int div]])         | Print a map# with optional top entry count and divisor |
+| clear(@x)                                | Delete all key/values from a map                       |
+| sym(void *p)                             | Resolve kernel address                                 |
+| usym(void *p)                            | Resolve user space address                             |
+| ntop([int af# ]int|char[4|16] addr)      | Resolve ip address                                     |
+| kaddr(char *name)                        | Resolve kernel symbol name                             |
+| uaddr(char *name)                        | Resolve user space symbol name                         |
+| reg(char *name)                          | Returns the value stored in the named register         |
+| join(char *arr[] [# char *delim])        | Prints the string array                                |
+| time(char *fmt)                          | Print the current time                                 |
+| cat(char *filename)                      | Print file content                                     |
+| system(char *fmt)                        | Execute shell command                                  |
+| exit()                                   | Quit bpftrace                                          |

Diff for: content/bpftrace/518-bpftrace-functions-cont.md

@@ -0,0 +1,21 @@
+---
+title:  "bpftrace-variable-types"
+weight: 519
+---
+
+# bpftrace: Variable types
+
+**Basic Variables**
+
+- @global
+- @thread_local[tid]
+- $scratch
+
+**Associative Arrays**
+
+- @array[key] = value
+
+**Buitins**
+
+- pid
+- ...

Diff for: content/bpftrace/519-variable-types.md

@@ -0,0 +1,17 @@
+---
+title:  "bpftrace-builtin-variables"
+weight: 520
+---
+
+# bpftrace: Builtin Variables
+
+| variable             | description                                        |
+|----------------------|----------------------------------------------------|
+| tid                  | Thread ID (kernel pid)                             |
+| cgroup               | Cgroup ID of the current process                   |
+| uid                  | User ID                                            |
+| gid                  | Group ID                                           |
+| nsecs                | Nanosecond timestamp                               |
+| elapsed              | Nanosecond timestamp since bpftrace initialization |
+| cpu                  | Processor ID                                       |
+| comm                 | Process name                                       |

Diff for: content/bpftrace/520-builtin-variables.md

@@ -0,0 +1,19 @@
+---
+title:  "bpftrace-builtin-variables-contd"
+weight: 521
+---
+
+# bpftrace: Builtin Variables (cont'd)
+
+| variable             | description                                        |
+|----------------------|----------------------------------------------------|
+| pid                  | Process ID (kernel tgid)                           |
+| stack                | Kernel stack trace                                 |
+| ustack               | User stack trace                                   |
+| arg0, arg1, ... etc. | Arguments to the function being traced             |
+| retval               | Return value from function being traced            |
+| func                 | Name of the function currently being traced        |
+| probe                | Full name of the probe                             |
+| curtask              | Current task_struct as a u64                       |
+| rand                 | Random number of type u32                          |
+| $1, $2, ... etc.     | Positional parameters to the bpftrace program      |

Diff for: content/bpftrace/521-builtin-variables-contd.md

@@ -0,0 +1,18 @@
+---
+title:  "bpftrace-exercise-tools"
+weight: 523
+class: extra-details
+---
+
+## bpftrace hands on: Tools!
+
+1. We will clone the bpftrace repository in our Linux machine;
+2. We are not cloning it to install bpftrace itself, but to get all the tools under the `tools` folder
+
+.exercise[
+- Clone the bpftrace repo
+```bash
+  git clone https://github.com/iovisor/bpftrace.git
+  cd bpftrace/tools
+```
+]

Diff for: content/bpftrace/523-bpftrace-exercise-tools.md

@@ -0,0 +1,18 @@
+---
+title:  "bpftrace-exercise-tools-tcpretrans"
+weight: 524
+class: extra-details
+---
+
+## bpftrace hands on: Trace or count TCP retransmits
+
+- In the bpftrace tools folder, there's a tool called `tcpretrans.bt`;
+- TCP wants to make sure that your packet is received with the *guarantee* that all the received bytes will be identical and in the same order as those sent,
+this technique is called **positive acknowledgement with re-transmission**;
+- What happens when there are many retransmits is that your system can have a significant overhead, then you want to know when a retransmit occurs, `tcpretrans.bt` does just that
+- Retransmits are usually a sign of poor network health, and this tool is
+useful for their investigation. Unlike using tcpdump, this tool has very
+low overhead, as it only traces the retransmit function. It also prints
+additional kernel details: the state of the TCP session at the time of the
+retransmit.
+

Diff for: content/bpftrace/524-bpftrace-exercise-tools-tcpretrans.md

@@ -0,0 +1,23 @@
+---
+title:  "bpftrace-exercise-tools-tcpretrans-contd"
+weight: 525
+class: extra-details
+---
+
+## bpftrace hands on: Trace or count TCP retransmits (cont'd)
+
+.exercise[
+- In the `bpftrace/tools` folder;
+- With root permissions;
+- Execute the `tcpretrans.bt` tool;
+
+```bash
+  bpftrace tcpretrans.bt
+```
+- Once it's started, the best way to trigger some retransmits is to try to connect to a closed port;
+- Try it on a new terminal while leaving `tcpretrans.bt` active!
+
+```bash
+  telnet bpf.sh 9090
+```
+]

Diff for: content/bpftrace/525-bpftrace-exercise-tools-tcpretrans-contd.md

@@ -0,0 +1,24 @@
+
+---
+title:  "bpftrace-oneliners-read-kernel-tracing-vfs"
+weight: 526
+class: extra-details
+---
+
+# bpftrace hands on: tracing read bytes using a kretprobe
+
+- We will use the capability of bpftrace to instrument the `vfs_read` function in the kernel using a `kretprobe`;
+- We will create an array called `bytes` that will dump a linear histogram  where the arguments are: value, min, max, step. The first argument (retval) of vfs_read() is the return value: the number of bytes read;
+
+.exercise[
+- Execute this one liner using bpftrace, then let it run for a while then use `Ctrl-C` to dump the results
+```bash
+bpftrace -e 'kretprobe:vfs_read { @bytes = lhist(retval, 0, 2000, 200); }'
+```
+]
+
+.footnote[.smaller[
+In Linux, all files are accessed through the Virtual Filesystem Switch, or VFS, a layer of code which implements generic filesystem actions and vectors requests to the correct specific code to handle the request.
+]]
+
+

Diff for: content/bpftrace/526-bpftrace-oneliner-read-kernel-tracing-vfs.md

@@ -0,0 +1,26 @@
+
+---
+title:  "bpftrace-oneliners-read-syscall"
+weight: 527
+class: extra-details
+---
+
+# bpftrace hands on: tracing read bytes using a tracepoint
+
+- We want to do the same thing we did with the `kretprobe` in the previous exercise
+
+.exercise[
+- Execute this one liner using bpftrace
+```bash
+bpftrace -e 'tracepoint:syscalls:sys_exit_read  { @bytes = lhist(args->ret, 0, 2000, 200); }'
+```
+- Let it run for a while then use `Ctrl-C` to dump the results
+]
+
+**What's the difference?**
+While being very powerful (it can trace any kernel function), `kretprobe` approach can't be considered "stable", because internal 
+kernel functions can change between kernels. On the other hand using a tracepoint is a much more stable approach because tracepoints
+are considered as a user facing feature and not an internal one by kernel developers.
+Whenever possible use tracepoints instead of kprobe/kretprobe.
+
+

Diff for: content/bpftrace/527-bpftrace-oneliner-read-syscall.md

@@ -0,0 +1,28 @@
+
+---
+title:  "bpftrace-oneliners-uretprobe"
+weight: 528
+class: extra-details
+---
+
+# bpftrace hands on: reading userspace returns
+
+We have a Go program that prints a random number every second.
+```go
+package main
+import(
+  "time"
+  "fmt"
+  "math/rand"
+)
+func main() {
+  for {
+    time.Sleep(time.Second * 1)
+    fmt.Printf("%d\n", giveMeNumber())
+  }
+}
+func giveMeNumber() int {
+  return rand.Intn(100) + rand.Intn(900)
+}
+```
+We want to get the random number out of it using a bpftrace program.

Diff for: content/bpftrace/528-bpftrace-oneliner-uretprobe.md

@@ -0,0 +1,26 @@
+
+---
+title:  "bpftrace-oneliners-uretprobe-contd"
+weight: 528
+class: extra-details
+---
+
+# bpftrace hands on: reading userspace returns
+.exercise[
+- Create a file named `main.go` with the code from [previous slide](#bpftrace-oneliners-uretprobe);
+- Then, compile it with: 
+```bash
+  go build -o randomnumbers main.go
+```
+- This will create a binary named `randomnumbers` in the current folder;
+- Once that is done, we just start the program `./randomnumbers`;
+- Now, in a new terminal, we instrument the program using bpftrace and a `uretprobe`:
+
+```bash
+bpftrace -e \
+  'uretprobe:./randomnumbers:"main.giveMeNumber"
+  { printf("%d\n", retval) }'
+```
+Bonus point, try to do an `objdump -t randomnumbers | grep -i giveMe`, what do you notice?
+]
+

Diff for: content/bpftrace/529-bpftrace-oneliner-uretprobe-contd.md

@@ -0,0 +1,11 @@
+
+---
+title:  "bpftrace-internals"
+weight: 590
+---
+
+# bpftrace: Internals
+
+.pic[
+![supported bpf probe types](/img/bpftrace-internals.png)
+] 

Diff for: content/bpftrace/590-bpftrace-internals.md

@@ -0,0 +1,12 @@
+
+---
+title:  "bpftrace-credits"
+weight: 599
+---
+
+# Takeaways
+
+- There's an higher level language to use eBPF, called `bpftrace`;
+- `bpftrace` can be used only for eBPF based tracing;
+- It's pretty magic;
+- There are a **LOT** of premade tools you can use in the `bpftrace/tools` folder, saves a lot of time;

Diff for: content/bpftrace/598-takeaways.md

@@ -8,3 +8,6 @@ weight: 599
 
 - [Brendan Gregg's presentation on bpftrace](https://github.com/iovisor/bpf-docs/blob/master/bpftrace_public_template_jun2019.odp)
 - [IOVisor's bpftrace reference guide](https://github.com/iovisor/bpftrace/blob/master/docs/reference_guide.md)
+- [IOVisor's bpftrace repository](https://github.com/iovisor/bpftrace)
+- [Wikipedia article on TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol)
+- [IOVisor's bpftrace one liner's tutorial](https://github.com/iovisor/bpftrace/blob/b6c4136fabf2527fc736bc08ee875625156b5431/docs/tutorial_one_liners.md)

Diff for: content/bpftrace/599-bpftrace-credits.md

@@ -0,0 +1,2 @@
+*.log
+.vagrant/