- 1. ã¯ã˜ã‚ã«
- 2. 使用環境
- 3. コンパイル
- 4. opensnoopã¨ã¯
- 5. opensnoop.bpf.cã®è§£èª¬
- 6. opensnoop.cã®è§£èª¬
- 7. ãŠã‚ã‚Šã«
- 8. å‚考文献
執ç†è€…:稲葉貴æ˜
1. ã¯ã˜ã‚ã«
å‰å›žã®æ¦‚è«–ç·¨ã§ã¯ã€eBPF(以下ã€BPFã¨è¡¨è¨˜ï¼‰ãŒã©ã‚“ãªã‚‚ã®ã§ã©ã®ã‚ˆã†ã«å®Ÿç¾ã•ã‚Œã¦ã„ã‚‹ã‹ã‚’ä¸å¿ƒã«è§£èª¬ã„ãŸã—ã¾ã—ãŸã€‚ ã¾ãŸã€BCCã‚„BCC-Toolsã€CO-REã«ã¤ã„ã¦ã®è§£èª¬ã‚‚è¡Œã„ã¾ã—ãŸã€‚ 実装編ã¨ãªã‚‹ä»Šå›žã¯ã€BCC-Toolsã®å¾Œç¶™ã¨ãªã‚‹libbpf-toolsよりopensnoopコマンドã«ç€ç›®ã—㦠ソースコードレベルã®è§£èª¬ã‚’è¡Œã„ã¾ã™ã€‚
2. 使用環境
BPFã¯ã€2022å¹´8月ç¾åœ¨ã‚‚活発ã«é–‹ç™ºãŒé€²ã‚られã¦ã„ã‚‹ãŸã‚ã€ç†ç”±ãŒãªã‘ã‚Œã°æ–°ã—ã„カーãƒãƒ«ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚’使ã£ãŸã»ã†ãŒã„ã„ã§ã™ã€‚
特ã«CO-REã«ã¤ã„ã¦ã¯ã€libbpfã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã®é–¢ä¿‚ã§Ubuntuã ã¨20.10以é™ã«ã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
今回ã®èª¿æŸ»ã¯ã€æœ€æ–°ã®LTS版ã§ã‚ã‚‹Ubuntu 22.04 LTSを使用ã—ã¾ã—ãŸã€‚
調査を行ã£ãŸã®ã¯ã€åŸ·ç†æ™‚点ã§æœ€æ–°ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã ã£ãŸBCC v0.24.0ã§ã™ã€‚*1
libbpf-toolsã®ãƒªãƒã‚¸ãƒˆãƒªã‚’見るã¨*.bpf.cã¨*.cã¨ã„ã†ãƒ•ã‚¡ã‚¤ãƒ«ãŒå¤§é‡ã«ã‚ã‚‹ã“ã¨ãŒã‚ã‹ã‚Šã¾ã™ã€‚
ファイルåãŒã€Œ*.bpf.cã€ã¨ãªã£ã¦ã„ã‚‹ã®ã¯ã€å‰å›žã®è¨˜äº‹ã«ãŠã‘ã‚‹BPFプãƒã‚°ãƒ©ãƒ ã«å½“ãŸã‚Šã¾ã™ã€‚
ã¾ãŸã€ãƒ•ã‚¡ã‚¤ãƒ«åãŒã€Œ*.cã€ã«ãªã£ã¦ã„ã‚‹ã®ã¯ã€å‰å›žã®è¨˜äº‹ã«ãŠã‘ã‚‹BPFアプリケーションã«ãªã‚Šã¾ã™ã€‚
ã•ã¦ã€æœ¬è¨˜äº‹ã§ã¯ã“れらコマンドã®ä¸ã‹ã‚‰opensnoopã¨ã„ã†ã‚³ãƒžãƒ³ãƒ‰ã®è§£èª¬ã‚’軸ã«ã—ã¾ã™ã€‚ ãŸã ã—ã€ã™ã¹ã¦ã®ã‚³ãƒ¼ãƒ‰ã«ã¤ã„ã¦è§£èª¬ã‚’ã„れるã¨ç›¸å½“ãªé‡ã«ãªã‚‹ãŸã‚ã€ç†è€…ãŒãƒã‚¤ãƒ³ãƒˆã«ãªã£ã¦ã„ã‚‹ã¨æ„Ÿã˜ãŸç®‡æ‰€ã®ã¿è§£èª¬ã™ã‚‹å½¢ã«ã„ãŸã—ã¾ã™ã€‚
3. コンパイル
以下ã®æ‰‹é †ã§cloneã¨ã‚³ãƒ³ãƒ‘イルãŒã§ãã¾ã™ã€‚
sudo apt install make gcc libelf-dev clang llvm git clone https://github.com/iovisor/bcc.git cd bcc git checkout -b v0.24.0 refs/tags/v0.24.0 git submodule update --init --recursive cd libbpf-tools make
4. opensnoopã¨ã¯
opensnoopã¯ã€openシステムコール
ãŒå‘¼ã°ã‚ŒãŸéš›ã«ã€ã©ã®ãƒ—ãƒã‚»ã‚¹ãŒã©ã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚’openã—ãŸã®ã‹ã‚’トレースã™ã‚‹ãŸã‚ã®ã‚³ãƒžãƒ³ãƒ‰ã§ã™ã€‚
usageã¯ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚
Usage: opensnoop [OPTION...]
Trace open family syscalls
USAGE: opensnoop [-h] [-T] [-U] [-x] [-p PID] [-t TID] [-u UID] [-d DURATION]
[-n NAME] [-e]
EXAMPLES:
./opensnoop # trace all open() syscalls
./opensnoop -T # include timestamps
./opensnoop -U # include UID
./opensnoop -x # only show failed opens
./opensnoop -p 181 # only trace PID 181
./opensnoop -t 123 # only trace TID 123
./opensnoop -u 1000 # only trace UID 1000
./opensnoop -d 10 # trace for 10 seconds only
./opensnoop -n main # only print process names containing "main"
./opensnoop -e # show extended fields
-d, --duration=DURATION Duration to trace
-e, --extended-fields Print extended fields
-n, --name=NAME Trace process names containing this
-p, --pid=PID Process ID to trace
-t, --tid=TID Thread ID to trace
-T, --timestamp Print timestamp
-u, --uid=UID User ID to trace
-U, --print-uid Print UID
-v, --verbose Verbose debug output
-x, --failed Failed opens only
-?, --help Give this help list
--usage Give a short usage message
-V, --version Print program version
以下ã¯ã‚ªãƒ—ション指定ãªã—ã§å®Ÿè¡Œã—ãŸã¨ãã®å‡ºåŠ›çµæžœã§ã™ã€‚
実行ã«ã¯ç®¡ç†è€…権é™ãŒå¿…è¦ã«ãªã‚Šã¾ã™ã€‚
å·¦ã‹ã‚‰ã€ã€Œopenを呼んã プãƒã‚»ã‚¹IDã€ã€ã€Œãƒ—ãƒã‚»ã‚¹åã€ã€ã€Œopenã®æˆ»ã‚Šå€¤ã§ã‚るファイルディスクリプタã€ã€
「errnoã€ã€ã€Œopenã—ãŸãƒ•ã‚¡ã‚¤ãƒ«ãƒ‘スã€ã¨ãªã£ã¦ã„ã¾ã™ã€‚
PID COMM FD ERR PATH 2870 systemd-journal 39 0 /proc/618498/comm 2870 systemd-journal 39 0 /proc/618498/cmdline ... 618500 opensnoop 24 0 /etc/localtime 2870 systemd-journal 39 0 /proc/618498/loginuid 2870 systemd-journal 39 0 /proc/618498/cgroup ... 67345 tmux: server 9 0 /proc/618498/cmdline 24927 irqbalance 6 0 /proc/interrupts
5. opensnoop.bpf.cã®è§£èª¬
opensnoop.bpf.cã¯ã€opensnoopã«ãŠã‘ã‚‹BPFプãƒã‚°ãƒ©ãƒ ã«ã‚ãŸã‚‹éƒ¨åˆ†ã§ã™ã€‚
5.1 mapã®å®£è¨€
10 const volatile __u64 min_us = 0; 11 const volatile pid_t targ_pid = 0; 12 const volatile pid_t targ_tgid = 0; 13 const volatile uid_t targ_uid = 0; 14 const volatile bool targ_failed = false; 15 16 struct { 17 __uint(type, BPF_MAP_TYPE_HASH); 18 __uint(max_entries, 10240); 19 __type(key, u32); 20 __type(value, struct args_t); 21 } start SEC(".maps"); 22 23 struct { 24 __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); 25 __uint(key_size, sizeof(u32)); 26 __uint(value_size, sizeof(u32)); 27 } events SEC(".maps");
ã“ã“ã§ã¯ã€mapã®å®£è¨€ã‚’è¡Œã£ã¦ã„ã‚‹ã®ã§ã™ãŒã€BPF特有ã®C言語ã®æ›¸ãæ–¹ã«ãªã£ã¦ã„ã¾ã™ã€‚
ã¾ãšã€å…ˆé 4è¡Œã®å¤‰æ•°ã§ã™ãŒã€ã“れらã¯opensnoopã®-p/-t/-u/-fオプションを指定ã™ã‚‹ã¨ãã«ä½¿ç”¨ã•ã‚Œã‚‹ã‚‚ã®ã§ã™ã€‚
例ãˆã°ã€-pオプションã¯å¼•æ•°ã§æŒ‡å®šã—ãŸãƒ—ãƒã‚»ã‚¹IDãŒopenシステムコールを呼んã 時ã®ã¿å‡ºåŠ›ã™ã‚‹ã‚ªãƒ—ションãªã®ã§ã€
BPFアプリケーションã®å¼•æ•°è§£æžå‡¦ç†ãŒçµ‚ã‚ã£ãŸå¾Œã§å¼•æ•°æŒ‡å®šã—ãŸãƒ—ãƒã‚»ã‚¹IDãŒã‚»ãƒƒãƒˆã•ã‚Œã¾ã™ã€‚
C言語を知ã£ã¦ã„る人ã‹ã‚‰ã™ã‚Œã°ã€ã€Œconstã§å®£è¨€ã—ã¦ã„ã‚‹ã®ã«å¾Œã§æ›¸ãæ›ãˆã‚‹ï¼Ÿã€ã€ã€Œã‚³ãƒ³ãƒ‘イルå˜ä½ãŒé•ã†ãƒ—ãƒã‚°ãƒ©ãƒ ã§
値を書ãæ›ãˆã‚‹ï¼Ÿã€ã¨æ€ã‚れるã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。
ã“ã®è¾ºã®ç–‘å•ã¯BPFアプリケーションã®è§£èª¬æ™‚ã«å¾Œè¿°ã™ã‚‹ã®ã§ã€ã“ã“ã§ã¯ã€Œconstã§å®£è¨€ã—ã¦ã„ã‚‹ã‹ã‚‰rodataセクションã«é…ç½®ã€
ã•ã‚Œã‚‹ã¨ã„ã†ã“ã¨ã ã‘ã”èªè˜ãã ã•ã„。
下ã®2ã¤ã®æ§‹é€ 体ã¯ã€mapã®å®£è¨€ã«ãªã‚Šã¾ã™ã€‚
startã¯ã€ãƒ—ãƒã‚»ã‚¹IDã‚’keyã«ã€openシステムコールã«æ¸¡ã—ã¦ã„ã‚‹filenameã€flagsã‚’valueã«ã—ãŸæœ€å¤§ã‚¨ãƒ³ãƒˆãƒªæ•°10240ã®hash mapã§ã€
引数を一時的ã«æ ¼ç´ã™ã‚‹ãŸã‚ã«ä½¿ç”¨ã•ã‚Œã¾ã™ã€‚
eventsã¯ã€BPFプãƒã‚°ãƒ©ãƒ ã®å‡¦ç†çµæžœã‚’BPFアプリケーションå´ã¨å…±æœ‰ã™ã‚‹ãŸã‚ã®ã‚‚ã®ã§ã™ã€‚
SEC()ã¯æŒ‡å®šã—ãŸã‚»ã‚¯ã‚·ãƒ§ãƒ³ã«å¤‰æ•°ã‚’é…ç½®ã™ã‚‹ãŸã‚ã®ãƒžã‚¯ãƒã§ã™ã€‚ SEC(".maps")ã¨ãªã£ã¦ã„ã‚‹ã®ã§ã€ELFã®.mapセクションã«é…ç½®ã•ã‚Œã‚‹ã“ã¨ã«ãªã‚Šã¾ã™ã€‚
5.2 BPFプãƒã‚°ãƒ©ãƒ ã®ãƒ¡ã‚¤ãƒ³å‡¦ç†
ã“ã“ã‹ã‚‰ã¯ã€opensnoop.bpf.cã®ãƒ¡ã‚¤ãƒ³å‡¦ç†ã§ã™ã€‚ opensnoopã¯ã€openシステムコールã¨openatシステムコールã®ä¸¡æ–¹ã‚’トレースã—ã¦ã„ã‚‹ã®ã§ã™ãŒã€ ã‚„ã£ã¦ã„ã‚‹ã“ã¨ã¯åŒã˜ãªã®ã§æœ¬è¨˜äº‹ã§ã¯openã«é–¢ã™ã‚‹éƒ¨åˆ†ã®ã¿è§£èª¬ã—ã¾ã™ã€‚
33 static __always_inline 34 bool trace_allowed(u32 tgid, u32 pid) 35 { 36 u32 uid; 37 38 /* filters */ 39 if (targ_tgid && targ_tgid != tgid) 40 return false; 41 if (targ_pid && targ_pid != pid) 42 return false; 43 if (valid_uid(targ_uid)) { 44 uid = (u32)bpf_get_current_uid_gid(); 45 if (targ_uid != uid) { 46 return false; 47 } 48 } 49 return true; 50 } 51 52 SEC("tracepoint/syscalls/sys_enter_open") 53 int tracepoint__syscalls__sys_enter_open(struct trace_event_raw_sys_enter* ctx) 54 { 55 u64 id = bpf_get_current_pid_tgid(); 56 /* use kernel terminology here for tgid/pid: */ 57 u32 tgid = id >> 32; 58 u32 pid = id; 59 60 /* store arg info for later lookup */ 61 if (trace_allowed(tgid, pid)) { 62 struct args_t args = {}; 63 args.fname = (const char *)ctx->args[0]; 64 args.flags = (int)ctx->args[1]; 65 bpf_map_update_elem(&start, &pid, &args, 0); 66 } 67 return 0; 68 } .... 88 static __always_inline 89 int trace_exit(struct trace_event_raw_sys_exit* ctx) 90 { 91 struct event event = {}; 92 struct args_t *ap; 93 int ret; 94 u32 pid = bpf_get_current_pid_tgid(); 95 96 ap = bpf_map_lookup_elem(&start, &pid); 97 if (!ap) 98 return 0; /* missed entry */ 99 ret = ctx->ret; 100 if (targ_failed && ret >= 0) 101 goto cleanup; /* want failed only */ 102 103 /* event data */ 104 event.pid = bpf_get_current_pid_tgid() >> 32; 105 event.uid = bpf_get_current_uid_gid(); 106 bpf_get_current_comm(&event.comm, sizeof(event.comm)); 107 bpf_probe_read_user_str(&event.fname, sizeof(event.fname), ap->fname); 108 event.flags = ap->flags; 109 event.ret = ret; 110 111 /* emit event */ 112 bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, 113 &event, sizeof(event)); 114 115 cleanup: 116 bpf_map_delete_elem(&start, &pid); 117 return 0; 118 } 119 120 SEC("tracepoint/syscalls/sys_exit_open") 121 int tracepoint__syscalls__sys_exit_open(struct trace_event_raw_sys_exit* ctx) 122 { 123 return trace_exit(ctx); 124 }
5.2.1 33-68行目
tracepoint__syscalls__sys_enter_openã¯ã€openシステムコールã®å‘¼ã³å‡ºã—をイベントã¨ã—ã¦å‘¼ã°ã‚Œã‚‹é–¢æ•°ã§ã™ã€‚
55行目ã®bpf_get_current_pid_tgidã¯BPFヘルパー関数ã®ï¼‘ã¤ã§ã€å‘¼ã³å‡ºã—ãŸæ™‚点ã§ã®ãƒ—ãƒã‚»ã‚¹ã®ã‚¹ãƒ¬ãƒƒãƒ‰IDã¨ãƒ—ãƒã‚»ã‚¹IDをカーãƒãƒ«ãŒæŒã¤ãƒ‡ãƒ¼ã‚¿æ§‹é€ ã‹ã‚‰å–å¾—ã—ã¾ã™ã€‚
処ç†ã®å®Ÿä½“ã¯ã€ã‚«ãƒ¼ãƒãƒ«å†…ã«å˜åœ¨ã—ã¦ã„ã¾ã™ã€‚
trace_allowedを使ã£ã¦åˆ¤å®šï¼ˆ61行目)ã—ã€ãƒˆãƒ¬ãƒ¼ã‚¹å¯¾è±¡ã§ã‚ã‚Œã°openシステムコールã®å¼•æ•°ã§ã‚るファイルåã¨ãƒ•ãƒ©ã‚°ã‚’BPFヘルパー関数ã®
bpf_map_update_elemを使ã£ã¦mapã«æ ¼ç´ã—ã¾ã™ã€‚
5.2.2 88-124行目
tracepoint__syscalls__sys_exit_openã¯ã€openシステムコールãŒçµ‚了ã™ã‚‹ã¨ãã«å‘¼ã°ã‚Œã‚‹é–¢æ•°ã§ã™ã€‚
trace_exitã§ã¯ã€tracepoint__syscalls__sys_enter_openã§mapã«æ ¼ç´ã—ãŸãƒ‡ãƒ¼ã‚¿ã‚’å–り出ã—(96行目)ã€
ã•ã‚‰ã«BPFアプリケーションå´ã§å¿…è¦ã«ãªã‚‹æƒ…å ±ã‚’eventæ§‹é€ ä½“ã«ã‚³ãƒ”ーã—ã¦ã„ã¾ã™ï¼ˆ104-109行目)。
最終的ã«ã€BPFヘルパー関数ã§ã‚ã‚‹bpf_perf_event_outputを呼ã³å‡ºã—ã€BPFアプリケーションã‹ã‚‰ãƒ‡ãƒ¼ã‚¿ãŒèªã¿ã ã›ã‚‹ã‚ˆã†ã«ã—ã¾ã™ã€‚
5.2.3 プãƒã‚°ãƒ©ãƒ タイプã¨ã‚³ãƒ³ãƒ†ã‚スト
BPFプãƒã‚°ãƒ©ãƒ ãŒå‘¼ã°ã‚ŒãŸã¨ãã«ã‚«ãƒ¼ãƒãƒ«å´ã‹ã‚‰æ¸¡ã•ã‚Œã‚‹å¼•æ•°ã®ã“ã¨ã‚’コンテã‚ストã¨å‘¼ã³ã¾ã™ã€‚
tracepoint__syscalls__sys_exit_openã¨tracepoint__syscalls__sys_enter_openã«æ¸¡ã•ã‚Œã¦ã„ã‚‹ctxãŒãã‚Œã«ã‚ãŸã‚Šã¾ã™ã€‚
ã“ã®ã‚³ãƒ³ãƒ†ã‚ストã§ã™ãŒã€ä½•ãŒæ¸¡ã•ã‚Œã‚‹ã‹ã¯ãƒ—ãƒã‚°ãƒ©ãƒ タイプã«ã‚ˆã£ã¦æ±ºã¾ã‚Šã¾ã™ã€‚
プãƒã‚°ãƒ©ãƒ タイプã¯ã€ãƒ¦ãƒ¼ã‚¶ãŒä½œæˆã—ãŸBPFプãƒã‚°ãƒ©ãƒ ã®ç¨®åˆ¥ã‚’表ã™ã‚‚ã®ã§ã€
カーãƒãƒ«å†…ã«å®šç¾©å€¤ãŒã‚ã‚Šã€BPFアプリケーションã§BPFプãƒã‚°ãƒ©ãƒ ã‚’ãƒãƒ¼ãƒ‰ã™ã‚‹éš›ã«æŒ‡å®šã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
プãƒã‚°ãƒ©ãƒ タイプã¯ã€BPFプãƒã‚°ãƒ©ãƒ ã‹ã‚‰å‘¼ã³å‡ºã›ã‚‹BPFヘルパー関数ã®ç¨®é¡žã‚„ã€ãã‚‚ãã‚‚ã©ã®ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã§BPFプãƒã‚°ãƒ©ãƒ ãŒã‚«ãƒ¼ãƒãƒ«ã‹ã‚‰å‘¼ã°ã‚Œã‚‹ã‹ã«ã‚‚影響ã—ã¾ã™ã€‚
プãƒã‚°ãƒ©ãƒ タイプã”ã¨ã«å‘¼ã³å‡ºã—å¯èƒ½ãªBPFヘルパー関数ã¯ã€BCCã®ãƒ‰ã‚ュメントã«ã¾ã¨ã‚られã¦ã„ã¾ã™ã€‚
BPFアプリケーションãŒã©ã®ã‚ˆã†ã«ãƒ—ãƒã‚°ãƒ©ãƒ タイプを指定ã—ã¦ã„ã‚‹ã®ã‹ã¯å¾Œè¿°ã—ã¾ã™ãŒã€å…ˆã«çµè«–ã‚’
書ãã¨opensnoopã¯ã€ŒBPF_PROG_TYPE_TRACEPOINTã€ã‚’使用ã—ã¦ã„ã¾ã™ã€‚
opensnoopã®ã‚ˆã†ã«ã‚·ã‚¹ãƒ†ãƒ コールã«å¯¾ã—ã¦ã€ŒBPF_PROG_TYPE_TRACEPOINTã€ã‚’指定ã—ãŸå ´åˆã€
BPFプãƒã‚°ãƒ©ãƒ ã«æ¸¡ã•ã‚Œã‚‹ã‚³ãƒ³ãƒ†ã‚ストã¯ä»¥ä¸‹ã®ã‚³ãƒžãƒ³ãƒ‰ã§èª¿ã¹ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚
ã¾ãŸã€sys_exit_openã«æ¸¡ã•ã‚Œã‚‹ã‚³ãƒ³ãƒ†ã‚ストã¯ã€sys_enter_openã®éƒ¨åˆ†ã‚’sys_exit_openã«å¤‰æ›´ã™ã‚‹ã“ã¨ã§èª¿ã¹ã‚‰ã‚Œã¾ã™ã€‚
sudo cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_open/format
5.3 opensnoop.bpf.cã®ã‚³ãƒ³ãƒ‘イル
「make opensnoopã€ã¨å®Ÿè¡Œã™ã‚‹ã¨ã€ä»¥ä¸‹ã®æµã‚Œã§opensnoopã®å®Ÿè¡Œå½¢å¼ãƒ•ã‚¡ã‚¤ãƒ«ãŒç”Ÿæˆã•ã‚Œã¾ã™ã€‚
clang -g -O2 -Wall -target bpf -D__TARGET_ARCH_x86 -Ix86/ -I.output -I../src/cc/libbpf/include/uapi -c opensnoop.bpf.c -o .output/opensnoop.bpf.o && llvm-strip -g .output/opensnoop.bpf.o bin/bpftool gen skeleton .output/opensnoop.bpf.o > .output/opensnoop.skel.h cc -g -O2 -Wall -I.output -I../src/cc/libbpf/include/uapi -c opensnoop.c -o .output/opensnoop.o cc -g -O2 -Wall .output/opensnoop.o bcc/libbpf-tools/.output/libbpf.a .output/trace_helpers.o .output/syscall_helpers.o .output/errno_helpers.o .output/map_helpers.o .output/uprobe_helpers.o -lelf -lz -o opensnoop
1行目ã¯ã€Clang/LLVMã§opensnoop.bpf.cã‚’BPFãƒã‚¤ãƒˆã‚³ãƒ¼ãƒ‰ã¨ã—ã¦ã‚³ãƒ³ãƒ‘イルã—ã¦ã„ã¾ã™ã€‚
2行目ã¯ã€bpftoolã¨ã„ã†BPFã®é–‹ç™ºãƒ„ールを使ã£ã¦ã€opensnoop.bpf.oã‹ã‚‰opensnoop.skel.hã¨ã„ã†ãƒ˜ãƒƒãƒ€ãƒ•ã‚¡ã‚¤ãƒ«ã‚’
生æˆã—ã¦ã„ã¾ã™ã€‚ã“ã®*.skel.hã¨ã„ã†ã®ã¯ã€ã‚¹ã‚±ãƒ«ãƒˆãƒ³ãƒ˜ãƒƒãƒ€ã¨è¨€ã‚ã‚Œopensnoop.bpf.oã®éª¨çµ„ã¿ã‚’抽出ã—ãŸã‚‚ã®ã«ãªã‚Šã¾ã™ã€‚
3行目ã§opensnoop.cをコンパイルã—ã€4行目ã§libbpfãªã©ã¨ãƒªãƒ³ã‚¯ã—ã¦opensnoopãŒå®Œæˆã—ã¾ã™ã€‚
BPFプãƒã‚°ãƒ©ãƒ ã¯ã‚«ãƒ¼ãƒãƒ«ã«ãƒãƒ¼ãƒ‰ã™ã‚‹å¿…è¦ãŒã‚ã‚‹ãŸã‚ã€opensnoop自体ã«ãƒªãƒ³ã‚¯ã¯ã•ã‚Œã¦ã„ã¾ã›ã‚“。
BPFアプリケーション(opensnoop.c)ãŒã©ã†ã‚„ã£ã¦BPFプãƒã‚°ãƒ©ãƒ ã‚’èªã¿è¾¼ã‚€ã‹ã¯ã€2行目ã§ç”Ÿæˆã•ã‚Œã‚‹ã‚¹ã‚±ãƒ«ãƒˆãƒ³ãƒ˜ãƒƒãƒ€
ãŒé–¢ä¿‚ã—ã¦ã„ã¾ã™ã€‚
6. opensnoop.cã®è§£èª¬
opensnoop.cã¯ã€opensnoopã«ãŠã‘ã‚‹BPFアプリケーションã«ã‚ãŸã‚‹éƒ¨åˆ†ã§ã™ã€‚
6.1ã€6.2ç« ã§BPFアプリケーションã®ãƒ¡ã‚¤ãƒ³å‡¦ç†ã§ã‚ã‚‹opensnoop.cã®è‡ªä½“ã®è§£èª¬ã‚’è¡Œã„ã€
以é™ã¯ãƒ¡ã‚¤ãƒ³å‡¦ç†ã‹ã‚‰å‘¼ã°ã‚Œã‚‹å„種処ç†ã«ã¤ã„ã¦æ·±è¿½ã„ã—ã¦ã„ãã¾ã™ã€‚
自動生æˆã®ã‚¹ã‚±ãƒ«ãƒˆãƒ³éƒ¨åˆ†ã¨libbpf内部ã®é–¢æ•°ãŒå…¥ã‚Šä¹±ã‚Œã¦ã—ã¾ã„ã¾ã™ãŒã€
見分ã‘æ–¹ã¨ã—ã¦ã¯é–¢æ•°åãŒã€Œopensnoop_ã€ã§å§‹ã¾ã‚‹ã‚‚ã®ãŒã‚¹ã‚±ãƒ«ãƒˆãƒ³ãƒ˜ãƒƒãƒ€å†…ã«å˜åœ¨ã—ã¦ã„ã‚‹ã‚‚ã®ã§ã€
「bpf_ã€ã§å§‹ã¾ã‚‹ã‚‚ã®ãŒlibbpf内ã«å˜åœ¨ã—ã¦ã„ã‚‹ã‚‚ã®ã«ãªã‚Šã¾ã™ã€‚
6.1 ヘッダファイルã®ã‚¤ãƒ³ã‚¯ãƒ«ãƒ¼ãƒ‰
17 #include "opensnoop.h" 18 #include "opensnoop.skel.h" 19 #include "trace_helpers.h"
17行目ã§BPFプãƒã‚°ãƒ©ãƒ ã¨å…±æœ‰ã™ã‚‹æ§‹é€ 体ãŒå®šç¾©ã•ã‚Œã¦ã„ã‚‹opensnoop.hをインクルードã—ã¦ã„ã¾ã™ã€‚
ã¾ãŸã€18行目ã§BPFプãƒã‚°ãƒ©ãƒ を使ã£ã¦è‡ªå‹•ç”Ÿæˆã—ãŸã‚¹ã‚±ãƒ«ãƒˆãƒ³ãƒ˜ãƒƒãƒ€ã‚’インクルードã™ã‚‹ã“ã¨ã§ã€
スケルトンヘッダ内ã®ãƒã‚¤ãƒˆã‚³ãƒ¼ãƒ‰ã‚’メモリã«èªã¿è¾¼ã¿ã¾ã™ã€‚
6.2 BPFアプリケーションã®ãƒ¡ã‚¤ãƒ³å‡¦ç†
BPFアプリケーションã®ãƒ¡ã‚¤ãƒ³å‡¦ç†ã¯ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚ 処ç†æ¦‚è¦ã¨ã—ã¦ã¯ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚
opensnoop_bpf__open:スケルトンヘッダã®èªã¿è¾¼ã¿ã€å„ç¨®æ§‹é€ ä½“ã®å®Ÿä½“化ã€ãƒ—ãƒã‚°ãƒ©ãƒ タイプã®è¨å®šopensnoop_bpf__load:mapã®ä½œæˆã€BPFプãƒã‚°ãƒ©ãƒ ã®ã‚«ãƒ¼ãƒãƒ«ã¸ã®ãƒãƒ¼ãƒ‰opensnoop_bpf__attach:BPFプãƒã‚°ãƒ©ãƒ をイベントã«ã‚¢ã‚¿ãƒƒãƒperf_buffer__poll:BPFプãƒã‚°ãƒ©ãƒ ãŒmapã«æ›¸ãè¾¼ã¿ã‚’ã—ãŸã“ã¨ã‚’契機ã«ãƒãƒ³ãƒ‰ãƒ©ã‚’実行
215 int main(int argc, char **argv) 216 { ... 231 libbpf_set_strict_mode(LIBBPF_STRICT_ALL); 232 libbpf_set_print(libbpf_print_fn); 233 234 obj = opensnoop_bpf__open(); ... 241 obj->rodata->targ_tgid = env.pid; 242 obj->rodata->targ_pid = env.tid; 243 obj->rodata->targ_uid = env.uid; 244 obj->rodata->targ_failed = env.failed; ... 256 err = opensnoop_bpf__load(obj); ... 262 err = opensnoop_bpf__attach(obj); ... 278 /* setup event callbacks */ 279 pb = perf_buffer__new(bpf_map__fd(obj->maps.events), PERF_BUFFER_PAGES, 280 handle_event, handle_lost_events, NULL, NULL); ... 297 /* main: poll */ 298 while (!exiting) { 299 err = perf_buffer__poll(pb, PERF_POLL_TIMEOUT_MS); ... 308 } ... 315 }
6.3 231-232行目
231行目ã®libbpf_set_strict_modeã¯ã€è¿‘ã„å°†æ¥è¡Œã‚れるlibbpfã®å¤§è¦æ¨¡å¤‰æ›´ã«ã‚らã‹ã˜ã‚é©åˆã™ã‚‹ãŸã‚ã®ã‚‚ã®ã§ã™ã€‚ libbpfã¯2022å¹´8月ç¾åœ¨ã®æœ€æ–°ç‰ˆãŒv0.8.1ã§ã™ãŒã€v1.0ã§ã¯å¤§è¦æ¨¡ãªå¤‰æ›´ãŒè¡Œã‚れるã¨ã‚¢ãƒŠã‚¦ãƒ³ã‚¹ã•ã‚Œã¦ã„ã¾ã™ã€‚
232行目ã¯ã€opensnoopã®å‡ºåŠ›é–¢æ•°ã®å·®ã—替ãˆã‚’è¡Œã£ã¦ã„ã¾ã™ã€‚ libbpf_print_fnã¯ã€vfprintfを使ã„標準エラー出力ã«å‡ºåŠ›ã—ã¦ã„ã¾ã™ã€‚
6.4 opensnoop_bpf__open
opensnoop_bpf__openã¯ã€ã‚¹ã‚±ãƒ«ãƒˆãƒ³ãƒ˜ãƒƒãƒ€ã®èªã¿è¾¼ã¿ã€å„ç¨®æ§‹é€ ä½“ã®å®Ÿä½“化ã€ãƒ—ãƒã‚°ãƒ©ãƒ タイプã®è¨å®šãªã©æ§˜ã€…ãªå‡¦ç†ã‚’è¡Œã„ã€opensnoop_bpfæ§‹é€ ä½“ã‚’æ§‹ç¯‰ã—ã¾ã™ã€‚
opensnoop_bpfæ§‹é€ ä½“ã®å®šç¾©ã¯opensnoop.skel.hã«ã‚ã‚Šã¾ã™ã€‚
11 struct opensnoop_bpf { 12 struct bpf_object_skeleton *skeleton; 13 struct bpf_object *obj; 14 struct { 15 struct bpf_map *start; 16 struct bpf_map *events; 17 struct bpf_map *rodata; 18 } maps; 19 struct { 20 struct bpf_program *tracepoint__syscalls__sys_enter_open; 21 struct bpf_program *tracepoint__syscalls__sys_enter_openat; 22 struct bpf_program *tracepoint__syscalls__sys_exit_open; 23 struct bpf_program *tracepoint__syscalls__sys_exit_openat; 24 } progs; 25 struct { 26 struct bpf_link *tracepoint__syscalls__sys_enter_open; 27 struct bpf_link *tracepoint__syscalls__sys_enter_openat; 28 struct bpf_link *tracepoint__syscalls__sys_exit_open; 29 struct bpf_link *tracepoint__syscalls__sys_exit_openat; 30 } links; 31 struct opensnoop_bpf__rodata { 32 __u64 min_us; 33 pid_t targ_pid; 34 pid_t targ_tgid; 35 uid_t targ_uid; 36 bool targ_failed; 37 } *rodata; 38 };
å‰è¿°ã®é€šã‚Šã€ã‚¹ã‚±ãƒ«ãƒˆãƒ³ãƒ˜ãƒƒãƒ€ã¯bpftoolã«ã‚ˆã‚ŠBPFプãƒã‚°ãƒ©ãƒ ã‹ã‚‰è‡ªå‹•ç”Ÿæˆã•ã‚Œã‚‹ã‚‚ã®ã§ã‚ã‚‹ãŸã‚ã€æ§‹é€ 体メンãƒã®åå‰ã®å¤šããŒBPFプãƒã‚°ãƒ©ãƒ ã§è¨å®šã—ãŸã‚‚ã®ã«ãªã£ã¦ã„ã¾ã™ã€‚
ãã‚Œãžã‚Œã®ãƒ¡ãƒ³ãƒã®å½¹å‰²ã¯å¿…è¦ã«å¿œã˜ã¦å¾Œè¿°ã—ã¾ã™ãŒã€opensnoop_bpf__openã¯ã€opensnoop_bpfæ§‹é€ ä½“ã‚’ä½œæˆã—ã¦ã€å€¤ã‚’セットã™ã‚‹ã®ãŒã²ã¨ã¤ã®å½¹å‰²ã«ãªã£ã¦ã„ã¾ã™ã€‚
opensnoop_bpf__openã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ã«opensnoop_bpf__open_optsを呼ã³å‡ºã™ã ã‘ã§ã™ã€‚
53 static inline struct opensnoop_bpf * 54 opensnoop_bpf__open_opts(const struct bpf_object_open_opts *opts) 55 { ... 59 obj = (struct opensnoop_bpf *)calloc(1, sizeof(*obj)); ... 65 err = opensnoop_bpf__create_skeleton(obj); ... 69 err = bpf_object__open_skeleton(obj->skeleton, opts); ... 78 } 79 80 static inline struct opensnoop_bpf * 81 opensnoop_bpf__open(void) 82 { 83 return opensnoop_bpf__open_opts(NULL); 84 }
59行目ã§opensnoop_bpfæ§‹é€ ä½“ã‚’ã‚¢ãƒã‚±ãƒ¼ãƒˆã—ã€65行目ã§opensnoop_bpf__create_skeletonを呼ã³å‡ºã—ã€ã‚¹ã‚±ãƒ«ãƒˆãƒ³æ§‹é€ 体を構築ã—ã¾ã™ã€‚
opensnoop_bpf__create_skeletonã¯ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚
124 static inline int 125 opensnoop_bpf__create_skeleton(struct opensnoop_bpf *obj) 126 { 127 struct bpf_object_skeleton *s; 128 129 s = (struct bpf_object_skeleton *)calloc(1, sizeof(*s)); 130 if (!s) 131 goto err; 132 obj->skeleton = s; 133 134 s->sz = sizeof(*s); 135 s->name = "opensnoop_bpf"; 136 s->obj = &obj->obj; 137 138 /* maps */ 139 s->map_cnt = 3; 140 s->map_skel_sz = sizeof(*s->maps); 141 s->maps = (struct bpf_map_skeleton *)calloc(s->map_cnt, s->map_skel_sz); 142 if (!s->maps) 143 goto err; 144 145 s->maps[0].name = "start"; 146 s->maps[0].map = &obj->maps.start; 147 148 s->maps[1].name = "events"; 149 s->maps[1].map = &obj->maps.events; 150 151 s->maps[2].name = "opensnoo.rodata"; 152 s->maps[2].map = &obj->maps.rodata; 153 s->maps[2].mmaped = (void **)&obj->rodata; ... 158 s->progs = (struct bpf_prog_skeleton *)calloc(s->prog_cnt, s->prog_skel_sz); 159 if (!s->progs) 160 goto err; 161 162 s->progs[0].name = "tracepoint__syscalls__sys_enter_open"; 163 s->progs[0].prog = &obj->progs.tracepoint__syscalls__sys_enter_open; 164 s->progs[0].link = &obj->links.tracepoint__syscalls__sys_enter_open; ... 170 s->progs[2].name = "tracepoint__syscalls__sys_exit_open"; 171 s->progs[2].prog = &obj->progs.tracepoint__syscalls__sys_exit_open; 172 s->progs[2].link = &obj->links.tracepoint__syscalls__sys_exit_open; ... 178 s->data = (void *)opensnoop_bpf__elf_bytes(&s->data_sz); ... 186 static inline const void *opensnoop_bpf__elf_bytes(size_t *sz) 187 { 188 *sz = 12752; 189 return (const void *) " 190 \x7f\x45\x4c\x46\x02\x01\x01\0\0\0\0\0\0\0\0\0\x01\0\xf7\0\x01\0\0\0\0\0\0\0\0\ 191 \0\0\0\0\0\0\0\0\0\0\0\xd0\x2c\0\0\0\0\0\0\0\0\0\0\x40\0\0\0\0\0\x40\0\x14\0\ 192 \x01\0\xbf\x16\0\0\0\0\0\0\x85\0\0\0\x0e\0\0\0\x63\x0a\xfc\xff\0\0\0\0\x18\x01\
opensnoop_bpf__elf_bytesã§returnã—ã¦ã„ã‚‹ãƒã‚¤ãƒˆåˆ—ãŒBPFプãƒã‚°ãƒ©ãƒ ã®ãƒã‚¤ãƒˆã‚³ãƒ¼ãƒ‰ã«ãªã‚Šã¾ã™ã€‚
後ã®å·¥ç¨‹ã§ã“ã®ELFãƒã‚¤ãƒŠãƒªã‚’libelfã§è§£æžã—ã¦ã€å¿…è¦ãªæ§‹é€ 体ã«ç§»ã—替ãˆãŸã‚Šã—ã¦æœ€çµ‚çš„ã«
カーãƒãƒ«ã«ãƒãƒ¼ãƒ‰ã™ã‚‹ã‚ˆã†ãªæ§‹é€ ã«ãªã£ã¦ã„ã¾ã™ã€‚
opensnoopã®ãƒªãƒ³ã‚¯ã§-lelfを指定ã—ã¦ã„ã‚‹ã®ã¯ãã®ãŸã‚ã§ã™ã€‚
ã•ã¦ã€opensnoop_bpf__create_skeletonを呼ã³å‡ºã—ãŸçµæžœã€opensnoop_bpfæ§‹é€ ä½“ã¯å›³1ã®ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚
図1ã®é€šã‚Šã€bpf_object_skeletonæ§‹é€ ä½“ã®ä¸èº«ã¯ã»ã¨ã‚“ã©ãŒopensnoop_bpfæ§‹é€ ä½“ã¸ã®å‚ç…§ã«ãªã£ã¦ã„ã¾ã™ãŒã€ ã“ã‚Œã¯ä»¥é™ã®å·¥ç¨‹ã§libbpfã®å‡¦ç†ã«å…¥ã£ã¦ã„ããŸã‚ã€opensnoop_bpfæ§‹é€ ä½“ã¨ã„ã†opensnoopã«ç‰¹åŒ–ã—ãŸæ§‹é€ 体ã‹ã‚‰bpf_object_skeletonæ§‹é€ ä½“ã¨ã„ã†æ±Žç”¨çš„ãªæ§‹é€ 体ã¸ãƒ‡ãƒ¼ã‚¿ã‚’関連付ã‘ã‚‹ãŸã‚ã§ã™ã€‚
bpf_object__open_skeletonã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚
6957 static struct bpf_object *bpf_object_open(const char *path, const void *obj_buf, size_t obj_buf_sz, 6958 const struct bpf_object_open_opts *opts) 6959 { ... 6997 obj = bpf_object__new(path, obj_buf, obj_buf_sz, obj_name); ... 7032 err = err ? : bpf_object__init_maps(obj, opts); 7033 err = err ? : bpf_object_init_progs(obj, opts); ... 7044 } ... 7087 struct bpf_object * 7088 bpf_object__open_mem(const void *obj_buf, size_t obj_buf_sz, 7089 const struct bpf_object_open_opts *opts) 7090 { ... 7094 return libbpf_ptr(bpf_object_open(NULL, obj_buf, obj_buf_sz, opts)); 7095 } ... 11643 int bpf_object__open_skeleton(struct bpf_object_skeleton *s, 11644 const struct bpf_object_open_opts *opts) 11645 { ... 11664 obj = bpf_object__open_mem(s->data, s->data_sz, &skel_opts); ... 11672 *s->obj = obj; ... 11699 } ...
libbpfã®ä¸ã¯ã‚³ãƒ¼ãƒ‰é‡ãŒå¤šã„ãŸã‚ã€è§£èª¬ã‚’è¡Œã‚ãªã„箇所ã¯å¤§èƒ†ã«å‰²æ„›ã—ã¦ã„ã¾ã™ã€‚
bpf_object__open_skeletonã¯ã€
bpf_object__open_mem→bpf_object_openを呼ã³bpf_objectæ§‹é€ ä½“ã‚’ä½œæˆã—ã¾ã™ã€‚
bpf_objectæ§‹é€ ä½“ã¯ã€æœ€çµ‚çš„ã«ã¯bpfシステムコールを呼ã¶ã¨ãã«ã‚«ãƒ¼ãƒãƒ«ã«æ¸¡ã™å¼•æ•°ã‚’å«ã‚“ã§ã„ã‚‹é‡è¦ãªæ§‹é€ 体ã§ã™ã€‚
11672行目ã§ã€opensnoop_bpfæ§‹é€ ä½“ã‹ã‚‰å‚ç…§ã§ãるよã†ã«ã‚»ãƒƒãƒˆã•ã‚Œã¦ã„ã¾ã™ã€‚
6997行目ã®bpf_object__newã§ã¯bpf_objectæ§‹é€ ä½“ã‚’ã‚¢ãƒã‚±ãƒ¼ãƒˆã¨opensnoop.bpf.oã®ELFãƒã‚¤ãƒŠãƒªã®ãƒã‚¤ãƒˆåˆ—ã®å‚ç…§ã®ã‚»ãƒƒãƒˆãªã©ã‚’è¡Œã£ã¦ã„ã¾ã™ã€‚
6.4.1 bpf_object__init_maps
7032行目ã®bpf_object__init_mapsã§ã¯ã€mapã®åˆæœŸåŒ–ã®éŽç¨‹ã§BPFプãƒã‚°ãƒ©ãƒ 内ã®SEC(".maps")を使ã£ã¦å®£è¨€ã—ãŸå¤‰æ•°ã«å¯¾ã™ã‚‹å‡¦ç†ã‚’以下ã®æµã‚Œã§è¡Œã£ã¦ã„ã¾ã™ã€‚
bpf_object__init_maps→bpf_object__init_user_btf_maps→bpf_object__init_user_btf_map→parse_btf_map_def
最終的ã«ã¯ã€BPFプãƒã‚°ãƒ©ãƒ 内ã§å®£è¨€ã—ãŸstartã‚„eventsã¯ã€bpf_objectæ§‹é€ ä½“ã®mapsé…列ã«æ ¼ç´ã•ã‚Œã€å¾Œå·¥ç¨‹ã§bpfシステムコールを呼んã§mapを作æˆã™ã‚‹éš›ã«ä½¿ã‚ã‚Œã¾ã™ã€‚
ã¾ãŸã€ä»¥ä¸‹ã®æµã‚Œã§BPFプãƒã‚°ãƒ©ãƒ 内ã§const付ãã§å®£è¨€ã—ã¦ã„ãŸã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã«é–¢ã™ã‚‹å‡¦ç†ã‚‚è¡Œã£ã¦ã„ã¾ã™ã€‚
bpf_object__init_maps→bpf_object__init_global_data_maps→bpf_object__init_internal_map
BPFプãƒã‚°ãƒ©ãƒ 内ã§ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã«ä»£å…¥ã—ã¦ã„ãŸåˆæœŸå€¤ã¯ã€1579行目ã§mmapシステムコールã§ç¢ºä¿ã—ãŸé ˜åŸŸã«ã‚³ãƒ”ーã•ã‚Œã¦ã„ã¾ã™ã€‚
6.4.2 bpf_object_init_progs
6931行目ã§ã‚«ãƒ¼ãƒãƒ«ã«ãƒãƒ¼ãƒ‰ã™ã‚‹ãƒ—ãƒã‚°ãƒ©ãƒ ã®ãƒ—ãƒã‚°ãƒ©ãƒ タイプをセットã—ã¦ã„ã¾ã™ã€‚
å‰è¿°ã®é€šã‚Šã€opensnoopã¯ã€ŒBPF_PROG_TYPE_TRACEPOINTã€ã‚’セットã™ã‚‹ã‚ã‘ã§ã™ãŒã€
ã“ã‚Œã¯å®Ÿã¯BPFプãƒã‚°ãƒ©ãƒ 内ã«ã‚ã‚‹SEC("tracepoint/syscalls/sys_enter_open")ã¨ã„ã†æŒ‡å®šæ–¹æ³•ãŒé–¢ä¿‚ã—ã¦ã„ã¾ã™ã€‚
6923行目ã®find_sec_defã§ã¯ã€ä»¥ä¸‹ã®section_defsテーブルを探索ã—セクションåãŒsection_defsテーブルã«æŒ‡å®šã—ãŸæ–‡å—列リテラルã¨ä¸€è‡´ã™ã‚‹ã‚ªãƒ–ジェクトを探索ã—ã¦ã„ã¾ã™ã€‚ ãã®çµæžœã€ä»¥ä¸‹ã®ãƒ†ãƒ¼ãƒ–ルã®8585行目ã«ä¸€è‡´ã—ã€prog->sec_def->prog_typeãŒã€ŒBPF_PROG_TYPE_TRACEPOINTã€ã«ãªã‚‹ã¨ã„ã†ã‚ã‘ã§ã™ã€‚
8558 #define SEC_DEF(sec_pfx, ptype, atype, flags, ...) { \ 8559 .sec = sec_pfx, \ 8560 .prog_type = BPF_PROG_TYPE_##ptype, \ 8561 .expected_attach_type = atype, \ 8562 .cookie = (long)(flags), \ 8563 .preload_fn = libbpf_preload_prog, \ 8564 __VA_ARGS__ \ 8565 } ... 8574 static const struct bpf_sec_def section_defs[] = { 8575 SEC_DEF("socket", SOCKET_FILTER, 0, SEC_NONE | SEC_SLOPPY_PFX), ... 8578 SEC_DEF("kprobe/", KPROBE, 0, SEC_NONE, attach_kprobe), 8579 SEC_DEF("uprobe/", KPROBE, 0, SEC_NONE), 8580 SEC_DEF("kretprobe/", KPROBE, 0, SEC_NONE, attach_kprobe), 8581 SEC_DEF("uretprobe/", KPROBE, 0, SEC_NONE), ... 8585 SEC_DEF("tracepoint/", TRACEPOINT, 0, SEC_NONE, attach_tp), 8586 SEC_DEF("tp/", TRACEPOINT, 0, SEC_NONE, attach_tp), ...
6.5 241-245行目
ユーザãŒå¼•æ•°ã§æŒ‡å®šã—ãŸãƒ•ã‚£ãƒ«ã‚¿ã®ã‚ªãƒ—ション値を代入ã—ã¦ã„ã¾ã™ã€‚
BPFプãƒã‚°ãƒ©ãƒ 内ã§targ_tgidã‚„targ_pidãªã©ã‚’å‚ç…§ã—ã¦ã„ã¾ã™ãŒã€æœ€çµ‚çš„ã«ã¯ã“ã“ã§è¨å®šã—ãŸå€¤ã‚’å‚ç…§ã—ã¦ã„ã¾ã™ã€‚
BPFプãƒã‚°ãƒ©ãƒ ã®ã‚³ãƒ³ãƒ‘イルå˜ä½ã§ã¯ã€const付ãã§å®£è¨€ã—ã¦ã„ãŸã®ã§å¤‰æ›´ä¸å¯ã§ã™ãŒ
obj->rodataã§å‚ç…§ã™ã‚‹ã®ã¯ã€bpf_object__init_internal_map内ã§mmapãŒç¢ºä¿ã—ãŸé ˜åŸŸã«ãªã£ã¦ã„ã‚‹ãŸã‚ã€å¤‰æ›´ãŒã§ãã‚‹ã¨ã„ã†ã‚ã‘ã§ã™ã€‚
ãŸã ã‚°ãƒãƒ¼ãƒãƒ«å¤‰æ•°ã®å¤‰æ›´ãŒæœ‰åŠ¹ãªã®ã¯opensnoop_bpf__open後ã€opensnoop_bpf__loadå‰ã®åŒºé–“ã ã‘ã«ãªã‚Šã¾ã™ã€‚
opensnoop_bpf__load以é™ã¯ã€BPFプãƒã‚°ãƒ©ãƒ ã¯ã‚«ãƒ¼ãƒãƒ«ã«ãƒãƒ¼ãƒ‰ã•ã‚Œã‚‹ãŸã‚ã€BPFプãƒã‚°ãƒ©ãƒ 内ã§å‚ç…§ã—ã¦ã„る変数ã®å¤‰æ›´ãŒã§ããªã„ãŸã‚ã§ã™ã€‚
6.6 opensnoop_bpf__load
opensnoop_bpf__loadã¯ã€ã‚¹ã‚±ãƒ«ãƒˆãƒ³ãƒ˜ãƒƒãƒ€ãƒ•ã‚¡ã‚¤ãƒ«ã®ä¸ã«å‡¦ç†ãŒã‚ã‚Šã¾ã™ãŒã€
ã‚„ã£ã¦ã„ã‚‹ã“ã¨ã¯ä»¥ä¸‹ã®ã‚ˆã†ã«libbpfã®bpf_object__load_skeletonを呼ã¶ã ã‘ã§ã™ã€‚
86 static inline int 87 opensnoop_bpf__load(struct opensnoop_bpf *obj) 88 { 89 return bpf_object__load_skeleton(obj->skeleton); 90 }
bpf_object__load_skeleton㯠bpf_object__load→bpf_object_loadを呼ã³ã¾ã™ã€‚
7464 static int bpf_object_load(struct bpf_object *obj, int extra_log_level, const char *target_btf_path) 7465 { ... 7485 err = err ? : bpf_object__create_maps(obj); ... 7487 err = err ? : bpf_object__load_progs(obj, extra_log_level); ... 7530 }
6.6.1 bpf_object__create_maps
bpf_object_loadã§ã¯ã€7485行目ã§bpfシステムコールを使ã£ã¦mapを作æˆã—ã¦ã„ã¾ã™ã€‚
bpf_object__create_maps→bpf_object__create_map→bpf_map_create→sys_bpf_fd→sys_bpf
ã¨ã„ã†æµã‚Œã§å‡¦ç†ã•ã‚Œã€æœ€çµ‚çš„ã«ã¯bpfシステムコールをcmd=BPF_MAP_CREATEã§å‘¼ã³å‡ºã™ã“ã¨ã§ã€mapを作æˆã—ã¦ã„ã¾ã™ã€‚
ã¡ãªã¿ã«rodataセクションã«é…ç½®ã•ã‚ŒãŸmapã«ã¤ã„ã¦ã¯ã€
ã“ã“ã§bpf_object__populate_internal_mapを呼ã³å‡ºã—ã€BPF_MAP_FREEZEã§bpfシステムコールを呼ã³å‡ºã™ã“ã¨ã§ã€read onlyã«ã—ã¦ã„ã¾ã™ã€‚
6.6.2 bpf_object__load_progs
bpf_object__load_progsã§ã¯ã€tracepoint__syscalls__sys_enter_openãªã©ã®BPFプãƒã‚°ãƒ©ãƒ ã®ãƒã‚¸ãƒƒã‚¯éƒ¨åˆ†ã‚’カーãƒãƒ«ã«ãƒãƒ¼ãƒ‰ã—ã¾ã™ã€‚
bpf_object__load_progs→bpf_object_load_prog→bpf_object_load_prog_instance→bpf_prog_load→sys_bpf_prog_load
ã®æµã‚Œã§å‡¦ç†ã•ã‚Œã€æœ€çµ‚çš„ã«ã¯bpfシステムコールをcmd=BPF_PROG_LOADã§å‘¼ã³å‡ºã™ã“ã¨ã§ã€ãƒ—ãƒã‚°ãƒ©ãƒ 部分をカーãƒãƒ«ã«ãƒãƒ¼ãƒ‰ã—ã¦ã„ã¾ã™ã€‚
6.7 opensnoop_bpf__attach
opensnoop_bpf__loadã§bpfシステムコールを呼ã³å‡ºã—ã€Verifierã§æ¤œè¨¼ã•ã‚ŒãŸå¾Œã§JITコンパイルãŒè¡Œã‚ã‚Œãƒã‚¤ãƒ†ã‚£ãƒ–コードã«ãªã‚Šã‚«ãƒ¼ãƒãƒ«ã®ãƒãƒ¼ãƒ‰ãŒå®Œäº†ã—ã¾ã™ã€‚
イベント発生時ã«BPFプãƒã‚°ãƒ©ãƒ を動作ã•ã›ã‚‹ã«ã¯ã€ãƒãƒ¼ãƒ‰ã—ãŸBPFプãƒã‚°ãƒ©ãƒ をフックãƒã‚¤ãƒ³ãƒˆã«ã‚¢ã‚¿ãƒƒãƒã™ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
ã“れを行ã†ã®ãŒopensnoop_bpf__attachã§ã™ã€‚
opensnoop_bpf__attachã®ã‚³ãƒ¼ãƒ‰ã¯ã€ã‚¹ã‚±ãƒ«ãƒˆãƒ³ãƒ˜ãƒƒãƒ€ã«å˜åœ¨ã—ã€ä»¥ä¸‹ã®ã‚ˆã†ã«libbpfã®bpf_object__attach_skeletonを呼ã¶ã ã‘ã§ã™ã€‚
110 static inline int 111 opensnoop_bpf__attach(struct opensnoop_bpf *obj) 112 { 113 return bpf_object__attach_skeleton(obj->skeleton); 114 }
bpf_object__attach_skeletonã¯ã‚«ãƒ¼ãƒãƒ«ã«ãƒãƒ¼ãƒ‰ã—ãŸå€‹ã€…ã®BPFプãƒã‚°ãƒ©ãƒ ã«ã¤ã„ã¦ã€bpf_program__attachを呼ã³ã¾ã™ã€‚
attach_fnã¯ã€ã“ã“ã§å®£è¨€ã•ã‚Œã¦ãŠã‚Šã€BPFプãƒã‚°ãƒ©ãƒ ã‚’ã©ã“ã®ã‚»ã‚¯ã‚·ãƒ§ãƒ³ã«é…ç½®ã—ãŸã‹ã§å¤‰ã‚ã‚Šã¾ã™ã€‚
tracepointセクションã«é…ç½®ã•ã‚ŒãŸå ´åˆã«å‘¼ã°ã‚Œã‚‹attach_tpã¯ã€å†…部ã§
bpf_program__attach_tracepoint→bpf_program__attach_tracepoint_optsã¨å‡¦ç†ãŒé€²ã‚られã¾ã™ã€‚
bpf_program__attach_tracepoint_optsãŒã‚¢ã‚¿ãƒƒãƒå‡¦ç†ã®ãƒ¡ã‚¤ãƒ³éƒ¨åˆ†ã«ãªã£ã¦ã„ã¦ã€ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚
10318 struct bpf_link *bpf_program__attach_tracepoint_opts(const struct bpf_program *prog, 10319 const char *tp_category, 10320 const char *tp_name, 10321 const struct bpf_tracepoint_opts *opts) 10322 { ... 10333 pfd = perf_event_open_tracepoint(tp_category, tp_name); ... 10340 link = bpf_program__attach_perf_event_opts(prog, pfd, &pe_opts); ... 10350 }
perf_event_open_tracepointã§perf_event_openシステムコールを呼ã³å‡ºã—ã€PERF_TYPE_TRACEPOINTã«å¯¾å¿œã—ãŸãƒ•ã‚¡ã‚¤ãƒ«ãƒ‡ã‚£ã‚¹ã‚¯ãƒªãƒ—タを作æˆã—ã¾ã™ã€‚
perfã¨ã¯ã€Linuxã«ãŠã‘るパフォーマンスモニタリングを行ã†ãŸã‚ã®ä»•çµ„ã¿ã§ã™ã€‚
CPUã®ã‚«ã‚¦ãƒ³ã‚¿å€¤ã‚’å–å¾—ã™ã‚‹éš›ãªã©ã«ä½¿ç”¨ã™ã‚‹perfコマンドã¯ã€å†…部ã§perf_event_openシステムコールを呼ã³å‡ºã—ã¦ã„るよã†ã§ã™ã€‚
上記ã®é€šã‚Šã€BPFã§tracepointã«ã‚¢ã‚¿ãƒƒãƒã™ã‚‹å ´åˆã ã¨ã€perfã®ä»•çµ„ã¿ã‚’利用ã—ã¦ã„ã¾ã™ãŒã€
例ãˆã°BPFプãƒã‚°ãƒ©ãƒ 内ã®SEC()ã§"kprobe/"ã®ã‚ˆã†ã«æŒ‡å®šã—ãŸå ´åˆã¯ã€kprobeã®ä»•çµ„ã¿ã‚’利用ã—ã¾ã™ã€‚
libbpf-toolsã ã¨ã€ä¾‹ãˆã°bindsnoopãªã©ãŒkprobeã®ä»•çµ„ã¿ã‚’使用ã—ã¦ã„ã¾ã™ã€‚
bpf_program__attach_perf_event_opts→bpf_link_createã¨å‡¦ç†ãŒè¡Œã‚ã‚Œã€æœ€çµ‚çš„ã«ã¯bpfシステムコールをcmd=BPF_LINK_CREATEã§å‘¼ã³å‡ºã—ã¦ã‚¢ã‚¿ãƒƒãƒã—ã¦ã„ã¾ã™ã€‚ ãŸã ã—ã€ã‚«ãƒ¼ãƒãƒ«å´ãŒBPF_LINK_CREATEã«å¯¾å¿œã—ã¦ã„ãªã„å ´åˆã¯ã€ioctl(PERF_EVENT_IOC_SET_BPF)ã§ã‚¢ã‚¿ãƒƒãƒã™ã‚‹ã‚ˆã†ã§ã™ã€‚ ãã®å¾Œã€ioctl(PERF_EVENT_IOC_ENABLE)ã§perfイベントを有効ã™ã‚‹ã“ã¨ã§ã€perfイベントãŒç™ºç”Ÿã—ãŸã¨ãã«BPFプãƒã‚°ãƒ©ãƒ ãŒå®Ÿè¡Œã•ã‚Œã‚‹ã‚ˆã†ã«ã—ã¦ã„ã¾ã™ã€‚
6.8 279-308行目
アタッãƒãŒå®Œäº†ã™ã‚Œã°ã€ã‚ã¨ã¯BPFプãƒã‚°ãƒ©ãƒ ãŒmapã«å‡ºåŠ›ã™ã‚‹å†…容をBPFアプリケーションå´ã§èªã¿å–ã£ã¦å‡ºåŠ›ã™ã‚‹ã ã‘ã§ã™ã€‚
perf_buffer__newã¨perf_buffer__pollã¯ã€ã¾ã•ã«ãれを行ã£ã¦ãŠã‚Šã€
perf_buffer__newã§ãƒãƒ¼ãƒªãƒ³ã‚°ã™ã‚‹mapã¨ã‚¤ãƒ™ãƒ³ãƒˆãŒç™ºç”Ÿã—ãŸã¨ãã«å‘¼ã³å‡ºã•ã‚Œã‚‹ãƒãƒ³ãƒ‰ãƒ©ï¼ˆhandle_event)をセットã—ã€
終了æ¡ä»¶ã‚’満ãŸã™ã¾ã§perf_buffer__pollã§ã‚¤ãƒ™ãƒ³ãƒˆï¼ˆmapã¸ã®æ›¸ãè¾¼ã¿ï¼‰ã‚’å¾…ã£ã¦ã„ã¾ã™ã€‚
ç”»é¢å‡ºåŠ›éƒ¨åˆ†ã¯ã€ç·ã˜ã¦é›£ã—ã„ã“ã¨ã¯è¡Œã£ã¦ã„ãªã„ã®ã§å‰²æ„›ã—ã¾ã™ã€‚
ã¾ãŸä½™è«‡ã§ã™ãŒã€ç¾åœ¨ã§ã¯opensnoopã§ä½¿ç”¨ã—ã¦ã„ã‚‹perf_bufferを使ã£ãŸã‚„り方よりもã€ringbufを使ã†æ–¹ãŒã„ã„ã¿ãŸã„ã§ã™ã€‚本記事ã¯opensnoopã®è§£èª¬ãŒãƒ†ãƒ¼ãƒžãªã®ã§ringbufã¯è¿½åŠã—ã¾ã›ã‚“。
ã•ã¦ã€perf_buffer__newã¯é–¢æ•°ãƒžã‚¯ãƒã«ãªã£ã¦ãŠã‚Šã€å®Ÿéš›ã«ã¯perf_buffer__new_v0_6_0ãŒå‘¼ã°ã‚Œã€ãã“ã‹ã‚‰ãƒ¡ã‚¤ãƒ³å‡¦ç†ã§ã‚ã‚‹
__perf_buffer__newãŒå‘¼ã°ã‚Œã¾ã™ã€‚
__perf_buffer__newã§ã¯ã€cpu*ã¨ã„ã†å¤‰æ•°åãŒã‚ã‚Šã¾ã™ãŒã€ã“ã‚Œã¯perf_bufferãŒCPUã”ã¨ã«æŒã¤ãƒãƒƒãƒ•ã‚¡ã®ãŸã‚ã§ã™ã€‚
__perf_buffer__newã¯ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã£ã¦ã„ã¾ã™ã€‚
10945 static struct perf_buffer *__perf_buffer__new(int map_fd, size_t page_cnt, 10946 struct perf_buffer_params *p) 10947 { ... 10965 err = bpf_obj_get_info_by_fd(map_fd, &map, &map_info_len); ... 10991 pb->sample_cb = p->sample_cb; ... 10999 pb->epoll_fd = epoll_create1(EPOLL_CLOEXEC); ... 11038 for (i = 0, j = 0; i < pb->cpu_cnt; i++) { ... 11050 11051 cpu_buf = perf_buffer__open_cpu_buf(pb, p->attr, cpu, map_key); ... 11059 err = bpf_map_update_elem(pb->map_fd, &map_key, 11060 &cpu_buf->fd, 0); ... 11068 11069 pb->events[j].events = EPOLLIN; 11070 pb->events[j].data.ptr = cpu_buf; 11071 if (epoll_ctl(pb->epoll_fd, EPOLL_CTL_ADD, cpu_buf->fd, 11072 &pb->events[j]) < 0) { ... 11078 } ... 11080 } ... 11091 }
10965行目ã§ã‚«ãƒ¼ãƒãƒ«å†…ã«ä½œæˆã—ãŸmapã®ãƒ•ã‚¡ã‚¤ãƒ«ãƒ‡ã‚£ã‚¹ã‚¯ãƒªãƒ—ã‚¿ã‚’å–å¾—ã—ã¦ã„ã¾ã™ã€‚
ã“ã®mapã¯BPFプãƒã‚°ãƒ©ãƒ ã§eventsã¨ã—ã¦å®£è¨€ã—ã¦ã„ãŸã‚‚ã®ã§ã™ã€‚
ãã®å¾Œã€pb(perf_bufferæ§‹é€ ä½“ï¼‰ã‚’ã‚¢ãƒã‚±ãƒ¼ãƒˆã—ã€10991行目ã§p->sample_cbを代入ã—ã¦ã„ã¾ã™ãŒã€
ã“ã®sample_cbãŒopensnoop.cã‹ã‚‰æ¸¡ã•ã‚Œã‚‹handle_eventã«ãªã‚Šã¾ã™ã€‚
10999行目ã§epollã®ãƒ•ã‚¡ã‚¤ãƒ«ãƒ‡ã‚£ã‚¹ã‚¯ãƒªãƒ—タを作æˆã—ã¦ã„ã¾ã™ãŒã€ã“ã®ãƒ•ã‚¡ã‚¤ãƒ«ãƒ‡ã‚£ã‚¹ã‚¯ãƒªãƒ—ã‚¿ãŒå¾Œã§perf_buffer__pollã™ã‚‹ã¨ãã«ã‚¤ãƒ™ãƒ³ãƒˆå¾…ã¡ã«ä½¿ã‚れるもã®ã§ã™ã€‚
11051行目ã§perf_buffer__open_cpu_bufを呼ã³ã€CPU数分ãƒãƒƒãƒ•ã‚¡ã®ä½œæˆã¨perf_event_openシステムコールã®å‘¼ã³å‡ºã—ãªã©ã‚’è¡Œã£ã¦ã„ã¾ã™ã€‚
perf_buffer__open_cpu_bufã§ã‚„ã£ã¦ã„ã‚‹ã“ã¨ã¯ã€BPFプãƒã‚°ãƒ©ãƒ å´ã§å‘¼ã‚“ã§ã„ã‚‹bpf_perf_event_outputを使ã†ãŸã‚ã«å¿…è¦ãªã“ã¨ã®ã‚ˆã†ã§ã™ã€‚
bpf_perf_event_outputã®ãƒžãƒ‹ãƒ¥ã‚¢ãƒ«ã«ãƒ¦ãƒ¼ã‚¶ç©ºé–“ã§èªã¿ã ã™ãŸã‚ã«ã¯ã©ã®ã‚ˆã†ãªæ‰‹ç¶šããŒå¿…è¦ã‹ã®è¨˜è¼‰ãŒã‚ã‚Šã¾ã™ã€‚
11059行目ã§eventsã¨CPUã”ã¨ã®ãƒãƒƒãƒ•ã‚¡ã‚’ç´ã¥ã‘ã¦ã„ã¾ã™ã€‚keyã¯ã€ãƒ«ãƒ¼ãƒ—ã®ã‚¤ãƒ³ãƒ‡ãƒƒã‚¯ã‚¹ï¼ˆi)ã§ã™ã€‚
11071行目ã§epoll_ctlを呼ã³ã€CPUã”ã¨ã®ãƒãƒƒãƒ•ã‚¡ã‚’epollã®ç›£è¦–対象ã«ã—ã¾ã™ã€‚
次ã«perf_buffer__pollã§ã™ãŒã€ä»¥ä¸‹ã®ã‚ˆã†ãªã‚³ãƒ¼ãƒ‰ã«ãªã£ã¦ã„ã¾ã™ã€‚
11106 static enum bpf_perf_event_ret 11107 perf_buffer__process_record(struct perf_event_header *e, void *ctx) 11108 { 11109 struct perf_cpu_buf *cpu_buf = ctx; 11110 struct perf_buffer *pb = cpu_buf->pb; 11111 void *data = e; ... 11117 switch (e->type) { 11118 case PERF_RECORD_SAMPLE: { 11119 struct perf_sample_raw *s = data; 11120 11121 if (pb->sample_cb) 11122 pb->sample_cb(pb->ctx, cpu_buf->cpu, s->data, s->size); 11123 break; 11124 } ... 11135 } 11136 return LIBBPF_PERF_EVENT_CONT; 11137 } ... 11139 static int perf_buffer__process_records(struct perf_buffer *pb, 11140 struct perf_cpu_buf *cpu_buf) 11141 { ... 11144 ret = perf_event_read_simple(cpu_buf->base, pb->mmap_size, 11145 pb->page_size, &cpu_buf->buf, 11146 &cpu_buf->buf_size, 11147 perf_buffer__process_record, cpu_buf); ... 11151 } ... 11158 int perf_buffer__poll(struct perf_buffer *pb, int timeout_ms) 11159 { ... 11162 cnt = epoll_wait(pb->epoll_fd, pb->events, pb->cpu_cnt, timeout_ms); ... 11165 11166 for (i = 0; i < cnt; i++) { 11167 struct perf_cpu_buf *cpu_buf = pb->events[i].data.ptr; 11168 11169 err = perf_buffer__process_records(pb, cpu_buf); ... 11174 } ... 11176 }
11162行目ã§epoll_waitã§CPUã”ã¨ã®ãƒãƒƒãƒ•ã‚¡ãŒèªã¿å‡ºã—å¯èƒ½ã«ãªã‚‹ã‹ã‚¿ã‚¤ãƒ アウト(100ミリ秒)ã«ãªã‚‹ã¾ã§ãƒ–ãƒãƒƒã‚¯ã—ã¾ã™ã€‚
ãƒãƒƒãƒ•ã‚¡ã«æ›¸ãè¾¼ã¿ãŒç™ºç”Ÿã—ãŸã‚‰ã€11167行目ã§ãƒãƒƒãƒ•ã‚¡ã¸ã®ãƒã‚¤ãƒ³ã‚¿ã‚’å–り出ã—ã¦perf_buffer__process_recordsを呼ã³å‡ºã—ã¾ã™ã€‚
__perf_buffer__newã§ä½œæˆã—ãŸãƒãƒƒãƒ•ã‚¡ã¯ã€ãƒªãƒ³ã‚°ãƒãƒƒãƒ•ã‚¡ã¨ã—ã¦ä½¿ç”¨ã•ã‚Œã¦ãŠã‚Šã€perf_event_read_simpleã§ã¯ã€å®Ÿéš›ã«ãƒãƒƒãƒ•ã‚¡ã«æ›¸ãè¾¼ã¾ã‚ŒãŸãƒ‡ãƒ¼ã‚¿ã‚’å–り出ã—ã€
perf_buffer__process_recordã«æ¸¡ã—ã¾ã™ã€‚
最終的ã«ã¯ã€ã“ã¡ã‚‰ã§å‘¼ã°ã‚Œã‚‹sample_cbã®å‘¼ã³å‡ºã—ãŒã€opensnoop.cã§æ¸¡ã—ãŸhandle_eventã«ãªã£ã¦ãŠã‚Šã€BPFプãƒã‚°ãƒ©ãƒ ã‹ã‚‰æ¸¡ã•ã‚ŒãŸãƒ‡ãƒ¼ã‚¿ã®å‡ºåŠ›ãŒè¡Œã‚ã‚Œã¾ã™ã€‚
7. ãŠã‚ã‚Šã«
BPFã¯ã€ãƒ„ールもå«ã‚ã¾ã ã¾ã 絶賛開発ä¸ã®æŠ€è¡“ã§ã™ã€‚
昨年ã¯ã€Windowsã§BPFをサãƒãƒ¼ãƒˆã™ã‚‹ã“ã¨ã‚’マイクãƒã‚½ãƒ•ãƒˆãŒç™ºè¡¨ã™ã‚‹ãªã©Linux以外ã®OSã§ã‚‚BPFã®ä»•çµ„ã¿ã¯åºƒãŒã‚Šã¤ã¤ã‚ã‚Šã¾ã™ã€‚
ã¡ãªã¿ã«BPFãŒã©ã®ã‚ˆã†ãªæ–¹å‘ã«é€²ã‚“ã§ã„ã£ã¦ã„ã‚‹ã®ã‹ã¯ã€
Linux Kernel Developers' bpfconf 2022ã®è³‡æ–™ãŒå‚考ã«ãªã‚‹ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。
8. å‚考文献
Liz Rice. What is eBPF? . O'Reilly Media, Inc, April 2022,
*1:2022å¹´8月11æ—¥ã«v0.25.0ãŒãƒªãƒªãƒ¼ã‚¹ã•ã‚Œã¾ã—ãŸãŒã€æœ¬è¨˜äº‹ã§ã¯åŸ·ç†æ™‚点ã§æœ€æ–°ã ã£ãŸv0.24.0を対象ã«ã—ã¦ã„ã¾ã™
