Upgrade to Pro — share decks privately, control downloads, hide ads and more …

LTTng's trace filtering and beyond - A unified ...

Suchakra Sharma
August 20, 2015
Technology
0
260

LTTng's trace filtering and beyond - A unified approach and eBPF's role

Embedded and distributed systems are getting increasingly complex and generate large number of high frequency events - both at userspace and kernel levels. Analysis of such huge trace data means that there would be a considerable amount of time spent in finding out what really interests users.

This talk discusses internals of LTTng's trace filtering and an experiment to see how eBPF as a runtime trace filtering system performs.

Venue : TracingSummit 2015, LinuxCon Seattle

Suchakra Sharma

August 20, 2015
Tweet

More Decks by Suchakra Sharma

See All by Suchakra Sharma
Configuration Driven Event Tracing with Traceleft and eBPF
tuxology
0
230
Visual Tooling for Advanced Systems Analysis
tuxology
5
820
Fixing Hardware Trace Reconstruction Issues for Runtime Code
tuxology
0
280
Instrumentation and Tracing of Systems
tuxology
0
1.6k
The BSD Packet Filter
tuxology
9
150k
Trace Aggregation and Collection with eBPF
tuxology
0
410
Low Level Tracing for Latency Analysis
tuxology
1
330
Kernel and Userspace Tracing with LTTng and Friends
tuxology
0
200

Other Decks in Technology

See All in Technology
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
430
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
220
スクラムチームを立ち上げる〜チーム開発で得られたもの・得られなかったもの〜
ohnoeight
2
350
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
300
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
Adopting Jetpack Compose in Your Existing Project - GDG DevFest Bangkok 2024
akexorcist
0
100
Can We Measure Developer Productivity?
ewolff
1
150
B2B SaaSから見た最近のC#/.NETの進化
sansantech
PRO
0
740
テストコード品質を高めるためにMutation Testingライブラリ・Strykerを実戦導入してみた話
ysknsid25
7
2.6k
Engineer Career Talk
lycorp_recruit_jp
0
140

Featured

See All Featured
Adopting Sorbet at Scale
ufuk
73
9.1k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
YesSQL, Process and Tooling at Scale
rocio
169
14k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
89
It's Worth the Effort
3n
183
27k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Navigating Team Friction
lara
183
14k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
KATA
mclloyd
29
14k

Transcript

  1. LTTng's Trace Filtering and beyond (with some eBPF goodness, of

    course!) Suchakrapani Datt Sharma Aug 20, 2015 École Polytechnique de Montréal Laboratoire DORSAL

  2. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma whoami Suchakra • PhD

    student, Computer Engineering (Prof Michel Dagenais) DORSAL Lab, École Polytechnique de Montréal – UdeM • Works on debugging, tracing and trace analysis (LTTng), bytecode interpreters, JIT compilation, dynamic instrumentation • Loves poutine

  3. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Agenda LTTng's Trace Filter

    • Filtering primer • LTTng's trace filters eBPF • Mechanism, current status • BCC • A small eBPF trial with LTTng • Filtering performance with experimental userspace eBPF Beyond • KeBPF/UeBPF?

  4. Filters POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  5. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma filter

  6. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma filter

  7. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma filter

  8. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  9. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Predicates Packets

  10. Filters POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Evaluating

  11. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  12. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Foo

    Evaluator Take whole string expression and start parsing and evaluating by hand

  13. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Foo Evaluator Take whole

    string expression and start parsing and evaluating by hand TRUE / FALSE 42 billion runs

  14. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode Bar Interpreter Bytecode

  15. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode Bar Interpreter Bytecode

  16. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode Bar Interpreter Bytecode

  17. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode Bar Interpreter Bytecode

  18. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode JIT Compiler Bytecode → Native Code Native Code (x86/ARM)

  19. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode JIT Compiler Bytecode → Native Code Native Code (x86/ARM)

  20. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Why do we need

    these blazingly FAST filters?

  21. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Network • Sustain network

    throughput • Effect is visible on embedded devices which work uninterrupted Tracing • Filtering huge event flood at runtime reliably • High frequency events long-running trace events in production systems with limited resources to defer analysis

  22. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma ?

  23. LTTng's Trace Filtering POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  24. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Instrumented Userspace Application

    UST listener thread LTTng Session Daemon LTTng Consumer Daemon SHM CTF Trace

  25. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Instrumented Userspace Application

    UST listener thread LTTng Session Daemon LTTng Consumer Daemon Register Event Setup Event Consumption SHM Ring buffer CTF Trace

  26. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Instrumented Userspace Application

    UST listener thread LTTng Session Daemon LTTng Consumer Daemon SHM CTF Trace

  27. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Instrumented Userspace Application

    UST listener thread LTTng Session Daemon

  28. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Filtering Instrumented Userspace

    Application LTTng Session Daemon New Event

  29. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Filtering Instrumented Userspace

    Application LTTng Session Daemon Check for Filter Parse → AST → IR Generate Bytecode New Event User sets filter Basic IR Validation

  30. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Filtering Instrumented Userspace

    Application LTTng Session Daemon Check for Filter Parse → AST → IR Generate Bytecode Send Bytecode Validate → Link → Interpret New Event Filtered Events User sets filter interpret for every event Basic IR Validation

  31. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng's Trace Filtering A

    filtered session $ lttng create mysession $ lttng enable-event --filter '(foo == 42) && (bar == "baz")' -a -u Filter '(foo == 42) && (bar == "baz")' successfully set $ lttng start <do some science> $ lttng stop $ lttng view

  32. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng's Trace Filtering A

    filtered session $ lttng create mysession $ lttng enable-event --filter '(foo == 42) && (bar == "baz")' -a -u Filter '(foo == 42) && (bar == "baz")' successfully set $ lttng start <do some science> $ lttng stop $ lttng view

  33. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Generating Bytecode

  34. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Generation generate_filter()

    • Flex-Bison generated lexer-parser • Custom tokens and grammar ctx = filter_parser_ctx_alloc(fmem); • Allocate/initialize parser, AST, create root node filter_parser_ctx_append_ast(ctx); filter_visitor_set_parent(ctx); • Run yyparse(), yylex() • Generate syntax tree

  35. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Generation Syntax

    Tree op(&&) op(==) op(==) id(foo) c(42) id(bar) str(“bar”) Predicates

  36. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Generation filter_visitor_ir_generate(ctx);

    • Hand written IR generator • Go through each node recursively, classify them • No binary arithmetic supported for now. Only logic and comparisons filter_visitor_ir_check_binary_op_nesting(ctx); filter_visitor_ir_validate_string(ctx); • Basic IR Validation • Except logical operators, operator nesting not allowed • Validate string as literal part – No wildcard in between strings, no unsupported characters

  37. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Generation filter_visitor_bytecode_generate(ctx);

    • Traverse tree post-order • Based on node type, start emitting instructions • Save the bytecode in ctx • Add symbol table data to bytecode. • We are done, lets send it to lttng-sessiond!

  38. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Interpreting Bytecode

  39. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Interpretation lttng_filter_event_link_bytecode()

    • Link bytecode to the event and create bytecode runtime • Copy original bytecode to runtime • Apply field and context relocations lttng_filter_validate_bytecode(runtime); • Check unsupported bytecodes (eg. arithmetic) • Check range overflow for different insn classes • Validate current context and merge points for all insn lttng_filter_specialize_bytecode(runtime); • We know event field types now • Lets specialize operations based on that

  40. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Interpretation lttng_filter_interpret_bytecode()

    • Hybrid virtual machine • 2 registers (ax & bx) aliased to top of stack • Functions like register machine – flexible like stack • Threaded instruction dispatch/normal dispatch (fallback) ax bx . . . top top - 1 OP(FILTER_OP_NE_S64): { int res; res = (estack_bx_v != estack_ax_v); estack_pop(stack, top, ax, bx); estack_ax_v = res; next_pc += sizeof(struct binary_op); PO; } Stack

  41. eBPF Filters & More POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  42. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma eBPF Berkeley Packet Filter

    (BPF) • Filter expressions → Bytecode → Interpret • Fast, small, in-kernel packet & syscall filtering • Register based, switch-dispatch interpreter Current Status of BPF • Extensions for trace filtering (Kprobes!! Kprobes!!) • More than just filtering. JITed programs – FAST! • Evolved to extended BPF (eBPF) • BPF maps, bpf syscall – aggregation and userspace access • More registers (64 bit), back jumps, tail-calls, safety

  43. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session foo_kern.c

    Kernel Userspace

  44. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session foo_kern.c

    BPF LLVM backend foo_kern.bpf Kernel Userspace

  45. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session foo_kern.c

    BPF LLVM backend foo_kern.bpf foo_user.c foo_kern.bpf Load Kernel Userspace

  46. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session foo_kern.c

    BPF LLVM backend foo_kern.bpf foo_user.c foo_kern.bpf Load Bytecode Kernel Userspace

  47. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session eBPF

    foo_kern.c BPF LLVM backend foo_kern.bpf BPF Bytecode bpf() Syscalls foo_user.c foo_kern.bpf Load BPF Maps Bytecode Kernel Userspace

  48. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session eBPF

    foo_kern.c BPF LLVM backend foo_kern.bpf BPF Bytecode bpf() Syscalls foo_user.c foo_kern.bpf Load BPF Maps Bytecode void blk_start_request (struct request *req) { blk_dequeue_request(req); . . } block/blk-core.c Kprobe Kernel Userspace

  49. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session eBPF

    foo_kern.c BPF LLVM backend foo_kern.bpf BPF Bytecode bpf() Syscalls foo_user.c foo_kern.bpf Load BPF Maps Bytecode Read Maps void blk_start_request (struct request *req) { blk_dequeue_request(req); . . } block/blk-core.c Kprobe Kernel Userspace

  50. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Sample eBPF Filter eBPF

    Filter on LTTng Kernel Event eBPF Bytecode : static struct bpf_insn insn_prog[] = { BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 0), BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_2, 0), /* ctx->arg1 */ BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 8), /* ctx->arg2 */ BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_4, 3), /* compare arg1 & arg2 */ BPF_LD_IMM64(BPF_REG_0, 0), /* FALSE */ BPF_EXIT_INSN(), BPF_LD_IMM64(BPF_REG_0, 1), /* TRUE */ BPF_EXIT_INSN(), }; R2 = ctx R2 = ctx R3 = *(dev->name) R4 = 0x6f6c R3 = *(dev->name) R4 = 0x6f6c if ((dev->name[0] == “l”) && (dev->name[1] == “o”)) { trace_netif_receive_skb_filter(skb); }

  51. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Sample eBPF Filter eBPF

    JITed : One-to-one direct method JIT. eBPF is close to modern architectures 0: push %rbp 1: mov %rsp,%rbp 4: sub $0x228,%rsp b: mov %rbx,-0x228(%rbp) 12: mov %r13,-0x220(%rbp) 19: mov %r14,-0x218(%rbp) 20: mov %r15,-0x210(%rbp) 27: xor %eax,%eax 29: xor %r13,%r13 2c: mov 0x0(%rdi),%rsi 30: mov 0x0(%rsi),%rdx 34: mov 0x8(%rdi),%rcx 38: cmp %rcx,%rdx Clear A and X Clear A and X Compare R3, R4 Compare R3, R4 3b: je 0x0000000000000049 3d: movabs $0x0,%rax ;FALSE 47: jmp 0x0000000000000053 49: movabs $0x1,%rax ;TRUE 53: mov -0x228(%rbp),%rbx 5a: mov -0x220(%rbp),%r13 61: mov -0x218(%rbp),%r14 68: mov -0x210(%rbp),%r15 6f: leaveq 70: retq Make some space on stack Make some space on stack Save callee saved regs Save callee saved regs Restore regs Restore regs Jump to TRUE Jump to TRUE Load ctx args to R3 and R4 Load ctx args to R3 and R4

  52. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session eBPF

    foo_kern.c BPF LLVM backend foo_kern.bpf BPF Bytecode bpf() Syscalls foo_user.c foo_kern.bpf Load BPF Maps Bytecode Read Maps void blk_start_request (struct request *req) { blk_dequeue_request(req); . . } block/blk-core.c Kprobe Kernel Userspace

  53. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  54. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Yes, 'bcc' exists! https://github.com/iovisor/bcc

  55. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example bcc Session eBPF

    foo_kern.c BPF Bytecode bpf() Syscalls foo_user.py load_func() BPF Maps get_table() void blk_start_request (struct request *req) { blk_dequeue_request(req); . . } block/blk-core.c Kprobe Kernel Userspace attach_kprobe()

  56. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example bcc Session #include

    <uapi/linux/ptrace.h> #include <linux/sched.h> struct key_t { u32 prev_pid; u32 curr_pid; }; BPF_TABLE("hash", struct key_t, u64, stats, 1024); int count_sched(struct pt_regs *ctx, struct task_struct *prev) { struct key_t key = {}; u64 zero = 0, *val; key.curr_pid = bpf_get_current_pid_tgid(); key.prev_pid = prev->pid; val = stats.lookup_or_init(&key, &zero); (*val)++; return 0; } task_switch.c from bpf import BPF from time import sleep b = BPF(src_file="task_switch.c") fn = b.load_func("count_sched", BPF.KPROBE) stats = b.get_table("stats") BPF.attach_kprobe(fn, "finish_task_switch") # generate many schedule events for i in range(0, 100): sleep(0.01) for k, v in stats.items(): print("task_switch[%5d->%5d]=%u" % (k.prev_pid, k.curr_pid, v.value)) Kernel side BPF program task_switch.py

  57. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma eBPF Why eBPF in

    Tracing • Primarily for filters & script driven tracing - FAST, very FAST! • Add sophisticated features to tracing, at low cost • Fast stateful kernel event filtering/data aggregation • Record system wide sched_wakeup only when target process is blocked to reduce overhead • Utilize side-effects for assisted-tracing • A more uniform way of filtering events across userspace and kernel

  58. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Experiments Userspace eBPF (UeBPF)

    • Experimental libebpf to provide filtering in userspace tracing • Includes side-effects through communication with modified KeBPF • Easy switch between JIT/interpret for performance analysis • Includes LLVM BPF backend. • Load bytecode from eBPF binaries Performance Analysis • Apply LTTng, eBPF, eBPF+JIT, hardcoded filters • Measure t execution + t tracepoint

  59. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Experiments Performance Analysis •

    Pure filter evaluation. • TRUE/FALSE biased AND chain with varying predicates • Measure t e + t t with varying DoE (Biased TRUE)

  60. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Experiments Performance Analysis •

    Steady gain in 3x range for JIT vs Interpreted with increasing events (3.1x to 3.3x) 1018 ns/event 305 ns/event

  61. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Experiments Performance Analysis •

    eBPF JITed filter is 3.1x faster than LTTng's interpreted bytecode and eBPF's interpreted filter is 1.8x faster than LTTng's interpreted version 325 ns/event 325 ns/event 1 54 ns/event

  62. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Learnings Inferences from Experiments

    • JIT is so fast it makes everything slow • Next thing after “throw some cores” and “add some cache” • Small specialized interpreters can be quite fast too (LTTng) • For the tracing use-case, LTTng's filter works remarkably well • Integrate with LTTng and real life benchmarks on specialized hardware

  63. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Beyond KeBPF  UeBPF

    Extensions • Syscall latency tracking use-case. • Latency threshold is defined statically and manually • In real life, it may need to be set dynamically – different machines can have different normal levels for syscalls • We may need to adaptively set thresholds per syscall based on user's criteria as well as tracking the normal behaviour. • We can use eBPF side-effects to provide dynamic and adaptive thresholds

  64. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Beyond KeBPF  UeBPF

    Extensions • Side-effects? • eBPF can do more complex things like perform internal actions in addition to decisions • Use it to make decisions in kernel BPF based on userspace BPF inputs • Access shared data from KeBPF/UeBPF

  65. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Beyond KeBPF  UeBPF

    Syscall Latency Tracking UeBPF FILTER reg_ioctl() bpf_set_threshold() KeBPF FILTER threshold {predicate} Kernel Userspace PID 42 Latency Tracker Module Register 42 latency() tracepoint()

  66. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Beyond KeBPF  UeBPF

    Syscall Latency Tracking UeBPF FILTER reg_pid() bpf_set_threshold() KeBPF FILTER threshold proc_state {predicate} Kernel Userspace PID 42 Latency Tracker Module latency() tracepoint() Shared Mem proc_state threshold

  67. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma References • Graphics and

    text on slide 24-26 have been adapted from David Goulet's talk at FOSDEM '14. • Example for 'bcc' on slide 54 : https://github.com/iovisor/bcc • Experimental libebpf : https://github.com/tuxology/libebpf • BPF Internals • Part - I : http://ur1.ca/nheth • Part – II : http://ur1.ca/nheto All the images in this presentation drawn by the author are released under Creative Commons. All other graphics have been taken from OpenClipArt and are under public domain.

  68. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Acknowledgments Thanks to EfficiOS,

    Ericsson Montréal and DORSAL Lab, Polytechnique Montreal for the awesome work on LTTng/UST, TraceCompass and LTTngTop. Thanks to DiaMon Workgroup for the opportunity to present.

  69. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Questions? [email protected] suchakra on

    #lttng (irc.oftc.net) @tuxology http://suchakra.in