Upgrade to Pro — share decks privately, control downloads, hide ads and more …

LTTng's trace filtering and beyond - A unified approach and eBPF's role

Suchakra Sharma
August 20, 2015
Technology
0
240

LTTng's trace filtering and beyond - A unified approach and eBPF's role

Embedded and distributed systems are getting increasingly complex and generate large number of high frequency events - both at userspace and kernel levels. Analysis of such huge trace data means that there would be a considerable amount of time spent in finding out what really interests users.

This talk discusses internals of LTTng's trace filtering and an experiment to see how eBPF as a runtime trace filtering system performs.

Venue : TracingSummit 2015, LinuxCon Seattle

Suchakra Sharma

August 20, 2015
Tweet

More Decks by Suchakra Sharma

See All by Suchakra Sharma
Configuration Driven Event Tracing with Traceleft and eBPF
tuxology
0
220
Visual Tooling for Advanced Systems Analysis
tuxology
5
730
Fixing Hardware Trace Reconstruction Issues for Runtime Code
tuxology
0
270
Instrumentation and Tracing of Systems
tuxology
0
1.5k
The BSD Packet Filter
tuxology
9
150k
Trace Aggregation and Collection with eBPF
tuxology
0
390
Low Level Tracing for Latency Analysis
tuxology
1
260
Kernel and Userspace Tracing with LTTng and Friends
tuxology
0
170

Other Decks in Technology

See All in Technology
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
120
開発パフォーマンスを最大化するための開発体制
ham0215
2
440
SIEMを用いて、セキュリティログ分析の可視化と分析を実現し、PDCAサイクルを回してみた
coconala_engineer
0
330
私が trocco を推す理由
__allllllllez__
1
250
GrafanaMeetup_AmazonManagedGrafanaのアクセス制御機能とマルチテナント環境下でのアクセス制御について
daitak
0
240
プラットフォームってつくることより計測することが重要なんじゃないかという話 / Platform Engineering Meetup #8
taishin
1
370
DMM.com アルファ室採用案内資料
hsugita
1
160
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
140
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
640
推しは推せるときに推せ! プロダクトにフィードバックしていこう
nakasho
0
320
家族アルバム みてねにおけるGrafana活用術 / Grafana Meetup Japan Vol.1 LT
isaoshimizu
1
770
require(ESM)とECMAScript仕様
uhyo
3
770

Featured

See All Featured
How to train your dragon (web standard)
notwaldorf
73
5.2k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
2
3.4k
Into the Great Unknown - MozCon
thekraken
10
990
Understanding Cognitive Biases in Performance Measurement
bluesmoon
7
1k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Designing with Data
zakiwarfel
96
4.8k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
Robots, Beer and Maslow
schacon
PRO
155
7.9k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
We Have a Design System, Now What?
morganepeng
43
6.8k
Large-scale JavaScript Application Architecture
addyosmani
504
110k

Transcript

  1. LTTng's Trace Filtering and beyond (with some eBPF goodness, of

    course!) Suchakrapani Datt Sharma Aug 20, 2015 École Polytechnique de Montréal Laboratoire DORSAL

  2. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma whoami Suchakra • PhD

    student, Computer Engineering (Prof Michel Dagenais) DORSAL Lab, École Polytechnique de Montréal – UdeM • Works on debugging, tracing and trace analysis (LTTng), bytecode interpreters, JIT compilation, dynamic instrumentation • Loves poutine

  3. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Agenda LTTng's Trace Filter

    • Filtering primer • LTTng's trace filters eBPF • Mechanism, current status • BCC • A small eBPF trial with LTTng • Filtering performance with experimental userspace eBPF Beyond • KeBPF/UeBPF?

  4. Filters POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  5. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma filter

  6. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma filter

  7. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma filter

  8. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  9. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Predicates Packets

  10. Filters POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Evaluating

  11. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  12. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Foo

    Evaluator Take whole string expression and start parsing and evaluating by hand

  13. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Foo Evaluator Take whole

    string expression and start parsing and evaluating by hand TRUE / FALSE 42 billion runs

  14. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode Bar Interpreter Bytecode

  15. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode Bar Interpreter Bytecode

  16. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode Bar Interpreter Bytecode

  17. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode Bar Interpreter Bytecode

  18. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode JIT Compiler Bytecode → Native Code Native Code (x86/ARM)

  19. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma TRUE / FALSE Bar

    Generator Parser → AST → IR → Bytecode JIT Compiler Bytecode → Native Code Native Code (x86/ARM)

  20. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Why do we need

    these blazingly FAST filters?

  21. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Network • Sustain network

    throughput • Effect is visible on embedded devices which work uninterrupted Tracing • Filtering huge event flood at runtime reliably • High frequency events long-running trace events in production systems with limited resources to defer analysis

  22. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma ?

  23. LTTng's Trace Filtering POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  24. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Instrumented Userspace Application

    UST listener thread LTTng Session Daemon LTTng Consumer Daemon SHM CTF Trace

  25. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Instrumented Userspace Application

    UST listener thread LTTng Session Daemon LTTng Consumer Daemon Register Event Setup Event Consumption SHM Ring buffer CTF Trace

  26. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Instrumented Userspace Application

    UST listener thread LTTng Session Daemon LTTng Consumer Daemon SHM CTF Trace

  27. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Instrumented Userspace Application

    UST listener thread LTTng Session Daemon

  28. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Filtering Instrumented Userspace

    Application LTTng Session Daemon New Event

  29. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Filtering Instrumented Userspace

    Application LTTng Session Daemon Check for Filter Parse → AST → IR Generate Bytecode New Event User sets filter Basic IR Validation

  30. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng-UST Filtering Instrumented Userspace

    Application LTTng Session Daemon Check for Filter Parse → AST → IR Generate Bytecode Send Bytecode Validate → Link → Interpret New Event Filtered Events User sets filter interpret for every event Basic IR Validation

  31. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng's Trace Filtering A

    filtered session $ lttng create mysession $ lttng enable-event --filter '(foo == 42) && (bar == "baz")' -a -u Filter '(foo == 42) && (bar == "baz")' successfully set $ lttng start <do some science> $ lttng stop $ lttng view

  32. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma LTTng's Trace Filtering A

    filtered session $ lttng create mysession $ lttng enable-event --filter '(foo == 42) && (bar == "baz")' -a -u Filter '(foo == 42) && (bar == "baz")' successfully set $ lttng start <do some science> $ lttng stop $ lttng view

  33. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Generating Bytecode

  34. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Generation generate_filter()

    • Flex-Bison generated lexer-parser • Custom tokens and grammar ctx = filter_parser_ctx_alloc(fmem); • Allocate/initialize parser, AST, create root node filter_parser_ctx_append_ast(ctx); filter_visitor_set_parent(ctx); • Run yyparse(), yylex() • Generate syntax tree

  35. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Generation Syntax

    Tree op(&&) op(==) op(==) id(foo) c(42) id(bar) str(“bar”) Predicates

  36. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Generation filter_visitor_ir_generate(ctx);

    • Hand written IR generator • Go through each node recursively, classify them • No binary arithmetic supported for now. Only logic and comparisons filter_visitor_ir_check_binary_op_nesting(ctx); filter_visitor_ir_validate_string(ctx); • Basic IR Validation • Except logical operators, operator nesting not allowed • Validate string as literal part – No wildcard in between strings, no unsupported characters

  37. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Generation filter_visitor_bytecode_generate(ctx);

    • Traverse tree post-order • Based on node type, start emitting instructions • Save the bytecode in ctx • Add symbol table data to bytecode. • We are done, lets send it to lttng-sessiond!

  38. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Interpreting Bytecode

  39. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Interpretation lttng_filter_event_link_bytecode()

    • Link bytecode to the event and create bytecode runtime • Copy original bytecode to runtime • Apply field and context relocations lttng_filter_validate_bytecode(runtime); • Check unsupported bytecodes (eg. arithmetic) • Check range overflow for different insn classes • Validate current context and merge points for all insn lttng_filter_specialize_bytecode(runtime); • We know event field types now • Lets specialize operations based on that

  40. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Filter Bytecode Interpretation lttng_filter_interpret_bytecode()

    • Hybrid virtual machine • 2 registers (ax & bx) aliased to top of stack • Functions like register machine – flexible like stack • Threaded instruction dispatch/normal dispatch (fallback) ax bx . . . top top - 1 OP(FILTER_OP_NE_S64): { int res; res = (estack_bx_v != estack_ax_v); estack_pop(stack, top, ax, bx); estack_ax_v = res; next_pc += sizeof(struct binary_op); PO; } Stack

  41. eBPF Filters & More POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  42. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma eBPF Berkeley Packet Filter

    (BPF) • Filter expressions → Bytecode → Interpret • Fast, small, in-kernel packet & syscall filtering • Register based, switch-dispatch interpreter Current Status of BPF • Extensions for trace filtering (Kprobes!! Kprobes!!) • More than just filtering. JITed programs – FAST! • Evolved to extended BPF (eBPF) • BPF maps, bpf syscall – aggregation and userspace access • More registers (64 bit), back jumps, tail-calls, safety

  43. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session foo_kern.c

    Kernel Userspace

  44. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session foo_kern.c

    BPF LLVM backend foo_kern.bpf Kernel Userspace

  45. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session foo_kern.c

    BPF LLVM backend foo_kern.bpf foo_user.c foo_kern.bpf Load Kernel Userspace

  46. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session foo_kern.c

    BPF LLVM backend foo_kern.bpf foo_user.c foo_kern.bpf Load Bytecode Kernel Userspace

  47. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session eBPF

    foo_kern.c BPF LLVM backend foo_kern.bpf BPF Bytecode bpf() Syscalls foo_user.c foo_kern.bpf Load BPF Maps Bytecode Kernel Userspace

  48. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session eBPF

    foo_kern.c BPF LLVM backend foo_kern.bpf BPF Bytecode bpf() Syscalls foo_user.c foo_kern.bpf Load BPF Maps Bytecode void blk_start_request (struct request *req) { blk_dequeue_request(req); . . } block/blk-core.c Kprobe Kernel Userspace

  49. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session eBPF

    foo_kern.c BPF LLVM backend foo_kern.bpf BPF Bytecode bpf() Syscalls foo_user.c foo_kern.bpf Load BPF Maps Bytecode Read Maps void blk_start_request (struct request *req) { blk_dequeue_request(req); . . } block/blk-core.c Kprobe Kernel Userspace

  50. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Sample eBPF Filter eBPF

    Filter on LTTng Kernel Event eBPF Bytecode : static struct bpf_insn insn_prog[] = { BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, 0), BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_2, 0), /* ctx->arg1 */ BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 8), /* ctx->arg2 */ BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_4, 3), /* compare arg1 & arg2 */ BPF_LD_IMM64(BPF_REG_0, 0), /* FALSE */ BPF_EXIT_INSN(), BPF_LD_IMM64(BPF_REG_0, 1), /* TRUE */ BPF_EXIT_INSN(), }; R2 = ctx R2 = ctx R3 = *(dev->name) R4 = 0x6f6c R3 = *(dev->name) R4 = 0x6f6c if ((dev->name[0] == “l”) && (dev->name[1] == “o”)) { trace_netif_receive_skb_filter(skb); }

  51. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Sample eBPF Filter eBPF

    JITed : One-to-one direct method JIT. eBPF is close to modern architectures 0: push %rbp 1: mov %rsp,%rbp 4: sub $0x228,%rsp b: mov %rbx,-0x228(%rbp) 12: mov %r13,-0x220(%rbp) 19: mov %r14,-0x218(%rbp) 20: mov %r15,-0x210(%rbp) 27: xor %eax,%eax 29: xor %r13,%r13 2c: mov 0x0(%rdi),%rsi 30: mov 0x0(%rsi),%rdx 34: mov 0x8(%rdi),%rcx 38: cmp %rcx,%rdx Clear A and X Clear A and X Compare R3, R4 Compare R3, R4 3b: je 0x0000000000000049 3d: movabs $0x0,%rax ;FALSE 47: jmp 0x0000000000000053 49: movabs $0x1,%rax ;TRUE 53: mov -0x228(%rbp),%rbx 5a: mov -0x220(%rbp),%r13 61: mov -0x218(%rbp),%r14 68: mov -0x210(%rbp),%r15 6f: leaveq 70: retq Make some space on stack Make some space on stack Save callee saved regs Save callee saved regs Restore regs Restore regs Jump to TRUE Jump to TRUE Load ctx args to R3 and R4 Load ctx args to R3 and R4

  52. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example eBPF Session eBPF

    foo_kern.c BPF LLVM backend foo_kern.bpf BPF Bytecode bpf() Syscalls foo_user.c foo_kern.bpf Load BPF Maps Bytecode Read Maps void blk_start_request (struct request *req) { blk_dequeue_request(req); . . } block/blk-core.c Kprobe Kernel Userspace

  53. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma

  54. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Yes, 'bcc' exists! https://github.com/iovisor/bcc

  55. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example bcc Session eBPF

    foo_kern.c BPF Bytecode bpf() Syscalls foo_user.py load_func() BPF Maps get_table() void blk_start_request (struct request *req) { blk_dequeue_request(req); . . } block/blk-core.c Kprobe Kernel Userspace attach_kprobe()

  56. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Example bcc Session #include

    <uapi/linux/ptrace.h> #include <linux/sched.h> struct key_t { u32 prev_pid; u32 curr_pid; }; BPF_TABLE("hash", struct key_t, u64, stats, 1024); int count_sched(struct pt_regs *ctx, struct task_struct *prev) { struct key_t key = {}; u64 zero = 0, *val; key.curr_pid = bpf_get_current_pid_tgid(); key.prev_pid = prev->pid; val = stats.lookup_or_init(&key, &zero); (*val)++; return 0; } task_switch.c from bpf import BPF from time import sleep b = BPF(src_file="task_switch.c") fn = b.load_func("count_sched", BPF.KPROBE) stats = b.get_table("stats") BPF.attach_kprobe(fn, "finish_task_switch") # generate many schedule events for i in range(0, 100): sleep(0.01) for k, v in stats.items(): print("task_switch[%5d->%5d]=%u" % (k.prev_pid, k.curr_pid, v.value)) Kernel side BPF program task_switch.py

  57. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma eBPF Why eBPF in

    Tracing • Primarily for filters & script driven tracing - FAST, very FAST! • Add sophisticated features to tracing, at low cost • Fast stateful kernel event filtering/data aggregation • Record system wide sched_wakeup only when target process is blocked to reduce overhead • Utilize side-effects for assisted-tracing • A more uniform way of filtering events across userspace and kernel

  58. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Experiments Userspace eBPF (UeBPF)

    • Experimental libebpf to provide filtering in userspace tracing • Includes side-effects through communication with modified KeBPF • Easy switch between JIT/interpret for performance analysis • Includes LLVM BPF backend. • Load bytecode from eBPF binaries Performance Analysis • Apply LTTng, eBPF, eBPF+JIT, hardcoded filters • Measure t execution + t tracepoint

  59. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Experiments Performance Analysis •

    Pure filter evaluation. • TRUE/FALSE biased AND chain with varying predicates • Measure t e + t t with varying DoE (Biased TRUE)

  60. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Experiments Performance Analysis •

    Steady gain in 3x range for JIT vs Interpreted with increasing events (3.1x to 3.3x) 1018 ns/event 305 ns/event

  61. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Experiments Performance Analysis •

    eBPF JITed filter is 3.1x faster than LTTng's interpreted bytecode and eBPF's interpreted filter is 1.8x faster than LTTng's interpreted version 325 ns/event 325 ns/event 1 54 ns/event

  62. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Learnings Inferences from Experiments

    • JIT is so fast it makes everything slow • Next thing after “throw some cores” and “add some cache” • Small specialized interpreters can be quite fast too (LTTng) • For the tracing use-case, LTTng's filter works remarkably well • Integrate with LTTng and real life benchmarks on specialized hardware

  63. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Beyond KeBPF  UeBPF

    Extensions • Syscall latency tracking use-case. • Latency threshold is defined statically and manually • In real life, it may need to be set dynamically – different machines can have different normal levels for syscalls • We may need to adaptively set thresholds per syscall based on user's criteria as well as tracking the normal behaviour. • We can use eBPF side-effects to provide dynamic and adaptive thresholds

  64. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Beyond KeBPF  UeBPF

    Extensions • Side-effects? • eBPF can do more complex things like perform internal actions in addition to decisions • Use it to make decisions in kernel BPF based on userspace BPF inputs • Access shared data from KeBPF/UeBPF

  65. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Beyond KeBPF  UeBPF

    Syscall Latency Tracking UeBPF FILTER reg_ioctl() bpf_set_threshold() KeBPF FILTER threshold {predicate} Kernel Userspace PID 42 Latency Tracker Module Register 42 latency() tracepoint()

  66. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Beyond KeBPF  UeBPF

    Syscall Latency Tracking UeBPF FILTER reg_pid() bpf_set_threshold() KeBPF FILTER threshold proc_state {predicate} Kernel Userspace PID 42 Latency Tracker Module latency() tracepoint() Shared Mem proc_state threshold

  67. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma References • Graphics and

    text on slide 24-26 have been adapted from David Goulet's talk at FOSDEM '14. • Example for 'bcc' on slide 54 : https://github.com/iovisor/bcc • Experimental libebpf : https://github.com/tuxology/libebpf • BPF Internals • Part - I : http://ur1.ca/nheth • Part – II : http://ur1.ca/nheto All the images in this presentation drawn by the author are released under Creative Commons. All other graphics have been taken from OpenClipArt and are under public domain.

  68. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Acknowledgments Thanks to EfficiOS,

    Ericsson Montréal and DORSAL Lab, Polytechnique Montreal for the awesome work on LTTng/UST, TraceCompass and LTTngTop. Thanks to DiaMon Workgroup for the opportunity to present.

  69. POLYTECHNIQUE MONTREAL – Suchakrapani Datt Sharma Questions? [email protected] suchakra on

    #lttng (irc.oftc.net) @tuxology http://suchakra.in