BCC入门
简介
BPF编译器集合(BPF Compiler Collection,简称BCC)。项目地址https://github.com/iovisor/bcc,是一个用于创建高效内核跟踪和操作程序的工具包,包括几个有用的工具和示例。它利用了扩展的 BPF(伯克利包过滤器),正式名称为 eBPF。
BCC 使 BPF 程序更易于编写,使用 C 中的内核工具(并包括围绕 LLVM 的 C 包装器),以及 Python 和 lua 中的前端。它适用于许多任务,包括性能分析和网络流量控制。
BCC还包含多个可以直接使用的BPF性能分析和故障定位工具。
BCC结构
BCCde目录结构如图
# lsCMakeLists.txt FAQ.txt LINKS.mdSPECS docker images man srcCODEOWNERS INSTALL.md QUICKSTART.md cmake docs introspection scripts testsCONTRIBUTING-SCRIPTS.md LICENSE.txt README.md debian examples libbpf-tools snap tools
- tools:包含BCC提供的工具及其示例。
- man:包含工具的帮助文档。
- src:包含Python、C++、Lua的BCC库
安装BCC
内核要求
BCC推荐使用最新的内核,并且内核需要开启选项
- CONFIG_BPF=y
- CONFIG_BPF_SYSCALL=y
- CONFIG_BPF_EVENTS=y
- CONFIG_BPF_JIT=y
- CONFIG_HAVE_EBPF_JIT=y
Ubuntu
BCC已经被打包到Ubuntu的仓库中,包名为bpfcc-tools
,可以直接使用命令安装
apt-get install bpfcc-tools linux-headers-$(uname -r)
执行完成后BCC工具会安装到/sbin目录下,并带有-bpfcc
后缀
ls /sbin/*-bpfcc/sbin/argdist-bpfcc/sbin/fileslower-bpfcc /sbin/perlcalls-bpfcc /sbin/syncsnoop-bpfcc/sbin/bashreadline-bpfcc /sbin/filetop-bpfcc /sbin/perlflow-bpfcc /sbin/syscount-bpfcc/sbin/bindsnoop-bpfcc /sbin/funccount-bpfcc/sbin/perlstat-bpfcc /sbin/tclcalls-bpfcc/sbin/biolatency-bpfcc /sbin/funcinterval-bpfcc /sbin/phpcalls-bpfcc /sbin/tclflow-bpfcc/sbin/biolatpcts-bpfcc /sbin/funclatency-bpfcc /sbin/phpflow-bpfcc /sbin/tclobjnew-bpfcc/sbin/biosnoop-bpfcc /sbin/funcslower-bpfcc /sbin/phpstat-bpfcc /sbin/tclstat-bpfcc/sbin/biotop-bpfcc /sbin/gethostlatency-bpfcc /sbin/pidpersec-bpfcc /sbin/tcpaccept-bpfcc/sbin/bitesize-bpfcc /sbin/hardirqs-bpfcc /sbin/profile-bpfcc /sbin/tcpconnect-bpfcc/sbin/bpflist-bpfcc/sbin/inject-bpfcc /sbin/pythoncalls-bpfcc /sbin/tcpconnlat-bpfcc/sbin/btrfsdist-bpfcc /sbin/javacalls-bpfcc/sbin/pythonflow-bpfcc /sbin/tcpdrop-bpfcc/sbin/btrfsslower-bpfcc /sbin/javaflow-bpfcc /sbin/pythongc-bpfcc /sbin/tcplife-bpfcc/sbin/cachestat-bpfcc /sbin/javagc-bpfcc /sbin/pythonstat-bpfcc /sbin/tcpretrans-bpfcc/sbin/cachetop-bpfcc /sbin/javaobjnew-bpfcc /sbin/readahead-bpfcc /sbin/tcprtt-bpfcc/sbin/capable-bpfcc/sbin/javastat-bpfcc /sbin/reset-trace-bpfcc /sbin/tcpstates-bpfcc/sbin/cobjnew-bpfcc/sbin/javathreads-bpfcc /sbin/rubycalls-bpfcc /sbin/tcpsubnet-bpfcc/sbin/compactsnoop-bpfcc /sbin/killsnoop-bpfcc/sbin/rubyflow-bpfcc /sbin/tcpsynbl-bpfcc/sbin/cpudist-bpfcc/sbin/klockstat-bpfcc/sbin/rubygc-bpfcc/sbin/tcptop-bpfcc/sbin/cpuunclaimed-bpfcc /sbin/llcstat-bpfcc /sbin/rubyobjnew-bpfcc /sbin/tcptracer-bpfcc/sbin/criticalstat-bpfcc /sbin/mdflush-bpfcc /sbin/rubystat-bpfcc /sbin/threadsnoop-bpfcc/sbin/dbslower-bpfcc /sbin/memleak-bpfcc /sbin/runqlat-bpfcc /sbin/tplist-bpfcc/sbin/dbstat-bpfcc /sbin/mountsnoop-bpfcc /sbin/runqlen-bpfcc /sbin/trace-bpfcc/sbin/dcsnoop-bpfcc/sbin/mysqld_qslower-bpfcc /sbin/runqslower-bpfcc /sbin/ttysnoop-bpfcc/sbin/dcstat-bpfcc /sbin/netqtop-bpfcc /sbin/shmsnoop-bpfcc /sbin/vfscount-bpfcc/sbin/deadlock-bpfcc /sbin/nfsdist-bpfcc /sbin/slabratetop-bpfcc /sbin/vfsstat-bpfcc/sbin/dirtop-bpfcc /sbin/nfsslower-bpfcc/sbin/sofdsnoop-bpfcc /sbin/wakeuptime-bpfcc/sbin/drsnoop-bpfcc/sbin/nodegc-bpfcc /sbin/softirqs-bpfcc /sbin/xfsdist-bpfcc/sbin/execsnoop-bpfcc /sbin/nodestat-bpfcc /sbin/solisten-bpfcc /sbin/xfsslower-bpfcc/sbin/exitsnoop-bpfcc /sbin/offcputime-bpfcc /sbin/sslsniff-bpfcc /sbin/zfsdist-bpfcc/sbin/ext4dist-bpfcc /sbin/offwaketime-bpfcc /sbin/stackcount-bpfcc /sbin/zfsslower-bpfcc/sbin/ext4slower-bpfcc /sbin/oomkill-bpfcc /sbin/statsnoop-bpfcc/sbin/filelife-bpfcc /sbin/opensnoop-bpfcc/sbin/swapin-bpfcc
或者你也可以从仓库拉取最新的包
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDDecho "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.listsudo apt-get updatesudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
Ubuntu 从源码构建
要从源代码构建工具链,需要:
- LLVM 3.7.1 或更高版本,编译时支持 BPF(默认=on)
- Clang,由与 LLVM 相同的树构建
- cmake (>=3.1)、gcc (>=4.7)、flex、bison
- LuaJIT,如果你想要 Lua 支持
安装依赖项
# Trusty (14.04 LTS) and olderVER=trustyecho "deb http://llvm.org/apt/$VER/ llvm-toolchain-$VER-3.7 maindeb-src http://llvm.org/apt/$VER/ llvm-toolchain-$VER-3.7 main" | \ sudo tee /etc/apt/sources.list.d/llvm.listwget -O - http://llvm.org/apt/llvm-snapshot.gpg.key | sudo apt-key add -sudo apt-get update# For Bionic (18.04 LTS)sudo apt-get -y install bison build-essential cmake flex git libedit-dev \ libllvm6.0 llvm-6.0-dev libclang-6.0-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils# For Eoan (19.10) or Focal (20.04.1 LTS)sudo apt install -y bison build-essential cmake flex git libedit-dev \ libllvm7 llvm-7-dev libclang-7-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils # For Hirsute (21.04) or Impish (21.10)sudo apt install -y bison build-essential cmake flex git libedit-dev libllvm11 llvm-11-dev libclang-11-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils# For other versionssudo apt-get -y install bison build-essential cmake flex git libedit-dev \ libllvm3.7 llvm-3.7-dev libclang-3.7-dev python zlib1g-dev libelf-dev python3-distutils# For Lua supportsudo apt-get -y install luajit luajit-5.1-dev
编译和安装BCC
git clone https://github.com/iovisor/bcc.gitmkdir bcc/build; cd bcc/buildcmake ..makesudo make installcmake -DPYTHON_CMD=python3 .. # build python3 bindingpushd src/python/makesudo make installpopd
BCC工具
下表列出了一些BCC工具及其用途
用途 | 工具名 |
---|---|
调试/多方面 | trace、argdist、funccount、stackcount、opensnoop |
CPU相关 | execsnoop、runqlat、runqlen、cpudist、profile、offcputime、syscount、softirq、hardiq |
内存相关 | memleak |
文件系统相关 | opensnoop、filelife、vfsstatt、filelower、cachestat、writeback、dcstat、xfsslower、xfsdist、ext4dist |
磁盘IO相关 | biolatency、biosnoop、biotop、bitesize |
网络相关 | tcpconnect、tcpaccept、tcplife、tcpretrans |
安全 | capable |
JAVA | javastat、javacalls、javathreads、javaflow、javagc |
应用程序 | mysqld_qslower、signals、killnoop |
内核相关 | wakeuptime、offwaketime |
推荐一个零声学院免费公开课程,个人觉得老师讲得不错,分享给大家:
Linux,Nginx,ZeroMQ,MySQL,Redis,fastdfs,MongoDB,ZK,流媒体,CDN,P2P,K8S,Docker,TCP/IP,协程,DPDK等技术内容,立即学习