{"id":5373,"date":"2022-12-20T19:01:50","date_gmt":"2022-12-20T11:01:50","guid":{"rendered":"https:\/\/ixyzero.com\/blog\/?p=5373"},"modified":"2022-12-20T19:01:50","modified_gmt":"2022-12-20T11:01:50","slug":"ebpf%e7%ae%80%e5%8d%95%e4%ba%86%e8%a7%a3","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/5373.html","title":{"rendered":"A Brief Introduction to eBPF"},"content":{"rendered":"\n<p>=Start=<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Background:<\/h4>\n\n\n\n<p>I have wanted to learn about the concepts behind eBPF for a long time, but never had the time or the motivation. Recently, with a little spare time, I read through some articles I found to get a basic understanding of eBPF, so that I can study it in more depth later when the need arises.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Main text:<\/h4>\n\n\n\n<h5 class=\"wp-block-heading\">Reference answers:<\/h5>\n\n\n\n<h5 class=\"wp-block-heading\">1. 
What is BPF?<\/h5>\n\n\n\n<p>BPF (Berkeley Packet Filter) is a raw interface to the data link layer on Unix-like systems that provides sending and receiving of raw link-layer packets. In 1992, Steven McCanne and Van Jacobson wrote a paper titled \u201cThe BSD Packet Filter: A New Architecture for User-level Packet Capture\u201d. In it, the authors described how they implemented network packet filtering in the Unix kernel; the new technique was 20 times faster than the most advanced packet filtering technology of the time. BPF introduced two major innovations in packet filtering:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A new virtual machine (VM) design that works efficiently on CPUs with a register-based architecture;<\/li>\n\n\n\n<li>Applications use buffers that copy only the data relevant to filtering a packet, rather than all of the packet's information. This minimizes the amount of data BPF has to process.<\/li>\n<\/ul>\n\n\n\n<p>Because of these major improvements, all Unix systems chose to <strong>adopt BPF as their network packet filtering technology<\/strong>, and to this day many systems derived from the Unix kernel (including the Linux 
kernel) still use this implementation.<\/p>\n\n\n\n<p>The familiar tcpdump is built on BPF.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">2. What is eBPF?<\/h5>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\"><strong>In short, eBPF is a general-purpose execution engine that provides a generic capability to safely inject code when kernel events and user-program events occur<\/strong>, so that use of this capability is no longer limited to kernel developers.<\/p>\n\n\n\n<p>Classic BPF can only be used for network filtering, whereas eBPF can be used in many more scenarios, including network monitoring, security filtering and performance analysis. In addition, eBPF allows ordinary user-space applications to package the logic to be executed in the Linux kernel as bytecode; the kernel invokes the eBPF program when certain events (called hooks) occur. Examples of such hooks include system calls and network events.<\/p>\n\n\n\n<p>In early 2014, Alexei Starovoitov implemented eBPF (extended Berkeley Packet Filter). After the redesign, eBPF evolved into a general-purpose execution engine on which performance analysis tools, software-defined networking and many other use cases can be built. eBPF first appeared in the 3.18 
kernel, after which the original BPF came to be called classic BPF, abbreviated cBPF; cBPF is now largely obsolete. Today the Linux kernel runs only eBPF, and the kernel transparently translates loaded cBPF bytecode into eBPF before executing it.<\/p>\n\n\n\n<p>The new eBPF design is optimized for modern hardware, so the instruction set eBPF generates executes faster than the machine code generated by the old BPF interpreter. The extended version also increased the number of registers in the virtual machine, from the original two 32-bit registers to ten 64-bit registers. With more and wider registers, developers can freely exchange more information using function parameters and write more complex programs. Altogether, these improvements make the eBPF version 4 times faster than the original BPF.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">3. 
Why did eBPF emerge?<\/h5>\n\n\n\n<p><strong>eBPF essentially emerged to resolve the tension between the slow pace of kernel iteration and rapidly changing system requirements<\/strong>. An analogy often used in the eBPF community is that eBPF is to the Linux kernel what JavaScript is to HTML; the emphasis is on programmability. Support for programmability generally brings new problems of its own. Kernel modules, for example, were also meant to solve this problem, but they do not provide good boundaries, so a kernel module can affect the stability of the kernel itself and has to be adapted to different kernel versions. eBPF uses mechanisms such as the verifier, the JIT compiler, restricted bpf helpers and maps\/per-event to make it a safe and efficient technology for programming the kernel.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">4. What are the use cases for eBPF?<\/h5>\n\n\n\n<p>Networking<\/p>\n\n\n\n<p>The combination of programmability and efficiency makes eBPF a natural fit for all packet processing requirements of networking solutions. The programmability of eBPF enables adding additional protocol parsers and easily programming any forwarding logic to meet changing requirements without ever leaving the packet processing context of the Linux kernel. 
The efficiency provided by the JIT compiler provides execution performance close to that of natively compiled in-kernel code.<\/p>\n\n\n\n<p>Security<\/p>\n\n\n\n<p>Building on the foundation of seeing and understanding all system calls and combining that with a packet and socket-level view of all networking operations allows for revolutionary new approaches to securing systems. While aspects of system call filtering, network-level filtering, and process context tracing have typically been handled by completely independent systems, eBPF allows for combining the visibility and control of all aspects to create security systems operating on more context with a better level of control.<\/p>\n\n\n\n<p>Observability &amp; Monitoring<\/p>\n\n\n\n<p>Instead of relying on static counters and gauges exposed by the operating system, eBPF enables the collection &amp; in-kernel aggregation of custom metrics and generation of visibility events based on a wide range of possible sources. This extends the depth of visibility that can be achieved as well as reduces the overall system overhead significantly by only collecting the visibility data required and by generating histograms and similar data structures at the source of the event instead of relying on the export of samples.<\/p>\n\n\n\n<p>Tracing &amp; Profiling<\/p>\n\n\n\n<p>The ability to attach eBPF programs to trace points as well as kernel and user application probe points allows unprecedented visibility into the runtime behavior of applications and the system itself. By giving introspection abilities to both the application and system side, both views can be combined, allowing powerful and unique insights to troubleshoot system performance problems. 
Advanced statistical data structures allow meaningful visibility data to be extracted in an efficient manner, without requiring the export of vast amounts of sampling data as typically done by similar systems.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">5. eBPF architecture<\/h5>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"528\" src=\"https:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2022\/12\/ebpf-arch-1024x528.jpeg\" alt=\"\" class=\"wp-image-5374\" srcset=\"https:\/\/ixyzero.com\/wp-content\/uploads\/2022\/12\/ebpf-arch-1024x528.jpeg 1024w, https:\/\/ixyzero.com\/wp-content\/uploads\/2022\/12\/ebpf-arch-300x155.jpeg 300w, https:\/\/ixyzero.com\/wp-content\/uploads\/2022\/12\/ebpf-arch-768x396.jpeg 768w, https:\/\/ixyzero.com\/wp-content\/uploads\/2022\/12\/ebpf-arch.jpeg 1169w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The important takeaway here is understanding that eBPF unlocks access to kernel level events without the typical restrictions found when changing kernel code directly. Summarizing, eBPF works by:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Compiling eBPF programs into bytecode<\/li>\n\n\n\n<li>Verifying programs execute safely in a VM before being loaded at the hook point<\/li>\n\n\n\n<li>Attaching programs to hook points within the kernel that are triggered by specified events<\/li>\n\n\n\n<li>Compiling at runtime for maximum efficiency<\/li>\n\n\n\n<li>Calling helper functions to manipulate data when a program is triggered<\/li>\n\n\n\n<li>Using maps (key-value pairs) to share data between the user space and kernel space and for keeping state.<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">6. A simple eBPF example<\/h5>\n\n\n\n<p>step1. 
Preparation: make sure the kernel already supports eBPF (if it does not, you may need to upgrade the kernel, or enable the relevant options in the kernel configuration file and rebuild the kernel)<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ls \/sys\/fs\/bpf\nlsmod | grep bpf<\/code><\/pre>\n\n\n\n<p>step2. Write the eBPF program<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ cat py_tcp_sendmsg_stat.py\n#!\/usr\/bin\/python3\n\nfrom bcc import BPF\nfrom time import sleep\n\n# Define the eBPF program\nbpf_text = \"\"\"\n#include &lt;uapi\/linux\/ptrace.h&gt;\n\nBPF_HASH(stats, u32);\n\nint count(struct pt_regs *ctx) {\n    u32 key = 0;\n    u64 *val, zero=0;\n    \/\/ lookup_or_init was renamed to lookup_or_try_init in bcc 0.12; it can return NULL\n    val = stats.lookup_or_try_init(&amp;key, &amp;zero);\n    if (val) {\n        (*val)++;\n    }\n    return 0;\n}\n\"\"\"\n\n# Compile the eBPF program\nb = BPF(text=bpf_text, cflags=&#91;\"-Wno-macro-redefined\"])\n\n# Load the eBPF program and attach it to the tcp_sendmsg kernel function\nb.attach_kprobe(event=\"tcp_sendmsg\", fn_name=\"count\")\n\nname = {\n  0: \"tcp_sendmsg\"\n}\n# Print the statistics once per second\nwhile True:\n    try:\n        #print(\"Total packets: %d\" % b&#91;\"stats\"]&#91;0].value)\n        for k, v in b&#91;\"stats\"].items():\n            print(\"{}: {}\".format(name&#91;k.value], v.value))\n        sleep(1)\n    except KeyboardInterrupt:\n        exit()<\/code><\/pre>\n\n\n\n<p>step3. 
Run the eBPF program<br>Considering the default kernel version and the size of the installation ISO image, I ended up downloading ubuntu-22.04.1-desktop-amd64 as my learning and test environment (I had originally intended to download CentOS).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ sudo apt install python3-bpfcc\n\n$ chmod +x py_tcp_sendmsg_stat.py\n$ sudo .\/py_tcp_sendmsg_stat.py<\/code><\/pre>\n\n\n\n<p>The code above gives a rough idea of the basic way to write an eBPF program: attaching a piece of \u201cC\u201d code to certain kernel events from Python is how eBPF is programmed. To be honest, code like this is hard to write and can produce all sorts of very strange behaviour, which makes it difficult for most people to master. Fortunately, plenty of such code has already been written, so we do not have to write it again; the tools directory of the bcc repository on GitHub contains many\u2026<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>bcc-tools: a package containing many commonly used BCC tools.<\/li>\n\n\n\n<li>bpftrace: a high-level language for writing and running BPF programs.<\/li>\n\n\n\n<li>tcptop: a tool for real-time monitoring and analysis of TCP 
traffic.<\/li>\n\n\n\n<li>execsnoop: a tool for monitoring process execution.<\/li>\n\n\n\n<li>filetop: a tool for real-time monitoring and analysis of file system traffic.<\/li>\n\n\n\n<li>trace: a tool for tracing and analyzing function calls.<\/li>\n\n\n\n<li>funccount: a tool for counting function calls.<\/li>\n\n\n\n<li>opensnoop: a tool for monitoring file open operations.<\/li>\n\n\n\n<li>pidstat: a tool for monitoring process performance.<\/li>\n\n\n\n<li>profile: a tool for analyzing system CPU usage.<\/li>\n<\/ol>\n\n\n\n<p class=\"has-vivid-red-color has-text-color\">If you want to write eBPF programs from scratch yourself, you can use Python + bcc, or C\/C++ + libbpf, or of course Golang + ebpf-go\/libbpfgo
, all of which come with something of a learning curve. But skills and experience grow through running into pitfalls and working out of them, so if your job is closely related to this, or you currently have spare time and energy and want to learn this technology, it is well worth doing. As for me, neither seems to apply, so for now I will settle for a shallow understanding: roughly what eBPF is, what it can do, and roughly what needs to be done to implement the related functionality. If a real opportunity comes up later, I will study it properly in depth.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">7. 
What are the best practices for eBPF?<\/h5>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Finding instrumentation points in the kernel<\/strong><\/h6>\n\n\n\n<p>1. Which kernel functions, kernel tracepoints and performance events exist in the kernel?<br>2. For kernel functions and kernel tracepoints, when their input arguments and return values need to be traced, how do you look up the definitions of those data structures?<\/p>\n\n\n\n<h6 class=\"wp-block-heading\"><strong>Finding instrumentation points in applications<\/strong><\/h6>\n\n\n\n<p>1. How do you look up the tracepoints of a user process?<br>Statically compiled languages<br>Non-statically compiled languages: interpreted languages<br>Non-statically compiled languages: just-in-time compiled languages<\/p>\n\n\n\n<p>2. What should you watch out for when choosing tracepoints?<br>You can refer to BCC's application tracing. Tracing a user process essentially works by executing a uprobe handler through a breakpoint. Although the kernel community has done a lot of performance tuning on BPF, tracing user-space functions (especially high-frequency ones such as lock contention and memory allocation) can still incur significant performance overhead. So when using uprobes, avoid tracing high-frequency functions as far as possible.<\/p>\n\n\n\n<h6 
class=\"wp-block-heading\"><strong>Correlating problems with instrumentation points<\/strong><\/h6>\n\n\n\n<p>Ideally, for every problem it would be clear which instrumentation points to observe, but that requires engineers to understand the details of the end-to-end software stack thoroughly, which is hard to achieve in practice. A more reasonable approach is the 80\/20 rule: capture the core 80% of the data flow through the software stack and make sure that any problem will show up somewhere along that path. Then use the kernel stack and the user stack to inspect the specific call stack and find the core problem.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">x. 
Closing remarks<\/h5>\n\n\n\n<h6 class=\"wp-block-heading\">Using eBPF well requires understanding the requirements and the target environment<\/h6>\n\n\n\n<p>The introduction above should give a basic understanding of eBPF. <strong>eBPF provides only a framework and a mechanism; what matters most is that the person using it understands the requirements and the target environment, finds suitable instrumentation points, and can correlate them with application problems.<\/strong><\/p>\n\n\n\n<h6 class=\"wp-block-heading\">eBPF's killer features are full coverage, non-intrusiveness and programmability<\/h6>\n\n\n\n<p>1. Full coverage<br>Instrumentation points cover both the kernel and applications.<br>2. Non-intrusive<br>No hooked code needs to be modified.<br>3. Programmable<br>eBPF programs are delivered dynamically, instructions are executed dynamically at the edge, and aggregation and analysis are done dynamically.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">Reference links:<\/h5>\n\n\n\n<p>Understand It in One Article | The Ins and Outs of eBPF<br><a href=\"https:\/\/mp.weixin.qq.com\/s\/Rma1sKFzee3WvStl8t8hZA\">https:\/\/mp.weixin.qq.com\/s\/Rma1sKFzee3WvStl8t8hZA<\/a><\/p>\n\n\n\n<p>The Past and Present of eBPF in One Article<br><a href=\"https:\/\/mp.weixin.qq.com\/s\/ww510TUdLG8jd6VzfQnjxw\">https:\/\/mp.weixin.qq.com\/s\/ww510TUdLG8jd6VzfQnjxw<\/a><\/p>\n\n\n\n<p>An Introduction to EBPF<br><a href=\"https:\/\/coolshell.cn\/articles\/22320.html\">https:\/\/coolshell.cn\/articles\/22320.html<\/a><\/p>\n\n\n\n<p>A Gentle Introduction to eBPF<br><a 
href=\"https:\/\/www.infoq.com\/articles\/gentle-linux-ebpf-introduction\/\">https:\/\/www.infoq.com\/articles\/gentle-linux-ebpf-introduction\/<\/a><\/p>\n\n\n\n<p>Linux bcc\/bpf tracing tools<br><a href=\"https:\/\/raw.githubusercontent.com\/iovisor\/bcc\/master\/images\/bcc_tracing_tools_2019.png\">https:\/\/raw.githubusercontent.com\/iovisor\/bcc\/master\/images\/bcc_tracing_tools_2019.png<\/a><\/p>\n\n\n\n<p>A curated list of awesome projects related to eBPF.<br><a href=\"https:\/\/github.com\/zoidbergwill\/awesome-ebpf\">https:\/\/github.com\/zoidbergwill\/awesome-ebpf<\/a><\/p>\n\n\n\n<p>eBPF Explained Simply | 7 Core Questions You Need to Understand<br><a href=\"https:\/\/mp.weixin.qq.com\/s\/Xr8ECrS_fR3aCT1vKJ9yIg\">https:\/\/mp.weixin.qq.com\/s\/Xr8ECrS_fR3aCT1vKJ9yIg<\/a><\/p>\n\n\n\n<p>A Detailed Guide to Observing HTTP with eBPF<br><a href=\"https:\/\/mp.weixin.qq.com\/s\/2ncM-PvN06lSwScvc2Zueg\">https:\/\/mp.weixin.qq.com\/s\/2ncM-PvN06lSwScvc2Zueg<\/a><\/p>\n\n\n\n<p>How to Observe User-space Applications with eBPF<br><a href=\"https:\/\/mp.weixin.qq.com\/s\/7SRHUPer58KlJZhn9y8kDg\">https:\/\/mp.weixin.qq.com\/s\/7SRHUPer58KlJZhn9y8kDg<\/a><\/p>\n\n\n\n<p>Understanding eBPF in One Article | Basic Usage of eBPF<br><a href=\"https:\/\/mp.weixin.qq.com\/s\/V-5k1mX5JRA0lWLXJ2AxpA\">https:\/\/mp.weixin.qq.com\/s\/V-5k1mX5JRA0lWLXJ2AxpA<\/a><\/p>\n\n\n\n<p>Understanding eBPF in One Article | How eBPF Is Implemented<br><a href=\"https:\/\/mp.weixin.qq.com\/s\/rvXIC96iDclB0tRX2JirUg\">https:\/\/mp.weixin.qq.com\/s\/rvXIC96iDclB0tRX2JirUg<\/a><\/p>\n\n\n\n<p>eBPF Technical Report (Part 1)<br><a href=\"https:\/\/mp.weixin.qq.com\/s\/rQ8paKRhS9RTSk2zR1cAEg\">https:\/\/mp.weixin.qq.com\/s\/rQ8paKRhS9RTSk2zR1cAEg<\/a><\/p>\n\n\n\n<p>Tetragon \u2013 Eyes on the Kernel<br><a 
href=\"https:\/\/mp.weixin.qq.com\/s\/0IXlHu0LdQi1ttlcfSz1fg\">https:\/\/mp.weixin.qq.com\/s\/0IXlHu0LdQi1ttlcfSz1fg<\/a><\/p>\n\n\n\n<p>=END=<\/p>\n","protected":false},"excerpt":{"rendered":"<p>=Start= Background: I have wanted to learn about the concepts behind eBPF for a long time, but never had the time or the motivation; recently, with a little spare time [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,11,25],"tags":[1891,1890,820,30,37],"class_list":["post-5373","post","type-post","status-publish","format-standard","hentry","category-knowledgebase-2","category-linux","category-security","tag-bpf","tag-ebpf","tag-hook","tag-linux","tag-security"],"views":3112,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/5373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=5373"}],"version-history":[{"count":1,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/5373\/revisions"}],"predecessor-version":[{"id":5375,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/5373\/revisions\/5375"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=5373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=5373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=5373"}],"curies":[{"name":"wp","href":
"https:\/\/api.w.org\/{rel}","templated":true}]}}