bpftrace vs bcc

| | bpftrace | bcc |
|---|---|---|
| Mentions | 24 | 79 |
| Stars | 7,647 | 20,904 |
| Growth | - | 0.6% |
| Activity | 0.0 | 9.0 |
| Latest commit | about 1 year ago | 8 days ago |
| Language | C++ | C |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
bpftrace
- Why would you still want to use strace in 2023? [video]
- Ask HN: How to measure the latency numbers every programmer should know?
- Securing PyTorch Models with eBPF
In this blog, I will present secimport — a toolkit for creating and running sandboxed applications in Python that utilizes eBPF (bpftrace) to secure Python runtimes.
- Tag Systems
I haven't come across any project like that, but in case anyone wants to implement this and doesn't know where to start, here's a way to do it on a freedesktop-compatible Linux:
- Make a userspace daemon process that adds eBPF tracepoints[0] to the open{,_at} etc. syscalls which match files of your user directories with specific extensions (e.g. .docx).
- Associate PIDs that open those files with their .desktop entries[1].
- Store results in some database like sqlite3.[2]
- Search this database with your favorite interface, like a CLI script or a GNOME shell search provider[3].
I have seen this Rust project on HN which does something similar but with file attribute syscalls; you can use it as a reference: https://github.com/javierhonduco/sweeper
[0]: https://github.com/iovisor/bpftrace
- eBGP tracing for newbie
- [beetrace] Trace your Python process line by line with low overhead!
I develop a Python tool that allows you to trace a Python process line by line, or the functions' entries and returns. It uses USDT (User Statically-Defined Tracing) probes with bpftrace.
- How to check if a Linux server is compromised or rooted?
bpftrace and/or bpfcc-tools can also be useful (dpkg -L bpftrace to see available tools). You can monitor files being opened/written at kernel level (opensnoop*, filelife*, filetop*), connections being established (tcp*bpfcc), etc.
- Beginner questions
- Getting notified when a process runs
Similar to this method is bpftrace: https://github.com/iovisor/bpftrace/blob/master/tools/execsnoop.bt
- Regarding bpftrace vfs_unlink, why can't I monitor the uid, and the obtained value is 0
uname -a Linux ying 5.18.5-200.fc36.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jun 16 14:51:11 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
bcc
- Httptap: View HTTP/HTTPS requests made by any Linux program
It is quite simple to use eBPF with uprobes to hook library calls, for example: https://github.com/iovisor/bcc/blob/master/tools/sslsniff.py
The downside is this doesn't work with anything not using OpenSSL. There are projects like https://github.com/gojue/ecapture which have interceptors for many common libraries, but the downside there is that it needs different code for each library.
I think providing a TLS certificate is fine for the use cases of the tool; most tools won't be doing certificate pinning, but ecapture does support Android where this is more likely.
- Snooping on your GPU: Using eBPF to Build Zero-instrumentation CUDA Monitoring
Enter BCC-memleak. This is an eBPF-based tool that allows the user to find leaking memory by attaching it to a running process. All it took was compiling the leaking library with a debug flag, attaching memleak to my process, and voila. Within 30 minutes I had found the exact function call that was leaking memory, identified how much memory was leaking per call, and opened a PR for a one-line patch.
- Intentrace: Strace for Everyone
- Measuring Function Latency with eBPF
If you are looking for a production-ready tool for function latency measurement, you might want to check out the full implementation available in the BCC repository.
- Capturing SSL/TLS plaintext without a CA certificate using eBPF
- Show HN: Xcapture-bpf – like Linux top, but with x-ray vision
Yeah, I already see limitations, the last one was yesterday when I installed earlier Ubuntu versions to see how far back this can go - and even Ubuntu 22.04 didn't work out of the box, ended up with some BCC/kernel header mismatch issue [1] although the kernel itself supported it. A workaround was to download & compile the latest BCC yourself, but I don't want to go there as the customers/systems I work on wouldn't go there anyway.
But libbpf with CO-RE will solve these issues as I understand, so as long as the kernel supports what you need, the CO-RE binary will work.
This raises another issue for me though, it's not easy, but easier, for enterprises to download and run a single python + single C source file (with <500 code lines to review) than a compiled CO-RE binary, but my long term plan/hope is that I (we) get the RedHats and AWSes of this world to just provide the eventual mature release as a standard package.
[1] https://github.com/iovisor/bcc/issues/3993
- Decoding Network Traffic: The Vital Role of Telemetry in Understanding Network Activity

```sh
git clone https://github.com/iovisor/bcc.git
mkdir bcc/build; cd bcc/build
cmake ..
make
sudo make install
cmake -DPYTHON_CMD=python3 ..  # build python3 binding
pushd src/python/
make
sudo make install
popd
```
- eBPF: Unleashing Kernel Magic for Modern Infrastructure
But wait, there's more! Enter the BCC toolkit and library, your trusty sidekick in simplifying the arcane art of writing eBPF applications. With BCC by your side, you'll be wielding eBPF like a seasoned pro in no time.
- Linux: Easy Keylogger with eBPF (2018)
Nice - I normally use [bash-readline](https://github.com/iovisor/bcc/blob/master/tools/bashreadlin...) when coworking/co-inhabiting a server or training someone.
- eBPF Documentary
One of the big wins is not so much "build and run your own stuff" but that there are very nice low-cost (in terms of compute) performance utilities built on eBPF:
https://github.com/iovisor/bcc
There are so many utilities in that list; there’s a diagram midway down the readme which tries to help show their uses. bcc-tools should be available in any distro.
Also, Brendan Gregg does a ton of performance stuff that is worth knowing about if you check out his other work. Not eBPF only. Flame graphs are useful.
What are some alternatives?
ebpf_exporter - Prometheus exporter for custom eBPF metrics
libbpf - Automated upstream mirror for libbpf stand-alone build.
gyeeta - Gyeeta - An Open Source eBPF based Observability Product for your Infrastructure, Services and Processes. This repository is for the Agent and Server C++ code.
flamegraph - Easy flamegraphs for Rust projects and everything else, without Perl or pipes <3
el7-bpf-specs - RPM specs for building bpf related tools on CentOS 7
ebpf-for-windows - eBPF implementation that runs on top of Windows
OpenCSD - OpenCSD: eBPF Computational Storage Device (CSD) for Zoned Namespace (ZNS) SSDs in QEMU
libbpf-bootstrap - Scaffolding for BPF application development with libbpf and BPF CO-RE
awesome-ebpf - A curated list of awesome projects related to eBPF.
zfs - OpenZFS on Linux and FreeBSD
kubectl-trace - Schedule bpftrace programs on your kubernetes cluster using the kubectl
lexbor - Lexbor is development of an open source HTML Renderer library. https://lexbor.com