From: Andrey Ignatov <rdna@fb.com>
To: Andrii Nakryiko <andrii.nakryiko@gmail.com>
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>, <osandov@fb.com>,
Kernel Team <kernel-team@fb.com>
Subject: Re: [PATCH bpf-next] bpf: Add drgn script to list progs/maps
Date: Thu, 27 Feb 2020 09:38:04 -0800 [thread overview]
Message-ID: <20200227173804.GB29488@rdna-mbp> (raw)
In-Reply-To: <CAEf4BzZo7rmZejxJCT-s3OSiYqMxzP71Q9Xg+x=WFN00Yca0Sw@mail.gmail.com>
Andrii Nakryiko <andrii.nakryiko@gmail.com> [Wed, 2020-02-26 22:28 -0800]:
> On Wed, Feb 26, 2020 at 6:33 PM Andrey Ignatov <rdna@fb.com> wrote:
> >
> > drgn is a debugger that reads kernel memory and uses DWARF to get types
> > and symbols. See [1], [2] and [3] for more details on drgn.
> >
> > Since drgn operates on kernel memory it has access to kernel internals
> > that user space doesn't. It allows to get extended info about various
> > kernel data structures.
> >
> > Introduce bpf.py drgn script to list BPF programs and maps and their
> > properties unavailable to user space via kernel API.
> >
> > The main use-case bpf.py covers is to show BPF programs attached to
> > other BPF programs via freplace/fentry/fexit mechanisms introduced
> > recently. There is no user-space API to get this info and e.g. bpftool
> > can only show all BPF programs but can't show if program A replaces a
> > function in program B.
> >
> > Example:
> >
> > % sudo tools/bpf/bpf.py p | grep test_pkt_access
> > 650: BPF_PROG_TYPE_SCHED_CLS test_pkt_access
> > 654: BPF_PROG_TYPE_TRACING test_main linked:[650->25: BPF_TRAMP_FEXIT test_pkt_access->test_pkt_access()]
> > 655: BPF_PROG_TYPE_TRACING test_subprog1 linked:[650->29: BPF_TRAMP_FEXIT test_pkt_access->test_pkt_access_subprog1()]
> > 656: BPF_PROG_TYPE_TRACING test_subprog2 linked:[650->31: BPF_TRAMP_FEXIT test_pkt_access->test_pkt_access_subprog2()]
> > 657: BPF_PROG_TYPE_TRACING test_subprog3 linked:[650->21: BPF_TRAMP_FEXIT test_pkt_access->test_pkt_access_subprog3()]
> > 658: BPF_PROG_TYPE_EXT new_get_skb_len linked:[650->16: BPF_TRAMP_REPLACE test_pkt_access->get_skb_len()]
> > 659: BPF_PROG_TYPE_EXT new_get_skb_ifindex linked:[650->23: BPF_TRAMP_REPLACE test_pkt_access->get_skb_ifindex()]
> > 660: BPF_PROG_TYPE_EXT new_get_constant linked:[650->19: BPF_TRAMP_REPLACE test_pkt_access->get_constant()]
> >
> > It can be seen that there is a program test_pkt_access, id 650 and there
> > are multiple other tracing and ext programs attached to functions in
> > test_pkt_access.
> >
> > For example the line:
> >
> > 658: BPF_PROG_TYPE_EXT new_get_skb_len linked:[650->16: BPF_TRAMP_REPLACE test_pkt_access->get_skb_len()]
> >
> > means that BPF program new_get_skb_len, id 658, type BPF_PROG_TYPE_EXT
> > replaces (BPF_TRAMP_REPLACE) function get_skb_len() that has BTF id 16
> > in BPF program test_pkt_access, prog id 650.
> >
> > Just very simple output is supported now but it can be extended in the
> > future if needed.
> >
> > The script is extendable and currently implements two subcommands:
> > * prog (alias: p) to list all BPF programs;
> > * map (alias: m) to list all BPF maps;
> >
> > Developer can simply tweak the script to print interesting pieces of programs
> > or maps.
> >
> > The name bpf.py is not super authentic. I'm open to better options.
>
> Just to throw another name into consideration: bpf_inspect.py?
bpf_inspect.py is good as well. That's probably better than bpfshow.py
since "inspect" better describes the goal of the script.
I'll use this name unless someone proposes a better one.
> > The script can be sent to drgn repo where it's easier to maintain its
> > "drgn-ness", but in kernel tree it should be easier to maintain BPF
> > functionality itself what can be more important in this case.
>
> Unless it's regularly exercised as part of selftests, it will still break, IMO.
Yep, it may break especially since it relies on kernel internals. At
the same time I'm not sure it's worth spending time on selftest for the
script _now_:
* I don't know how useful the script will be for folks in general, if it
turns out to be useful, I can follow up with a test later.
* It will bring drgn dependency into the tests that will need to be
figured out separately (e.g. it can be optional but in this case the
test will be skipped most of the time).
But we can come back to it in the future.
> > The script depends on drgn revision [4] where BPF helpers were added.
> >
> > More examples of output:
> >
> > % sudo tools/bpf/bpf.py p | shuf -n 3
> > 81: BPF_PROG_TYPE_CGROUP_SOCK_ADDR tw_ipt_bind
> > 94: BPF_PROG_TYPE_CGROUP_SOCK_ADDR tw_ipt_bind
> > 43: BPF_PROG_TYPE_KPROBE kprobe__tcp_reno_cong_avoid
> >
> > % sudo tools/bpf/bpf.py m | shuf -n 3
> > 213: BPF_MAP_TYPE_HASH errors
> > 30: BPF_MAP_TYPE_ARRAY sslwall_setting
> > 41: BPF_MAP_TYPE_LRU_HASH flow_to_snd
> >
> > Help:
> >
> > % sudo tools/bpf/bpf.py
> > usage: bpf.py [-h] {prog,p,map,m} ...
> >
> > drgn script to list BPF programs or maps and their properties
> > unavailable via kernel API.
> >
> > See https://github.com/osandov/drgn/ for more details on drgn.
> >
> > optional arguments:
> > -h, --help show this help message and exit
> >
> > subcommands:
> > {prog,p,map,m}
> > prog (p) list BPF programs
> > map (m) list BPF maps
> >
> > [1] https://github.com/osandov/drgn/
> > [2] https://urldefense.proofpoint.com/v2/url?u=https-3A__drgn.readthedocs.io_en_latest_index.html&d=DwIBaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=3jAokpHyGuCuJ834j-tttQ&m=-2VO-M__tHrQ5sFnwPDqT5b28akZ_J1zEqXg9uejcL8&s=HlNywgEgwjqMVZo67TSoHZtynK-CsqLnbh7cYLH5znI&e=
> > [3] https://urldefense.proofpoint.com/v2/url?u=https-3A__lwn.net_Articles_789641_&d=DwIBaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=3jAokpHyGuCuJ834j-tttQ&m=-2VO-M__tHrQ5sFnwPDqT5b28akZ_J1zEqXg9uejcL8&s=uZSwKs3POR6r0nammsbhxvPur0RXFMa9w2cAnjq4Q_A&e=
> > [4] https://github.com/osandov/drgn/commit/c8ef841768032e36581d45648e42fc2a5489d8f2
> >
> > Signed-off-by: Andrey Ignatov <rdna@fb.com>
> > ---
> > tools/bpf/bpf.py | 149 +++++++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 149 insertions(+)
> > create mode 100755 tools/bpf/bpf.py
> >
>
> [...]
--
Andrey Ignatov
next prev parent reply other threads:[~2020-02-27 17:38 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-27 2:32 [PATCH bpf-next] bpf: Add drgn script to list progs/maps Andrey Ignatov
2020-02-27 5:45 ` Song Liu
2020-02-27 17:01 ` Andrey Ignatov
2020-02-27 6:27 ` Andrii Nakryiko
2020-02-27 17:38 ` Andrey Ignatov [this message]
2020-02-27 18:01 ` Stanislav Fomichev
2020-02-27 18:26 ` Andrey Ignatov
2020-02-27 21:11 ` Daniel Borkmann
2020-02-27 21:32 ` Daniel Borkmann
2020-02-27 22:19 ` Omar Sandoval
2020-02-28 20:11 ` Andrey Ignatov
2020-02-28 21:29 ` Andrey Ignatov
2020-02-28 12:51 ` Quentin Monnet
2020-02-28 20:15 ` Andrey Ignatov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200227173804.GB29488@rdna-mbp \
--to=rdna@fb.com \
--cc=andrii.nakryiko@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=osandov@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox