rbbcc 0.11.6 → 0.11.7

data/docs/answers/11-vfsreadlat.rb

@@ -1,66 +0,0 @@
-#!/usr/bin/env ruby
-#
-# Original: from vfsreadlat.py
-# Copyright (c) 2015 Brendan Gregg.
-# Licensed under the Apache License, Version 2.0 (the "License")
-# Ruby version follows.
-#
-# vfsreadlat.rb		VFS read latency distribution.
-#			For Linux, uses BCC, eBPF. See .c file.
-#
-# Written as a basic example of a function latency distribution histogram.
-#
-# USAGE: vfsreadlat.rb [interval [count]]
-#
-# The default interval is 5 seconds. A Ctrl-C will print the partially
-# gathered histogram then exit.
-
-require "rbbcc"
-include RbBCC
-
-def usage
-  puts("USAGE: %s [interval [count]]" % $0)
-  exit
-end
-
-# arguments
-interval = 5
-count = -1
-if ARGV.size > 0
-  begin
-    interval = ARGV[0].to_i
-    raise if interval == 0
-    count = ARGV[1].to_i if ARGV[1]
-  rescue	=> e # also catches -h, --help
-    usage()
-  end
-end
-
-# load BPF program
-b = BCC.new(src_file: "11-vfsreadlat.c")
-b.attach_kprobe(event: "vfs_read", fn_name: "do_entry")
-b.attach_kretprobe(event: "vfs_read", fn_name: "do_return")
-
-# header
-print("Tracing... Hit Ctrl-C to end.")
-
-# output
-cycle = 0
-do_exit = false
-loop do
-  if count > 0
-    cycle += 1
-    exit if cycle > count
-  end
-
-  begin
-    sleep(interval)
-  rescue Interrupt
-    do_exit = true
-  end
-
-  puts
-  b["dist"].print_log2_hist("usecs")
-  b["dist"].clear
-  exit if do_exit
-end

data/docs/answers/12-urandomread.rb

@@ -1,38 +0,0 @@
-#!/usr/bin/env ruby
-#
-# urandomread.rb Example of instrumenting a kernel tracepoint.
-#                For Linux, uses BCC, BPF. Embedded C.
-#
-# REQUIRES: Linux 4.7+ (BPF_PROG_TYPE_TRACEPOINT support).
-#
-# Test by running this, then in another shell, run:
-#     dd if=/dev/urandom of=/dev/null bs=1k count=5
-#
-# Original urandomread.py Copyright 2016 Netflix, Inc.
-# Licensed under the Apache License, Version 2.0 (the "License")
-# Ruby version follows.
-
-require 'rbbcc'
-include RbBCC
-
-b = BCC.new(text: <<BPF)
-TRACEPOINT_PROBE(random, urandom_read) {
-    // args is from /sys/kernel/debug/tracing/events/random/urandom_read/format
-    bpf_trace_printk("%d\\n", args->got_bits);
-    return 0;
-}
-BPF
-
-# header
-puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "GOTBITS"])
-
-# format output
-loop do
-  begin
-    b.trace_fields do |task, pid, cpu, flags, ts, msg|
-      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
-    end
-  rescue Interrupt
-    exit
-  end
-end

data/docs/answers/13-disksnoop_fixed.rb

@@ -1,108 +0,0 @@
-#!/usr/bin/env ruby
-#
-# disksnoop_fixed.rb	Trace block device I/O: basic version of iosnoop.
-#		For Linux, uses BCC, eBPF. Embedded C.
-# This is ported from original disksnoop.py
-#
-# Written as a basic example of tracing latency.
-#
-# Licensed under the Apache License, Version 2.0 (the "License")
-#
-# 11-Aug-2015	Brendan Gregg	Created disksnoop.py
-
-=begin
-name: block_rq_issue
-ID: 1093
-format:
-        field:unsigned short common_type;       offset:0;       size:2; signed:0;
-        field:unsigned char common_flags;       offset:2;       size:1; signed:0;
-        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
-        field:int common_pid;   offset:4;       size:4; signed:1;
-
-        field:dev_t dev;        offset:8;       size:4; signed:0;
-        field:sector_t sector;  offset:16;      size:8; signed:0;
-        field:unsigned int nr_sector;   offset:24;      size:4; signed:0;
-        field:unsigned int bytes;       offset:28;      size:4; signed:0;
-        field:char rwbs[8];     offset:32;      size:8; signed:1;
-        field:char comm[16];    offset:40;      size:16;        signed:1;
-        field:__data_loc char[] cmd;    offset:56;      size:4; signed:1;
-
-print fmt: "%d,%d %s %u (%s) %llu + %u [%s]", ((unsigned int) ((REC->dev) >> 20)), ((unsigned int) ((REC->dev) & ((1U << 20) - 1))), REC->rwbs, REC->bytes, __get_str(cmd), (unsigned long long)REC->sector, REC->nr_sector, REC->comm
-
-name: block_rq_complete
-ID: 1095
-format:
-        field:unsigned short common_type;       offset:0;       size:2; signed:0;
-        field:unsigned char common_flags;       offset:2;       size:1; signed:0;
-        field:unsigned char common_preempt_count;       offset:3;       size:1; signed:0;
-        field:int common_pid;   offset:4;       size:4; signed:1;
-
-        field:dev_t dev;        offset:8;       size:4; signed:0;
-        field:sector_t sector;  offset:16;      size:8; signed:0;
-        field:unsigned int nr_sector;   offset:24;      size:4; signed:0;
-        field:int error;        offset:28;      size:4; signed:1;
-        field:char rwbs[8];     offset:32;      size:8; signed:1;
-        field:__data_loc char[] cmd;    offset:40;      size:4; signed:1;
-
-print fmt: "%d,%d %s (%s) %llu + %u [%d]", ((unsigned int) ((REC->dev) >> 20)), ((unsigned int) ((REC->dev) & ((1U << 20) - 1))), REC->rwbs, __get_str(cmd), (unsigned long long)REC->sector, REC->nr_sector, REC->error
-
-in kernel 5.0.
-This implementation shows the count of sector.
-=end
-
-require 'rbbcc'
-include RbBCC
-
-# load BPF program
-b = BCC.new(text: <<CLANG)
-#include <uapi/linux/ptrace.h>
-#include <linux/blkdev.h>
-
-BPF_HASH(start, u32);
-
-TRACEPOINT_PROBE(block, block_rq_issue) {
-  // stash start timestamp by request ptr
-  u64 ts = bpf_ktime_get_ns();
-  u32 tid = bpf_get_current_pid_tgid();
-
-  start.update(&tid, &ts);
-  return 0;
-}
-
-TRACEPOINT_PROBE(block, block_rq_complete) {
-  u64 *tsp, delta;
-  u32 tid = bpf_get_current_pid_tgid();
-
-  tsp = start.lookup(&tid);
-  if (tsp != 0) {
-    char dst[8];
-    int i;
-    delta = bpf_ktime_get_ns() - *tsp;
-    if (bpf_probe_read_str(dst, sizeof(dst), args->rwbs) < 0) {
-      dst[0] = '?';
-      for(i = 1; i < sizeof(dst); ++i)
-        dst[i] = 0;
-    }
-    bpf_trace_printk("%d %s %d\\n", args->nr_sector,
-        dst, delta / 1000);
-    start.delete(&tid);
-  }
-  return 0;
-}
-CLANG
-
-# header
-puts("%-18s %-8s %-7s %8s" % ["TIME(s)", "RWBS", "SECTORS", "LAT(ms)"])
-
-# format output
-loop do
-  begin
-    task, pid, cpu, flags, ts, msg = b.trace_fields
-    sector_s, rwbs, us_s = msg.split
-    ms = us_s.to_i.to_f / 1000
-
-    puts("%-18.9f %-8s %-7s %8.2f" % [ts, rwbs, sector_s, ms])
-  rescue Interrupt
-    exit
-  end
-end

data/docs/answers/14-strlen_count.rb

@@ -1,46 +0,0 @@
-require 'rbbcc'
-include RbBCC
-
-# load BPF program
-b = BCC.new(text: <<BPF)
-#include <uapi/linux/ptrace.h>
-
-struct key_t {
-    char c[80];
-};
-BPF_HASH(counts, struct key_t);
-
-int count(struct pt_regs *ctx) {
-    if (!PT_REGS_PARM1(ctx))
-        return 0;
-
-    struct key_t key = {};
-    u64 zero = 0, *val;
-
-    bpf_probe_read(&key.c, sizeof(key.c), (void *)PT_REGS_PARM1(ctx));
-    // could also use `counts.increment(key)`
-    val = counts.lookup_or_try_init(&key, &zero);
-    if (val) {
-      (*val)++;
-    }
-    return 0;
-};
-BPF
-b.attach_uprobe(name: "c", sym: "strlen", fn_name: "count")
-
-# header
-print("Tracing strlen()... Hit Ctrl-C to end.")
-
-# sleep until Ctrl-C
-begin
-  sleep(99999999)
-rescue Interrupt
-  puts
-end
-
-# print output
-puts("%10s %s" % ["COUNT", "STRING"])
-counts = b.get_table("counts")
-counts.items.sort_by{|k, v| v.to_bcc_value }.each do |k, v|
-  puts("%10d %s" % [v.to_bcc_value, k.to_bcc_value.c])
-end

data/docs/answers/15-nodejs_http_server.rb

@@ -1,44 +0,0 @@
-require 'rbbcc'
-include RbBCC
-
-if ARGV.size != 1
-  print("USAGE: #{$0} PID")
-  exit()
-end
-pid = ARGV[0]
-debug = !!ENV['DEBUG']
-
-# load BPF program
-bpf_text = <<BPF
-#include <uapi/linux/ptrace.h>
-int do_trace(struct pt_regs *ctx) {
-    uint64_t addr;
-    char path[128]={0};
-    bpf_usdt_readarg(6, ctx, &addr);
-    bpf_probe_read(&path, sizeof(path), (void *)addr);
-    bpf_trace_printk("path:%s\\n", path);
-    return 0;
-};
-BPF
-
-# enable USDT probe from given PID
-u = USDT.new(pid: pid.to_i)
-u.enable_probe(probe: "http__server__request", fn_name: "do_trace")
-if debug
-  puts(u.get_text)
-  puts(bpf_text)
-end
-
-# initialize BPF
-b = BCC.new(text: bpf_text, usdt_contexts: [u])
-
-puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "ARGS"])
-loop do
-  begin
-    b.trace_fields do |task, pid, cpu, flags, ts, msg|
-      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
-    end
-  rescue Interrupt
-    exit
-  end
-end

data/docs/answers/16-task_switch.c

@@ -1,23 +0,0 @@
-#include <uapi/linux/ptrace.h>
-#include <linux/sched.h>
-
-struct key_t {
-    u32 prev_pid;
-    u32 curr_pid;
-};
-
-BPF_HASH(stats, struct key_t, u64, 1024);
-int count_sched(struct pt_regs *ctx, struct task_struct *prev) {
-    struct key_t key = {};
-    u64 zero = 0, *val;
-
-    key.curr_pid = bpf_get_current_pid_tgid();
-    key.prev_pid = prev->pid;
-
-    // could also use `stats.increment(key);`
-    val = stats.lookup_or_try_init(&key, &zero);
-    if (val) {
-      (*val)++;
-    }
-    return 0;
-}

data/docs/answers/16-task_switch.rb

@@ -1,17 +0,0 @@
-#!/usr/bin/env ruby
-# Original task_switch.rb Copyright (c) PLUMgrid, Inc.
-# Licensed under the Apache License, Version 2.0 (the "License")
-
-require 'rbbcc'
-include RbBCC
-
-b = BCC.new(src_file: "16-task_switch.c")
-b.attach_kprobe(event: "finish_task_switch", fn_name: "count_sched")
-
-# generate many schedule events
-100.times { sleep 0.01 }
-
-b["stats"].each do |_k, v|
-  k = _k[0, 8].unpack("i! i!") # Handling pointer without type!!
-  puts("task_switch[%5d->%5d]=%u" % [k[0], k[1], v.to_bcc_value])
-end

data/docs/answers/node-server.js

@@ -1,11 +0,0 @@
-var http = require("http");
-
-var server = http.createServer(function (req, res) {
-    res.writeHead(200, {"Content-Type": "text/plain"});
-    res.end("Sample node.js server, returns contents in any path.\n");
-});
-
-var port = process.env.PORT || 8081;
-server.listen(port, function() {
-    console.log("Do curl http://localhost:" + port);
-});

data/docs/getting_started.md

@@ -1,154 +0,0 @@
-# Getting Started
-
-RbBCC is a project to utilize the power of eBPF/BCC from Ruby.
-
-## Setup
-
-RbBCC requires `libbcc.so` version **0.11.0 or 0.10.0**(we plan to support newer version of libbcc, such as 0.12.0; but it may be done after rbbcc 1.0...).
-
-BTW we do not need to install header files, becuase current version of RbBCC uses the functionality of libbcc via ffi(We use MRI's standard library **fiddle**, not external gems).
-
-We can install this shared library via package `libbcc` from official iovisor project repo:
-
-```console
-# e.g. In Ubuntu:
-$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
-$ echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
-$ sudo apt-get update
-$ sudo apt-get install libbcc
-```
-
-For more imformation, see [bcc's official doc](https://github.com/iovisor/bcc/blob/master/INSTALL.md).
-
-After installed libbcc, you can create project hierarchy like:
-
-```
-.
-├── Gemfile
-└── tools
-    └── hello_world.rb
-```
-
-with `Gemfile` below:
-
-```ruby
-source "https://rubygems.org"
-
-gem "rbbcc"
-```
-
-Then run `bundle install`.
-
-### With docker
-
-_TBD_
-
-## Hello world from Linux kernel!
-
-Creating `tools/hello_world.rb` as:
-
-```ruby
-#!/usr/bin/env ruby
-
-require 'rbbcc'
-include RbBCC
-
-text = <<CLANG
-int kprobe__sys_clone(void *ctx)
-{
-  bpf_trace_printk("Hello, World!\\n");
-  return 0;
-}
-CLANG
-
-b = BCC.new(text: text)
-printf("%-18s %-16s %-6s %s\n", "TIME(s)", "COMM", "PID", "value")
-
-b.trace_fields do |task, pid, cpu, flags, ts, msg|
-  printf("%-18.9f %-16s %-6d %s", ts, task, pid, msg)
-end
-```
-
-Then invoke this Ruby script. BCC requires to run as a priveleged user.
-
-```console
-$ sudo bundle exec ruby tools/hello_world.rb                                       
-Found fnc: kprobe__sys_clone
-Attach: p___x64_sys_clone
-TIME(s)            COMM             PID    value
-```
-
-Open another terminal and hit commands, like `curl https://www.ruby-lang.org/`.
-
-Then RbBCC process displays what kind of program invokes another program with message `Hello, World`.
-
-```console
-TIME(s)            COMM             PID    value
-109979.625639000   bash             7591   Hello, World!
-109979.632267000   curl             29098  Hello, World!
-109981.467914000   bash             7591   Hello, World!
-109981.474290000   curl             29100  Hello, World!
-109984.913358000   bash             7591   Hello, World!
-109984.921165000   curl             29102  Hello, World!
-...
-```
-
-These lines are displayed by a kernel hook of `clone(2)(internally: sys_clone)` call. The bash command like `curl, grep, ping...` internally call `sys_clone` to fork new processes, and RbBCC traces these kernel calls with a very small cost.
-
-Then, change the Ruby(and internal C) codes into this like:
-
-```ruby
-#!/usr/bin/env ruby
-
-require 'rbbcc'
-include RbBCC
-
-text = <<CLANG
-#include <uapi/linux/ptrace.h>
-
-int printret(struct pt_regs *ctx) {
-  char str[80] = {};
-  u32 pid;
-  if (!PT_REGS_RC(ctx))
-      return 0;
-  pid = bpf_get_current_pid_tgid();
-  bpf_probe_read(&str, sizeof(str), (void *)PT_REGS_RC(ctx));
-  bpf_trace_printk("[%d]input: %s\\n", pid, str);
-
-  return 0;
-};
-CLANG
-
-b = BCC.new(text: text)
-b.attach_uretprobe(name: "/bin/bash", sym: "readline", fn_name: "printret")
-
-printf("%-18s %-16s %s\n", "TIME(s)", "COMM", "value")
-b.trace_fields do |task, pid, cpu, flags, ts, msg|
-  printf("%-18.9f %-16s %s", ts, task, msg)
-end
-```
-
-Run again:
-
-```console
-$ sudo bundle exec ruby tools/hello_world.rb                                       
-Found fnc: printret
-Attach: p__bin_bash_0xad900
-TIME(s)            COMM             value
-```
-
-And open another "bash" terminal again. When you hit a command to this bash in any session, any input strings are snooped and shown in the tracing process. This is all of the trace result of return in `readline()` function from user program "bash". RbBCC can detect where and how it occurs.
-
-```console
-TIME(s)            COMM             value
-1554.284390000     bash             [5457]input: curl localhost
-1559.425699000     bash             [5457]input: ping 8.8.8.8
-1565.805870000     bash             [5457]input: sudo cat /etc/passwd
-...
-```
-
-----
-
-For more use case and information. Please see [`examples`](../examples/) directory and (especially for C API) BCC's official document.
-
-* [bcc Reference Guide](https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md)

data/docs/projects_using_rbbcc.md

@@ -1,43 +0,0 @@
-# Projects Using RbBCC
-
-## bpfql
-
-[bpfql](https://github.com/udzura/bpfql) is a tool to run an eBPF tracing query, using YAML or Ruby DSL.
-
-```ruby
-BPFQL do
-  select "*"
-  from "tracepoint:random:urandom_read"
-  where "comm", is: "ruby"
-end
-```
-
-```console
-$ sudo bundle exec bpfql examples/random.rb
-Found fnc: tracepoint__random__urandom_read
-Attach: random:urandom_read
-TS                 COMM             PID    GOT_BITS POOL_LEFT INPUT_LEFT
-0.000000000        ruby             32485  128      0        2451
-0.002465663        ruby             32485  128      0        2451
-^CExiting bpfql...
-```
-
-See [its repo](https://github.com/udzura/bpfql) for more details.
-
-## rack-ebpf and rack application tracing
-
-[rack-ebpf](https://github.com/udzura/rack-ebpf) is a rack middleware that invoke USDT probes every time start/end the requests.
-
-Combine this rack middleware and `rack-ebpf-run` command, we can trace and analyze system stats per request.
-
-e.g.
-
-* Count of syscall invocations(like read, write) per request
-* Consumed time for syscall ops(like read, write) per request
-* Created Ruby objects per request, using Ruby itself's USDT (this requires ruby itself as `--enable-dtrace` build)
-
-For detailed usage, see [rack-ebpf's repo](https://github.com/udzura/rack-ebpf)
-
-----
-
-Also we're going to prepare some BCC tools made with Ruby. TBA!