Operating Systems 2019W: Tutorial 7

From Soma-notes
Jump to navigation Jump to search

In this tutorial you will be working with bcc-tools, a set of tools that is part of the BPF Compiler Collection (BCC). BCC programs are a combination of C and Python. The C code is compiled at runtime into eBPF bytecode; this code is then uploaded to the kernel and interfaced with by a Python program.


To install bcc-tools on an Ubuntu 18.04 system (such as your openstack VM), do the following:

# become root, do the rest of the commands below as root
sudo su -

# update your system
apt update
apt dist-upgrade
apt clean
apt autoremove

# import the key for the iovisor repository
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD

# add the iovisor repository to apt
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/iovisor.list

# update the package list and install the necessary packages
apt update
apt install bcc-tools libbcc-examples linux-headers-$(uname -r)

# add the bcc tools to root's path.  Log out and log back in again as root to enable
# for example, type exit (to become a regular user) and then run "sudo su -"
echo "export PATH=/usr/share/bcc/tools:\$PATH" >> /root/.profile

There is an older version of BCC the the standard Ubuntu repositories in the bpfcc-tools package. Please do not install this as it seems to have significant bugs. If you've previously uninstalled it, you'll need to uninstall before following the steps above. (Distributions newer than Ubuntu 18.04 may have a more up-to-date version of BCC, check your repositories.)

If you wish to install bcc-tools on a system running something other than Ubuntu 18.04, follow these directions.

UNIX command review

Don't forget about these commands!

  • which
  • tty
  • ps aux (shows tty's for processes)


You'll need root access to upload eBPF scripts to the kernel. Thus, run all of the following as root, either using "sudo" or a root shell you got via "sudo su -".


opensnoop lets you see every every open on the system.

  • Run "opensnoop". If you have the x2go server running you may see a lot of activity. Try running "service x2goserver stop" to turn it off (assuming you are not using x2go!).
  • Run "opensnoop -x". Run some commands and see how many failed opens there are. Why do you think there are so many?
  • Look at the code of opensnoop. What kernel events is it monitoring? Hint: look at the calls to attach_kprobe and attach_kretprobe.


bashreadline lets you see what commands are typed in to bash on any process on the system. It does so by intercepting calls to readline.

  • Run "bashreadline" and observe the commands that are entered in other terminals (you'll have to have multiple shells running on your VM).
  • Can you trivially modify bashreadline to observe what is entered in other programs that use readline, such as bc and gdb? You may need to specify the location of the readline shared library (remember ldd!).


ttysnoop allows you to observe what is being entered on other tty's.

  • How do you figure out the tty associated with another ssh connection or window? How can you find out all of the pseudo tty's that have been allocated on the system?
  • Notice how the output of some programs (e.g., top) are truncated. Looking at the code of ttysnoop and doing an strace of the program, can you figure out why output is being truncated?
  • Can you (easily) reduce or eliminate the truncation? Why or why not?


killsnoop reports on calls to the kill system call.

  • Send a process a signal using "kill". Try sending the TERM, STOP, and KILL signals. Are these all picked up by killsnoop?
  • Type Ctrl-C at the command line. Note that sometimes it generates a signal, sometimes it doesn't. What happens when your own program gets Ctrl-C? Can you change whether or not typing Ctrl-C generates a signal?
  • Put a process into the background using Ctrl-Z and bring it back to the foreground using fg. Were there any calls to kill?
  • strace a process. Do you see any kill system calls?


syscount counts system calls

  • What are the frequent system calls when the system is idle (you aren't doing anything on the command line)?
  • What programs are generating the most system calls?
  • What system calls are slow (have high latency)?
  • Are there many system calls failing?

Note that you may want to connect to your VM using x2go for this part as then you'll have a desktop's worth of processes to observe.


trace allows you to write simple eBPF scripts on the command line.

  • Run the man page example of trace that imitates opensnoop.
  • Run the man page example of trace that imitates bashreadline.
  • Get the user stack when intercepting calls to readline in bash.
  • Get the kernel stack when intercepting calls to readline in bash.
  • Use trace to implement a version of killsnoop.