Operating Systems 2019W: Tutorial 7

From Soma-notes
Revision as of 13:47, 16 March 2019 by Soma

This tutorial is still in development. Please do not work on this material just yet!

In this tutorial you will be working with bcc-tools, a set of tools that is part of the BPF Compiler Collection (BCC). BCC programs are a combination of C and Python. The C code is compiled at runtime into eBPF bytecode; this code is then uploaded to the kernel and interfaced with by a Python program.

Installation

To install bcc-tools on an Ubuntu 18.04 system (such as your openstack VM), do the following:

# become root, do the rest of the commands below as root
sudo su -

# update your system
apt update
apt dist-upgrade
apt clean
apt autoremove

# import the key for the iovisor repository
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD

# add the iovisor repository to apt
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/iovisor.list

# update the package list and install the necessary packages
apt update
apt install bcc-tools libbcc-examples linux-headers-$(uname -r)

# add the bcc tools to root's path.  Log out and log back in again as root to enable
echo "export PATH=/usr/share/bcc/tools:\$PATH" >> /root/.profile

There is an older version of BCC in the standard Ubuntu repositories, in the bpfcc-tools package. Please do not install this, as it seems to have significant bugs. If you've previously installed it, you'll need to uninstall it before following the steps above. (Distributions newer than Ubuntu 18.04 may have a more up-to-date version of BCC; check your repositories.)

If you wish to install bcc-tools on a system running something other than Ubuntu 18.04, follow these directions.

Tools

You'll need root access to upload eBPF scripts to the kernel. Thus, run all of the following as root, either using "sudo" or a root shell you got via "sudo su -".

opensnoop

opensnoop lets you see every open on the system.

  • Run "opensnoop". If you have the x2go server running you may see a lot of activity. Try running "service x2goserver stop" to turn it off (assuming you are not using x2go!).
  • Run "opensnoop -x". Run some commands and see how many failed opens there are. Why do you think there are so many?
  • Look at the code of opensnoop. What kernel events is it monitoring? Hint: look at the calls to attach_kprobe and attach_kretprobe.
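To make the kprobe/kretprobe pairing concrete, here is an added example (written for this tutorial, not taken from opensnoop or the BCC project) that does what "opensnoop -x" does: it hooks the entry of the kernel's do_sys_open to grab the filename, hooks its return to grab the result, and only reports the calls that failed, with the errno name instead of a bare negative number. It assumes the 4.15 kernel of Ubuntu 18.04, where do_sys_open is the function opensnoop attaches to; the helper names (describe_failure, format_event) are our own.

```python
#!/usr/bin/env python3
# Added example: a "failed opens only" tracer in the style of opensnoop -x.
# Not part of the tutorial or of BCC; assumes do_sys_open exists in the
# running kernel (true for Ubuntu 18.04's 4.15 kernel) and bcc is installed.
import errno
import os
import sys

# eBPF program, compiled by BCC at runtime. The entry and return probes share
# the caller's pid/tid through a hash so the return value can be joined with
# the filename captured on entry.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <uapi/linux/limits.h>
#include <linux/sched.h>

struct val_t {
    u64 id;
    char comm[TASK_COMM_LEN];
    const char *fname;
};

struct data_t {
    u64 id;
    int ret;
    char comm[TASK_COMM_LEN];
    char fname[NAME_MAX];
};

BPF_HASH(infotmp, u64, struct val_t);
BPF_PERF_OUTPUT(events);

// kprobe: runs when do_sys_open is entered; remember who called it and with what
int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename) {
    struct val_t val = {};
    u64 id = bpf_get_current_pid_tgid();
    if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
        val.id = id;
        val.fname = filename;
        infotmp.update(&id, &val);
    }
    return 0;
}

// kretprobe: runs when do_sys_open returns; emit only failures (negative errno)
int trace_return(struct pt_regs *ctx) {
    u64 id = bpf_get_current_pid_tgid();
    struct val_t *valp = infotmp.lookup(&id);
    if (valp == 0)
        return 0;                      // entry was missed (probe attached mid-call)
    int ret = PT_REGS_RC(ctx);
    infotmp.delete(&id);
    if (ret >= 0)
        return 0;                      // successful open: not interesting here
    struct data_t data = {};
    data.id = id;
    data.ret = ret;
    bpf_probe_read(&data.comm, sizeof(data.comm), valp->comm);
    bpf_probe_read_str(&data.fname, sizeof(data.fname), (void *)valp->fname);
    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}
"""


def describe_failure(ret):
    """Map a negative kernel return value to its errno name (pure Python, no kernel needed)."""
    code = -ret
    return errno.errorcode.get(code, "E?%d" % code)


def format_event(pid, comm, ret, fname):
    """One output line: pid, process name, errno name, path."""
    return "%-6d %-16s %-8s %s" % (pid, comm, describe_failure(ret), fname)


def main():
    from bcc import BPF   # imported here so the helpers above work without bcc or root
    if os.geteuid() != 0:
        sys.exit("eBPF programs can only be loaded as root")
    b = BPF(text=BPF_PROGRAM)
    b.attach_kprobe(event="do_sys_open", fn_name="trace_entry")
    b.attach_kretprobe(event="do_sys_open", fn_name="trace_return")

    def handle(cpu, data, size):
        e = b["events"].event(data)
        # upper 32 bits of the id are the tgid, i.e. the pid as ps reports it
        print(format_event(e.id >> 32, e.comm.decode(errors="replace"),
                           e.ret, e.fname.decode(errors="replace")))

    print("%-6s %-16s %-8s %s" % ("PID", "COMM", "ERR", "PATH"))
    b["events"].open_perf_buffer(handle)
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            break


if __name__ == "__main__":
    main()
```

Run it as root in one terminal and run a few commands in another; most of the failures you see are ENOENT, because libraries, locale files and configuration files are looked up along a search path and every miss before the hit is a failed open. On kernels newer than 4.15, do_sys_open may no longer be a stable symbol, which is exactly why opensnoop's own source checks which attach point to use.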

bashreadline

bashreadline lets you see what commands are typed into bash in any process on the system. It does so by intercepting calls to readline.

  • Run "bashreadline" and observe the commands that are entered in other terminals (you'll have to have multiple shells running on your VM).
  • Can you trivially modify bashreadline to observe what is entered in other programs that use readline, such as bc and gdb? You may need to specify the location of the readline shared library (remember ldd!).
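The second question above (following readline into bc, gdb and friends) comes down to where the uretprobe is attached: Ubuntu's bash has readline linked in statically, so bashreadline probes /bin/bash itself, while bc and gdb get readline from the shared libreadline, so the probe has to go on that library instead. The added example below (ours, not the tutorial's or BCC's bashreadline) does that: it runs ldd on the target binary, picks out the resolved libreadline path if there is one, and otherwise probes the binary directly. The function names and the sample ldd output are ours; the library path in the sample is constructed to look like an Ubuntu 18.04 system and is not read from any real machine.

```python
#!/usr/bin/env python3
# Added example: a readline snooper that works for any binary, whether readline
# is linked statically (bash on Ubuntu) or comes from the shared libreadline
# (bc, gdb). Not part of the tutorial or BCC; the SAMPLE_LDD text is constructed.
import os
import subprocess
import sys

BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>

struct str_t {
    u64 pid;
    char comm[TASK_COMM_LEN];
    char str[80];
};

BPF_PERF_OUTPUT(events);

// uretprobe: readline() has returned; its return value is a pointer to the
// line the user typed, living in the traced process's memory.
int printret(struct pt_regs *ctx) {
    struct str_t data = {};
    if (!PT_REGS_RC(ctx))
        return 0;                      // NULL means EOF, nothing to show
    data.pid = bpf_get_current_pid_tgid() >> 32;
    bpf_get_current_comm(&data.comm, sizeof(data.comm));
    bpf_probe_read_str(&data.str, sizeof(data.str), (void *)PT_REGS_RC(ctx));
    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}
"""

# Constructed sample of what `ldd /usr/bin/bc` looks like on Ubuntu 18.04
# (addresses and paths made up for the example).
SAMPLE_LDD = """\
        linux-vdso.so.1 (0x00007ffd12345000)
        libreadline.so.7 => /lib/x86_64-linux-gnu/libreadline.so.7 (0x00007f1234567000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1234000000)
"""


def find_shared_lib(ldd_output, name):
    """Return the resolved path of the library whose name starts with `name`
    from `ldd` output, or None if the binary does not load it dynamically."""
    for line in ldd_output.splitlines():
        line = line.strip()
        if line.startswith(name) and "=>" in line:
            target = line.split("=>", 1)[1].strip().split(" ", 1)[0]
            if target.startswith("/"):
                return target
    return None


def probe_target(binary, library=None):
    """Decide where the uretprobe goes: an explicitly given library, else the
    shared libreadline the binary loads, else the binary itself (static link)."""
    if library:
        return library
    # stdout=PIPE/universal_newlines rather than capture_output: 18.04 ships Python 3.6
    ldd = subprocess.run(["ldd", binary], stdout=subprocess.PIPE,
                         universal_newlines=True).stdout
    return find_shared_lib(ldd, "libreadline") or binary


def main(argv):
    from bcc import BPF   # imported here so the helpers above can be used without bcc or root
    if os.geteuid() != 0:
        sys.exit("uprobes must be attached as root")
    binary = argv[1] if len(argv) > 1 else "/bin/bash"
    library = argv[2] if len(argv) > 2 else None
    target = probe_target(binary, library)
    print("attaching uretprobe to readline in %s" % target)

    b = BPF(text=BPF_PROGRAM)
    b.attach_uretprobe(name=target, sym="readline", fn_name="printret")

    def handle(cpu, data, size):
        e = b["events"].event(data)
        print("%-6d %-16s %s" % (e.pid, e.comm.decode(errors="replace"),
                                  e.str.decode(errors="replace")))

    b["events"].open_perf_buffer(handle)
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            break


if __name__ == "__main__":
    main(sys.argv)
```

"./readlinesnoop.py /usr/bin/bc" probes the shared library, so it sees every process that uses that library, not just bc; "./readlinesnoop.py /bin/bash" behaves like bashreadline. Because a uprobe on a shared library fires for every process that has it mapped, this is also a reminder of what root on a shared machine can observe, which is the point of the tutorial's question.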

ttysnoop

ttysnoop allows you to observe what is being entered on other tty's.

killsnoop

syscount

trace

Tasks