Operating Systems 2019W: Tutorial 7

From Soma-notes
Revision as of 21:41, 12 March 2019 by Soma (talk | contribs) (→‎opensnoop)

This tutorial is still in development. Please do not work on this material just yet!

In this tutorial you will be working with bcc-tools, a set of tools that is part of the BPF Compiler Collection (BCC). BCC programs are a combination of C and Python: the C code is compiled at runtime into eBPF bytecode, which is then loaded into the kernel and driven (probes attached, results read back) by a Python program.

Installation

To install bcc-tools on an Ubuntu 18.04 system (such as your openstack VM), do the following:

# become root, do the rest of the commands below as root
sudo su -

# update your system
apt update
apt dist-upgrade
apt clean
apt autoremove

# import the key for the iovisor repository
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD

# add the iovisor repository to apt
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/iovisor.list

# update the package list and install the necessary packages
apt update
apt install bcc-tools libbcc-examples linux-headers-$(uname -r)

# add the bcc tools to root's path.  Log out and log back in again as root to enable
echo "export PATH=/usr/share/bcc/tools:\$PATH" >> /root/.profile

There is an older version of BCC in the standard Ubuntu repositories, in the bpfcc-tools package. Please do not install it, as it seems to have significant bugs. If you've previously installed it, you'll need to uninstall it before following the steps above. (Distributions newer than Ubuntu 18.04 may have a more up-to-date version of BCC; check your repositories.)

If you wish to install bcc-tools on a system running something other than Ubuntu 18.04, follow these directions.

Tools

opensnoop

opensnoop lets you see every open on the system.

  • Run "opensnoop". If you have the x2go server running you may see a lot of activity. Try running "service x2goserver stop" to turn it off (assuming you are not using x2go!).
  • Run "opensnoop -x". Run some commands and see how many failed opens there are. Why do you think there are so many?
  • Look at the code of opensnoop. What kernel events is it monitoring? Hint: look at the calls to attach_kprobe and attach_kretprobe.
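To make the C-plus-Python structure described at the top of this page concrete, and to show what the attach_kprobe/attach_kretprobe hint above is pointing at, here is an added example: a minimal opensnoop-style tracer written against the bcc Python API. It is not the opensnoop shipped with bcc-tools and not course code; it follows the same shape (a kprobe at function entry saves the filename pointer, a kretprobe at return reads the result and sends an event to user space). It assumes the kernel exports do_sys_open (the function bcc's opensnoop attached to at the time; newer kernels have renamed it, so check the kernel you run) and that bcc is installed as the bcc Python module. The two helpers at the bottom do not need the kernel and aggregate failed opens by command and errno, which is a quicker way to answer "why are there so many failed opens?" than reading the raw stream.

```python
#!/usr/bin/env python3
# Added example (not part of bcc-tools): opensnoop-style tracer built on bcc.
# Assumes do_sys_open exists in the running kernel and the "bcc" module is
# installed; must run as root with linux-headers for the running kernel.
import errno
import sys
from collections import Counter

# The C half. bcc compiles this to eBPF bytecode at runtime and loads it.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <uapi/linux/limits.h>
#include <linux/sched.h>

struct val_t {                      /* saved at entry, keyed by pid/tgid */
    u64 id;
    char comm[TASK_COMM_LEN];
    const char *fname;
};
struct data_t {                     /* sent to user space at return */
    u64 id;
    int ret;
    char comm[TASK_COMM_LEN];
    char fname[NAME_MAX];
};

BPF_HASH(infotmp, u64, struct val_t);
BPF_PERF_OUTPUT(events);

/* kprobe: runs when do_sys_open is entered. The filename argument is only
   available here, so remember it until the function returns. */
int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename, int flags)
{
    struct val_t val = {};
    u64 id = bpf_get_current_pid_tgid();
    if (bpf_get_current_comm(&val.comm, sizeof(val.comm)) == 0) {
        val.id = id;
        val.fname = filename;
        infotmp.update(&id, &val);
    }
    return 0;
}

/* kretprobe: runs when do_sys_open returns; ret is an fd or -errno. */
int trace_return(struct pt_regs *ctx)
{
    u64 id = bpf_get_current_pid_tgid();
    struct val_t *valp = infotmp.lookup(&id);
    struct data_t data = {};
    if (valp == 0)
        return 0;                   /* entry probe was missed */
    bpf_probe_read(&data.comm, sizeof(data.comm), valp->comm);
    bpf_probe_read(&data.fname, sizeof(data.fname), (void *)valp->fname);
    data.id = valp->id;
    data.ret = PT_REGS_RC(ctx);
    events.perf_submit(ctx, &data, sizeof(data));
    infotmp.delete(&id);
    return 0;
}
"""

def format_event(pid, comm, ret, fname):
    """One line in opensnoop's PID COMM FD ERR PATH layout. A negative
    return value is -errno: report FD -1 and the errno number."""
    fd, err = (ret, 0) if ret >= 0 else (-1, -ret)
    return "%-6d %-16s %3d %3d %s" % (pid, comm, fd, err, fname)

def failed_open_summary(events):
    """Count failed opens by (comm, errno name); events are (comm, ret) pairs."""
    counts = Counter()
    for comm, ret in events:
        if ret < 0:
            counts[(comm, errno.errorcode.get(-ret, str(-ret)))] += 1
    return counts

def main(failed_only=False):
    from bcc import BPF                 # imported here: needs root + kernel headers
    b = BPF(text=BPF_PROGRAM)
    b.attach_kprobe(event="do_sys_open", fn_name="trace_entry")
    b.attach_kretprobe(event="do_sys_open", fn_name="trace_return")
    seen = []

    def handle(cpu, data, size):
        e = b["events"].event(data)
        pid = e.id >> 32                # upper 32 bits of pid_tgid is the tgid
        comm = e.comm.decode("utf-8", "replace")
        seen.append((comm, e.ret))
        if e.ret < 0 or not failed_only:
            print(format_event(pid, comm, e.ret, e.fname.decode("utf-8", "replace")))

    b["events"].open_perf_buffer(handle)
    print("%-6s %-16s %3s %3s %s" % ("PID", "COMM", "FD", "ERR", "PATH"))
    try:
        while True:
            b.perf_buffer_poll()
    except KeyboardInterrupt:       # Ctrl-C: print the top failing commands
        for (comm, err), n in failed_open_summary(seen).most_common(10):
            print("%5d failed opens: %s (%s)" % (n, comm, err))

if __name__ == "__main__":
    main(failed_only="-x" in sys.argv[1:])
```

Run it as root with no arguments to see every open, or with -x to see only failures, and press Ctrl-C to get the per-command errno summary. Comparing it with the real opensnoop source is a good way to see which parts of that tool are the kernel-side C and which are the Python that loads it.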

bashreadline

ttysnoop

killsnoop

syscount

trace

Tasks

You'll need root access to upload eBPF scripts to the kernel. Thus, run all of the following as root