Operating Systems 2019W: Tutorial 7
This tutorial is still in development. Please do not work on this material just yet!
In this tutorial you will be working with bcc-tools, a set of tools that is part of the BPF Compiler Collection (BCC). BCC programs are a combination of C and Python: the C code is compiled at runtime into eBPF bytecode, that bytecode is loaded into the kernel (where the verifier checks it before it runs), and a Python program attaches it to kernel events and reads back what it collects.
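To make that C-plus-Python structure concrete, here is a minimal tracer in the style of opensnoop. This is an added example written for this page, not code from bcc-tools or from the tutorial. It assumes the kernel exports a function named do_sys_open (true of the 4.15 kernel on Ubuntu 18.04; on newer kernels openat(2) goes through do_sys_openat2, so the block checks for the symbol first and stops if it is absent), and the map, struct and function names are the example's own. It has to run as root.

```python
"""Minimal BCC tracer: C compiled to eBPF at runtime, attached to the kernel's
open path with a kprobe (entry) and a kretprobe (return), read from Python
through a perf buffer. Added example; assumes the do_sys_open symbol."""
import errno
import sys

# The eBPF side, in restricted C. BCC compiles this with LLVM when
# BPF(text=...) is constructed; the kernel verifier checks it on load.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>

struct val_t {
    const char *fname;          /* user pointer to the path argument */
};

struct data_t {
    u64 id;                     /* pid_tgid: tgid in the high 32 bits */
    int ret;                    /* fd on success, -errno on failure */
    char comm[TASK_COMM_LEN];
    char fname[256];
};

BPF_HASH(infotmp, u64, struct val_t);   /* entry args, keyed by thread */
BPF_PERF_OUTPUT(events);                /* events handed to user space */

/* kprobe: runs on entry to do_sys_open; only the arguments are known here */
int trace_entry(struct pt_regs *ctx, int dfd, const char __user *filename)
{
    u64 id = bpf_get_current_pid_tgid();
    struct val_t val = {};
    val.fname = filename;
    infotmp.update(&id, &val);
    return 0;
}

/* kretprobe: runs when do_sys_open returns; now the result is known too */
int trace_return(struct pt_regs *ctx)
{
    u64 id = bpf_get_current_pid_tgid();
    struct val_t *valp = infotmp.lookup(&id);
    if (valp == 0)
        return 0;               /* entry missed (e.g. attached mid-call) */

    struct data_t data = {};
    data.id = id;
    data.ret = PT_REGS_RC(ctx);
    bpf_get_current_comm(&data.comm, sizeof(data.comm));
    bpf_probe_read_str(&data.fname, sizeof(data.fname), (void *)valp->fname);
    events.perf_submit(ctx, &data, sizeof(data));
    infotmp.delete(&id);
    return 0;
}
"""

def pid_from_id(pid_tgid):
    """bpf_get_current_pid_tgid() packs the tgid (the PID users see) in the
    upper 32 bits and the kernel thread id in the lower 32."""
    return pid_tgid >> 32

def describe_return(ret):
    """do_sys_open returns an fd on success and -errno on failure."""
    if ret >= 0:
        return "fd %d" % ret
    return errno.errorcode.get(-ret, "errno %d" % -ret)

def format_event(pid, comm, fname, ret):
    """One output line with PID / COMM / RESULT / PATH columns."""
    return "%-6d %-16s %-8s %s" % (pid, comm, describe_return(ret), fname)

def main():
    # bcc is imported here so the helpers above can be used without it.
    from bcc import BPF

    if not BPF.get_kprobe_functions(b"do_sys_open"):
        sys.exit("do_sys_open not found in this kernel; adjust the probe target")

    b = BPF(text=BPF_PROGRAM)
    b.attach_kprobe(event="do_sys_open", fn_name="trace_entry")
    b.attach_kretprobe(event="do_sys_open", fn_name="trace_return")

    def handle_event(cpu, data, size):
        ev = b["events"].event(data)
        print(format_event(pid_from_id(ev.id), ev.comm.decode(errors="replace"),
                           ev.fname.decode(errors="replace"), ev.ret))

    print("%-6s %-16s %-8s %s" % ("PID", "COMM", "RESULT", "PATH"))
    b["events"].open_perf_buffer(handle_event)
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            break

if __name__ == "__main__":
    main()
```

Run it as root and open a few files in another terminal. The split into a kprobe and a kretprobe is the pattern opensnoop itself uses: the arguments are only available on entry, the result only on return, so the entry handler stashes the path pointer in a hash map keyed by thread and the return handler joins the two.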
Installation
To install bcc-tools on an Ubuntu 18.04 system (such as your openstack VM), do the following:
# become root, do the rest of the commands below as root
sudo su -
# update your system
apt update
apt dist-upgrade
apt clean
apt autoremove
# import the key for the iovisor repository
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
# add the iovisor repository to apt
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | tee /etc/apt/sources.list.d/iovisor.list
# update the package list and install the necessary packages
apt update
apt install bcc-tools libbcc-examples linux-headers-$(uname -r)
# add the bcc tools to root's path. Log out and log back in again as root to enable
echo "export PATH=/usr/share/bcc/tools:\$PATH" >> /root/.profile
There is an older version of BCC in the standard Ubuntu repositories (the bpfcc-tools package). Please do not install it, as it appears to have significant bugs. If you have previously installed it, you will need to uninstall it before following the steps above. (Distributions newer than Ubuntu 18.04 may ship a more up-to-date version of BCC; check your repositories.)
If you wish to install bcc-tools on a system running something other than Ubuntu 18.04, follow these directions.
Tools
opensnoop
opensnoop lets you see every open() system call on the system, successful or not, along with the process that made it and the path it asked for.
- Run "opensnoop". If you have the x2go server running you may see a lot of activity. Try running "service x2goserver stop" to turn it off (assuming you are not using x2go!).
- Run "opensnoop -x", which shows only the opens that failed. Run some commands and see how many failed opens there are. Why do you think there are so many?
- Look at the code of opensnoop. What kernel events is it monitoring? Hint: look at the calls to attach_kprobe and attach_kretprobe.
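When "opensnoop -x" scrolls past faster than you can read it, save the output to a file and summarise it. The following is an added example written for this page (not part of bcc-tools or the tutorial) that parses opensnoop's default columns (PID COMM FD ERR PATH; the optional -T and -U columns are not handled) and groups the failures by program and errno, by directory prefix, and by permission errors. The sample output embedded in it is constructed, not a real capture. Grouping by directory is a useful way to approach the question above: a cluster of ENOENTs under one library or locale directory points at a search over candidate paths, while EACCES entries are the ones worth reading one by one.

```python
"""Summarise failed opens from opensnoop's text output. Added example; the
sample below is constructed in opensnoop's default column layout. A real
capture comes from `opensnoop -x > opens.txt` and is read from stdin."""
import errno
import os
from collections import Counter

# Constructed sample. Without -x opensnoop also prints successful opens
# (FD >= 0, ERR 0); one such line is included to show the filtering.
SAMPLE_OUTPUT = """\
PID    COMM               FD ERR PATH
2101   ls                 -1   2 /etc/ld.so.preload
2101   ls                 -1   2 /usr/lib/x86_64-linux-gnu/tls/haswell/x86_64/libselinux.so.1
2101   ls                 -1   2 /usr/lib/x86_64-linux-gnu/tls/haswell/libselinux.so.1
2101   ls                 -1   2 /usr/lib/x86_64-linux-gnu/tls/x86_64/libselinux.so.1
2101   ls                 -1   2 /usr/lib/x86_64-linux-gnu/tls/libselinux.so.1
2101   ls                 -1   2 /usr/share/locale/en_US/LC_MESSAGES/coreutils.mo
2110   cat                -1  13 /etc/shadow
2120   sshd                3   0 /etc/ssh/sshd_config
"""

def parse_opensnoop(text):
    """Parse opensnoop lines into dicts. PATH is the last field and may
    contain spaces, so split at most four times; skip the header."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0] == "PID":
            continue
        pid, comm, fd, err, path = parts
        records.append({"pid": int(pid), "comm": comm, "fd": int(fd),
                        "err": int(err), "path": path})
    return records

def failed(records):
    """opensnoop reports a failed open as FD -1 with ERR set to the errno."""
    return [r for r in records if r["fd"] < 0]

def errno_name(num):
    return errno.errorcode.get(num, "errno %d" % num)

def failed_by_comm_and_errno(records):
    """How many failures each program had, and of which kind."""
    return Counter((r["comm"], errno_name(r["err"])) for r in failed(records))

def dir_prefix(path, depth=3):
    """First `depth` components of the path's parent directory; relative
    paths (which opensnoop can print) collapse to '/'."""
    comps = os.path.dirname(path).split("/")[1:depth + 1]
    return "/" + "/".join(comps)

def failed_by_dir(records, depth=3):
    """Group failures by directory prefix to expose candidate-path searches."""
    return Counter(dir_prefix(r["path"], depth) for r in failed(records))

def permission_denied(records):
    """EACCES/EPERM failures: a process tried to open something its
    credentials do not allow. These deserve individual attention."""
    return [(r["comm"], r["pid"], r["path"]) for r in failed(records)
            if r["err"] in (errno.EACCES, errno.EPERM)]

def report(text):
    records = parse_opensnoop(text)
    lines = ["%d opens, %d failed" % (len(records), len(failed(records)))]
    for (comm, name), n in failed_by_comm_and_errno(records).most_common():
        lines.append("  %-16s %-8s %d" % (comm, name, n))
    for d, n in failed_by_dir(records).most_common():
        lines.append("  %-40s %d" % (d, n))
    for comm, pid, path in permission_denied(records):
        lines.append("  DENIED %s[%d] %s" % (comm, pid, path))
    return "\n".join(lines)

if __name__ == "__main__":
    import sys
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT))
```

Pipe a saved capture into it ("opensnoop -x > opens.txt; python3 summarise.py < opens.txt") or run it with no input to see the report on the constructed sample.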
bashreadline
ttysnoop
killsnoop
syscount
trace
Tasks
You'll need root access to load eBPF programs into the kernel, so run all of the following as root.