Show HN: eBPF tool to monitor disk usage, perform actions (opens in new tab)

(github.com)

22 pointsgiis2y ago7 comments

7 comments

Why use eBPF for this? Seems like massive overkill just to trigger a script based on a disk usage percentage. It seems this could be done with a bash cron one liner.

livueta2y ago

The disk alert stuff seems like a PoC for making sure the tracepoint works as expected, but I think you can get a lot more info from the tracepoint they're using than just the utilization info that is exposed/highlighted by the current frontend.

Look at what they're actually tracing in the kernel (https://github.com/Lakshmipathi/ebpf-diskalert/blob/main/src... / https://elixir.bootlin.com/linux/v5.6/source/block/bio.c#L18...). One of those things is devid, so you can see what disk a write is going to and correlate that to a PID. I did something similar-ish in DTrace on FreeBSD to track down a rogue writer (https://gridfi.re/blog/dtrace-filesystem-from-fd.html). You can probably dig around in the bio struct (https://elixir.bootlin.com/linux/v5.6/source/include/linux/b...) and/or execution context to find cool stuff about the filesystem operation in question.

If anyone reading this knows about eBPF: I'm curious how you'd go about translating a bio struct and/or execution context structs to an actual filesystem path, not just reading the devid. Or, is that the wrong question because at this point we're already down at the block level?

Thinking more about it, I bet there's a probe higher in the vfs stack that'd be better suited for that kind of thing. I really need to sit down and eBPF-ify my DTrace knowledge.

giisOP2y ago

I find not much storage based epbf stuffs out there, so want to start somewhere :D Nice work on Dtrace, I'll check it out. Reg bio to fs path, If I'm not wrong, I think we already reached block level and vfs layer is the best bet. But then there has to be filter on vfs layer to track specific path.

giisOP2y ago

I'm exploring eBPF tech, that's the main reason. Yes, more like POC with eBPF.

peddling-brink2y ago

It's very cool, nice work!

nickstinemates2y ago

What is your experience with using bpf2go?

giisOP2y ago

IMo,it provides smooth development experience. I had some trouble while trying to pass initialize global variable which seems more easier in C (eg: skel->bss->mypid) than go

j / k navigate · click thread line to collapse

7 comments

peddling-brink2y ago

Why use eBPF for this? Seems like massive overkill just to trigger a script based on a disk usage percentage. It seems this could be done with a bash cron one liner.

livueta2y ago

Thinking more about it, I bet there's a probe higher in the vfs stack that'd be better suited for that kind of thing. I really need to sit down and eBPF-ify my DTrace knowledge.

giisOP2y ago

I'm exploring eBPF tech, that's the main reason. Yes, more like POC with eBPF.

peddling-brink2y ago

It's very cool, nice work!

nickstinemates2y ago

What is your experience with using bpf2go?

giisOP2y ago

IMo,it provides smooth development experience. I had some trouble while trying to pass initialize global variable which seems more easier in C (eg: skel->bss->mypid) than go

j / k navigate · click thread line to collapse