Bpftime: Userspace eBPF runtime for fast Uprobe and Syscall hook and Plugins (opens in new tab)

(github.com)

94 pointsdnsmichi2y ago12 comments

12 comments

We talked about it in LPC 23 today, and the slides: https://lpc.events/event/17/contributions/1639

Stream: https://youtube.com/watch?v=zDNZY0HQOMw&t=1765s

The draft paper: https://arxiv.org/abs/2311.07923

Thanks for the additional details :) I found bpftime through a social share [0], where it is shown to run bpftrace without root permissions [1], and added it to my newsletter into my eBPF learning series [2].

[0] https://twitter.com/yunwei37/status/1717990094810862045

[1] https://github.com/eunomia-bpf/bpftime/blob/master/example/b...

[2] https://opsindev.news/archive/2023-11-14/#the-inner-dev-lear...

lathiat2y ago

I have been talking about someone needing to do this recently, uprobes are largely quite slow for tracing (e.g. with bpftrace) because it has to trap into the kernel every single time, unlike tracing anything in the kernel because you're already in the kernel - so no context switch is needed.

It was always possible to do something like this, to inject the bpf code to run in-process and only export data occasionally just like the kernel side version - and the pieces already existed but no one had put all the pieces together, now someone has. Awesome!

Just need someone to implement this seamlessly into bpftrace :) That would be amazing!

If you want to understand why it's slow without this, I recently did a talk explaining the difference in tracing speed between strace and bpftrace (when tracing things in the kernel) that may help! In this case (which I didn't really cover), most function uprobes have to trap into the kernel and back twice (once on function entry and once on return, I explain why) - not as bad as the full strace example I explain in detail in the video - but still comparatively expensive.

https://www.youtube.com/watch?v=ZDTfcrp9pJI "bpftrace recipes: 5 real problems solved"

I re-ran this talk (mostly the same, a few minor updates) at the Riga Ubuntu Summit a couple of weeks ago but the videos aren't up yet. But the version above is mostly the same and was a pretty good recording :)

yunwei372y ago

Thanks for sharing your talk and insights! bpftrace is a wonderful tool, and the talk is great!

In fact, bpftime can already run bpftrace in userspace for uprobes, without any modification: https://github.com/eunomia-bpf/bpftime/tree/master/example/b...

(There might still need some bug fixes in some cases, e.g. the signal handler to stop the bpf program…

Maybe we can integrate the bpftime agent and attach mechanism in bpftrace, so it can be released together?

lathiat2y ago

Wow, that's amazing :) I will watch the talk today but.. amazing work! :)

victoryang002y ago

A full version of the preliminary descriptions and results can be found here http://arxiv.org/abs/2311.07923. Thanks for the advise for cross boundary communication brought on the LPC, we will integrate!

rendaw2y ago

This looks really cool. Like all eBPF though, what sort of eBPF verification is it doing and is it possible to do the verification in CI?

With eBPF the common gotcha is you can compile totally invalid eBPF code, with no compile errors, only to find out at go time (and only to be able to find out at go time).

brancz2y ago

I happen to work on a system-wide profiler[1] that is eBPF-based, and what we do is load our bpf programs on various kernels[2] using qemu. This is important as the jit and verifier change significantly across kernel versions and we want to make sure we maintain compatibility.

[1] https://github.com/parca-dev/parca-agent

[2] https://github.com/parca-dev/parca-agent/blob/54434c02773a8a...

yunwei372y ago

Thanks!

This project can use a standalone eBPF verifier in this project: https://github.com/vbpf/ebpf-verifier

It can also use kernel verifier to verify the programs, then “offload”the BPF byte code from kernel, and runs it in userspace.

cryptonector2y ago

Sounds a lot like DTrace user defined probe tracing.

ahl2y ago

Uprobes has—I believe—DTrace USDT-like functionality. This seems interesting and different: sending the tracing facility into the traced/victim process. Whereas DTrace and ePBF typically trap into the kernel to execute and event, this approach allows for potentially much less overhead.

How important is enabled probe effect? Of that I’m less sure.

cryptonector2y ago

Oh, thanks, yes, that does sound interesting. I gave it too cursory a look earlier, ay!

j / k navigate · click thread line to collapse

12 comments

yunwei372y ago

We talked about it in LPC 23 today, and the slides: https://lpc.events/event/17/contributions/1639

Stream: https://youtube.com/watch?v=zDNZY0HQOMw&t=1765s

The draft paper: https://arxiv.org/abs/2311.07923

dnsmichiOP2y ago

[0] https://twitter.com/yunwei37/status/1717990094810862045

[1] https://github.com/eunomia-bpf/bpftime/blob/master/example/b...

[2] https://opsindev.news/archive/2023-11-14/#the-inner-dev-lear...

lathiat2y ago

Just need someone to implement this seamlessly into bpftrace :) That would be amazing!

https://www.youtube.com/watch?v=ZDTfcrp9pJI "bpftrace recipes: 5 real problems solved"

yunwei372y ago

Thanks for sharing your talk and insights! bpftrace is a wonderful tool, and the talk is great!

In fact, bpftime can already run bpftrace in userspace for uprobes, without any modification: https://github.com/eunomia-bpf/bpftime/tree/master/example/b...

(There might still need some bug fixes in some cases, e.g. the signal handler to stop the bpf program…

Maybe we can integrate the bpftime agent and attach mechanism in bpftrace, so it can be released together?

lathiat2y ago

Wow, that's amazing :) I will watch the talk today but.. amazing work! :)

victoryang002y ago

rendaw2y ago

This looks really cool. Like all eBPF though, what sort of eBPF verification is it doing and is it possible to do the verification in CI?

With eBPF the common gotcha is you can compile totally invalid eBPF code, with no compile errors, only to find out at go time (and only to be able to find out at go time).

brancz2y ago

[1] https://github.com/parca-dev/parca-agent

[2] https://github.com/parca-dev/parca-agent/blob/54434c02773a8a...

yunwei372y ago

Thanks!

This project can use a standalone eBPF verifier in this project: https://github.com/vbpf/ebpf-verifier

It can also use kernel verifier to verify the programs, then “offload”the BPF byte code from kernel, and runs it in userspace.

cryptonector2y ago

Sounds a lot like DTrace user defined probe tracing.

ahl2y ago

How important is enabled probe effect? Of that I’m less sure.

cryptonector2y ago

Oh, thanks, yes, that does sound interesting. I gave it too cursory a look earlier, ay!

j / k navigate · click thread line to collapse