当前位置: 首页 > 工具软件 > BCC > 使用案例 >

bpf-bcc加载代码分析

司寇研
2023-12-01

BCC简介

bcc作为bpf的api库,提供了加载、编译,运行bpf代码功能,其核心功能是对bpf的系统调用进行封装,降低bpf使用门槛。

BCC源码介绍

[root@localhost bcc]# ls
build  CMakeLists.txt  CONTRIBUTING-SCRIPTS.md  Dockerfile.debian  Dockerfile.ubuntu  examples  images      introspection  LICENSE.txt  man            README.md  snap   src    tools
cmake  CODEOWNERS      debian                   Dockerfile.tests   docs               FAQ.txt   INSTALL.md  libbpf-tools   LINKS.md     QUICKSTART.md  scripts    SPECS  tests
[root@localhost bcc]# 

src目录提供了c++、python和lua api接口文件,tools目录提供了示例工具以及示例工具的使用说明,tools目录的工具使用python api编码,sample目录有c++、lua api工具示例,INSTALL.md文件提供了不同平台的安装说明,包括ubuntu、centos、fedora等,具体介绍可以通过README.md和docs文件查看。

Python BPF分析

class BPF(object):
    # From bpf_prog_type in uapi/linux/bpf.h
    SOCKET_FILTER = 1
    KPROBE = 2
    SCHED_CLS = 3
    SCHED_ACT = 4
    TRACEPOINT = 5
    XDP = 6
    PERF_EVENT = 7
    CGROUP_SKB = 8
    CGROUP_SOCK = 9
    LWT_IN = 10
    LWT_OUT = 11
    LWT_XMIT = 12
    SOCK_OPS = 13
    SK_SKB = 14
    CGROUP_DEVICE = 15
    SK_MSG = 16
    RAW_TRACEPOINT = 17
    CGROUP_SOCK_ADDR = 18
    TRACING = 26
    LSM = 29
    ............
    ............
    def __init__(self, src_file=b"", hdr_file=b"", text=None, debug=0,
            cflags=[], usdt_contexts=[], allow_rlimit=True, device=None):
        """Create a new BPF module with the given source code.

        Note:
            All fields are marked as optional, but either `src_file` or `text`
            must be supplied, and not both.

        Args:
            src_file (Optional[str]): Path to a source file for the module
            hdr_file (Optional[str]): Path to a helper header file for the `src_file`
            text (Optional[str]): Contents of a source file for the module
            debug (Optional[int]): Flags used for debug prints, can be |'d together
                                   See "Debug flags" for explanation
        """

Python API 以BPF类为核心进行编码设计,BPF_init_ 方法可以通过源文件、obj文件、text文本方式加载bpf程序,提供了5种DEBUG模式:

# Debug output compiled LLVM IR.
DEBUG_LLVM_IR = 0x1
# Debug output loaded BPF bytecode and register state on branches.
DEBUG_BPF = 0x2
# Debug output pre-processor result.
DEBUG_PREPROCESSOR = 0x4
# Debug output ASM instructions embedded with source.
DEBUG_SOURCE = 0x8
# Debug output register state on all instructions in addition to DEBUG_BPF.
DEBUG_BPF_REGISTER_STATE = 0x10
# Debug BTF.
DEBUG_BTF = 0x20

BPF嵌入类型点目前有20种,SOCKET_FILTER、KPROBE等,LSM需要kernel 5.18以上版本才能支持。

BPF类底层实现是BPF的系统调用,API接口层主要负责组织内核程序,包括预加载、编译、加载到内核过程。

def __init__(self, src_file=b"", hdr_file=b"", text=None, debug=0,
            cflags=[], usdt_contexts=[], allow_rlimit=True, device=None):
    	............
    	............	
        if src_file:
            src_file = BPF._find_file(src_file)
            hdr_file = BPF._find_file(hdr_file)

        # files that end in ".b" are treated as B files. Everything else is a (BPF-)C file
        if src_file.endswith(b".b"):
            self.module = lib.bpf_module_create_b(src_file, hdr_file, self.debug, device)
        else:
            if src_file:
                # Read the BPF C source file into the text variable. This ensures,
                # that files and inline text are treated equally.
                with open(src_file, mode="rb") as file:
                    text = file.read()

            ctx_array = (ct.c_void_p * len(usdt_contexts))()
            for i, usdt in enumerate(usdt_contexts):
                ctx_array[i] = ct.c_void_p(usdt.get_context())
            usdt_text = lib.bcc_usdt_genargs(ctx_array, len(usdt_contexts))
            if usdt_text is None:
                raise Exception("can't generate USDT probe arguments; " +
                                "possible cause is missing pid when a " +
                                "probe in a shared object has multiple " +
                                "locations")
            text = usdt_text + text


            self.module = lib.bpf_module_create_c_from_string(text,
                                                              self.debug,
                                                              cflags_array, len(cflags_array),
                                                              allow_rlimit, device)
        if not self.module:
            raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))

        for usdt_context in usdt_contexts:
            usdt_context.attach_uprobes(self)

        # If any "kprobe__" or "tracepoint__" or "raw_tracepoint__"
        # prefixed functions were defined,
        # they will be loaded and attached here.
        self._trace_autoload()

加载过程主要由lib.bpf_module_create_c_from_string函数执行,bpf_module_create_c_from_string是bcc中C++的库函数

void * bpf_module_create_c_from_string(const char *text, unsigned flags, const char *cflags[],
                                       int ncflags, bool allow_rlimit, const char *dev_name) {
  auto mod = new ebpf::BPFModule(flags, nullptr, true, "", allow_rlimit, dev_name);
  if (mod->load_string(text, cflags, ncflags) != 0) {
    delete mod;
    return nullptr;
  }
  return mod;
}

最终调用到BPFModule类的load_string方法

// load a C text string
int BPFModule::load_string(const string &text, const char *cflags[], int ncflags) {
  if (!sections_.empty()) {
    fprintf(stderr, "Program already initialized\n");
    return -1;
  }
  if (int rc = load_cfile(text, true, cflags, ncflags))
    return rc;
  if (rw_engine_enabled_) {
    if (int rc = annotate())
      return rc;
  } else {
    annotate_light();
  }

  if (int rc = finalize())
    return rc;
  return 0;
}

load_cfile会使用clang+llvm编译bpf程序(bcc可以在初始化BPF类时自定义编译选项),最终调用到clang api完成编译过程,编译后的内容存储在ebpf::BPFModule对象,并通过指针返回python环境。

BPF最后通过自动加载方式加载ebpf::BPFModule对象到系统,完成bpf程序注入内核工作

    def _trace_autoload(self):
        for i in range(0, lib.bpf_num_functions(self.module)):
            func_name = lib.bpf_function_name(self.module, i)
            print(func_name)
            if func_name.startswith(b"kprobe__"):
                fn = self.load_func(func_name, BPF.KPROBE)
                self.attach_kprobe(
                    event=self.fix_syscall_fnname(func_name[8:]),
                    fn_name=fn.name)
            elif func_name.startswith(b"kretprobe__"):
                fn = self.load_func(func_name, BPF.KPROBE)
                self.attach_kretprobe(
                    event=self.fix_syscall_fnname(func_name[11:]),
                    fn_name=fn.name)
            elif func_name.startswith(b"tracepoint__"):
                fn = self.load_func(func_name, BPF.TRACEPOINT)
                tp = fn.name[len(b"tracepoint__"):].replace(b"__", b":")
                self.attach_tracepoint(tp=tp, fn_name=fn.name)
            elif func_name.startswith(b"raw_tracepoint__"):
                fn = self.load_func(func_name, BPF.RAW_TRACEPOINT)
                tp = fn.name[len(b"raw_tracepoint__"):]
                self.attach_raw_tracepoint(tp=tp, fn_name=fn.name)
            elif func_name.startswith(b"kfunc__"):
                self.attach_kfunc(fn_name=func_name)
            elif func_name.startswith(b"kretfunc__"):
                self.attach_kretfunc(fn_name=func_name)
            elif func_name.startswith(b"lsm__"):
                self.attach_lsm(fn_name=func_name)

BCC加载bpf程序时使用的是c++的bcc_func_load方法,最后通过sys_bpf(BPF_PROG_LOAD, attr, size);系统调用把bpf程序加载到内核

def load_func(self, func_name, prog_type, device = None):
        func_name = _assert_is_bytes(func_name)
        if func_name in self.funcs:
            return self.funcs[func_name]
        if not lib.bpf_function_start(self.module, func_name):
            raise Exception("Unknown program %s" % func_name)
        log_level = 0
        if (self.debug & DEBUG_BPF_REGISTER_STATE):
            log_level = 2
        elif (self.debug & DEBUG_BPF):
            log_level = 1
        fd = lib.bcc_func_load(self.module, prog_type, func_name,
                lib.bpf_function_start(self.module, func_name),
                lib.bpf_function_size(self.module, func_name),
                lib.bpf_module_license(self.module),
                lib.bpf_module_kern_version(self.module),
                log_level, None, 0, device);

        if fd < 0:
            atexit.register(self.donothing)
            if ct.get_errno() == errno.EPERM:
                raise Exception("Need super-user privileges to run")

            errstr = os.strerror(ct.get_errno())
            raise Exception("Failed to load BPF program %s: %s" %
                            (func_name, errstr))

        fn = BPF.Function(self, func_name, fd)
        self.funcs[func_name] = fn

        return fn
int bcc_func_load(void *program, int prog_type, const char *name,
                  const struct bpf_insn *insns, int prog_len,
                  const char *license, unsigned kern_version,
                  int log_level, char *log_buf, unsigned log_buf_size,
                  const char *dev_name) {
  auto mod = static_cast<ebpf::BPFModule *>(program);
  if (!mod) return -1;
  return mod->bcc_func_load(prog_type, name, insns, prog_len,
                            license, kern_version, log_level,
                            log_buf, log_buf_size, dev_name);

}

int BPFModule::bcc_func_load(int prog_type, const char *name,
                const struct bpf_insn *insns, int prog_len,
                const char *license, unsigned kern_version,
                int log_level, char *log_buf, unsigned log_buf_size,
                const char *dev_name) {
  struct bpf_load_program_attr attr = {};
  unsigned func_info_cnt, line_info_cnt, finfo_rec_size, linfo_rec_size;
  void *func_info = NULL, *line_info = NULL;
  int ret;

  attr.prog_type = (enum bpf_prog_type)prog_type;
  attr.name = name;
  attr.insns = insns;
  attr.license = license;
  if (attr.prog_type != BPF_PROG_TYPE_TRACING &&
      attr.prog_type != BPF_PROG_TYPE_EXT) {
    attr.kern_version = kern_version;
  }
  attr.log_level = log_level;
  if (dev_name)
    attr.prog_ifindex = if_nametoindex(dev_name);

  if (btf_) {
    int btf_fd = btf_->get_fd();
    char secname[256];

    ::snprintf(secname, sizeof(secname), ".bpf.fn.%s", name);
    ret = btf_->get_btf_info(secname, &func_info, &func_info_cnt,
                             &finfo_rec_size, &line_info,
                             &line_info_cnt, &linfo_rec_size);
    if (!ret) {
      attr.prog_btf_fd = btf_fd;
      attr.func_info = func_info;
      attr.func_info_cnt = func_info_cnt;
      attr.func_info_rec_size = finfo_rec_size;
      attr.line_info = line_info;
      attr.line_info_cnt = line_info_cnt;
      attr.line_info_rec_size = linfo_rec_size;
    }
  }

  ret = bcc_prog_load_xattr(&attr, prog_len, log_buf, log_buf_size, allow_rlimit_);
  if (btf_) {
    free(func_info);
    free(line_info);
  }

  return ret;
}

static inline int sys_bpf_prog_load(union bpf_attr *attr, unsigned int size)
{
	int fd;

	do {
		fd = sys_bpf(BPF_PROG_LOAD, attr, size);
	} while (fd < 0 && errno == EAGAIN);

	return fd;
}
 类似资料: