What does HackerNews think of bcc?

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

Language: C

In Linux you can use eBPF. See https://github.com/iovisor/bcc for an easy way to write eBPF, or look for something in the tools/ dir that does what you want. Your distro might have these packaged as bcc-tools or similar.
The whole BPF verifier and development process is so botched it's ridiculous. It's as if the maintainers decided to make this as hard as possible out of pettiness, or a "they should have to use the C APIs instead" attitude.

- Loading an eBPF module without the CAP_BPF capability (and in some cases without CAP_NET_ADMIN, which you need for XDP) generates an "unknown/invalid memory access" error, which is super useless as an error message.

- In my personal opinion, a bytecode format for both little-endian (bpfel) and big-endian (bpfeb) machines is kind of unnecessary. I mean, it's a virtual bytecode format for a reason, right!?

- Compiling eBPF via clang to the BPF bytecode format without debug symbols makes every error message further down the line utterly useless. It took me a while to figure out what "unknown scalar" really means. If you forget the "-g" flag, you're totally fucked.

- Anything pointer-related that the eBPF verifier doesn't support leads to "unknown scalar" errors, which are actually out-of-bounds errors most of the time (e.g. you have to wrap the access in a bounds check against the end of the packet). These only surface during verification and can only be inspected with bpftool. If you miss them there, good luck getting a better error message out of the kernel while loading the module.

- The bpftool maintainer is kind of unfriendly: he tells you to read a book about the bytecode format when your code doesn't compile and you ask for examples of how to use pointers in a BPF codebase, which seems to enforce specific rules about what kinds of functions (__always_static) are allowed to modify or allocate memory. There are a lot of limitations that are documented _nowhere_ on the internet, and seemingly all developers are supposed to learn them by reading the bpftool codebase itself!? Who is the audience for bpftool then? Its own developers?

- The BCC tools (BPF Compiler Collection) still ship examples that don't compile on an up-to-date kernel. [1] If you don't have the old headers, you'll find plenty of issues that point you to the specific git hash where the "bpf-helpers.h" file was still inside the kernel codebase.

- The libbpf repo also contains examples that won't compile, especially the XDP-related ones. [2]

- There's also an ongoing migration of (all?) projects to xdp-tools, which seems redundant with the other BPF projects, and which also has only a couple of examples that actually work. [3]

- Literally the only userspace eBPF framework that worked for me outside a super outdated enterprise Linux environment is the cilium/ebpf project [4], but only because it bundles the old "bpf-helpers.h" files that have since been removed from the kernel itself. [5] Even those are incomplete: things like the new "__u128" and "__bpf_helper_methods" syntax are sometimes missing.

- The only working examples that can also serve as a reference for what's available in terms of eBPF and its kernel/userspace APIs are in a forked repo of the bootlin project [6], which literally taught me how to use eBPF in practice.

- All other (official?) examples show you how to make a bpf_printk call, but _none_ of them show you how to even interact with BPF maps (whose syntax changed something like 5 times over the last few years, and 4 of those variants don't get through the verifier anymore, obviously). The maps are somewhat documented in the libbpf project's wiki, without further explanation of why or what [7]. Without that bootlin repo I still wouldn't know how to do anything beyond a print inside a "kretprobe". Anything more advanced is totally undocumented.

- OpenSnitch even has a workflow that copies its own codebase into the kernel tree just to make it compile, because every other way is too convoluted or too broken. Not kidding you. [8]

Note that none of the BPF-related projects use any kind of reliable versioning scheme, and none of them use anything "modern" like conan (or whatever) as a package manager. Because that would have made it too easy to use, and too easy to document what breaks when. /s

Overall I have to say, BPF was the worst development experience I've ever had. Writing a kernel module is _easier_ than writing a BPF module, because there you at least have reliable tooling. In the BPF world, anything can and will break at any unpredictable moment. Compare that to the experience of other development environments, say the JVM or even the JS world, where debuggers that interact with JIT compilers are the norm, and ... well, you've successfully been transported back to the PTSD moments of the 90s.

Honestly I don't know how people can use BPF and say "yeah this has been a great experience and I love it" and not realize how broken the tooling is on every damn level.

I totally recommend reading the book [9] and watching the YouTube videos of Liz Rice [10]. They're awesome, and they show you how to tackle some of the problems I mentioned. I think that without her work, BPF would have had zero chance of success.

What's missing in the BPF world is definitely better tooling, better error messages (e.g. "did you forget to do this?" or even "unexpected statement" would be sooooo much better than the current state), and an easier way to debug an eBPF program. Documentation on what's available and what isn't is also necessary, because right now it's impossible to find out. If I'm not allowed to use pointers or whatever, then say so from the beginning.

[1] https://github.com/iovisor/bcc

[2] https://github.com/libbpf/libbpf

[3] https://github.com/xdp-project/xdp-tools

[4] https://github.com/cilium/ebpf/

[5] https://github.com/cilium/ebpf/tree/master/examples/headers

[6] https://elixir.bootlin.com/linux/latest/source/tools/testing...

[7] https://github.com/libbpf/libbpf/wiki/Libbpf-1.0-migration-g...

[8] https://github.com/evilsocket/opensnitch/blob/master/ebpf_pr...

[9] https://isovalent.com/learning-ebpf/

[10] (e.g.) https://www.youtube.com/watch?v=L3_AOFSNKK8

On Linux, this can be done using BPF (Berkeley Packet Filter). In fact there is a tool in BCC[0] called filetop, which lists reads/writes by process and file[1].

0. https://github.com/iovisor/bcc

1. https://github.com/iovisor/bcc/blob/master/tools/filetop.py

Try running "zdb | grep ashift" and confirm that it's 12 (or even higher for SSDs). The default used to be 9, which kills IOPS on non-ancient HDDs that have 2^12-byte (4 KiB) sectors and have to read-modify-write anything smaller than a sector.

“i3, 1600MHz RAM” sounds like a laptop. Are you doing anything funky like using USB HDD enclosures?

Also try comparing the number, size, and latency of IO operations submitted to ZFS vs the same stats for IO submitted to the disks with https://github.com/iovisor/bcc

Once you figure out what layer (application? VFS/cache? file system? IO elevator? HBA? disk firmware?) the performance drop is happening on, it should be trivial to fix.

If one doesn’t exist out of the box you can relatively simply roll your own using bcc https://github.com/iovisor/bcc.
Some of the most interesting BPF applications seem to be these tools here: https://github.com/iovisor/bcc
The bcc toolkit has been out for a while [1], it is a great collection of python wrapped bpf tools that is a little more user friendly.

[1] https://github.com/iovisor/bcc

Well, clear your schedule: its most commonly used interface is through its Python bindings (a library called BCC):

https://github.com/iovisor/bcc

If it's Linux, there are various ways to find out who is sending that signal: killsnoop is one (part of bcc: https://github.com/iovisor/bcc), a trivial systemtap script is another (https://www.ibm.com/support/pages/systemtap-kill-who-killed-...).
biotop and biolatency surface similar info. They come with a ton of other ridiculously awesome tools in BCC: a set of Python wrapper scripts that run eBPF programs. Using eBPF generally has a really low performance impact compared with other tools that do similar work.

https://github.com/iovisor/bcc

Very interesting. The BPF programs are often written in C and compiled to BPF bytecode using LLVM's BPF backend, via this project: https://github.com/iovisor/bcc

This should be useful any time you need a high-performance, high-security way to instrument or extend a C-based program at run time! Not just in kernels.

High performance networking: https://www.iovisor.org/technology/xdp

Cloudflare uses XDP for a variety of things: https://blog.cloudflare.com/xdpcap/ https://blog.cloudflare.com/l4drop-xdp-ebpf-based-ddos-mitig...

Performance engineering, debugging, etc: https://github.com/iovisor/bcc https://github.com/iovisor/bpftrace

Brendan Gregg is all on board the BPF train as well - check out all the blogs he's written about it over the past several years: http://www.brendangregg.com/blog/

IMO, (E)BPF is one of the most exciting technologies to be introduced in the past half decade or so. bcc and now bpftrace have become two of my favorite tools to reach for when assisting EC2 customers with performance issues. (Edit: I suppose I should note that that's a personal preference and not AWS policy, and also that the performance issues aren't special to EC2 ;))

bcc https://github.com/iovisor/bcc if you need low-level abstractions or bpftrace https://github.com/iovisor/bpftrace if you need something simpler (similar to dtrace)
I can get you a couple:

eBPF is a new kernel "tool": https://qmonnet.github.io/whirl-offload/2016/09/01/dive-into...

BCC is built on eBPF: https://github.com/iovisor/bcc

It's really cool new debugging and analysis stuff for the Linux Kernel. I'm asking my team to learn it ASAP.

He didn't mention this in this snippet, but the BCC (BPF Compiler Collection) intends to make this much simpler[1]. In particular it lets you write a tracer in Python (with the BPF program written in C) that attaches the BPF program to whatever types of probe points you like. So while internally there might be all this fragmentation a user shouldn't have to deal with it as much.

[1]: https://github.com/iovisor/bcc

There definitely isn't any overarching design. You see the same thing all throughout Linux's interfaces (containers are another great example). If you contrast this with the Solaris or BSD interfaces you notice that Linux has always been odd in this respect (DTrace, Jails/Zones, ZFS, pf, kqueue/eventports and so on).

Depending on your view you can see this as a positive or a negative. One view is to say that Linux is more collaborative, and only the "common core" interfaces are actually put into the kernel (with the higher levels being provided in userspace by vendors). A good example of this is the live patching code that came from a distilling of Red Hat's ksplice and SUSE's kgraft systems. You can trace most of Linux's features back to this sort of development model.

illumos and BSD, however, usually work far more like traditional software products. Some engineer goes off and implements a really interesting system that then gets put into a release. That's how ZFS, Jails, DTrace and so on were developed (at Sun), and I'm sure you can come up with other examples from BSD. The key point here is that this is a far more authoritarian model -- one set of engineers decides on a system and develops it mostly in isolation. Linux doesn't permit that style of development, because large patchsets need to be broken down over releases.

Personally I must say that I don't care for the Linux style of things, mainly because I feel it hampers OS innovation in some ways. But the upside is that the facilities are more like libraries than frameworks and so you're forced to design your abstractions in userspace. Is that good? I don't know.

Note that following along with the above theme, there is an overarching architecture for Linux's tracing tools (in userspace) in the form of bcc[1].

[1]: https://github.com/iovisor/bcc

You only have to write the kernel stuff in C (which is a small part, since you are just collecting data), for the front end you can use BCC (Python/Lua)

https://github.com/iovisor/bcc

Personal favorite: https://github.com/iovisor/bcc/blob/master/tools/sslsniff_ex...

I assume BPF is Berkeley Packet Filter, or maybe eBPF (extended Berkeley Packet Filter) in this case. Just to save anyone else having to look this up. It looks like this is the link to the tools.

https://github.com/iovisor/bcc

https://en.wikipedia.org/wiki/Berkeley_Packet_Filter