Linux: why performance tools need BPF Technology

Love to learn 2021-01-23 15:15:04
linux performance tools bpf technology

BPF In recent years Linux A huge innovation in systems technology . As Linux A key development node of the kernel , It's as important as virtualization 、 Containers 、SDN Technology .

▼BPF It's a very interesting way to work :

End user use BPF Instruction set of virtual machine ( Also known as BPF Bytecode ) Define filter expressions , And then pass it to the kernel , Executed by the interpreter . This allows packet filtering to be done directly in the kernel , Avoid copying each packet to user mode process , This improves the performance of packet filtering ,tcpdump(8) That's how it works .

BPF It also provides security , Because the user-defined filter must pass the security verification before execution .

Early packet filtering had to be performed in kernel space , Safety is a hard and fast requirement . You can see how all this works from the figure below .


tcpdump and BPF

Running tcpdump(8) With command line arguments -d, You can print out expressions that use filters BPF Instructions . for example :

▊** classic BPF And the extended version BPF**

The original BPF Now it's called “ classic BPF”, It's a virtual machine with limited capabilities . It has two registers , One by 16 A temporary storage area composed of two memory slots and a program counter . The above parts are in accordance with 32 Bit register size runs . classic BPF On 1997 in Linux Kernel version 2.1.75.

Then Alexei Starovoitov Created an extended version BPF(eBPF). This is a 20 Over the years BPF The first major update of , The move will also help BPF Expand to a universal virtual machine .

although BPF It's often called a virtual machine , But this often refers to its implementation specification .BPF stay Linux The actual implementation of ( Runtime support ) It also includes an interpreter and a compiler that can be immediately compiled into native instructions .

“ virtual machine ” It seems to mean running another machine layer on top of the processor , But actually BPF Execution is not like that .JIT The compiled code will be like any other native kernel code , Run directly on the processor . it is to be noted that , stay Spectre After the vulnerability was announced , Some distributions default to x86 Enable on Architecture JIT, Completely removed the interpreter implementation from the kernel ( The relevant code is directly excluded through conditional compilation ).

Extended version of BPF More registers have been added to , And change the word length from 32 To increase to 64 position , Created a flexible BPF Mapped storage (map), And allow some restricted kernel functions to be called . meanwhile ,eBPF Designed to use just in time compilation (JIT), Machine instructions and registers can be mapped one-to-one . This makes the previous processor local instruction optimization technology , Can be reused for BPF above .BPF The validator has also been updated to support these extensions , And can reject any unsafe code .

classic BPF And extensions BPF The differences between them are as follows .


In the earliest code patches , Extended version BPF It was once abbreviated as eBPF, But now in the development discussion , They all use BPF This is called .

Linux BPF Runtime (runtime) The architecture of each module is shown in the figure below .


BPF The internal structure of the runtime

The picture above shows BPF How the instructions go through BPF Verifier verification , Again by BPF Virtual machine execution .

BPF The implementation of virtual machine includes an interpreter , Including another JIT compiler :JIT The compiler is responsible for generating machine instructions that the processor can execute directly . The verifier will reject unsafe operations , This includes checking for unbounded loops :BPF The program must be completed in a limited time .

BPF You can use auxiliary functions to get the kernel state , utilize BPF Mapping table for storage .BPF The program executes when a specific event occurs , Include kprobes、uprobes And tracking points .

Now let's talk about , Why performance tools need BPF technology .

Why performance tools need BPF technology

Performance tools use the extended version BPF To achieve programmability .BPF The program can perform user-defined delay calculation, statistical summary and other functions . These characteristics alone are enough to make BPF Become an interesting tool .

But in fact, many tracking tools have these functions .BPF The difference is , It also has the characteristics of high efficiency and safe production environment , And it's built into Linux The kernel .

With BPF, You can run these tools directly in the production environment , and No need to add new kernel components .

Let's take a look at how performance tools are used through the output of a tool and a graph BPF Of .

This The output of the example comes from Master of performance optimization Gregg A previously released one is called bitehist Of BPF Tools , It shows disks in the form of histograms I/O The size distribution of :


The following figure shows using the BPF Before and after the histogram generation process .


Use BPF A comparison of the process of generating histograms before and after

The key change here is , Histograms can be generated in the kernel context , This greatly reduces the amount of data that needs to be copied into user space . The efficiency improvement here is so remarkable , So that the overhead of the tool is reduced to the extent that it can be run directly in the production environment .

Use BPF Before , The best steps to make this diagram summary are as follows .

1. In kernel : Turn on the disk I/O Stake in observation of events .

2. In kernel , For each event : towards perf The buffer writes a record . If tracking point technology is used ( Recommend ways ), The record will contain information about the disk I/O Several metadata fields of .

  1. In user space : Periodically copies the buffer contents of all events into user space .

  2. In user space : Traverse each event , Parse the event metadata field of the byte field . Other fields are ignored .

  3. In user space : Generate histogram summary of byte fields

One step 2 To step 4 For high I/O The cost of performance is very high . You can imagine , take 10000 A disk I/O The trace records are copied into the user space program , Then parse to generate summary information — To perform a second 1 Time .

Use BPF after ,bitesize The procedures are as follows .

  1. In kernel : Enable disk I/O Stake in observation of events , And mount one by bitesize Tool defined BPF Program .

  2. In kernel , For every event : function BPF Program . It just gets byte fields , And save it to a custom BPF Histogram mapping data structure .

3. In user space : Read once BPF Histogram mapping table and output results .

This process avoids the cost of copying events to user space and processing them again , It also avoids copying unused metadata fields . As shown in the previous program output screenshot , The only data that needs to be copied to user space is “count” Column , It's an array of numbers .

▊ BPF Compared with kernel module

There's another way to understand BPF Advantages in observability : Compare it to the kernel module .

kprobes And tracking points have been around for years , You can use it directly from a loadable kernel module . Compared to using kernel modules , Use BPF The advantages of tracking are as follows :

● BPF The program will pass the verifier security check ; Kernel modules may introduce bug( Kernel crash ) Or security holes .

● BPF Provide rich data structure support through mapping .

● BPF The program can be compiled at one time , And then run anywhere , because BPF Instruction set 、 Mapping table structure 、 Auxiliary functions and related infrastructure are stable ABI.( Of course , There are some BPF The program contains unstable factors , Like using kprobes To see the kernel data structure , This will affect BPF The stability of the program itself )

● BPF Program compilation does not depend on the intermediate result of kernel compilation process .

● Compared with the amount of work required to develop kernel modules ,BPF Programming is easier to learn , We can get more people to use it .

Please note that , In the field of network application BPF There are additional benefits , Including atomic substitution BPF The ability of the program . If using kernel module , You need to uninstall it completely from the kernel first , And then load again , This may lead to service disruption .

One of the benefits of using kernel modules is : Other kernel functions and kernel facilities can be used in the module , Not limited to BPF Auxiliary functions provided .

however , If the ability to call any kernel function is abused , It also brings in bug The extra risk of .

writing : Blog views | from :InfoQ [ Take it with you !Python 3.9 Official Chinese documents , Time limited collection !] (

[ Time limit ! Quick collar !14 Zhang HD Python Quick reference table , It is necessary to improve efficiency !] (

[GitHub Star sign 3W+,80 individual Python Case study , Take you easy to play Python Study !] (

本文为[Love to learn]所创,转载请带上原文链接,感谢

  1. 【计算机网络 12(1),尚学堂马士兵Java视频教程
  2. 【程序猿历程,史上最全的Java面试题集锦在这里
  3. 【程序猿历程(1),Javaweb视频教程百度云
  4. Notes on MySQL 45 lectures (1-7)
  5. [computer network 12 (1), Shang Xuetang Ma soldier java video tutorial
  6. The most complete collection of Java interview questions in history is here
  7. [process of program ape (1), JavaWeb video tutorial, baidu cloud
  8. Notes on MySQL 45 lectures (1-7)
  9. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  10. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  11. 精进 Spring Boot 03:Spring Boot 的配置文件和配置管理,以及用三种方式读取配置文件
  12. Refined spring boot 03: spring boot configuration files and configuration management, and reading configuration files in three ways
  13. 【递归,Java传智播客笔记
  14. [recursion, Java intelligence podcast notes
  15. [adhere to painting for 386 days] the beginning of spring of 24 solar terms
  16. K8S系列第八篇(Service、EndPoints以及高可用kubeadm部署)
  17. K8s Series Part 8 (service, endpoints and high availability kubeadm deployment)
  18. 【重识 HTML (3),350道Java面试真题分享
  19. 【重识 HTML (2),Java并发编程必会的多线程你竟然还不会
  20. 【重识 HTML (1),二本Java小菜鸟4面字节跳动被秒成渣渣
  21. [re recognize HTML (3) and share 350 real Java interview questions
  22. [re recognize HTML (2). Multithreading is a must for Java Concurrent Programming. How dare you not
  23. [re recognize HTML (1), two Java rookies' 4-sided bytes beat and become slag in seconds
  24. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  25. RPC 1: how to develop RPC framework from scratch
  26. 造轮子系列之RPC 1:如何从零开始开发RPC框架
  27. RPC 1: how to develop RPC framework from scratch
  28. 一次性捋清楚吧,对乱糟糟的,Spring事务扩展机制
  29. 一文彻底弄懂如何选择抽象类还是接口,连续四年百度Java岗必问面试题
  30. Redis常用命令
  31. 一双拖鞋引发的血案,狂神说Java系列笔记
  32. 一、mysql基础安装
  33. 一位程序员的独白:尽管我一生坎坷,Java框架面试基础
  34. Clear it all at once. For the messy, spring transaction extension mechanism
  35. A thorough understanding of how to choose abstract classes or interfaces, baidu Java post must ask interview questions for four consecutive years
  36. Redis common commands
  37. A pair of slippers triggered the murder, crazy God said java series notes
  38. 1、 MySQL basic installation
  39. Monologue of a programmer: despite my ups and downs in my life, Java framework is the foundation of interview
  40. 【大厂面试】三面三问Spring循环依赖,请一定要把这篇看完(建议收藏)
  41. 一线互联网企业中,springboot入门项目
  42. 一篇文带你入门SSM框架Spring开发,帮你快速拿Offer
  43. 【面试资料】Java全集、微服务、大数据、数据结构与算法、机器学习知识最全总结,283页pdf
  44. 【leetcode刷题】24.数组中重复的数字——Java版
  45. 【leetcode刷题】23.对称二叉树——Java版
  46. 【leetcode刷题】22.二叉树的中序遍历——Java版
  47. 【leetcode刷题】21.三数之和——Java版
  48. 【leetcode刷题】20.最长回文子串——Java版
  49. 【leetcode刷题】19.回文链表——Java版
  50. 【leetcode刷题】18.反转链表——Java版
  51. 【leetcode刷题】17.相交链表——Java&python版
  52. 【leetcode刷题】16.环形链表——Java版
  53. 【leetcode刷题】15.汉明距离——Java版
  54. 【leetcode刷题】14.找到所有数组中消失的数字——Java版
  55. 【leetcode刷题】13.比特位计数——Java版
  56. oracle控制用户权限命令
  57. 三年Java开发,继阿里,鲁班二期Java架构师
  58. Oracle必须要启动的服务
  59. 万字长文!深入剖析HashMap,Java基础笔试题大全带答案
  60. 一问Kafka就心慌?我却凭着这份,图灵学院vip课程百度云