BPF is one of the major innovations in Linux systems technology of recent years. As a key development in the Linux kernel, it is as important as virtualization, containers, and SDN.

BPF works in a very interesting way: end users define filter expressions using the instruction set of the BPF virtual machine (also called BPF bytecode) and pass them to the kernel, where an interpreter executes them. This allows packet filtering to happen directly in the kernel, avoiding a copy of every packet to a user-mode process, which improves filtering performance; tcpdump(8) works this way.

BPF also provides safety, because a user-defined filter must pass a safety verification before it is executed. Packet filtering had to be performed in kernel space from the start, so safety was a hard and fast requirement. The figure below shows how all of this fits together.

Figure: tcpdump and BPF

Running tcpdump(8) with the -d command line option prints the BPF instructions that the filter expression compiles to.
▊ Classic BPF and extended BPF
The original BPF is now called "classic BPF". It is a virtual machine with limited capabilities: two registers, a scratch memory area of 16 slots, and a program counter, all operating on 32-bit registers. Classic BPF arrived in Linux in 1997, in kernel version 2.1.75.

Alexei Starovoitov then created extended BPF (eBPF). This was the first major update to BPF in 20 years, and it moved BPF toward being a general-purpose virtual machine.

Although BPF is often called a virtual machine, that usually refers to its specification. The actual implementation of BPF in Linux (the runtime) also includes an interpreter and a JIT compiler that compiles the bytecode into native instructions.

"Virtual machine" suggests another machine layer running on top of the processor, but that is not how BPF executes. JIT-compiled code runs directly on the processor like any other native kernel code. Note that after the Spectre vulnerabilities were disclosed, some distributions enabled the JIT by default on the x86 architecture and removed the interpreter implementation from the kernel entirely (the relevant code is excluded through conditional compilation).

Extended BPF added more registers, increased the word size from 32 to 64 bits, created flexible BPF map storage (maps), and allowed calling a restricted set of kernel functions. It was also designed with just-in-time compilation (JIT) in mind, so that its instructions and registers map one-to-one onto the machine's; this lets existing native instruction optimization techniques be reused for BPF. The BPF verifier was updated to support these extensions and rejects any unsafe code.

The differences between classic BPF and extended BPF are as follows.

In the earliest patches, extended BPF was abbreviated eBPF, but in development discussions today it is simply called BPF.
The architecture of the Linux BPF runtime and its modules is shown in the figure below.

Figure: Internal structure of the BPF runtime
The figure shows how BPF instructions pass through the BPF verifier and are then executed by the BPF virtual machine.

The BPF virtual machine implementation includes both an interpreter and a JIT compiler; the JIT compiler generates machine instructions that the processor executes directly. The verifier rejects unsafe operations, including checking for unbounded loops: a BPF program must complete in bounded time.

BPF programs can use helper functions to read kernel state and BPF maps for storage. A BPF program runs when a specific event occurs, including kprobes, uprobes, and tracepoints.
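The two pieces described above, the bytecode a user program hands to the kernel (as tcpdump -d shows it) and the verifier that checks it before the interpreter runs it, can be demonstrated with a toy. The following is an added example, not code from the article or from the kernel: a miniature classic-BPF interpreter in Python with a static check modelled on the kernel's classic-BPF rules (forward-only in-range jumps so every program terminates, a final return, scratch slots within the 16 available, bounded length). The program it runs is the `ip and tcp` filter in the same instruction order tcpdump -d lists it; the tuple encoding, the `ldm` mnemonic, and the 34-byte stub frames are this example's own constructions.

```python
# Added example (not from the article or the kernel): a toy classic-BPF
# interpreter plus a static checker in the spirit of the kernel's classic-BPF
# verification. Encoding: (op, k, jt, jf) tuples with absolute jump targets;
# mnemonics follow tcpdump -d where they exist, "ldm" (load scratch slot) is
# this example's own name.

MAX_INSNS = 4096   # BPF_MAXINSNS: kernel limit on classic BPF program length
MEM_WORDS = 16     # BPF_MEMWORDS: number of 32-bit scratch memory slots
COND_JUMPS = {"jeq", "jgt"}
KNOWN_OPS = {"ldb", "ldh", "ld", "and", "st", "ldm", "ret", "ja"} | COND_JUMPS

# The filter 'ip and tcp', in the order tcpdump -d lists it: EtherType at
# byte 12 must be IPv4, then the IPv4 protocol byte at offset 23 must be TCP.
IP_AND_TCP = [
    ("ldh", 12, 0, 0),         # A = 16-bit EtherType
    ("jeq", 0x0800, 2, 5),     # IPv4? continue at 2, else reject at 5
    ("ldb", 23, 0, 0),         # A = IPv4 protocol field
    ("jeq", 0x06, 4, 5),       # TCP? accept at 4, else reject at 5
    ("ret", 262144, 0, 0),     # accept: capture up to 262144 bytes
    ("ret", 0, 0, 0),          # reject
]

# A program that would spin forever: the checker must refuse it.
LOOPING = [("ldb", 0, 0, 0), ("ja", 0, 0, 0)]


def verify(prog):
    """Return None if the program is accepted, else a string naming the defect.
    Mirrors the classic-BPF rules that guarantee termination and memory safety:
    bounded length, forward-only in-range jumps, valid scratch slots, final ret."""
    n = len(prog)
    if not 0 < n <= MAX_INSNS:
        return "program is empty or exceeds BPF_MAXINSNS"
    for pc, (op, k, jt, jf) in enumerate(prog):
        if op not in KNOWN_OPS:
            return f"insn {pc}: unknown opcode {op!r}"
        targets = (jt, jf) if op in COND_JUMPS else (k,) if op == "ja" else ()
        for t in targets:
            # Jumps may only go forward, so no path can revisit an instruction:
            # this is how classic BPF rules out unbounded loops.
            if not pc < t < n:
                return f"insn {pc}: jump target {t} is not a forward, in-range target"
        if op in ("st", "ldm") and not 0 <= k < MEM_WORDS:
            return f"insn {pc}: scratch slot {k} outside M[0..{MEM_WORDS - 1}]"
    if prog[-1][0] != "ret":
        return "last instruction must be ret"
    return None


def run(prog, pkt):
    """Interpret a verified program over one packet. Returns the number of
    bytes to capture; 0 means the packet is rejected. A load that reaches past
    the end of the packet rejects it, as the kernel interpreter does."""
    A = 0
    M = [0] * MEM_WORDS
    pc = 0
    while True:  # terminates because verify() allowed only forward jumps
        op, k, jt, jf = prog[pc]
        pc += 1
        if op in ("ldb", "ldh", "ld"):
            width = {"ldb": 1, "ldh": 2, "ld": 4}[op]
            if k + width > len(pkt):
                return 0
            A = int.from_bytes(pkt[k:k + width], "big")
        elif op == "and":
            A &= k
        elif op == "st":
            M[k] = A
        elif op == "ldm":
            A = M[k]
        elif op == "jeq":
            pc = jt if A == k else jf
        elif op == "jgt":
            pc = jt if A > k else jf
        elif op == "ja":
            pc = k
        elif op == "ret":
            return k


def frame(ethertype, proto):
    """Constructed 34-byte Ethernet + IPv4 header stub. Only bytes 12-13
    (EtherType) and 23 (protocol) carry meaningful values."""
    buf = bytearray(34)
    buf[12:14] = ethertype.to_bytes(2, "big")
    buf[23] = proto
    return bytes(buf)


TCP_FRAME = frame(0x0800, 6)    # IPv4 carrying TCP
UDP_FRAME = frame(0x0800, 17)   # IPv4 carrying UDP
ARP_FRAME = frame(0x0806, 0)    # not IPv4 at all


def filter_or_reject(prog, pkt):
    """Attach-time check followed by one execution over a packet."""
    problem = verify(prog)
    if problem is not None:
        raise ValueError(f"verifier rejected program: {problem}")
    return run(prog, pkt)


if __name__ == "__main__":
    for name, pkt in [("tcp", TCP_FRAME), ("udp", UDP_FRAME), ("arp", ARP_FRAME)]:
        print(name, "->", filter_or_reject(IP_AND_TCP, pkt))
    print("looping program:", verify(LOOPING))
```

The point to notice is the division of labour: the user-supplied bytecode decides what to keep, but the kernel only runs it after the static checks pass, and the interpreter itself never trusts an offset, rejecting the packet rather than reading past its end. Extended BPF keeps the same shape with a far more capable verifier, which is why the same safety argument carries over to tracing programs.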
Now, why do performance tools need BPF?

▊ Why performance tools need BPF
Performance tools use extended BPF for programmability. A BPF program can perform user-defined latency calculations, statistical summaries, and other functions. Those features alone would make BPF an interesting tool.

But many tracing tools have those capabilities. What makes BPF different is that it is also efficient and safe enough for production use, and it is built into the Linux kernel.

With BPF, you can run these tools directly in production without adding new kernel components.

Let's look at how performance tools use BPF, through one tool's output and a diagram.

The output in this example comes from bitehist, a BPF tool released earlier by performance expert Gregg; it shows the distribution of disk I/O sizes as a histogram.
The following figure shows the histogram generation process before and after using BPF.

Figure: Comparison of the histogram generation process before and after BPF
The key change is that the histogram is generated in kernel context, which greatly reduces the amount of data that must be copied to user space. The efficiency gain is large enough that the tool's overhead drops to a level where it can be run directly in production.

Before BPF, the best available procedure for producing this summary was:

1. In the kernel: enable instrumentation of disk I/O events.
2. In the kernel, for each event: write a record to the perf buffer. If tracepoints are used (the recommended way), the record contains several metadata fields about the disk I/O.
3. In user space: periodically copy the buffer contents for all events into user space.
4. In user space: walk each event, parsing the bytes field out of the event metadata; the other fields are ignored.
5. In user space: generate a histogram summary of the bytes field.

Steps 2 to 4 are very costly on high-I/O systems. Imagine copying 10,000 disk I/O trace records into a user-space program and parsing them to produce the summary, once every second.

With BPF, the bitesize procedure becomes:

1. In the kernel: enable instrumentation of disk I/O events and attach the BPF program defined by the bitesize tool.
2. In the kernel, for each event: run the BPF program. It just fetches the bytes field and saves it into a custom BPF histogram map.
3. In user space: read the BPF histogram map once and print the result.

This avoids the cost of copying events to user space and processing them again, and it also avoids copying the unused metadata fields. As the program output shown earlier illustrates, the only data that must be copied to user space is the "count" column, which is an array of numbers.
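To make the difference between the two procedures measurable, here is an added example that simulates both pipelines on constructed block I/O events. It is not the article's code and not Gregg's bitehist/bitesize; the 28-byte per-event record layout, the 32-slot histogram size and the mix of I/O sizes are this example's assumptions. The power-of-two bucketing is the same idea the in-kernel program uses for a log2 histogram map.

```python
# Added example, not from the article or from Gregg's bitehist/bitesize: a
# simulation of the two histogram pipelines on constructed block I/O events,
# so the copy volume and the bucketing can be checked. The record layout and
# the 32-slot histogram size are this example's assumptions.
import random
import struct

# Assumed per-event record as a perf buffer might carry it: timestamp, pid,
# device, sector, bytes. Only 'bytes' is needed for the histogram.
EVENT_FMT = "<QIIQI"
EVENT_SIZE = struct.calcsize(EVENT_FMT)   # 28 bytes
SLOTS = 32


def log2_bucket(v):
    """Power-of-two bucket index: 0 -> 0, 1 -> 1, 2..3 -> 2, 4..7 -> 3, ...
    The same idea as the log2 helper BCC uses for its histogram maps."""
    return v.bit_length()


def constructed_events(n, seed=1):
    """Constructed sample events with a plausible mix of I/O sizes."""
    rng = random.Random(seed)
    sizes = [512, 4096, 8192, 16384, 65536, 131072]
    return [(i * 1000, 4242, 0x800000, i * 8, rng.choice(sizes)) for i in range(n)]


def before_bpf(events):
    """Pre-BPF pipeline: every event leaves the kernel as a full record and the
    histogram is built in user space. Returns (histogram, bytes copied)."""
    # kernel side: one record per event into the perf buffer
    buffer = b"".join(struct.pack(EVENT_FMT, *ev) for ev in events)
    # user side: copy the whole buffer, walk it, parse only the bytes field
    hist = [0] * SLOTS
    for off in range(0, len(buffer), EVENT_SIZE):
        _ts, _pid, _dev, _sector, nbytes = struct.unpack_from(EVENT_FMT, buffer, off)
        hist[log2_bucket(nbytes)] += 1
    return hist, len(buffer)


def with_bpf(events):
    """BPF pipeline: the per-event program updates a fixed-size histogram map
    in the kernel; user space reads the counts array once."""
    hist_map = [0] * SLOTS                          # stands in for the BPF map
    for ev in events:                               # runs per event, kernel context
        hist_map[log2_bucket(ev[4])] += 1
    counts = struct.pack(f"<{SLOTS}Q", *hist_map)   # the only copy to user space
    return list(struct.unpack(f"<{SLOTS}Q", counts)), len(counts)


def render(hist, width=40):
    """Text histogram in the style of bitehist: one line per non-empty bucket."""
    peak = max(hist) or 1
    lines = []
    for b, count in enumerate(hist):
        if count:
            lo = 0 if b == 0 else 1 << (b - 1)
            hi = (1 << b) - 1
            bar = "*" * (width * count // peak)
            lines.append(f"{lo:>8} -> {hi:<8}: {count:<7}|{bar:<{width}}|")
    return "\n".join(lines)


if __name__ == "__main__":
    events = constructed_events(10000)
    hist_a, copied_a = before_bpf(events)
    hist_b, copied_b = with_bpf(events)
    assert hist_a == hist_b
    print(render(hist_b))
    print(f"bytes copied to user space: before BPF {copied_a}, with BPF {copied_b}")
```

Both pipelines produce the identical histogram, but for 10,000 events the first one moves 280,000 bytes of records across the kernel boundary and parses every one of them, while the second moves a 256-byte counts array regardless of how many events occurred. That fixed, event-count-independent cost is what lets the BPF version run continuously on a busy production system.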
▊ BPF compared with kernel modules

Another way to understand BPF's advantages for observability is to compare it with kernel modules.

kprobes and tracepoints have been around for years, and they can be used directly from a loadable kernel module. Compared with kernel modules, tracing with BPF has the following advantages:

● BPF programs pass the verifier's safety checks; kernel modules may introduce bugs (kernel crashes) or security vulnerabilities.
● BPF provides rich data structure support through maps.
● BPF programs can be compiled once and run anywhere, because the BPF instruction set, map structures, helper functions, and related infrastructure are a stable ABI. (Of course, some BPF programs contain unstable elements, such as using kprobes to read kernel data structures, and that affects the stability of the BPF program itself.)
● BPF program compilation does not depend on intermediate products of the kernel build process.
● Compared with the effort required to develop kernel modules, BPF programming is easier to learn, so more people can use it.

Note that in networking, BPF has additional benefits, including the ability to atomically replace a BPF program. With a kernel module, you first have to unload it from the kernel completely and then load it again, which can cause a service interruption.

One benefit of kernel modules is that they can use other kernel functions and facilities, not only the helper functions BPF provides.

However, if the ability to call any kernel function is abused, it also brings the extra risk of bugs.
Source: InfoQ