当前位置：首页 > news >正文

bpftrace 中使用 bpf_trace_printk

news 2025/5/9 22:00:43

bpf_trace_printk

bcc 中可以通过 bpf_trace_printk 来打印输出 , 同时有个非常有用的功能, 同时输出到 /sys/kernel/tracing/trace 文件中
比如bcc代码

// read_trace.c（eBPF 内核态代码）
#include <vmlinux.h>
#include <bpf/bpf_helpers.h>// 跟踪 sys_read 进入事件
SEC("tracepoint/syscalls/sys_enter_read")
int tracepoint_sys_enter_read(struct trace_event_raw_sys_enter *ctx) {long fd = ctx->args[0];    // 第一个参数：文件描述符long count = ctx->args[2]; // 第三个参数：读取字节数// 使用 bpf_trace_printk 输出调试信息bpf_trace_printk("sys_read: fd=%d, count=%ld\n", fd, count);return 0;
}char _license[] SEC("license") = "GPL";

问题?

我想通过 bpftrace 将内核中采集的数据实时输出到trace_pipe 文件, 然后随着 perfetto 运行,最终输出到 perfetto中去, 方便后续做 ebpf采集的数据通过perfetto可视化.

但是 bpftrace工具没有 bpf_trace_printk 这个工具, 这样就需要稍微麻烦些写bcc代码.
后续发现其实 bpftrace中有一个命令 debugf 可以输出日志到 trace_pipe 中去

参考此 issue Add support for bpf_trace_printk

demo

root@ubuntu:/usr/sbin# cat ./execsnoop.bt 
#!/usr/bin/env bpftrace
/** execsnoop.bt   Trace new processes via exec() syscalls.*                For Linux, uses bpftrace and eBPF.** This traces when processes call exec(). It is handy for identifying new* processes created via the usual fork()->exec() sequence. Note that the* return value is not currently traced, so the exec() may have failed.** TODO: switch to tracepoints args. Support more args. Include retval.** This is a bpftrace version of the bcc tool of the same name.** 15-Nov-2017  Brendan Gregg Created this.* 11-Sep-2018     "     "    Switched to use join().*/#ifndef BPFTRACE_HAVE_BTF
#include <linux/sched.h>
#endifBEGIN
{printf("%-15s %-7s %-7s %s\n", "TIME", "PID", "PPID", "ARGS");
}tracepoint:syscalls:sys_enter_exec*
{$task = (struct task_struct *)curtask;printf("%15s %-7d %-7d ", strftime("%H:%M:%S.%f", nsecs), pid, $task->real_parent->pid);debugf("%15s %-7d %-7d ", strftime("%H:%M:%S.%f", nsecs), pid, $task->real_parent->pid);join(args.argv);
}
root@ubuntu:/usr/sbin# 
root@ubuntu:/usr/sbin# 
root@ubuntu:/usr/sbin# 
root@ubuntu:/usr/sbin# 
root@ubuntu:/usr/sbin# 
root@ubuntu:/usr/sbin# 
root@ubuntu:/usr/sbin# ./execsnoop.bt 
./execsnoop.bt:31:2-89: WARNING: The debugf() builtin is not recommended for production use. For more information see bpf_trace_printk in bpf-helpers(7).debugf("%15s %-7d %-7d ", strftime("%H:%M:%S.%f", nsecs), pid, $task->real_parent->pid);~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Attaching 3 probes...
TIME            PID     PPID    ARGS
18:17:17.673759 14314   2529    /bin/sh -c which ps
18:17:17.675398 14315   14314   which ps
18:17:17.677677 14316   2529    /bin/sh -c /usr/bin/ps -ax -o pid=,ppid=,pcpu=,pmem=,command=
18:17:17.678727 14317   14316   /usr/bin/ps -ax -o pid=,ppid=,pcpu=,pmem=,command=
18:17:17.690633 14318   2529    /bin/sh -c "/home/lucas/.vscode-server/cli/servers/Stable-2fc07b811f760549dab9be9d2bedd06c51dfcb9a/server/out/vs/base/node/cpuUsage.sh" 2589 11178 11179 11180 11181 14305
18:17:17.691955 14319   14318   /home/lucas/.vscode-server/cli/servers/Stable-2fc07b811f760549dab9be9d2bedd06c51dfcb9a/server/out/vs/base/node/cpuUsage.sh 2589 11178 11179 11180 11181 14305
18:17:17.693714 14320   14319   sed -n s/^cpu\s//p /proc/stat
18:17:17.695494 14321   14319   cat /proc/2589/stat
18:17:17.697076 14322   14319   cat /proc/11178/stat
18:17:17.698526 14323   14319   cat /proc/11179/stat
18:17:17.699908 14324   14319   cat /proc/11180/stat

然后再 trace_pipe 中

root@ubuntu:/sys/kernel/tracing# cat trace_pipesed-11694   [006] ...21  1142.986227: bpf_trace_printk:                11694   11680   cat-11695   [005] ...21  1142.988071: bpf_trace_printk:                11695   11680   cat-11697   [004] ...21  1142.989799: bpf_trace_printk:                11697   11680   node-11699   [003] ...21  1143.063668: bpf_trace_printk:                11699   2529    sh-11700   [003] ...21  1143.065349: bpf_trace_printk:                11700   11699   node-11701   [003] ...21  1143.068664: bpf_trace_printk:                11701   2529    sh-11702   [003] ...21  1143.070832: bpf_trace_printk:                11702   11701   node-11703   [003] ...21  1143.081343: bpf_trace_printk:                11703   2529    sh-11704   [003] ...21  1143.082961: bpf_trace_printk:                11704   11703   cpuUsage.sh-11705   [003] ...21  1143.085420: bpf_trace_printk:                11705   11704   cpuUsage.sh-11706   [003] ...21  1143.087973: bpf_trace_printk:                11706   11704   cpuUsage.sh-11707   [003] ...21  1143.090004: bpf_trace_printk:                11707   11704