iovisor/bcc

update killsnoop to use tracepoints

Open

#3,592 created on August 27, 2021

(7 comments) (0 reactions) (1 assignee) C (22,409 stars) (4,051 forks) batch import
help wanted

Description

This is a request for help.

I wrote killsnoop back in 2015 before tracepoint support, and so I kprobe'd sys_kill(). It still does some derivation of that. But now there's a report it no longer works on Linux 5.11: https://github.com/iovisor/bcc/pull/3572#issuecomment-900357032 CC @chenhengqi

Can someone please update killsnoop (both Python and libbpf-tools) to use tracepoints instead of kprobes (if it works as expected)? All of these:

  syscalls:sys_enter_kill                            [Tracepoint event]
  syscalls:sys_enter_tgkill                          [Tracepoint event]
  syscalls:sys_enter_tkill                           [Tracepoint event]
  syscalls:sys_exit_kill                             [Tracepoint event]
  syscalls:sys_exit_tgkill                           [Tracepoint event]
  syscalls:sys_exit_tkill                            [Tracepoint event]
