ebpf Tooling and Debugging Infrastructure

Similar documents
ebpf Debugging Infrastructure Current Techniques and Additional Proposals

The Challenges of XDP Hardware Offload

ebpf Offload Getting Started Guide

Comprehensive BPF offload

XDP Hardware Offload: Current Work, Debugging and Edge Cases

On getting tc classifier fully programmable with cls bpf.

BPF Hardware Offload Deep Dive

A practical introduction to XDP

XDP For the Rest of Us

Host Dataplane Acceleration: SmartNIC Deployment Models

ebpf Offload to Hardware cls_bpf and XDP

Linux Network Programming with P4. Linux Plumbers 2018 Fabian Ruffy, William Tu, Mihai Budiu VMware Inc. and University of British Columbia

DPDK+eBPF KONSTANTIN ANANYEV INTEL

On getting tc classifier fully programmable with cls bpf.

Bringing the Power of ebpf to Open vswitch

Bringing the Power of ebpf to Open vswitch. Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.

SmartNIC Data Plane Acceleration & Reconfiguration. Nic Viljoen, Senior Software Engineer, Netronome

Accelerating VM networking through XDP. Jason Wang Red Hat

Open-NFP Summer Webinar Series: Session 4: P4, EBPF And Linux TC Offload

XDP: The Future of Networks. David S. Miller, Red Hat Inc., Seoul 2017

Rtnetlink dump filtering in the kernel Roopa Prabhu

Università Ca Foscari Venezia

Suricata Performance with a S like Security

Quick Introduction to ebpf & BCC Suchakrapani Sharma. Kernel Meetup (Reserved Bit, Pune)

18-600: Recitation #4 Exploits

Shell Code For Beginners

XDP in practice: integrating XDP into our DDoS mitigation pipeline

Accelerating Load Balancing programs using HW- Based Hints in XDP

Hardware accelerating Linux network functions Roopa Prabhu, Wilson Kok

An interface for programmable IPv6 Segment Routing network functions in Linux

What is an L3 Master Device?

XDP: 1.5 years in production. Evolution and lessons learned. Nikita V. Shirokov

Blanket Execution: Dynamic Similarity Testing for Program Binaries and Components

Comparing Open vswitch (OpenFlow) and P4 Dataplanes for Agilio SmartNICs

High Speed Packet Filtering on Linux

Download the tarball for this session. It will include the following files:

Download the tarball for this session. It will include the following files:

CS377P Programming for Performance Leveraging the Compiler for Performance

18-600: Recitation #4 Exploits (Attack Lab)

Efficient and Large Scale Program Flow Tracing in Linux. Alexander Shishkin, Intel

Lab 7 Linux Debugging. EECS 448: Software Engineering I Mark Calnon October 17, 2011

CS-220 Spring 2018 Test 2 Version Practice Apr. 23, Name:

Soumava Ghosh The University of Texas at Austin

CSE2421 Systems1 Introduction to Low-Level Programming and Computer Organization

Blossom Hands-on exercises for computer forensics and security. Buffer Overflow

RALPH BÖHME, SERNET, SAMBA TEAM UNDERSTANDING AND IMPROVING SAMBA FILESERVER PERFORMANCE HOW I FELL IN LOVE WITH SYSTEMTAP AND PERF

SmartNIC Programming Models

Programming Netronome Agilio SmartNICs

TraceLeft. A Configuration Driven ebpf Tracing Framework. Suchakra Sharma & Alban Crequy All Systems Go, 29th September 2018, Berlin

String Instructions In C Program Examples. Reverse >>>CLICK HERE<<<

JIT Code Generator for NetBSD. Alexander Nasonov EuroBSDCon 2014, Sofia

John A. Ronciak Staff Engineer NCG/NID/LAO Intel Corp.

ERSPAN in Linux. A short history and review. Presenters: William Tu and Greg Rose

Optimization Techniques

Binary Code Analysis: Concepts and Perspectives

This is an example C code used to try out our codes, there several ways to write this but they works out all the same.

CS377P Programming for Performance Single Thread Performance In-order Pipelines

SmartNIC Programming Models

Packet Sniffing and Spoofing

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Using ebpf for network traffic analysis. Samuele Sabella Luca Deri

Efficient JIT to 32-bit Arches

T Jarkko Turkulainen, F-Secure Corporation

Getting started. Roel Jordans

ebpf-based tracing tools under 32 bit architectures

Practical Malware Analysis

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

CS356: Discussion #8 Buffer-Overflow Attacks. Marco Paolieri

CSC 405 Computer Security Shellcode

Advanced IP Routing. Policy Routing QoS RVSP

6.828: OS/Language Co-design. Adam Belay

XDP in Practice DDoS Gilberto Bertin

The X86 Assembly Language Instruction Nop Means

CS356: Discussion #7 Buffer Overflows. Marco Paolieri

CS 161 Computer Security

Dynamic Binary Instrumentation: Introduction to Pin

An Evil Copy: How the Loader Betrays You

Userspace Application Tracing with Markers and Tracepoints

Containers and isolation as implemented in the Linux kernel

AN LLVM INSTRUMENTATION PLUG-IN FOR SCORE-P

Netfilter updates since last NetDev. NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso

Buffer Overflow Attack (AskCypert CLaaS)

Sandwiches for everyone

ECE 471 Embedded Systems Lecture 8

Android Kernel Security

Roadmap. Java: Assembly language: OS: Machine code: Computer system:

Where We Are. Lexical Analysis. Syntax Analysis. IR Generation. IR Optimization. Code Generation. Machine Code. Optimization.

CS Bootcamp x86-64 Autumn 2015

Tracing Lustre. New approach to debugging. ORNL is managed by UT-Battelle for the US Department of Energy

Netfilter updates since last NetDev. NetDev 2.2, Seoul, Korea (Nov 2017) Pablo Neira Ayuso

XDP now with REDIRECT

Virtual Switch Acceleration with OVS-TC

Function Call Convention


sottotitolo Network Administration Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani, Alessandro Barenghi

Combining ktls and BPF for Introspection and Policy Enforcement

Computer Systems C S Cynthia Lee

Programming NFP with P4 and C

Computer Systems C S Cynthia Lee

Black Box Debugging of Embedded Systems

Transcription:

ebpf Tooling and Debugging Infrastructure Quentin Monnet Fall ebpf Webinar Series 2018-10-09 Netronome 2018

Injecting Programs into the Kernel ebpf programs are usually compiled from C (or Go, Rust, Lua ) to ebpf bytecode They are injected into the kernel with the bpf() system call Safety and termination are ensured by the kernel verifier Programs can be JIT (Just-In-Time) compiled Once loaded, programs can be attached to a hook in the kernel (socket, TC, XDP ) Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 2/27

ebpf for Network Packet Processing C program LLVM Userspace ebpf bytecode bpf() syscall Kernel Verifier Host JIT NFP JIT ndo_bpf() Host CPU ndo_bpf() Hardware Agilio SmartNIC Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 3/27

Agenda Short reminder about ebpf infrastructure and program loading DONE Understand the basic tools available for working with ebpf Understand how to dump the ebpf instructions at the different stages of the process Learn how to avoid some common mistakes Learn where to find more resources for troubleshooting other issues Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 4/27

ebpf for Network Packet Processing C program LLVM Userspace ebpf bytecode bpf() syscall Kernel Verifier Host JIT NFP JIT ndo_bpf() Host CPU ndo_bpf() Hardware Agilio SmartNIC Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 5/27

From C to ebpf Bytecode: Tools Compile with clang $ clang -O2 -emit-llvm -c sample_ret0.c -o - \ llc -march=bpf -mcpu=probe -filetype=obj -o sample_ret0.o Dump with llvm-objdump (v4.0+) $ llvm-objdump -d -r -print-imm-hex sample_ret0.o sample_ret0.o: file format ELF64-BPF Disassembly of section.text: func: 0: b7 00 00 00 00 00 00 00 r0 = 0 1: 95 00 00 00 00 00 00 00 exit If -g is passed to clang, llvm-objdump -S can dump the original C code Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 6/27

From C to ebpf Bytecode: Common Mistakes Unroll loops next_iph_u16 = (u16 *)iph; #pragma clang loop unroll(full) for (i = 0; i < sizeof(*iph) >> 1; i++) csum += *next_iph_u16++; Force function inlining on older kernels (before v4.16) Functional errors will be detected only at load time by the verifier Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 7/27

From C to ebpf, in Two Steps: ebpf Assembly Compile from C to ebpf assembly file $ clang -target bpf -S -o sample_ret0.s sample_ret0.c $ cat sample_ret0.s.text.globl func # -- Begin function func.p2align 3 func: # @func # %bb.0: r0 = 0 exit # -- End function Hack Then compile from assembly to ebpf bytecode (LLVM v6.0+) $ clang -target bpf -c -o sample_ret0.o sample_ret0.s Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 8/27

ebpf for Network Packet Processing C program LLVM Userspace ebpf bytecode bpf() syscall Kernel Verifier Host JIT NFP JIT ndo_bpf() Host CPU ndo_bpf() Hardware Agilio SmartNIC Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 9/27

Loading ebpf Program TC hook: create a qdisc and attach the program as a filter, with tc # tc qdisc add dev eth0 clsact # tc filter add dev eth0 ingress bpf \ object-file bpf_program.o section.text direct-action # tc filter show dev eth0 ingress filter pref 49152 bpf chain 0 filter pref 49152 bpf chain 0 handle 0x1 sample_ret0.o:[.text] \ id 73 tag b07f8eff09a9a611 XDP: attach to the driver (or as generic XDP ) with ip link # ip -force link set dev eth0 xdp object sample_ret0.o section.text # ip link show dev eth0 11: eth0: <BROADCAST,NOARP> mtu 1500 xdpoffload qdisc noop state DOWN \ mode DEFAULT group default qlen 1000 link/ether 0e:41:b5:45:47:51 brd ff:ff:ff:ff:ff:ff prog/xdp id 74 tag 704bfda100a6df93 Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 10/27

Loading ebpf: Common Mistakes tc, ip: Error fetching program/map! Make sure to pass the correct section name (defaults to.text ) With tc, direct-action (da) option is recommended (mandatory for offload): makes TC consider return values as actions (pass, drop ) instead of queues id. RTNETLINK answers: Device or resource busy -force option with ip link to overwrite a program previously loaded Make sure your version of iproute2 is recent enough If in doubt, download and compile the latest version For offload: v4.18 (iproute2-ss180813) recommended for perf map support (see also Netronome ebpf Getting Started Guide) Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 11/27

The Kernel ebpf Verifier: Checking Programs for Safety The verifier performs many checks on control flow graph and individual instructions It complains about: Erroneous syntax (unknown instruction, incorrect usage for the instruction) Too many instructions or maps or branches Back edges (i.e. loops) in the control flow graph Unreachable instructions Jump out of range Out of bounds memory access (data or stack, including passing stack pointers to functions) Access to forbidden context fields (read or write) Reading access to non-initialized memory (stack or registers) Use of forbidden helpers for the current type of program Use of GPL helpers in non-gpl program (mostly tracing) R0 not initialized before exiting the program Memory access with incorrect alignment Missing check on result from map_lookup_elem() before accessing map element Problem: error messages are not always easy to understand. Examples Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 12/27

Extending Kernel ebpf Verifier for Offload The NFP driver hooks into the verifier to add its own checks, but output any error in the console just as the kernel verifier does Verifier Analysis: 0: (b7) r2 = 0x32 1: (07) r2 += -8 2: (b7) r1 = 0x0 3: (85) call 6 [nfp] unsupported function id: 6 Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 13/27

ebpf for Network Packet Processing C program LLVM Userspace ebpf bytecode bpf() syscall Kernel Verifier Host JIT NFP JIT ndo_bpf() Host CPU ndo_bpf() Hardware Agilio SmartNIC Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 14/27

JIT-compile ebpf Programs for the Hardware Most programs will be offloaded smoothly if they have passed the verifiers. Some error messages at JIT-compiling time cannot reuse the verifier buffer, they are sent to the kernel logs (in /var/log/kernel, or print with dmesg) [88613.915838] nfp 0000:04:00.0 nfp_p0: stack too large: program 576B > FW stack 512B Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 15/27

Program is Loaded: Introspection We have passed the verifier! The program is loaded in the kernel For map and program introspection: bpftool List maps and programs Load a program, pin it Dump program instructions (ebpf or JIT-ed) Dump and edit map contents etc. Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 16/27

Program is Loaded: Introspection (Program on the Host) Dump kernel-translated instructions # bpftool prog dump xlated id 4 0: (b7) r0 = 0 1: (95) exit Dump JIT-ed instructions # bpftool prog dump jited id 4 0: push %rbp 1: mov %rsp,%rbp 4: sub $0x28,%rsp b: sub $0x28,%rbp f: mov %rbx,0x0(%rbp) 13: mov %r13,0x8(%rbp) [...] 33: mov 0x18(%rbp),%r15 37: add $0x28,%rbp 3b: leaveq 3c: retq Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 17/27

Program is Loaded: Introspection (Offloaded Program) Dumping instructions of an offloaded program works exactly the same: # bpftool prog dump jited id 4 0:.0 immed[gprb_6, 0x3fff] 8:.1 alu[gprb_6, gprb_6, AND, *l$index1] 10:.2 immed[gpra_0, 0x0], gpr_wrboth 18:.3 immed[gpra_1, 0x0], gpr_wrboth 20:.4 br[.15000] [...] NFP support for disassembler available in latest version of libbfd (binutils-dev v2.31) Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 18/27

Attaching ebpf In our examples, attaching was actually performed by tc and ip link right after program load Netlink extended ack (extack) messages in the console Example: RTNETLINK answers: Device or resource busy Same thing for offloaded programs Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 19/27

Debugging at Runtime with bpf_trace_printk() ebpf helper bpf_trace_printk() prints to /sys/kernel/debug/tracing/trace const char fmt[] = First four bytes of packet: %x\n ; bpf_trace_printk(fmt, sizeof(fmt), *(uint32_t *)data); Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 20/27

Debugging at Runtime with Perf Events Also, support for perf event arrays, more efficient Example: dump data from packet struct bpf_map_def SEC( maps ) pa = {.type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,.key_size = sizeof(int),.value_size = sizeof(int),.max_entries = 64, }; int xdp_prog1(struct xdp_md *xdp) { int key = 0; bpf_perf_event_output(xdp, &pa, 0x20ffffffffULL, &key, 0); return XDP_PASS; } Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 21/27

Debugging at Runtime: Miscellaneous No ebpf debugger at this time User space interpreters: ubpf, rbpf (Minor differences, some features missing, no verifier) Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 22/27

Tools: ebpf Programming Environment Libraries for managing ebpf programs: libbpf (kernel tree, tools/lib/bpf), libbcc (bcc tools) strace: support for bpf() system call strace -e bpf ip link set dev nfp_p0 xdpoffload obj prog.o valgrind: upcoming version (3.14) with support for bpf() system call valgrind bpftool prog show Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 23/27

Next Steps for ebpf Tooling Netronome remains involved! We do or intend to Improve components Error messages Existing tool set Documentation Improve packaging bpftool libbpf Help keep tools up-to-date Create new tools? Thinking about ways to run ebpf in a debugger Maybe some work to do on the side of libpcap We are not alone: ebpf community increasing, more and more activity! Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 24/27

Summary ebpf programs do not run in user space: debugging is not trivial But: Tooling is getting better and better: more tools, more complete Possible to dump the instructions at all the stages of the process (llvm-obdjump, bpftool) Possible to get some output (bpf_trace_printk(), perf event maps) at runtime Debugging offloaded programs is nearly the same as for programs on the host Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 25/27

More resources Netronome s ebpf Getting Started Guide https://www.netronome.com/documents/305/ebpf-getting_started_guide.pdf Partial F.A.Q for verifier output: Kernel documentation (filter.txt) https://www.kernel.org/doc/documentation/networking/filter.txt Netronome s resources on ebpf https://www.netronome.com/technology/ebpf/ Netronome s sample ebpf applications https://github.com/netronome/bpf-samples Kernel source code https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/ Documentation on ebpf helper functions, generated from kernel comments https://github.com/iovisor/bpf-docs/blob/master/bpf_helpers.rst Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 26/27

The End Thank you! Fall ebpf Webinar Series ebpf Tooling and Debugging Infrastructure 27/27

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback