Re: Help using libbpf with kernel 4.14

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Andrii,

I used BPF skeleton as you suggested, which did work with kernel 4.19
but not with 4.14.
I used the exact same program,  same environment, only changed the
kernel version.
The error message I get on 4.14:

libbpf: elf: skipping unrecognized data section(5) .rodata.str1.1
libbpf: failed to determine kprobe perf type: No such file or directory
libbpf: prog 'kprobe__do_sys_open': failed to create kprobe
'do_sys_open' perf event: No such file or directory
libbpf: failed to auto-attach program 'kprobe__do_sys_open': -2
failed to attach BPF programs: No such file or directory

As the program I made is small, I'm copying it here:

===========================================
#include <linux/version.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <uapi/linux/bpf.h>
#include <uapi/linux/ptrace.h>

struct bpf_map_def SEC("maps") open_fds = {
  .type = BPF_MAP_TYPE_LRU_HASH,
  .key_size = sizeof(int),
  .value_size = sizeof(int),
  .max_entries = 1024,
};

SEC("kprobe/do_sys_open")
int BPF_KPROBE(kprobe__do_sys_open)
{
  int err;

  u32 id = bpf_get_current_pid_tgid();
  int dfd = PT_REGS_PARM1(ctx);

  if ((err = bpf_map_update_elem(&open_fds, &id, &dfd, BPF_ANY))) {
    char log[] = "bpf_map_update_elem %d\n";
    bpf_trace_printk(log, sizeof(log), err);
    return 1;
  }

  return 0;
}

char LICENSE[] SEC("license") = "GPL";
==================================================

Can you think of a reason why this only happens on 4.14?

Thanks,
Yaniv

‫בתאריך יום ב׳, 28 בספט׳ 2020 ב-23:24 מאת ‪Andrii Nakryiko‬‏
<‪andrii.nakryiko@xxxxxxxxx‬‏>:‬
>
> On Mon, Sep 28, 2020 at 1:08 PM Yaniv Agman <yanivagman@xxxxxxxxx> wrote:
> >
> > ‫בתאריך יום ב׳, 28 בספט׳ 2020 ב-8:50 מאת ‪Andrii Nakryiko‬‏
> > <‪andrii.nakryiko@xxxxxxxxx‬‏>:‬
> > >
> > > On Fri, Sep 25, 2020 at 4:58 PM Yaniv Agman <yanivagman@xxxxxxxxx> wrote:
> > > >
> > > > Hello,
> > > >
> > > > I'm developing a tool which is now based on BCC, and would like to
> > > > make the move to libbpf.
> > > > I need the tool to support a minimal kernel version 4.14, which
> > > > doesn't have CO-RE.
> > >
> > > You don't need kernel itself to support CO-RE, you just need that
> > > kernel to have BTF in it. If the kernel is too old to have
> > > CONFIG_DEBUG_INFO_BTF config, you can still add BTF by running `pahole
> > > -J <path-to-vmlinux-image>`, if that's at all an option for your
> > > setup.
> > >
> >
> > Thanks, I didn't know that
> >
> > > >
> > > > I have read bcc-to-libbpf-howto-guide, and looked at the libbpf-tools of bcc,
> > > > but both only deal with newer kernels, and I failed to change them to
> > > > run with a 4.14 kernel.
> > > >
> > > > Although some of the bpf samples in the kernel source don't use CO-RE,
> > > > they all use bpf_load.h,
> > > > and have dependencies on the tools dir, which I would like to avoid.
> > >
> > > Depending on what exactly you are trying to achieve with your BPF
> > > application, you might not need BPF CO-RE, and using libbpf without
> > > CO-RE would be enough for your needs. This would be the case if you
> > > don't need to access any of the kernel data structures (e.g., all sort
> > > of networking BPF apps: TC programs, cgroup sock progs, XDP). But if
> > > you need to do anything tracing related (e.g., looking at kernel's
> > > task_struct or any other internal structure), then you have no choice
> > > and you either have to do on-the-target-host runtime compilation (BCC
> > > way) or relocations (libbpf + BPF CO-RE). This is because of changing
> > > memory layout of kernel structures.
> > >
> > > So, unless you can compile one specific version of your BPF code for a
> > > one specific version of the kernel, you need either BCC or BPF CO-RE.
> > >
> >
> > I'm working on a tracing application
> > (https://github.com/aquasecurity/tracee) which now uses bcc. We now
> > require a minimal kernel version 4.14, and bcc, but eventually we
> > would like to support CO-RE. I thought that we could do the move in
> > two steps. First moving to libbpf and keeping the 4.14 minimal
> > requirement, then adding CO-RE support in the future.
> > In order to do that, I thought of changing bcc requirement to clang
> > requirement, and compile the program once during installation on the
> > target host. This way we get the added value of fast start time
> > without the need to compile every time the program starts (like bcc
> > does), plus having an easier move to CO-RE in the future.
>
> Right, pre-compiling on the target machine with host kernel headers
> should work. So just don't use any of CO-RE features (no CO-RE
> relocations, no vmlinux.h), and it should just work.
>
> >
> > A problem that I encountered with kernel 4.14 and libbpf was that when
> > using bpf_prog_load (If I remember correctly), it returned an error of
> > invalid argument (-22). Doing a small investigation I saw that it
> > happened when trying to create bpf maps with names. Indeed I saw that
> > libbpf API changed between kernel 4.14 and 4.15 and the function
> > bpf_create_map_node now takes map name as an argument. Is there a way
> > to workaround this with kernel 4.14 and still use map names in
> > userspace to refer to bpf maps with libbpf?
>
> So we do run a few simple tests loading BPF programs (using libbpf) on
> 4.9 kernel, so map name should definitely not be a problem at all
> (libbpf is smart about detecting what's not supported in kernel and
> omitting non-essential things). It might be because of bpf_prog_load
> itself, which was long deprecated and you shouldn't use it for
> real-world applications. Please either use BPF skeleton or bpf_object
> APIs. It should just work, but if it doesn't please report back.
>
> >
> > > >
> > > > I would appreciate it if someone can help with a simple working
> > > > example of using libbpf on 4.14 kernel, without having any
> > > > dependencies. Specifically, I'm looking for an example makefile, and
> > > > to know how to load my bpf code with libbpf.
> > >
> > > libbpf-tools's Makefile would still work. Just drop dependency on
> > > vmlinux.h and include system headers directly, if necessary (and if
> > > you considered implications of kernel memory layout changes).
> > >
> >
> > Thanks, I'll try that
> >
> > > >
> > > > Thanks,
> > > > Yaniv




[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux