node_bpfcc

public
17 stars
2 forks
2 issues

Commits

List of commits on branch master.
Unverified
791520bed95fff1f0c71dd8f2f41e7594f9fa1a9

upgrade dependencies, typescript, typedoc, jest, ts-node

mmildsunrise committed 3 years ago
Unverified
5989d18eaaab1c6c9a459ad912b9333e562d2ab8

package-lock version 2

mmildsunrise committed 3 years ago
Verified
5bef37b214e607b72432fb6c6bce65977f8325cd

📝 README: mention distro compatibility

mmildsunrise committed 3 years ago
Verified
67528238cebb76d794e19903b07d275c856a947e

typo in README

mmildsunrise committed 4 years ago
Verified
2b7398dcbfa48d77761cb6c5bcbef1b13ab54891

typo in README

mmildsunrise committed 4 years ago
Unverified
d7f9f30b2c6423d1e7149d8cfd86c7f259ec6a7b

📦 release 1.0.2

mmildsunrise committed 4 years ago

README

The README file for this repository.

bpfcc

Node.js frontend (aka bindings) for iovisor's BPF Compiler Collection (BCC).

💡 Examples  •  📚 API reference

Usage

Installing

First you need to install BCC on your system. For modern distros (Ubuntu 20.04+) you can use the repository packages. You don't need to install everything, only the C library & development files; for instance, on Ubuntu the following should be enough:

sudo apt install libbpfcc-dev

Then install this module and bpf, which is required as a peer dependency:

npm install bpfcc bpf

Loading & attaching programs

To use it, first pass your program to load or loadSync to compile it:

const { loadSync } = require('bpfcc')

const bpf = loadSync(`
    #include <uapi/linux/ptrace.h>
    #include <linux/blkdev.h>

    BPF_HISTOGRAM(dist);
    BPF_HISTOGRAM(dist_linear);

    int kprobe__blk_account_io_done(struct pt_regs *ctx, struct request *req) {
        dist.increment(bpf_log2l(req->__data_len / 1024));
        dist_linear.increment(req->__data_len / 1024);
        return 0;
    }
`)

Then you need to load & attach your functions to kernel events using the attach* methods:

bpf.attachKprobe('blk_account_io_done', 'kprobe__blk_account_io_done')

Note: By default, functions starting with prefixes like kprobe__ are automatically detected and attached, so the above isn't necessary in this case.

At a later point, if you no longer need it, you can use bpf.detachAll() to detach and unload everything from the kernel. If you don't, it might get called by the GC at some point, but it's not recommended to rely on this.

Accessing maps

Once tracing has started, we can communicate with our eBPF program by accessing its maps (using the get*Map methods). In our case we have two array maps, with uint32 values:

const dist = bpf.getRawArrayMap('dist')
const distLinear = bpf.getRawArrayMap('dist_linear')

// Retrieve current values & parse them
const ys = [...dist].map(x => x.readUInt32LE(0))
console.log(ys)

getRaw*Map methods provide a raw interface which returns Buffers, so we had to parse the values ourselves. But there are also high-level versions that take a conversion object. For convenience, bpf provides a conversion for uint32, so we can write:

const { u32type } = require('bpf')

const dist = bpf.getArrayMap('dist', u32type)
const distLinear = bpf.getArrayMap('dist_linear', u32type)

console.log( [...dist] )

Refer to the bpf module for details on the interface.

The full source code of this example is in bitehist.ts. Remember that you'll probably need root privileges to run it.
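Added example (not part of the bpfcc README or project code): decoding the raw Buffers of a log2 histogram map such as dist and rendering its buckets, run here on constructed values so it works without BCC or root. The function names and sample counts are hypothetical, and the bucket ranges assume that slot i covers 2^(i-1) to 2^i - 1, with slot 1 also taking 0, as in BCC's own log2 histogram output.

```javascript
// Raw array maps yield one Buffer per slot; this map's values are LE uint32.
// Reject short values up front so a bad slot is reported by its index.
function parseU32Slots(rawSlots) {
    return rawSlots.map((buf, i) => {
        if (!Buffer.isBuffer(buf) || buf.length < 4)
            throw new TypeError(`slot ${i}: expected a Buffer of >= 4 bytes`)
        return buf.readUInt32LE(0)
    })
}

// Assumption: slot i (i >= 1) counts values in [2^(i-1), 2^i - 1] and slot 1
// also absorbs 0, following the convention of BCC's log2 histogram output.
// 2 ** i is used instead of 1 << i, which overflows past slot 30.
function log2Buckets(counts) {
    let last = counts.length - 1
    while (last > 0 && counts[last] === 0) last--   // trim the empty tail
    const out = []
    for (let i = 1; i <= last; i++) {
        const low = i === 1 ? 0 : 2 ** (i - 1)
        out.push({ low, high: 2 ** i - 1, count: counts[i] })
    }
    return out
}

// Render buckets as text rows with a bar scaled to the largest count.
function renderHistogram(buckets, unit = 'kB', width = 40) {
    const max = Math.max(1, ...buckets.map(b => b.count))
    return buckets.map(b => {
        const bar = '*'.repeat(Math.round(b.count / max * width))
        const range = `${b.low} -> ${b.high}`.padStart(16)
        return `${range} ${unit} : ${String(b.count).padEnd(8)} |${bar.padEnd(width)}|`
    })
}

// Constructed sample standing in for [...bpf.getRawArrayMap('dist')]
const sampleCounts = [0, 1, 0, 12, 40, 7, 0, 0]
const sampleRaw = sampleCounts.map(n => {
    const b = Buffer.alloc(4)
    b.writeUInt32LE(n, 0)
    return b
})

const sampleBuckets = log2Buckets(parseU32Slots(sampleRaw))
console.log(renderHistogram(sampleBuckets).join('\n'))
```

With a live map, replace sampleRaw with the spread of the raw map from the snippet above; the unit is kB because the eBPF program divides __data_len by 1024.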

Troubleshooting

Remember that not all features may be available in the kernel you are running, even if they're present in the API and typings. Trying to use a non-available feature will generally result in an EINVAL error.

A reference of eBPF features and minimum kernel versions required for them can be found here.