Exploring a Language Runtime with Bpftrace

Published on: 2025-06-08 12:46:55

So I have been having quite a bit of fun learning about eBPF. It’s been on my todo list for like two or three years, but I’ve finally made the time to actually start to figure it out, and have already found some neat stuff, and had to do some fun hacking.

Let’s set the stage. eBPF is an instrumentation and tracing system built into Linux (and Windows these days!). The general thrust of it is that you provide the kernel with some bytecode, which it verifies, then executes in kernel context. You’re able to collect all sorts of information via this bytecode, which then can be dumped out. There are multiple ways to get BPF bytecode into the kernel, but I’m going to talk about bpftrace, which provides an awk-like language for writing BPF programs.

Now, there’s a fair amount of reasonably comprehensive documentation about bpftrace so I’ll give only the tiniest intro, and then get into some of the problems I’ve been curious about and the solutions I’ve built around BPF to get answers. Y ...