Hi, I'm trying to learn how to use eBPF maps, so I tried to run the simple code I found in the BCC documentation.

```python
import os
import socket
import time
import logging
import signal
import sys
import zmq
import json
import yaml
import netifaces as ni
from bcc import BPF
from ctypes import *

b = BPF(src_file="tailcall_test.c")
tail_fn = b.load_func("tail_call", BPF.KPROBE)
prog_array = b.get_table("prog_array")
prog_array[c_int(2)] = c_int(tail_fn.fd)
b.attach_kprobe(event="some_kprobe_event", fn_name = "do_tail_call")
```

And here's the C code that I used, which is named tailcall_test.c:

```c
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <bcc/proto.h>
#include <linux/bpf.h>
#include <linux/kernel.h>
#include <uapi/linux/bpf.h>

BPF_PROG_ARRAY(prog_array, 10);

int tail_call(void *ctx) {
        bpf_trace_printk("tail-call\n");
        return 0;
}

int do_tail_call(void *ctx) {
        bpf_trace_printk("Original program\n");
        prog_array.call(ctx, 2);
        return 0;
}
```

I wasn't so sure which headers or libraries need to be included, so I dumped everything in there. Sorry about the dirty code :(

Anyway, it gives me this error when I try to run it:

```
cannot attach kprobe, probe entry may not exist
Traceback (most recent call last):
  File "tailcall_test.py", line 18, in <module>
    b.attach_kprobe(event="some_kprobe_event", fn_name = "do_tail_call")
  File "/usr/lib/python2.7/dist-packages/bcc/__init__.py", line 648, in attach_kprobe
    (fn_name, event))
Exception: Failed to attach BPF program do_tail_call to kprobe some_kprobe_event
```

Any help..? Thank you so much in advance.

Plus, if you guys have any recommendation to check on to learn how to use eBPF tail calls, I would really appreciate it if you guys would share them with me.

Thanks a lot in advance.

pchaigno
Rosè
  • I'd almost conclude that kernel doesn't have bpf compiled in, but that is probably premature. What I would do from here is to see if and which modules are compiled into the kernel and which are modules: `grep -i 'bpf' /boot/config-$(uname -r)` (Please substitute your own kernel version) –  Jun 30 '19 at 22:23
  • The results of the command are: `CONFIG_CGROUP_BPF=y CONFIG_BPF=y CONFIG_BPF_SYSCALL=y CONFIG_BPF_JIT_ALWAYS_ON=y CONFIG_NETFILTER_XT_MATCH_BPF=m CONFIG_NET_CLS_BPF=m CONFIG_NET_ACT_BPF=m CONFIG_BPF_JIT=y CONFIG_BPF_STREAM_PARSER=y CONFIG_LWTUNNEL_BPF=y CONFIG_HAVE_EBPF_JIT=y CONFIG_BPF_EVENTS=y CONFIG_TEST_BPF=m` and my kernel version is: 4.15.0-52-generic – Rosè Jun 30 '19 at 22:30
  • Have you looked at this: https://github.com/iovisor/bcc/issues/2071 ? –  Jun 30 '19 at 22:31
  • Oh, btw., you have to be root to get such kprobe access. –  Jun 30 '19 at 22:34
  • Oh, I did check the URL you added in the comment, but I didn't do root when I was running that code! And it solved the problem! Thank you so much for helping me out! I really appreciate it :D – Rosè Jun 30 '19 at 22:36
  • Glad it works. Have a nice day! –  Jun 30 '19 at 22:40
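
A preflight check that combines the two things the comments looked at (the BPF kernel options and root) with the "probe entry may not exist" hint from the error message, as an added example that is not part of the original thread. The function names, the choice of required options and the sample inputs are this example's assumptions; on a real host you would pass in the contents of `/boot/config-$(uname -r)` and `/proc/kallsyms`.

```python
import os
import re

# Options from the grep output in the comments that a kprobe-attached BPF
# program relies on (this selection is the example's assumption).
REQUIRED = ("CONFIG_BPF", "CONFIG_BPF_SYSCALL", "CONFIG_BPF_EVENTS")


def parse_kconfig(text):
    """Return {option: value} for every 'CONFIG_X=v' line; '# ... is not set' is skipped."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(.*)$", line.strip())
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def kallsyms_names(text):
    """Extract symbol names from 'addr type name [module]' lines."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            names.add(parts[2])
    return names


def preflight(config_text, kallsyms_text, event, euid):
    """Return reasons attach_kprobe() is likely to fail; empty list if none found."""
    problems = []
    if euid != 0:  # the fix found in the comments: run as root
        problems.append("not running as root")
    opts = parse_kconfig(config_text)
    for opt in REQUIRED:
        if opts.get(opt) != "y":
            problems.append("%s is not built in" % opt)
    # Heuristic only: a symbol can exist and still not be probeable.
    if event not in kallsyms_names(kallsyms_text):
        problems.append("no kernel symbol named %r" % event)
    return problems


# Constructed sample inputs (not captured from a real system).
SAMPLE_CONFIG = "CONFIG_BPF=y\nCONFIG_BPF_SYSCALL=y\nCONFIG_BPF_JIT=y\nCONFIG_BPF_EVENTS=y\nCONFIG_TEST_BPF=m\n"
SAMPLE_KALLSYMS = "0000000000000000 T do_sys_open\n0000000000000000 t bpf_prog_load\n"

if __name__ == "__main__":
    print(preflight(SAMPLE_CONFIG, SAMPLE_KALLSYMS, "some_kprobe_event", os.geteuid()))
```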

1 Answer

So I didn't have time to finish typing my answer before the cause of the issue was found by Roadowl in the comments :). Since there was a second part in the question about references for tail calls, and I have written that bit anyway, I post it just in case it can be helpful.

  • Just for future reference, bcc documentation has a paragraph on tail calls, but by the look of your code you found it already :).

  • If you want to understand how tail calls work, I would suggest having a look at Cilium's documentation, in particular the section on tail calls. Keep in mind that bcc provides some wrappers (such as the .call() function) that won't be covered in Cilium's doc, but it should help you understand what is happening under the hood anyway.

  • bcc itself does not seem to use tail calls a lot, I could only find one networking example that seems to use it (although I did not search thoroughly).

  • You can find some simple example programs using tail calls in the iproute2 repository (a simple one, one that loops). You can also find some in kernel samples or selftests: grep for tail_call.

casey ryan
Qeole
  • Thank you so much! I was trying to look for other codes I could reference to practice tail calls and wasn't really being successful on that, but now I know where to look :D Thanks again! – Rosè Jun 30 '19 at 22:58