I'm new to eBPF. I want to change the kernel program attached to the same event from a user application, so I wrote the following code:

```python
#!/usr/bin/python
from bcc import BPF
import time
import sys

prog1 = """
int hello(void *ctx) {
    bpf_trace_printk("Hello world\\n");
    return 0;
}
"""

prog2 = """
int hello(void *ctx) {
    bpf_trace_printk("Hello hhh\\n");
    return 0;
}
"""

index = 1

while True:
    if index == 1:
        b = BPF(text=prog1)
        index = 2
    else:
        b = BPF(text=prog2)
        index = 1

    # attach the program to an event
    clone = b.get_syscall_fnname("clone")
    b.attach_kprobe(event=clone, fn_name="hello")
    line = b.trace_readline(nonblocking=False)
    print(line)
    sys.stdout.flush()
    time.sleep(3)
    # b.trace_print()
```

But the result is not what I expect. It seems that the kernel program doesn't change at all. Any help?

Nicholas
  • Not sure here, but BCC has a `b.detach_kprobe()` function. Have you tried detaching the former program before attaching a new one, maybe? – Qeole May 23 '22 at 08:28
  • Yes, I have tried, but it did not work. – Nicholas May 23 '22 at 08:38
  • So is it possible to change kernel program during runtime? – Nicholas May 23 '22 at 08:40
  • What do you mean “during runtime”? Removing an eBPF program attached to a probe to replace it with another? Yes, this should certainly be possible. Never tried to do it with BCC though, sorry :/ Do you get any helpful logs from anywhere? – Qeole May 23 '22 at 12:07
  • > Removing an eBPF program attached to a probe to replace it with another? Yes, definitely. – Nicholas May 23 '22 at 12:08
  • Could you give me some advice on other approaches to remove an eBPF program attached to a probe to replace it with another? – Nicholas May 23 '22 at 12:11
