
I am new to eBPF, kernel tracing, etc. I really just wanted a simple intro to eBPF while learning Rust / Aya eBPF tools / Solana blockchain.

My Windows version: Version 10.0.19043 Build 19043

Output of "wsl -l -v" is:

 NAME                   STATE           VERSION
* Ubuntu                 Stopped         2
  Ubuntu.22.04           Stopped         2
  docker-desktop         Stopped         2
  docker-desktop-data    Stopped         2
  Ubuntu.20.04           Stopped         2
  Ubuntu.21.04           Running         2

In Ubuntu:

EliezerC@Ubuntu2104:~
$ bpftrace --version
bpftrace v0.11.3

This works:

sudo bpftrace -e 'BEGIN { printf("hello world\n"); }'

No other single-line example works.

And,

EliezerC@Ubuntu2104:~
$ sudo ls -la /sys/kernel/debug/
total 0
dr-xr-xr-x  2 root root 0 Jul  2 16:36 .
drwxr-xr-x 12 root root 0 Jul  2 16:32 ..

Is it because kernel debugging is not enabled? Do I have to recompile the kernel?

ecorrales

1 Answer

Here is how to get the bpftrace one-liner tutorial to work:

1) Mount Debugfs

WSL doesn't have debugfs by default, you need to mount it:

 sudo mount -t debugfs debugfs /sys/kernel/debug

Source: https://github.com/iovisor/bcc/issues/1878#issuecomment-403284169

You probably won't be able to do this mount at all with a vanilla WSL2 kernel because I don't think the kernel configuration CONFIG_DEBUG_FS=y is set.

2) Recompile WSL2 Kernel

Unfortunately WSL2 doesn't play nicely with eBPF tooling. There's this good tutorial from hhoover for recompiling the kernel for Cilium: https://harthoover.com/compiling-your-own-wsl2-kernel/

Cilium is an eBPF tool, so bpftrace will probably work right out of the box with hhoover's WSL2 kernel. (P.S. his article is clearly a copy-paste of his comment on this issue page.)

Also, some tips before you learn the pain that is recompiling kernels:

  • Don't use the --rm flag from hhoover's tutorial. This flag will delete your docker image once the program terminates. You might want to change your kernel later, and compiling takes a good half hour. You can save yourself some time by keeping the docker image around.
  • hhoover's apt install is missing some stuff, toss in python3, dwarves, and cpio
  • I've had some issues where docker containers on WSL2 can't connect to internet, if that happens to you try changing your nameserver in /etc/resolv.conf in WSL2. I think if you use docker desktop you should be fine though.

This is the kernel file you will be changing: https://github.com/microsoft/WSL2-Linux-Kernel/blob/linux-msft-wsl-5.15.y/Microsoft/config-wsl

btw, if you do CONFIG_MY_CONF=y that means the kernel module MY_CONF will be linked once you build your kernel (statically linked?); it is "built-in". But you might also come across CONFIG_MY_CONF=m. =m is short for "module", which means that the module will be built but it won't be linked automatically; it will instead be "loadable". This is useful if you want to save some space in memory by not having all the kernel modules up all the time, but you will have to do some modprobe commands to load in the module. More info here: https://wiki.archlinux.org/title/Kernel_module

bpftrace lists what kernel flags you need to set if they aren't set already: https://github.com/iovisor/bpftrace/blob/master/INSTALL.md#linux-kernel-requirements

(P.S. I had also discovered that BCC has a little section on compiling kernel modules for WSL: https://github.com/iovisor/bcc/blob/master/INSTALL.md#wslwindows-subsystem-for-linux---binary I would still just use hhoover's tutorial though, since hhoover's is more fleshed out and I know it works.)

3) Verify your install of bpftrace

You'll know you've done it right when lesson one spits out like 300 lines of potential tracepoints.

$ sudo bpftrace -l 'tracepoint:syscalls:sys_enter_*' | wc --lines
336

I have a couple other mods to my WSL2 at this point so I wouldn't fret if you don't get 336 tracepoints exactly. (But if you follow this and you do get 336 exactly, please modify this wiki answer.)

Funny Geeks

Comments:

  • **To Reviewers:** "Still no answer to the question, and you have the same problem? Help us find a solution by researching the problem, then contribute the results of your research and anything additional you've tried as a partial answer. That way, even if we can't figure it out, the next person has more to go on." (from [How do I write a good answer?](https://stackoverflow.com/help/how-to-answer)). – Jeremy Caney Sep 08 '22 at 20:24
  • @JeremyCaney Thanks for pointing that out -- That's a good point. I could have used that a few weeks ago when I was trying to defend someone's "more info" temporary answer from being deleted. – NotTheDr01ds Sep 08 '22 at 20:37
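An added pre-flight check for the three steps in the answer above (it is not the answer's own code nor part of bpftrace): it reports which required kernel options a saved config-wsl, or the running kernel's /proc/config.gz, does not have built in, and whether debugfs from step 1 is actually mounted, so you can see what needs changing before committing to the half-hour rebuild. The option list is an assumed subset of the bpftrace INSTALL.md requirements linked in step 2, and the function names and sample data are mine.

```shell
#!/bin/sh
# Added example, not the answer's or bpftrace's own code: checks a kernel
# config for the options bpftrace needs and whether debugfs is mounted.
# Both functions take the text as an argument, e.g.
#   missing_opts "$(zcat /proc/config.gz)"  or  missing_opts "$(cat config-wsl)"
#   debugfs_mounted "$(cat /proc/mounts)"

# Subset of the options bpftrace's INSTALL.md requires (assumed subset;
# the complete list is at the link in the answer).
REQUIRED_OPTS="CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_JIT CONFIG_BPF_EVENTS
CONFIG_KPROBES CONFIG_KPROBE_EVENTS CONFIG_UPROBE_EVENTS
CONFIG_FTRACE_SYSCALLS CONFIG_DEBUG_FS"

# missing_opts CONFIG_TEXT: prints each required option that is not built
# in (=y); =m, "# ... is not set" and absent all count as missing.
# Returns 1 if anything is missing, 0 otherwise.
missing_opts() {
    _cfg="$1"; _rc=0
    for _opt in $REQUIRED_OPTS; do
        printf '%s\n' "$_cfg" | grep -q "^${_opt}=y\$" \
            || { printf '%s\n' "$_opt"; _rc=1; }
    done
    return "$_rc"
}

# debugfs_mounted MOUNTS_TEXT: returns 0 if a /proc/mounts-style listing
# shows debugfs at /sys/kernel/debug (what the step 1 mount provides).
debugfs_mounted() {
    printf '%s\n' "$1" | grep -q '^[^ ]* /sys/kernel/debug debugfs '
}

# Constructed sample (not real WSL2 output): debugfs unset, kprobe events
# built as a module, and a mounts listing without debugfs.
SAMPLE_CFG='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_BPF_EVENTS=y
CONFIG_KPROBES=y
CONFIG_KPROBE_EVENTS=m
CONFIG_UPROBE_EVENTS=y
CONFIG_FTRACE_SYSCALLS=y
# CONFIG_DEBUG_FS is not set'
SAMPLE_MOUNTS='proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0'

echo "Set these to =y in config-wsl before rebuilding:"
missing_opts "$SAMPLE_CFG" || true
debugfs_mounted "$SAMPLE_MOUNTS" \
    || echo "debugfs not mounted; run the step 1 mount command"
```

A kernel option that ends up as =m here is reported as missing on purpose: bpftrace's list asks for =y, and a loadable module needs a modprobe before the tracepoints appear.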