
Tools and Mechanisms to Debug BPF Programs - Quentin Monnet (@qeole)



  1. FOSDEM’20 • Brussels, 2020-02-02 Tools and Mechanisms to Debug BPF Programs Quentin Monnet @qeole

  2. eBPF Programming

     extended Berkeley Packet Filter:

     • User-written programs, usually compiled from C (or Go, Rust, Lua…) with clang/LLVM, to assembly-like bytecode
     • Programs are injected into the kernel with the bpf() system call
     • Verifier: programs terminate, are safe
     • In-kernel interpreter, JIT (Just-in-Time) compiler
     • Once loaded, programs can be attached to a hook in the kernel
     • 64-bit instructions, 11 registers, 512 B stack, not Turing-complete
     • Additional features: “maps”, kernel helper functions, BTF, …

  3. eBPF Workflow

     [Workflow diagram: C program, LLVM, eBPF bytecode and management in userspace; bpf() syscall; verifier, (JIT compiler) and attach point in the kernel]

  4. eBPF Use Cases

     Main use cases:

     • Networking (tc, XDP: driver-level hook)
     • Tracing, monitoring (think DTrace)
     • Socket filtering (cgroups)
     • Security (LSM, work in progress)
     • And more!

  5. Outline

     • (Reminder on eBPF… DONE)
     • The tools to inspect eBPF objects, at each step of the workflow
     • Getting familiar with bpftool
     • Next steps for BPF introspection and debugging

  6. Inspecting BPF Objects

  7. eBPF Workflow

     [Workflow diagram: C program, LLVM, eBPF bytecode and management in userspace; bpf() syscall; verifier, (JIT compiler) and attach point in the kernel]

  8. Compile Time

     From C to eBPF

     Objective:

     • Make sure the eBPF bytecode is generated as intended when compiling

  9. Compile Time: Compile and Dump

     • Compile with clang/LLVM (or gcc, but fewer BPF features supported):

         $ clang -O2 -emit-llvm -c sample.c -o - | \
             llc -march=bpf -mcpu=probe -filetype=obj -o sample.o

     • Dump instructions from object file with llvm-objdump (v4.0+)
       (prior to kernel injection, relocation, rewrites)

         $ llvm-objdump -d -r -print-imm-hex sample.o
         sample.o:       file format ELF64-BPF

         Disassembly of section .text:
         func:
                0:       b7 00 00 00 00 00 00 00         r0 = 0
                1:       95 00 00 00 00 00 00 00         exit

     • If -g is passed to clang, llvm-objdump -S can dump the original C code

  10. Compile Time, in Two Steps: eBPF Assembly

      • Compile from C to eBPF assembly file

          $ clang -target bpf -S -o sample.S sample.c
          $ cat sample.S
                  .text
                  .globl  func            # -- Begin function func
                  .p2align        3
          func:                           # @func
          # %bb.0:
                  r0 = 0
                  exit
                                          # -- End function

      • … Hack…
      • Then compile from assembly to eBPF bytecode (LLVM v6.0+)

          $ clang -target bpf -c -o sample.o sample.S

  11. eBPF Workflow

      [Workflow diagram: C program, LLVM, eBPF bytecode and management in userspace; bpf() syscall; verifier, (JIT compiler) and attach point in the kernel]

  12. Load Time

      Objective:

      • Load program and pass the verifier, or understand why it is rejected

      Resources:

      • libbpf / bpftool / ip / tc / bcc: load or list programs, manage objects
      • Output from verifier logs, libbpf, kernel logs, extack messages
      • Documentation (filter.txt, Cilium guide)

  13. The Kernel eBPF Verifier: Checking Programs for Safety

      The verifier performs checks on control flow graph and individual insns:

      • Erroneous syntax (unknown or incorrect usage for the instruction)
      • Too many instructions or maps or branches
      • Back edges (i.e. loops, not bounded) in the control flow graph
      • Unreachable instructions
      • Jump out of range
      • Out of bounds memory access
      • Access to forbidden context fields (read or write)
      • Reading access to non-initialized memory (stack or registers)
      • Use of forbidden helpers for the current type of program
      • Use of GPL helpers in non-GPL program (mostly tracing)
      • R0 not initialized before exiting the program
      • Memory access with incorrect alignment
      • Missing check on result from map_lookup_elem() before accessing map element
      • …

  14. The Kernel eBPF Verifier: Example message

      Possible out-of-bound access to packet data (no check on packet length):

          # ip link set dev eth0 xdp object sample.o

          Prog section 'action' rejected: Permission denied (13)!
           - Type:         6
           - Instructions: 41 (0 over limit)
           - License:      GPL

          Verifier analysis:

          0: (bf) r2 = r1
          1: (7b) *(u64 *)(r10 -16) = r1
          2: (79) r1 = *(u64 *)(r10 -16)
          3: (61) r1 = *(u32 *)(r1 +76)
          invalid bpf_context access off=76 size=4

          Error fetching program/map!

      Problem: error messages good for developers, but cryptic for newcomers
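
The verifier log on slide 14 prints each instruction as its opcode byte in parentheses followed by pseudo-C, while llvm-objdump on slide 9 shows the raw 8-byte encoding. The decoder below is an added example (not from the talk and not code from any BPF tool) that maps raw bytes to the verifier's notation for the opcode forms seen on those two slides. It assumes a little-endian (bpfel) object; the bytes for the slide 14 instructions are constructed here from the eBPF instruction encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one 8-byte instruction from a little-endian (bpfel) object into
 * verifier-style text. Handles only the opcode forms shown on slides 9
 * and 14 (MOV, LDX/STX MEM, EXIT); anything else prints as "(unhandled)". */
const char *decode(const uint8_t raw[8], char *out, size_t len)
{
    static const char *width[] = { "u32", "u16", "u8", "u64" }; /* W H B DW */
    uint8_t code = raw[0];
    int cls = code & 0x07;                       /* instruction class */
    const char *sz = width[(code >> 3) & 3];     /* load/store size bits */
    int dst = raw[1] & 0x0f, src = raw[1] >> 4;  /* register nibbles */
    int off = (int16_t)(raw[2] | raw[3] << 8);   /* signed 16-bit offset */
    int imm = (int32_t)(raw[4] | raw[5] << 8 | raw[6] << 16 |
                        (uint32_t)raw[7] << 24); /* signed 32-bit immediate */

    if (code == 0x95)                                     /* JMP | EXIT */
        snprintf(out, len, "(95) exit");
    else if (cls == 0x07 && (code & 0xf8) == 0xb8)        /* ALU64 MOV reg */
        snprintf(out, len, "(%02x) r%d = r%d", code, dst, src);
    else if (cls == 0x07 && (code & 0xf8) == 0xb0)        /* ALU64 MOV imm */
        snprintf(out, len, "(%02x) r%d = %d", code, dst, imm);
    else if (cls == 0x01 && (code & 0xe0) == 0x60)        /* LDX | MEM */
        snprintf(out, len, "(%02x) r%d = *(%s *)(r%d %+d)",
                 code, dst, sz, src, off);
    else if (cls == 0x03 && (code & 0xe0) == 0x60)        /* STX | MEM */
        snprintf(out, len, "(%02x) *(%s *)(r%d %+d) = r%d",
                 code, sz, dst, off, src);
    else
        snprintf(out, len, "(%02x) (unhandled)", code);
    return out;
}

int main(void)
{
    /* Rows 1-2: bytes from the llvm-objdump output on slide 9.
     * Rows 3-4: constructed here to match insns 1 and 3 on slide 14. */
    const uint8_t prog[][8] = {
        { 0xb7, 0, 0, 0, 0, 0, 0, 0 }, { 0x95, 0, 0, 0, 0, 0, 0, 0 },
        { 0x7b, 0x1a, 0xf0, 0xff, 0, 0, 0, 0 }, { 0x61, 0x11, 0x4c, 0, 0, 0, 0, 0 },
    };
    char buf[64];
    for (size_t i = 0; i < sizeof(prog) / sizeof(prog[0]); i++)
        puts(decode(prog[i], buf, sizeof(buf)));
    return 0;
}
```

Reading the opcode byte this way shows that the rejected instruction 3 is a 32-bit load through r1 at offset 76, which is the access the verifier reports as `off=76 size=4`.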

  15. Make Sure to Get Verifier Information

      Still, we do want the messages!

      • Use debug flags when available
          • Debug buffer for verifier logs (pass to bpf())
          • Debug flag for libbpf
          • Activate both in bpftool with --debug
      • Interpret information:
          • Search the docs, Documentation/networking/filter.txt, Cilium guide
          • Read kernel code
          • To do: some kind of documentation/FAQ detailing the errors?

  16. Program is Loaded: Introspection

      We have passed the verifier! The program is loaded in the kernel

      • For map and program introspection: bpftool
          • List maps and programs
          • Load a program, pin it
          • Dump program instructions (eBPF or JIT-ed)
          • Dump and edit map contents
          • etc.

      We will come back to bpftool later

  17. BTF: BPF Type Format

      BTF objects embed debug information on programs and maps
      They are also used internally by the kernel for some advanced BPF features

      • Embed BTF information when compiling programs: Compile with LLVM v8+, use -g flag
      • For maps, some wrapping needed in the C source code

          struct my_value { int x, y, z; };

          struct {
                  int type;
                  int max_entries;
                  int *key;
                  struct my_value *value;
          } btf_map SEC(".maps") = {
                  .type = BPF_MAP_TYPE_ARRAY,
                  .max_entries = 16,
          };

      (See kernel commit abd29c931459)

  18. BTF: BPF Type Format

      Example: Program dump from kernel, with C source code

  19. eBPF Workflow

      [Workflow diagram: C program, LLVM, eBPF bytecode and management in userspace; bpf() syscall; verifier, (JIT compiler) and attach point in the kernel]

  20. Runtime

      Objective:

      • Understand why a program does not run as intended

      Several solutions

  21. Debugging at Runtime with bpf_trace_printk()

      • eBPF helper bpf_trace_printk()

      Prints to /sys/kernel/debug/tracing/trace

      Example snippet:

          const char fmt[] = "First four bytes of packet: %x\n";
          bpf_trace_printk(fmt, sizeof(fmt), *(uint32_t *)data);

  22. Debugging at Runtime with Perf Events

      • “Perf event arrays”, more efficient than bpf_trace_printk()
      • Contrary to bpf_trace_printk(), can be used with hardware offload

      Example: dump data from packet

          struct bpf_map_def SEC("maps") pa = {
                  .type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
                  .key_size = sizeof(int),
                  .value_size = sizeof(int),
                  .max_entries = 64,
          };

          int xdp_prog1(struct xdp_md *xdp)
          {
                  int key = 0;

                  bpf_perf_event_output(xdp, &pa, 0x20ffffffffULL, &key, 0);
                  return XDP_PASS;
          }

  23. Debug BPF with BPF

      BPF can be used for tracing, and comes to the rescue

      • Possible to attach tracing BPF programs at entry and exit of a networking BPF program (Linux 5.5)
          • E.g. get packet data in input and/or output of the program
          • See tools/testing/selftests/bpf/progs/test_xdp_bpf2bpf.c and related
          • Not sure if compatible with tracing programs?
      • Use bcc or bpftrace to examine what happens in the kernel (can also be used at verification time to follow verification steps)

  24. Testing Programs: BPF_PROG_TEST_RUN

      BPF_PROG_TEST_RUN subcommand for the bpf() system call

      • Manually run a program with given input data and context
      • Output data and context are retrieved

      Limitations:

      • Not available for all programs (mostly networking for now)
      • Tracing: How to check kernel data structures are changed?
      • Some BPF helpers hard to support (bpf_redirect() etc.)
      • Non-root accessibility would be nice?
      • (Proposal on the topic for next Netdev conference in March 2020)

  25. Statistics for Programs

      Statistics for BPF programs: completion time and number of runs

      • Activate (slight overhead) with:

          # sysctl -w kernel.bpf_stats_enabled=1

      • Displayed by e.g. bpftool:
