SlideShare a Scribd company logo

Using eBPF Off-CPU Sampling to See What Your DBs are Really Waiting For by Tanel Poder

ScyllaDB, profile picture
ScyllaDB

The document discusses the use of eBPF for off-CPU sampling in diagnosing database performance issues by monitoring thread activity. It outlines methods, tools, and the architecture for capturing and analyzing system-level performance data, emphasizing the ability to track thread states and latencies without extensive tracing. Future plans for development include integrating with monitoring tools and enhancing capabilities for performance diagnostics.

Technology
1 of 21
Download to read offline
1
2
3
4
5
6
Most read
7
8
9
Most read
10
11
12
13
Most read
14
15
16
17
18
19
20
21
A ScyllaDB Community Using eBPF Off-CPU Sampling to See What Your DBs are Really Waiting For Tanel Põder Computer Performance Nerd
Tanel Põder A long-time computer performance nerd ■ I've been promoting DB session- or OS thread-level performance diagnosis approach for decades now ■ P99CONF is the best performance conference these days! :-) ■ I'm originally from (a small country) Estonia - and my company logo uses our flag's colors! ■ I still end up researching & testing out modern tech even in my free time (CXL.mem is my latest interest)
Method > Data Sources > Tools Every system is a bunch of threads. Measure where they spend most of their time and do it less! /proc/PID/task/TID perf, ftrace, ... "top" for wallclock time ... and much more! eBPF
0x.tools ● /proc sampling ● works without eBPF ● even very old linuxes ● eBPF! ● see anything you want! ● PoC prototype with bcc ● work-in-progress Extended Linux Thread State Sampling method
/proc sampling example (psn) the fact of sampling: a thread seen in "active state" sample attributes: (many) dimensions in a "fact table"
For systematic performance & troubleshooting work, I want to: ● See the full system activity (“active threads”) ● Not only system-wide utilization averages ● Not only on-CPU thread stacks, but all thread states (and offcpu stacks) ● With ability to drill down into each thread’s activity ● See what each thread of interest is doing, for whom and why (context) ● I/O & function call latencies tied to each thread & its context at the time ● All this without tracing & postprocessing every event for every thread! Detailed full system activity without tracing every event?
eBPF example (xtop with bcc) Each dimension attribute is linked to the same point in time! (*except oncpu)
"stacktiles" show the value of a stack_id
Extended Task State Array (very basic) example
How does it work?! Two decoupled layers ● eBPF populating & maintaining the array ● Keep only the latest state change for each thread ● “Tracking, not tracing!” ● Sampling program independent from population ● Python/BCC, C, Rust/libbpf, eBPF iterators, etc... ● Multiple concurrent samplers allowed ● Different sampling frequencies allowed
Time tid 10 tid 11 tid 42 10 11 42 N ... 10 10 10 TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } Populating the extended task state array
Time tid 10 tid 11 tid 42 10 11 42 N ... 10 11 11 11 11 11 BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } Populating the extended task state array
Time tid 10 tid 11 tid 42 10 11 42 N ... 10 42 42 42 42 42 42 42 42 42 42 42 We are not tracing: no logging or appending all events ... We track: overwrite the task's current action in the extended task state array ... BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } Populating the extended task state array
Time tid 10 tid 11 tid 42 10 11 42 N ... A separate, independent program samples the state arrays using its desired frequency and filter rules to userspace tsa = BPF.get_table(“tsa”) for x in tsa.items(): ... 10 11 42 N 10 11 42 N 10 11 42 N 10 11 42 N BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } Sampling the extended task state array
Time tid 10 tid 11 tid 42 10 11 42 N ... 10 11 42 N 10 11 42 N 10 11 42 N 10 11 42 N The sampler(s) can be eBPF client programs (bcc, libbpf) using bpf() syscall or a bpf task iterator with perf_event queue BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } tsa = BPF.get_table(“tsa”) for x in tsa.items(): ... Sampling the extended task state array
Always-on output logging (for time travel and advanced analytics) $ ./xcapture-bpf -h usage: xcapture-bpf [-h] [-x] [-d report_seconds] [-f SAMPLE_HZ] [-g csv-columns] [-G append-csv-columns] [-n] [-N] [-c] [-V] [-o OUTPUT_DIR] [-l] Always-on profiling of Linux thread activity using eBPF. options: -h, --help show this help message and exit -x, --xtop Run in aggregated top-thread-activity (xtop) mode -d report_seconds xtop report printing interval (default: 5s) -f SAMPLE_HZ, --sample-hz SAMPLE_HZ xtop sampling frequency in Hz (default: 20) -g csv-columns, --group-by csv-columns Full column list what to group by -G append-csv-columns, --append-group-by append-csv-columns List of additional columns to default cols what to group by -n, --nerd-mode Print out relevant stack traces as wide output lines -N, --giant-nerd-mode Print out relevant stack traces as stacktiles -c, --clear-screen Clear screen before printing next output -V, --version Show the program version and exit -o OUTPUT_DIR, --output-dir OUTPUT_DIR Directory path where to write the output CSV files -l, --list list all available columns for display and grouping
Always-on output logging (for time travel and advanced analytics) $ ls -l total 236 -rw-r--r-- 1 root root 19080 Jul 12 17:30 stacks_2024-07-12.16.csv -rw-r--r-- 1 root root 41061 Jul 12 17:00 threads_2024-07-12.16.csv -rw-r--r-- 1 root root 162132 Jul 12 17:33 threads_2024-07-12.17.csv $ grep -E "TIMESTAMP|mysql" threads_2024-07-12.17.csv | head TIMESTAMP,ST,TID,PID,USERNAME,COMM,SYSCALL,CMDLINE,OFFCPU_U,OFFCPU_K,ONCPU_U,ONCPU_K,WAKER_TID,SCH 2024-07-12 17:14:16.798,R,1894,1836,mysql,ib_log_fl_notif,-,,-,-,14409,12280,0,___- 2024-07-12 17:22:44.575,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,0,____ 2024-07-12 17:22:45.619,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,30,____ 2024-07-12 17:22:46.694,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,0,____ 2024-07-12 17:22:47.734,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,0,____ 2024-07-12 17:22:48.778,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,353,_-__ 2024-07-12 17:22:49.821,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,353,____ 2024-07-12 17:22:50.864,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,353,____ 2024-07-12 17:22:51.913,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,57771,____ $ grep 9692 stacks_2024-07-12.16.csv ustack 9692 ->71051cceabb4->std::thread::_State_impl->log_flusher->log_flush_low->Log_file_handle::fsync-> os_file_flush_func->os_file_fsync_posix
Path to "IPC wait chains"? $ sudo ./xcapture-bpf Client – Server interaction RDBMS commit "log file sync"
Things not yet implemented, but possible (it's eBPF, after all!) Many components are already successfully implemented in other (eBPF) tools ● IPC wait chains (more research needed) ● RPC / trace_id / distributed tracing context propagation ● Sample & estimate I/O latencies for each captured thread that's off CPU ● Use these samples for analyzing various latencies across any "dimension" ● Read common SQL DB context (SQL text/hash, exec phase DB wait events) ● Read interpreted language/VM state (via perf.map or direct)
● Still just a method, datasource and a couple of tools, not a product or platform ● Production-grade, always on, focus on compiled binaries & perf.map capable runtimes ● Use BTF, CO-RE and libbpf instead of bcc ● Use BPF task iterators for sampling kernel-maintained task fields (no field duplication) ● Use BPF_MAP_TASK_STORAGE for all the additional (extended context) structures ● Use get_stack (not get_stackid) – flexible, no need for large stack-maps in kernel mem ● Use BlazeSym as the build-id aware symbolizer (OSS by Meta, written in Rust) ● Feed output to common metrics/monitoring/visualization tools (which metric type?!) ● Contribute/integrate with OpenTelemetry agent (if/when the time is right)? 0x.tools future plans and hopes: xcapture-bpf v3.0 Modern libbpf dev help is appreciated!
● 0x.tools ● tanelpoder.com ● tanel@tanelpoder.com ● @tanelpoder Thank You!

More Related Content

PPTX
Always-on Profiling of All Linux Threads, On-CPU and Off-CPU, with eBPF & Con...
ScyllaDB
 
PDF
Linux BPF Superpowers
Brendan Gregg
 
PDF
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
Brendan Gregg
 
PDF
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
Brendan Gregg
 
PDF
eBPF Perf Tools 2019
Brendan Gregg
 
PDF
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
PDF
Velocity 2017 Performance analysis superpowers with Linux eBPF
Brendan Gregg
 
PDF
Systems@Scale 2021 BPF Performance Getting Started
Brendan Gregg
 
Always-on Profiling of All Linux Threads, On-CPU and Off-CPU, with eBPF & Con...
ScyllaDB
 
Linux BPF Superpowers
Brendan Gregg
 
USENIX ATC 2017 Performance Superpowers with Enhanced BPF
Brendan Gregg
 
OSSNA 2017 Performance Analysis Superpowers with Linux BPF
Brendan Gregg
 
eBPF Perf Tools 2019
Brendan Gregg
 
Performance Wins with eBPF: Getting Started (2021)
Brendan Gregg
 
Velocity 2017 Performance analysis superpowers with Linux eBPF
Brendan Gregg
 
Systems@Scale 2021 BPF Performance Getting Started
Brendan Gregg
 

Similar to Using eBPF Off-CPU Sampling to See What Your DBs are Really Waiting For by Tanel Poder (20)

PDF
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
PDF
Andrea Righi - Spying on the Linux kernel for fun and profit
linuxlab_conf
 
PDF
Spying on the Linux kernel for fun and profit
Andrea Righi
 
PDF
LSFMM 2019 BPF Observability
Brendan Gregg
 
PDF
UM2019 Extended BPF: A New Type of Software
Brendan Gregg
 
PDF
Security Monitoring with eBPF
Alex Maestretti
 
PDF
Linux 4.x Tracing Tools: Using BPF Superpowers
Brendan Gregg
 
PDF
Kernel Recipes 2017: Performance Analysis with BPF
Brendan Gregg
 
PDF
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Anne Nicolas
 
PDF
bcc/BPF tools - Strategy, current tools, future challenges
IO Visor Project
 
PDF
BPF Tools 2017
Brendan Gregg
 
PDF
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
PDF
NetConf 2018 BPF Observability
Brendan Gregg
 
PPTX
Understanding eBPF in a Hurry!
Ray Jenkins
 
PDF
Performance Wins with BPF: Getting Started
Brendan Gregg
 
PDF
BPF: Tracing and more
Brendan Gregg
 
PDF
Introduction of eBPF - 時下最夯的Linux Technology
Jace Liang
 
PDF
ATO Linux Performance 2018
Brendan Gregg
 
PDF
re:Invent 2019 BPF Performance Analysis at Netflix
Brendan Gregg
 
PDF
Kernel bug hunting
Andrea Righi
 
Efficient System Monitoring in Cloud Native Environments
Gergely Szabó
 
Andrea Righi - Spying on the Linux kernel for fun and profit
linuxlab_conf
 
Spying on the Linux kernel for fun and profit
Andrea Righi
 
LSFMM 2019 BPF Observability
Brendan Gregg
 
UM2019 Extended BPF: A New Type of Software
Brendan Gregg
 
Security Monitoring with eBPF
Alex Maestretti
 
Linux 4.x Tracing Tools: Using BPF Superpowers
Brendan Gregg
 
Kernel Recipes 2017: Performance Analysis with BPF
Brendan Gregg
 
Kernel Recipes 2017 - Performance analysis Superpowers with Linux BPF - Brend...
Anne Nicolas
 
bcc/BPF tools - Strategy, current tools, future challenges
IO Visor Project
 
BPF Tools 2017
Brendan Gregg
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Valeriy Kravchuk
 
NetConf 2018 BPF Observability
Brendan Gregg
 
Understanding eBPF in a Hurry!
Ray Jenkins
 
Performance Wins with BPF: Getting Started
Brendan Gregg
 
BPF: Tracing and more
Brendan Gregg
 
Introduction of eBPF - 時下最夯的Linux Technology
Jace Liang
 
ATO Linux Performance 2018
Brendan Gregg
 
re:Invent 2019 BPF Performance Analysis at Netflix
Brendan Gregg
 
Kernel bug hunting
Andrea Righi
 
Ad

More from ScyllaDB (20)

PDF
Understanding The True Cost of DynamoDB Webinar
ScyllaDB
 
PDF
Database Benchmarking for Performance Masterclass: Session 2 - Data Modeling ...
ScyllaDB
 
PDF
Database Benchmarking for Performance Masterclass: Session 1 - Benchmarking F...
ScyllaDB
 
PDF
New Ways to Reduce Database Costs with ScyllaDB
ScyllaDB
 
PDF
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
PDF
Powering a Billion Dreams: Scaling Meesho’s E-commerce Revolution with Scylla...
ScyllaDB
 
PDF
Leading a High-Stakes Database Migration
ScyllaDB
 
PDF
Achieving Extreme Scale with ScyllaDB: Tips & Tradeoffs
ScyllaDB
 
PDF
Securely Serving Millions of Boot Artifacts a Day by João Pedro Lima & Matt ...
ScyllaDB
 
PDF
How Agoda Scaled 50x Throughput with ScyllaDB by Worakarn Isaratham
ScyllaDB
 
PDF
How Yieldmo Cut Database Costs and Cloud Dependencies Fast by Todd Coleman
ScyllaDB
 
PDF
ScyllaDB: 10 Years and Beyond by Dor Laor
ScyllaDB
 
PDF
Reduce Your Cloud Spend with ScyllaDB by Tzach Livyatan
ScyllaDB
 
PDF
Migrating 50TB Data From a Home-Grown Database to ScyllaDB, Fast by Terence Liu
ScyllaDB
 
PDF
Vector Search with ScyllaDB by Szymon Wasik
ScyllaDB
 
PDF
Workload Prioritization: How to Balance Multiple Workloads in a Cluster by Fe...
ScyllaDB
 
PDF
Two Leading Approaches to Data Virtualization, and Which Scales Better? by Da...
ScyllaDB
 
PDF
Scaling a Beast: Lessons from 400x Growth in a High-Stakes Financial System b...
ScyllaDB
 
PDF
Object Storage in ScyllaDB by Ran Regev, ScyllaDB
ScyllaDB
 
PDF
Lessons Learned from Building a Serverless Notifications System by Srushith R...
ScyllaDB
 
Understanding The True Cost of DynamoDB Webinar
ScyllaDB
 
Database Benchmarking for Performance Masterclass: Session 2 - Data Modeling ...
ScyllaDB
 
Database Benchmarking for Performance Masterclass: Session 1 - Benchmarking F...
ScyllaDB
 
New Ways to Reduce Database Costs with ScyllaDB
ScyllaDB
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
Powering a Billion Dreams: Scaling Meesho’s E-commerce Revolution with Scylla...
ScyllaDB
 
Leading a High-Stakes Database Migration
ScyllaDB
 
Achieving Extreme Scale with ScyllaDB: Tips & Tradeoffs
ScyllaDB
 
Securely Serving Millions of Boot Artifacts a Day by João Pedro Lima & Matt ...
ScyllaDB
 
How Agoda Scaled 50x Throughput with ScyllaDB by Worakarn Isaratham
ScyllaDB
 
How Yieldmo Cut Database Costs and Cloud Dependencies Fast by Todd Coleman
ScyllaDB
 
ScyllaDB: 10 Years and Beyond by Dor Laor
ScyllaDB
 
Reduce Your Cloud Spend with ScyllaDB by Tzach Livyatan
ScyllaDB
 
Migrating 50TB Data From a Home-Grown Database to ScyllaDB, Fast by Terence Liu
ScyllaDB
 
Vector Search with ScyllaDB by Szymon Wasik
ScyllaDB
 
Workload Prioritization: How to Balance Multiple Workloads in a Cluster by Fe...
ScyllaDB
 
Two Leading Approaches to Data Virtualization, and Which Scales Better? by Da...
ScyllaDB
 
Scaling a Beast: Lessons from 400x Growth in a High-Stakes Financial System b...
ScyllaDB
 
Object Storage in ScyllaDB by Ran Regev, ScyllaDB
ScyllaDB
 
Lessons Learned from Building a Serverless Notifications System by Srushith R...
ScyllaDB
 
Ad

Recently uploaded (20)

PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Teaching material agriculture food technology
LiaRayya
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 

Using eBPF Off-CPU Sampling to See What Your DBs are Really Waiting For by Tanel Poder

  • 1. A ScyllaDB Community Using eBPF Off-CPU Sampling to See What Your DBs are Really Waiting For Tanel Põder Computer Performance Nerd
  • 2. Tanel Põder A long-time computer performance nerd ■ I've been promoting DB session- or OS thread-level performance diagnosis approach for decades now ■ P99CONF is the best performance conference these days! :-) ■ I'm originally from (a small country) Estonia - and my company logo uses our flag's colors! ■ I still end up researching & testing out modern tech even in my free time (CXL.mem is my latest interest)
  • 3. Method > Data Sources > Tools Every system is a bunch of threads. Measure where they spend most of their time and do it less! /proc/PID/task/TID perf, ftrace, ... "top" for wallclock time ... and much more! eBPF
  • 4. 0x.tools ● /proc sampling ● works without eBPF ● even very old linuxes ● eBPF! ● see anything you want! ● PoC prototype with bcc ● work-in-progress Extended Linux Thread State Sampling method
  • 5. /proc sampling example (psn) the fact of sampling: a thread seen in "active state" sample attributes: (many) dimensions in a "fact table"
  • 6. For systematic performance & troubleshooting work, I want to: ● See the full system activity (“active threads”) ● Not only system-wide utilization averages ● Not only on-CPU thread stacks, but all thread states (and offcpu stacks) ● With ability to drill down into each thread’s activity ● See what each thread of interest is doing, for whom and why (context) ● I/O & function call latencies tied to each thread & its context at the time ● All this without tracing & postprocessing every event for every thread! Detailed full system activity without tracing every event?
  • 7. eBPF example (xtop with bcc) Each dimension attribute is linked to the same point in time! (*except oncpu)
  • 9. Extended Task State Array (very basic) example
  • 10. How does it work?! Two decoupled layers ● eBPF populating & maintaining the array ● Keep only the latest state change for each thread ● “Tracking, not tracing!” ● Sampling program independent from population ● Python/BCC, C, Rust/libbpf, eBPF iterators, etc... ● Multiple concurrent samplers allowed ● Different sampling frequencies allowed
  • 11. Time tid 10 tid 11 tid 42 10 11 42 N ... 10 10 10 TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } Populating the extended task state array
  • 12. Time tid 10 tid 11 tid 42 10 11 42 N ... 10 11 11 11 11 11 BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } Populating the extended task state array
  • 13. Time tid 10 tid 11 tid 42 10 11 42 N ... 10 42 42 42 42 42 42 42 42 42 42 42 We are not tracing: no logging or appending all events ... We track: overwrite the task's current action in the extended task state array ... BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } Populating the extended task state array
  • 14. Time tid 10 tid 11 tid 42 10 11 42 N ... A separate, independent program samples the state arrays using its desired frequency and filter rules to userspace tsa = BPF.get_table(“tsa”) for x in tsa.items(): ... 10 11 42 N 10 11 42 N 10 11 42 N 10 11 42 N BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } Sampling the extended task state array
  • 15. Time tid 10 tid 11 tid 42 10 11 42 N ... 10 11 42 N 10 11 42 N 10 11 42 N 10 11 42 N The sampler(s) can be eBPF client programs (bcc, libbpf) using bpf() syscall or a bpf task iterator with perf_event queue BPF_HASH(tsa, ...); TRACEPOINT_PROBE( raw_syscalls, sys_enter) { ... t->syscall_id = args->id; tsa.update(&tid, t); ... } TRACEPOINT_PROBE( raw_syscalls, sys_exit) { ... t->syscall_id = -1; tsa.update(&tid, t); ... } tsa = BPF.get_table(“tsa”) for x in tsa.items(): ... Sampling the extended task state array
  • 16. Always-on output logging (for time travel and advanced analytics) $ ./xcapture-bpf -h usage: xcapture-bpf [-h] [-x] [-d report_seconds] [-f SAMPLE_HZ] [-g csv-columns] [-G append-csv-columns] [-n] [-N] [-c] [-V] [-o OUTPUT_DIR] [-l] Always-on profiling of Linux thread activity using eBPF. options: -h, --help show this help message and exit -x, --xtop Run in aggregated top-thread-activity (xtop) mode -d report_seconds xtop report printing interval (default: 5s) -f SAMPLE_HZ, --sample-hz SAMPLE_HZ xtop sampling frequency in Hz (default: 20) -g csv-columns, --group-by csv-columns Full column list what to group by -G append-csv-columns, --append-group-by append-csv-columns List of additional columns to default cols what to group by -n, --nerd-mode Print out relevant stack traces as wide output lines -N, --giant-nerd-mode Print out relevant stack traces as stacktiles -c, --clear-screen Clear screen before printing next output -V, --version Show the program version and exit -o OUTPUT_DIR, --output-dir OUTPUT_DIR Directory path where to write the output CSV files -l, --list list all available columns for display and grouping
  • 17. Always-on output logging (for time travel and advanced analytics) $ ls -l total 236 -rw-r--r-- 1 root root 19080 Jul 12 17:30 stacks_2024-07-12.16.csv -rw-r--r-- 1 root root 41061 Jul 12 17:00 threads_2024-07-12.16.csv -rw-r--r-- 1 root root 162132 Jul 12 17:33 threads_2024-07-12.17.csv $ grep -E "TIMESTAMP|mysql" threads_2024-07-12.17.csv | head TIMESTAMP,ST,TID,PID,USERNAME,COMM,SYSCALL,CMDLINE,OFFCPU_U,OFFCPU_K,ONCPU_U,ONCPU_K,WAKER_TID,SCH 2024-07-12 17:14:16.798,R,1894,1836,mysql,ib_log_fl_notif,-,,-,-,14409,12280,0,___- 2024-07-12 17:22:44.575,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,0,____ 2024-07-12 17:22:45.619,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,30,____ 2024-07-12 17:22:46.694,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,0,____ 2024-07-12 17:22:47.734,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,0,____ 2024-07-12 17:22:48.778,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,353,_-__ 2024-07-12 17:22:49.821,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,353,____ 2024-07-12 17:22:50.864,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,353,____ 2024-07-12 17:22:51.913,D,1895,1836,mysql,ib_log_flush,fsync,/usr/sbin/mysqld,9692,24360,-,-,57771,____ $ grep 9692 stacks_2024-07-12.16.csv ustack 9692 ->71051cceabb4->std::thread::_State_impl->log_flusher->log_flush_low->Log_file_handle::fsync-> os_file_flush_func->os_file_fsync_posix
  • 18. Path to "IPC wait chains"? $ sudo ./xcapture-bpf Client – Server interaction RDBMS commit "log file sync"
  • 19. Things not yet implemented, but possible (it's eBPF, after all!) Many components are already successfully implemented in other (eBPF) tools ● IPC wait chains (more research needed) ● RPC / trace_id / distributed tracing context propagation ● Sample & estimate I/O latencies for each captured thread that's off CPU ● Use these samples for analyzing various latencies across any "dimension" ● Read common SQL DB context (SQL text/hash, exec phase DB wait events) ● Read interpreted language/VM state (via perf.map or direct)
  • 20. ● Still just a method, datasource and a couple of tools, not a product or platform ● Production-grade, always on, focus on compiled binaries & perf.map capable runtimes ● Use BTF, CO-RE and libbpf instead of bcc ● Use BPF task iterators for sampling kernel-maintained task fields (no field duplication) ● Use BPF_MAP_TASK_STORAGE for all the additional (extended context) structures ● Use get_stack (not get_stackid) – flexible, no need for large stack-maps in kernel mem ● Use BlazeSym as the build-id aware symbolizer (OSS by Meta, written in Rust) ● Feed output to common metrics/monitoring/visualization tools (which metric type?!) ● Contribute/integrate with OpenTelemetry agent (if/when the time is right)? 0x.tools future plans and hopes: xcapture-bpf v3.0 Modern libbpf dev help is appreciated!
  • 21. ● 0x.tools ● tanelpoder.com ● tanel@tanelpoder.com ● @tanelpoder Thank You!