Red Hat SummitChapter 22. Analyzing system performance with BPF Compiler Collection
The BPF Compiler Collection (BCC) analyzes system performance by using Berkeley Packet Filter (BPF) functions to run custom kernel programs. BCC accesses system events for performance monitoring, tracing, and debugging of BPF programs, providing tools and libraries for extracting system insights.
22.1. Installing the bcc-tools package
You can install the bcc-tools package to get the BPF Compiler Collection (BCC) library and related tools.
Procedure
Install bcc-tools.
# dnf install bcc-toolsThe BCC tools are installed in the
/usr/share/bcc/tools/directory.
Verification
Inspect the installed tools.
# ls -l /usr/share/bcc/tools/A list of tools installed appears. The
docdirectory in the listing provides documentation for each tool.
22.2. Examining the system processes with execsnoop
The execsnoop tool from the BCC suite captures and displays new process execution events in real time. It is useful for observing which commands or binaries are being executed on a system, helping with debugging, auditing, and security monitoring.
Procedure
Run the
execsnoopprogram in one command line:# /usr/share/bcc/tools/execsnoopTo create a short-lived process of the
lscommand, in another command line, enter:$ ls /usr/share/bcc/tools/doc/The command line running
execsnoopshows the following output:PCOMM PID PPID RET ARGS ls 8382 8287 0 /usr/bin/ls --color=auto /usr/share/bcc/tools/doc/The
execsnoopprogram prints a line of output for each new process that consumes system resources. It even detects processes of programs that run very shortly, such asls, and most monitoring tools would not register them. Theexecsnoopoutput displays the following fields:- PCOMM
-
The parent process name. (
ls) - PID
- The process ID. (8382)
- PPID
- The parent process ID. (8287)
- RET
- The return value of the exec() system call (0), which loads program code into new processes.
- ARGS
The location of the started program with arguments.
For more information, see the
/usr/share/bcc/tools/doc/execsnoop_example.txtfile and theexec(3)man page on your system.
22.3. Tracking files opened by a command with opensnoop
Use the opensnoop tool from BPF Compiler Collection (BCC) to monitor and log file access by a specific command in real time. This is useful for debugging, auditing, or understanding the runtime behavior of an application.
Procedure
In one command line, run the
opensnoopprogram to print the output for files opened only by the process of theunamecommand:# /usr/share/bcc/tools/opensnoop -n unameIn another command line, enter the command to open certain files:
$ unameThe command line running opensnoop shows the output similar to the following: PID COMM FD ERR PATH 8596 uname 3 0 /etc/ld.so.cache 8596 uname 3 0 /lib64/libc.so.6 8596 uname 3 0 /usr/lib/locale/locale-archive ...The
opensnoopprogram watches theopen()system call across the whole system, and prints a line of output for each file thatunametries to open along the way. Theopensnoopoutput displays the following fields:- PID
- The process ID. (8596)
- COMM
-
The process name. (
uname) - FD
- The file descriptor - a value that open() returns to refer to the open file. (3)
- ERR
- Any errors.
- PATH
The location of files that
open()tries to open.If a command tries to read a non-existent file, the FD column returns
-1. Also, the ERR column prints a value corresponding to the relevant error. Useopensnoopto identify an application that does not behave properly. For more information, see the/usr/share/bcc/tools/doc/opensnoop_example.txtfile andopen(2)man page on your system.
22.4. Monitoring the top processes performing I/O operations on the disk with biotop
The biotop tool provides a real-time view of processes generating the most disk I/O activity. It identifies high-disk-usage applications, serving as a tool for performance monitoring and troubleshooting.
Procedure
Run the
biotopprogram in one command line with 30 as an argument to produce 30 second summary:# /usr/share/bcc/tools/biotop 30When you do not provide any argument, the output screen refreshes every 1 second by default.
In another command line, enter command to read the content from the local hard disk device and write the output to the
/dev/zerofile:# dd if=/dev/vda of=/dev/zeroThis step generates certain I/O traffic to illustrate
biotop. The command line runningbiotopshows an output similar to the following:PID COMM D MAJ MIN DISK I/O Kbytes AVGms 9568 dd R 252 0 vda 16294 14440636.0 3.69 48 kswapd0 W 252 0 vda 1763 120696.0 1.65 7571 gnome-shell R 252 0 vda 834 83612.0 0.33 1891 gnome-shell R 252 0 vda 1379 19792.0 0.15 7515 Xorg R 252 0 vda 280 9940.0 0.28 7579 llvmpipe-1 R 252 0 vda 228 6928.0 0.19 9515 gnome-control-c R 252 0 vda 62 6444.0 0.43 8112 gnome-terminal- R 252 0 vda 67 2572.0 1.54 7807 gnome-software R 252 0 vda 31 2336.0 0.73 9578 awk R 252 0 vda 17 2228.0 0.66 7578 llvmpipe-0 R 252 0 vda 156 2204.0 0.07 9581 pgrep R 252 0 vda 58 1748.0 0.42 7531 InputThread R 252 0 vda 30 1200.0 0.48 7504 gdbus R 252 0 vda 3 1164.0 0.30 1983 llvmpipe-1 R 252 0 vda 39 724.0 0.08 1982 llvmpipe-0 R 252 0 vda 36 652.0 0.06 ...The
biotopoutput displays the following fields:- PID
- The process ID. (9568)
- COMM
-
The process name. (
dd) - DISK
- The disk performs the read operations. (vda)
- I/O
- The number of read operations performed. (16294)
- Kbytes
- The amount of Kbytes reached by the read operations. (14,440,636)
- AVGms
The average I/O time of read operations. (3.69)
For more information, see the
/usr/share/bcc/tools/doc/biotop_example.txtfile and thedd(1)man page on your system.
22.5. Exposing unexpectedly slow file system operations with xfsslower
The xfsslower measures the time spent by the XFS file system in performing read, write, open or sync (fsync) operations. The argument 1 ensures that the program shows only the operations that are slower than 1 ms.
Procedure
Run the
xfsslowerprogram in one command line:# /usr/share/bcc/tools/xfsslower 1When you do not provide any arguments,
xfsslowerdisplays operations slower than 10 ms by default.Use
vimin another command line to create a text file to start interaction with the XFS file system:$ vim textThe command line running xfsslower shows something similar upon saving the file from the previous step: TIME COMM PID T BYTES OFF_KB LAT(ms) FILENAME 13:07:14 b'bash' 4754 R 256 0 7.11 b'vim' 13:07:14 b'vim' 4754 R 832 0 4.03 b'libgpm.so.2.1.0' 13:07:14 b'vim' 4754 R 32 20 1.04 b'libgpm.so.2.1.0' 13:07:14 b'vim' 4754 R 1982 0 2.30 b'vimrc' 13:07:14 b'vim' 4754 R 1393 0 2.52 b'getscriptPlugin.vim' 13:07:45 b'vim' 4754 S 0 0 6.71 b'text' 13:07:45 b'pool' 2588 R 16 0 5.58 b'text’ ...Each line represents an operation in the file system, which took more time than a certain threshold.
xfsslowerdetects possible file system problems, which can take the form of unexpectedly slow operations. Thexfssloweroutput displays the following fields:- COMM
-
The process name. (
b’bash') - T
The operation type. (
R)- Read
- Write
- Open
- Sync
- OFF_KB
- The file offset in KB. (0)
- FILENAME
The file that is read, written, or synced.
For more information, see the
/usr/share/bcc/tools/doc/xfsslower_example.txtfile and thefsync(2)man page on your system.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}