Chapter 21. Analyzing system performance with BPF Compiler Collection
The BPF Compiler Collection (BCC) analyzes system performance by using the capabilities of the Berkeley Packet Filter (BPF). With BPF, you can safely run custom programs within the kernel to access system events and data for performance monitoring, tracing, and debugging. BCC simplifies the development and deployment of BPF programs with tools and libraries that let users extract important insights from their systems.
21.1. Installing the bcc-tools package
Install the bcc-tools package to get the BPF Compiler Collection (BCC) library and related tools.
Procedure
Install bcc-tools.
# dnf install bcc-tools
The BCC tools are installed in the /usr/share/bcc/tools/ directory.
Verification
Inspect the installed tools.
# ls -l /usr/share/bcc/tools/
A list of tools installed appears. The doc directory in the listing provides documentation for each tool.
21.2. Examining the system processes with execsnoop
The execsnoop tool from the BCC suite captures and displays new process execution events in real time. It is useful for observing which commands or binaries are being executed on a system, helping with debugging, auditing, and security monitoring.
Procedure
Run the execsnoop program in one terminal:
# /usr/share/bcc/tools/execsnoop
To create a short-lived process of the ls command, in another terminal, enter:
$ ls /usr/share/bcc/tools/doc/
The terminal running execsnoop shows output similar to the following:
PCOMM  PID   PPID  RET ARGS
ls     8382  8287    0 /usr/bin/ls --color=auto /usr/share/bcc/tools/doc/
The execsnoop program prints a line of output for each new process that consumes system resources. It even detects processes of programs that run only very briefly, such as ls, which most monitoring tools would not register. The execsnoop output displays the following fields:
- PCOMM: The parent process name. (ls)
- PID: The process ID. (8382)
- PPID: The parent process ID. (8287)
- RET: The return value of the exec() system call (0), which loads program code into new processes.
- ARGS: The location of the started program with arguments.
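As an added example (not part of the original documentation), the following Python script post-processes execsnoop output for the auditing use case mentioned above: it parses each row and flags failed exec() calls and binaries started from world-writable directories. The sample rows other than the ls line, the WRITABLE_DIRS list, and the function names are assumptions made for this example.

```python
import re

# Constructed sample in execsnoop's column layout. The ls row is the one
# shown above; the other two rows are made up for this example. Rows with a
# non-zero RET appear only when execsnoop runs with -x (include failed execs).
SAMPLE = """\
PCOMM            PID    PPID   RET ARGS
ls               8382   8287     0 /usr/bin/ls --color=auto /usr/share/bcc/tools/doc/
sh               8401   8287     0 /tmp/build/run.sh --fast
bash             8410   8287    -2 /usr/local/bin/foo
"""

# PCOMM can contain spaces, so anchor on the three integer columns rather
# than splitting on whitespace. ARGS is everything after RET.
ROW = re.compile(
    r"^(?P<pcomm>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<ret>-?\d+)\s*(?P<args>.*)$"
)

# Assumed policy for this example: directories any local user can write to.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse(text):
    """Turn execsnoop output into dicts; the header and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            e = m.groupdict()
            for key in ("pid", "ppid", "ret"):
                e[key] = int(e[key])
            events.append(e)
    return events


def review(events):
    """Return (pid, reason, binary) for executions worth a second look."""
    findings = []
    for e in events:
        binary = e["args"].split(" ", 1)[0]
        if e["ret"] != 0:
            findings.append((e["pid"], "exec failed", binary))
        elif binary.startswith(WRITABLE_DIRS):
            findings.append((e["pid"], "run from writable directory", binary))
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE)):
        print(finding)
```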
21.3. Tracking files opened by a command with opensnoop
You can use the opensnoop tool from the BCC (BPF Compiler Collection) to monitor and log file access by a specific command in real time. This is useful for debugging, auditing, or understanding the runtime behavior of an application.
Procedure
In one terminal, run the opensnoop program to print the output for files opened only by the process of the uname command:
# /usr/share/bcc/tools/opensnoop -n uname
In another terminal, enter the command to open certain files:
$ uname
The terminal running opensnoop shows output similar to the following:
PID   COMM   FD ERR PATH
8596  uname   3   0 /etc/ld.so.cache
8596  uname   3   0 /lib64/libc.so.6
8596  uname   3   0 /usr/lib/locale/locale-archive
...
The opensnoop program watches the open() system call across the whole system, and prints a line of output for each file that uname tries to open along the way. The opensnoop output displays the following fields:
- PID: The process ID. (8596)
- COMM: The process name. (uname)
- FD: The file descriptor, a value that open() returns to refer to the open file. (3)
- ERR: Any errors.
- PATH: The location of files that open() tries to open.
If a command tries to read a non-existent file, the FD column returns -1 and the ERR column prints a value corresponding to the relevant error. By using opensnoop, you can identify an application that does not behave properly.
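As an added example (not part of the original documentation), the following Python script reads opensnoop output, keeps only the rows where FD is -1, and translates the number in the ERR column into its symbolic errno name so that repeated failures stand out. The failing rows, their /example/ paths, and the function name are assumptions made for this example.

```python
import errno
import re
from collections import Counter

# Constructed sample in opensnoop's column layout. The first two rows are
# from the output above; the failing rows and their paths are made up.
SAMPLE = """\
PID    COMM     FD ERR PATH
8596   uname     3   0 /etc/ld.so.cache
8596   uname     3   0 /lib64/libc.so.6
8596   uname    -1   2 /example/missing.conf
8596   uname    -1  13 /example/private.key
8596   uname    -1   2 /example/missing.conf
"""

# [ \t]+ instead of \s+ keeps a match from running over a line break when a
# row is truncated. The header never matches because PID must be numeric.
ROW = re.compile(
    r"^(?P<pid>\d+)[ \t]+(?P<comm>.+?)[ \t]+(?P<fd>-?\d+)[ \t]+(?P<err>\d+)[ \t]+(?P<path>.*)$",
    re.MULTILINE,
)


def failed_opens(text):
    """Count failed opens per (comm, errno name, path), most frequent first."""
    counts = Counter()
    for m in ROW.finditer(text):
        if int(m["fd"]) >= 0:
            continue  # the open succeeded and returned a descriptor
        err = int(m["err"])
        # errno.errorcode maps the number in ERR to its symbolic name.
        name = errno.errorcode.get(err, "errno %d" % err)
        counts[(m["comm"], name, m["path"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (comm, name, path), count in failed_opens(SAMPLE):
        print(f"{count:3d}  {comm:<8} {name:<8} {path}")
```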
21.4. Monitoring the top processes performing I/O operations on the disk with biotop
The biotop tool provides a real-time view of processes generating the most disk I/O activity. It identifies applications that are heavily reading from or writing to the disk, making it a valuable utility for performance monitoring and troubleshooting.
Procedure
Run the biotop program in one terminal with 30 as an argument to produce 30-second summaries:
# /usr/share/bcc/tools/biotop 30
When you do not provide any argument, the output screen refreshes every 1 second by default.
In another terminal, enter the command to read the content from the local hard disk device and write the output to the /dev/zero file:
# dd if=/dev/vda of=/dev/zero
This step generates certain I/O traffic to illustrate biotop. The terminal running biotop shows an output similar to the following:
PID    COMM             D MAJ MIN DISK   I/O  Kbytes      AVGms
9568   dd               R 252 0   vda  16294  14440636.0  3.69
48     kswapd0          W 252 0   vda   1763  120696.0    1.65
7571   gnome-shell      R 252 0   vda    834  83612.0     0.33
1891   gnome-shell      R 252 0   vda   1379  19792.0     0.15
7515   Xorg             R 252 0   vda    280  9940.0      0.28
7579   llvmpipe-1       R 252 0   vda    228  6928.0      0.19
9515   gnome-control-c  R 252 0   vda     62  6444.0      0.43
8112   gnome-terminal-  R 252 0   vda     67  2572.0      1.54
7807   gnome-software   R 252 0   vda     31  2336.0      0.73
9578   awk              R 252 0   vda     17  2228.0      0.66
7578   llvmpipe-0       R 252 0   vda    156  2204.0      0.07
9581   pgrep            R 252 0   vda     58  1748.0      0.42
7531   InputThread      R 252 0   vda     30  1200.0      0.48
7504   gdbus            R 252 0   vda      3  1164.0      0.30
1983   llvmpipe-1       R 252 0   vda     39  724.0       0.08
1982   llvmpipe-0       R 252 0   vda     36  652.0       0.06
...
The biotop output displays the following fields:
- PID: The process ID. (9568)
- COMM: The process name. (dd)
- DISK: The disk that performs the read operations. (vda)
- I/O: The number of read operations performed. (16294)
- Kbytes: The amount of Kbytes transferred by the read operations. (14,440,636)
- AVGms: The average I/O time of read operations. (3.69)
21.5. Exposing unexpectedly slow file system operations with xfsslower
The xfsslower tool measures the time spent by the XFS file system in performing read, write, open, or sync (fsync) operations. The argument 1 ensures that the program shows only the operations that are slower than 1 ms.
Procedure
Run the xfsslower program in one terminal:
# /usr/share/bcc/tools/xfsslower 1
When you do not provide any arguments, xfsslower displays operations slower than 10 ms by default.
In another terminal, enter the command to create a text file in the vim editor to start interaction with the XFS file system:
$ vim text
The terminal running xfsslower shows something similar upon saving the file from the previous step:
TIME     COMM     PID   T BYTES OFF_KB LAT(ms) FILENAME
13:07:14 b'bash'  4754  R 256   0      7.11    b'vim'
13:07:14 b'vim'   4754  R 832   0      4.03    b'libgpm.so.2.1.0'
13:07:14 b'vim'   4754  R 32    20     1.04    b'libgpm.so.2.1.0'
13:07:14 b'vim'   4754  R 1982  0      2.30    b'vimrc'
13:07:14 b'vim'   4754  R 1393  0      2.52    b'getscriptPlugin.vim'
13:07:45 b'vim'   4754  S 0     0      6.71    b'text'
13:07:45 b'pool'  2588  R 16    0      5.58    b'text'
...
Each line represents an operation in the file system that took more time than a certain threshold. xfsslower detects possible file system problems, which can take the form of unexpectedly slow operations. The xfsslower output displays the following fields:
- COMM: The process name. (b'bash')
- T: The operation type. (R)
  - Read
  - Write
  - Open
  - Sync
- OFF_KB: The file offset in KB. (0)
- FILENAME: The file that is read, written, or synced.