[bpf] bcc-tools and bpftrace fail to run: Error creating printf map: Operation not permitted

I recently installed Ubuntu on my work computer as an environment for daily development and learning. Since the kernel is fairly new, I wanted to try out some new toys.

The environment:

# cat /etc/issue
Ubuntu 18.04.3 LTS \n \l

# uname -a
Linux zhizhiliu-hp 5.0.0-32-generic #34~18.04.2-Ubuntu SMP Thu Oct 10 10:36:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

After installing bpftrace following the official installation docs, it failed on startup with the following error:

# bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%d %s %s\n", pid, comm, str(args->filename)); }'
Error creating printf map: Operation not permitted
Creation of the required BPF maps has failed.
Make sure you have all the required permissions and are not confined (e.g. like
snapcraft does). `dmesg` will likely have useful output for further troubleshooting

Before that I had installed bcc-tools and hit a similar error when running them; I searched for a long time without finding a solution.

In the end I found a fix in this guy's blog: https://itnext.io/how-to-run-bpftrace-from-a-small-alpine-image-and-with-least-privileges-379146fcfcf1

Change the following settings:

root@zhizhiliu-hp:/data/softs/bpftrace/build# sudo bash -c 'echo 1 > /proc/sys/kernel/sysrq'
root@zhizhiliu-hp:/data/softs/bpftrace/build# sudo bash -c 'echo x > /proc/sysrq-trigger'

Running it again works normally. Very happy.

What do these two commands do?
They lift the kernel lockdown mechanism. The first enables all SysRq functions (`/proc/sys/kernel/sysrq`); the second triggers the `x` SysRq key, which on Ubuntu's lockdown-enabled kernels lifts lockdown until the next reboot. What is lockdown? It is a fairly new kernel security mechanism, something like a protective lock: on Ubuntu kernels it is switched on automatically when the machine boots with Secure Boot, and it stops even root from modifying or reading the running kernel (loading unsigned modules, accessing /dev/mem, and on this kernel also using the bpf() syscall, which is why the map creation above failed with EPERM). When lockdown blocks something, the kernel logs a `Lockdown:` line in dmesg, which is what the bpftrace error message is pointing at. Lifting it removes that protection for every process on the machine, not just for bpftrace.
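As an added diagnostic example (not from the original post or from the bpftrace project), here is a small POSIX shell script that checks the two places where lockdown shows itself, the `/sys/kernel/security/lockdown` file that newer kernels expose (assumed present; the older Ubuntu lockdown patchset may not provide it) and `Lockdown:` lines in the kernel log, and reports whether a bpf() "Operation not permitted" is likely caused by lockdown rather than, say, a missing capability. The parsing functions run on constructed sample text so the script can be exercised offline; `--live` runs them against the real system.

```shell
#!/bin/sh
# Added example, not part of the original post: decide whether a bpf()
# "Operation not permitted" is likely due to kernel lockdown.

# Extract the active mode from the sysfs lockdown file. On kernels that
# expose it the content looks like "none integrity [confidentiality]";
# the bracketed word is the active mode (assumption about the file format).
parse_lockdown_state() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Count kernel log lines reporting a lockdown denial. Ubuntu's lockdown
# kernels log "Lockdown: <comm>: <what> is restricted; see man kernel_lockdown.7".
# grep -c exits 1 when the count is 0, so force success for set -e callers.
count_lockdown_denials() {
    printf '%s\n' "$1" | grep -c 'Lockdown: .*is restricted' || true
}

# Verdict: "lockdown" if either signal says so, otherwise "other".
# $1 = sysfs file content (may be empty), $2 = kernel log text (may be empty).
bpf_eperm_cause() {
    state=$(parse_lockdown_state "$1")
    denials=$(count_lockdown_denials "$2")
    if [ -n "$state" ] && [ "$state" != "none" ]; then
        echo "lockdown"
    elif [ "$denials" -gt 0 ]; then
        echo "lockdown"
    else
        echo "other"
    fi
}

# Constructed sample inputs (not real captures from any machine).
SAMPLE_SYSFS='none integrity [confidentiality]'
SAMPLE_DMESG='[  123.456789] Lockdown: bpftrace: BPF is restricted; see man kernel_lockdown.7
[  123.457000] audit: type=1400 audit(1571000000.000:42): apparmor="STATUS"'

# Read the real sysfs file and dmesg (both may be unavailable) and report.
check_live_system() {
    sysfs=''
    if [ -r /sys/kernel/security/lockdown ]; then
        sysfs=$(cat /sys/kernel/security/lockdown)
    fi
    log=$(dmesg 2>/dev/null | grep 'Lockdown:' || true)
    echo "sysfs lockdown mode: ${sysfs:-<file not present>}"
    echo "lockdown denials in kernel log: $(count_lockdown_denials "$log")"
    echo "likely cause of BPF EPERM: $(bpf_eperm_cause "$sysfs" "$log")"
}

case "${1:-}" in
    --live) check_live_system ;;
    *) echo "sample verdict: $(bpf_eperm_cause "$SAMPLE_SYSFS" "$SAMPLE_DMESG")" ;;
esac
```

Run it with no arguments to see the verdict on the constructed sample, or with `--live` on the affected machine. If the verdict is "other", lockdown is not the reason and the sysrq steps above will not help; the usual remaining causes are running without CAP_SYS_ADMIN or inside a confined sandbox, as the bpftrace error text itself hints.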

I just tried a fresh build on a 4.4 kernel.

# ./bpftrace -e 'kprobe:sys_read { [tid] = count(); }'
Error creating map: ''
Attaching 1 probe...
bpf: Failed to load program: Invalid argument
Error loading program: kprobe:sys_read

Here's the BPF syscalls:

# strace -febpf ./bpftrace -e 'kprobe:sys_read { [tid] = count(); }'
bpf(BPF_MAP_CREATE, {map_type=0x5 /* BPF_MAP_TYPE_??? */, key_size=8, value_size=8, max_entries=128}, 72) = -1 EINVAL (Invalid argument)
bpf(BPF_MAP_CREATE, {map_type=0x5 /* BPF_MAP_TYPE_??? */, key_size=8, value_size=8, max_entries=128}, 72) = -1 EINVAL (Invalid argument)
Error creating map: ''
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, max_entries=8}, 72) = -1 EINVAL (Invalid argument)
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, max_entries=8}, 72) = 3
Attaching 1 probe...
bpf(BPF_MAP_UPDATE_ELEM, {map_fd=3, key=0x7ffd8a1c820c, value=0x7ffd8a1c8210, flags=BPF_ANY}, 72) = 0
bpf(BPF_MAP_UPDATE_ELEM, {map_fd=3, key=0x7ffd8a1c820c, value=0x7ffd8a1c8210, flags=BPF_ANY}, 72) = 0
bpf(BPF_MAP_UPDATE_ELEM, {map_fd=3, key=0x7ffd8a1c820c, value=0x7ffd8a1c8210, flags=BPF_ANY}, 72) = 0
bpf(BPF_MAP_UPDATE_ELEM, {map_fd=3, key=0x7ffd8a1c820c, value=0x7ffd8a1c8210, flags=BPF_ANY}, 72) = 0
bpf(BPF_MAP_UPDATE_ELEM, {map_fd=3, key=0x7ffd8a1c820c, value=0x7ffd8a1c8210, flags=BPF_ANY}, 72) = 0
bpf(BPF_MAP_UPDATE_ELEM, {map_fd=3, key=0x7ffd8a1c820c, value=0x7ffd8a1c8210, flags=BPF_ANY}, 72) = 0
bpf(BPF_MAP_UPDATE_ELEM, {map_fd=3, key=0x7ffd8a1c820c, value=0x7ffd8a1c8210, flags=BPF_ANY}, 72) = 0
bpf(BPF_MAP_UPDATE_ELEM, {map_fd=3, key=0x7ffd8a1c820c, value=0x7ffd8a1c8210, flags=BPF_ANY}, 72) = 0
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=24, insns=0x7f567068b000, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263168}, 72) = -1 E2BIG (Argument list too long)
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=24, insns=0x7f567068b000, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263168}, 72) = -1 EINVAL (Invalid argument)
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=24, insns=0x7f567068b000, license="GPL", log_level=1, log_size=65536, log_buf=0x35597b0, kern_version=263168}, 72) = -1 EINVAL (Invalid argument)
bpf: Failed to load program: Invalid argument
Error loading program: kprobe:sys_read
+++ exited with 255 +++

Comparing to a working bcc tool:

# strace -febpf /usr/share/bcc/tools/ext4dist
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH, key_size=4, value_size=8, max_entries=10240}, 64) = -1 EINVAL (Invalid argument)
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH, key_size=4, value_size=8, max_entries=10240}, 64) = -1 EPERM (Operation not permitted)
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH, key_size=4, value_size=8, max_entries=10240}, 64) = 3
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH, key_size=16, value_size=8, max_entries=64}, 64) = -1 EINVAL (Invalid argument)
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_HASH, key_size=16, value_size=8, max_entries=64}, 64) = 4
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=31, insns=0x7fb30a456bf0, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = -1 E2BIG (Argument list too long)
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=31, insns=0x7fb30a456bf0, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = 5
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=14, insns=0x7fb30a456ce8, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = -1 E2BIG (Argument list too long)
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=14, insns=0x7fb30a456ce8, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = 8
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=131, insns=0x7fb30a455838, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = -1 E2BIG (Argument list too long)
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=131, insns=0x7fb30a455838, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = 12
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=132, insns=0x7fb30a4567d0, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = -1 E2BIG (Argument list too long)
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=132, insns=0x7fb30a4567d0, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = 14
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=131, insns=0x7fb30a455000, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = -1 E2BIG (Argument list too long)
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=131, insns=0x7fb30a455000, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = 16
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=132, insns=0x7fb30a455418, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = -1 E2BIG (Argument list too long)
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=132, insns=0x7fb30a455418, license="GPL", log_level=0, log_size=0, log_buf=0, kern_version=263258}, 64) = 18
Tracing ext4 operation latency... Hit Ctrl-C to end.
^Cstrace: Process 21116 detached

So I can see that the kern_version is wrong.

As an experiment, I hardwired it in src/attached_probe.cpp's kernel_version(), and now bpftrace gets further and then fails for a different reason. I won't include details here as I think that's a separate bug.

This issue is from the open-source project ajor/bpftrace.
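An added example (not from the issue above or from the bpftrace project) that decodes the two `kern_version` values visible in the straces. The field uses the kernel's `KERNEL_VERSION(a,b,c) = (a << 16) + (b << 8) + c` encoding from `<linux/version.h>`, and kernels before 5.0 reject a kprobe BPF_PROG_LOAD with EINVAL when it does not equal the running kernel's LINUX_VERSION_CODE, which is the failure the bpftrace strace shows. The helper names below are my own.

```shell
#!/bin/sh
# Added example, not from the bpftrace project: encode and decode the
# kern_version field of bpf(BPF_PROG_LOAD).

# KERNEL_VERSION(a,b,c) = (a << 16) + (b << 8) + c.
# Accepts "4.4.90" or a full `uname -r` such as "4.4.0-62-generic";
# anything after the first '-' is dropped before splitting on '.'.
kernel_version_code() {
    v=${1%%-*}
    oldifs=$IFS; IFS=.
    set -- $v
    IFS=$oldifs
    echo $(( ($1 << 16) + (${2:-0} << 8) + ${3:-0} ))
}

# Inverse: 263258 -> "4.4.90".
decode_kernel_version() {
    echo "$(( $1 >> 16 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# True when the kern_version a loader passed ($1) matches the running
# kernel's release string ($2); on pre-5.0 kernels a mismatch means EINVAL
# for kprobe programs.
kern_version_matches() {
    [ "$1" -eq "$(kernel_version_code "$2")" ]
}

# Demonstrate on the two values from the straces, then on this machine.
for code in 263168 263258; do
    echo "kern_version=$code -> $(decode_kernel_version "$code")"
done
release=$(uname -r 2>/dev/null || echo 0.0.0)
echo "this kernel: $release -> $(kernel_version_code "$release")"
```

Decoding the two values shows that bpftrace passed 263168, which is 4.4.0, while the working bcc tool passed 263258, which is 4.4.90, the kernel actually running; that is what the comment means by the kern_version being wrong. A loader that derives the value from a compile-time header rather than from the running kernel will hit exactly this mismatch on any machine whose kernel differs from the build box.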