http://blog.clearnetsec.com/articles/2006/08/30/intro-to-systemtap en-us 40 <h2>What is systemtap?</h2> <p> <a href=http://sources.redhat.com/systemtap/>Systemtap</a> is a tool built upon the kprobes framework for probing, debugging and analyzing the <a href=http://www.kernel.org/>linux kernel</a> at runtime. <a href=http://www.ibm.com>IBM</a> contributed <a href=http://sources.redhat.com/systemtap/kprobes/>kprobes</a> to linux and had it included during the 2.5 development tree in 2002. It's a supported and standard portion of the Linux kernel. Systemtap builds upon kprobes and creates a fairly easy to use tool that let's you probe just about anything and everything in the linux kernel with fairly simple commands, you can almost effortlessly modify any variable you wish on a running kernel. All with minimal performance impact. Essentially it's the linux version of dtrace the differences being that systemtap is probably more flexible in kernel space and dtrace currently does a lot more for probing userspace applications. <p> <h2>So how do I get this working?</h2> <p> It's fairly easy and straight forward to install. There are RPMs for Fedora, Redhat Enterprise and Suse based linux distributions. There is a slight trick, at least with Fedora Core 5, you need to have the kernel debug RPM also installed. Basically, it's just a set of object code files with debug symbols. I couldn't find it in the latest Fedora Core 5 and upon closer look the kernel RPM didn't have the debug package enabled by default. I placed the following in my kernel-2.6.spec from Fedora Core 5 and was able to build the kernel debug symbol package. <p> <pre> %define _enable_debug_packages 1 </pre> <p> With that added to your kernel spec file you can use rpmbuild and rebuild it and it will emit the debug package. <p> <h2> What can you do now? </h2> <p> Now you can start probing stuff. The systemtap site has some fairly simple demos, one is to print the top 20 most common syscalls every 5 seconds. <p> <pre> #!/usr/bin/env stap # # This script continuously lists the top 20 systemcalls on the system # global syscalls function print_top () { cnt=0 log ("SYSCALL\t\t\t\tCOUNT") foreach ([name] in syscalls-) { printf("%-20s\t\t%5d\n",name, syscalls[name]) if (cnt++ == 20) break } printf("--------------------------------------\n") delete syscalls } probe kernel.function("sys_*") { syscalls[probefunc()]++ } # print top syscalls every 5 seconds probe timer.ms(5000) { print_top () } </pre> <p> This little probe will sleep for 5 seconds counting each system call as it happens and then dumps the list out and starts counting again. Here is a sample output: <p> <pre> SYSCALL COUNT sys_gettimeofday 771 sys_futex 637 sys_clock_gettime 214 sys_rt_sigprocmask 141 sys_select 136 sys_poll 106 sys_newstat 84 sys_ioctl 62 sys_read 48 sys_write 47 sys_fcntl 47 sys_rt_sigaction 38 sys_time 30 sys_getppid 26 sys_setitimer 16 sys_recvfrom 13 sys_rt_sigreturn 13 sys_nanosleep 12 sys_close 11 sys_open 10 sys_newfstat 6 </pre> <p> Try altering the load on your system and seeing how that affects things. That's kind of interesting but not terribly useful. Try this version: <p> <pre> #! /usr/bin/env stap # # This script continuously lists the top 20 systemcalls on the system # global syscalls function print_top () { cnt=0 log ("SYSCALL\t\t\t\tCOUNT") foreach ([name] in syscalls-) { printf("%-20s\t\t%5d\n",name, syscalls[name]) if (cnt++ == 20) break } printf("--------------------------------------\n") delete syscalls } probe kernel.function("sys_*") { if (target() == tid()) syscalls[probefunc()]++ } # print top syscalls every 5 seconds probe timer.ms(5000) { print_top () } </pre> <p> I added a line to the probe which checks to see if the target is a value that system let's you pass in. Now you can add a -x argument and the pid of a process and it will perform the same probes only against that particular process. I have a postgresql database running and ps tells me that pid 16679 is the writer thread. <p> <pre> ... postgres 16679 0.0 4.4 199916 91000 ? S Jul21 0:00 postgres: writer process ... </pre> <p> Let's look at it. <pre> SYSCALL COUNT sys_getppid 25 sys_time 25 sys_select 25 </pre> <p> over and over and over, since the database isn't doing anything this makes sense, it's just waiting for something to tell it what to do. You can attach strace to that process (strace -p 16679) and see that it is correct. Let's distburb the database and make it do some I/O and see how it behaves. I'll insert a record into a table. <p> <pre> SYSCALL COUNT sys_getppid 25 sys_time 25 sys_select 25 sys_lseek 4 sys_write 4 </pre> <p> That makes some sense, one record insereted resulted in 4 seeks and 4 writes. Maybe that's a write to an index, a couple writes to b+tree nodes and then an actual record being written, or maybe it is writing to a journal file. I don't know, but it sounds kind of reasonable and I haven't looked at the postgresql code yet. In fact we haven't looked at any source code yet or really compiled anything. This is kind of a cheap example since strace and the ptrace API can provide all of this information (although there is considerable impact on system performance with them) so here is something a bit harder to do. <p> <pre> #! /usr/bin/env stap global comps global compsizes probe kernel.function("memcmp") { comps++ compsizes = compsizes + $count } probe timer.ms(5000) { printf("memcmp call count bytes compared\n") printf("%d %d\n", comps, compsizes) comps = 0 compsizes = 0 } </pre> <p> This probe monitors the kernel's memcmp function which compares two buffers of memory. $count is an argument to that function which contains the number of bytes to compare. <pre> memcmp call count bytes compared 17151 114214 memcmp call count bytes compared 5455 34990 memcmp call count bytes compared 17165 114269 memcmp call count bytes compared 5398 34817 </pre> <p> As you can see memcmp is called a lot and on average to compare about 6 bytes worth of data. I wonder what it sort of oscillates? I'll have to look in to that. <p> Here is another simple one, __kmalloc is used to allocate memory in the kernel. <pre> #! /usr/bin/env stap global allocs global allocsizes probe kernel.function("__kmalloc") { allocs ++ allocsizes = allocsizes + $size } probe timer.ms(5000) { printf("malloc count bytes malloced \n") printf("%d %d \n", allocs, allocsizes) allocs = 0 allocsizes = 0 } </pre> which produces something looking like this: <pre> malloc count bytes malloced 16 30128 malloc count bytes malloced 36 69312 malloc count bytes malloced 76 64469 malloc count bytes malloced 28 56651 </pre> So every 5 seconds this particular system is doing about 40 mallocs and it's averaging to about 5K per malloc if my napkin math is correct. <p> That's just a taste, next week I'll do a more interesting example. Wed, 30 Aug 2006 17:13:00 -0600 urn:uuid:faa4a008-f42a-40e1-88d9-6827e25aceca ian@ClearNetSec.com (Ian S. Nelson) http://blog.clearnetsec.com/articles/2006/08/30/intro-to-systemtap linux systemtap kernel profiling <p>It is fixed. </p> <p>So I was having the hardest time probing my e1000 driver. Turns out there is a bug in the Linux kernel. /sys/modules/foo/sections was limited to 32 characters and many of the actual object sections in modules are quite a bit longer than that. Andrew and Linus have accepted my patch and it should be in the next mm tree and Linus tree.</p> Fri, 01 Sep 2006 19:34:14 -0600 urn:uuid:c1dcd0a4-de82-4e7e-acbc-d29a6340bf08 http://blog.clearnetsec.com/articles/2006/08/30/intro-to-systemtap#comment-16 <p>Very cool, thanks for the pointers. Thanks for commenting too. I can&#8217;t tell you how many times I&#8217;ve baked a kernel just to measure something or tweak it. It&#8217;s a great tool, thanks for working on it.</p> <p>I started looking at some of the taps in /usr/share/systemtap but I wanted to get an article out and couldn&#8217;t figure out a couple of problems I kept running in to. In the process I joined the mailing list because I think I may have found a slight bug that I&#8217;ll be submitting a patch to fix as soon as I verify it. </p> <p>I&#8217;ll definitely blog some more and try to generate some more interest, like I said, it&#8217;s an incredibly cool tool.</p> Thu, 31 Aug 2006 01:29:11 -0600 urn:uuid:5e347615-7bf0-492a-9e24-a40459144cb1 http://blog.clearnetsec.com/articles/2006/08/30/intro-to-systemtap#comment-15 <p>Thanks for the nice intro!</p> <p>As one of the SystemTap developers, I have a few comments that might give you more success.</p> <p>First, for the debuginfo, Fedora does provide the necessary files in a separate package called <code>kernel-debuginfo</code>. You can use <code>yum</code> to install this, though you may need to enable extra repositories (e.g., <code>core-debuginfo</code> and/or <code>updates-debuginfo</code>). For example:</p> <pre>yum --enablerepo=updates-debuginfo install kernel-debuginfo</pre> <p>Make sure that the version you grab matches your running kernel!</p> <p>I would also recommend that you look into the stats capability. Not only does it give you access to functions like min, max, avg, sum, etc., but it also uses percpu data structures for better scalability. Consider the following &#8220;port&#8221; of your kmalloc example:</p> <pre>#! /usr/bin/env stap global allocs probe kernel.function("__kmalloc") { allocs &lt;&lt;&lt; $size } probe timer.ms(5000) { count = @count(allocs) sum = count ? @sum(allocs) : 0 printf("malloc count bytes malloced\n") printf("%d %d\n", count, sum) delete allocs }</pre> <p>Please continue to blog your SystemTap experiences, and feel free to join us on the mailing list as well&#8230;</p> Wed, 30 Aug 2006 21:56:07 -0600 urn:uuid:524cc8fa-4a27-4f31-a8bd-07d5f5f9485e http://blog.clearnetsec.com/articles/2006/08/30/intro-to-systemtap#comment-12 <p>Pardon the look of the data, I&#8217;ll get tate to fix the CSS to have fixed width fonts for the fixed width data&#8230;</p> Wed, 30 Aug 2006 14:15:47 -0600 urn:uuid:f283a194-a22b-4cc7-b490-2694fa4c8adb http://blog.clearnetsec.com/articles/2006/08/30/intro-to-systemtap#comment-1