Package bpftool
@mps wanted an issue to justify !33554 (merged) so here it is.
bpftool is the Swiss army knife of eBPF on Linux. eBPF is used by various tools under the hood (obviously bpftrace and bcc, but also tcpdump (for filters), perf (can be used to augment record), strace (seccomp filters to speed it up), etc.).
It's also possible to write your own standalone BPF programs, which seems to be the new fad -- with BTF/CO-RE it's possible to make application-specific debuggers that fit in ~200KB and can run anywhere.
This would be more practical with #12563 (closed), but it's not needed if the application targets a specific kernel, and I in particular rebuild my own kernel with BTF; it's also possible to run these in a privileged Alpine container with these tools on just about any other distro (rhel/fedora/debian/arch/etc).
bpftool is mostly about debugging when these go wrong. Its subcommands, in no particular order:
- bpftool prog show: list currently loaded BPF programs, along with which process uses each one
- bpftool prog dump: dump said programs for inspection/debugging
- bpftool prog tracelog: dump bpf_trace_printk() messages from BPF programs
- bpftool prog pin/run/etc: run a BPF program directly
- bpftool prog profile: profile a program for optimization
- bpftool map: list, dump the contents of, update, look up, etc. the maps used by these programs (memory regions used by the programs, also used to communicate back to userspace)
- bpftool perf: ditto for tracepoint/kprobe attachments
- bpftool link: ditto for bpf_link (see https://lore.kernel.org/bpf/20200228223948.360936-1-andriin@fb.com/ )
- bpftool struct_ops: ditto for struct_ops (see https://lwn.net/Articles/809092/ ; currently can only set tcp_congestion_ops)
- bpftool gen: helper to generate BPF skeleton code
- bpftool btf: dump C structs (or raw format) for vmlinux.h (if the kernel was compiled with BTF) or for an arbitrary program given a compatible object file
- bpftool iter: manipulate BPF iterators (see https://lwn.net/Articles/819422/ ) -- these are a nice way to create custom files, like the files in /proc, so monitoring can fetch values regularly without being aware of BPF
- also some net, feature and btf subcommands I never tried
I mostly use it for bpftool prog/map when developing tooling, but just system inspection is also useful occasionally. I'm also interested in iterators but haven't really started using those.
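As an added example of the "system inspection" use of `bpftool prog show` (not code from the original issue or from the bpftool project), the script below reads the JSON form of that listing, counts programs per type, reports which process holds each one, and flags programs whose tag is not in a known baseline, that no process holds (i.e. kept alive only by a pin or a bpf_link), or that were loaded by a non-root uid. The JSON field names (`id`, `type`, `tag`, `name`, `uid`, `map_ids`, `pids` with `pid`/`comm`) are assumed to match what `bpftool prog show --json` emits on a recent kernel; the sample document embedded in the script is constructed so it runs without root or bpftool installed.

```python
"""Inventory of loaded eBPF programs from `bpftool prog show --json`.

Added example, not part of the original issue. It assumes the JSON field
names bpftool emits for `prog show --json` (id, type, tag, name, uid,
map_ids, pids); SAMPLE_OUTPUT below is a constructed stand-in.
"""
import json
import subprocess
from collections import Counter

# Constructed sample mimicking the shape of `bpftool prog show --json` output.
SAMPLE_OUTPUT = json.dumps([
    {"id": 3, "type": "cgroup_skb", "tag": "6deef7357e7b4530", "gpl_compatible": True,
     "loaded_at": 1700000000, "uid": 0, "bytes_xlated": 64, "jited": True,
     "bytes_jited": 54, "bytes_memlock": 4096, "map_ids": [],
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 42, "type": "kprobe", "name": "trace_open", "tag": "0123456789abcdef",
     "gpl_compatible": True, "loaded_at": 1700000100, "uid": 0, "bytes_xlated": 512,
     "jited": True, "bytes_jited": 300, "bytes_memlock": 8192, "map_ids": [7, 8],
     "pids": [{"pid": 4242, "comm": "bpftrace"}]},
    {"id": 57, "type": "tracepoint", "name": "sys_enter", "tag": "deadbeefcafef00d",
     "gpl_compatible": False, "loaded_at": 1700000200, "uid": 1000, "bytes_xlated": 128,
     "jited": True, "bytes_jited": 90, "bytes_memlock": 4096, "map_ids": [9],
     "pids": []},
])


def load_programs(json_text):
    """Parse bpftool's JSON array into a list of dicts, one per program."""
    return json.loads(json_text)


def fetch_live_programs():
    """Run bpftool on this host (needs CAP_BPF/root); return [] if unavailable."""
    try:
        out = subprocess.run(["bpftool", "prog", "show", "--json"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return load_programs(out)


def summarize(programs):
    """Count programs per type and list the processes holding each program id."""
    by_type = Counter(p["type"] for p in programs)
    owners = {p["id"]: [f'{h["comm"]}({h["pid"]})' for h in p.get("pids", [])]
              for p in programs}
    return by_type, owners


def find_unexpected(programs, baseline_tags):
    """Flag programs worth a second look on a host you think you know.

    baseline_tags is the set of program tags you expect to see. A program
    with no owning pid is kept alive only by a pin or a bpf_link, so on a
    host where nothing was pinned deliberately it deserves attention.
    """
    findings = []
    for p in programs:
        reasons = []
        if p["tag"] not in baseline_tags:
            reasons.append("tag not in baseline")
        if not p.get("pids"):
            reasons.append("no owning process (pinned or link-held)")
        if p.get("uid", 0) != 0:
            reasons.append(f"loaded by uid {p['uid']}")
        if reasons:
            findings.append((p["id"], p["type"], p.get("name", "<anon>"), reasons))
    return findings


if __name__ == "__main__":
    # Prefer the live listing; fall back to the constructed sample offline.
    progs = fetch_live_programs() or load_programs(SAMPLE_OUTPUT)
    by_type, owners = summarize(progs)
    for prog_type, count in sorted(by_type.items()):
        print(f"{prog_type:12} {count}")
    for prog_id, holders in owners.items():
        print(f"prog {prog_id}: held by {', '.join(holders) or 'nobody'}")
    for prog_id, prog_type, name, why in find_unexpected(progs, {"6deef7357e7b4530"}):
        print(f"prog {prog_id} ({prog_type} {name}): {'; '.join(why)}")
```

The baseline set is whatever you recorded from a known-good boot of the same image; comparing tags rather than ids is what makes it stable across reboots, since ids are reassigned but a tag is a hash of the program's instructions.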
EDIT: Quentin Monnet wrote a blog post with various examples of most of the features: https://qmonnet.github.io/whirl-offload/2021/09/23/bpftool-features-thread/