Abstract image of a woman sitting on books and studying on a laptop

No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)

P
Pixie Labs

The document discusses using eBPF for instrumentation and logging in Golang applications without source code modifications. It provides an example of using eBPF to log function arguments by attaching a BPF program to the computeE function via uprobes. This allows viewing function parameters in production without recompiling or using a debugger. eBPF provides low overhead dynamic tracing of all application code compared to other options like debuggers or static tracing tools.

Engineering
1 of 25
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
GoSF Nov 11, 2020 No-Instrumentation Golang Logging with eBPF
ABOUT ME 👋 i’m Zain @zainasgar Co-Founder/CEO Pixie Labs & Adjunct Professor of CS @ Stanford
DEVELOPER PROBLEM You’re an application developer, and your program is misbehaving. ● No problem. You have logs! Right? ● Uh-oh, not in the spot you need. 😞 We’ve all been there: ● “I just wish I could see the variable x when Foo() is called”
- Delve is one of the main Go debuggers. - You can also use GDB, but it has less support for Go runtime, data structures, etc. - Install Delve to get started go get github.com/go-delve/delve/cmd/dlv First steps with a debugger DEBUGGERS
Github Link: https://github.com/pixie-labs/pixie/tree/main/demos/simple-gotracing Relevant Code: // computeE computes the approximation of e by running a fixed number of iterations. func computeE(iterations int64) float64 { res := 2.0 fact := 1.0 for i := int64(2); i < iterations; i++ { fact *= float64(i) res += 1 / fact } return res } Let’s look at test application Use Case GET /e?iters={iterations}
// computeE computes the approximation of e by running a fixed number of iterations. func computeE(iterations int64) float64 { res := 2.0 fact := 1.0 for i := int64(2); i < iterations; i++ { fact *= float64(i) res += 1 / fact } return res } What if we just want to log the iterations? Use Case fmt.Printf("iterations: %dn”, iterations)
Running and using the debugger % dlv exec app Type 'help' for list of commands. (dlv) b app.go:15 Breakpoint 1 set at 0x125ef40 for main.computeE() ./app.go:15 (dlv) c Starting server on: :9090 > main.computeE() ./app.go:15 (hits goroutine(34):1 total:1) (PC: 0x125ef40) Warning: debugging optimized function ... 14: for i := int64(2); i < iterations; i++ { => 15: fact *= float64(i) 16: res += 1 / fact 17: } ... (dlv) print iterations 100000 (dlv) print i 2 Delve
(dlv) bt 0 0x000000000125ef40 in main.computeE at ./app.go:15 1 0x000000000125f2b1 in main.main.func1 at ./app.go:39 2 0x0000000001232f24 in net/http.HandlerFunc.ServeHTTP at /opt/golang/src/net/http/server.go:2007 3 0x0000000001234dfd in net/http.(*ServeMux).ServeHTTP at /opt/golang/src/net/http/server.go:2387 4 0x0000000001235d74 in net/http.serverHandler.ServeHTTP at /opt/golang/src/net/http/server.go:2802 5 0x0000000001231f55 in net/http.(*conn).serve at /opt/golang/src/net/http/server.go:1890 6 0x000000000105ab11 in runtime.goexit at /opt/golang/src/runtime/asm_amd64.s:1357 (dlv) grs Goroutine 1 - User: /opt/golang/src/runtime/netpoll.go:184 internal/poll.runtime_pollWait (0x102aa45) Goroutine 2 - User: /opt/golang/src/runtime/proc.go:305 runtime.gopark (0x1030360) Goroutine 3 - User: /opt/golang/src/runtime/proc.go:305 runtime.gopark (0x1030360) Goroutine 4 - User: /opt/golang/src/runtime/proc.go:305 runtime.gopark (0x1030360) Goroutine 18 - User: /opt/golang/src/runtime/proc.go:305 runtime.gopark (0x1030360) * Goroutine 34 - User: ./app.go:15 main.computeE (0x125ef40) (thread 36175033) Goroutine 35 - User: /opt/golang/src/runtime/netpoll.go:184 internal/poll.runtime_pollWait (0x102aa45) [7 goroutines] Stack Goroutines GETTING CONTEXT
RECAP ON DEBUGGERS ● Debuggers provide and easy way to get information about executing code ● No need to add fmt.Print and recompile. ○ Can easily step through code and get information. ● Dlv and GDB can connect to remote binaries to help debug machines running on servers. ○ Unfortunately this turns out to be harder than expected when running in environments like Kubernetes . ○ Checkout Solo.io, etc.
CAN WE RUN THIS SAFELY ON PRODUCTION CODE? ● Debuggers can be attached to production binaries by using a remote attachment. ● Unfortunately, they can mutate, stop execution of the code and lead to unexpected failures. ○ You probably don’t want this on prod ● What else can we do?
YOUR OPTIONS Option 1: Add a log to your program, re-compile and re-deploy. ○ This can be simple log statements, or ○ More comprehensive like Open tracing. Option 2: Debugger ○ GDB ○ Delve Option 3: Linux tracing utility ○ strace/ftrace ○ LTTng/USDT Option 4: eBPF 🤔
What is Credit: https://ebpf.io/ eBPF
What are we going to build? eBPF
[0] % objdump --syms app|grep computeE 00000000006609a0 g F .text 000000000000004b main.computeE [0] % objdump -d app | less 00000000006609a0 <main.computeE>: 6609a0: 48 8b 44 24 08 mov 0x8(%rsp),%rax 6609a5: b9 02 00 00 00 mov $0x2,%ecx 6609aa: f2 0f 10 05 16 a6 0f movsd 0xfa616(%rip),%xmm0 # 75afc8 <$f64.3ff0000000000000> 6609b1: 00 6609b2: f2 0f 10 0d 36 a6 0f movsd 0xfa636(%rip),%xmm1 # 75aff0 <$f64.4000000000000000> Diving into the details eBPF
Using uprobes eBPF ... ... main.computeE 0x6609a0 { App Binary main.main { 0x6609f0 ... ... main.computeE Uprobe Hook { App Binary main.main { 0x6609f0 BPF Program Perf Buffer Tracer Binary
What does the BPF program look like? ● The function is simply invoked whenever main.computeE is called. ● The registration is done via UProbes ● It attaches to every running version of the binary #include <uapi/linux/ptrace.h> BPF_PERF_OUTPUT(trace); inline int computeECalled(struct pt_regs *ctx) { // The input argument is stored in ax. long val = ctx->ax; trace.perf_submit(ctx, &val, sizeof(val)); return 0; } eBPF Github Link: https://github.com/pixie-labs/pixie/tree/main/demos/simple-gotracing/trace_example
DEMO: eBPF
● Utilizing tracepoints for dynamic logging allows for easy instrumentation of production binaries ● The complexities of the Go ABI make it difficult to do. Especially when you consider: interfaces, channels, etc. What’s next? eBPF
DEMO: HTTP Tracer
eBPF https://github.com/pixie-labs/pixie https://github.com/kinvolk/inspektor-gadget Some related projects https://github.com/draios/sysdig/wiki/eBPF
APPENDIX
eBPF Dynamic Tracepoint (live injection) func Foo(a, b int) int { c := a + 2; if c > threshold { return Bar(b) } return 0 } fmt.Printf("%v, %v, %v", b, c, threshold) - Function Argument Tracing → “What are the arguments being passed to Foo(x, y, z)?” - Function Input-Output Tracing → “What are the arguments and return value of calls to Foo(x, y, z)?” - Function Latency Profiling → “What is the latency (call to return) of calls to Login(username)?”
At, less than 2% CPU overhead and Latency degradation Less than 2% overhead at 0% sampling !!
... ... main.computeE 0x6609a0 { App Binary main.main { 0x6609f0 ... ... main.computeE Uprobe Hook { App Binary main.main { 0x6609f0 BPF Program Perf Buffer Tracer Binary
COMPARING TOOLS GDB, Delve etc. USDT, LTTng OpenTracing eBPF Traceable Code Instrumented Application Code All application code Instrumented Application Code All application code Application Disruption High Low Low Low Distributed Analysis No No Multi-Node No Performance Impact High Low Low/Med Low

More Related Content

PPT
Assurer - a pluggable server testing/monitoring framework
Gosuke Miyashita
 
PDF
Debugging in Clojure: Finding Light in the Darkness using Emacs and Cursive
Ahmad Ragab
 
PDF
Introduction to Node.JS
Eueung Mulyana
 
PDF
Google app engine python
Eueung Mulyana
 
PDF
Pilha de caracteres
Elaine Cecília Gatto
 
PPT
Cell processor lab
coolmirza143
 
PPT
Adventures in infrastructure as code
Julian Simpson
 
PPTX
Ensemble: A DSL for Concurrency, Adaptability, and Distribution
jhebus
 
Assurer - a pluggable server testing/monitoring framework
Gosuke Miyashita
 
Debugging in Clojure: Finding Light in the Darkness using Emacs and Cursive
Ahmad Ragab
 
Introduction to Node.JS
Eueung Mulyana
 
Google app engine python
Eueung Mulyana
 
Pilha de caracteres
Elaine Cecília Gatto
 
Cell processor lab
coolmirza143
 
Adventures in infrastructure as code
Julian Simpson
 
Ensemble: A DSL for Concurrency, Adaptability, and Distribution
jhebus
 

What's hot (20)

PPTX
Python Programming Essentials - M27 - Logging module
P3 InfoTech Solutions Pvt. Ltd.
 
PPTX
Design patterns as power of programing
Lukas Lesniewski
 
PPTX
Test Fest 2009
Pierre Joye
 
PDF
Python event based network sniffer
Jirka Vejrazka
 
PDF
Debugging concurrency programs in go
Andrii Soldatenko
 
ODP
The why and how of moving to php 5.4
Wim Godden
 
PDF
Php matusri xhprof custompanel
Masaki YOSHIDA
 
PDF
The true story_of_hello_world
fantasy zheng
 
PDF
Elixir on Containers
Sachirou Inoue
 
ODP
Perl In The Command Line
Marcos Rebelo
 
PPTX
Introducing Revel
Zhebr
 
PDF
No Hugging, No Learning
Olaf Alders
 
PDF
How to deploy node to production
Sean Hess
 
PDF
EasyMock 101
Matthew McCullough
 
DOCX
(Meta 2.3) figura de auto con simbolos dev c++
Eli Diaz
 
PDF
Stability issues of user space
晓东 杜
 
PDF
톰캣 #04-환경설정
GyuSeok Lee
 
PDF
Fun with Ruby and Cocoa
Patrick Huesler
 
PDF
Simple ETL in python 3.5+ with Bonobo - PyParis 2017
Romain Dorgueil
 
PDF
PHP 机智问答
Shengyou Fan
 
Python Programming Essentials - M27 - Logging module
P3 InfoTech Solutions Pvt. Ltd.
 
Design patterns as power of programing
Lukas Lesniewski
 
Test Fest 2009
Pierre Joye
 
Python event based network sniffer
Jirka Vejrazka
 
Debugging concurrency programs in go
Andrii Soldatenko
 
The why and how of moving to php 5.4
Wim Godden
 
Php matusri xhprof custompanel
Masaki YOSHIDA
 
The true story_of_hello_world
fantasy zheng
 
Elixir on Containers
Sachirou Inoue
 
Perl In The Command Line
Marcos Rebelo
 
Introducing Revel
Zhebr
 
No Hugging, No Learning
Olaf Alders
 
How to deploy node to production
Sean Hess
 
EasyMock 101
Matthew McCullough
 
(Meta 2.3) figura de auto con simbolos dev c++
Eli Diaz
 
Stability issues of user space
晓东 杜
 
톰캣 #04-환경설정
GyuSeok Lee
 
Fun with Ruby and Cocoa
Patrick Huesler
 
Simple ETL in python 3.5+ with Bonobo - PyParis 2017
Romain Dorgueil
 
PHP 机智问答
Shengyou Fan
 
Ad

Similar to No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20) (20)

PDF
Go - techniques for writing high performance Go applications
ss63261
 
PDF
HKG15-207: Advanced Toolchain Usage Part 3
Linaro
 
PDF
HKG15-211: Advanced Toolchain Usage Part 4
Linaro
 
PPTX
TechDays Switzerland 2009
Laurent Bugnion
 
PPT
Introduction to gdb
Owen Hsu
 
PPT
Testing of javacript
Lei Kang
 
PDF
Continuous Go Profiling & Observability
ScyllaDB
 
PDF
Debugging Python with gdb
Roman Podoliaka
 
PDF
Go 1.8 Release Party
Rodolfo Carvalho
 
PDF
Debugging Hung Python Processes With GDB
bmbouter
 
ODP
The why and how of moving to PHP 5.5/5.6
Wim Godden
 
ODP
Incredible Machine with Pipelines and Generators
dantleech
 
PDF
Php 5.6 From the Inside Out
Ferenc Kovács
 
PDF
Advanced debugging  techniques in different environments
Andrii Soldatenko
 
PDF
Mini Session - Using GDB for Profiling
Enkitec
 
PDF
Building resilient services in go
Jaehue Jang
 
PDF
eBPF Tooling and Debugging Infrastructure
Netronome
 
PDF
Bfg Ploneconf Oct2008
Jeffrey Clark
 
PPTX
HPC_MPI_CICD.pptx
ObjectAutomation2
 
KEY
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
renebruns
 
Go - techniques for writing high performance Go applications
ss63261
 
HKG15-207: Advanced Toolchain Usage Part 3
Linaro
 
HKG15-211: Advanced Toolchain Usage Part 4
Linaro
 
TechDays Switzerland 2009
Laurent Bugnion
 
Introduction to gdb
Owen Hsu
 
Testing of javacript
Lei Kang
 
Continuous Go Profiling & Observability
ScyllaDB
 
Debugging Python with gdb
Roman Podoliaka
 
Go 1.8 Release Party
Rodolfo Carvalho
 
Debugging Hung Python Processes With GDB
bmbouter
 
The why and how of moving to PHP 5.5/5.6
Wim Godden
 
Incredible Machine with Pipelines and Generators
dantleech
 
Php 5.6 From the Inside Out
Ferenc Kovács
 
Advanced debugging  techniques in different environments
Andrii Soldatenko
 
Mini Session - Using GDB for Profiling
Enkitec
 
Building resilient services in go
Jaehue Jang
 
eBPF Tooling and Debugging Infrastructure
Netronome
 
Bfg Ploneconf Oct2008
Jeffrey Clark
 
HPC_MPI_CICD.pptx
ObjectAutomation2
 
Ein Stall voller Trüffelschweine - (PHP-)Profiling-Tools im Überblick
renebruns
 
Ad

Recently uploaded (20)

PDF
Improvement effect of pyrolyzed agro-food biochar on the properties of.pdf
LasFernandaJuchem
 
PPTX
introduction to high performance computing
JuanDavid747466
 
PDF
Influence of Green Infrastructure on Residents’ Endorsement of the New Ecolog...
Journal of Contemporary Urban Affairs
 
PDF
Exploratory_Data_Analysis_Fundamentals.pdf
Ashutosh Satapathy
 
PDF
22EC502-MICROCONTROLLER AND INTERFACING-8051 MICROCONTROLLER.pdf
RajalakshmiSermadura
 
PPTX
CyberSecurity Mobile and Wireless Devices
RobinRohit2
 
PDF
A SYSTEMATIC REVIEW OF APPLICATIONS IN FRAUD DETECTION
IJNSA Journal
 
PPTX
"Array and Linked List in Data Structures with Types, Operations, Implementat...
usham61
 
PPTX
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
laxmikantvjawale
 
PPTX
Management Information system : MIS-e-Business Systems.pptx
ShankarGowda22
 
PPT
Total quality management ppt for engineering students
juleeyadav818
 
PDF
August 2025 - Top 10 Read Articles in Network Security & Its Applications
IJNSA Journal
 
PDF
Soil Improvement Techniques Note - Rabbi
rahmatideal000
 
PPTX
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
PDF
737-MAX_SRG.pdf student reference guides
ssusere2119a1
 
PDF
Level 2 – IBM Data and AI Fundamentals (1)_v1.1.PDF
KSRIHARISASANKA
 
PPTX
Chemical Technological Processes, Feasibility Study and Chemical Process Indu...
Raihan87
 
PDF
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 
PPT
INTRODUCTION -Data Warehousing and Mining-M.Tech- VTU.ppt
Subramanyam Natarajan
 
PPTX
CURRICULAM DESIGN engineering FOR CSE 2025.pptx
Amuda3
 
Improvement effect of pyrolyzed agro-food biochar on the properties of.pdf
LasFernandaJuchem
 
introduction to high performance computing
JuanDavid747466
 
Influence of Green Infrastructure on Residents’ Endorsement of the New Ecolog...
Journal of Contemporary Urban Affairs
 
Exploratory_Data_Analysis_Fundamentals.pdf
Ashutosh Satapathy
 
22EC502-MICROCONTROLLER AND INTERFACING-8051 MICROCONTROLLER.pdf
RajalakshmiSermadura
 
CyberSecurity Mobile and Wireless Devices
RobinRohit2
 
A SYSTEMATIC REVIEW OF APPLICATIONS IN FRAUD DETECTION
IJNSA Journal
 
"Array and Linked List in Data Structures with Types, Operations, Implementat...
usham61
 
ASME PCC-02 TRAINING -DESKTOP-NLE5HNP.pptx
laxmikantvjawale
 
Management Information system : MIS-e-Business Systems.pptx
ShankarGowda22
 
Total quality management ppt for engineering students
juleeyadav818
 
August 2025 - Top 10 Read Articles in Network Security & Its Applications
IJNSA Journal
 
Soil Improvement Techniques Note - Rabbi
rahmatideal000
 
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
737-MAX_SRG.pdf student reference guides
ssusere2119a1
 
Level 2 – IBM Data and AI Fundamentals (1)_v1.1.PDF
KSRIHARISASANKA
 
Chemical Technological Processes, Feasibility Study and Chemical Process Indu...
Raihan87
 
PREDICTION OF DIABETES FROM ELECTRONIC HEALTH RECORDS
ijaia
 
INTRODUCTION -Data Warehousing and Mining-M.Tech- VTU.ppt
Subramanyam Natarajan
 
CURRICULAM DESIGN engineering FOR CSE 2025.pptx
Amuda3
 

No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)

  • 1. GoSF Nov 11, 2020 No-Instrumentation Golang Logging with eBPF
  • 2. ABOUT ME 👋 i’m Zain @zainasgar Co-Founder/CEO Pixie Labs & Adjunct Professor of CS @ Stanford
  • 3. DEVELOPER PROBLEM You’re an application developer, and your program is misbehaving. ● No problem. You have logs! Right? ● Uh-oh, not in the spot you need. 😞 We’ve all been there: ● “I just wish I could see the variable x when Foo() is called”
  • 4. - Delve is one of the main Go debuggers. - You can also use GDB, but it has less support for Go runtime, data structures, etc. - Install Delve to get started go get github.com/go-delve/delve/cmd/dlv First steps with a debugger DEBUGGERS
  • 5. Github Link: https://github.com/pixie-labs/pixie/tree/main/demos/simple-gotracing Relevant Code: // computeE computes the approximation of e by running a fixed number of iterations. func computeE(iterations int64) float64 { res := 2.0 fact := 1.0 for i := int64(2); i < iterations; i++ { fact *= float64(i) res += 1 / fact } return res } Let’s look at test application Use Case GET /e?iters={iterations}
  • 6. // computeE computes the approximation of e by running a fixed number of iterations. func computeE(iterations int64) float64 { res := 2.0 fact := 1.0 for i := int64(2); i < iterations; i++ { fact *= float64(i) res += 1 / fact } return res } What if we just want to log the iterations? Use Case fmt.Printf("iterations: %dn”, iterations)
  • 7. Running and using the debugger % dlv exec app Type 'help' for list of commands. (dlv) b app.go:15 Breakpoint 1 set at 0x125ef40 for main.computeE() ./app.go:15 (dlv) c Starting server on: :9090 > main.computeE() ./app.go:15 (hits goroutine(34):1 total:1) (PC: 0x125ef40) Warning: debugging optimized function ... 14: for i := int64(2); i < iterations; i++ { => 15: fact *= float64(i) 16: res += 1 / fact 17: } ... (dlv) print iterations 100000 (dlv) print i 2 Delve
  • 8. (dlv) bt 0 0x000000000125ef40 in main.computeE at ./app.go:15 1 0x000000000125f2b1 in main.main.func1 at ./app.go:39 2 0x0000000001232f24 in net/http.HandlerFunc.ServeHTTP at /opt/golang/src/net/http/server.go:2007 3 0x0000000001234dfd in net/http.(*ServeMux).ServeHTTP at /opt/golang/src/net/http/server.go:2387 4 0x0000000001235d74 in net/http.serverHandler.ServeHTTP at /opt/golang/src/net/http/server.go:2802 5 0x0000000001231f55 in net/http.(*conn).serve at /opt/golang/src/net/http/server.go:1890 6 0x000000000105ab11 in runtime.goexit at /opt/golang/src/runtime/asm_amd64.s:1357 (dlv) grs Goroutine 1 - User: /opt/golang/src/runtime/netpoll.go:184 internal/poll.runtime_pollWait (0x102aa45) Goroutine 2 - User: /opt/golang/src/runtime/proc.go:305 runtime.gopark (0x1030360) Goroutine 3 - User: /opt/golang/src/runtime/proc.go:305 runtime.gopark (0x1030360) Goroutine 4 - User: /opt/golang/src/runtime/proc.go:305 runtime.gopark (0x1030360) Goroutine 18 - User: /opt/golang/src/runtime/proc.go:305 runtime.gopark (0x1030360) * Goroutine 34 - User: ./app.go:15 main.computeE (0x125ef40) (thread 36175033) Goroutine 35 - User: /opt/golang/src/runtime/netpoll.go:184 internal/poll.runtime_pollWait (0x102aa45) [7 goroutines] Stack Goroutines GETTING CONTEXT
  • 9. RECAP ON DEBUGGERS ● Debuggers provide and easy way to get information about executing code ● No need to add fmt.Print and recompile. ○ Can easily step through code and get information. ● Dlv and GDB can connect to remote binaries to help debug machines running on servers. ○ Unfortunately this turns out to be harder than expected when running in environments like Kubernetes . ○ Checkout Solo.io, etc.
  • 10. CAN WE RUN THIS SAFELY ON PRODUCTION CODE? ● Debuggers can be attached to production binaries by using a remote attachment. ● Unfortunately, they can mutate, stop execution of the code and lead to unexpected failures. ○ You probably don’t want this on prod ● What else can we do?
  • 11. YOUR OPTIONS Option 1: Add a log to your program, re-compile and re-deploy. ○ This can be simple log statements, or ○ More comprehensive like Open tracing. Option 2: Debugger ○ GDB ○ Delve Option 3: Linux tracing utility ○ strace/ftrace ○ LTTng/USDT Option 4: eBPF 🤔
  • 13. What are we going to build? eBPF
  • 14. [0] % objdump --syms app|grep computeE 00000000006609a0 g F .text 000000000000004b main.computeE [0] % objdump -d app | less 00000000006609a0 <main.computeE>: 6609a0: 48 8b 44 24 08 mov 0x8(%rsp),%rax 6609a5: b9 02 00 00 00 mov $0x2,%ecx 6609aa: f2 0f 10 05 16 a6 0f movsd 0xfa616(%rip),%xmm0 # 75afc8 <$f64.3ff0000000000000> 6609b1: 00 6609b2: f2 0f 10 0d 36 a6 0f movsd 0xfa636(%rip),%xmm1 # 75aff0 <$f64.4000000000000000> Diving into the details eBPF
  • 15. Using uprobes eBPF ... ... main.computeE 0x6609a0 { App Binary main.main { 0x6609f0 ... ... main.computeE Uprobe Hook { App Binary main.main { 0x6609f0 BPF Program Perf Buffer Tracer Binary
  • 16. What does the BPF program look like? ● The function is simply invoked whenever main.computeE is called. ● The registration is done via UProbes ● It attaches to every running version of the binary #include <uapi/linux/ptrace.h> BPF_PERF_OUTPUT(trace); inline int computeECalled(struct pt_regs *ctx) { // The input argument is stored in ax. long val = ctx->ax; trace.perf_submit(ctx, &val, sizeof(val)); return 0; } eBPF Github Link: https://github.com/pixie-labs/pixie/tree/main/demos/simple-gotracing/trace_example
  • 18. ● Utilizing tracepoints for dynamic logging allows for easy instrumentation of production binaries ● The complexities of the Go ABI make it difficult to do. Especially when you consider: interfaces, channels, etc. What’s next? eBPF
  • 22. eBPF Dynamic Tracepoint (live injection) func Foo(a, b int) int { c := a + 2; if c > threshold { return Bar(b) } return 0 } fmt.Printf("%v, %v, %v", b, c, threshold) - Function Argument Tracing → “What are the arguments being passed to Foo(x, y, z)?” - Function Input-Output Tracing → “What are the arguments and return value of calls to Foo(x, y, z)?” - Function Latency Profiling → “What is the latency (call to return) of calls to Login(username)?”
  • 23. At, less than 2% CPU overhead and Latency degradation Less than 2% overhead at 0% sampling !!
  • 24. ... ... main.computeE 0x6609a0 { App Binary main.main { 0x6609f0 ... ... main.computeE Uprobe Hook { App Binary main.main { 0x6609f0 BPF Program Perf Buffer Tracer Binary
  • 25. COMPARING TOOLS GDB, Delve etc. USDT, LTTng OpenTracing eBPF Traceable Code Instrumented Application Code All application code Instrumented Application Code All application code Application Disruption High Low Low Low Distributed Analysis No No Multi-Node No Performance Impact High Low Low/Med Low