Full-system dynamic tracing on Linux using eBPF and bpftrace (joyfulbikeshedding.com)
139 points by signa11 on Feb 2, 2019 | 11 comments

This is a great post! Brendan Gregg's perf page [0] is another interesting collections page. And the best introduction to using kprobes I've seen is by WindRiver [1], where they do it all manually in a tutorial.

[0] http://www.brendangregg.com/perf.html

[1] https://docs.windriver.com/bundle/Wind_River_Linux_Tutorial_...

> the macOS version is as good as defunct because System Integrity Protection broke many aspects of DTrace

Of course, DTrace works on macOS if you disable the parts of System Integrity Protection that block it (csrutil enable --without dtrace).

That used to be enough, but Mojave has broken DTrace further. I find it completely unusable now.

Could you give a concrete example of something that broke in Mojave? I used it a lot in High Sierra and was preparing to return now under Mojave; I would like to know what to keep my eyes open for.

pid provider's gone:

sudo dtrace -ln 'pid50922:::entry {}'
dtrace: invalid probe specifier pid50922:::entry {}: pid provider is not installed on this system

mysql provider's gone:

sudo dtrace -x strsize=1024 -q -n 'mysql:::query-start{printf("%s;\n\n", copyinstr(arg0))}'
dtrace: invalid probe specifier mysql:::query-start{printf("%s;\n\n", copyinstr(arg0))}: probe description mysql*:::query-start does not match any probes

Those were really crucial for me. I'm preparing to do a presentation on dynamic tracing next week, and I think I'll have to use a BSD VM instead of using my Mac natively.

Also DTrace has a replacement in place anyway.

"Creating Custom Instruments" at WWDC 2018


It's a bit of a reach to call Instruments a replacement for DTrace. A replacement for a subset of DTrace perhaps. And maybe they'll massively expand it over the next few macOS/Xcode versions. Or maybe it'll suffer the same fate as a lot of Apple's OS features and end up rotting away until it's no longer sensibly usable.

I know, just repeating what seems to be the official position.

This. Is. Beautiful.

"The dark days before eBPF" indeed.

Sad to see this still has to be compiled from scratch on Ubuntu 18.04.

Same for archlinux.
