bcc 源码编译

guoguangwu

已于 2022-06-15 10:16:39 修改

阅读量2k

点赞数 1

分类专栏： ebpf 基础安全文章标签： ubuntu linux

于 2022-06-14 22:56:11 首次发布

本文链接：https://blog.csdn.net/guoguangwu/article/details/125287704

版权

基础同时被 3 个专栏收录

56 篇文章 1 订阅

订阅专栏

安全

51 篇文章 0 订阅

订阅专栏

ebpf

5 篇文章 0 订阅

订阅专栏

如果是Ubuntu 20.04

请参考如下链接安装依赖库：

https://github.com/iovisor/bcc/commit/63aade1bef80d81bde82a50c5a2728147073a768

重点是libllvm12 的版本，否则会编译报错。

然后是需要安装libdebuginfod依赖库，这个需要源码安装，可以参考我的博客

elfutils-0.178 configure 报错

源码下载网址：

Index of /elfutils/ftp

编译安装完之后执行ldconfig

否则会报如下错误：

OSError: libdebuginfod.so.1: cannot open shared object file: No such file or directory

bcc的源码安装步骤如下：

git clone https://github.com/iovisor/bcc.git
mkdir bcc/build; cd bcc/build
cmake ..
make
sudo make install
cmake -DPYTHON_CMD=python3 .. # build python3 binding
pushd src/python/
make
sudo make install
popd

安装目录，默认在/usr/share/bcc/下面。

我们以tcplife为例来运行：

# python3 /usr/share/bcc/tools/tcplife
PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
731   NetworkMan 192.168.58.128  48130 35.232.111.17   80        0     0 304.11
8670  telnet     192.168.58.128  33288 36.152.44.95    23        0     0 8546.02
8671  wget       192.168.58.128  35050 36.152.44.96    80        0     2 13.49

这个是我执行telnet www.baidu.com和wget www.baidu.com产生的结果。

这个工具可以跟踪tcp连接，包含源目的端口还有上下行流量和时延

再以一个例子说明上面的数据：

wget https://sourceware.org/elfutils/ftp/0.187/elfutils-0.187.tar.bz2

 wget https://sourceware.org/elfutils/ftp/0.187/elfutils-0.187.tar.bz2
--2022-06-14 07:53:20--  https://sourceware.org/elfutils/ftp/0.187/elfutils-0.187.tar.bz2
Resolving sourceware.org (sourceware.org)... 8.43.85.97, 2620:52:3:1:0:246e:9693:128c
Connecting to sourceware.org (sourceware.org)|8.43.85.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9240221 (8.8M) [application/x-bzip2]
Saving to: ‘elfutils-0.187.tar.bz2’

elfutils-0.187.tar.bz2                   100%[===============================================================================>]   8.81M   233KB/s    in 23s

2022-06-14 07:53:45 (391 KB/s) - ‘elfutils-0.187.tar.bz2’ saved [9240221/9240221]

# python3 /usr/share/bcc/tools/tcplife
PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
8702  wget       192.168.58.128  46508 8.43.85.97      443       0  9061 23987.62

数据基本上能对应上。

如果直接安装bcc-tools，运行tcplife-bpfcc会直接报如下错误

$ tcplife-bpfcc
^CIn file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:2:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:41:9: warning: '__HAVE_BUILTIN_BSWAP32__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP32__
        ^
<command line>:4:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP32__ 1
        ^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:2:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:42:9: warning: '__HAVE_BUILTIN_BSWAP64__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP64__
        ^
<command line>:5:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP64__ 1
        ^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:2:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:43:9: warning: '__HAVE_BUILTIN_BSWAP16__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP16__
        ^
<command line>:3:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP16__ 1
        ^
In file included from /virtual/main.c:4:
In file included from include/linux/tcp.h:19:
In file included from include/net/sock.h:46:
In file included from include/linux/netdevice.h:37:
In file included from include/net/net_namespace.h:36:
In file included from include/net/netns/bpf.h:9:
include/linux/bpf-netns.h:21:7: error: use of undeclared identifier 'BPF_SK_LOOKUP'
        case BPF_SK_LOOKUP:
             ^
In file included from /virtual/main.c:4:
In file included from include/linux/tcp.h:19:
In file included from include/net/sock.h:46:
In file included from include/linux/netdevice.h:41:
In file included from include/net/netprio_cgroup.h:11:
In file included from include/linux/cgroup.h:28:
In file included from include/linux/cgroup-defs.h:22:
In file included from include/linux/bpf-cgroup.h:5:
include/linux/bpf.h:916:21: error: field has incomplete type 'enum bpf_link_type'
        enum bpf_link_type type;
                           ^
include/linux/bpf.h:916:7: note: forward declaration of 'enum bpf_link_type'
        enum bpf_link_type type;
             ^
include/linux/bpf.h:930:17: warning: declaration of 'struct bpf_link_info' will not be visible outside of this function [-Wvisibility]
                              struct bpf_link_info *info);
                                     ^
include/linux/bpf.h:1386:12: warning: declaration of 'union bpf_iter_link_info' will not be visible outside of this function [-Wvisibility]
                                        union bpf_iter_link_info *linfo,
                                              ^
include/linux/bpf.h:1392:14: warning: declaration of 'struct bpf_link_info' will not be visible outside of this function [-Wvisibility]
                                         struct bpf_link_info *info);
                                                ^
include/linux/bpf.h:1435:12: warning: declaration of 'struct bpf_link_info' will not be visible outside of this function [-Wvisibility]
                                struct bpf_link_info *info);
                                       ^
7 warnings and 2 errors generated.
Traceback (most recent call last):
  File "/usr/sbin/tcplife-bpfcc", line 456, in <module>
    b = BPF(text=bpf_text)
  File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 342, in __init__
    self.module = lib.bpf_module_create_c_from_string(text,
KeyboardInterrupt

jack@ubuntu:~/code/cnsp-cli$ sudo tcplife-bpfcc
[sudo] password for jack:
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:2:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:41:9: warning: '__HAVE_BUILTIN_BSWAP32__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP32__
        ^
<command line>:4:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP32__ 1
        ^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:2:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:42:9: warning: '__HAVE_BUILTIN_BSWAP64__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP64__
        ^
<command line>:5:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP64__ 1
        ^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:2:
In file included from include/linux/compiler_types.h:80:
include/linux/compiler-clang.h:43:9: warning: '__HAVE_BUILTIN_BSWAP16__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP16__
        ^
<command line>:3:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP16__ 1
        ^
In file included from /virtual/main.c:4:
In file included from include/linux/tcp.h:19:
In file included from include/net/sock.h:46:
In file included from include/linux/netdevice.h:37:
In file included from include/net/net_namespace.h:36:
In file included from include/net/netns/bpf.h:9:
include/linux/bpf-netns.h:21:7: error: use of undeclared identifier 'BPF_SK_LOOKUP'
        case BPF_SK_LOOKUP:
             ^
In file included from /virtual/main.c:4:
In file included from include/linux/tcp.h:19:
In file included from include/net/sock.h:46:
In file included from include/linux/netdevice.h:41:
In file included from include/net/netprio_cgroup.h:11:
In file included from include/linux/cgroup.h:28:
In file included from include/linux/cgroup-defs.h:22:
In file included from include/linux/bpf-cgroup.h:5:
include/linux/bpf.h:916:21: error: field has incomplete type 'enum bpf_link_type'
        enum bpf_link_type type;
                           ^
include/linux/bpf.h:916:7: note: forward declaration of 'enum bpf_link_type'
        enum bpf_link_type type;
             ^
include/linux/bpf.h:930:17: warning: declaration of 'struct bpf_link_info' will not be visible outside of this function [-Wvisibility]
                              struct bpf_link_info *info);
                                     ^
include/linux/bpf.h:1386:12: warning: declaration of 'union bpf_iter_link_info' will not be visible outside of this function [-Wvisibility]
                                        union bpf_iter_link_info *linfo,
                                              ^
include/linux/bpf.h:1392:14: warning: declaration of 'struct bpf_link_info' will not be visible outside of this function [-Wvisibility]
                                         struct bpf_link_info *info);
                                                ^
include/linux/bpf.h:1435:12: warning: declaration of 'struct bpf_link_info' will not be visible outside of this function [-Wvisibility]
                                struct bpf_link_info *info);
                                       ^
7 warnings and 2 errors generated.
Traceback (most recent call last):
  File "/usr/sbin/tcplife-bpfcc", line 456, in <module>
    b = BPF(text=bpf_text)
  File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 347, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>

官方建议使用源码编译。

再次执行tcplife-bpfcc:

$ sudo tcplife-bpfcc
/virtual/main.c:3:9: warning: 'KBUILD_MODNAME' macro redefined [-Wmacro-redefined]
#define KBUILD_MODNAME "foo"
        ^
<command line>:3:9: note: previous definition is here
#define KBUILD_MODNAME "bcc"
        ^
1 warning generated.
PID   COMM       LADDR           LPORT RADDR           RPORT TX_KB RX_KB MS
1499328 dockerd    192.168.1.90   47854 192.168.1.91   443       0     2 10.63
1499328 dockerd    192.168.1.90   47856 192.168.1.91   443       0     3 24.46
1499328 dockerd    192.168.1.90   47858 192.168.1.91   443       1     2 12.44

没有错误了。