环境搭建
启动容器
# Start a throwaway Alpine shell in which BCC can load eBPF programs.
#   --privileged  grants every capability plus host device access, so the
#                 container is not an isolation boundary while this runs.
#   /lib/modules and /usr/src are mounted read-only, presumably so BCC can
#                 find the host's kernel headers when it compiles.
#   /sys          host sysfs, read-only.
# NOTE(review): a narrower capability set may be enough on newer kernels;
# confirm against your kernel and Docker version before dropping --privileged.
sudo docker run \
  --rm \
  --interactive --tty \
  --privileged \
  --volume /lib/modules:/lib/modules:ro \
  --volume /sys:/sys:ro \
  --volume /usr/src:/usr/src:ro \
  alpine:3.12
安装依赖
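# Point apk at the TUNA mirror, then install the BCC tools and their docs.
# Only the download host changes: apk still checks the repository index
# signature against the keys shipped in /etc/apk/keys.
# The dots are escaped so the pattern matches the literal hostname only.
sed -i 's/dl-cdn\.alpinelinux\.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories
apk add bcc-tools bcc-doc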
测试
hello.c
/*
 * Probe handler used by hello.py: emits one "Hello, World" trace line per
 * invocation.
 *
 * ctx: probe context passed in by the caller; unused here.
 * Returns 0 unconditionally.
 *
 * bpf_trace_printk() writes to the kernel's shared trace buffer, which is
 * common to every tracer on the host, so it is suited to debugging only.
 */
int hello_world(void *ctx)
{
    bpf_trace_printk("Hello, World");

    return 0;
}
hello.py
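from bcc import BPF

# Compile hello.c and load the resulting eBPF program into the kernel.
# Loading requires root-level privileges on the host kernel.
b = BPF(src_file="hello.c")

# Run hello_world on every entry to the kernel function do_sys_openat2.
# NOTE(review): this symbol name depends on the kernel version; if the
# attach fails, check /proc/kallsyms for the open handler your kernel exports.
b.attach_kprobe(event="do_sys_openat2", fn_name="hello_world")

# Print lines from the kernel trace pipe; blocks until interrupted.
b.trace_print()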
执行后可以看到打印出了 Hello, World。输出开头的 3 条 -Wmacro-redefined 警告是 clang 编译内核头文件时给出的宏重复定义提示,不影响程序的加载和运行。
/ # python3 hello.py
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:90:
include/linux/compiler-clang.h:41:9: warning: '__HAVE_BUILTIN_BSWAP32__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP32__^
<command line>:4:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP32__ 1^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:90:
include/linux/compiler-clang.h:42:9: warning: '__HAVE_BUILTIN_BSWAP64__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP64__^
<command line>:5:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP64__ 1^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:90:
include/linux/compiler-clang.h:43:9: warning: '__HAVE_BUILTIN_BSWAP16__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP16__^
<command line>:3:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP16__ 1^
3 warnings generated.
b' python3-1056231 [005] d..31 1056012.574165: bpf_trace_printk: Hello, World'
b' python3-1056231 [005] d..31 1056012.574277: bpf_trace_printk: Hello, World'
b' python3-1056231 [005] d..31 1056012.574734: bpf_trace_printk: Hello, World'
b' <...>-1059946 [006] d..31 1056300.636287: bpf_trace_printk: Hello, World'
b' <...>-6346 [001] d..31 1056300.673240: bpf_trace_printk: Hello, World'
b' <...>-6346 [001] d..31 1056300.673277: bpf_trace_printk: Hello, World'
b' <...>-6346 [001] d..31 1056300.673287: bpf_trace_printk: Hello, World'
b' <...>-6346 [001] d..31 1056300.673648: bpf_trace_printk: Hello, World'
b' <...>-6346 [001] d..31 1056300.673666: bpf_trace_printk: Hello, World'
b' <...>-6346 [001] d..31 1056300.673676: bpf_trace_printk: Hello, World'
b' <...>-6346 [001] d..31 1056300.673685: bpf_trace_printk: Hello, World'