diff --git a/docs/reference_guide.md b/docs/reference_guide.md index 2807a5a93d86..05ff31681d74 100644 --- a/docs/reference_guide.md +++ b/docs/reference_guide.md @@ -170,6 +170,28 @@ iscsid is sleeping. [...] ``` +It can also be made executable to run stand-alone. Start by adding an interpreter line at the top (`#!`) with the path to your installed bpftrace (/usr/local/bin is the default): + +``` + 1 #!/usr/local/bin/bpftrace + 2 + 3 tracepoint:syscalls:sys_enter_nanosleep + 4 { + 5 printf("%s is sleeping.\n", comm); + 6 } +``` + +Then make it executable: + +``` +# chmod 755 sleepers.bt +# ./sleepers.bt +Attaching 1 probe... +iscsid is sleeping. +iscsid is sleeping. +[...] +``` + ## 4. `-l`: Listing Probes Probes from the tracepoint and kprobe libraries can be listed with `-l`. diff --git a/src/lexer.l b/src/lexer.l index fa6d31ea24ab..5b1a50b13d0a 100644 --- a/src/lexer.l +++ b/src/lexer.l @@ -39,6 +39,7 @@ path :(\\.|[_\-\./a-zA-Z0-9])*: {hspace}+ { loc.step(); } {vspace}+ { loc.lines(yyleng); loc.step(); } +^"#!".*$ // executable line "//".*$ // single-line comments "/*" BEGIN(COMMENT); // multi-line comments; see flex(1) "/*" driver.error(loc, std::string("nested comments unsupported")); @@ -87,7 +88,7 @@ pid|tid|cgroup|uid|gid|nsecs|cpu|comm|stack|ustack|arg[0-9]|retval|func|name|cur "~" { return Parser::make_BNOT(loc); } "." { return Parser::make_DOT(loc); } "->" { return Parser::make_PTR(loc); } -"#".* { return Parser::make_CPREPROC(yytext, loc); } +"#"[^!].* { return Parser::make_CPREPROC(yytext, loc); } "if" { return Parser::make_IF(yytext, loc); } "else" { return Parser::make_ELSE(yytext, loc); } "?" { return Parser::make_QUES(loc); } diff --git a/tools/bashreadline.bt b/tools/bashreadline.bt old mode 100644 new mode 100755 index d706f35c578e..e803906c43df --- a/tools/bashreadline.bt +++ b/tools/bashreadline.bt 
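Review bot: The added rule `^"#!".*$` in src/lexer.l is anchored to the start of a line, not the start of the file, so a line beginning with `#!` anywhere in a script is discarded without a diagnostic. The kernel only treats the first line of a file as an interpreter line, so the lexer accepts more than it needs to. If only line 1 should be skipped, the rule could be guarded on the current location. At minimum the comment should state the real scope, e.g. `// interpreter (#!) line: skipped at the start of any line, not only line 1`. The rule list continues outside the hunk.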
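Review bot: In the changed rule `"#"[^!].*` the negated class `[^!]` also matches a newline in flex, so a bare `#` at the end of a line now pulls the line break and the whole following line into one CPREPROC token. The old `"#".*` stopped at the end of the line. Excluding the newline keeps the token on a single line: `"#"[^!\n].*`. Even then, a `#` that ends a line and a `#!` that is not at column 0 match neither this rule nor the new `^"#!".*$` rule. They would fall through to whatever catch-all the lexer defines outside this hunk, so it is worth confirming that path reports an error at the right location.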
@@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * bashreadline Print entered bash commands from all running shells. * For Linux, uses bpftrace and eBPF. diff --git a/tools/bashreadline_example.txt b/tools/bashreadline_example.txt index c8a2b2471470..677276d0f8e6 100644 --- a/tools/bashreadline_example.txt +++ b/tools/bashreadline_example.txt @@ -4,7 +4,7 @@ Demonstrations of bashreadline, the Linux bpftrace/eBPF version. This prints bash commands from all running bash shells on the system. For example: -# bpftrace bashreadline.bt +# bashreadline.bt Attaching 2 probes... Tracing bash commands... Hit Ctrl-C to end. TIME PID COMMAND diff --git a/tools/biolatency.bt b/tools/biolatency.bt old mode 100644 new mode 100755 index 93b4641f505d..e7913cc8233e --- a/tools/biolatency.bt +++ b/tools/biolatency.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * biolatency.bt Block I/O latency as a histogram. * For Linux, uses bpftrace, eBPF. diff --git a/tools/biosnoop.bt b/tools/biosnoop.bt old mode 100644 new mode 100755 index a88115cadf0d..ab9abb994f5c --- a/tools/biosnoop.bt +++ b/tools/biosnoop.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * biosnoop.bt Block I/O tracing tool, showing per I/O latency. * For Linux, uses bpftrace, eBPF. diff --git a/tools/biosnoop_example.txt b/tools/biosnoop_example.txt index a5eb2deb513f..9b0fc2be27c9 100644 --- a/tools/biosnoop_example.txt +++ b/tools/biosnoop_example.txt @@ -4,7 +4,7 @@ Demonstrations of biosnoop, the Linux BPF/bpftrace version. This traces block I/O, and shows the issuing process (at least, the process that was on-CPU at the time of queue insert) and the latency of the I/O: -# bpftrace biosnoop.bt +# biosnoop.bt Attaching 4 probes... TIME(ms) COMM PID LAT(ms) 611 bash 4179 10 @@ -35,7 +35,7 @@ program start. An example of some background flushing: -# bpftrace biosnoop.bt +# biosnoop.bt Attaching 4 probes... TIME(ms) COMM PID LAT(ms) 2966 jbd2/nvme0n1-8 615 0 
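Review bot: The interpreter line `#!/usr/local/bin/bpftrace` added to tools/bashreadline.bt is fixed to the default prefix, and the same line is added to every other tools/*.bt file in this commit (biolatency.bt through xfsdist.bt). Direct execution will therefore fail on an install that uses a different prefix. The accompanying examples run these tools from a root prompt, so an absolute path is preferable to a PATH lookup. Substituting the configured install prefix at install time would keep that property without hard-coding the default. A header comment such as ` * Interpreter path assumes the default /usr/local install prefix.` would at least document the assumption.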
diff --git a/tools/bitesize.bt b/tools/bitesize.bt old mode 100644 new mode 100755 index 7820395fccb9..4c377d169692 --- a/tools/bitesize.bt +++ b/tools/bitesize.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * bitesize Show disk I/O size as a histogram. * For Linux, uses bpftrace and eBPF. diff --git a/tools/bitesize_example.txt b/tools/bitesize_example.txt index 9dfee3273f06..b34d40182cbf 100644 --- a/tools/bitesize_example.txt +++ b/tools/bitesize_example.txt @@ -4,7 +4,7 @@ Demonstrations of bitesize, the Linux bpftrace/eBPF version. This traces disk I/O via the block I/O interface, and prints a summary of I/O sizes as histograms for each process name. For example: -# bpftrace bitesize.bt +# bitesize.bt Attaching 3 probes... Tracing block device I/O... Hit Ctrl-C to end. ^C diff --git a/tools/capable.bt b/tools/capable.bt old mode 100644 new mode 100755 index 233effc422a3..1d33b5ba47ab --- a/tools/capable.bt +++ b/tools/capable.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * capable Trace security capabilitiy checks (cap_capable()). * For Linux, uses bpftrace and eBPF. diff --git a/tools/cpuwalk.bt b/tools/cpuwalk.bt old mode 100644 new mode 100755 index ae120ddd1e67..5b4dad94b576 --- a/tools/cpuwalk.bt +++ b/tools/cpuwalk.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * cpuwalk Sample which CPUs are executing processes. * For Linux, uses bpftrace and eBPF. diff --git a/tools/dcsnoop.bt b/tools/dcsnoop.bt old mode 100644 new mode 100755 index aa8b3d781034..0bea81468635 --- a/tools/dcsnoop.bt +++ b/tools/dcsnoop.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * dcsnoop Trace directory entry cache (dcache) lookups. * For Linux, uses bpftrace and eBPF. diff --git a/tools/execsnoop.bt b/tools/execsnoop.bt old mode 100644 new mode 100755 index 8d2f7512c5a6..366fb9d5a101 --- a/tools/execsnoop.bt +++ b/tools/execsnoop.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * execsnoop.bt Trace new processes via exec() syscalls. * For Linux, uses bpftrace and eBPF. 
diff --git a/tools/execsnoop_example.txt b/tools/execsnoop_example.txt index d443e7d3659c..ca7242750519 100644 --- a/tools/execsnoop_example.txt +++ b/tools/execsnoop_example.txt @@ -3,7 +3,7 @@ Demonstrations of execsnoop, the Linux BPF/bpftrace version. Tracing all new process execution (via exec()): -# bpftrace execsnoop.bt +# execsnoop.bt Attaching 3 probes... TIME(ms) PID ARGS 2460 3466 ls --color=auto -lh execsnoop.bt execsnoop.bt.0 execsnoop.bt.1 diff --git a/tools/gethostlatency.bt b/tools/gethostlatency.bt old mode 100644 new mode 100755 index 29fb3f475694..41ec38f88cbf --- a/tools/gethostlatency.bt +++ b/tools/gethostlatency.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * gethostlatency Trace getaddrinfo/gethostbyname[2] calls. * For Linux, uses bpftrace and eBPF. diff --git a/tools/gethostlatency_example.txt b/tools/gethostlatency_example.txt index 025f23551f0d..daf0d4267b51 100644 --- a/tools/gethostlatency_example.txt +++ b/tools/gethostlatency_example.txt @@ -5,7 +5,7 @@ This traces host name lookup calls (getaddrinfo(), gethostbyname(), and gethostbyname2()), and shows the PID and command performing the lookup, the latency (duration) of the call in milliseconds, and the host string: -# bpftrace gethostlatency.bt +# gethostlatency.bt Attaching 7 probes... Tracing getaddr/gethost calls... Hit Ctrl-C to end. TIME PID COMM LATms HOST diff --git a/tools/killsnoop.bt b/tools/killsnoop.bt old mode 100644 new mode 100755 index 0cf538d660b4..4dfb0f5fdd99 --- a/tools/killsnoop.bt +++ b/tools/killsnoop.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * killsnoop Trace signals issued by the kill() syscall. * For Linux, uses bpftrace and eBPF. diff --git a/tools/killsnoop_example.txt b/tools/killsnoop_example.txt index 221395665bdf..e8aa379c6525 100644 --- a/tools/killsnoop_example.txt +++ b/tools/killsnoop_example.txt 
@@ -3,7 +3,7 @@ Demonstrations of killsnoop, the Linux bpftrace/eBPF version. This traces signals sent via the kill() syscall. For example: -# bpftrace killsnoop.bt +# killsnoop.bt Attaching 3 probes... Tracing kill() signals... Hit Ctrl-C to end. TIME PID COMM SIG TPID RESULT diff --git a/tools/loads.bt b/tools/loads.bt old mode 100644 new mode 100755 index deb2d98fa28c..58ebe9d84bb0 --- a/tools/loads.bt +++ b/tools/loads.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * loads Prints load averages. * For Linux, uses bpftrace and eBPF. diff --git a/tools/loads_example.txt b/tools/loads_example.txt index e721979a4625..ed1bc95ff15a 100644 --- a/tools/loads_example.txt +++ b/tools/loads_example.txt @@ -5,7 +5,7 @@ This is a simple tool that prints the system load averages, to three decimal places each (not that it really matters), as a demonstration of fetching kernel structures from bpftrace: -# bpftrace loads.bt +# loads.bt Attaching 2 probes... Reading load averages... Hit Ctrl-C to end. 21:29:17 load averages: 2.091 2.048 1.947 diff --git a/tools/mdflush.bt b/tools/mdflush.bt old mode 100644 new mode 100755 index f5694f6248ad..7d9952def297 --- a/tools/mdflush.bt +++ b/tools/mdflush.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * mdflush Trace md flush events. * For Linux, uses bpftrace and eBPF. diff --git a/tools/mdflush_example.txt b/tools/mdflush_example.txt index bc3c5458ec3e..87c442a7fd68 100644 --- a/tools/mdflush_example.txt +++ b/tools/mdflush_example.txt @@ -4,7 +4,7 @@ Demonstrations of mdflush, the Linux bpftrace/eBPF version. The mdflush tool traces flushes at the md driver level, and prints details including the time of the flush: -# ./mdflush.bt +# mdflush.bt Tracing md flush requests... Hit Ctrl-C to end. TIME PID COMM DEVICE 03:13:49 16770 sync md0 diff --git a/tools/oomkill.bt b/tools/oomkill.bt old mode 100644 new mode 100755 index f994095268de..762b5edc7fe1 --- a/tools/oomkill.bt +++ b/tools/oomkill.bt 
@@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * oomkill Trace OOM killer. * For Linux, uses bpftrace and eBPF. diff --git a/tools/oomkill_example.txt b/tools/oomkill_example.txt index 0b33f39a13e8..4f63e3fd55c3 100644 --- a/tools/oomkill_example.txt +++ b/tools/oomkill_example.txt @@ -4,7 +4,7 @@ Demonstrations of oomkill, the Linux bpftrace/eBPF version. oomkill is a simple program that traces the Linux out-of-memory (OOM) killer, and shows basic details on one line per OOM kill: -# ./oomkill +# oomkill Tracing oom_kill_process()... Ctrl-C to end. 21:03:39 Triggered by PID 3297 ("ntpd"), OOM kill of PID 22516 ("perl"), 3850642 pages, loadavg: 0.99 0.39 0.30 3/282 22724 21:03:48 Triggered by PID 22517 ("perl"), OOM kill of PID 22517 ("perl"), 3850642 pages, loadavg: 0.99 0.41 0.30 2/282 22932 diff --git a/tools/opensnoop.bt b/tools/opensnoop.bt old mode 100644 new mode 100755 index c127a70d57dc..a469c5ff4fbd --- a/tools/opensnoop.bt +++ b/tools/opensnoop.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * opensnoop Trace open() syscalls. * For Linux, uses bpftrace and eBPF. diff --git a/tools/opensnoop_example.txt b/tools/opensnoop_example.txt index ae70a207f5b6..c60c859dffb4 100644 --- a/tools/opensnoop_example.txt +++ b/tools/opensnoop_example.txt @@ -4,7 +4,7 @@ Demonstrations of opensnoop, the Linux bpftrace/eBPF version. opensnoop traces the open() syscall system-wide, and prints various details. Example output: -# bpftrace opensnoop.bt +# opensnoop.bt Attaching 3 probes... Tracing open syscalls... Hit Ctrl-C to end. PID COMM FD ERR PATH diff --git a/tools/pidpersec.bt b/tools/pidpersec.bt old mode 100644 new mode 100755 index 742b54a3c71d..4632ec3a5410 --- a/tools/pidpersec.bt +++ b/tools/pidpersec.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * pidpersec Count new procesess (via fork). * For Linux, uses bpftrace and eBPF. diff --git a/tools/runqlat.bt b/tools/runqlat.bt old mode 100644 new mode 100755 index faed1f3b544a..225d5cc9fe5f --- a/tools/runqlat.bt 
+++ b/tools/runqlat.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * runqlat.bt CPU scheduler run queue latency as a histogram. * For Linux, uses bpftrace, eBPF. diff --git a/tools/runqlat_example.txt b/tools/runqlat_example.txt index 5013174dc557..0814fa5dc3fc 100644 --- a/tools/runqlat_example.txt +++ b/tools/runqlat_example.txt @@ -5,7 +5,7 @@ This traces time spent waiting in the CPU scheduler for a turn on-CPU. This metric is often called run queue latency, or scheduler latency. This tool shows this latency as a power-of-2 histogram in nanoseconds. For example: -# bpftrace runqlat.bt +# runqlat.bt Attaching 5 probes... Tracing CPU scheduler... Hit Ctrl-C to end. ^C @@ -49,7 +49,7 @@ the CPU caches should be hotter. I'll now add a single-threaded CPU bound workload to this system, and bind it on one CPU: -# bpftrace runqlat.bt +# runqlat.bt Attaching 5 probes... Tracing CPU scheduler... Hit Ctrl-C to end. ^C @@ -85,7 +85,7 @@ That didn't make much difference. Now I'll add a second single-threaded CPU workload, and bind it to the same CPU, causing contention: -# bpftrace runqlat.bt +# runqlat.bt Attaching 5 probes... Tracing CPU scheduler... Hit Ctrl-C to end. ^C @@ -119,7 +119,7 @@ wait its turn on the one CPU. Now I'l run 10 CPU-bound throuds on one CPU: -# bpftrace runqlat.bt +# runqlat.bt Attaching 5 probes... Tracing CPU scheduler... Hit Ctrl-C to end. ^C diff --git a/tools/runqlen.bt b/tools/runqlen.bt old mode 100644 new mode 100755 index 117f02657a16..91ba11b00455 --- a/tools/runqlen.bt +++ b/tools/runqlen.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * runqlen.bt CPU scheduler run queue length as a histogram. * For Linux, uses bpftrace, eBPF. diff --git a/tools/statsnoop.bt b/tools/statsnoop.bt old mode 100644 new mode 100755 index 2d805340866d..54297e590f4a --- a/tools/statsnoop.bt +++ b/tools/statsnoop.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * statsnoop Trace stat() syscalls. * For Linux, uses bpftrace and eBPF. 
diff --git a/tools/statsnoop_example.txt b/tools/statsnoop_example.txt index 60a9db7699cd..ba5acbca9336 100644 --- a/tools/statsnoop_example.txt +++ b/tools/statsnoop_example.txt @@ -4,7 +4,7 @@ Demonstrations of statsnoop, the Linux bpftrace/eBPF version. statsnoop traces different stat() syscalls system-wide, and prints details. Example output: -# bpftrace statsnoop.bt +# statsnoop.bt Attaching 9 probes... Tracing stat syscalls... Hit Ctrl-C to end. PID COMM ERR PATH diff --git a/tools/syncsnoop.bt b/tools/syncsnoop.bt old mode 100644 new mode 100755 index 84df59ccee4a..f1be21441948 --- a/tools/syncsnoop.bt +++ b/tools/syncsnoop.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * syncsnoop Trace sync() variety of syscalls. * For Linux, uses bpftrace and eBPF. diff --git a/tools/syncsnoop_example.txt b/tools/syncsnoop_example.txt index 6f0d4a2b9247..19508ca17abd 100644 --- a/tools/syncsnoop_example.txt +++ b/tools/syncsnoop_example.txt @@ -3,7 +3,7 @@ Demonstrations of syncsnoop, the Linux bpftrace/eBPF version. Tracing file system sync events: -# bpftrace syncsnoop.bt +# syncsnoop.bt Attaching 7 probes... Tracing sync syscalls... Hit Ctrl-C to end. TIME PID COMM EVENT diff --git a/tools/syscount.bt b/tools/syscount.bt old mode 100644 new mode 100755 index 080173acd7cb..a70742f364ac --- a/tools/syscount.bt +++ b/tools/syscount.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * syscount.bt Count system callls. * For Linux, uses bpftrace, eBPF. diff --git a/tools/syscount_example.txt b/tools/syscount_example.txt index 82e5ef345fb0..a4457d414768 100644 --- a/tools/syscount_example.txt +++ b/tools/syscount_example.txt @@ -4,7 +4,7 @@ Demonstrations of syscount, the Linux bpftrace/eBPF version. syscount counts system calls, and prints summaries of the top ten syscall IDs, and the top ten process names making syscalls. For example: -# bpftrace syscount.bt +# syscount.bt Attaching 3 probes... Counting syscalls... Hit Ctrl-C to end. ^C 
diff --git a/tools/vfscount.bt b/tools/vfscount.bt old mode 100644 new mode 100755 index 412273402fbb..d27c758d2a39 --- a/tools/vfscount.bt +++ b/tools/vfscount.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * vfscount Count VFS calls ("vfs_*"). * For Linux, uses bpftrace and eBPF. diff --git a/tools/vfscount_example.txt b/tools/vfscount_example.txt index a6897d759aa2..c56b36d97152 100644 --- a/tools/vfscount_example.txt +++ b/tools/vfscount_example.txt @@ -3,7 +3,7 @@ Demonstrations of vfscount, the Linux bpftrace/eBPF version. Tracing all VFS calls: -# bpftrace vfscount.bt +# vfscount.bt Attaching 54 probes... cannot attach kprobe, Invalid argument Warning: could not attach probe kprobe:vfs_dedupe_get_page.isra.21, skipping. diff --git a/tools/vfsstat.bt b/tools/vfsstat.bt old mode 100644 new mode 100755 index 484b5ec3bb49..0c4e9b894b20 --- a/tools/vfsstat.bt +++ b/tools/vfsstat.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * vfsstat Count some VFS calls, with per-second summaries. * For Linux, uses bpftrace and eBPF. diff --git a/tools/vfsstat_example.txt b/tools/vfsstat_example.txt index 35b3174b702c..38be5bb71956 100644 --- a/tools/vfsstat_example.txt +++ b/tools/vfsstat_example.txt @@ -4,7 +4,7 @@ Demonstrations of vfsstat, the Linux bpftrace/eBPF version. This traces some common VFS calls (see the script for the list) and prints per-second summaries. -# bpftrace vfsstat.bt +# vfsstat.bt Attaching 8 probes... Tracing key VFS calls... Hit Ctrl-C to end. 21:30:38 diff --git a/tools/writeback.bt b/tools/writeback.bt old mode 100644 new mode 100755 index 700d59cfe1eb..bccef838dc06 --- a/tools/writeback.bt +++ b/tools/writeback.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * writeback Trace file system writeback events with details. * For Linux, uses bpftrace and eBPF. diff --git a/tools/writeback_example.txt b/tools/writeback_example.txt index cadb1defd388..21ab588a3309 100644 --- a/tools/writeback_example.txt +++ b/tools/writeback_example.txt 
@@ -5,7 +5,7 @@ This tool traces when the kernel writeback procedure is writing dirtied pages to disk, and shows details such as the time, device numbers, reason for the write back, and the duration. For example: -# bpftrace writeback.bt +# writeback.bt Attaching 4 probes... Tracing writeback... Hit Ctrl-C to end. TIME DEVICE PAGES REASON ms diff --git a/tools/xfsdist.bt b/tools/xfsdist.bt old mode 100644 new mode 100755 index c0a024ce0108..91c376fc936a --- a/tools/xfsdist.bt +++ b/tools/xfsdist.bt @@ -1,3 +1,4 @@ +#!/usr/local/bin/bpftrace /* * xfsdist Summarize XFS operation latency. * For Linux, uses bpftrace and eBPF.