cbsensor-linux-bpf

Investigate BPF Ring Buffer Map Usage

Open jrmwooldridge opened this issue 5 years ago • 2 comments

If we can programmatically detect the BPF Map ring buffer type via BCC, or a capability BPF syscall test, or in the very worst case a kernel version check in userspace, then we should attempt to use this for most if not all events. The perf output buffers work, but there is a limit to scalability and ease of weaving BPF events together.

jrmwooldridge, Oct 02 '20 02:10
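A sketch of the capability test proposed above, as an added example that is not code from this repository: it asks the kernel to create a ring buffer map and falls back to a kernel version check only when the answer is ambiguous. All function names are hypothetical; the map type number 27 and the 5.8 cutoff are taken from the upstream Linux kernel.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/bpf.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

#define RINGBUF_MAP_TYPE 27 /* BPF_MAP_TYPE_RINGBUF; numeric so pre-5.8 headers compile */
enum probe_result { RB_UNSUPPORTED, RB_SUPPORTED, RB_INCONCLUSIVE };

/* Interpret a BPF_MAP_CREATE outcome; only EINVAL or ENOSYS prove absence. */
enum probe_result classify_probe(int fd, int err) {
    if (fd >= 0) return RB_SUPPORTED;
    if (err == EINVAL || err == ENOSYS) return RB_UNSUPPORTED; /* unknown type / no bpf(2) */
    return RB_INCONCLUSIVE; /* EPERM, ENOMEM, ...: says nothing about the map type */
}

/* Worst-case fallback: ring buffer maps first appeared in upstream Linux 5.8. */
int release_has_ringbuf(const char *release) {
    int major = 0, minor = 0;
    if (sscanf(release, "%d.%d", &major, &minor) != 2) return 0;
    return major > 5 || (major == 5 && minor >= 8);
}

/* Try to create the smallest valid ring buffer map (one page, no key or value). */
enum probe_result probe_ringbuf(void) {
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.map_type = RINGBUF_MAP_TYPE;
    attr.max_entries = (unsigned int)sysconf(_SC_PAGESIZE); /* power of 2, page aligned */
    int fd = (int)syscall(SYS_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
    int err = errno;
    if (fd >= 0) close(fd);
    return classify_probe(fd, err);
}

/* 1 if the sensor can use the ring buffer map, 0 to stay on perf buffers. */
int ringbuf_available(void) {
    enum probe_result r = probe_ringbuf();
    struct utsname u;
    if (r != RB_INCONCLUSIVE) return r == RB_SUPPORTED;
    return uname(&u) == 0 && release_has_ringbuf(u.release);
}

int main(void) {
    puts(ringbuf_available() ? "ring buffer map" : "perf buffer fallback");
    return 0;
}
```

The version fallback is conservative: a distribution kernel that reports a release below 5.8 is treated as lacking the map type even if the feature was backported, so an unprivileged or memlock-limited probe never selects a map type the kernel might reject.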

There is a limitation of the perf ring buffer. If the BPF program produces events on the perf ring buffer faster than any application code can process them, some events will be lost (overwritten, since it's a ring). The "Possibly lost XX samples" message is a notification of this happening.

kirandivekar, Oct 05 '20 09:10

Yes. One of the main reasons to switch to the BPF Map based ring buffer when available. Since all of our events are tied to a single perf buffer across the multiple CPUs, we should benefit from using the BPF Map ring buffer.

Another option would be to throw more non-essential events into a secondary perf buffer.

jrmwooldridge, Oct 06 '20 20:10