eBPF Processes
Plugin: ebpf.plugin Module: processes
Overview
Monitor calls for function creating tasks (threads and processes) inside Linux kernel.
Attach tracing (kprobe or tracepoint, and trampoline) to internal kernel functions.
This collector is only supported on the following platforms:
- Linux
This collector supports collecting metrics from multiple instances of this integration, including remote instances.
The plugin needs setuid because it loads data inside kernel. Netada sets necessary permission during installation time.
Default Behavior
Auto-Detection
The plugin checks kernel compilation flags (CONFIG_KPROBES, CONFIG_BPF, CONFIG_BPF_SYSCALL, CONFIG_BPF_JIT), files inside debugfs, and presence of BTF files to decide which eBPF program will be attached.
Limits
The default configuration for this integration does not impose any limits on data collection.
Performance Impact
This thread will add overhead every time that an internal kernel function monitored by this thread is called.
Metrics
Metrics grouped by scope.
The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.
Per eBPF Processes instance
These metrics show total number of calls to functions inside kernel.
This scope has no labels.
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| system.process_thread | process | calls/s |
| system.process_status | process, zombie | difference |
| system.exit | process | calls/s |
| system.task_error | task | calls/s |
Per apps
These Metrics show grouped information per apps group.
Labels:
| Label | Description |
|---|---|
| app_group | The name of the group defined in the configuration. |
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| app.process_create | calls | calls/s |
| app.thread_create | call | calls/s |
| app.task_exit | call | calls/s |
| app.task_close | call | calls/s |
| app.task_error | app | calls/s |
Per cgroup
These Metrics show grouped information per cgroup/service.
This scope has no labels.
Metrics:
| Metric | Dimensions | Unit |
|---|---|---|
| cgroup.process_create | process | calls/s |
| cgroup.thread_create | thread | calls/s |
| cgroup.task_exit | exit | calls/s |
| cgroup.task_close | process | calls/s |
| cgroup.task_error | process | calls/s |
| services.process_create | a dimension per systemd service | calls/s |
| services.thread_create | a dimension per systemd service | calls/s |
| services.task_close | a dimension per systemd service | calls/s |
| services.task_exit | a dimension per systemd service | calls/s |
| services.task_error | a dimension per systemd service | calls/s |
Alerts
There are no alerts configured by default for this integration.
Setup
Prerequisites
Compile kernel
Check if your kernel was compiled with necessary options (CONFIG_KPROBES, CONFIG_BPF, CONFIG_BPF_SYSCALL, CONFIG_BPF_JIT) in /proc/config.gz or inside /boot/config file. Some cited names can be different accoring preferences of Linux distributions.
When you do not have options set, it is necessary to get the kernel source code from https://kernel.org or a kernel package from your distribution, this last is preferred. The kernel compilation has a well definedd pattern, but distributions can deliver their configuration files
with different names.
Now follow steps:
- Copy the configuration file to /usr/src/linux/.config.
- Select the necessary options: make oldconfig
- Compile your kernel image: make bzImage
- Compile your modules: make modules
- Copy your new kernel image for boot loader directory
- Install the new modules: make modules_install
- Generate an initial ramdisk image (
initrd) if it is necessary. - Update your boot loader
Debug Filesystem
This thread needs to attach a tracepoint to monitor when a process schedule an exit event. To allow this specific feaure, it is necessary to mount debugfs (mount -t debugfs none /sys/kernel/debug/).
Configuration
File
The configuration file name for this integration is ebpf.d/process.conf.
You can edit the configuration file using the edit-config script from the
Netdata config directory.
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config ebpf.d/process.conf
Options
All options are defined inside section [global].
Config options
| Name | Description | Default | Required |
|---|---|---|---|
| update every | Data collection frequency. | 5 | no |
| ebpf load mode | Define whether plugin will monitor the call (entry) for the functions or it will also monitor the return (return). | entry | no |
| apps | Enable or disable integration with apps.plugin | no | no |
| cgroups | Enable or disable integration with cgroup.plugin | no | no |
| pid table size | Number of elements stored inside hash tables used to monitor calls per PID. | 32768 | no |
| ebpf type format | Define the file type to load an eBPF program. Three options are available: legacy (Attach only kprobe), co-re (Plugin tries to use trampoline when available), and auto (plugin check OS configuration before to load). | auto | no |
| ebpf co-re tracing | Select the attach method used by plugin when co-re is defined in previous option. Two options are available: trampoline (Option with lowest overhead), and probe (the same of legacy code). This plugin will always try to attach a tracepoint, so option here will impact only function used to monitor task (thread and process) creation. | trampoline | no |
| maps per core | Define how plugin will load their hash maps. When enabled (yes) plugin will load one hash table per core, instead to have centralized information. | yes | no |
| lifetime | Set default lifetime for thread when enabled by cloud. | 300 | no |
Examples
There are no configuration examples.
Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.