Peak Performance

One of the best uses for the eBPF tools is to help you tune your system for maximum performance by identifying and removing bottlenecks at various levels. You can begin by using the runqlat tool to chart how long threads spend waiting in the CPU run queues. It prints a summary of the scheduler run queue latency in the form of a histogram, as shown in Figure 4.

Figure 4: The runqlat tool helps chart the time that was lost while the CPU was busy elsewhere.

Then there's the biolatency tool, which comes in handy to visualize the latency of block device I/O. The biolatency tool keeps track of the elapsed time from when a device is called to its completion. Like runqlat, this tool will also print a histogram once it ends, either manually or after a specified duration. A typical invocation will look like:

sudo biolatency-bpfcc -D 6 2

The -D option instructs biolatency to print separate information for each block device. The first numeric value is the time interval for printing each summary, whereas the second numeric value informs biolatency of the total number of times it should collect information, after which point biolatency will automatically exit. Therefore, the previous command instructs biolatency to print the first histogram after 6 seconds of invoking the tool and another after another 6 seconds.

In addition to devices, there are also several tools for tracing filesystems. There's ext4slower for EXT4 filesystems, xfsslower for XFS, btrfsslower for BTRFS, nfsslower for NFS and zfsslower for ZFS file system. These tools will time the common filesystem operations and print a list of those that exceed a defined threshold. By default the threshold is set at 10ms, but you can customize it by specifying one manually (Listing 5).

The command in Listing 5 will display all filesystem operations that are slower than 100 ms. It measures the time it takes from when an operation is called from the virtual filesystem to its completion and flags it if it exceeds the specified threshold. This tool is ideal for picking up performance issues caused by slow disk I/O at the filesystem level. It is a lot better than statistics plotted by popular performance monitoring tools, since they depict the performance of the disk, when in fact the bottleneck can also be due to the inability of the filesystem to respond to the requests flooding in.

We've only touched upon some of the eBPF tools that are at your disposal to trace and inspect various areas of your installation. Remember, however, that just because you have the performance measurement tools, it doesn't mean that you'll be able to streamline the performance of your box. Interpreting the results of the trace requires a fair bit of understanding of how Linux works and its internals. So make sure you invest some time reading up about the internals of the Linux kernel before you begin to utilize these tools to chip away milliseconds and optimize your installation.

Also know that eBPF has a greater mandate than just tracing. Thanks to its architecture, it can also play a role in system security. It can be used to monitor and detect intrusions and may even become the de-facto means for enforcing firewalls in Linux.