Get deeper insights into your system with eBPF

Peak Performance

One of the best uses for the eBPF tools is to help you tune your system for maximum performance by identifying and removing bottlenecks at various levels. You can begin by using the runqlat tool to chart how long threads spend waiting in the CPU run queues. It prints a summary of the scheduler run queue latency in the form of a histogram, as shown in Figure 4.

Figure 4: The runqlat tool helps chart the time that was lost while the CPU was busy elsewhere.

Then there's the biolatency tool, which comes in handy to visualize the latency of block device I/O. The biolatency tool keeps track of the elapsed time from when a device is called to its completion. Like runqlat, this tool will also print a histogram once it ends, either manually or after a specified duration. A typical invocation will look like:

sudo biolatency-bpfcc -D 6 2

The -D option instructs biolatency to print separate information for each block device. The first numeric value is the time interval for printing each summary, whereas the second numeric value informs biolatency of the total number of times it should collect information, after which point biolatency will automatically exit. Therefore, the previous command instructs biolatency to print the first histogram after 6 seconds of invoking the tool and another after another 6 seconds.

In addition to devices, there are also several tools for tracing filesystems. There's ext4slower for EXT4 filesystems, xfsslower for XFS, btrfsslower for BTRFS, nfsslower for NFS and zfsslower for ZFS file system. These tools will time the common filesystem operations and print a list of those that exceed a defined threshold. By default the threshold is set at 10ms, but you can customize it by specifying one manually (Listing 5).

Listing 5

Specifying a Threshold


The command in Listing 5 will display all filesystem operations that are slower than 100 ms. It measures the time it takes from when an operation is called from the virtual filesystem to its completion and flags it if it exceeds the specified threshold. This tool is ideal for picking up performance issues caused by slow disk I/O at the filesystem level. It is a lot better than statistics plotted by popular performance monitoring tools, since they depict the performance of the disk, when in fact the bottleneck can also be due to the inability of the filesystem to respond to the requests flooding in.

We've only touched upon some of the eBPF tools that are at your disposal to trace and inspect various areas of your installation. Remember, however, that just because you have the performance measurement tools, it doesn't mean that you'll be able to streamline the performance of your box. Interpreting the results of the trace requires a fair bit of understanding of how Linux works and its internals. So make sure you invest some time reading up about the internals of the Linux kernel before you begin to utilize these tools to chip away milliseconds and optimize your installation.

Also know that eBPF has a greater mandate than just tracing. Thanks to its architecture, it can also play a role in system security. It can be used to monitor and detect intrusions and may even become the de-facto means for enforcing firewalls in Linux.


  1. eBPF in the Linux Kernel:
  2. "The BSD Packet Filter: A New Architecture for User-level Packet Capture" by Steven McCanne and Van Jacobson:
  3. bcc Project:
  4. bcc Installation:

The Author

Mayank Sharma is a technology writer and you can read his scribblings in various geeky magazines on both sides of the pond.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Red Hat Enterprise Linux 8.2

    RHEL 8.2 comes with many new features, ranging from the kernel, through security and networking, to the desktop.

  • Open Heart Surgery

    Who is constantly creating the new processes that are paralyzing the system? Which process opens the most files and how many bytes is it reading or writing? Mike Schilli pokes inside the kernel to answer these questions with bpftrace and its code probes.

  • Packet Telemetry with Host-INT

    Inband Network Telemetry and Host-INT can provide valuable insights on network performance – including information on latency and packet drops.

  • perf

    The kernel supports performance analysis with built-in tools via the Linux performance counters subsystem. perf is easy to use and offers a detailed view of performance data.

  • This Month's DVD

    Arch Linux and CentOS 8.0.1905

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More