Jean-Tiare Le Bigot | a1ac2f9 | 2016-03-04 21:45:32 +0100

Demonstrations of solisten.py, the Linux eBPF/bcc version.


This tool traces the kernel function called when a program wants to listen
for TCP connections. It will not see UDP or UNIX domain sockets.

It can be used to dynamically update a load balancer once a program is actually
ready to accept connections, hence avoiding the "downtime" while it is initializing.

# ./solisten.py --show-netns
PID    COMM         NETNS        PROTO  BACKLOG  ADDR                  PORT
3643   nc           4026531957   TCPv4  1        0.0.0.0               4242
3659   nc           4026531957   TCPv6  1        2001:f0d0:1002:51::4  4242
4221   redis-server 4026532165   TCPv6  128      ::                    6379
4221   redis-server 4026532165   TCPv4  128      0.0.0.0               6379
6067   nginx        4026531957   TCPv4  128      0.0.0.0               80
6067   nginx        4026531957   TCPv6  128      ::                    80
6069   nginx        4026531957   TCPv4  128      0.0.0.0               80
6069   nginx        4026531957   TCPv6  128      ::                    80
6069   nginx        4026531957   TCPv4  128      0.0.0.0               80
6069   nginx        4026531957   TCPv6  128      ::                    80

This output shows the listen events from 3 programs. Netcat was started twice, as
shown by the 2 different PIDs: the first time on the wildcard IPv4 address, the
second time on an IPv6 address. Netcat is a "one shot" program: it can accept a
single connection, hence the backlog of "1".

The next program is redis-server. As the NETNS column shows, it is in a
different network namespace than netcat and nginx. In this specific case
it was launched in a docker container. It listens on both IPv4 and IPv6
with up to 128 pending connections.

Determining the actual container is out of the scope of this tool. It could
be derived by scraping /proc/<PID>/cgroup. Note that this is racy: the process
may have exited by the time the file is read.

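One way to do the container lookup mentioned above while narrowing the race, as an added example that is not part of solisten.py or bcc: it parses --show-netns rows, then reads /proc/<PID>/cgroup and compares the process start time before and after the read to detect an exited or reused PID. The Docker-style cgroup path pattern, the function names and the sample data are assumptions made for the illustration.

```python
import re

# Constructed rows in the format of the `solisten.py --show-netns` output above.
SAMPLE = """\
PID    COMM         NETNS        PROTO  BACKLOG  ADDR     PORT
4221   redis-server 4026532165   TCPv4  128      0.0.0.0  6379
6067   nginx        4026531957   TCPv4  128      0.0.0.0  80
"""
# Constructed cgroup files (cgroup v1 and v2 layouts); the container ID is made up.
FAKE_ID = "ab" * 32
CGROUP_V1 = f"11:memory:/docker/{FAKE_ID}\n1:name=systemd:/docker/{FAKE_ID}\n"
CGROUP_V2 = f"0::/system.slice/docker-{FAKE_ID}.scope\n"

# Assumption: Docker-style paths carrying a 64-hex-digit container ID.
CONTAINER_ID = re.compile(r"(?:/docker/|docker-)([0-9a-f]{64})")

def parse_listen_events(text):
    """Parse data rows; COMM may contain spaces, so split from both ends."""
    events = []
    for line in text.splitlines():
        try:
            pid, rest = line.split(None, 1)
            comm, netns, proto, backlog, addr, port = rest.rsplit(None, 5)
            events.append({"pid": int(pid), "comm": comm, "netns": int(netns),
                           "proto": proto, "backlog": int(backlog),
                           "addr": addr, "port": int(port)})
        except ValueError:
            continue  # header, blank or malformed line
    return events

def container_id_from_cgroup(cgroup_text):
    m = CONTAINER_ID.search(cgroup_text)
    return m.group(1) if m else None

def _start_time(pid, proc):
    # starttime is field 22 of /proc/<PID>/stat; comm can hold ')' so cut at the last one.
    with open(f"{proc}/{pid}/stat") as fh:
        return fh.read().rsplit(")", 1)[1].split()[19]

def resolve_container(pid, proc="/proc"):
    """Container ID for pid, or None if unknown, exited, or the PID was reused."""
    try:
        before = _start_time(pid, proc)
        with open(f"{proc}/{pid}/cgroup") as fh:
            text = fh.read()
        if _start_time(pid, proc) != before:
            return None  # a different process now owns this PID
    except (OSError, IndexError):
        return None  # process exited between the listen event and the read
    return container_id_from_cgroup(text)
```

A None result means "unknown", not "not in a container": callers should treat it as missing data rather than as evidence that the listener runs on the host.
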
The overhead of this tool is negligible as it traces listen() calls, which are
invoked in the initialization path of a program. The operational path will remain
unaffected. In particular, accept() calls will not be affected, and neither will
individual read() and write() calls.
