io_uring activity detection using tracepoints #2

@anfedotoff

Hi 👋 !

Thank you, @amitschendel, for your very interesting blog post. It inspired me to do some experiments. I wonder: can we monitor io_uring activity using eBPF? I have a personal project, bombini, for experiments with eBPF. It took some time to write a detector which tracks SQE submission using the io_uring_submit_req tracepoint. The detector provides events with the following information:

  • io_uring_op opcode
  • process information

It works fine on the examples that you provided; here are some logs:

{
  "flags": 8208,
  "host": "(unnamed)",
  "opcode": "IORING_OP_OPENAT",
  "process": {
    "args": "",
    "auid": 1000,
    "binary_path": "/home/fedotoff/curing/io_uring_example/program",
    "cap_effective": 0,
    "cap_inheritable": 0,
    "cap_permitted": 0,
    "euid": 1000,
    "filename": "program",
    "pid": 187450,
    "ppid": 0,
    "secureexec": "",
    "tid": 187450,
    "uid": 1000
  },
  "source_type": "socket",
  "timestamp": "2025-05-09T09:52:02.306431290Z",
  "type": "IOUringEvent"
}
{
  "flags": 0,
  "host": "(unnamed)",
  "opcode": "IORING_OP_WRITE",
  "process": {
    "args": "",
    "auid": 1000,
    "binary_path": "/home/fedotoff/curing/io_uring_example/program",
    "cap_effective": 0,
    "cap_inheritable": 0,
    "cap_permitted": 0,
    "euid": 1000,
    "filename": "program",
    "pid": 187450,
    "ppid": 0,
    "secureexec": "",
    "tid": 187450,
    "uid": 1000
  },
  "source_type": "socket",
  "timestamp": "2025-05-09T09:52:02.306762611Z",
  "type": "IOUringEvent"
}
{
  "flags": 0,
  "host": "(unnamed)",
  "opcode": "IORING_OP_CLOSE",
  "process": {
    "args": "",
    "auid": 1000,
    "binary_path": "/home/fedotoff/curing/io_uring_example/program",
    "cap_effective": 0,
    "cap_inheritable": 0,
    "cap_permitted": 0,
    "euid": 1000,
    "filename": "program",
    "pid": 187450,
    "ppid": 0,
    "secureexec": "",
    "tid": 187450,
    "uid": 1000
  },
  "source_type": "socket",
  "timestamp": "2025-05-09T09:52:02.306941263Z",
  "type": "IOUringEvent"
}

It seems to me that we can collect more details of the SQE, not only the opcode, but I think it's a good start. I also think it's possible to write a Tetragon TracingPolicy for io_uring_submit_req and extract the opcode.
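
A consumer for events of this shape, added here as an example (it is not part of the original post and not code from bombini): it splits the back-to-back JSON objects, counts opcodes per process, and lists processes outside an allowlist that issued file or network opcodes. The sample events, the `WATCHED` selection and the `EXPECTED_BINARIES` allowlist are assumptions.

```python
import json
import re
from collections import Counter, defaultdict

# Opcodes that stand in for syscalls a syscall-hooking monitor would normally
# see (open/read/write/close, connect/send/recv). The selection is an assumption.
WATCHED = {"IORING_OP_OPENAT", "IORING_OP_READ", "IORING_OP_WRITE",
           "IORING_OP_CLOSE", "IORING_OP_CONNECT", "IORING_OP_SEND",
           "IORING_OP_RECV"}
# Hypothetical allowlist of binaries that are expected to use io_uring.
EXPECTED_BINARIES = {"/usr/local/bin/known-uring-server"}

# Constructed sample: objects written back to back, trimmed to the fields used.
SAMPLE = """
{"type": "IOUringEvent", "opcode": "IORING_OP_OPENAT", "process": {"pid": 4242, "binary_path": "/tmp/demo/program"}}
{"type": "IOUringEvent", "opcode": "IORING_OP_WRITE", "process": {"pid": 4242, "binary_path": "/tmp/demo/program"}}
{"type": "IOUringEvent", "opcode": "IORING_OP_CLOSE", "process": {"pid": 4242, "binary_path": "/tmp/demo/program"}}
{"type": "IOUringEvent", "opcode": "IORING_OP_NOP", "process": {"pid": 77, "binary_path": "/usr/local/bin/known-uring-server"}}
{"type": "SomethingElse", "process": {"pid": 1}}
"""
_WS = re.compile(r"\s*")

def iter_events(text):
    """Yield each object from a stream of concatenated (even multi-line) JSON."""
    decoder, pos = json.JSONDecoder(), 0
    while (pos := _WS.match(text, pos).end()) < len(text):
        obj, pos = decoder.raw_decode(text, pos)
        yield obj

def summarize(text):
    """Return {(pid, binary_path): Counter(opcode)} for IOUringEvent records."""
    per_proc = defaultdict(Counter)
    for ev in iter_events(text):
        if ev.get("type") == "IOUringEvent":
            proc = ev.get("process", {})
            per_proc[(proc.get("pid"), proc.get("binary_path"))][ev.get("opcode")] += 1
    return dict(per_proc)

def findings(text):
    """List processes outside the allowlist that issued watched opcodes."""
    out = []
    for (pid, path), ops in summarize(text).items():
        hits = sorted(op for op in ops if op in WATCHED)
        if hits and path not in EXPECTED_BINARIES:
            out.append({"pid": pid, "binary_path": path, "opcodes": hits})
    return out

if __name__ == "__main__":
    print(json.dumps(findings(SAMPLE), indent=2))
```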
