DTrace for Linux
DTrace is a dynamic tracing tool that allows kernel and userspace tracing in
operating systems. It was first implemented for Sun's Solaris and later adopted
by other operating systems (Mac OS X, BSD). The Linux port is still ongoing.
In this talk, I would like to introduce the D language and its features. After a
brief introduction the talk will focus on the architecture of DTrace itself.
The last part of the talk will focus on the current status of the project.
DTrace is able to process data directly in the kernel, as eBPF does. This allows us to
perform some actions at the time an event has occurred rather than during post
processing of the records later in userspace. It also allows more precise selection
of the events of interest.
It is possible to use DTrace in many use cases:
- A kernel hacker may precisely monitor the Linux kernel
- A system administrator might use DTrace as an underlying technology
for observing system behavior.
- DTrace can participate in distributed tracing of complex scenarios
I would like to show some real-life examples of how DTrace can be used to inspect
a running system or as a source for an external telemetry system.
There are many tracers in the Linux world today with different approaches to achieving
their goals. One way to group them depends on when the data processing happens.
DTrace is a predecessor of eBPF. The difference is that eBPF alone is not easy to
handle from the user's perspective. For that purpose the BCC project was started, which provides
a compiler and runtime libraries based on LLVM to allow end users to write tracing tools
in high-level languages (C/Python). DTrace is based on the D language (DTrace's own language)
and has its own compiler built in, so starting to use DTrace requires no high-level language skills
or extra tools.
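To make the two points above concrete (in-kernel filtering and processing of events, and the built-in D compiler needing nothing but the dtrace binary), here is a small D script. It is an added example written for this page, not a script from the talk or from the DTrace project. It assumes the standard syscall and profile providers as shipped with DTrace on Solaris, macOS, BSD and the Linux port, and takes the process name to watch as the script's first macro argument ($$1); the file name syscall_summary.d is a placeholder.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the talk or the DTrace project).
 * Usage (needs root):  dtrace -s syscall_summary.d <process-name>
 *
 * Every clause below runs inside the kernel when its probe fires.
 * The predicate between slashes selects events of interest before any
 * work is done, and the @aggregations are summarised in the kernel;
 * only the final tables are copied to userspace when the script exits.
 */
#pragma D option quiet

/* Count every system call, but only for the process named in $$1. */
syscall:::entry
/execname == $$1/
{
    @calls[probefunc] = count();
}

/* Record the entry time of read(); self-> variables are thread-local. */
syscall::read:entry
/execname == $$1/
{
    self->start = timestamp;
}

/* On return, bucket the latency into a power-of-two histogram in-kernel
 * and clear the thread-local variable so it does not leak. */
syscall::read:return
/self->start/
{
    @read_ns = quantize(timestamp - self->start);
    self->start = 0;
}

/* After 10 seconds print the aggregated results and exit. */
tick-10s
{
    printf("syscall counts for %s:\n", $$1);
    printa(@calls);
    printf("read() latency in ns for %s:\n", $$1);
    printa(@read_ns);
    exit(0);
}
```

Run as `dtrace -s syscall_summary.d sshd` (as root) to get a per-syscall count table and a read() latency histogram for sshd after ten seconds. Compared with dumping every syscall record and summarising it later in userspace, the predicate drops unrelated processes at the probe site and the count()/quantize() aggregations keep only the summary in kernel memory, which is the difference the abstract describes between in-kernel processing and post-processing of records.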