
io_uring activity detection using tracepoints #2

@anfedotoff

Hi 👋 !

Thank you, @amitschendel, for your very interesting blog post. It inspired me to do some experiments. I wonder: can we monitor io_uring activity using eBPF? I have a personal project, bombini, for experiments with eBPF. It took some time to write a detector which tracks SQE submission using the io_uring_submit_req tracepoint. The detector provides events with the following information:

  • io_uring_op opcode
  • process information

It works fine on the examples that you provided; here are some logs:

{
  "flags": 8208,
  "host": "(unnamed)",
  "opcode": "IORING_OP_OPENAT",
  "process": {
    "args": "",
    "auid": 1000,
    "binary_path": "/home/fedotoff/curing/io_uring_example/program",
    "cap_effective": 0,
    "cap_inheritable": 0,
    "cap_permitted": 0,
    "euid": 1000,
    "filename": "program",
    "pid": 187450,
    "ppid": 0,
    "secureexec": "",
    "tid": 187450,
    "uid": 1000
  },
  "source_type": "socket",
  "timestamp": "2025-05-09T09:52:02.306431290Z",
  "type": "IOUringEvent"
}
{
  "flags": 0,
  "host": "(unnamed)",
  "opcode": "IORING_OP_WRITE",
  "process": {
    "args": "",
    "auid": 1000,
    "binary_path": "/home/fedotoff/curing/io_uring_example/program",
    "cap_effective": 0,
    "cap_inheritable": 0,
    "cap_permitted": 0,
    "euid": 1000,
    "filename": "program",
    "pid": 187450,
    "ppid": 0,
    "secureexec": "",
    "tid": 187450,
    "uid": 1000
  },
  "source_type": "socket",
  "timestamp": "2025-05-09T09:52:02.306762611Z",
  "type": "IOUringEvent"
}
{
  "flags": 0,
  "host": "(unnamed)",
  "opcode": "IORING_OP_CLOSE",
  "process": {
    "args": "",
    "auid": 1000,
    "binary_path": "/home/fedotoff/curing/io_uring_example/program",
    "cap_effective": 0,
    "cap_inheritable": 0,
    "cap_permitted": 0,
    "euid": 1000,
    "filename": "program",
    "pid": 187450,
    "ppid": 0,
    "secureexec": "",
    "tid": 187450,
    "uid": 1000
  },
  "source_type": "socket",
  "timestamp": "2025-05-09T09:52:02.306941263Z",
  "type": "IOUringEvent"
}

It seems to me that we can collect more details of the SQE, not only the opcode, but I think it's a good start. Also, I think it's possible to write a Tetragon TracingPolicy for io_uring_submit_req and extract the opcode.
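
Added example (not part of the original issue and not bombini's code): a consumer for events shaped like the logs above, which arrive as back-to-back JSON objects rather than one per line, grouping io_uring opcodes per process and flagging the ones a defender may want surfaced. The sample events, paths, PIDs and the `WATCHED` policy set are constructed assumptions.

```python
import json
from collections import defaultdict

# Assumption: opcodes worth alerting on (real IORING_OP_* names, hypothetical policy).
WATCHED = {"IORING_OP_OPENAT", "IORING_OP_OPENAT2", "IORING_OP_CONNECT",
           "IORING_OP_ACCEPT", "IORING_OP_SOCKET", "IORING_OP_UNLINKAT"}

# Constructed sample: two processes, events trimmed to the fields used below.
SAMPLE = """
{ "opcode": "IORING_OP_OPENAT", "type": "IOUringEvent",
  "process": {"pid": 4242, "uid": 1000, "binary_path": "/opt/demo/ring_writer"} }
{ "opcode": "IORING_OP_WRITE", "type": "IOUringEvent",
  "process": {"pid": 4242, "uid": 1000, "binary_path": "/opt/demo/ring_writer"} }
{ "opcode": "IORING_OP_CLOSE", "type": "IOUringEvent",
  "process": {"pid": 4242, "uid": 1000, "binary_path": "/opt/demo/ring_writer"} }
{ "opcode": "IORING_OP_READ", "type": "IOUringEvent",
  "process": {"pid": 5151, "uid": 0, "binary_path": "/opt/demo/db_server"} }
"""

def iter_events(stream):
    """Yield each object from a stream of back-to-back (not line-delimited) JSON."""
    decoder, pos = json.JSONDecoder(), 0
    while True:
        while pos < len(stream) and stream[pos].isspace():
            pos += 1  # raw_decode() does not skip leading whitespace itself
        if pos >= len(stream):
            return
        event, pos = decoder.raw_decode(stream, pos)
        yield event

def summarize(stream, watched=WATCHED):
    """Group io_uring opcodes per process and list the watched ones seen."""
    per_proc = defaultdict(list)
    for ev in iter_events(stream):
        if ev.get("type") != "IOUringEvent":
            continue  # ignore events from other detectors
        proc = ev.get("process", {})
        per_proc[(proc.get("pid"), proc.get("binary_path"))].append(ev.get("opcode"))
    return [{"pid": pid, "binary_path": path, "opcodes": ops,
             "watched": sorted(set(ops) & watched)}
            for (pid, path), ops in per_proc.items()]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print("ALERT" if row["watched"] else "ok   ", json.dumps(row))
```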
