SystemTap: Getting Started with Dynamic EC2 Instance Diagnostics

Just because you can’t see or hear your Amazon EC2 instances the way you can in your local data center, doesn’t mean you shouldn’t be concerned about them. Think of SystemTap as a fabulous window into your VM.

Have you ever wondered what’s going on deep inside your Linux instance? Why some processes run so slowly? Why your disk is thrashing around so wildly? Have you tried to write your own system’s tools and wish that you were able to export or access certain systems’ internal variables or information? Have you tried to write your own Linux kernel module but felt that the learning curve was way too steep?

Let me introduce you to SystemTap.

(The beautiful SystemTap logo was designed by Andy Fitzsimon – who sat next to me when we were both working at Red Hat in Singapore.)
SystemTap is an open source software package to help you analyze or troubleshoot a running Linux instance. It provides a dynamic instrumentation framework that lets you probe a system to gather information and a scripting language translator that interprets scripts written in a C or Perl-like language into C code, that could be compiled into Linux kernel modules. These modules will then be loaded into the system to generate outcome specified by your script.

But enough introduction. Let’s get started already!

Installing SystemTap on your AWS EC2 instance

This article assumes that you know how to create and launch an EC2 instance. If not, I recommend taking Cloud Academy’s Compute Fundamentals for AWS Course as part of the AWS Fundamentals Learning Path.

Connect to the instance using the OpenSSH SSH client.

$ ssh -i "cloudacademy-keypair.pem" ec2-user@[redacted]

Note the Linux kernel version we are using. In this case, it’s version 3.10.0, and the release number is 229.el7.

$ uname -a
Linux ip-[redacted].ap-southeast-1.compute.internal 3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux

To prepare the Linux instance for kernel-space probing with SystemTap, we will need to install some RPM packages, including kernel-debuginfo and systemtap. We need to ensure that all the kernel packages we will install on the instance have the same version and of the same architecture.

To install a debuginfo package, we’ll enable the “Red Hat Enterprise Linux Server 7 Debug (Debug RPMs)” yum repository that, by default, is disabled.

$ sudo su -
# yum repolist disabled
Loaded plugins: amazon-id, rhui-lb
repo id                                                                repo name
rhui-REGION-rhel-server-debug-extras/7Server/x86_64                    Red Hat Enterprise Linux Server 7 Extra Debug (Debug RPMs)
rhui-REGION-rhel-server-debug-optional/7Server/x86_64                  Red Hat Enterprise Linux Server 7 Optional Debug (Debug RPMs)
rhui-REGION-rhel-server-debug-rh-common/7Server/x86_64                 Red Hat Enterprise Linux Server 7 RH Common Debug (Debug RPMs)
rhui-REGION-rhel-server-debug-rhscl/7Server/x86_64                     Red Hat Enterprise Linux Server 7 RHSCL Debug (Debug RPMs)
rhui-REGION-rhel-server-debug-supplementary/7Server/x86_64             Red Hat Enterprise Linux Server 7 Supplementary Debug (Debug RPMs)
rhui-REGION-rhel-server-extras/7Server/x86_64                          Red Hat Enterprise Linux Server 7 Extra(RPMs)
rhui-REGION-rhel-server-optional/7Server/x86_64                        Red Hat Enterprise Linux Server 7 Optional (RPMs)
rhui-REGION-rhel-server-releases-debug/7Server/x86_64                  Red Hat Enterprise Linux Server 7 Debug (Debug RPMs)
rhui-REGION-rhel-server-releases-source/7Server/x86_64                 Red Hat Enterprise Linux Server 7 (SRPMs)
rhui-REGION-rhel-server-rhscl/7Server/x86_64                           Red Hat Enterprise Linux Server 7 RHSCL (RPMs)
rhui-REGION-rhel-server-source-extras/7Server/x86_64                   Red Hat Enterprise Linux Server 7 Extra (SRPMs)
rhui-REGION-rhel-server-source-optional/7Server/x86_64                 Red Hat Enterprise Linux Server 7 Optional (SRPMs)
rhui-REGION-rhel-server-source-rh-common/7Server/x86_64                Red Hat Enterprise Linux Server 7 RH Common (SRPMs)
rhui-REGION-rhel-server-source-rhscl/7Server/x86_64                    Red Hat Enterprise Linux Server 7 RHSCL (SRPMs)
rhui-REGION-rhel-server-source-supplementary/7Server/x86_64            Red Hat Enterprise Linux Server 7 Supplementary (SRPMs)
rhui-REGION-rhel-server-supplementary/7Server/x86_64                   Red Hat Enterprise Linux Server 7 Supplementary (RPMs)
repolist: 0

Now we’ll use yum-config-manager to enable the repo.

# yum-config-manager --enable "Red Hat Enterprise Linux Server 7 Debug (Debug RPMs)"

Now you’ll be able to search for the debuginfo packages.

# yum search kernel | grep ^kernel-debuginfo
kernel-debuginfo.x86_64 : Debug information for package kernel
kernel-debuginfo-common-x86_64.x86_64 : Kernel source files used by

To ensure that we have the same Linux kernel version, we need to install the kernel and kernel-devel packages along with the kernel-debuginfo packages. If yum returns a different kernel version from the kernel-debuginfo packages, you may need to specify the version manually.

# yum -y install kernel-debuginfo kernel kernel-devel

Depending on your Internet connectivity, it may take some time to download these packages. To give you an idea how large some of these packages are, the kernel-debuginfo-common package is 41MB and the kernel-debuginfo package is 259MB. Fortunately, unless the kernel version and release number change, you only need to install these packages once.

You will need to reboot your machine to apply the new kernel.

# init 6

Once we’re running again, let’s reconnect to the instance.

$ ssh -i "cloudacademy-keypair.pem" ec2-user@[redacted]

Verify that we are using the right kernel version. Notice that the release number is now 229.11.1.el7. Each time Red Hat spins a new kernel, it will update the release number of the package.

$ uname -a
Linux ip-[redacted].ap-southeast-1.compute.internal 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Jul 22 12:06:11 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

We can use the rpm command to make sure that the version we booted is the same as the debuginfo packages we have installed. This is important.

$ rpm -qa | grep ^kernel
kernel-tools-3.10.0-229.el7.x86_64
kernel-3.10.0-229.el7.x86_64
kernel-debuginfo-common-x86_64-3.10.0-229.11.1.el7.x86_64
kernel-3.10.0-229.11.1.el7.x86_64
kernel-devel-3.10.0-229.11.1.el7.x86_64
kernel-tools-libs-3.10.0-229.el7.x86_64
kernel-debuginfo-3.10.0-229.11.1.el7.x86_64

Next, use yum to list all the systemtap-related packages.

# yum list systemtap*
Loaded plugins: amazon-id, rhui-lb
Available Packages
systemtap.x86_64                                              2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-client.x86_64                                       2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-debuginfo.i686                                      2.6-10.el7_1                                    rhui-REGION-rhel-server-releases-debug
systemtap-debuginfo.x86_64                                    2.6-10.el7_1                                    rhui-REGION-rhel-server-releases-debug
systemtap-devel.x86_64                                        2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-initscript.x86_64                                   2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-runtime.x86_64                                      2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-sdt-devel.i686                                      2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-sdt-devel.x86_64                                    2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-server.x86_64                                       2.6-10.el7_1                                    rhui-REGION-rhel-server-releases

Then install the main systemtap package, and yum will take care of its dependencies.

# yum -y install systemtap

Once all the systemtap-related packages are installed, exit from the root shell to return to the normal user shell.

# logout

Running our first SystemTap script

We have installed all the necessary RPM packages and we are almost ready to run our very first “Hello World” script!

SystemTap uses a simple permission model to grant users’ permissions to use the tool to prevent people from misusing or abusing the tool. Unless you’re a member of the stapusr and stapdev groups, you will not be allowed to build and run SystemTap scripts. Since we are going to write and run our own script, and we hopefully know exactly what we are doing, we will add ourselves to the stapusr and stapdev groups.

$ sudo usermod -G stapusr,stapdev ec2-user
$ grep ^stap /etc/group
stapusr:x:156:ec2-user
stapsys:x:157:
stapdev:x:158:ec2-user

You will need to logout and re-login to the instance to reflect that you are now members of these two groups.

$ logout
$ ssh -i "cloudacademy-keypair.pem" ec2-user@[redacted]

Type id to see if you are in stapusr and stapdev groups.

$ id
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),156(stapusr),158(stapdev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

If you are, let’s party on! stap is the SystemTap tool you’ll use to run the script.
There are two ways to write a script. You can either write it in a .stp extension file, or simply specify the script on the command-line with the -e option.

We will opt for the latter since we will use a one-liner script to test if the installation works as expected.

$ stap -e 'probe begin { log("hello world") exit () }'
hello world

Voilà! We have successfully run our first SystemTap script!

In our next article, we will explore some interesting scripts that come with SystemTap.

Avatar

Written by

Eugene Teo

Eugene Teo is a director of security at a US-based technology company. He is interested in applying machine learning techniques to solve problems in the security domain.

Related Posts

Alisha Reyes
Alisha Reyes
— August 22, 2019

How to Unlock Complimentary Access to Cloud Academy

Are you looking to get trained or certified on AWS, Azure, Google Cloud Platform, DevOps, Cloud Security, Python, Java, or another technical skill? Then you'll want to mark your calendars for August 23, 2019. Starting Friday at 12:00 a.m. PDT (3:00 a.m. EDT), Cloud Academy is offering c...

Read more
  • AWS
  • Azure
  • cloud academy content
  • complimentary access
  • GCP
  • on the house
Avatar
Michael Sheehy
— August 19, 2019

What Exactly Is a Cloud Architect and How Do You Become One?

One of the buzzwords surrounding the cloud that I'm sure you've heard is "Cloud Architect." In this article, I will outline my understanding of what a cloud architect does and I'll analyze the skills and certifications necessary to become one. I will also list some of the types of jobs ...

Read more
  • AWS
  • Cloud Computing
Avatar
Nitheesh Poojary
— August 19, 2019

Boto: Using Python to Automate AWS Services

Boto allows you to write scripts to automate things like starting AWS EC2 instances Boto is a Python package that provides programmatic connectivity to Amazon Web Services (AWS). AWS offers a range of services for dynamically scaling servers including the core compute service, Elastic...

Read more
  • Automated AWS Services
  • AWS
  • Boto
  • Python
Avatar
Andrew Larkin
— August 13, 2019

Content Roadmap: AZ-500, ITIL 4, MS-100, Google Cloud Associate Engineer, and More

Last month, Cloud Academy joined forces with QA, the UK’s largest B2B skills provider, and it put us in an excellent position to solve a massive skills gap problem. As a result of this collaboration, you will see our training library grow with additions from QA’s massive catalog of 500+...

Read more
  • AWS
  • Azure
  • content roadmap
  • Google Cloud Platform
Avatar
Adam Hawkins
— August 9, 2019

DevSecOps: How to Secure DevOps Environments

Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...

Read more
  • AWS
  • cloud security
  • DevOps
  • DevSecOps
  • Security
Avatar
Stefano Giacone
— August 8, 2019

Test Your Cloud Knowledge on AWS, Azure, or Google Cloud Platform

Cloud skills are in demand | In today's digital era, employers are constantly seeking skilled professionals with working knowledge of AWS, Azure, and Google Cloud Platform. According to the 2019 Trends in Cloud Transformation report by 451 Research: Business and IT transformations re...

Read more
  • AWS
  • Cloud skills
  • Google Cloud
  • Microsoft Azure
Avatar
Andrew Larkin
— August 7, 2019

Disadvantages of Cloud Computing

If you want to deliver digital services of any kind, you’ll need to estimate all types of resources, not the least of which are CPU, memory, storage, and network connectivity. Which resources you choose for your delivery —  cloud-based or local — is up to you. But you’ll definitely want...

Read more
  • AWS
  • Azure
  • Cloud Computing
  • Google Cloud Platform
Joe Nemer
Joe Nemer
— August 6, 2019

Google Cloud vs AWS: A Comparison (or can they be compared?)

The "Google Cloud vs AWS" argument used to be a common discussion among our members, but is this still really a thing? You may already know that there are three major players in the public cloud platforms arena: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)...

Read more
  • AWS
  • Google Cloud Platform
  • Kubernetes
Avatar
Stuart Scott
— July 29, 2019

Deployment Orchestration with AWS Elastic Beanstalk

If you're responsible for the development and deployment of web applications within your AWS environment for your organization, then it's likely you've heard of AWS Elastic Beanstalk. If you are new to this service, or simply need to know a bit more about the service and the benefits th...

Read more
  • AWS
  • elastic beanstalk
Avatar
Stuart Scott
— July 26, 2019

How to Use & Install the AWS CLI

What is the AWS CLI? | The AWS Command Line Interface (CLI) is for managing your AWS services from a terminal session on your own client, allowing you to control and configure multiple AWS services and implement a level of automation. If you’ve been using AWS for some time and feel...

Read more
  • AWS
  • AWS CLI
  • Command line interface
Alisha Reyes
Alisha Reyes
— July 22, 2019

Cloud Academy’s Blog Digest: July 2019

July has been a very exciting month for us at Cloud Academy. On July 10, we officially joined forces with QA, the UK’s largest B2B skills provider (read the announcement). Over the coming weeks, you will see additions from QA’s massive catalog of 500+ certification courses and 1500+ ins...

Read more
  • AWS
  • Azure
  • Cloud Academy
  • Cybersecurity
  • DevOps
  • Kubernetes
Avatar
Stuart Scott
— July 18, 2019

AWS Fundamentals: Understanding Compute, Storage, Database, Networking & Security

If you are just starting out on your journey toward mastering AWS cloud computing, then your first stop should be to understand the AWS fundamentals. This will enable you to get a solid foundation to then expand your knowledge across the entire AWS service catalog.   It can be both d...

Read more
  • AWS
  • Compute
  • Database
  • fundamentals
  • networking
  • Security
  • Storage