SystemTap: Getting Started with Dynamic EC2 Instance Diagnostics

Just because you can’t see or hear your Amazon EC2 instances the way you can in your local data center, doesn’t mean you shouldn’t be concerned about them. Think of SystemTap as a fabulous window into your VM.

Have you ever wondered what’s going on deep inside your Linux instance? Why some processes run so slowly? Why your disk is thrashing around so wildly? Have you tried to write your own system’s tools and wish that you were able to export or access certain systems’ internal variables or information? Have you tried to write your own Linux kernel module but felt that the learning curve was way too steep?

Let me introduce you to SystemTap.

(The beautiful SystemTap logo was designed by Andy Fitzsimon – who sat next to me when we were both working at Red Hat in Singapore.)
SystemTap is an open source software package to help you analyze or troubleshoot a running Linux instance. It provides a dynamic instrumentation framework that lets you probe a system to gather information and a scripting language translator that interprets scripts written in a C or Perl-like language into C code, that could be compiled into Linux kernel modules. These modules will then be loaded into the system to generate outcome specified by your script.

But enough introduction. Let’s get started already!

Installing SystemTap on your AWS EC2 instance

This article assumes that you know how to create and launch an EC2 instance. If not, I recommend taking Cloud Academy’s Compute Fundamentals for AWS Course as part of the AWS Fundamentals Learning Path.

Connect to the instance using the OpenSSH SSH client.

$ ssh -i "cloudacademy-keypair.pem" ec2-user@[redacted]

Note the Linux kernel version we are using. In this case, it’s version 3.10.0, and the release number is 229.el7.

$ uname -a
Linux ip-[redacted].ap-southeast-1.compute.internal 3.10.0-229.el7.x86_64 #1 SMP Thu Jan 29 18:37:38 EST 2015 x86_64 x86_64 x86_64 GNU/Linux

To prepare the Linux instance for kernel-space probing with SystemTap, we will need to install some RPM packages, including kernel-debuginfo and systemtap. We need to ensure that all the kernel packages we will install on the instance have the same version and of the same architecture.

To install a debuginfo package, we’ll enable the “Red Hat Enterprise Linux Server 7 Debug (Debug RPMs)” yum repository that, by default, is disabled.

$ sudo su -
# yum repolist disabled
Loaded plugins: amazon-id, rhui-lb
repo id                                                                repo name
rhui-REGION-rhel-server-debug-extras/7Server/x86_64                    Red Hat Enterprise Linux Server 7 Extra Debug (Debug RPMs)
rhui-REGION-rhel-server-debug-optional/7Server/x86_64                  Red Hat Enterprise Linux Server 7 Optional Debug (Debug RPMs)
rhui-REGION-rhel-server-debug-rh-common/7Server/x86_64                 Red Hat Enterprise Linux Server 7 RH Common Debug (Debug RPMs)
rhui-REGION-rhel-server-debug-rhscl/7Server/x86_64                     Red Hat Enterprise Linux Server 7 RHSCL Debug (Debug RPMs)
rhui-REGION-rhel-server-debug-supplementary/7Server/x86_64             Red Hat Enterprise Linux Server 7 Supplementary Debug (Debug RPMs)
rhui-REGION-rhel-server-extras/7Server/x86_64                          Red Hat Enterprise Linux Server 7 Extra(RPMs)
rhui-REGION-rhel-server-optional/7Server/x86_64                        Red Hat Enterprise Linux Server 7 Optional (RPMs)
rhui-REGION-rhel-server-releases-debug/7Server/x86_64                  Red Hat Enterprise Linux Server 7 Debug (Debug RPMs)
rhui-REGION-rhel-server-releases-source/7Server/x86_64                 Red Hat Enterprise Linux Server 7 (SRPMs)
rhui-REGION-rhel-server-rhscl/7Server/x86_64                           Red Hat Enterprise Linux Server 7 RHSCL (RPMs)
rhui-REGION-rhel-server-source-extras/7Server/x86_64                   Red Hat Enterprise Linux Server 7 Extra (SRPMs)
rhui-REGION-rhel-server-source-optional/7Server/x86_64                 Red Hat Enterprise Linux Server 7 Optional (SRPMs)
rhui-REGION-rhel-server-source-rh-common/7Server/x86_64                Red Hat Enterprise Linux Server 7 RH Common (SRPMs)
rhui-REGION-rhel-server-source-rhscl/7Server/x86_64                    Red Hat Enterprise Linux Server 7 RHSCL (SRPMs)
rhui-REGION-rhel-server-source-supplementary/7Server/x86_64            Red Hat Enterprise Linux Server 7 Supplementary (SRPMs)
rhui-REGION-rhel-server-supplementary/7Server/x86_64                   Red Hat Enterprise Linux Server 7 Supplementary (RPMs)
repolist: 0

Now we’ll use yum-config-manager to enable the repo.

# yum-config-manager --enable "Red Hat Enterprise Linux Server 7 Debug (Debug RPMs)"

Now you’ll be able to search for the debuginfo packages.

# yum search kernel | grep ^kernel-debuginfo
kernel-debuginfo.x86_64 : Debug information for package kernel
kernel-debuginfo-common-x86_64.x86_64 : Kernel source files used by

To ensure that we have the same Linux kernel version, we need to install the kernel and kernel-devel packages along with the kernel-debuginfo packages. If yum returns a different kernel version from the kernel-debuginfo packages, you may need to specify the version manually.

# yum -y install kernel-debuginfo kernel kernel-devel

Depending on your Internet connectivity, it may take some time to download these packages. To give you an idea how large some of these packages are, the kernel-debuginfo-common package is 41MB and the kernel-debuginfo package is 259MB. Fortunately, unless the kernel version and release number change, you only need to install these packages once.

You will need to reboot your machine to apply the new kernel.

# init 6

Once we’re running again, let’s reconnect to the instance.

$ ssh -i "cloudacademy-keypair.pem" ec2-user@[redacted]

Verify that we are using the right kernel version. Notice that the release number is now 229.11.1.el7. Each time Red Hat spins a new kernel, it will update the release number of the package.

$ uname -a
Linux ip-[redacted].ap-southeast-1.compute.internal 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed Jul 22 12:06:11 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

We can use the rpm command to make sure that the version we booted is the same as the debuginfo packages we have installed. This is important.

$ rpm -qa | grep ^kernel
kernel-tools-3.10.0-229.el7.x86_64
kernel-3.10.0-229.el7.x86_64
kernel-debuginfo-common-x86_64-3.10.0-229.11.1.el7.x86_64
kernel-3.10.0-229.11.1.el7.x86_64
kernel-devel-3.10.0-229.11.1.el7.x86_64
kernel-tools-libs-3.10.0-229.el7.x86_64
kernel-debuginfo-3.10.0-229.11.1.el7.x86_64

Next, use yum to list all the systemtap-related packages.

# yum list systemtap*
Loaded plugins: amazon-id, rhui-lb
Available Packages
systemtap.x86_64                                              2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-client.x86_64                                       2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-debuginfo.i686                                      2.6-10.el7_1                                    rhui-REGION-rhel-server-releases-debug
systemtap-debuginfo.x86_64                                    2.6-10.el7_1                                    rhui-REGION-rhel-server-releases-debug
systemtap-devel.x86_64                                        2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-initscript.x86_64                                   2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-runtime.x86_64                                      2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-sdt-devel.i686                                      2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-sdt-devel.x86_64                                    2.6-10.el7_1                                    rhui-REGION-rhel-server-releases
systemtap-server.x86_64                                       2.6-10.el7_1                                    rhui-REGION-rhel-server-releases

Then install the main systemtap package, and yum will take care of its dependencies.

# yum -y install systemtap

Once all the systemtap-related packages are installed, exit from the root shell to return to the normal user shell.

# logout

Running our first SystemTap script

We have installed all the necessary RPM packages and we are almost ready to run our very first “Hello World” script!

SystemTap uses a simple permission model to grant users’ permissions to use the tool to prevent people from misusing or abusing the tool. Unless you’re a member of the stapusr and stapdev groups, you will not be allowed to build and run SystemTap scripts. Since we are going to write and run our own script, and we hopefully know exactly what we are doing, we will add ourselves to the stapusr and stapdev groups.

$ sudo usermod -G stapusr,stapdev ec2-user
$ grep ^stap /etc/group
stapusr:x:156:ec2-user
stapsys:x:157:
stapdev:x:158:ec2-user

You will need to logout and re-login to the instance to reflect that you are now members of these two groups.

$ logout
$ ssh -i "cloudacademy-keypair.pem" ec2-user@[redacted]

Type id to see if you are in stapusr and stapdev groups.

$ id
uid=1000(ec2-user) gid=1000(ec2-user) groups=1000(ec2-user),156(stapusr),158(stapdev) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

If you are, let’s party on! stap is the SystemTap tool you’ll use to run the script.
There are two ways to write a script. You can either write it in a .stp extension file, or simply specify the script on the command-line with the -e option.

We will opt for the latter since we will use a one-liner script to test if the installation works as expected.

$ stap -e 'probe begin { log("hello world") exit () }'
hello world

Voilà! We have successfully run our first SystemTap script!

In our next article, we will explore some interesting scripts that come with SystemTap.

Avatar

Written by

Eugene Teo

Eugene Teo is a director of security at a US-based technology company. He is interested in applying machine learning techniques to solve problems in the security domain.


Related Posts

Vijayakumar Athithan
Vijayakumar Athithan
— March 27, 2020

What is Cognito in AWS?

Web applications usually allow a valid username and password combination for successful sign in to the application. Modern authentication flows incorporate more approaches to ensure user authentication. When using AWS, this is no exception, thanks to the abilities and features offered b...

Read more
  • AWS
  • AWS Cognito
  • Solutions Architect
Connie Benton
Connie Benton
— March 25, 2020

How To Build a Career with AWS Certifications

From Iaas and PaaS solutions to digital marketing, cloud computing reshapes the world of technology. As the influence of this technology grows, so does investment. Tens of billions of dollars are being spent on cloud computing-related services each year. This influx is continuing to inc...

Read more
  • AWS
  • Certifications
Avatar
Andrew Larkin
— March 20, 2020

The 12 AWS Certifications: Which is Right for You and Your Team?

As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing. As the market leader and most ma...

Read more
  • AWS
  • AWS Certifications
Alisha Reyes
Alisha Reyes
— March 17, 2020

Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more

With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • programming
  • Security
Avatar
Cloud Academy Team
— March 13, 2020

Which Certifications Should I Get?

As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...

Read more
  • AWS
  • Azure
  • Certifications
  • Cloud Computing
  • Google Cloud Platform
Alisha Reyes
Alisha Reyes
— March 7, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Alisha Reyes
Alisha Reyes
— March 6, 2020

New on Cloud Academy: Intro to GitOps; AWS Courses; Java, Python, Amazon Linux 2, Ubuntu, & Docker Playgrounds; and much more

New Lab Playgrounds This month, our Content Team released six new "playground labs." Our playground labs provide a safe and secure sandbox environment for you to explore your own ideas, follow along with Cloud Academy courses, or answer your own questions — all without having to instal...

Read more
  • AWS
  • Azure
  • gitops
  • Google Cloud Platform
  • lab playground
  • programming
Patrick Navarro
Patrick Navarro
— March 4, 2020

AWS Certifications: How Do They Increase Your Employability and Progress Your Career?

AWS certifications are no walk in the park. They’re designed to validate in-depth, specialist knowledge and comprehensive experience, often requiring months of dedicated studying to earn even for those already working with the cloud platform. But the rewards that AWS professionals ca...

Read more
  • AWS
  • AWS certification
  • certification
Avatar
Chandan Patra
— February 21, 2020

Elasticsearch vs. CloudSearch: AWS Cloud Search Choices

Elasticsearch vs. CloudSearch: What's the main difference? Let's compare AWS-based cloud tools: Elasticsearch vs. CloudSearch. While both services use proven technologies, Elasticsearch is more popular, open source, and has a flexible API to use for customization; in comparison, CloudS...

Read more
  • AWS
  • Azure
  • cloudsearch
  • elasticsearch
Avatar
Andrew Larkin
— February 13, 2020

Cloud Academy Content Roadmap Updates

Welcome to our Q1 2020 roadmap. This is the content we plan to build over the next three months, between February 1 - and April 30, 2020. Let's look at some of our roadmap highlights. Atlassian Bamboo for CI/CD We had a lot of requests for practical guides on how to apply DevOps tool...

Read more
  • Artificial Intelligence
  • AWS
  • Azure
  • Docker
  • Google Cloud Platform
  • Kubernetes
  • Machine Learning
Alisha Reyes
Alisha Reyes
— February 7, 2020

New on Cloud Academy: Git Labs, CKA and CKAD Lab Challenges, AWS and Azure Learning Paths, AGILE, and Much More

We just kicked off our first Free Weekend of 2020. This means we've unlocked our Training Library for just 72 hours. Until Sunday at 11:59 pm (PST), you can get unlimited access to our industry-leading learning paths, courses, certification prep exams, and our most popular hands-on labs...

Read more
  • agile
  • AWS
  • Azure
  • Google Cloud Platform
  • Linux
  • OWASP
  • programming
  • red hat
  • scrum
Avatar
Stuart Scott
— February 6, 2020

How to Encrypt an EBS Volume

Keeping data and applications safe in the cloud is one of the most visible challenges facing cloud teams in 2020. Cloud storage services where data resides are frequently a target for hackers, not because the services are inherently weak but because they are often improperly configured....

Read more
  • AWS
  • EBS
  • Encryption