Expand description
Public surface for the live-host introspection pipeline.
Re-exports from the otherwise-internal monitor module so the
live-host capture binary, integration tests, and downstream
consumers can invoke the bpf()-syscall data path, kernel
auto-discovery, kallsyms parser, and dmesg-scx parser without the
monitor module’s frozen-VM internals leaking into the public API.
This module is the entry point for binaries and tests that consume the live-host capture pipeline.
Modules§
- tl_evt
- Type-byte values from
src/bpf/intf.h::TL_EVT_*. Pinned here as the userspace-facing identifier for each variant; the parser uses these to discriminate theTimelineEventvariant.
Structs§
- BpfMap
Info - Discovered BPF map metadata and value location.
- BpfSyscall
Accessor - Live-host BPF map accessor.
- Incremental
Capture - Capture handle the freeze coordinator passes into the dump pipeline when periodic incremental snapshots are enabled.
- Incremental
Snapshot - One incremental snapshot — opaque raw bytes captured at a particular freeze instant + the wall-clock ts of capture.
- Kallsyms
Table - Parsed kernel symbol table from
/proc/kallsyms. - Live
Host Kernel Env - Resolved live-host kernel environment.
- ScxExit
Event - One parsed scx exit event from a kernel-message buffer window.
- Snapshot
Ring - Bounded ring of
IncrementalSnapshotvalues. - Stack
Symbol - One frame of a
%pS-formatted stack trace. - Timeline
Capture - Capture handle for the freeze coordinator’s drain of the
timeline_eventsBPF ringbuf. - Timeline
Event Raw - Wire-format mirror of
struct timeline_eventfromsrc/bpf/intf.h.
Enums§
- ScxExit
Kind - Kind of scx exit event extracted from dmesg.
- Timeline
Event - Parsed timeline event with variant-aware field naming.
Constants§
- BPF_
MAP_ TYPE_ ARENA BPF_MAP_TYPE_ARENA— sparse, page-granular memory region shared between BPF programs and userspace. The host-side walker for arena pages lives insuper::arena.- BPF_
MAP_ TYPE_ ARRAY BPF_MAP_TYPE_ARRAY— fixed-size array of values. Inline values at thebpf_array.valueflex array.- BPF_
MAP_ TYPE_ HASH BPF_MAP_TYPE_HASH— generic hash table. Inline value bytes athtab_elem_value(key + round_up(key_size, 8)).- BPF_
MAP_ TYPE_ PERCPU_ ARRAY BPF_MAP_TYPE_PERCPU_ARRAY— likeARRAYbut each slot is avoid __percpu *resolved per-CPU.- DEFAULT_
SNAPSHOT_ RING_ DEPTH - Default snapshot-ring depth: 60 entries at 1 Hz steady-state covers 60 seconds of pre-trigger context — long enough for the dual-snapshot delta to detect slow drift, short enough that the storage cost stays within the 60-300 MiB envelope of the per-VM budget for incremental capture.
Traits§
- BpfMap
Accessor - Read-only abstraction over BPF map enumeration and value reads across data sources. Mutating operations (write_value etc.) are inherent on each backend, NOT exposed here — the trait surface is a snapshot-style read API used by the failure-dump renderer and any future read-only consumer.
Functions§
- extract_
stack_ symbols - Extract
funcname+0xoff/0xsztokens from one line of kernel output. - parse_
kmsg_ window - Parse a window of
/dev/kmsg(ordmesgtext) and return every scx exit event found in it. - parse_
timeline_ buf - Parse a contiguous buffer of timeline records into a vec of
TimelineEventvalues, in encounter order. - parse_
timeline_ record - Parse a single 40-byte ringbuf record.
- uname_
release uname(2)syscall wrapper. Returns the running kernel’s release string (the field thatuname -rprints).