Module live_host

Module live_host 

Source
Expand description

Public surface for the live-host introspection pipeline.

Re-exports from the otherwise-internal monitor module so the live-host capture binary, integration tests, and downstream consumers can invoke the bpf()-syscall data path, kernel auto-discovery, kallsyms parser, and dmesg-scx parser without the monitor module’s frozen-VM internals leaking into the public API.

This module is the entry point for binaries and tests that consume the live-host capture pipeline.

Modules§

tl_evt
Type-byte values from src/bpf/intf.h::TL_EVT_*. Pinned here as the userspace-facing identifier for each variant; the parser uses these to discriminate the TimelineEvent variant.

Structs§

BpfMapInfo
Discovered BPF map metadata and value location.
BpfSyscallAccessor
Live-host BPF map accessor.
IncrementalCapture
Capture handle the freeze coordinator passes into the dump pipeline when periodic incremental snapshots are enabled.
IncrementalSnapshot
One incremental snapshot — opaque raw bytes captured at a particular freeze instant + the wall-clock ts of capture.
KallsymsTable
Parsed kernel symbol table from /proc/kallsyms.
LiveHostKernelEnv
Resolved live-host kernel environment.
ScxExitEvent
One parsed scx exit event from a kernel-message buffer window.
SnapshotRing
Bounded ring of IncrementalSnapshot values.
StackSymbol
One frame of a %pS-formatted stack trace.
TimelineCapture
Capture handle for the freeze coordinator’s drain of the timeline_events BPF ringbuf.
TimelineEventRaw
Wire-format mirror of struct timeline_event from src/bpf/intf.h.

Enums§

ScxExitKind
Kind of scx exit event extracted from dmesg.
TimelineEvent
Parsed timeline event with variant-aware field naming.

Constants§

BPF_MAP_TYPE_ARENA
BPF_MAP_TYPE_ARENA — sparse, page-granular memory region shared between BPF programs and userspace. The host-side walker for arena pages lives in super::arena.
BPF_MAP_TYPE_ARRAY
BPF_MAP_TYPE_ARRAY — fixed-size array of values. Inline values at the bpf_array.value flex array.
BPF_MAP_TYPE_HASH
BPF_MAP_TYPE_HASH — generic hash table. Inline value bytes at htab_elem_value (key + round_up(key_size, 8)).
BPF_MAP_TYPE_PERCPU_ARRAY
BPF_MAP_TYPE_PERCPU_ARRAY — like ARRAY but each slot is a void __percpu * resolved per-CPU.
DEFAULT_SNAPSHOT_RING_DEPTH
Default snapshot-ring depth: 60 entries at 1 Hz steady-state covers 60 seconds of pre-trigger context — long enough for the dual-snapshot delta to detect slow drift, short enough that the storage cost stays within the 60-300 MiB envelope of the per-VM budget for incremental capture.

Traits§

BpfMapAccessor
Read-only abstraction over BPF map enumeration and value reads across data sources. Mutating operations (write_value etc.) are inherent on each backend, NOT exposed here — the trait surface is a snapshot-style read API used by the failure-dump renderer and any future read-only consumer.

Functions§

extract_stack_symbols
Extract funcname+0xoff/0xsz tokens from one line of kernel output.
parse_kmsg_window
Parse a window of /dev/kmsg (or dmesg text) and return every scx exit event found in it.
parse_timeline_buf
Parse a contiguous buffer of timeline records into a vec of TimelineEvent values, in encounter order.
parse_timeline_record
Parse a single 40-byte ringbuf record.
uname_release
uname(2) syscall wrapper. Returns the running kernel’s release string (the field that uname -r prints).