How to solve 'BPF' object has no attribute 'get_syscall_fnname' when running a BPF program on Ubuntu

Problem

You run a Python BPF program on Ubuntu with this command:

python example.py

The content of example.py is:

from bcc import BPF

bpf_source = """
#include <uapi/linux/ptrace.h>

int do_sys_execve(struct pt_regs *ctx) {
  char comm[16];
  bpf_get_current_comm(&comm, sizeof(comm));
  bpf_trace_printk("executing program: %s\\n", comm);
  return 0;
}
"""

bpf = BPF(text=bpf_source)
execve_function = bpf.get_syscall_fnname("execve")
bpf.attach_kprobe(event=execve_function, fn_name="do_sys_execve")
bpf.trace_print()

You get this error:

[email protected]:~/linux-observability-with-bpf/code/chapter-4/kprobes# python example.py
Traceback (most recent call last):
  File "example.py", line 15, in <module>
    execve_function = bpf.get_syscall_fnname("execve")
AttributeError: 'BPF' object has no attribute 'get_syscall_fnname'

Environment

Check the OS version with this command:

cat /etc/os-release

NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"

Python version:

Python 2.7.17 (default, Apr 15 2020, 17:20:14)
[GCC 7.5.0] on linux2

Solution: Install the bcc dependencies

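According to the Python bcc documentation, you should install both libbcc and python-bcc on the system. Note that the first command fetches the repository signing key by its 8-character short ID; short IDs are not collision-resistant, so compare the imported key's full fingerprint with the one the project publishes before trusting the repository.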

# add key server
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys D4284CDD
# add iovisor to repo
echo "deb https://repo.iovisor.org/apt/bionic bionic main" | sudo tee /etc/apt/sources.list.d/iovisor.list
# update the repo
sudo apt-get update
# install libbcc
sudo apt-get install libbcc
# install python-bcc
sudo apt-get install python-bcc

Once everything is installed, run the Python BPF script again:

[email protected]:~/linux-observability-with-bpf/code/chapter-4/kprobes# python example.py
            bash-12522 [001] .... 330817.825407: 0x00000001: executing program: bash
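
A guard for scripts that have to run on hosts with mixed bcc versions, as an added example that is not part of the original post or of bcc: it uses `get_syscall_fnname` when the installed `BPF` class has it and otherwise looks the symbol up in `/proc/kallsyms`. The function names, the prefix list and the sample kallsyms lines are assumptions constructed for illustration.

```python
# Assumed prefix list: arch-specific syscall wrappers first, legacy "sys_" last.
SYSCALL_PREFIXES = ("__x64_sys_", "__arm64_sys_", "__s390x_sys_", "sys_")

# Constructed /proc/kallsyms excerpts (addresses read as zero without root).
NEW_KERNEL = """\
0000000000000000 T __x64_sys_execve
0000000000000000 T __ia32_sys_execve
0000000000000000 t do_execveat_common.isra.0
"""
OLD_KERNEL = """\
0000000000000000 T sys_execve
0000000000000000 D sys_call_table
"""


def resolve_syscall_symbol(name, kallsyms_text):
    """Return the text symbol implementing syscall `name`, or None."""
    text_symbols = set()
    for line in kallsyms_text.splitlines():
        fields = line.split()
        # Line format: <address> <type> <symbol> [module]; T/t mark code symbols.
        if len(fields) >= 3 and fields[1] in ("T", "t"):
            text_symbols.add(fields[2])
    for prefix in SYSCALL_PREFIXES:
        if prefix + name in text_symbols:
            return prefix + name
    return None


def syscall_fnname(bpf, name, kallsyms_path="/proc/kallsyms"):
    """Prefer bcc's get_syscall_fnname; fall back to kallsyms if it is missing."""
    helper = getattr(bpf, "get_syscall_fnname", None)
    if helper is not None:
        fn = helper(name)
        return fn.decode() if isinstance(fn, bytes) else fn
    with open(kallsyms_path) as f:
        return resolve_syscall_symbol(name, f.read())


if __name__ == "__main__":
    print(resolve_syscall_symbol("execve", NEW_KERNEL))
    print(resolve_syscall_symbol("execve", OLD_KERNEL))
```

In example.py, `execve_function = syscall_fnname(bpf, "execve")` would replace the direct `bpf.get_syscall_fnname("execve")` call; a `None` result means no matching symbol was found and the kprobe should not be attached.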