book

Learning eBPF

by Liz Rice

March 2023

Beginner

234 pages

6h 6m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Who This Book Is ForWhat This Book CoversPrerequisite KnowledgeExample Code and ExercisesIs eBPF Only for Linux?Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
eBPF’s Roots: The Berkeley Packet FilterFrom BPF to eBPFThe Evolution of eBPF to Production SystemsNaming Is HardThe Linux KernelAdding New Functionality to the KernelKernel ModulesDynamic Loading of eBPF ProgramsHigh Performance of eBPF ProgramseBPF in Cloud Native EnvironmentsSummary
BCC’s “Hello World”Running “Hello World”BPF MapsHash Table MapPerf and Ring Buffer MapsFunction CallsTail CallsSummaryExercises
The eBPF Virtual MachineeBPF RegisterseBPF InstructionseBPF “Hello World” for a Network InterfaceCompiling an eBPF Object FileInspecting an eBPF Object FileLoading the Program into the KernelInspecting the Loaded ProgramThe BPF Program TagThe Translated BytecodeThe JIT-Compiled Machine CodeAttaching to an EventGlobal VariablesDetaching the ProgramUnloading the ProgramBPF to BPF CallsSummaryExercises
Loading BTF DataCreating MapsLoading a ProgramModifying a Map from User SpaceBPF Program and Map ReferencesPinningBPF LinksAdditional Syscalls Involved in eBPFInitializing the Perf BufferAttaching to Kprobe EventsSetting Up and Reading Perf EventsRing BuffersReading Information from a MapFinding a MapReading Map ElementsSummaryExercises
BCC’s Approach to PortabilityCO-RE OverviewBPF Type FormatBTF Use CasesListing BTF Information with bpftoolBTF TypesMaps with BTF InformationBTF Data for Functions and Function PrototypesInspecting BTF Data for Maps and ProgramsGenerating a Kernel Header FileCO-RE eBPF ProgramsHeader FilesDefining MapseBPF Program SectionsMemory Access with CO-RELicense DefinitionCompiling eBPF Programs for CO-REDebug InformationOptimizationTarget ArchitectureMakefileBTF Information in the Object FileBPF RelocationsCO-RE User Space CodeThe Libbpf Library for User SpaceBPF SkeletonsLibbpf Code ExamplesSummaryExercises
The Verification ProcessThe Verifier LogVisualizing Control FlowValidating Helper FunctionsHelper Function ArgumentsChecking the LicenseChecking Memory AccessChecking Pointers Before Dereferencing ThemAccessing ContextRunning to CompletionLoopsChecking the Return CodeInvalid InstructionsUnreachable InstructionsSummaryExercises
Program Context ArgumentsHelper Functions and Return CodesKfuncsTracingKprobes and KretprobesFentry/FexitTracepointsBTF-Enabled TracepointsUser Space AttachmentsLSMNetworkingSocketsTraffic ControlXDPFlow DissectorLightweight TunnelsCgroupsInfrared ControllersBPF Attachment TypesSummaryExercises
Packet DropsXDP Program Return CodesXDP Packet ParsingLoad Balancing and ForwardingXDP OffloadingTraffic Control (TC)Packet Encryption and DecryptionUser Space SSL LibrarieseBPF and Kubernetes NetworkingAvoiding iptablesCoordinated Network ProgramsNetwork Policy EnforcementEncrypted ConnectionsSummaryExercises and Further Reading
Security Observability Requires Policy and ContextUsing System Calls for Security EventsSeccompGenerating Seccomp ProfilesSyscall-Tracking Security ToolsBPF LSMCilium TetragonAttaching to Internal Kernel FunctionsPreventative SecurityNetwork SecuritySummary

BpftraceLanguage Choices for eBPF in the KernelBCC Python/Lua/C++C and LibbpfGoGobpfEbpf-goLibbpfgoRustLibbpf-rsRedbpfAyaRust-bccTesting BPF ProgramsMultiple eBPF ProgramsSummaryExercises
The eBPF FoundationeBPF for WindowsLinux eBPF EvolutioneBPF Is a Platform, Not a FeatureConclusion

Content preview from Learning eBPF

Chapter 1. What Is eBPF, and Why Is It Important?

eBPF is a revolutionary kernel technology that allows developers to write custom code that can be loaded into the kernel dynamically, changing the way the kernel behaves. (Don’t worry if you’re not confident about what the kernel is—we’ll come to that shortly in this chapter.)

This enables a new generation of highly performant networking, observability, and security tools. And as you’ll see, if you want to instrument an app with these eBPF-based tools, you don’t need to modify or reconfigure the app in any way, thanks to eBPF’s vantage point within the kernel.

Just a few of the things you can do with eBPF include:

Performance tracing of pretty much any aspect of a system
High-performance networking, with built-in visibility
Detecting and (optionally) preventing malicious activity

Let’s take a brief journey through eBPF’s history, starting with the Berkeley Packet Filter.

eBPF’s Roots: The Berkeley Packet Filter

What we call “eBPF” today has its roots in the BSD Packet Filter, first described in 1993 in a paper¹ written by Lawrence Berkeley National Laboratory’s Steven McCanne and Van Jacobson. This paper discusses a pseudomachine that can run filters, which are programs written to determine whether to accept or reject a network packet. These programs were written in the BPF instruction set, a general-purpose set of 32-bit instructions that closely resembles assembly language. Here’s an example taken directly from that ...