book

Linux Observability with BPF

by David Calavera, Lorenzo Fontana

November 2019

Intermediate to advanced

177 pages

4h 39m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
BPF’s HistoryArchitectureConclusion
Writing BPF ProgramsBPF Program TypesSocket Filter ProgramsKprobe ProgramsTracepoint ProgramsXDP ProgramsPerf Event ProgramsCgroup Socket ProgramsCgroup Open Socket ProgramsSocket Option ProgramsSocket Map ProgramsCgroup Device ProgramsSocket Message Delivery ProgramsRaw Tracepoint ProgramsCgroup Socket Address ProgramsSocket Reuseport ProgramsFlow Dissection ProgramsOther BPF ProgramsThe BPF VerifierBPF Type FormatBPF Tail CallsConclusion
Creating BPF MapsELF Conventions to Create BPF MapsWorking with BFP MapsUpdating Elements in a BPF MapReading Elements from a BPF MapRemoving an Element from a BPF MapIterating Over Elements in a BPF MapLooking Up and Deleting ElementsConcurrent Access to Map ElementsTypes of BPF MapsHash-Table MapsArray MapsProgram Array MapsPerf Events Array MapsPer-CPU Hash MapsPer-CPU Array MapsStack Trace MapsCgroup Array MapsLRU Hash and Per-CPU Hash MapsLPM Trie MapsArray of Maps and Hash of MapsDevice Map MapsCPU Map MapsOpen Socket MapsSocket Array and Hash MapsCgroup Storage and Per-CPU Storage MapsReuseport Socket MapsQueue MapsStack MapsThe BPF Virtual FilesystemConclusion
ProbesKernel ProbesTracepointsUser-Space ProbesUser Statically Defined TracepointsVisualizing Tracing DataFlame GraphsHistogramsPerf EventsConclusion
BPFToolInstallationFeature DisplayInspecting BPF ProgramsInspecting BPF MapsInspecting Programs Attached to Specific InterfacesLoading Commands in Batch ModeDisplaying BTF InformationBPFTraceInstallationLanguage ReferenceFilteringDynamic Mappingkubectl-traceInstallationInspecting Kubernetes NodeseBPF ExporterInstallationExporting Metrics from BPFConclusion
BPF and Packet Filteringtcpdump and BPF ExpressionsPacket Filtering for Raw SocketsBPF-Based Traffic Control ClassifierTerminologyTraffic Control Classifier Program Using cls_bpfDifferences Between Traffic Control and XDPConclusion
XDP Programs OverviewOperation ModesThe Packet ProcessorXDP and iproute2 as a LoaderXDP and BCCTesting XDP ProgramsXDP Testing Using the Python Unit Testing FrameworkXDP Use CasesMonitoringDDoS MitigationLoad BalancingFirewallingConclusion
CapabilitiesSeccompSeccomp ErrorsSeccomp BPF Filter ExampleBPF LSM HooksConclusion

Sysdig eBPF God ModeFlowmill

Overview

Build your expertise in the BPF virtual machine in the Linux kernel with this practical guide for systems engineers. You’ll not only dive into the BPF program lifecycle but also learn to write applications that observe and modify the kernel’s behavior; inject code to monitor, trace, and securely observe events in the kernel; and more.

Authors David Calavera and Lorenzo Fontana help you harness the power of BPF to make any computing system more observable. Familiarize yourself with the essential concepts you’ll use on a day-to-day basis and augment your knowledge about performance optimization, networking, and security. Then see how it all comes together with code examples in C, Go, and Python.

Write applications that use BPF to observe and modify the Linux kernel’s behavior on demand
Inject code to monitor, trace, and observe events in the kernel in a secure way—no need to recompile the kernel or reboot the system
Explore code examples in C, Go, and Python
Gain a more thorough understanding of the BPF program lifecycle