O'Reilly logo

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Linux Observability with BPF

Book Description

Build your expertise in the BPF virtual machine in the Linux kernel with this practical guide for systems engineers. You’ll not only dive into the BPF program lifecycle but also learn to write applications that observe and modify the kernel’s behavior; inject code to monitor, trace, and securely observe events in the kernel; and more.

Authors David Calavera and Lorenzo Fontana help you harness the power of BPF to make any computing system more observable. Familiarize yourself with the essential concepts you’ll use on a day-to-day basis and augment your knowledge about performance optimization, networking, and security. Then see how it all comes together with code examples in C, Go, and Python.

  • Write applications that use BPF to observe and modify the Linux kernel’s behavior on demand
  • Inject code to monitor, trace, and observe events in the kernel in a secure way—no need to recompile the kernel or reboot the system
  • Explore code examples in C, Go, and Python
  • Gain a more thorough understanding of the BPF program lifecycle

Table of Contents

  1. Foreword
  2. Preface
    1. Conventions Used in This Book
    2. Using Code Examples
    3. O’Reilly Online Learning
    4. How to Contact Us
    5. Acknowledgments
  3. 1. Introduction
    1. BPF’s History
    2. Architecture
    3. Conclusion
  4. 2. Running Your First BPF Programs
    1. Writing BPF Programs
    2. BPF Program Types
      1. Socket Filter Programs
      2. Kprobe Programs
      3. Tracepoint Programs
      4. XDP Programs
      5. Perf Event Programs
      6. Cgroup Socket Programs
      7. Cgroup Open Socket Programs
      8. Socket Option Programs
      9. Socket Map Programs
      10. Cgroup Device Programs
      11. Socket Message Delivery Programs
      12. Raw Tracepoint Programs
      13. Cgroup Socket Address Programs
      14. Socket Reuseport Programs
      15. Flow Dissection Programs
      16. Other BPF Programs
    3. The BPF Verifier
    4. BPF Type Format
    5. BPF Tail Calls
    6. Conclusion
  5. 3. BPF Maps
    1. Creating BPF Maps
      1. ELF Conventions to Create BPF Maps
    2. Working with BFP Maps
      1. Updating Elements in a BPF Map
      2. Reading Elements from a BPF Map
      3. Removing an Element from a BPF Map
      4. Iterating Over Elements in a BPF Map
      5. Looking Up and Deleting Elements
      6. Concurrent Access to Map Elements
    3. Types of BPF Maps
      1. Hash-Table Maps
      2. Array Maps
      3. Program Array Maps
      4. Perf Events Array Maps
      5. Per-CPU Hash Maps
      6. Per-CPU Array Maps
      7. Stack Trace Maps
      8. Cgroup Array Maps
      9. LRU Hash and Per-CPU Hash Maps
      10. LPM Trie Maps
      11. Array of Maps and Hash of Maps
      12. Device Map Maps
      13. CPU Map Maps
      14. Open Socket Maps
      15. Socket Array and Hash Maps
      16. Cgroup Storage and Per-CPU Storage Maps
      17. Reuseport Socket Maps
      18. Queue Maps
      19. Stack Maps
    4. The BPF Virtual Filesystem
    5. Conclusion
  6. 4. Tracing with BPF
    1. Probes
      1. Kernel Probes
      2. Tracepoints
      3. User-Space Probes
      4. User Statically Defined Tracepoints
    2. Visualizing Tracing Data
      1. Flame Graphs
      2. Histograms
      3. Perf Events
    3. Conclusion
  7. 5. BPF Utilities
    1. BPFTool
      1. Installation
      2. Feature Display
      3. Inspecting BPF Programs
      4. Inspecting BPF Maps
      5. Inspecting Programs Attached to Specific Interfaces
      6. Loading Commands in Batch Mode
      7. Displaying BTF Information
    2. BPFTrace
      1. Installation
      2. Language Reference
      3. Filtering
      4. Dynamic Mapping
    3. kubectl-trace
      1. Installation
      2. Inspecting Kubernetes Nodes
    4. eBPF Exporter
      1. Installation
      2. Exporting Metrics from BPF
    5. Conclusion
  8. 6. Linux Networking and BPF
    1. BPF and Packet Filtering
      1. tcpdump and BPF Expressions
      2. Packet Filtering for Raw Sockets
    2. BPF-Based Traffic Control Classifier
      1. Terminology
      2. Traffic Control Classifier Program Using cls_bpf
      3. Differences Between Traffic Control and XDP
    3. Conclusion
  9. 7. Express Data Path
    1. XDP Programs Overview
      1. Operation Modes
      2. The Packet Processor
      3. XDP and iproute2 as a Loader
    2. XDP and BCC
    3. Testing XDP Programs
      1. XDP Testing Using the Python Unit Testing Framework
    4. XDP Use Cases
      1. Monitoring
      2. DDoS Mitigation
      3. Load Balancing
      4. Firewalling
    5. Conclusion
  10. 8. Linux Kernel Security, Capabilities, and Seccomp
    1. Capabilities
    2. Seccomp
      1. Seccomp Errors
      2. Seccomp BPF Filter Example
    3. BPF LSM Hooks
    4. Conclusion
  11. 9. Real-World Use Cases
    1. Sysdig eBPF God Mode
    2. Flowmill
  12. Index