Linux Observability with BPF

Book Description

Want to master the BPF virtual machine in the Linux Kernel? This practical guide shows you how to write applications that use BPF to observe and modify the kernel’s behavior on demand—without having prior knowledge of Linux Kernel development. David Calavera and Lorenzo Fontana introduce concepts to help systems engineers understand the BPF program lifecycle.

If you have knowledge about performance optimization, networking, and security, this book shows you how to inject code to monitor, trace, and observe events in the kernel in a secure way—without the need to recompile the kernel or reboot the system. You’ll find code examples in C, Go, and Python.

Table of Contents

  1. Foreword
  2. Preface
    1. Conventions Used in This Book
    2. Using Code Examples
    3. O’Reilly Online Learning
    4. How to Contact Us
    5. Acknowledgments
  3. 1. Introduction
    1. BPF’s History
    2. Architecture
    3. Conclusion
  4. 2. Running Your First BPF Programs
    1. Writing BPF Programs
    2. BPF Program Types
      1. Socket Filter Programs
      2. Kprobe Programs
      3. Tracepoint Programs
      4. XDP Programs
      5. Perf Event Programs
      6. Cgroup Socket Programs
      7. Cgroup Open Socket Programs
      8. Socket Option Programs
      9. Socket Map Programs
      10. Cgroup Device Programs
      11. Socket Message Delivery Programs
      12. Raw Tracepoint Programs
      13. Cgroup Socket Address Programs
      14. Socket Reuseport Programs
      15. Flow Dissection Programs
      16. Other BPF Programs
    3. The BPF Verifier
    4. BPF Type Format (BTF)
    5. BPF Tail Calls
    6. Conclusion
  5. 3. BPF Maps
    1. Creating BPF Maps
      1. ELF Conventions to Create BPF Maps
    2. Working with BPF Maps
      1. Updating Elements in a BPF Map
      2. Reading Elements from a BPF Map
      3. Removing Elements from a BPF Map
      4. Iterating Over Elements in a BPF Map
      5. Lookup and Delete Elements
      6. Concurrent Access To Map Elements
    3. Types of BPF Maps
      1. Hash-Table Maps
      2. Array Maps
      3. Program Array Maps
      4. Perf Events Array Maps
      5. Per-CPU Hash Maps
      6. Per-CPU Array Maps
      7. Stack Trace Maps
      8. Cgroup Array Maps
      9. LRU Hash and Per-CPU Hash Maps
      10. LPM Trie Maps
      11. Array of Maps and Hash of Maps
      12. Device Map Maps
      13. CPU Map Maps
      14. Open Socket Maps
      15. Socket Array and Hash Maps
      16. Cgroup Storage and Per-CPU Storage Maps
      17. Reuseport Socket Maps
      18. Queue Maps
      19. Stack Maps
    4. The BPF Virtual File System
    5. Conclusion
  6. 4. Tracing with BPF
    1. Probes
      1. Kernel Probes
      2. Tracepoints
      3. User-Space Probes
      4. User Statically Defined Tracepoints
    2. Visualizing Tracing Data
      1. Flame Graphs
      2. Histograms
      3. Perf Events
    3. Conclusion
  7. 5. BPF Utilities
    1. BPFTool
      1. Installation
      2. Feature Display
      3. Inspecting BPF Programs
      4. Inspecting BPF Maps
      5. Inspecting Programs Attached to Specific Interfaces
      6. Loading Commands in Batch Mode
      7. Displaying BTF Information
    2. BPFTrace
      1. Installation
      2. Language Reference
      3. Filtering
      4. Dynamic Mapping
    3. Kubectl-Trace
      1. Installation
      2. Inspecting Kubernetes Nodes
    4. eBPF Exporter
      1. Installation
      2. Exporting Metrics from BPF
    5. Conclusion
  8. 6. Linux Networking and BPF
    1. BPF and Packet Filtering
      1. Tcpdump and BPF Expressions
      2. Packet Filtering for Raw Sockets (BPF_PROG_TYPE_SOCKET_FILTER)
    2. BPF Based Traffic Control Classifier
      1. Terminology
      2. Traffic Control Classifier Program Using cls_bpf
      3. Differences Between TC and XDP
    3. Conclusion
  9. 7. eXpress Data Path (XDP)
    1. XDP Programs Overview
      1. Operation Modes
      2. The Packet Processor
      3. XDP and Iproute2 as a Loader
    2. XDP and BCC
    3. Testing XDP Programs
      1. XDP Testing Using the Python Unit Testing Framework
    4. XDP Use Cases
      1. Monitoring
      2. DDoS Mitigation
      3. Load Balancing
      4. Firewalling
    5. Conclusions
  10. 8. Linux Kernel Security, Capabilities and Seccomp
    1. Capabilities
    2. Seccomp
      1. Seccomp Errors
      2. Seccomp BPF Filter Example
    3. BPF LSM Hooks
    4. Conclusion
  11. 9. Real-World Use Cases
    1. Sysdig eBPF God Mode
    2. Flowmill
  12. Index