book

Linux Observability with BPF

by David Calavera, Lorenzo Fontana

November 2019

Intermediate to advanced

177 pages

4h 39m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
BPF’s HistoryArchitectureConclusion
Writing BPF ProgramsBPF Program TypesSocket Filter ProgramsKprobe ProgramsTracepoint ProgramsXDP ProgramsPerf Event ProgramsCgroup Socket ProgramsCgroup Open Socket ProgramsSocket Option ProgramsSocket Map ProgramsCgroup Device ProgramsSocket Message Delivery ProgramsRaw Tracepoint ProgramsCgroup Socket Address ProgramsSocket Reuseport ProgramsFlow Dissection ProgramsOther BPF ProgramsThe BPF VerifierBPF Type FormatBPF Tail CallsConclusion
Creating BPF MapsELF Conventions to Create BPF MapsWorking with BFP MapsUpdating Elements in a BPF MapReading Elements from a BPF MapRemoving an Element from a BPF MapIterating Over Elements in a BPF MapLooking Up and Deleting ElementsConcurrent Access to Map ElementsTypes of BPF MapsHash-Table MapsArray MapsProgram Array MapsPerf Events Array MapsPer-CPU Hash MapsPer-CPU Array MapsStack Trace MapsCgroup Array MapsLRU Hash and Per-CPU Hash MapsLPM Trie MapsArray of Maps and Hash of MapsDevice Map MapsCPU Map MapsOpen Socket MapsSocket Array and Hash MapsCgroup Storage and Per-CPU Storage MapsReuseport Socket MapsQueue MapsStack MapsThe BPF Virtual FilesystemConclusion
ProbesKernel ProbesTracepointsUser-Space ProbesUser Statically Defined TracepointsVisualizing Tracing DataFlame GraphsHistogramsPerf EventsConclusion
BPFToolInstallationFeature DisplayInspecting BPF ProgramsInspecting BPF MapsInspecting Programs Attached to Specific InterfacesLoading Commands in Batch ModeDisplaying BTF InformationBPFTraceInstallationLanguage ReferenceFilteringDynamic Mappingkubectl-traceInstallationInspecting Kubernetes NodeseBPF ExporterInstallationExporting Metrics from BPFConclusion
BPF and Packet Filteringtcpdump and BPF ExpressionsPacket Filtering for Raw SocketsBPF-Based Traffic Control ClassifierTerminologyTraffic Control Classifier Program Using cls_bpfDifferences Between Traffic Control and XDPConclusion
XDP Programs OverviewOperation ModesThe Packet ProcessorXDP and iproute2 as a LoaderXDP and BCCTesting XDP ProgramsXDP Testing Using the Python Unit Testing FrameworkXDP Use CasesMonitoringDDoS MitigationLoad BalancingFirewallingConclusion
CapabilitiesSeccompSeccomp ErrorsSeccomp BPF Filter ExampleBPF LSM HooksConclusion

Sysdig eBPF God ModeFlowmill

Content preview from Linux Observability with BPF

Chapter 1. Introduction

Over the past few decades computing systems have only grown in complexity. Reasoning about how software behaves has created multiple business categories, all of them trying solve the challenges of gaining insight into complex systems. One approach to get this visibility is to analyze the logs of data generated by all applications running in a computing system. Logs are a great source of information. They can give you precise data about how an application is behaving. However, they constrain you because you get only the information that the engineers who built the application exposed in those logs. Gathering any additional information in log format from any system can be as challenging as decompiling the program and looking at the execution flow. Another popular approach is to use metrics to reason why a program behaves the way it does. Metrics differ from logs in the data format; whereas logs give you explicit data, metrics aggregate data to measure how a program behaves at a specific point in time.

Observability is an emergent practice that approaches this problem from an different angle. People define observability as the capacity that we have to ask arbitrary questions and receive complex answers from any given system. A key difference between observability, logs, and metrics aggregation is the data that you collect. Given that by practicing observability you need to answer any arbitrary question at any point in time, the only way to reason about data ...