book

Linux Observability with BPF

by David Calavera, Lorenzo Fontana

November 2019

Intermediate to advanced

177 pages

4h 39m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
BPF’s HistoryArchitectureConclusion
Writing BPF ProgramsBPF Program TypesSocket Filter ProgramsKprobe ProgramsTracepoint ProgramsXDP ProgramsPerf Event ProgramsCgroup Socket ProgramsCgroup Open Socket ProgramsSocket Option ProgramsSocket Map ProgramsCgroup Device ProgramsSocket Message Delivery ProgramsRaw Tracepoint ProgramsCgroup Socket Address ProgramsSocket Reuseport ProgramsFlow Dissection ProgramsOther BPF ProgramsThe BPF VerifierBPF Type FormatBPF Tail CallsConclusion
Creating BPF MapsELF Conventions to Create BPF MapsWorking with BFP MapsUpdating Elements in a BPF MapReading Elements from a BPF MapRemoving an Element from a BPF MapIterating Over Elements in a BPF MapLooking Up and Deleting ElementsConcurrent Access to Map ElementsTypes of BPF MapsHash-Table MapsArray MapsProgram Array MapsPerf Events Array MapsPer-CPU Hash MapsPer-CPU Array MapsStack Trace MapsCgroup Array MapsLRU Hash and Per-CPU Hash MapsLPM Trie MapsArray of Maps and Hash of MapsDevice Map MapsCPU Map MapsOpen Socket MapsSocket Array and Hash MapsCgroup Storage and Per-CPU Storage MapsReuseport Socket MapsQueue MapsStack MapsThe BPF Virtual FilesystemConclusion
ProbesKernel ProbesTracepointsUser-Space ProbesUser Statically Defined TracepointsVisualizing Tracing DataFlame GraphsHistogramsPerf EventsConclusion
BPFToolInstallationFeature DisplayInspecting BPF ProgramsInspecting BPF MapsInspecting Programs Attached to Specific InterfacesLoading Commands in Batch ModeDisplaying BTF InformationBPFTraceInstallationLanguage ReferenceFilteringDynamic Mappingkubectl-traceInstallationInspecting Kubernetes NodeseBPF ExporterInstallationExporting Metrics from BPFConclusion
BPF and Packet Filteringtcpdump and BPF ExpressionsPacket Filtering for Raw SocketsBPF-Based Traffic Control ClassifierTerminologyTraffic Control Classifier Program Using cls_bpfDifferences Between Traffic Control and XDPConclusion
XDP Programs OverviewOperation ModesThe Packet ProcessorXDP and iproute2 as a LoaderXDP and BCCTesting XDP ProgramsXDP Testing Using the Python Unit Testing FrameworkXDP Use CasesMonitoringDDoS MitigationLoad BalancingFirewallingConclusion
CapabilitiesSeccompSeccomp ErrorsSeccomp BPF Filter ExampleBPF LSM HooksConclusion

Sysdig eBPF God ModeFlowmill

Content preview from Linux Observability with BPF

Chapter 9. Real-World Use Cases

The most important question to ask yourself when implementing a new technology is: “What are the use cases for this out there?” That’s why we decided to interview the creators of some of the most exciting BPF projects out there to share their ideas.

Sysdig eBPF God Mode

Sysdig, the company that makes the eponymous open source Linux troubleshooting tool, started playing with eBPF in 2017 under kernel 4.11.

It has been historically using a kernel module to extract and do all the kernel-side work, but as the user base increased and when more and more companies started experimenting, the company acknowledged that it is a limitation for the majority of external actors, in many ways:

There’s an increasing number of users who can’t load kernel modules on their machines. Cloud-native platforms are becoming more and more restrictive against what runtime programs can do.
New contributors (and even old) don’t understand the architecture of a kernel module. That decreases the overall number of contributors and is a limiting factor for the growth of the project itself.
Kernel modules maintenance is difficult, not just because of writing the code, but also because of the effort needed to keep it safe and well organized.

For those motivations, Sysdig decided to try the approach of writing the same set of features it has in the module but using an eBPF program instead. Another benefit that automatically comes from adopting eBPF is the possibility for Sysdig ...