Learning eBPF

Book description

What is eBPF? With this technology, you can write custom programs that are loaded into the running Linux kernel and dynamically change the way it behaves, without rebuilding the kernel or writing a kernel module. It is a platform for building a new generation of security, observability, and networking tools.

This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer at the cloud-native networking and security company Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves.

With this book, you will:

  • Learn why eBPF has become so important in the past couple of years
  • Write basic eBPF code, then load, inspect, and attach eBPF programs to events
  • Explore how eBPF components interact with Linux to dynamically change the operating system's behavior
  • Learn how tools based on eBPF can instrument applications without changes to the apps or their configuration
  • Discover how this technology enables new tools for observability, security, and networking

Table of contents

  1. Preface
    1. Who This Book Is For
    2. What This Book Covers
    3. Prerequisite Knowledge
    4. Example Code and Exercises
    5. Is eBPF Only for Linux?
    6. Conventions Used in This Book
    7. Using Code Examples
    8. O’Reilly Online Learning
    9. How to Contact Us
    10. Acknowledgments
  2. 1. What Is eBPF, and Why Is It Important?
    1. eBPF’s Roots: The Berkeley Packet Filter
    2. From BPF to eBPF
    3. The Evolution of eBPF to Production Systems
    4. Naming Is Hard
    5. The Linux Kernel
    6. Adding New Functionality to the Kernel
    7. Kernel Modules
    8. Dynamic Loading of eBPF Programs
    9. High Performance of eBPF Programs
    10. eBPF in Cloud Native Environments
    11. Summary
  3. 2. eBPF’s “Hello World”
    1. BCC’s “Hello World”
    2. Running “Hello World”
    3. BPF Maps
      1. Hash Table Map
      2. Perf and Ring Buffer Maps
      3. Function Calls
      4. Tail Calls
    4. Summary
    5. Exercises
  4. 3. Anatomy of an eBPF Program
    1. The eBPF Virtual Machine
      1. eBPF Registers
      2. eBPF Instructions
    2. eBPF “Hello World” for a Network Interface
    3. Compiling an eBPF Object File
    4. Inspecting an eBPF Object File
    5. Loading the Program into the Kernel
    6. Inspecting the Loaded Program
      1. The BPF Program Tag
      2. The Translated Bytecode
      3. The JIT-Compiled Machine Code
    7. Attaching to an Event
    8. Global Variables
    9. Detaching the Program
    10. Unloading the Program
    11. BPF to BPF Calls
    12. Summary
    13. Exercises
  5. 4. The bpf() System Call
    1. Loading BTF Data
    2. Creating Maps
    3. Loading a Program
    4. Modifying a Map from User Space
    5. BPF Program and Map References
      1. Pinning
      2. BPF Links
    6. Additional Syscalls Involved in eBPF
      1. Initializing the Perf Buffer
      2. Attaching to Kprobe Events
      3. Setting Up and Reading Perf Events
    7. Ring Buffers
    8. Reading Information from a Map
      1. Finding a Map
      2. Reading Map Elements
    9. Summary
    10. Exercises
  6. 5. CO-RE, BTF, and Libbpf
    1. BCC’s Approach to Portability
    2. CO-RE Overview
    3. BPF Type Format
      1. BTF Use Cases
      2. Listing BTF Information with bpftool
      3. BTF Types
      4. Maps with BTF Information
      5. BTF Data for Functions and Function Prototypes
      6. Inspecting BTF Data for Maps and Programs
    4. Generating a Kernel Header File
    5. CO-RE eBPF Programs
      1. Header Files
      2. Defining Maps
      3. eBPF Program Sections
      4. Memory Access with CO-RE
      5. License Definition
    6. Compiling eBPF Programs for CO-RE
      1. Debug Information
      2. Optimization
      3. Target Architecture
      4. Makefile
      5. BTF Information in the Object File
    7. BPF Relocations
    8. CO-RE User Space Code
    9. The Libbpf Library for User Space
      1. BPF Skeletons
      2. Libbpf Code Examples
    10. Summary
    11. Exercises
  7. 6. The eBPF Verifier
    1. The Verification Process
    2. The Verifier Log
    3. Visualizing Control Flow
    4. Validating Helper Functions
    5. Helper Function Arguments
    6. Checking the License
    7. Checking Memory Access
    8. Checking Pointers Before Dereferencing Them
    9. Accessing Context
    10. Running to Completion
    11. Loops
    12. Checking the Return Code
    13. Invalid Instructions
    14. Unreachable Instructions
    15. Summary
    16. Exercises
  8. 7. eBPF Program and Attachment Types
    1. Program Context Arguments
    2. Helper Functions and Return Codes
    3. Kfuncs
    4. Tracing
      1. Kprobes and Kretprobes
      2. Fentry/Fexit
      3. Tracepoints
      4. BTF-Enabled Tracepoints
      5. User Space Attachments
      6. LSM
    5. Networking
      1. Sockets
      2. Traffic Control
      3. XDP
      4. Flow Dissector
      5. Lightweight Tunnels
      6. Cgroups
      7. Infrared Controllers
    6. BPF Attachment Types
    7. Summary
    8. Exercises
  9. 8. eBPF for Networking
    1. Packet Drops
      1. XDP Program Return Codes
      2. XDP Packet Parsing
    2. Load Balancing and Forwarding
    3. XDP Offloading
    4. Traffic Control (TC)
    5. Packet Encryption and Decryption
      1. User Space SSL Libraries
    6. eBPF and Kubernetes Networking
      1. Avoiding iptables
      2. Coordinated Network Programs
      3. Network Policy Enforcement
      4. Encrypted Connections
    7. Summary
    8. Exercises and Further Reading
  10. 9. eBPF for Security
    1. Security Observability Requires Policy and Context
    2. Using System Calls for Security Events
      1. Seccomp
      2. Generating Seccomp Profiles
      3. Syscall-Tracking Security Tools
    3. BPF LSM
    4. Cilium Tetragon
      1. Attaching to Internal Kernel Functions
      2. Preventative Security
    5. Network Security
    6. Summary
  11. 10. eBPF Programming
    1. Bpftrace
    2. Language Choices for eBPF in the Kernel
    3. BCC Python/Lua/C++
    4. C and Libbpf
      1. Go
      2. Gobpf
      3. Ebpf-go
      4. Libbpfgo
    5. Rust
      1. Libbpf-rs
      2. Redbpf
      3. Aya
      4. Rust-bcc
    6. Testing BPF Programs
    7. Multiple eBPF Programs
    8. Summary
    9. Exercises
  12. 11. The Future Evolution of eBPF
    1. The eBPF Foundation
    2. eBPF for Windows
    3. Linux eBPF Evolution
    4. eBPF Is a Platform, Not a Feature
    5. Conclusion
  13. Index
  14. About the Author

Product information

  • Title: Learning eBPF
  • Author(s): Liz Rice
  • Release date: March 2023
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098135126