Chapter 3. Anatomy of an eBPF Program

In the previous chapter you saw a simple eBPF “Hello World” program written using the BCC framework. In this chapter there’s an example version of a “Hello World” program written entirely in C so that you can see some of the details BCC took care of behind the scenes.

This chapter also shows you the stages an eBPF program goes through on its journey from source code to execution, as illustrated in Figure 3-1.

Figure 3-1. C (or Rust) source code is compiled into eBPF bytecode, which is either JIT-compiled or interpreted into native machine code instructions

An eBPF program is a set of eBPF bytecode instructions. It’s possible to write eBPF code directly in this bytecode, much as it’s possible to program in assembly language. Humans typically find a higher-level programming language easier to deal with, and at least at the time of this writing, I’d say the vast majority of eBPF code is written in C and then compiled to eBPF bytecode.

Conceptually, this bytecode runs in an eBPF virtual machine within the kernel.

The eBPF Virtual Machine

The eBPF virtual machine, like any virtual machine, is a software implementation of a computer. It takes in a program in the form of eBPF bytecode instructions, and these have to be converted to native machine instructions that run on the CPU.

In early implementations of eBPF, the bytecode instructions were ...
