Chapter 10. eBPF Programming

In this book so far, you’ve learned a lot about eBPF and seen many examples of how it’s used for a variety of applications. But what if you want to implement your own ideas based on eBPF? This chapter discusses your options when it comes to writing your own eBPF code.

As you know from reading this book, eBPF programming consists of two parts:

  • Writing eBPF programs that run in the kernel

  • Writing the user space code that manages and interacts with eBPF programs

Most of the libraries and languages I’ll discuss in this chapter require you as a programmer to handle both parts, with an awareness of what is being handled where. But bpftrace, perhaps the simplest eBPF programming language, masks this distinction from the programmer.

Bpftrace

As described on the project’s README page, “bpftrace is a high-level tracing language for Linux eBPF … inspired by awk and C, and predecessor tracers such as DTrace and SystemTap.”

The bpftrace command-line tool converts programs written in this high-level language into eBPF kernel code and provides some output formatting for the results within the terminal. As a user, you don’t really need to think about the kernel–user space split.

You’ll find several examples of useful one-liners in the project documentation, including a nice tutorial that takes you from writing a simple “Hello World” script up to writing more sophisticated scripts that can trace out data read from within kernel data structures.
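As an added illustration of what the tool hides from you, here is a short bpftrace script that is not from the book: it counts openat() syscalls per process in a BPF map and prints the path for every open made by the process name passed as the script's first positional parameter. The script assumes a Linux host with bpftrace installed and root privileges; nothing in it is specific to a particular kernel version beyond the standard syscalls tracepoint.

```bpftrace
#!/usr/bin/env bpftrace
// Added example, not from the book or the bpftrace project.
// Usage: sudo ./openat.bt <process-name>
// Assumes: bpftrace installed, run as root, kernel with syscall tracepoints.

BEGIN
{
    printf("Tracing openat() syscalls, filtering on \"%s\". Ctrl-C to end.\n",
           str($1));
}

// Every call to openat() from any process lands here. The kernel side is an
// eBPF program attached to this tracepoint; bpftrace compiles and loads it.
tracepoint:syscalls:sys_enter_openat
{
    // @opens is a BPF map; bpftrace allocates it and prints it when the
    // script exits, so no user space bookkeeping code is needed.
    @opens[comm] = count();

    // $1 is the first positional argument; with none given str($1) is ""
    // and nothing matches, so the per-process count is all you get.
    if (comm == str($1)) {
        // args->filename is a user space pointer from the tracepoint
        // fields; str() copies the string out of the calling process.
        printf("%-16s pid=%-6d %s\n", comm, pid, str(args->filename));
    }
}

// Print a running summary every 10 seconds and reset it, so a long-running
// trace shows which processes are opening files most often right now.
interval:s:10
{
    printf("\n--- opens in the last 10s ---\n");
    print(@opens);
    clear(@opens);
}

END
{
    printf("\nFinal counts since the last interval:\n");
}
```

Run it as `sudo ./openat.bt sshd` to see the paths sshd opens while still getting the per-process open counts for every other process. The whole kernel/user split, compiling the probe, creating the map, reading it back, and formatting the output, is handled by bpftrace; the script only states what to trace and what to print.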

Note

Get a feel for ...
