Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security (Final Release)

What is eBPF? With this revolutionary technology, you can write custom code that dynamically changes the way the kernel behaves. It's an extraordinary platform for building a whole new generation of security, observability, and networking tools. This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer with cloud native networking and security specialists Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves. The entire eBPF program is defined as a string called “program” in the Python code. This C program needs to be compiled before it can be executed, but BCC takes care of that for you. The eBPF program is loaded into the kernel and attached to an event, so the program will be triggered whenever a new executable gets launched on the machine. All that remains to do in the Python code is to read the tracing that is output by the kernel, and write it on screen. In the Chapter 2, you saw a simple eBPF Hello World, written using the BCC framework. In the Chapter 3 I’ll show you a version of Hello World entirely in C, so that you can see some of the details that BCC took care of in the previous chapter. I’ll also show you the stages that an eBPF program goes through on its journey from source code to execution. eBPF programs can be used to dynamically change the behavior of the system. There’s no need to reboot the machine or restart existing processes - eBPF code starts taking effect as soon as it is attached to an event. What we call “eBPF” today has its roots in the BSD Packet Filter, first described in 1993 in a paper1 written by Lawrence Berkeley National Laboratory’s Steven McCanne and Van Jacobson. This paper discusses a pseudomachine that can run filters, which are programs written to determine whether to accept or reject a network packet. These programs were written in the BPF instruction set, a general-purpose set of 32-bit instructions that closely resembles assembly language. You can imagine (or, indeed, refer to the paper to find examples of) more complex filter programs that make decisions based on other aspects of the packet. Importantly, the author of the filter can write their own custom programs to be executed within the kernel, and this is the heart of what eBPF enables. With this book, you will: Learn why eBPF has become so important in the past couple of years Write basic eBPF code, and manipulate eBPF programs and attach them to events Explore how eBPF components interact with Linux to dynamically change the operating system's behavior Learn how tools based on eBPF can instrument applications without changes to the apps or their configuration Discover how this technology enables new tools for observability, security, and networking Who This Book Is For: This book is for developers, system administrators, operators, and students who are curious about eBPF and want to know more about how it works. It will provide a foundation for those who want to explore writing eBPF programs themselves. Since eBPF provides a great platform for a whole new generation of instrumentation and tooling, there will likely be gainful employment for eBPF developers for some years to come. But you don’t necessarily need to be planning to write eBPF code yourself for this book to be useful to you. If you work in operations, security, or any other role that involves software infrastructure, you’re likely to come across eBPF-based tooling, now or over the next few years. If you understand something about the internals of these tools, you’ll be in a better position to use them effectively. For example, if you know how events can trigger eBPF programs, you’ll have a better mental model for exactly what an eBPF-based tool is really measuring when it shows you performance metrics. If you’re an application developer, you might also come into contact with some of these eBPF-based tools—for example, if you are performance tuning an application, you might use a tool like Parca to generate flame graphs showing which functions are taking the most time. If you are evaluating security tools, this book will help you understand where eBPF shines and how to avoid using it in a naïve way that is less effective against attacks. Even if you’re not using eBPF tools today, I hope this book will give you interesting insights into areas of Linux that you might not have considered before. Most developers take the kernel for granted, as they use programming languages with convenient higher-level abstractions that allow them to focus on the work of application development—which is plenty hard enough! They use tools like debuggers and performance analyzers to help them do their job effectively. Knowing the internals of how a debugger or performance tool works might be interesting, but it’s not essential.