What is eBPF? With this revolutionary technology, you can write custom code that dynamically changes the way the kernel behaves. It's an extraordinary platform for building a whole new generation of security, observability, and networking tools.
This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer with cloud native networking and security specialists Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves.
With this book, you will:
- Learn why eBPF has become so important in the past couple of years
- Write basic eBPF code, and manipulate eBPF programs and attach them to events
- Explore how eBPF components interact with Linux to dynamically change the operating system's behavior
- Learn how tools based on eBPF can instrument applications without changes to the apps or their configuration
- Discover how this technology enables new tools for observability, security, and networking
Author(s): Liz Rice
Edition: 1
Publisher: O'Reilly Media
Year: 2023
Language: English
Commentary: Revision History for the First Edition: 2023-03-07: First Release || TOC has broken links: replace ".html" with ".xhtml" in the anchor tags.
Pages: 234
City: Sebastopol, CA
Tags: eBPF; Linux; Operating Systems; Kernel Behavior; Linux Kernel; Extended Berkeley Packet Filter; Network Traffic Analysis; Computer Security
Preface
Who This Book Is For
What This Book Covers
Prerequisite Knowledge
Example Code and Exercises
Is eBPF Only for Linux?
Conventions Used in This Book
Using Code Examples
O’Reilly Online Learning
How to Contact Us
Acknowledgments
1. What Is eBPF, and Why Is It Important?
eBPF’s Roots: The Berkeley Packet Filter
From BPF to eBPF
The Evolution of eBPF to Production Systems
Naming Is Hard
The Linux Kernel
Adding New Functionality to the Kernel
Kernel Modules
Dynamic Loading of eBPF Programs
High Performance of eBPF Programs
eBPF in Cloud Native Environments
Summary
2. eBPF’s “Hello World”
BCC’s “Hello World”
Running “Hello World”
BPF Maps
Hash Table Map
Perf and Ring Buffer Maps
Function Calls
Tail Calls
Summary
Exercises
3. Anatomy of an eBPF Program
The eBPF Virtual Machine
eBPF Registers
eBPF Instructions
eBPF “Hello World” for a Network Interface
Compiling an eBPF Object File
Inspecting an eBPF Object File
Loading the Program into the Kernel
Inspecting the Loaded Program
The BPF Program Tag
The Translated Bytecode
The JIT-Compiled Machine Code
Attaching to an Event
Global Variables
Detaching the Program
Unloading the Program
BPF to BPF Calls
Summary
Exercises
4. The bpf() System Call
Loading BTF Data
Creating Maps
Loading a Program
Modifying a Map from User Space
BPF Program and Map References
Pinning
BPF Links
Additional Syscalls Involved in eBPF
Initializing the Perf Buffer
Attaching to Kprobe Events
Setting Up and Reading Perf Events
Ring Buffers
Reading Information from a Map
Finding a Map
Reading Map Elements
Summary
Exercises
5. CO-RE, BTF, and Libbpf
BCC’s Approach to Portability
CO-RE Overview
BPF Type Format
BTF Use Cases
Listing BTF Information with bpftool
BTF Types
Maps with BTF Information
BTF Data for Functions and Function Prototypes
Inspecting BTF Data for Maps and Programs
Generating a Kernel Header File
CO-RE eBPF Programs
Header Files
Defining Maps
eBPF Program Sections
Memory Access with CO-RE
License Definition
Compiling eBPF Programs for CO-RE
Debug Information
Optimization
Target Architecture
Makefile
BTF Information in the Object File
BPF Relocations
CO-RE User Space Code
The Libbpf Library for User Space
BPF Skeletons
Libbpf Code Examples
Summary
Exercises
6. The eBPF Verifier
The Verification Process
The Verifier Log
Visualizing Control Flow
Validating Helper Functions
Helper Function Arguments
Checking the License
Checking Memory Access
Checking Pointers Before Dereferencing Them
Accessing Context
Running to Completion
Loops
Checking the Return Code
Invalid Instructions
Unreachable Instructions
Summary
Exercises
7. eBPF Program and Attachment Types
Program Context Arguments
Helper Functions and Return Codes
Kfuncs
Tracing
Kprobes and Kretprobes
Fentry/Fexit
Tracepoints
BTF-Enabled Tracepoints
User Space Attachments
LSM
Networking
Sockets
Traffic Control
XDP
Flow Dissector
Lightweight Tunnels
Cgroups
Infrared Controllers
BPF Attachment Types
Summary
Exercises
8. eBPF for Networking
Packet Drops
XDP Program Return Codes
XDP Packet Parsing
Load Balancing and Forwarding
XDP Offloading
Traffic Control (TC)
Packet Encryption and Decryption
User Space SSL Libraries
eBPF and Kubernetes Networking
Avoiding iptables
Coordinated Network Programs
Network Policy Enforcement
Encrypted Connections
Summary
Exercises and Further Reading
9. eBPF for Security
Security Observability Requires Policy and Context
Using System Calls for Security Events
Seccomp
Generating Seccomp Profiles
Syscall-Tracking Security Tools
BPF LSM
Cilium Tetragon
Attaching to Internal Kernel Functions
Preventative Security
Network Security
Summary
10. eBPF Programming
Bpftrace
Language Choices for eBPF in the Kernel
BCC Python/Lua/C++
C and Libbpf
Go
Gobpf
Ebpf-go
Libbpfgo
Rust
Libbpf-rs
Redbpf
Aya
Rust-bcc
Testing BPF Programs
Multiple eBPF Programs
Summary
Exercises
11. The Future Evolution of eBPF
The eBPF Foundation
eBPF for Windows
Linux eBPF Evolution
eBPF Is a Platform, Not a Feature
Conclusion
Index
About the Author
