Build your expertise in the BPF virtual machine in the Linux kernel with this practical guide for systems engineers. You’ll not only dive into the BPF program lifecycle but also learn to write applications that observe and modify the kernel’s behavior; inject code to monitor, trace, and securely observe events in the kernel; and more.
Authors David Calavera and Lorenzo Fontana help you harness the power of BPF to make any computing system more observable. Familiarize yourself with the essential concepts you’ll use on a day-to-day basis and augment your knowledge about performance optimization, networking, and security. Then see how it all comes together with code examples in C, Go, and Python.
• Write applications that use BPF to observe and modify the Linux kernel’s behavior on demand
• Inject code to monitor, trace, and observe events in the kernel in a secure way—no need to recompile the kernel or reboot the system
• Explore code examples in C, Go, and Python
• Gain a more thorough understanding of the BPF program lifecycle
Author(s): David Calavera, Lorenzo Fontana
Edition: 1
Publisher: O’Reilly Media
Year: 2019
Language: English
Pages: 180
City: Sebastopol, CA
Table of Contents

Copyright
Foreword
Preface
  Conventions Used in This Book
  Using Code Examples
  O’Reilly Online Learning
  How to Contact Us
  Acknowledgments
Chapter 1. Introduction
  BPF’s History
  Architecture
  Conclusion
Chapter 2. Running Your First BPF Programs
  Writing BPF Programs
  BPF Program Types
    Socket Filter Programs
    Kprobe Programs
    Tracepoint Programs
    XDP Programs
    Perf Event Programs
    Cgroup Socket Programs
    Cgroup Open Socket Programs
    Socket Option Programs
    Socket Map Programs
    Cgroup Device Programs
    Socket Message Delivery Programs
    Raw Tracepoint Programs
    Cgroup Socket Address Programs
    Socket Reuseport Programs
    Flow Dissection Programs
    Other BPF Programs
  The BPF Verifier
  BPF Type Format
  BPF Tail Calls
  Conclusion
Chapter 3. BPF Maps
  Creating BPF Maps
    ELF Conventions to Create BPF Maps
  Working with BPF Maps
    Updating Elements in a BPF Map
    Reading Elements from a BPF Map
    Removing an Element from a BPF Map
    Iterating Over Elements in a BPF Map
    Looking Up and Deleting Elements
    Concurrent Access to Map Elements
  Types of BPF Maps
    Hash-Table Maps
    Array Maps
    Program Array Maps
    Perf Events Array Maps
    Per-CPU Hash Maps
    Per-CPU Array Maps
    Stack Trace Maps
    Cgroup Array Maps
    LRU Hash and Per-CPU Hash Maps
    LPM Trie Maps
    Array of Maps and Hash of Maps
    Device Map Maps
    CPU Map Maps
    Open Socket Maps
    Socket Array and Hash Maps
    Cgroup Storage and Per-CPU Storage Maps
    Reuseport Socket Maps
    Queue Maps
    Stack Maps
  The BPF Virtual Filesystem
  Conclusion
Chapter 4. Tracing with BPF
  Probes
    Kernel Probes
    Tracepoints
    User-Space Probes
    User Statically Defined Tracepoints
  Visualizing Tracing Data
    Flame Graphs
    Histograms
    Perf Events
  Conclusion
Chapter 5. BPF Utilities
  BPFTool
    Installation
    Feature Display
    Inspecting BPF Programs
    Inspecting BPF Maps
    Inspecting Programs Attached to Specific Interfaces
    Loading Commands in Batch Mode
    Displaying BTF Information
  BPFTrace
    Installation
    Language Reference
    Filtering
    Dynamic Mapping
  kubectl-trace
    Installation
    Inspecting Kubernetes Nodes
  eBPF Exporter
    Installation
    Exporting Metrics from BPF
  Conclusion
Chapter 6. Linux Networking and BPF
  BPF and Packet Filtering
    tcpdump and BPF Expressions
    Packet Filtering for Raw Sockets
  BPF-Based Traffic Control Classifier
    Terminology
    Traffic Control Classifier Program Using cls_bpf
    Differences Between Traffic Control and XDP
  Conclusion
Chapter 7. Express Data Path
  XDP Programs Overview
    Operation Modes
    The Packet Processor
    XDP and iproute2 as a Loader
    XDP and BCC
  Testing XDP Programs
    XDP Testing Using the Python Unit Testing Framework
  XDP Use Cases
    Monitoring
    DDoS Mitigation
    Load Balancing
    Firewalling
  Conclusion
Chapter 8. Linux Kernel Security, Capabilities, and Seccomp
  Capabilities
  Seccomp
    Seccomp Errors
    Seccomp BPF Filter Example
  BPF LSM Hooks
  Conclusion
Chapter 9. Real-World Use Cases
  Sysdig eBPF God Mode
  Flowmill
Index
About the Authors
Colophon