Learning eBPF
This repo accompanies my new book Learning eBPF (published by O'Reilly).
Buy your copy of the book from Bookshop.org or Amazon, view it on the O'Reilly platform, or download a copy from Isovalent.
Running the example code
The repo includes the example eBPF programs discussed in the book.
I've also provided a Lima config file with the packages you need for building the code pre-installed.
If you have a Linux machine or VM to hand, feel free to use that instead of Lima, using the learning-ebpf.yaml file as a guide for the packages you'll need to install. The minimum kernel version required varies from chapter to chapter. All these examples have been tested on an Ubuntu 22.04 distribution using a 5.15 kernel.
Install this repo
git clone --recurse-submodules https://github.com/lizrice/learning-ebpf
cd learning-ebpf
Lima VM
limactl start learning-ebpf.yaml
limactl shell learning-ebpf
# You'll need to be root for most of the examples
sudo -s
Building libbpf and installing header files
Libbpf is included as a submodule in this repo. You'll need to build and install it for the C-based examples to build correctly. (See libbpf/README.md for more details.)
cd libbpf/src
make install
cd ../..
Building bpftool
There are several examples using bpftool throughout the book. To get a version with libbfd support (which you'll need if you want to see the jited code in the Chapter 3 examples) you might need to build it from source:
cd ..
git clone --recurse-submodules https://github.com/libbpf/bpftool.git
cd bpftool/src
make install
bpftool binaries are now also available from https://github.com/libbpf/bpftool/releases.
Examples
You won't be surprised to learn that the directories correspond to chapters in the book. Here are the different examples that accompany each chapter.
- Chapter 1: What Is eBPF and Why Is It Important?
- Chapter 2: eBPF's "Hello World" - Basic examples using the BCC framework.
- Chapter 3: Anatomy of an eBPF Program - C-based XDP examples, used in the book to explore how the source code gets transformed to eBPF bytecode and machine code. There's also an example of BPF to BPF function calls.
- Chapter 4: The bpf() System Call - More BCC-based examples, used in the book to illustrate what's happening at the syscall level when you use eBPF.
- Chapter 5: CO-RE, BTF and Libbpf - Libbpf-based C example code.
- Chapter 6: The eBPF Verifier - Make small edits to the example code to cause a variety of verifier errors!
- Chapter 7: eBPF Program and Attachment Types - Examples of different eBPF program types.
- Chapter 8: eBPF for Networking - Example code that attaches to various points in the network stack to interfere with ping and curl requests. A load balancer example is coming soon.
- Chapter 9: eBPF for Security - coming soon
- Chapter 10: eBPF Programming - The book explores examples from various eBPF libraries.
- Chapter 11: The Future Evolution of eBPF
There are no code examples for Chapters 1 and 11.
Privileges
You'll need root privileges (well, strictly CAP_BPF and additional privileges) to be able to load BPF programs into the kernel. sudo -s is your friend.
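To see which of these capabilities a shell actually holds before trying to load a program, the following added example (not part of this repo) decodes the CapEff mask from /proc. The function names are hypothetical, the bit numbers come from linux/capability.h, and the choice of CAP_PERFMON, CAP_NET_ADMIN and CAP_SYS_ADMIN as the "additional privileges" to report is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the repo): report the eBPF-relevant capabilities
# present in an effective capability mask (CapEff in /proc/<pid>/status).

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN=12   # typically needed for networking program types
CAP_SYS_ADMIN=21   # the catch-all that CAP_BPF was split out of
CAP_PERFMON=38     # Linux 5.8+, typically needed for tracing program types
CAP_BPF=39         # Linux 5.8+

# has_cap HEXMASK BIT -> exit status 0 if BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_of STATUS_FILE -> prints the CapEff hex mask found in the file.
cap_eff_of() {
    awk '$1 == "CapEff:" { print $2 }' "$1"
}

# bpf_cap_report HEXMASK -> one line per capability: "<name> yes|no".
bpf_cap_report() {
    for entry in CAP_BPF:$CAP_BPF CAP_PERFMON:$CAP_PERFMON \
                 CAP_NET_ADMIN:$CAP_NET_ADMIN CAP_SYS_ADMIN:$CAP_SYS_ADMIN; do
        name=${entry%%:*}
        bit=${entry##*:}
        if has_cap "$1" "$bit"; then
            echo "$name yes"
        else
            echo "$name no"
        fi
    done
}

# When run on Linux, report on the current shell's own effective set.
if [ -r "/proc/$$/status" ]; then
    mask=$(cap_eff_of "/proc/$$/status")
    if [ -n "$mask" ]; then
        bpf_cap_report "$mask"
    fi
fi
```

Run it once as your normal user and once after sudo -s to compare the two effective sets.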
View eBPF trace output
A couple of ways to see the output from the kernel's trace pipe where eBPF tracing gets written:
cat /sys/kernel/debug/tracing/trace_pipe
bpftool prog tracelog
Installing on other Linux distributions
As noted above, I've tested these examples using Ubuntu 22.04 and a 5.15 kernel. If you're using a different distribution and / or kernel version you might run into incompatibilities between various packages and dependencies. For example:
- My installation uses Clang 14. If you're using Clang 15 or later (which you can check with clang --version) you'll need BCC version 0.27.0 or later.
Corrections
I'd love to hear if you find corrections and improvements for these examples. Issues and PRs are welcome!