Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security

Length: 234 pages
Edition: 1
Language: English
Publisher: O'Reilly Media
Publication Date: 2023-04-18
ISBN-10: 1098135121
ISBN-13: 9781098135126
Sales Rank: #193712 (See Top 100 Books)

What is eBPF? With this revolutionary technology, you can write custom code that dynamically changes the way the kernel behaves. It’s an extraordinary platform for building a whole new generation of security, observability, and networking tools.

This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer with cloud native networking and security specialists Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves.

With this book, you will:

Learn why eBPF has become so important in the past couple of years
Write basic eBPF code, and manipulate eBPF programs and attach them to events
Explore how eBPF components interact with Linux to dynamically change the operating system’s behavior
Learn how tools based on eBPF can instrument applications without changes to the apps or their configuration
Discover how this technology enables new tools for observability, security, and networking

Preface
    Who This Book Is For
    What This Book Covers
    Prerequisite Knowledge
    Example Code and Exercises
    Is eBPF Only for Linux?
    Conventions Used in This Book
    Using Code Examples
    O’Reilly Online Learning
    How to Contact Us
    Acknowledgments
1. What Is eBPF, and Why Is It Important?
    eBPF’s Roots: The Berkeley Packet Filter
    From BPF to eBPF
    The Evolution of eBPF to Production Systems
    Naming Is Hard
    The Linux Kernel
    Adding New Functionality to the Kernel
    Kernel Modules
    Dynamic Loading of eBPF Programs
    High Performance of eBPF Programs
    eBPF in Cloud Native Environments
    Summary
2. eBPF’s “Hello World”
    BCC’s “Hello World”
    Running “Hello World”
    BPF Maps
        Hash Table Map
        Perf and Ring Buffer Maps
        Function Calls
        Tail Calls
    Summary
    Exercises
3. Anatomy of an eBPF Program
    The eBPF Virtual Machine
        eBPF Registers
        eBPF Instructions
    eBPF “Hello World” for a Network Interface
    Compiling an eBPF Object File
    Inspecting an eBPF Object File
    Loading the Program into the Kernel
    Inspecting the Loaded Program
        The BPF Program Tag
        The Translated Bytecode
        The JIT-Compiled Machine Code
    Attaching to an Event
    Global Variables
    Detaching the Program
    Unloading the Program
    BPF to BPF Calls
    Summary
    Exercises
4. The bpf() System Call
    Loading BTF Data
    Creating Maps
    Loading a Program
    Modifying a Map from User Space
    BPF Program and Map References
        Pinning
        BPF Links
    Additional Syscalls Involved in eBPF
        Initializing the Perf Buffer
        Attaching to Kprobe Events
        Setting Up and Reading Perf Events
    Ring Buffers
    Reading Information from a Map
        Finding a Map
        Reading Map Elements
    Summary
    Exercises
5. CO-RE, BTF, and Libbpf
    BCC’s Approach to Portability
    CO-RE Overview
    BPF Type Format
        BTF Use Cases
        Listing BTF Information with bpftool
        BTF Types
        Maps with BTF Information
        BTF Data for Functions and Function Prototypes
        Inspecting BTF Data for Maps and Programs
    Generating a Kernel Header File
    CO-RE eBPF Programs
        Header Files
            Kernel header information
            Headers from libbpf
            Application-specific headers
        Defining Maps
        eBPF Program Sections
        Memory Access with CO-RE
        License Definition
    Compiling eBPF Programs for CO-RE
        Debug Information
        Optimization
        Target Architecture
        Makefile
        BTF Information in the Object File
    BPF Relocations
    CO-RE User Space Code
    The Libbpf Library for User Space
        BPF Skeletons
            Loading programs and maps into the kernel
            Accessing existing maps
            Attaching to events
            Managing an event buffer
        Libbpf Code Examples
    Summary
    Exercises
6. The eBPF Verifier
    The Verification Process
    The Verifier Log
    Visualizing Control Flow
    Validating Helper Functions
    Helper Function Arguments
    Checking the License
    Checking Memory Access
    Checking Pointers Before Dereferencing Them
    Accessing Context
    Running to Completion
    Loops
    Checking the Return Code
    Invalid Instructions
    Unreachable Instructions
    Summary
    Exercises
7. eBPF Program and Attachment Types
    Program Context Arguments
    Helper Functions and Return Codes
    Kfuncs
    Tracing
        Kprobes and Kretprobes
            Attaching kprobes to syscall entry points
            Attaching kprobes to other kernel functions
        Fentry/Fexit
        Tracepoints
        BTF-Enabled Tracepoints
        User Space Attachments
        LSM
    Networking
        Sockets
        Traffic Control
        XDP
        Flow Dissector
        Lightweight Tunnels
        Cgroups
        Infrared Controllers
    BPF Attachment Types
    Summary
    Exercises
8. eBPF for Networking
    Packet Drops
        XDP Program Return Codes
        XDP Packet Parsing
    Load Balancing and Forwarding
    XDP Offloading
    Traffic Control (TC)
    Packet Encryption and Decryption
        User Space SSL Libraries
    eBPF and Kubernetes Networking
        Avoiding iptables
        Coordinated Network Programs
        Network Policy Enforcement
        Encrypted Connections
    Summary
    Exercises and Further Reading
9. eBPF for Security
    Security Observability Requires Policy and Context
    Using System Calls for Security Events
        Seccomp
        Generating Seccomp Profiles
        Syscall-Tracking Security Tools
    BPF LSM
    Cilium Tetragon
        Attaching to Internal Kernel Functions
        Preventative Security
    Network Security
    Summary
10. eBPF Programming
    Bpftrace
    Language Choices for eBPF in the Kernel
    BCC Python/Lua/C++
    C and Libbpf
        Go
        Gobpf
        Ebpf-go
        Libbpfgo
    Rust
        Libbpf-rs
        Redbpf
        Aya
        Rust-bcc
    Testing BPF Programs
    Multiple eBPF Programs
    Summary
    Exercises
11. The Future Evolution of eBPF
    The eBPF Foundation
    eBPF for Windows
    Linux eBPF Evolution
    eBPF Is a Platform, Not a Feature
    Conclusion
Index

Donate to keep this site alive

To access the Link, solve the captcha.

How to download source code?

1. Go to: https://www.oreilly.com/

2. Search the book title: Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security, sometime you may not get the results, please search the main title

3. Click the book title in the search results

3. Publisher resources section, click Download Example Code.

1. Disable the AdBlock plugin. Otherwise, you may not get any links.

2. Solve the CAPTCHA.

3. Click download link.

4. Lead to download server to download.

Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security

How to download source code?

Programming Ruby 3.3: The Pragmatic Programmers' Guide

Python Programming for Beginners: The Definitive Guide, With Hands-On Exercises and Secret Coding Tips, to Master Python in Just One Week and Get Your Dream Job!

Computer Graphics Programming in OpenGL with C++, 2nd Edition

Mathematics for Computer Graphics and Game Programming: A Self-Teaching Introduction

Generative AI for Cloud Solutions: Architect modern AI LLMs in secure, scalable, and ethical cloud environments

Bootstrapping Microservices, 2nd Edition: With Docker, Kubernetes, GitHub Actions, and Terraform