Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security
- Length: 234 pages
- Edition: 1
- Language: English
- Publisher: O'Reilly Media
- Publication Date: 2023-04-18
- ISBN-10: 1098135121
- ISBN-13: 9781098135126
- Sales Rank: #193712
What is eBPF? With this revolutionary technology, you can write custom code that dynamically changes the way the kernel behaves. It’s an extraordinary platform for building a whole new generation of security, observability, and networking tools.
This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer with cloud native networking and security specialists Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves.
With this book, you will:
- Learn why eBPF has become so important in the past couple of years
- Write basic eBPF code, and manipulate eBPF programs and attach them to events
- Explore how eBPF components interact with Linux to dynamically change the operating system’s behavior
- Learn how tools based on eBPF can instrument applications without changes to the apps or their configuration
- Discover how this technology enables new tools for observability, security, and networking
Table of Contents
- Preface: Who This Book Is For; What This Book Covers; Prerequisite Knowledge; Example Code and Exercises; Is eBPF Only for Linux?; Conventions Used in This Book; Using Code Examples; O’Reilly Online Learning; How to Contact Us; Acknowledgments
- 1. What Is eBPF, and Why Is It Important?: eBPF’s Roots: The Berkeley Packet Filter; From BPF to eBPF; The Evolution of eBPF to Production Systems; Naming Is Hard; The Linux Kernel; Adding New Functionality to the Kernel; Kernel Modules; Dynamic Loading of eBPF Programs; High Performance of eBPF Programs; eBPF in Cloud Native Environments; Summary
- 2. eBPF’s “Hello World”: BCC’s “Hello World”; Running “Hello World”; BPF Maps; Hash Table Map; Perf and Ring Buffer Maps; Function Calls; Tail Calls; Summary; Exercises
- 3. Anatomy of an eBPF Program: The eBPF Virtual Machine; eBPF Registers; eBPF Instructions; eBPF “Hello World” for a Network Interface; Compiling an eBPF Object File; Inspecting an eBPF Object File; Loading the Program into the Kernel; Inspecting the Loaded Program; The BPF Program Tag; The Translated Bytecode; The JIT-Compiled Machine Code; Attaching to an Event; Global Variables; Detaching the Program; Unloading the Program; BPF to BPF Calls; Summary; Exercises
- 4. The bpf() System Call: Loading BTF Data; Creating Maps; Loading a Program; Modifying a Map from User Space; BPF Program and Map References; Pinning; BPF Links; Additional Syscalls Involved in eBPF; Initializing the Perf Buffer; Attaching to Kprobe Events; Setting Up and Reading Perf Events; Ring Buffers; Reading Information from a Map; Finding a Map; Reading Map Elements; Summary; Exercises
- 5. CO-RE, BTF, and Libbpf: BCC’s Approach to Portability; CO-RE Overview; BPF Type Format; BTF Use Cases; Listing BTF Information with bpftool; BTF Types; Maps with BTF Information; BTF Data for Functions and Function Prototypes; Inspecting BTF Data for Maps and Programs; Generating a Kernel Header File; CO-RE eBPF Programs; Header Files (Kernel header information; Headers from libbpf; Application-specific headers); Defining Maps; eBPF Program Sections; Memory Access with CO-RE; License Definition; Compiling eBPF Programs for CO-RE; Debug Information; Optimization; Target Architecture; Makefile; BTF Information in the Object File; BPF Relocations; CO-RE User Space Code; The Libbpf Library for User Space; BPF Skeletons (Loading programs and maps into the kernel; Accessing existing maps; Attaching to events; Managing an event buffer); Libbpf Code Examples; Summary; Exercises
- 6. The eBPF Verifier: The Verification Process; The Verifier Log; Visualizing Control Flow; Validating Helper Functions; Helper Function Arguments; Checking the License; Checking Memory Access; Checking Pointers Before Dereferencing Them; Accessing Context; Running to Completion; Loops; Checking the Return Code; Invalid Instructions; Unreachable Instructions; Summary; Exercises
- 7. eBPF Program and Attachment Types: Program Context Arguments; Helper Functions and Return Codes; Kfuncs; Tracing; Kprobes and Kretprobes (Attaching kprobes to syscall entry points; Attaching kprobes to other kernel functions); Fentry/Fexit; Tracepoints; BTF-Enabled Tracepoints; User Space Attachments; LSM; Networking; Sockets; Traffic Control; XDP; Flow Dissector; Lightweight Tunnels; Cgroups; Infrared Controllers; BPF Attachment Types; Summary; Exercises
- 8. eBPF for Networking: Packet Drops; XDP Program Return Codes; XDP Packet Parsing; Load Balancing and Forwarding; XDP Offloading; Traffic Control (TC); Packet Encryption and Decryption; User Space SSL Libraries; eBPF and Kubernetes Networking; Avoiding iptables; Coordinated Network Programs; Network Policy Enforcement; Encrypted Connections; Summary; Exercises and Further Reading
- 9. eBPF for Security: Security Observability Requires Policy and Context; Using System Calls for Security Events; Seccomp; Generating Seccomp Profiles; Syscall-Tracking Security Tools; BPF LSM; Cilium Tetragon; Attaching to Internal Kernel Functions; Preventative Security; Network Security; Summary
- 10. eBPF Programming: Bpftrace; Language Choices for eBPF in the Kernel; BCC Python/Lua/C++; C and Libbpf; Go (Gobpf; Ebpf-go; Libbpfgo); Rust (Libbpf-rs; Redbpf; Aya; Rust-bcc); Testing BPF Programs; Multiple eBPF Programs; Summary; Exercises
- 11. The Future Evolution of eBPF: The eBPF Foundation; eBPF for Windows; Linux eBPF Evolution; eBPF Is a Platform, Not a Feature; Conclusion
- Index
How to download the source code
1. Go to: https://www.oreilly.com/
2. Search for the book title: Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security. If the full title returns no results, search for the main title only.
3. Click the book title in the search results.
4. In the Publisher resources section, click Download Example Code.