Skip to content

Instantly share code, notes, and snippets.

@kubosuke

kubosuke/[WIP]eBPF.md

Last active January 14, 2024 09:11
Show Gist options
  • Save kubosuke/f9f30ec9ca5d7eae49eecf976e5985e9 to your computer and use it in GitHub Desktop.
Save kubosuke/f9f30ec9ca5d7eae49eecf976e5985e9 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
[WIP]eBPF.md

What's eBPF?

kernel technology that allows developers to write custom codes that can be loaded into the kernel dynamically.

it's used for:

  • performance tracing
  • networking
  • detecting malicious activity

BPF stands for Berkeley Packet Filterting, first described in 1993 paper written by Berkeley.

ldh     [12] 
jeq     #ETHERTYPE IP, L1, L2 
L1:     ret     #TRUE 
L2:     ret     #0

we can load the eBPF dynamically, no need to reboot, rebuild

it evolves to what we call - eBPF, when kernel version 3.18 in 2014.

Linux kernel summary

  • kernel: software layer between our application runs (user space) and the hardware.
  • user application cannot accesss hw directly, we're accessing the hw via the kernel,
    • r/w files
    • accessing memory
    • r/s network packets

By using eBPF, we can intercept the system call from userspace applications (ex. what file application try to r/w)

Cloud native application and eBPF

eBPF is very useful for the Cloud-Native environment, these days many applications are running on the Cloud Services, that is, Fargate, GKE etc. these workload is working on the server at last, and if we apply the eBPF to the workload, we can observer the behaviours of all workloads that running on the same server.

as similar technology, service mesh, sidecar container exist, but they have some downside:

  • the application pod has to be restarted for the sidecar to be added
  • we may need to modify YAML configs to apply sidecar
  • performance issue as below:

image

https://learning.oreilly.com/library/view/learning-ebpf/9781098135119/ch01.html#high_performance_of_ebpf_programs

eBPF hello world

#!/usr/bin/python  
from bcc import BPF

program = r"""
int hello(void *ctx) {
    bpf_trace_printk("Hello World!");
    return 0;
}
"""

b = BPF(text=program)
syscall = b.get_syscall_fnname("execve")
b.attach_kprobe(event=syscall, fn_name="hello")

b.trace_print()

here's the source code written in C:

int hello(void *ctx) {
    bpf_trace_printk("Hello World!");
    return 0;
}

all the eBPF program does is use a helper funtion, bpf_trace_printk() to write a message

then,

syscall = b.get_syscall_fnname("execve")
b.attach_kprobe(event=syscall, fn_name="hello")

at here, we're getting the target system probe and create trap fot it via kprobe .

at this point, eBPF program is loaded into the kernel. after that, by b.trace_print(), we can print the output from the kernel.

image

https://learning.oreilly.com/library/view/learning-ebpf/9781098135119/ch02.html#running_quotation_markhello_worldquotat

execute sample:

image

eBPF map

map is a data structure that can be accessed from the eBPF/userspace applications. it's used for:

  • storing configuration data
  • communicate between other eBPF
  • store results/metrics for let userspace application read them

https://github.com/kubosuke/ebpf-playground/blob/main/counter.py

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment