Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beginner's Guide to eBPF programming with Go

Liz Rice
February 09, 2021
Programming
0
1.3k

Beginner's Guide to eBPF programming with Go

Writing eBPF programs using libbpfgo to implement the userspace code in Go

Here's the example code

Liz Rice

February 09, 2021
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
240
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
140
When is a Secure Connection not encrypted? And other stories
lizrice
1
63
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
570
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
43

Other Decks in Programming

See All in Programming
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
160
CSC509 Lecture 09
javiergs
PRO
0
140
Less waste, more joy, and a lot more green: How Quarkus makes Java better
hollycummins
0
100
Ethereum_.pdf
nekomatu
0
460
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
610
as(型アサーション)を書く前にできること
marokanatani
9
2.6k
CSC509 Lecture 12
javiergs
PRO
0
160
現場で役立つモデリング 超入門
masuda220
PRO
15
3.2k
광고 소재 심사 과정에 AI를 도입하여 광고 서비스 생산성 향상시키기
kakao
PRO
0
170
Jakarta EE meets AI
ivargrimstad
0
130
エンジニアとして関わる要件と仕様(公開用)
murabayashi
0
280

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
A designer walks into a library…
pauljervisheath
203
24k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Teambox: Starting and Learning
jrom
133
8.8k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Code Review Best Practice
trishagee
64
17k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k

Transcript

  1. © 2020 Aqua Security Software Ltd., All Rights Reserved with

    Go
  2. None

  3. man bpf The bpf() system call performs a range of

    operations related to extended Berkeley Packet Filters. Extended BPF (or eBPF) is similar to the original ("classic") BPF (cBPF) used to filter network packets. For both cBPF and eBPF programs, the kernel statically analyzes the programs before loading them, in order to ensure that they cannot harm the running system.

  4. userspace kernel syscalls app eBPF program

  5. None
  6. None

  7. $ sudo strace -e bpf bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm]

    = count(); }'

  8. $ sudo strace -e bpf bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm]

    = count(); }' bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=4, value_size=4, max_entrie bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERCPU_HASH, key_size=16, value_size=8, max bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERCPU_HASH, key_size=16, value_size=8, max bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, Attaching 1 probe... bpf(BPF_MAP_UPDATE_ELEM, {map_fd=4, key=0x7ffcdab0dfcc, value=0x7ffcdab0dfd0, flags=BP bpf(BPF_MAP_UPDATE_ELEM, {map_fd=4, key=0x7ffcdab0dfcc, value=0x7ffcdab0dfd0, flags=BP bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_TRACEPOINT, insn_cnt=27, insns=0x7f86f16b3

  9. $ sudo strace -e bpf bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm]

    = count(); }' bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=4, value_size=4, max_entrie bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERCPU_HASH, key_size=16, value_size=8, max bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERCPU_HASH, key_size=16, value_size=8, max bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, Attaching 1 probe... bpf(BPF_MAP_UPDATE_ELEM, {map_fd=4, key=0x7ffcdab0dfcc, value=0x7ffcdab0dfd0, flags=BP bpf(BPF_MAP_UPDATE_ELEM, {map_fd=4, key=0x7ffcdab0dfcc, value=0x7ffcdab0dfd0, flags=BP bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_TRACEPOINT, insn_cnt=27, insns=0x7f86f16b3 ^C @[vmstats]: 2 @[systemd-journal]: 5 @[sudo]: 7 @[multipathd]: 9 @[containerd]: 10 @[bpftrace]: 16 ...

  10. bpf(BPF_PROG_LOAD, …) bpf(BPF_MAP_CREATE, …)

  11. man bpf eBPF programs can be written in a restricted

    C that is compiled (using the clang compiler) into eBPF bytecode. Various features are omitted from this restricted C, such as loops, global variables, variadic functions, floating-point numbers, and passing structures as function arguments.

  12. man bpf eBPF programs can be written in a restricted

    C that is compiled (using the clang compiler) into eBPF bytecode. Various features are omitted from this restricted C, such as loops, global variables, variadic functions, floating-point numbers, and passing structures as function arguments. [eBPF Helper functions] are used by eBPF programs to interact with the system, or with the context in which they work. For instance, they can be used to print debugging messages... bpf_trace_printk() bpf_get_current_comm() bpf_perf_event_output() ...

  13. man bpf Maps are a generic data structure for storage

    of different types of data. They allow sharing of data between eBPF kernel programs, and also between kernel and user-space applications.

  14. eBPF programs are event-driven and are run when the kernel

    or an application passes a certain hook point. Pre-defined hooks include system calls, function entry/exit, kernel tracepoints, network events, and several others. If a predefined hook does not exist for a particular need, it is possible to create a kernel probe (kprobe) or user probe (uprobe) to attach eBPF programs almost anywhere in kernel or user applications.

  15. $ sudo strace -e bpf,perf_event_open,ioctl bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm]

    = count(); }' bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_ARRAY, key_size=4, value_size=4, max_entrie bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERCPU_HASH, key_size=16, value_size=8, max ... bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_TRACEPOINT, prog_name="sys_enter", ... attach_prog_fd=0}, 120) = 9 perf_event_open({type=PERF_TYPE_TRACEPOINT, size=0, ...) = 8 ioctl(8, PERF_EVENT_IOC_SET_BPF, 9) = 0

  16. bpf(BPF_PROG_LOAD, …) = x perf_event_open(…) = y ioctl(y, PERF_EVENT_IOC_SET_BPF, x)

  17. None

  18. userspace kernel syscalls app eBPF program written in C written

    in our choice of language BPF library compiled by clang

  19. clang & llvm wrapper for bpf() syscalls load eBPF object

    file

  20. verifier BPF vm maps

  21. TARGET := hello TARGET_BPF := $(TARGET).bpf.o GO_SRC := $(shell find

    . -type f -name '*.go') BPF_SRC := $(shell find . -type f -name '*.bpf.c') ... .PHONY: all all: $(TARGET) $(TARGET_BPF) go_env := CC=clang CGO_CFLAGS="-I $(LIBBPF_HEADERS)" CGO_LDFLAGS="$(LIBBPF_OBJ)" $(TARGET): $(GO_SRC) $(go_env) go build -o $(TARGET) $(TARGET_BPF): $(BPF_SRC) clang -I /usr/include/x86_64-linux-gnu \ -O2 -c -target bpf \ -o $@ $< github.com/lizrice/libbpfgo-beginners
  22. None

  23. SEC("kprobe/sys_execve") int hello(void *ctx) { bpf_printk("I'm alive!"); return 0; }

    github.com/lizrice/libbpfgo-beginners

  24. func doEbpf() { sig := make(chan os.Signal, 1) signal.Notify(sig, os.Interrupt)

    b, _ := bpf.NewModuleFromFile("hello.bpf.o") defer b.Close() b.BPFLoadObject() p, _ := bpfModule.GetProgram("hello") p.AttachKprobe("__x64_sys_execve") go bpf.TracePrint() <-sig } github.com/lizrice/libbpfgo-beginners

  25. Maps are a generic data structure for storage of different

    types of data. They allow sharing of data between eBPF kernel programs, and also between kernel and user-space applications. Each map type has the following attributes: * type * maximum number of elements * key size in bytes * value size in bytes BPF_MAP_TYPE_UNSPEC BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_PROG_ARRAY BPF_MAP_TYPE_PERF_EVENT_ARRAY BPF_MAP_TYPE_PERCPU_HASH BPF_MAP_TYPE_PERCPU_ARRAY BPF_MAP_TYPE_STACK_TRACE BPF_MAP_TYPE_CGROUP_ARRAY BPF_MAP_TYPE_LRU_HASH BPF_MAP_TYPE_LRU_PERCPU_HASH BPF_MAP_TYPE_LPM_TRIE BPF_MAP_TYPE_ARRAY_OF_MAPS BPF_MAP_TYPE_HASH_OF_MAPS BPF_MAP_TYPE_DEVMAP BPF_MAP_TYPE_SOCKMAP BPF_MAP_TYPE_CPUMAP

  26. bpf_perf_event_output() Write raw data blob into a special BPF perf

    event held by map of type BPF_MAP_TYPE_PERF_EVENT_ARRAY.

  27. BPF_PERF_OUTPUT(events); SEC("kprobe/sys_execve") int hello(void *ctx) { u64 data = 1337;

    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(u64)); return 0; } github.com/lizrice/libbpfgo-beginners

  28. func main() { ... e := make(chan []byte, 300) pb,

    _ := b.InitPerfBuf("events", e, nil, 1024) pb.Start() go func() { for data := <-e { val := binary.LittleEndian.Uint64(data) fmt.Printf(“data %d\n”, data) } }() <-sig pb.Stop() } github.com/lizrice/libbpfgo-beginners

  29. bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count();}'

  30. BPF_PERF_OUTPUT(events); SEC("raw_tracepoint/sys_enter") int hello(void *ctx) { char data[100]; bpf_get_current_comm(&data, 100);

    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, 100); return 0; } github.com/lizrice/libbpfgo-beginners

  31. func main() { ... prog.AttachRawTracepoint("sys_enter") ... c := make(map[string]int, 300)

    go func() { for data := range e { comm := string(data) c[comm]++ } }() <-sig pb.Stop() for comm, n := range c { fmt.Printf("%s: %d\n", comm, n) } } github.com/lizrice/libbpfgo-beginners
  32. None