Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beginner's Guide to eBPF

Liz Rice
October 28, 2020
Programming
3
3.7k

Beginner's Guide to eBPF

As seen at eBPF summit

See also github.com/lizrice/ebpf-beginners

Liz Rice

October 28, 2020
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
8
eBPF's Abilities and Limitations: The Truth
lizrice
0
17
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
9
When is a Secure Connection not encrypted? And other stories
lizrice
1
17
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
450
How Many Proxies Do You Need
lizrice
1
100
eBPF for Security Observability
lizrice
0
1k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
1.9k
Contributing to Open Source - what's in it for my business?
lizrice
0
35

Other Decks in Programming

See All in Programming
Folding Cheat Sheet #3
philipschwarz
PRO
0
110
15分間でふんわり理解するDocker @ Matsuriba MAX
ukwhatn
PRO
1
410
デザインシステムで Tailwind CSSとCSS in JSに分散投資をしたら良かった話
fsubal
18
4.8k
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
320
どうしてこうなった命名集 ~🔥編~ / OOC 2024 LT
pictiny
5
3.9k
9年開発を牽引して見えてきた、共通化すべきものと個別でつくるもの ~プログラム言語~
shinout
1
630
try! Swift Tokyo 初参加報告LT
hinakko2
0
160
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
320
SpringBoot+MyBatisで例外が出たときどこを見るか
syukai
0
110
両面どころかインフラもTSでできるよ ~ 全方位TypeScriptによるプロダクト開発 ~
myfinder
9
3.2k
せっかくモデル図描くのなら、 嬉しいことが多い方がいいよね!
kuboaki
1
3k
Folding Cheat Sheet #1
philipschwarz
PRO
0
200

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
13
3.8k
Practical Orchestrator
shlominoach
180
9.7k
The Invisible Side of Design
smashingmag
293
49k
GraphQLの誤解/rethinking-graphql
sonatard
49
9.2k
The Power of CSS Pseudo Elements
geoffreycrofte
58
5k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2.3k
Making the Leap to Tech Lead
cromwellryan
123
8.5k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
153
14k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
73
41k
Building Applications with DynamoDB
mza
88
5.6k
Building Adaptive Systems
keathley
29
1.8k

Transcript

  1. A Beginner’s Guide to eBPF Programming Liz Rice @lizrice VP

    Open Source Engineering, Aqua Security October 28, 2020

  2. @lizrice Run custom code in the kernel

  3. @lizrice userspace kernel syscalls app eBPF program

  4. @lizrice man bpf eBPF programs can be written in a

    restricted C that is compiled (using the clang compiler) into eBPF bytecode. Various features are omitted from this restricted C, such as loops, global variables, variadic functions, floating-point numbers, and passing structures as function arguments.

  5. @lizrice man bpf eBPF programs can be written in a

    restricted C that is compiled (using the clang compiler) into eBPF bytecode. Various features are omitted from this restricted C, such as loops, global variables, variadic functions, floating-point numbers, and passing structures as function arguments. [eBPF Helper functions] are used by eBPF programs to interact with the system, or with the context in which they work. For instance, they can be used to print debugging messages... bpf_trace_printk() bpf_get_current_uid_gid() ...

  6. @lizrice man bpf Maps are a generic data structure for

    storage of different types of data. They allow sharing of data between eBPF kernel programs, and also between kernel and user-space applications.

  7. @lizrice man bpf Maps are a generic data structure for

    storage of different types of data. They allow sharing of data between eBPF kernel programs, and also between kernel and user-space applications. eBPF programs can be attached to different events.

  8. @lizrice

  9. @lizrice Explore bpf syscalls in bpftrace

  10. @lizrice eBPF programs & maps bpf(BPF_PROG_LOAD, …) bpf(BPF_MAP_CREATE, …)

  11. @lizrice Attach custom code to an event bpf(BPF_PROG_LOAD, …) =

    x perf_event_open(…) = y ioctl(y, PERF_EVENT_IOC_SET_BPF, x)

  12. @lizrice eBPF hello world

  13. @lizrice #!/usr/bin/python from bcc import BPF prog = """ int

    helloworld(void *ctx) { bpf_trace_printk("Hello world\\n"); return 0; } """ b = BPF(text=prog) clone = b.get_syscall_fnname("clone") b.attach_kprobe(event=clone, fn_name="helloworld") b.trace_print() github.com/lizrice/ebpf-beginners

  14. @lizrice #!/usr/bin/python from bcc import BPF from time import sleep

    prog = """ BPF_HASH(clones); int hello_world(void *ctx) { u64 uid; u64 counter = 0; u64 *p; uid = bpf_get_current_uid_gid() & 0xFFFFFFFF; p = clones.lookup(&uid); if (p != 0) { counter = *p; } counter++; clones.update(&uid, &counter); return 0; } """ b = BPF(text=prog) clone = b.get_syscall_fnname("clone") b.attach_kprobe(event=clone, fn_name="helloworld") while True: sleep(2) s = "" if len(b["clones"].items()): for k,v in b["clones"].items(): s += "ID {}: {}\t".format(k.value, v.value) print(s) else: print("No entries yet") github.com/lizrice/ebpf-beginners

  15. @lizrice ELF object file ◦ eBPF opcodes ◦ eBPF maps

    kernel verifier BPF vm maps user space bpf() system calls BPF_PROG_LOAD BPF_MAP_CREATE

  16. @lizrice ELF object file ◦ eBPF opcodes ◦ eBPF maps

    kernel verifier BPF vm maps user space bpf() system calls BPF_PROG_LOAD BPF_MAP_CREATE Attach BPF program to event

  17. @lizrice ELF object file ◦ eBPF opcodes ◦ eBPF maps

    kernel verifier BPF vm maps user space bpf() system calls BPF_PROG_LOAD BPF_MAP_CREATE Attach BPF program to event Read / write maps BPF_MAP_GET_NEXT_KEY BPF_MAP_LOOKUP_ELEM BPF_MAP_UPDATE_ELEM BPF_MAP_DELETE_ELEM

  18. @lizrice Thank you github.com/lizrice/ebpf-beginners