Learning eBPF
Programming the Linux Kernel for Enhanced
Observability, Networking, and Security
Liz Rice
Learning eBPF
by Liz Rice
Copyright © 2023 Vertical Shift Ltd. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North,
Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales
promotional use. Online editions are also available for most titles
(http://oreilly.com). For more information, contact our corporate/institutional
sales department: 800-998-9938 or [email protected].
Acquisitions Editor: John Devins
Development Editor: Rita Fernando
Production Editor: Chris Faucher
Copyeditor: Audrey Doyle
Proofreader: Kim Wimpsett
Indexer: WordCo Indexing Services, Inc.
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea
March 2023: First Edition
Revision History for the First Edition
2023-03-07: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781098135126 for release
details.
The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Learning
eBPF, the cover image, and related trade dress are trademarks of O’Reilly
Media, Inc.
The views expressed in this work are those of the author and do not represent
the publisher’s views. While the publisher and the author have used good
faith efforts to ensure that the information and instructions contained in this
work are accurate, the publisher and the author disclaim all responsibility for
errors or omissions, including without limitation responsibility for damages
resulting from the use of or reliance on this work. Use of the information and
instructions contained in this work is at your own risk. If any code samples or
other technology this work contains or describes is subject to open source
licenses or the intellectual property rights of others, it is your responsibility to
ensure that your use thereof complies with such licenses and/or rights.
This work is part of a collaboration between O’Reilly and Isovalent. See our
statement of editorial independence.
978-1-098-13887-5
Preface
In the cloud native community and beyond, eBPF has become one of the
hottest technical topics of recent years. A new generation of powerful tools
and projects in networking, security, observability, and more have been built
(and more continue to be created) using eBPF as a platform, offering better
performance and accuracy compared to their predecessors. eBPF-related
conferences such as the eBPF Summit and Cloud Native eBPF Day have
attracted thousands of attendees and viewers, and at the time of this writing,
the eBPF Slack community has more than 14,000 members.
Why is eBPF being selected as the underlying technology for so many
infrastructure tools? How does it deliver the promised improvements to
performance? How is eBPF useful in such disparate technical fields, which
range from performance tracing to network traffic encryption?
This book aims to answer these questions by giving the reader an
understanding of how eBPF works, as well as providing an introduction to
writing eBPF code.
Who This Book Is For
This book is for developers, system administrators, operators, and students
who are curious about eBPF and want to know more about how it works. It
will provide a foundation for those who want to explore writing eBPF
programs themselves. Since eBPF provides a great platform for a whole new
generation of instrumentation and tooling, there will likely be gainful
employment for eBPF developers for some years to come.
But you don’t necessarily need to be planning to write eBPF code yourself
for this book to be useful to you. If you work in operations, security, or any
other role that involves software infrastructure, you’re likely to come across
eBPF-based tooling, now or over the next few years. If you understand
something about the internals of these tools, you’ll be in a better position to
use them effectively. For example, if you know how events can trigger eBPF
programs, you’ll have a better mental model for exactly what an eBPF-based
tool is really measuring when it shows you performance metrics. If you’re an
application developer, you might also come into contact with some of these
eBPF-based tools—for example, if you are performance tuning an
application, you might use a tool like Parca to generate flame graphs showing
which functions are taking the most time. If you are evaluating security tools,
this book will help you understand where eBPF shines and how to avoid
using it in a naïve way that is less effective against attacks.
Even if you’re not using eBPF tools today, I hope this book will give you
interesting insights into areas of Linux that you might not have considered
before. Most developers take the kernel for granted, as they use programming
languages with convenient higher-level abstractions that allow them to focus
on the work of application development—which is plenty hard enough! They
use tools like debuggers and performance analyzers to help them do their job
effectively. Knowing the internals of how a debugger or performance tool
works might be interesting, but it’s not essential. Yet, for many of us, it’s fun
and fulfilling to go down the rabbit hole to find out more.1 In the same way,
most people will use eBPF tools without having to worry about how they are
built. Arthur C. Clarke wrote that “any sufficiently advanced technology is
indistinguishable from magic,” but personally, I like to dig in and find out
how the magic trick works. You might be like me and feel compelled to
explore eBPF programming to get a better feel for what is possible with this
technology. If so, I think you’ll enjoy this book.
What This Book Covers
eBPF continues to evolve at quite a rapid pace, which makes it rather difficult
to write a comprehensive reference that doesn’t constantly need updating.
However, there are some fundamentals and basic principles that are unlikely
to change significantly, and that’s what this book discusses.
Chapter 1 sets the scene by describing why eBPF is so powerful as a
technology and explaining how the ability to run custom programs in the
operating system kernel enables so many exciting capabilities.
Things become more concrete in Chapter 2, where you’ll see some “Hello
World” examples that introduce you to the concepts of eBPF programs and
maps.
Chapter 3 dives into more detail about eBPF programs and how they run in
the kernel, and Chapter 4 explores the interface between user space
applications and eBPF programs.
One of the big challenges of eBPF in recent years has been the question of
compatibility across kernel versions. Chapter 5 looks at the “compile once,
run everywhere” (CO-RE) approach that solves this problem.
The verification process is perhaps the most important characteristic that
distinguishes eBPF from kernel modules. I’ll introduce you to the eBPF
verifier in Chapter 6.
In Chapter 7 you’ll get an introduction to the many different types of eBPF
programs and their attachment points. Many of those attachment points are
within the networking stack, and Chapter 8 explores the application of eBPF
for networking features in more detail. Chapter 9 looks at how eBPF is being
used to build security tools.
If you want to write a user space application that interacts with eBPF
programs, there are many libraries and frameworks available to help.
Chapter 10 gives an overview of the options for various programming
languages.