Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security

Author: Liz Rice
Publication year: 2023
Publisher: O’Reilly Media, Inc.
Page count: 329
File size: 2.8 MB
File type: PDF
Added by: codelibs

Preface....7

Who This Book Is For....7

What This Book Covers....9

Prerequisite Knowledge....11

Example Code and Exercises....11

Is eBPF Only for Linux?....12

Conventions Used in This Book....12

Using Code Examples....13

O’Reilly Online Learning....14

How to Contact Us....14

Acknowledgments....15

1. What Is eBPF, and Why Is It Important?....17

eBPF’s Roots: The Berkeley Packet Filter....17

From BPF to eBPF....19

The Evolution of eBPF to Production Systems....19

Naming Is Hard....21

The Linux Kernel....21

Adding New Functionality to the Kernel....25

Kernel Modules....28

Dynamic Loading of eBPF Programs....29

High Performance of eBPF Programs....31

eBPF in Cloud Native Environments....31

Summary....36

2. eBPF’s “Hello World”....38

BCC’s “Hello World”....38

Running “Hello World”....44

BPF Maps....46

Hash Table Map....47

Perf and Ring Buffer Maps....50

Function Calls....57

Tail Calls....60

Summary....66

Exercises....66

3. Anatomy of an eBPF Program....69

The eBPF Virtual Machine....69

eBPF Registers....70

eBPF Instructions....71

eBPF “Hello World” for a Network Interface....72

Compiling an eBPF Object File....75

Inspecting an eBPF Object File....75

Loading the Program into the Kernel....78

Inspecting the Loaded Program....79

The BPF Program Tag....81

The Translated Bytecode....82

The JIT-Compiled Machine Code....83

Attaching to an Event....85

Global Variables....87

Detaching the Program....90

Unloading the Program....90

BPF to BPF Calls....90

Summary....93

Exercises....93

4. The bpf() System Call....97

Loading BTF Data....102

Creating Maps....103

Loading a Program....104

Modifying a Map from User Space....106

BPF Program and Map References....108

Pinning....108

BPF Links....110

Additional Syscalls Involved in eBPF....110

Initializing the Perf Buffer....111

Attaching to Kprobe Events....112

Setting Up and Reading Perf Events....114

Ring Buffers....115

Reading Information from a Map....118

Finding a Map....118

Reading Map Elements....120

Summary....121

Exercises....122

5. CO-RE, BTF, and Libbpf....126

BCC’s Approach to Portability....127

CO-RE Overview....128

BPF Type Format....130

BTF Use Cases....130

Listing BTF Information with bpftool....132

BTF Types....133

Maps with BTF Information....138

BTF Data for Functions and Function Prototypes....139

Inspecting BTF Data for Maps and Programs....140

Generating a Kernel Header File....141

CO-RE eBPF Programs....142

Header Files....143

Kernel header information....144

Headers from libbpf....144

Application-specific headers....145

Defining Maps....145

eBPF Program Sections....146

Memory Access with CO-RE....150

License Definition....152

Compiling eBPF Programs for CO-RE....152

Debug Information....152

Optimization....152

Target Architecture....153

Makefile....153

BTF Information in the Object File....154

BPF Relocations....155

CO-RE User Space Code....157

The Libbpf Library for User Space....157

BPF Skeletons....157

Loading programs and maps into the kernel....160

Accessing existing maps....161

Attaching to events....162

Managing an event buffer....162

Libbpf Code Examples....163

Summary....164

Exercises....164

6. The eBPF Verifier....166

The Verification Process....167

The Verifier Log....168

Visualizing Control Flow....172

Validating Helper Functions....174

Helper Function Arguments....175

Checking the License....176

Checking Memory Access....176

Checking Pointers Before Dereferencing Them....180

Accessing Context....181

Running to Completion....182

Loops....182

Checking the Return Code....183

Invalid Instructions....184

Unreachable Instructions....184

Summary....184

Exercises....185

7. eBPF Program and Attachment Types....188

Program Context Arguments....189

Helper Functions and Return Codes....189

Kfuncs....190

Tracing....191

Kprobes and Kretprobes....192

Attaching kprobes to syscall entry points....193

Attaching kprobes to other kernel functions....193

Fentry/Fexit....195

Tracepoints....196

BTF-Enabled Tracepoints....199

User Space Attachments....200

LSM....201

Networking....202

Sockets....204

Traffic Control....205

XDP....205

Flow Dissector....206

Lightweight Tunnels....207

Cgroups....207

Infrared Controllers....207

BPF Attachment Types....208

Summary....209

Exercises....209

8. eBPF for Networking....211

Packet Drops....211

XDP Program Return Codes....212

XDP Packet Parsing....213

Load Balancing and Forwarding....218

XDP Offloading....222

Traffic Control (TC)....224

Packet Encryption and Decryption....229

User Space SSL Libraries....229

eBPF and Kubernetes Networking....234

Avoiding iptables....238

Coordinated Network Programs....239

Network Policy Enforcement....242

Encrypted Connections....243

Summary....247

Exercises and Further Reading....247

9. eBPF for Security....249

Security Observability Requires Policy and Context....249

Using System Calls for Security Events....252

Seccomp....252

Generating Seccomp Profiles....254

Syscall-Tracking Security Tools....256

BPF LSM....259

Cilium Tetragon....261

Attaching to Internal Kernel Functions....262

Preventative Security....263

Network Security....266

Summary....267

10. eBPF Programming....268

Bpftrace....268

Language Choices for eBPF in the Kernel....273

BCC Python/Lua/C++....274

C and Libbpf....276

Go....277

Gobpf....278

Ebpf-go....278

Libbpfgo....281

Rust....282

Libbpf-rs....282

Redbpf....283

Aya....283

Rust-bcc....286

Testing BPF Programs....286

Multiple eBPF Programs....287

Summary....288

Exercises....289

11. The Future Evolution of eBPF....291

The eBPF Foundation....291

eBPF for Windows....292

Linux eBPF Evolution....295

eBPF Is a Platform, Not a Feature....298

Conclusion....299

Index....301

What is eBPF? With this revolutionary technology, you can write custom code that dynamically changes the way the kernel behaves. It's an extraordinary platform for building a whole new generation of security, observability, and networking tools.

This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer with cloud native networking and security specialists Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves.

With this book, you will:

  • Learn why eBPF has become so important in the past couple of years
  • Write basic eBPF code, and manipulate eBPF programs and attach them to events
  • Explore how eBPF components interact with Linux to dynamically change the operating system's behavior
  • Learn how tools based on eBPF can instrument applications without changes to the apps or their configuration
  • Discover how this technology enables new tools for observability, security, and networking
