Balian Blog

Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security

An introduction to the book "Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security" by Liz Rice, published by O'Reilly Media in 2023. The book is provided in PDF format, in English. "Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security" is filed under the "Uncategorized" category.

Cover; Isovalent; Copyright; Table of Contents

Preface: Who This Book Is For; What This Book Covers; Prerequisite Knowledge; Example Code and Exercises; Is eBPF Only for Linux?; Conventions Used in This Book; Using Code Examples; O’Reilly Online Learning; How to Contact Us; Acknowledgments

Chapter 1. What Is eBPF, and Why Is It Important?
eBPF’s Roots: The Berkeley Packet Filter; From BPF to eBPF; The Evolution of eBPF to Production Systems; Naming Is Hard; The Linux Kernel; Adding New Functionality to the Kernel; Kernel Modules; Dynamic Loading of eBPF Programs; High Performance of eBPF Programs; eBPF in Cloud Native Environments; Summary

Chapter 2. eBPF’s “Hello World”
BCC’s “Hello World”; Running “Hello World”; BPF Maps; Hash Table Map; Perf and Ring Buffer Maps; Function Calls; Tail Calls; Summary; Exercises

Chapter 3. Anatomy of an eBPF Program
The eBPF Virtual Machine; eBPF Registers; eBPF Instructions; eBPF “Hello World” for a Network Interface; Compiling an eBPF Object File; Inspecting an eBPF Object File; Loading the Program into the Kernel; Inspecting the Loaded Program; The BPF Program Tag; The Translated Bytecode; The JIT-Compiled Machine Code; Attaching to an Event; Global Variables; Detaching the Program; Unloading the Program; BPF to BPF Calls; Summary; Exercises

Chapter 4. The bpf() System Call
Loading BTF Data; Creating Maps; Loading a Program; Modifying a Map from User Space; BPF Program and Map References; Pinning; BPF Links; Additional Syscalls Involved in eBPF; Initializing the Perf Buffer; Attaching to Kprobe Events; Setting Up and Reading Perf Events; Ring Buffers; Reading Information from a Map; Finding a Map; Reading Map Elements; Summary; Exercises

Chapter 5. CO-RE, BTF, and Libbpf
BCC’s Approach to Portability; CO-RE Overview; BPF Type Format; BTF Use Cases; Listing BTF Information with bpftool; BTF Types; Maps with BTF Information; BTF Data for Functions and Function Prototypes; Inspecting BTF Data for Maps and Programs; Generating a Kernel Header File; CO-RE eBPF Programs; Header Files; Defining Maps; eBPF Program Sections; Memory Access with CO-RE; License Definition; Compiling eBPF Programs for CO-RE; Debug Information; Optimization; Target Architecture; Makefile; BTF Information in the Object File; BPF Relocations; CO-RE User Space Code; The Libbpf Library for User Space; BPF Skeletons; Libbpf Code Examples; Summary; Exercises

Chapter 6. The eBPF Verifier
The Verification Process; The Verifier Log; Visualizing Control Flow; Validating Helper Functions; Helper Function Arguments; Checking the License; Checking Memory Access; Checking Pointers Before Dereferencing Them; Accessing Context; Running to Completion; Loops; Checking the Return Code; Invalid Instructions; Unreachable Instructions; Summary; Exercises

Chapter 7. eBPF Program and Attachment Types
Program Context Arguments; Helper Functions and Return Codes; Kfuncs; Tracing; Kprobes and Kretprobes; Fentry/Fexit; Tracepoints; BTF-Enabled Tracepoints; User Space Attachments; LSM; Networking; Sockets; Traffic Control; XDP; Flow Dissector; Lightweight Tunnels; Cgroups; Infrared Controllers; BPF Attachment Types; Summary; Exercises

Chapter 8. eBPF for Networking
Packet Drops; XDP Program Return Codes; XDP Packet Parsing; Load Balancing and Forwarding; XDP Offloading; Traffic Control (TC); Packet Encryption and Decryption; User Space SSL Libraries; eBPF and Kubernetes Networking; Avoiding iptables; Coordinated Network Programs; Network Policy Enforcement; Encrypted Connections; Summary; Exercises and Further Reading

Chapter 9. eBPF for Security
Security Observability Requires Policy and Context; Using System Calls for Security Events; Seccomp; Generating Seccomp Profiles; Syscall-Tracking Security Tools; BPF LSM; Cilium Tetragon; Attaching to Internal Kernel Functions; Preventative Security; Network Security; Summary

Chapter 10. eBPF Programming
Bpftrace; Language Choices for eBPF in the Kernel; BCC Python/Lua/C++; C and Libbpf; Go; Gobpf; Ebpf-go; Libbpfgo; Rust; Libbpf-rs; Redbpf; Aya; Rust-bcc; Testing BPF Programs; Multiple eBPF Programs; Summary; Exercises

Chapter 11. The Future Evolution of eBPF
The eBPF Foundation; eBPF for Windows; Linux eBPF Evolution; eBPF Is a Platform, Not a Feature; Conclusion

Index; About the Author; Colophon

What is eBPF? With this revolutionary technology, you can write custom code that dynamically changes the way the kernel behaves. It's an extraordinary platform for building a whole new generation of security, observability, and networking tools. This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer with cloud native networking and security specialists Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves.

With this book, you will:
- Learn why eBPF has become so important in the past couple of years
- Write basic eBPF code, and manipulate eBPF programs and attach them to events
- Explore how eBPF components interact with Linux to dynamically change the operating system's behavior
- Learn how tools based on eBPF can instrument applications without changes to the apps or their configuration
- Discover how this technology enables new tools for observability, security, and networking