/linux-observability-with-bpf

Code snippets from the O'Reilly book

Primary LanguageCApache License 2.0Apache-2.0

Important note for readers (Jan 30th 2022)

This repository is now archived, this book was published in 2019 and written in 2018. We have been trying to keep the repository up-to-date until now but eBPF had a tremendous evolution in the past 3 years. This does not mean that reading the book is a complete waste of your time now, many concepts are always the same: like how the bpf syscall works, the instruction set and things like how tracepoints, kprobes, uprobes, xdp and traffic control works. However, at this point, just updating the examples here is not enough anymore and many areas of the book would need to be rewritten to fit the new concepts, tools, libraries and the ecosystem around eBPF. A second edition is not yet planned (will update here if it ever happens).

We want to say thank you to all the readers and the amazing people who helped updating the examples with their findings.

What should I do then?

If you are new to eBPF and don't know where to start good news is that today there is an amazing community that didn't exist in 2018!

Here you go! There are just two links you will really need.

  • eBPF.io website: A website containing useful documentation, blog post, conference talks and links to many resources
  • The eBPF and Cilium Slack: an amazing community of people around eBPF, you'll be welcome there.

What are you waiting for? Go meet your new friends!

From now on, the original text of this readme.

Linux Observability with BPF code examples

This is the companion code repo for the book Linux Observability with BPF.

We believe that even if the examples included in the book were all tested and working when we wrote them, human error is possible and technology changes. For that reason, the purpose of this repo is to keep them as updated as possible and correct mistakes we made while writing the book.

Nota Bene: All the examples in this repository are adapted from the book to assume that you use the Vagrant environment we provide. Examples can be slightly different in this repository because of that. The reason is that we didn't want to couple the book itself to Vagrant as a tool. If you don't want a Vagrant based environment, make sure you have: bcc and clang

Environment setup

  • Please expand the details of the environment you want to work on.
  • Remember that the examples have been tested on the Vagrant based environment primarily.
  • Feel free to open an issue or a PR if you want to help in making this better for everyone!
Fedora 30

First, we need to install some build dependencies and all the tools needed for the examples:

sudo dnf install make glibc-devel.i686 elfutils-libelf-devel wget tar clang bcc strace kernel-devel -y

Then we need grab a copy of the source code of the current kernel.

In our case the kernel runing can be verified with uname.

$ uname -r
5.0.9-301.fc30.x86_64

Given that version, please notice the URL we fetch the sources from in the following command. Change it according to your version.

cd /tmp
wget -c https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.0.9.tar.gz -O - | tar -xz

Now that we have the kernel source, we can move it to the /kernel-src folder.

NOTE THAT: All the examples using kernel sources in this repo assume that the kernel sources are available there. In case you don't like it, make sure you do a search and replace!

At this point we move the kernel sources and compile libbpf. Again please notice the 5.0.9 here and change accordingly.

sudo mv linux-5.0.9 /kernel-src
cd /kernel-src/tools/lib/bpf
sudo make && sudo make install prefix=/
Ubuntu 18.04

First, we need to install some build dependencies and all the tools needed for the examples:

sudo apt update
sudo apt install build-essential git make libelf-dev clang strace tar bpfcc-tools linux-headers-$(uname -r) gcc-multilib

Note on Kernel version: make sure to have a recent kernel to run the examples, a version >=5.0.0 will do the job. Most Ubuntu 18.04 providers are shipping with the kernel 4.15 that doesn't work for most of the examples. Upgrading options are left to the reader, we've been successful on aws by installing the linux-image-5.0.0-1019-aws package.

After dependencies, we need grab a copy of the kernel source code for the current release. Since this assumes that you are running an updated Ubuntu 18.04 we can get it directly from the repo they provide.

cd /tmp
git clone --depth 1 git://kernel.ubuntu.com/ubuntu/ubuntu-bionic.git

Now that we have the kernel source, we can move it to the /kernel-src folder.

NOTE THAT: All the examples using kernel sources in this repo assume that the kernel sources are available at /kernel-src. In case you don't like it, make sure you do a search and replace!

At this point we move the kernel sources and compile libbpf.

sudo mv ubuntu-bionic /kernel-src
cd /kernel-src/tools/lib/bpf
sudo make && sudo make install prefix=/usr/local

Ubuntu doesn't have the library path that the makefile expects so we need to move our libraries to its library path now.

sudo mv /usr/local/lib64/libbpf.* /lib/x86_64-linux-gnu/
Vagrant (recommended) We provide reproducible environment in the form of a Vagrantfile that installs all the needed to make the examples work.

The environment is based on Fedora 30.

Install Vagrant

To install Vagrant, follow the official guide here.

Once you have Vagrant installed, you will need to clone this repository and issue a vagrant up.

git clone https://github.com/bpftools/linux-observability-with-bpf.git
cd linux-observability-with-bpf
vagrant up

This Vagrant command, will start a Fedora 30 VM in Virtualbox, you can SSH into the machine using:

vagrant ssh

Before going on, make sure you download the kernel source tree in this repository. It is needed as a dependency for some examples. We will be downloading the code for Kernel 5.0.9 - We are avoiding a git clone here because the Git history of the kernel is very big.

In the machine:

cd /tmp
wget -c https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.0.9.tar.gz -O - | tar -xz
sudo mv linux-5.0.9 /kernel-src

At this point, we need to compile the libbpf library:

cd /kernel-src/tools/lib/bpf
make && sudo make install prefix=/

Before going to the examples, it will be useful to have a copy of this repo in your environment.

git clone https://github.com/bpftools/linux-observability-with-bpf.git ~/linux-observability-with-bpf

IMPORTANT NOTE: The examples assume that you clone the repo in your home folder ~/linux-observability-with-bpf, if you didn't do please remember to change your commands!

Yay, at this point you have everything and can follow the following code examples.

Code examples

Click on each example to follow the setup instructions.

Chapter 2

Chapter 3

Chapter 4

Probes

Kernel Probes
User-Space Probes
Tracepoints

User Statically Defined Tracepoints (USDT)

Visualizing Tracing Data

Chapter 6 - Linux Networking and BPF

Chapter 7 - eXpress Data Path (XDP)

Chapter 8 - Linux Kernel security, Capabilities and Seccomp