/learning-ebpf

Learning eBPF, published by O'Reilly - out now! Here's where you'll find a VM config for the examples, and more

Primary language: C. License: Apache License 2.0 (Apache-2.0).

Learning eBPF

This repo accompanies my new book Learning eBPF (published by O'Reilly).

Learning eBPF cover features an image of an Early Bumblebee

Buy your copy of the book from Bookshop.org or Amazon, view it on the O'Reilly platform, or download a copy from Isovalent.

Running the example code

The repo includes the example eBPF programs discussed in the book.

I've also provided a Lima config file with the packages you need for building the code pre-installed.

If you have a Linux machine or VM to hand, feel free to use that instead of Lima. The minimum kernel version required varies from chapter to chapter. All these examples have been tested on an Ubuntu distribution using a 5.15 kernel.

Install this repo

git clone --recurse-submodules https://github.com/lizrice/learning-ebpf
cd learning-ebpf

Lima VM

limactl start learning-ebpf.yaml
limactl shell learning-ebpf

# You'll need to be root for most of the examples
sudo -s

Building libbpf and installing header files

Libbpf is included as a submodule in this repo. You'll need to build and install it for the C-based examples to build correctly. (See libbpf/README.md for more details.)

cd libbpf/src
make install 
cd ../..

Building bpftool

There are several examples using bpftool throughout the book. To get a version with libbfd support you might need to build it from source:

cd ..
git clone --recurse-submodules https://github.com/libbpf/bpftool.git
cd bpftool/src 
make install 

Examples

You won't be surprised to learn that the directories correspond to chapters in the book. Here are the different examples that accompany each chapter.

There are no code examples for Chapters 1 and 11.

Privileges

You'll need root privileges (well, strictly CAP_BPF and additional privileges) to be able to load BPF programs into the kernel. sudo -s is your friend.
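To see what "strictly CAP_BPF and additional privileges" means for a given process, you can decode its effective capability mask. The script below is an added example, not part of the book's repo. It assumes the additional capabilities of interest are CAP_PERFMON (tracing), CAP_NET_ADMIN (networking) and CAP_SYS_ADMIN, which the page does not name, and the sample masks are constructed.

```sh
#!/bin/sh
# Added example (not from the book's repo): which BPF-relevant capabilities
# does a process hold? Bit numbers are from <linux/capability.h>.
BPF_CAP_BITS="CAP_NET_ADMIN:12 CAP_SYS_ADMIN:21 CAP_PERFMON:38 CAP_BPF:39"

# has_cap MASK_HEX BIT: succeeds if BIT is set in the hex capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bpf_caps MASK_HEX: print the BPF-relevant capabilities present in the mask.
bpf_caps() {
    bc_out=""
    for bc_pair in $BPF_CAP_BITS; do
        if has_cap "$1" "${bc_pair##*:}"; then
            bc_out="$bc_out ${bc_pair%%:*}"
        fi
    done
    echo "${bc_out# }"
}

# can_load_bpf MASK_HEX: CAP_BPF was split out of CAP_SYS_ADMIN in Linux 5.8,
# and CAP_SYS_ADMIN still implies it, so either bit passes the basic check.
# Tracing and networking program types additionally need CAP_PERFMON or
# CAP_NET_ADMIN; bpf_caps shows whether those are held.
can_load_bpf() {
    has_cap "$1" 39 || has_cap "$1" 21
}

# current_capeff: effective capability mask of this shell (empty if no /proc).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' "/proc/$$/status" 2>/dev/null || true
}

# Constructed sample masks (full root, CAP_BPF+CAP_PERFMON only, a restricted
# container-style set), followed by the live value for this shell.
for mask in 000001ffffffffff 000000c000000000 00000000a80425fb "$(current_capeff)"; do
    [ -n "$mask" ] || continue
    if can_load_bpf "$mask"; then verdict="yes"; else verdict="no"; fi
    echo "CapEff=$mask: CAP_BPF or CAP_SYS_ADMIN: $verdict; holds: $(bpf_caps "$mask")"
done
```

Run it before and after `sudo -s` to compare the two masks.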

View eBPF trace output

There are a couple of ways to see the output from the kernel's trace pipe, which is where eBPF tracing output gets written:

  • cat /sys/kernel/debug/tracing/trace_pipe
  • bpftool prog tracelog

Corrections

I'd love to hear if you find corrections and improvements for these examples. Issues and PRs are welcome!