eBPF workshop at Velocity Conf 2019 San Jose

1. Getting Started
• Setup your workshop platform:
• https://bit.ly/2ZohsS1
• Token: 4YSH
• Background slides: https://bit.ly/2Ww980G
• Code repo: https://github.com/michael-
kehoe/bpf-workshop/
• Please let me know ASAP if you’re having
problems

2. (c|e)BPF Workshop
Michael Kehoe
Sr Staff Site Reliability Engineer

3. Agenda

4. Today’s
agenda
0 Setting up your eBPF lab
1 Introduction
2 eBPF 101
4 Writing eBPF programs
5 BCC
6 Tutorial

5. Getting Started
• Setup your workshop platform:
• https://bit.ly/2ZohsS1
• Token: 4YSH
• Background slides: https://bit.ly/2Ww980G
• Code repo: https://github.com/michael-
kehoe/bpf-workshop/
• Please let me know ASAP if you’re having
problems

6. Introduction

7. Michael Kehoe
$ WHOAMI
• Sr Staff Site Reliability Engineer @
LinkedIn
• Production-SRE Team
• What I do:
• Disaster Recovery
• (Organizational) Visibility Engineering
• Incident Management
• Reliability Research

8. eBPF 101

9. What is eBPF?
• eBPF – extended Berkeley Packet Filter
• User-defined, sandboxed bytecode
executed by the kernel
• VM that implements a RISC-like
assembly language in kernel space
• All interactions between kernel/ user
space are done through eBPF “maps”
• eBPF does not allow loops

10. What is eBPF?
• Similar to LSF, but with the following
improvements:
• More registers, JIT compiler (flexible/ faster),
verifier
• Attach on Tracepoint, Kprobe, Uprobe, USDT
• In-kernel trace aggregation & filtering
• Control via bpf()
• Designed for general event processing within
the kernel
• All interactions between kernel/ user space
are done through eBPF “maps”

11. History of BPF
• 3.15: Optimization of BPF Interpreter’s instruction
set
• 3.18: Linux eBPF was released (bpf() syscall)
• 3.19: Socket supports, BPF Maps
• 4.1: Kprobe support
• 4.4: Perf events
• 4.7: Attach to tracepoints
• 4.8: XDP core
• 4.10: cgroups support
• 4.18: bpfilter released
http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf

12. What is eBPF?
http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf

13. (e)BPF Program Types
• prog_type determines the
subset of kernel helper
functions that the program
may call
• Determines the program
input (bpf_context)

14. (e)BPF Maps
• Generic structure for
storage of different types of
data
• Allow sharing of data
between:
• eBPF kernel program
• Kernel and user-space

15. Writing eBPF programs

16. Writing eBPF programs
FY’17
Language/ Tool DIFFICULTY
BPF BYTECODE VERY HARD
C HARD
PERF HARD
BCC MODERATE
BPFTRACE EASY
PLY EASY

17. BCC
BPF Compiler Collection

18. BCC is a toolkit for creating efficient kernel
tracing and manipulation programs, and
includes several useful tools and examples. It
makes use of extended BPF (Berkeley Packet
Filters), formally known as eBPF,
https://github.com/iovisor/bcc

19. BCC makes BPF programs easier to write, with
kernel instrumentation in C (and includes a C
wrapper around LLVM), and front-ends in
Python and lua. It is suited for many tasks,
including performance analysis and network
traffic control.
https://github.com/iovisor/bcc

20. BCC
https://github.com/iovisor/bcc

21. BCC
Installation

22. BCC
On a Amazon Linux AMI 2018.03.0 host:
$ sudo yum update kernel
$ sudo yum install bcc $
sudo yum install kernel-devel-$(uname -r | cut -d'.' -f1-5)
$ sudo reboot
Examples are at: /usr/share/bcc/tools
BCC Repo at: ~/bcc

23. BCC
BCC Python Developers Guide: https://bit.ly/2KIfmID
Make sure you use /usr/bin/python3.6
Reference Guide: https://bit.ly/2Wypw5H

24. Tutorial

25. Look at `tutorial.md` in the Github repo