eBPF Workshop

eBPF workshop at Velocity Conf 2019 San Jose


  1. 1. Getting Started • Set up your workshop platform: • https://bit.ly/2ZohsS1 • Token: 4YSH • Background slides: https://bit.ly/2Ww980G • Code repo: https://github.com/michael-kehoe/bpf-workshop/ • Please let me know ASAP if you’re having problems
  2. 2. (c|e)BPF Workshop Michael Kehoe Sr Staff Site Reliability Engineer
  3. 3. Agenda
  4. 4. Today’s agenda 0 Setting up your eBPF lab 1 Introduction 2 eBPF 101 4 Writing eBPF programs 5 BCC 6 Tutorial
  5. 5. Getting Started • Set up your workshop platform: • https://bit.ly/2ZohsS1 • Token: 4YSH • Background slides: https://bit.ly/2Ww980G • Code repo: https://github.com/michael-kehoe/bpf-workshop/ • Please let me know ASAP if you’re having problems
  6. 6. Introduction
  7. 7. Michael Kehoe $ WHOAMI • Sr Staff Site Reliability Engineer @ LinkedIn • Production-SRE Team • What I do: • Disaster Recovery • (Organizational) Visibility Engineering • Incident Management • Reliability Research
  8. 8. eBPF 101
  9. 9. What is eBPF? • eBPF – extended Berkeley Packet Filter • User-defined, sandboxed bytecode executed by the kernel • VM that implements a RISC-like assembly language in kernel space • All interactions between kernel/ user space are done through eBPF “maps” • eBPF does not allow loops
  10. 10. What is eBPF? • Similar to LSF, but with the following improvements: • More registers, JIT compiler (flexible/ faster), verifier • Attach on Tracepoint, Kprobe, Uprobe, USDT • In-kernel trace aggregation & filtering • Control via bpf() • Designed for general event processing within the kernel • All interactions between kernel/ user space are done through eBPF “maps”
  11. 11. History of BPF • 3.15: Optimization of BPF Interpreter’s instruction set • 3.18: Linux eBPF was released (bpf() syscall) • 3.19: Socket supports, BPF Maps • 4.1: Kprobe support • 4.4: Perf events • 4.7: Attach to tracepoints • 4.8: XDP core • 4.10: cgroups support • 4.18: bpfilter released http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf
  12. 12. What is eBPF? http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf
  13. 13. (e)BPF Program Types • prog_type determines the subset of kernel helper functions that the program may call • Determines the program input (bpf_context)
  14. 14. (e)BPF Maps • Generic structure for storage of different types of data • Allow sharing of data between: • eBPF kernel program • Kernel and user-space
  15. 15. Writing eBPF programs
  16. 16. Writing eBPF programs FY’17 • Language/Tool: Difficulty • BPF bytecode: Very hard • C: Hard • perf: Hard • BCC: Moderate • bpftrace: Easy • ply: Easy
  17. 17. BCC BPF Compiler Collection
  18. 18. BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, https://github.com/iovisor/bcc
  19. 19. BCC makes BPF programs easier to write, with kernel instrumentation in C (and includes a C wrapper around LLVM), and front-ends in Python and lua. It is suited for many tasks, including performance analysis and network traffic control. https://github.com/iovisor/bcc
  20. 20. BCC https://github.com/iovisor/bcc
  21. 21. BCC Installation
  22. 22. BCC On an Amazon Linux AMI 2018.03.0 host:
      $ sudo yum update kernel
      $ sudo yum install bcc
      $ sudo yum install kernel-devel-$(uname -r | cut -d'.' -f1-5)
      $ sudo reboot
      Examples are at: /usr/share/bcc/tools
      BCC Repo at: ~/bcc
  23. 23. BCC BCC Python Developers Guide: https://bit.ly/2KIfmID Make sure you use /usr/bin/python3.6 Reference Guide: https://bit.ly/2Wypw5H
  24. 24. Tutorial
  25. 25. Look at `tutorial.md` in the GitHub repo
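
Slides 9, 10 and 14 state that all kernel/user-space interaction goes through eBPF maps. The sketch below is an added example, not code from the slides or the workshop repo: a BCC tracepoint program counts execve() calls per UID in a hash map, and the Python front-end reads that map from user space. The map name exec_count, the helper functions and the choice of tracepoint are assumptions made for illustration; running main() needs BCC installed and root.

```python
#!/usr/bin/python3.6
import time

# Kernel side (restricted C, compiled by BCC): one hash map shared with user space.
BPF_TEXT = r"""
BPF_HASH(exec_count, u32, u64);            // key: UID, value: execve() calls seen

TRACEPOINT_PROBE(syscalls, sys_enter_execve)
{
    u32 uid = bpf_get_current_uid_gid() & 0xffffffff;  // low 32 bits hold the UID
    exec_count.increment(uid);             // aggregate in-kernel, one update per event
    return 0;
}
"""


def read_counts(table):
    """Copy a BCC table (ctypes keys and values) into a plain {uid: count} dict."""
    return {key.value: leaf.value for key, leaf in table.items()}


def busiest(counts, limit=10):
    """Return up to `limit` (uid, count) pairs, highest count first, ties by UID."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def main(interval=5):
    from bcc import BPF                    # imported here: needs BCC installed and root
    b = BPF(text=BPF_TEXT)                 # compile, verify, load, attach to the tracepoint
    print("Counting execve() per UID, Ctrl-C to stop")
    try:
        while True:
            time.sleep(interval)
            table = b["exec_count"]        # user-space handle on the kernel map
            for uid, n in busiest(read_counts(table)):
                print("uid=%-6d execve=%d" % (uid, n))
            table.clear()                  # start the next interval from zero
            print("--")
    except KeyboardInterrupt:
        pass


if __name__ == "__main__":
    main()
```

Only the per-UID totals cross the kernel boundary, which is the in-kernel aggregation slide 10 refers to; a UID with an unexpectedly high execve rate is the kind of signal this view surfaces.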
