7. Michael Kehoe
$ WHOAMI
• Sr Staff Site Reliability Engineer @
LinkedIn
• Production-SRE Team
• What I do:
• Disaster Recovery
• (Organizational) Visibility Engineering
• Incident Management
• Reliability Research
9. What is eBPF?
• eBPF – extended Berkeley Packet Filter
• User-defined, sandboxed bytecode
executed by the kernel
• VM that implements a RISC-like
assembly language in kernel space
• All interactions between kernel/ user
space are done through eBPF “maps”
• eBPF does not allow loops
10. What is eBPF?
• Similar to LSF, but with the following
improvements:
• More registers, JIT compiler (flexible/ faster),
verifier
• Attach on Tracepoint, Kprobe, Uprobe, USDT
• In-kernel trace aggregation & filtering
• Control via bpf()
• Designed for general event processing within
the kernel
• All interactions between kernel/ user space
are done through eBPF “maps”
11. History of BPF
• 3.15: Optimization of BPF Interpreter’s instruction
set
• 3.18: Linux eBPF was released (bpf() syscall)
• 3.19: Socket supports, BPF Maps
• 4.1: Kprobe support
• 4.4: Perf events
• 4.7: Attach to tracepoints
• 4.8: XDP core
• 4.10: cgroups support
• 4.18: bpfilter released
http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf
13. (e)BPF Program Types
• prog_type determines the
subset of kernel helper
functions that the program
may call
• Determines the program
input (bpf_context)
14. (e)BPF Maps
• Generic structure for
storage of different types of
data
• Allow sharing of data
between:
• eBPF kernel program
• Kernel and user-space
18. BCC is a toolkit for creating efficient kernel
tracing and manipulation programs, and
includes several useful tools and examples. It
makes use of extended BPF (Berkeley Packet
Filters), formally known as eBPF,
https://github.com/iovisor/bcc
19. BCC makes BPF programs easier to write, with
kernel instrumentation in C (and includes a C
wrapper around LLVM), and front-ends in
Python and lua. It is suited for many tasks,
including performance analysis and network
traffic control.
https://github.com/iovisor/bcc
There’s various ways to write eBPF programs.
Starting with C which as you can imagine is fun
Bcc & bpftrace are reasonably common at the larger companies that use eBPF