This repo accompanies my new book Learning eBPF (published by O'Reilly).
<img src="learning-ebpf-cover.png" height=250 alt="Learning eBPF cover features an image of an Early Bumblebee" />
Buy your copy of the book from Bookshop.org or Amazon, view it on the O'Reilly platform, or download a copy from Isovalent.
The repo includes the example eBPF programs discussed in the book.
I've also provided a Lima config file with the packages you need for building the code pre-installed.
If you have a Linux machine or VM to hand, feel free to use that instead of Lima, using the learning-ebpf.yaml file as a guide for the packages you'll need to install. The minimum kernel version required varies from chapter to chapter. All these examples have been tested on an Ubuntu 22.04 distribution using a 5.15 kernel.
```sh
git clone --recurse-submodules https://github.com/lizrice/learning-ebpf
cd learning-ebpf
limactl start learning-ebpf.yaml
limactl shell learning-ebpf

# You'll need to be root for most of the examples
sudo -s
```
Libbpf is included as a submodule in this repo. You'll need to build and install it for the C-based examples to build correctly. (See libbpf/README.md for more details.)
```sh
cd libbpf/src
make install
cd ../..
```
There are several examples using bpftool throughout the book. To get a version with libbfd support (which you'll need if you want to see the jited code in the Chapter 3 examples) you might need to build it from source:
```sh
cd ..
git clone --recurse-submodules https://github.com/libbpf/bpftool.git
cd bpftool/src
make install
```
bpftool binaries are now also available from https://github.com/libbpf/bpftool/releases.
You won't be surprised to learn that the directories correspond to chapters in the book. Here are the different examples that accompany each chapter.
There are no code examples for Chapters 1 and 11.
You'll need root privileges (well, strictly CAP_BPF and additional privileges) to be able to load BPF programs into the kernel. sudo -s is your friend.
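To see which of those capabilities your current shell actually holds, here is an added example (not code from the book or this repo) that decodes the `CapEff` mask from `/proc`. The bit numbers come from the kernel's `linux/capability.h`; the function names are hypothetical, and the pairing of CAP_PERFMON with tracing programs is the kernel's general rule rather than something this README spells out.

```sh
#!/bin/sh
# Added example: decode the shell's effective capability mask to see whether
# it could load eBPF programs. Bit numbers are from linux/capability.h.
CAP_NET_ADMIN=12   # additionally relied on by networking programs
CAP_SYS_ADMIN=21   # accepted wherever CAP_BPF or CAP_PERFMON is checked
CAP_PERFMON=38
CAP_BPF=39         # introduced in Linux 5.8

# has_cap HEXMASK BIT: exit status 0 if BIT is set in HEXMASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Loading any BPF program needs CAP_BPF (or the older catch-all CAP_SYS_ADMIN).
can_load() {
    has_cap "$1" "$CAP_BPF" || has_cap "$1" "$CAP_SYS_ADMIN"
}

# Tracing programs (kprobes, tracepoints) also need CAP_PERFMON.
can_trace() {
    can_load "$1" && { has_cap "$1" "$CAP_PERFMON" || has_cap "$1" "$CAP_SYS_ADMIN"; }
}

# Read CapEff for this shell ($$) with builtins only, so no exec'd helper
# (whose capability set may differ) ends up being the process inspected.
cap_eff() {
    [ -r "/proc/$$/status" ] || return 1
    while read -r key val; do
        if [ "$key" = "CapEff:" ]; then echo "$val"; return 0; fi
    done < "/proc/$$/status"
    return 1
}

bpf_privilege_report() {
    mask=$(cap_eff) || { echo "cannot read CapEff from /proc"; return 0; }
    echo "CapEff=$mask"
    for entry in CAP_NET_ADMIN:$CAP_NET_ADMIN CAP_SYS_ADMIN:$CAP_SYS_ADMIN \
                 CAP_PERFMON:$CAP_PERFMON CAP_BPF:$CAP_BPF; do
        if has_cap "$mask" "${entry##*:}"; then s=yes; else s=no; fi
        echo "  ${entry%%:*}: $s"
    done
    if can_load "$mask"; then echo "  load BPF programs: yes"; else echo "  load BPF programs: no"; fi
    if can_trace "$mask"; then echo "  load tracing programs: yes"; else echo "  load tracing programs: no"; fi
}

bpf_privilege_report
```

Run it before and after `sudo -s` to compare an unprivileged shell with a root one.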
A couple of ways to see the output from the kernel's trace pipe where eBPF tracing gets written:
```sh
cat /sys/kernel/debug/tracing/trace_pipe
bpftool prog tracelog
```
As noted above, I've tested these examples using Ubuntu 22.04 and a 5.15 kernel. If you're using a different distribution and / or kernel version you might run into incompatibilities between various packages and dependencies. For example:
clang --version
you'll need BCC version 0.27.0 or later
I'd love to hear if you find corrections and improvements for these examples. Issues and PRs are welcome!