
Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security (Final Release) PDF

Pages: 329
Release year: 2023
File size: 7.075 MB
Language: English

Preview Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security (Final Release)

Isovalent

Learning eBPF
Programming the Linux Kernel for Enhanced Observability, Networking, and Security

Liz Rice

Learning eBPF by Liz Rice
Copyright © 2023 Vertical Shift Ltd. All rights reserved.
Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or [email protected].

Acquisitions Editor: John Devins
Development Editor: Rita Fernando
Production Editor: Chris Faucher
Copyeditor: Audrey Doyle
Proofreader: Kim Wimpsett
Indexer: WordCo Indexing Services, Inc.
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea

March 2023: First Edition

Revision History for the First Edition
2023-03-07: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098135126 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Learning eBPF, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

This work is part of a collaboration between O’Reilly and Isovalent. See our statement of editorial independence.

978-1-098-13887-5

LSI

Preface

In the cloud native community and beyond, eBPF has become one of the hottest technical topics of recent years. A new generation of powerful tools and projects in networking, security, observability, and more have been built (and more continue to be created) using eBPF as a platform, offering better performance and accuracy compared to their predecessors. eBPF-related conferences such as the eBPF Summit and Cloud Native eBPF Day have attracted thousands of attendees and viewers, and at the time of this writing, the eBPF Slack community has more than 14,000 members.

Why is eBPF being selected as the underlying technology for so many infrastructure tools? How does it deliver the promised improvements to performance? How is eBPF useful in such disparate technical fields, which range from performance tracing to network traffic encryption? This book aims to answer these questions by giving the reader an understanding of how eBPF works, as well as providing an introduction to writing eBPF code.

Who This Book Is For

This book is for developers, system administrators, operators, and students who are curious about eBPF and want to know more about how it works. It will provide a foundation for those who want to explore writing eBPF programs themselves. Since eBPF provides a great platform for a whole new generation of instrumentation and tooling, there will likely be gainful employment for eBPF developers for some years to come.

But you don’t necessarily need to be planning to write eBPF code yourself for this book to be useful to you. If you work in operations, security, or any other role that involves software infrastructure, you’re likely to come across eBPF-based tooling, now or over the next few years. If you understand something about the internals of these tools, you’ll be in a better position to use them effectively. For example, if you know how events can trigger eBPF programs, you’ll have a better mental model for exactly what an eBPF-based tool is really measuring when it shows you performance metrics.

If you’re an application developer, you might also come into contact with some of these eBPF-based tools—for example, if you are performance tuning an application, you might use a tool like Parca to generate flame graphs showing which functions are taking the most time. If you are evaluating security tools, this book will help you understand where eBPF shines and how to avoid using it in a naïve way that is less effective against attacks.

Even if you’re not using eBPF tools today, I hope this book will give you interesting insights into areas of Linux that you might not have considered before. Most developers take the kernel for granted, as they use programming languages with convenient higher-level abstractions that allow them to focus on the work of application development—which is plenty hard enough! They use tools like debuggers and performance analyzers to help them do their job effectively. Knowing the internals of how a debugger or performance tool works might be interesting, but it’s not essential. Yet, for many of us, it’s fun and fulfilling to go down the rabbit hole to find out more.1

In the same way, most people will use eBPF tools without having to worry about how they are built. Arthur C. Clarke wrote that “any sufficiently advanced technology is indistinguishable from magic,” but personally, I like to dig in and find out how the magic trick works. You might be like me and feel compelled to explore eBPF programming to get a better feel for what is possible with this technology. If so, I think you’ll enjoy this book.

What This Book Covers

eBPF continues to evolve at quite a rapid pace, which makes it rather difficult to write a comprehensive reference that doesn’t constantly need updating. However, there are some fundamentals and basic principles that are unlikely to change significantly, and that’s what this book discusses.

Chapter 1 sets the scene by describing why eBPF is so powerful as a technology and explaining how the ability to run custom programs in the operating system kernel enables so many exciting capabilities. Things become more concrete in Chapter 2, where you’ll see some “Hello World” examples that introduce you to the concepts of eBPF programs and maps. Chapter 3 dives into more detail about eBPF programs and how they run in the kernel, and Chapter 4 explores the interface between user space applications and eBPF programs.

One of the big challenges of eBPF in recent years has been the question of compatibility across kernel versions. Chapter 5 looks at the “compile once, run everywhere” (CO-RE) approach that solves this problem. The verification process is perhaps the most important characteristic that distinguishes eBPF from kernel modules. I’ll introduce you to the eBPF verifier in Chapter 6.

In Chapter 7 you’ll get an introduction to the many different types of eBPF programs and their attachment points. Many of those attachment points are within the networking stack, and Chapter 8 explores the application of eBPF for networking features in more detail. Chapter 9 looks at how eBPF is being used to build security tools. If you want to write a user space application that interacts with eBPF programs, there are many libraries and frameworks available to help. Chapter 10 gives an overview of the options for various programming languages.
