eBPF Workshop


  1. Getting Started
     • Set up your workshop platform:
       • https://bit.ly/2ZohsS1
       • Token: 4YSH
     • Background slides: https://bit.ly/2Ww980G
     • Code repo: https://github.com/michael-kehoe/bpf-workshop/
     • Please let me know ASAP if you’re having problems
  2. (c|e)BPF Workshop
     Michael Kehoe, Sr Staff Site Reliability Engineer
  3. Agenda
  4. Today’s agenda
     0 Setting up your eBPF lab
     1 Introduction
     2 eBPF 101
     4 Writing eBPF programs
     5 BCC
     6 Tutorial
  5. Getting Started
     • Set up your workshop platform:
       • https://bit.ly/2ZohsS1
       • Token: 4YSH
     • Background slides: https://bit.ly/2Ww980G
     • Code repo: https://github.com/michael-kehoe/bpf-workshop/
     • Please let me know ASAP if you’re having problems
  6. Introduction
  7. Michael Kehoe $ WHOAMI
     • Sr Staff Site Reliability Engineer @ LinkedIn
     • Production-SRE Team
     • What I do:
       • Disaster Recovery
       • (Organizational) Visibility Engineering
       • Incident Management
       • Reliability Research
  8. eBPF 101
  9. What is eBPF?
     • eBPF – extended Berkeley Packet Filter
     • User-defined, sandboxed bytecode executed by the kernel
     • VM that implements a RISC-like assembly language in kernel space
     • All interactions between kernel/user space are done through eBPF “maps”
     • eBPF does not allow loops
  10. What is eBPF?
      • Similar to LSF, but with the following improvements:
        • More registers, JIT compiler (flexible/faster), verifier
        • Attach on Tracepoint, Kprobe, Uprobe, USDT
        • In-kernel trace aggregation & filtering
        • Control via bpf()
      • Designed for general event processing within the kernel
      • All interactions between kernel/user space are done through eBPF “maps”
  11. History of BPF
      • 3.15: Optimization of BPF Interpreter’s instruction set
      • 3.18: Linux eBPF was released (bpf() syscall)
      • 3.19: Socket supports, BPF Maps
      • 4.1: Kprobe support
      • 4.4: Perf events
      • 4.7: Attach to tracepoints
      • 4.8: XDP core
      • 4.10: cgroups support
      • 4.18: bpfilter released
      http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf
  12. What is eBPF?
      http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf
  13. (e)BPF Program Types
      • prog_type determines the subset of kernel helper functions that the program may call
      • Determines the program input (bpf_context)
  14. (e)BPF Maps
      • Generic structure for storage of different types of data
      • Allow sharing of data between:
        • eBPF kernel program
        • Kernel and user-space
  15. Writing eBPF programs
  16. Writing eBPF programs FY’17
      LANGUAGE/TOOL   DIFFICULTY
      BPF BYTECODE    VERY HARD
      C               HARD
      PERF            HARD
      BCC             MODERATE
      BPFTRACE        EASY
      PLY             EASY
  17. BCC
      BPF Compiler Collection
  18. BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF,
      https://github.com/iovisor/bcc
  19. BCC makes BPF programs easier to write, with kernel instrumentation in C (and includes a C wrapper around LLVM), and front-ends in Python and Lua. It is suited for many tasks, including performance analysis and network traffic control.
      https://github.com/iovisor/bcc
  20. BCC
      https://github.com/iovisor/bcc
  21. BCC Installation
  22. BCC
      On an Amazon Linux AMI 2018.03.0 host:
      $ sudo yum update kernel
      $ sudo yum install bcc
      $ sudo yum install kernel-devel-$(uname -r | cut -d'.' -f1-5)
      $ sudo reboot
      Examples are at: /usr/share/bcc/tools
      BCC Repo at: ~/bcc
  23. BCC
      • BCC Python Developers Guide: https://bit.ly/2KIfmID
      • Make sure you use /usr/bin/python3.6
      • Reference Guide: https://bit.ly/2Wypw5H
  24. Tutorial
  25. Look at `tutorial.md` in the GitHub repo

Editor's Notes

  • There are various ways to write eBPF programs.
    Starting with C, which as you can imagine is fun.
    BCC & bpftrace are reasonably common at the larger companies that use eBPF.
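
The "(e)BPF Maps" and BCC slides describe kernel instrumentation written in C that shares data with a Python front-end through a map. The sketch below is an added example, not code from the slides or the workshop repo: it counts execve() calls per UID in a map and reports the change per interval, a cheap signal for spotting unusual process-spawning activity. The names `exec_count`, `count_exec`, `snapshot` and `delta` are hypothetical, and it assumes root plus a BCC release that provides `get_syscall_fnname()`.

```python
import time

# Kernel side, in BCC's restricted C. BPF_HASH declares an eBPF map that the
# kernel program writes and the user-space front-end reads.
BPF_TEXT = r"""
BPF_HASH(exec_count, u32, u64);   // key: UID, value: number of execve() calls

int count_exec(struct pt_regs *ctx) {
    u32 uid = bpf_get_current_uid_gid() & 0xffffffff;  // low 32 bits hold the UID
    exec_count.increment(uid);    // aggregate in the kernel, no per-event copy
    return 0;
}
"""

def snapshot(table):
    """Copy a BCC hash table (ctypes keys/values) into a plain {uid: count} dict."""
    return {k.value: v.value for k, v in table.items()}

def delta(prev, curr):
    """Per-UID execve() calls since the previous snapshot, busiest first."""
    diff = {uid: n - prev.get(uid, 0) for uid, n in curr.items()}
    return sorted(((u, n) for u, n in diff.items() if n > 0),
                  key=lambda item: (-item[1], item[0]))

def main(interval=5):
    from bcc import BPF           # imported here: needs root and kernel headers
    b = BPF(text=BPF_TEXT)        # compile with LLVM and load through bpf()
    b.attach_kprobe(event=b.get_syscall_fnname("execve"), fn_name="count_exec")
    prev = {}
    while True:
        time.sleep(interval)
        curr = snapshot(b["exec_count"])   # user space reads the shared map
        for uid, n in delta(prev, curr):
            print("uid=%d execve_calls=%d" % (uid, n))
        prev = curr

if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        pass
```

Only the aggregated counters cross from the kernel to user space, which is the "in-kernel trace aggregation & filtering" point from the eBPF 101 slides.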
