This document provides instructions for setting up and attending an eBPF workshop. It includes links for setting up the workshop platform, background slides, and code repository. It also lists an agenda with topics that will be covered, including setting up the eBPF lab, an introduction, eBPF 101, writing eBPF programs, BCC, and a tutorial. Attendees are asked to let the presenter know if they have any problems setting up.

1. Getting Started
• Setup your workshop platform:
• https://bit.ly/2ZohsS1
• Token: 4YSH
• Background slides: https://bit.ly/2Ww980G
• Code repo: https://github.com/michael-
kehoe/bpf-workshop/
• Please let me know ASAP if you’re having
problems

2. (c|e)BPF Workshop
Michael Kehoe
Sr Staff Site Reliability Engineer

3. Agenda

4. Today’s
agenda
0 Setting up your eBPF lab
1 Introduction
2 eBPF 101
4 Writing eBPF programs
5 BCC
6 Tutorial

5. Getting Started
• Setup your workshop platform:
• https://bit.ly/2ZohsS1
• Token: 4YSH
• Background slides: https://bit.ly/2Ww980G
• Code repo: https://github.com/michael-
kehoe/bpf-workshop/
• Please let me know ASAP if you’re having
problems

6. Introduction

7. Michael Kehoe
$ WHOAMI
• Sr Staff Site Reliability Engineer @
LinkedIn
• Production-SRE Team
• What I do:
• Disaster Recovery
• (Organizational) Visibility Engineering
• Incident Management
• Reliability Research

8. eBPF 101

9. What is eBPF?
• eBPF – extended Berkeley Packet Filter
• User-defined, sandboxed bytecode
executed by the kernel
• VM that implements a RISC-like
assembly language in kernel space
• All interactions between kernel/ user
space are done through eBPF “maps”
• eBPF does not allow loops

10. What is eBPF?
• Similar to LSF, but with the following
improvements:
• More registers, JIT compiler (flexible/ faster),
verifier
• Attach on Tracepoint, Kprobe, Uprobe, USDT
• In-kernel trace aggregation & filtering
• Control via bpf()
• Designed for general event processing within
the kernel
• All interactions between kernel/ user space
are done through eBPF “maps”

11. History of BPF
• 3.15: Optimization of BPF Interpreter’s instruction
set
• 3.18: Linux eBPF was released (bpf() syscall)
• 3.19: Socket supports, BPF Maps
• 4.1: Kprobe support
• 4.4: Perf events
• 4.7: Attach to tracepoints
• 4.8: XDP core
• 4.10: cgroups support
• 4.18: bpfilter released
http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf

12. What is eBPF?
http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf

13. (e)BPF Program Types
• prog_type determines the
subset of kernel helper
functions that the program
may call
• Determines the program
input (bpf_context)

14. (e)BPF Maps
• Generic structure for
storage of different types of
data
• Allow sharing of data
between:
• eBPF kernel program
• Kernel and user-space

15. Writing eBPF programs

16. Writing eBPF programs
FY’17
Language/ Tool DIFFICULTY
BPF BYTECODE VERY HARD
C HARD
PERF HARD
BCC MODERATE
BPFTRACE EASY
PLY EASY

17. BCC
BPF Compiler Collection

18. BCC is a toolkit for creating efficient kernel
tracing and manipulation programs, and
includes several useful tools and examples. It
makes use of extended BPF (Berkeley Packet
Filters), formally known as eBPF,
https://github.com/iovisor/bcc

19. BCC makes BPF programs easier to write, with
kernel instrumentation in C (and includes a C
wrapper around LLVM), and front-ends in
Python and lua. It is suited for many tasks,
including performance analysis and network
traffic control.
https://github.com/iovisor/bcc

20. BCC
https://github.com/iovisor/bcc

21. BCC
Installation

22. BCC
On a Amazon Linux AMI 2018.03.0 host:
$ sudo yum update kernel
$ sudo yum install bcc $
sudo yum install kernel-devel-$(uname -r | cut -d'.' -f1-5)
$ sudo reboot
Examples are at: /usr/share/bcc/tools
BCC Repo at: ~/bcc

23. BCC
BCC Python Developers Guide: https://bit.ly/2KIfmID
Make sure you use /usr/bin/python3.6
Reference Guide: https://bit.ly/2Wypw5H

24. Tutorial

25. Look at `tutorial.md` in the Github repo