Understanding eBPF in a Hurry!
LinkedIn Performance Engineering Meetup
June 2019
Ray Jenkins
Hi, I’m Ray
@_rayjenkins
github.com/rjenkins
ray@segment.com
Let’s say you have a
performance problem.
Examples
● A developer claims boxes have “slow” I/O
● Network connections are randomly
terminated.
● Your service is crashing, you’re not sure why,
maybe it’s getting OOM killed?
● You think some process might be getting
starved.
Someone suggests you
might be able to solve it
with eBPF.
Now you got two problems.
Goal: Can we understand
what eBPF is and how it
works?
http://www.brendangregg.com/ebpf.html
This is our map
What is eBPF? (Extended Berkeley Packet Filter)
● Fast and safe, in-kernel, register based,
bytecode VM.
● Designed to be JITed with direct mapping to
x86_64 and other modern architectures.
● eBPF programs are “attached” to code paths
within the kernel or user space programs and
are executed when the code path is traversed.
● Linux Kernel 3.18 (2014) - bpf(2) syscall
○ (4.1 for Kprobes)
What is eBPF? … cont.
● Programs are written in restricted C. eBPF backend for
LLVM/Clang.
○ clang -O2 -emit-llvm -c bpf.c -o - | llc -march=bpf -filetype=obj -o bpf.o
● eBPF Verifier
○ Programs are verified to finish (no loops) and to contain no unreachable instructions, no reads of
uninitialized registers, and no memory access through arbitrary pointers; kernel function calls and data structure access are restricted.
● eBPF Maps / Perf Events Ring Buffer
○ Memory-Mapped, bi-directional data structures for storage. Allow sharing of data between
eBPF kernel programs, and also between kernel and user-space applications.
● Helper Functions
○ Kernel functions exposed to eBPF programs.
○ Context sensitive to type of eBPF program.
https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md
Why do we need eBPF?
Dynamically and
Programmatically Trace
Kernel or User Space
Functions and Events,
Safely and Efficiently.
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
eBPF is appealing to different people for different reasons,
but its power resides in what you can attach it to.
For Performance Engineering
we’re primarily interested in
these hooks.
● Kprobes/Uprobes
● Tracepoints
● USDT
● PerfEvents
https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/bpf.h#L145
Tracepoints (2.6.32) - 2009
● Static places in the kernel where tracing is inserted.
● $ grep -ri TRACE_EVENT *
● https://github.com/brendangregg/perf-tools
K/J(ret)probes (2.6.9) - 2004 / U(ret)probes (3.15) - 2014
● Probe any instruction, dynamically
● grep <func> /proc/kallsyms
● Registering a kprobe copies the probed instruction and inserts a breakpoint
(int3 on x86_64).
● The CPU hits the breakpoint, a trap occurs, registers are saved and
control is passed to Kprobes.
● The pre-handler function is called, Kprobes single-steps the copied
instruction (slow), then the post-handler is called.
● CONFIG_OPTPROBES=Y (enabled on x86_64)
https://vjordan.info/log/fpga/how-linux-kprobes-works.html
Perf events (2.6.31) - 2009
● The “nearly un-googleable” - http://web.eece.maine.edu/~vweaver/projects/perf_events/
● Trace and count tracepoints and lower level events, PMU, HW events (L1
cache store/load/miss etc).
● Accesses data from user space efficiently by accessing the perf_events ring
buffer.
USDT (BCC March 2016)
● Userland Statically Defined Tracepoints
● sudo ./tplist -l <library name>
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
sudo apt-get install bpfcc-tools
Single Purpose Tools
Multi-Purpose Tools
So what does it look like?
https://github.com/torvalds/linux/blob/master/samples/bpf/sock_example.c
Ayyy, lol 😂 jk
https://github.com/iovisor/bcc
https://github.com/iovisor/gobpf
BPF Compiler Collection (BCC)
Python, Lua, Golang
Let’s Talk about the VM,
First Let’s Check our Map
YOU ARE IN 1992
https://www.tcpdump.org/papers/bpf-usenix93.pdf
tcpdump -ni eth0 ip and udp
tcpdump -ni eth0 ip and udp -d
[Diagram: tcpdump → libpcap (Userspace) → bpf (Kernel); labels: “tcp and udp”, bytecode, packets]
BPF - Berkeley Packet Filter
● Bytecode, register based VM, with a limited instruction set
● Runs in-kernel, designed for fast packet filtering
● 32-bit instructions (LOAD, STORE, ALU, BRANCH, RETURN)
● Two 32-bit registers (A, X), hidden frame pointer
BPF bytecode for ‘tcpdump ip and udp’
(000) ldh [12] (load 2 bytes from packet, at offset 12)
(001) jeq #0x800 jt 2 jf 5
(002) ldb [23] (load byte at offset 23)
(003) jeq #0x11 jt 4 jf 5 (0x11 == 17)
(004) ret #262144
(005) ret #0
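The six-instruction listing above can be executed by hand. The C program below is an added example, not code from the slides or from the kernel: it encodes the listing with the classic BPF opcode values from <linux/filter.h> and runs it over constructed Ethernet/IPv4 frames. The names `cbpf_run` and `run_on_frame` and the frames themselves are made up for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classic BPF instruction, same fields as struct sock_filter in <linux/filter.h>. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Opcode values for the four instruction kinds the listing uses. */
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };

/* 'ip and udp' from the slide. jt/jf are stored relative to the next
 * instruction, so "jt 2 jf 5" at (001) is encoded as jt=0, jf=3. */
static const struct cbpf_insn ip_and_udp[] = {
    { LDH_ABS, 0, 0, 12     },  /* (000) ldh [12]    EtherType           */
    { JEQ_K,   0, 3, 0x800  },  /* (001) jeq #0x800  jt 2 jf 5           */
    { LDB_ABS, 0, 0, 23     },  /* (002) ldb [23]    IPv4 protocol field */
    { JEQ_K,   0, 1, 0x11   },  /* (003) jeq #0x11   jt 4 jf 5           */
    { RET_K,   0, 0, 262144 },  /* (004) accept, keep up to 262144 bytes */
    { RET_K,   0, 0, 0      },  /* (005) drop                            */
};
#define N_INSNS (sizeof ip_and_udp / sizeof ip_and_udp[0])

/* Runs a filter over one packet and returns the number of bytes to keep
 * (0 means drop). Jumps only go forward, so the loop always terminates;
 * a load past the end of the packet drops it instead of reading memory
 * the filter does not own. */
uint32_t cbpf_run(const struct cbpf_insn *prog, size_t n,
                  const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;                       /* accumulator register */

    for (size_t pc = 0; pc < n; pc++) {
        const struct cbpf_insn *i = &prog[pc];
        switch (i->code) {
        case LDH_ABS:                     /* A = 16-bit big-endian load at [k] */
            if ((size_t)i->k + 2 > len) return 0;
            A = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case LDB_ABS:                     /* A = byte at [k] */
            if (i->k >= len) return 0;
            A = pkt[i->k];
            break;
        case JEQ_K:                       /* skip jt or jf instructions */
            pc += (A == i->k) ? i->jt : i->jf;
            break;
        case RET_K:
            return i->k;
        default:                          /* opcode outside this sketch */
            return 0;
        }
    }
    return 0;                             /* fell off the end: drop */
}

/* Builds a constructed 34-byte frame (14-byte Ethernet + 20-byte IPv4 header,
 * all other fields zero) and filters the first caplen bytes of it. */
uint32_t run_on_frame(uint16_t ethertype, uint8_t ip_proto, size_t caplen)
{
    uint8_t frame[34] = {0};

    frame[12] = (uint8_t)(ethertype >> 8);
    frame[13] = (uint8_t)(ethertype & 0xff);
    frame[14] = 0x45;                     /* IPv4, header length 5 words */
    frame[23] = ip_proto;                 /* 14 + 9: protocol field */
    if (caplen > sizeof frame) caplen = sizeof frame;
    return cbpf_run(ip_and_udp, N_INSNS, frame, caplen);
}

int main(void)
{
    printf("IPv4/UDP      -> %u\n", (unsigned)run_on_frame(0x0800, 17, 34));
    printf("IPv4/TCP      -> %u\n", (unsigned)run_on_frame(0x0800, 6, 34));
    printf("ARP           -> %u\n", (unsigned)run_on_frame(0x0806, 17, 34));
    printf("IPv4/UDP, cut -> %u\n", (unsigned)run_on_frame(0x0800, 17, 20));
    return 0;
}
```
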
https://blog.cloudflare.com/bpf-the-forgotten-bytecode/
http://www.networksorcery.com/enp/protocol/ip.htm
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
eBPF - Extended Berkeley Packet Filter
● Bytecode, register based VM, with an extended instruction set
○ Designed to be JITed with direct mapping to x86_64
● 64-bit instructions, and 10 64-bit registers
○ R0 - return value from in-kernel function, and exit value for eBPF program
○ R1 - R5 - arguments from eBPF program to in-kernel function
○ R6 - R9 - callee saved registers that in-kernel function will preserve
○ R10 - read-only frame pointer to access stack
● BPF_CALL
○ hw register zero overhead calls to other kernel functions
● BPF_MAPS
○ Bi-directional data structures for storage. Allow sharing of data between eBPF kernel
programs, and also between kernel and user-space applications.
● Helper Functions
○ https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md ← Very Important!
eBPF - Extended Berkeley Packet Filter… cont
● Load programs via bpf(2) syscall (see: man bpf)
○ int bpf(int cmd, union bpf_attr *attr, unsigned int size);
● Cmd: BPF_PROG_LOAD
○ Verify and load an eBPF program, returning a new file descriptor associated with the
program. The close-on-exec file descriptor flag (see fcntl(2)) is automatically enabled for
the new file descriptor.
Can we learn more about
eBPF VM like we did with
tcpdump?
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
https://github.com/iovisor/bpf-docs/blob/master/eBPF.md
0xb7 (op) r1 (dst) imm: 72=114, 6c=108, 64=100, 0a=10
imm -> ascii = “rld\n”
0x63 (op) r1 (src) r10 (dst) offset
0x18 (op) r1 (dst) imm “hello wo”
As you can imagine, the next 4 instructions
copy “hello wo” into scratch space at
offset -16, copy a “0” into r1, and then
copy that “0” to offset -4. Finally we copy the
address of the variable from the frame
pointer at r10 into r1.
To prepare for the call to
int bpf_trace_printk(const char *fmt, u32 fmt_size, ...)
we need to point r1 to the variable (which is -16 bytes
from the frame pointer) and in r2, we store the size of
“hello world\n\0” = 13 bytes.
0x85 is a function call, with an imm of 6. We need to
look that up in bpf.h in order to figure out what that is.
[Slide image: bpf.h helper list, entries numbered 0 1 2 3 4 5 6]
Lastly we set our return value in r0 = 0 and exit with
opcode 0x95.
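The walk-through above can be replayed in code. The C program below is an added example, not code from the slides or from the kernel: it decodes the 8-byte eBPF instruction slots, executes the handful of opcodes this program uses against a 512-byte stack, and stops at the helper call to show what r1 and r2 point at. The byte array is a constructed sample assembled to match the description, and `replay_until_call`, `call_site` and `helper_name` are names made up for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 512 /* eBPF stack size in bytes; r10 points at its top */

/* Constructed sample: bytecode assembled to match the walk-through. Each slot is
 * 8 bytes: opcode, dst | src << 4, 16-bit offset, 32-bit immediate. The -8 store
 * offset is inferred from the string layout; the slides only say "offset". */
static const uint8_t hello_prog[] = {
    0xb7, 0x01, 0x00, 0x00, 0x72, 0x6c, 0x64, 0x0a, /* r1 = "rld\n"            */
    0x63, 0x1a, 0xf8, 0xff, 0x00, 0x00, 0x00, 0x00, /* *(u32 *)(r10 - 8) = r1  */
    0x18, 0x01, 0x00, 0x00, 0x68, 0x65, 0x6c, 0x6c, /* r1 = "hello wo" (lddw)  */
    0x00, 0x00, 0x00, 0x00, 0x6f, 0x20, 0x77, 0x6f, /*   second lddw slot      */
    0x7b, 0x1a, 0xf0, 0xff, 0x00, 0x00, 0x00, 0x00, /* *(u64 *)(r10 - 16) = r1 */
    0xb7, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* r1 = 0                  */
    0x73, 0x1a, 0xfc, 0xff, 0x00, 0x00, 0x00, 0x00, /* *(u8 *)(r10 - 4) = r1   */
    0xbf, 0xa1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* r1 = r10                */
    0x07, 0x01, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, /* r1 += -16               */
    0xb7, 0x02, 0x00, 0x00, 0x0d, 0x00, 0x00, 0x00, /* r2 = 13                 */
    0x85, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, /* call 6                  */
    0xb7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* r0 = 0                  */
    0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* exit                    */
};

/* Helper IDs 0..6 as numbered in the enum in include/uapi/linux/bpf.h. */
static const char *const helper_names[] = {
    "unspec", "map_lookup_elem", "map_update_elem", "map_delete_elem",
    "probe_read", "ktime_get_ns", "trace_printk",
};
const char *helper_name(int id) { return id >= 0 && id < 7 ? helper_names[id] : "unknown"; }

static uint32_t rd32(const uint8_t *p) /* little-endian 32-bit read */
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* What the program hands to its first helper call. */
struct call_site { int helper_id; uint64_t arg_size; char fmt[64]; };

/* Replays the opcodes this program uses. Stack addresses are kept as indexes
 * into stack[], with r10 == STACK_SIZE. Returns 0 at the first call, -1 on an
 * unknown opcode, a write to r10, truncation, or an out-of-bounds stack access. */
int replay_until_call(const uint8_t *code, size_t len, struct call_site *cs)
{
    uint8_t stack[STACK_SIZE] = {0};
    uint64_t r[11] = {0};

    memset(cs, 0, sizeof *cs);
    r[10] = STACK_SIZE;
    for (size_t pos = 0; pos + 8 <= len; pos += 8) {
        const uint8_t *p = code + pos;
        uint8_t op = p[0], dst = p[1] & 0x0f, src = p[1] >> 4;
        int16_t off = (int16_t)(uint16_t)(p[2] | p[3] << 8);
        int64_t imm = (int32_t)rd32(p + 4);
        size_t width = 0;
        if (dst > 10 || src > 10) return -1;
        switch (op) {
        case 0xb7: r[dst] = (uint64_t)imm; break;   /* mov dst, imm */
        case 0xbf: r[dst] = r[src]; break;          /* mov dst, src */
        case 0x07: r[dst] += (uint64_t)imm; break;  /* add dst, imm */
        case 0x18:                                  /* lddw: imm64 in two slots */
            if (pos + 16 > len) return -1;
            r[dst] = rd32(p + 4) | (uint64_t)rd32(p + 12) << 32;
            pos += 8;
            break;
        case 0x73: width = 1; break;                /* *(u8  *)(dst + off) = src */
        case 0x63: width = 4; break;                /* *(u32 *)(dst + off) = src */
        case 0x7b: width = 8; break;                /* *(u64 *)(dst + off) = src */
        case 0x85:                                  /* call imm: r1 = fmt, r2 = size */
            if (r[1] > STACK_SIZE || r[2] > STACK_SIZE - r[1] || r[2] >= sizeof cs->fmt)
                return -1;
            cs->helper_id = (int)imm;
            cs->arg_size = r[2];
            memcpy(cs->fmt, stack + r[1], (size_t)r[2]);
            return 0;
        default: return -1;                         /* includes exit (0x95) before a call */
        }
        if (width) {
            uint64_t addr = r[dst] + (uint64_t)(int64_t)off;
            if (addr > STACK_SIZE || width > STACK_SIZE - addr) return -1;
            for (size_t b = 0; b < width; b++)
                stack[addr + b] = (uint8_t)(r[src] >> (8 * b));
        } else if (dst == 10) {
            return -1;                              /* r10 is read-only */
        }
    }
    return -1;
}

int main(void)
{
    struct call_site cs;
    if (replay_until_call(hello_prog, sizeof hello_prog, &cs) != 0) return 1;
    printf("call %d (%s), size %llu, fmt %s", cs.helper_id, helper_name(cs.helper_id),
           (unsigned long long)cs.arg_size, cs.fmt);
    return 0;
}
```

The replay only bounds-checks stack accesses; the kernel verifier also tracks which registers hold pointers, which this sketch does not model.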
http://www.brendangregg.com/ebpf.html
This is our map YOU ARE HERE
eBPF Maps
Helper Functions
● https://github.com/torvalds/linux/blob/master/include/uapi/linux/bpf.h
● https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md
● int bpf_probe_read(void *dst, int size, const void *src) ← all reads must call
● int bpf_probe_read_str(void *dst, int size, const void *src)
● u64 bpf_ktime_get_ns(void)
● u64 bpf_get_current_pid_tgid(void)
● bpf_get_current_comm(char *buf, int size_of_buf)
● BPF_PERF_OUTPUT(name)
● int perf_submit((void *)ctx, (void *)data, u32 data_size)
● Map Functions
○ *val map.lookup(&key), val lookup_or_init(&key, &zero), delete(&key),
update(&key, &val), map.increment(key[, increment_amount])
Segment Use Cases
segmentio/netsniff - tw: @julien_fabre / gh: @pryz
segmentio/ebpf
● Golang eBPF “Collectors”.
● CLI + ebpfd agent processes configuration and starts
eBPF programs.
● Stats aggregation, publishing to observers, 3rd party
stats forwarding (datadog etc.).
● Docker / pid -> container/service resolution.
segmentio/ebpf
Thank You! Questions?
References
● https://lwn.net/Articles/740157/ - A thorough introduction to eBPF
● https://lwn.net/Articles/599755/ - BPF: the universal in-kernel virtual machine
● https://www.collabora.com/news-and-blog/blog/2019/04/15/an-ebpf-overview-part-2-machine-and-bytecode/
● https://www.youtube.com/watch?v=2lbtr85Yrs4 - Kernel Tracing with eBPF
● https://www.kernel.org/doc/Documentation/networking/filter.txt - Linux Socket Filtering aka Berkeley Packet Filter
● http://www.brendangregg.com/ebpf.html - Linux Extended BPF (eBPF) Tracing Tools
● https://www.slideshare.net/vh21/meet-cutebetweenebpfandtracing - Meet cute between eBPF and tracing
● https://blog.cloudflare.com/bpf-the-forgotten-bytecode/ - BPF the forgotten bytecode
● https://www.oreilly.com/learning/using-linux-tracing-tools - Modern Linux Tracing Landscape
● https://lwn.net/Articles/742082/ - An introduction to the BPF Compiler Collection
● https://bolinfest.github.io/opensnoop-native/ - How I ended up writing opensnoop in pure C using eBPF
● https://lwn.net/Articles/753601/ - Using user-space tracepoints with BPF
● http://brendangregg.com/perf.html - Perf Examples

WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration
 
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 

Understanding eBPF in a Hurry!

  • 1. Understanding eBPF in a Hurry! LinkedIn Performance Engineering Meetup June 2019 Ray Jenkins
  • 3. Let’s say you have a performance problem.
  • 4. Examples
      ● A developer claims boxes have “slow” I/O
      ● Network connections are randomly terminated.
      ● Your service is crashing, you’re not sure why, maybe it’s getting OOM killed?
      ● You think some process might be getting starved.
  • 5. Someone suggests you might be able to solve it with eBPF.
  • 6. Now you got two problems.
  • 7. Goal: Can we understand what eBPF is and how it works?
  • 9. What is eBPF? (Extended Berkeley Packet Filter)
      ● Fast and safe, in-kernel, register based, bytecode VM.
      ● Designed to be JITed with direct mapping to x86_64 and other modern architectures.
      ● eBPF programs are “attached” to code paths within the kernel or user space programs and are executed when the code path is traversed.
      ● Linux Kernel 3.18 (2014) - bpf(2) syscall
          ○ (4.1 for Kprobes)
  • 12. What is eBPF? … cont.
      ● Programs are written in restricted C. eBPF backend for LLVM/Clang.
          ○ clang -O2 -emit-llvm -c bpf.c -o - | llc -march=bpf -filetype=obj -o bpf.o
      ● eBPF Verifier
          ○ Verified to finish (no loops), with no unreachable instructions, no reads of uninitialized registers, and no memory access through arbitrary pointers; kernel function calls and data structure access are restricted.
      ● eBPF Maps / Perf Events Ring Buffer
          ○ Memory-mapped, bi-directional data structures for storage. Allow sharing of data between eBPF kernel programs, and also between kernel and user-space applications.
      ● Helper Functions
          ○ Kernel functions exposed to eBPF programs.
          ○ Context sensitive to type of eBPF program.
  • 14. Why do we need eBPF?
  • 15. Dynamically and Programmatically Trace Kernel or User Space Functions and Events, Safely and Efficiently.
  • 17. eBPF is appealing to different people for different reasons, but its power resides in what you can attach it to. For Performance Engineering we’re primarily interested in these hooks.
      ● Kprobes/Uprobes
      ● Tracepoints
      ● USDT
      ● PerfEvents
      https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/bpf.h#L145
  • 18. Tracepoints (2.6.32) - 2009
      ● Static places in the kernel where tracing is inserted.
      ● $ grep -ri TRACE_EVENT *
      ● https://github.com/brendangregg/perf-tools
  • 19. K/J(ret)probes (2.6.9) - 2004 / U(ret)probes (3.15) - 2014
      ● Probe any instruction, dynamically
      ● grep <func> /proc/kallsyms
      ● Registering a kprobe copies the probed instruction and inserts a breakpoint (int3 on x86_64).
      ● The CPU hits the breakpoint, a trap occurs, registers are saved and control is passed to Kprobes.
      ● The pre-handler function is called, Kprobes single-steps the instructions (slow), then the post-handler is called.
      ● CONFIG_OPTPROBES=Y (enabled on x86_64)
  • 24. Perf events (2.6.31) - 2009
      ● The “nearly un-googleable” - http://web.eece.maine.edu/~vweaver/projects/perf_events/
      ● Trace and count tracepoints and lower level events, PMU, HW events (L1 cache store/load/miss etc).
      ● Accesses data from user space efficiently by accessing the perf_events ring buffer.
  • 25. USDT (BCC March 2016)
      ● Userland Statically Defined Tracepoints
      ● sudo ./tplist -l <library name>
  • 28. sudo apt-get install bpfcc-tools
  • 34. So what does it look like?
  • 41. Let’s Talk about the VM, First Let’s Check our Map
  • 42. YOU ARE IN 1992
  • 44. tcpdump -ni eth0 ip and udp
  • 46. tcpdump -ni eth0 ip and udp -d
  • 48. BPF - Berkeley Packet Filter
      ● Bytecode, register based VM, with a limited instruction set
      ● Runs in-kernel, designed for fast packet filtering
      ● 32-bit instructions (LOAD, STORE, ALU, BRANCH, RETURN)
      ● 2, 32-bit registers (A, X), hidden frame pointer
  • 49. BPF bytecode for ‘tcpdump ip and udp’
        (000) ldh [12]                 (load 2 bytes from packet, at offset 12)
        (001) jeq #0x800 jt 2 jf 5
        (002) ldb [23]                 (load byte at offset 23)
        (003) jeq #0x11 jt 4 jf 5      (0x11 == 17)
        (004) ret #262144
        (005) ret #0
      https://blog.cloudflare.com/bpf-the-forgotten-bytecode/
      http://www.networksorcery.com/enp/protocol/ip.htm
  • 51. eBPF - Extended Berkeley Packet Filter
      ● Bytecode, register based VM, with an extended instruction set
          ○ Designed to be JITed with direct mapping to x86_64
      ● 64-bit instructions, and 10 64-bit registers
          ○ R0 - return value from in-kernel function, and exit value for eBPF program
          ○ R1 - R5 - arguments from eBPF program to in-kernel function
          ○ R6 - R9 - callee saved registers that in-kernel function will preserve
          ○ R10 - read-only frame pointer to access stack
      ● BPF_CALL
          ○ hw register zero overhead calls to other kernel functions
      ● BPF_MAPS
          ○ Bi-directional data structures for storage. Allow sharing of data between eBPF kernel programs, and also between kernel and user-space applications.
      ● Helper Functions
          ○ https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md ← Very Important!
  • 52. eBPF - Extended Berkeley Packet Filter… cont
      ● Load programs via bpf(2) syscall (see: man bpf)
          ○ int bpf(int cmd, union bpf_attr *attr, unsigned int size);
      ● Cmd: BPF_PROG_LOAD
          ○ Verify and load an eBPF program, returning a new file descriptor associated with the program. The close-on-exec file descriptor flag (see fcntl(2)) is automatically enabled for the new file descriptor.
  • 54. Can we learn more about eBPF VM like we did with tcpdump?
  • 61. 0xb7 (op), r1 (dst), imm: 72=114, 6c=108, 64=100, 0a=10; imm->ascii = “rld\n”
  • 62. 0x63 (op), r1 (src), r10 (dst), offset
  • 63. 0x18 (op), r1 (dst), imm “hello wo”
  • 64. As you can imagine, the next 4 instructions copy “hello wo” into a scratch space at offset -16, copy a “0” into r1, and then copy that “0” to offset -4. Finally we copy the address of the variable from the frame pointer at r10 into r1.
  • 65. To prepare for the call to int bpf_trace_printk(const char *fmt, u32 fmt_size, ...), we need to point r1 to the variable (which is -16 bytes from the frame pointer), and in r2 we store the size of “hello world\n\0” = 13 bytes.
  • 66. 0x85 is a function call, with an imm of 6. We need to look that up in bpf.h in order to figure out what that is.
  • 68. Lastly we set our return value in r0 = 0 and exit with opcode 0x95.
  • 71. Helper Functions
      ● https://github.com/torvalds/linux/blob/master/include/uapi/linux/bpf.h
      ● https://github.com/iovisor/bcc/blob/master/docs/reference_guide.md
      ● int bpf_probe_read(void *dst, int size, const void *src) ← all reads must call
      ● int bpf_probe_read_str(void *dst, int size, const void *src)
      ● u64 bpf_ktime_get_ns(void)
      ● u64 bpf_get_current_pid_tgid(void)
      ● bpf_get_current_comm(char *buf, int size_of_buf)
      ● BPF_PERF_OUTPUT(name)
      ● int perf_submit((void *)ctx, (void *)data, u32 data_size)
      ● Map Functions
          ○ *val map.lookup(&key), val lookup_or_init(&key, &zero), delete(&key), update(&key, &val), map.increment(key[, increment_amount])
  • 73. segmentio/netsniff - tw: @julien_fabre / gh: @pryz
  • 74. segmentio/ebpf
      ● Golang eBPF “Collectors”.
      ● CLI + ebpfd agent processes configuration and starts eBPF programs.
      ● Stats aggregation, publishing to observers, 3rd party stats forwarding (datadog etc.).
      ● Docker / pid -> container/service resolution.
  • 77. References
      ● https://lwn.net/Articles/740157/ - A thorough introduction to eBPF
      ● https://lwn.net/Articles/599755/ - BPF: the universal in-kernel virtual machine
      ● https://www.collabora.com/news-and-blog/blog/2019/04/15/an-ebpf-overview-part-2-machine-and-bytecode/
      ● https://www.youtube.com/watch?v=2lbtr85Yrs4 - Kernel Tracing with eBPF
      ● https://www.kernel.org/doc/Documentation/networking/filter.txt - Linux Socket Filtering aka Berkeley Packet Filter
      ● http://www.brendangregg.com/ebpf.html - Linux Extended BPF (eBPF) Tracing Tools
      ● https://www.slideshare.net/vh21/meet-cutebetweenebpfandtracing - Meet cute between eBPF and tracing
      ● https://blog.cloudflare.com/bpf-the-forgotten-bytecode/ - BPF the forgotten bytecode
      ● https://www.oreilly.com/learning/using-linux-tracing-tools - Modern Linux Tracing Landscape
      ● https://lwn.net/Articles/742082/ - An introduction to the BPF Compiler Collection
      ● https://bolinfest.github.io/opensnoop-native/ - How I ended up writing opensnoop in pure C using eBPF
      ● https://lwn.net/Articles/753601/ - Using user-space tracepoints with BPF
      ● http://brendangregg.com/perf.html - Perf Examples
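
The six-instruction filter on slide 49, run by a minimal classic BPF interpreter in user space. This is an added example, not code from the talk: the opcode values are the standard classic BPF encodings, while cbpf_run, filter_frame and the sample frames are names and data constructed here. It goes one step beyond the slide by showing that a load past the end of a truncated packet drops the packet.

```c
#include <stdint.h>
#include <stdio.h>

/* Classic BPF instruction: opcode, relative jump offsets jt/jf, 32-bit operand k. */
struct cbpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LDH_ABS = 0x28, LDB_ABS = 0x30, JEQ_K = 0x15, RET_K = 0x06 };
/* Slide 49's listing; "jt 2 jf 5" at index 1 is stored as jt=0, jf=3. */
static const struct cbpf_insn ip_and_udp[] = {
    { LDH_ABS, 0, 0, 12 },       /* (000) ldh [12]     EtherType       */
    { JEQ_K,   0, 3, 0x800 },    /* (001) jeq #0x800   IPv4?           */
    { LDB_ABS, 0, 0, 23 },       /* (002) ldb [23]     IPv4 protocol   */
    { JEQ_K,   0, 1, 0x11 },     /* (003) jeq #0x11    UDP?            */
    { RET_K,   0, 0, 262144 },   /* (004) ret #262144  accept          */
    { RET_K,   0, 0, 0 },        /* (005) ret #0       drop            */
};

/* Returns the byte count to keep (0 = drop). A load past the end of the
 * packet, or an opcode outside this subset, drops the packet. */
static uint32_t cbpf_run(const struct cbpf_insn *prog, size_t n,
                         const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;                          /* accumulator register */
    for (size_t pc = 0; pc < n; pc++) {
        uint32_t k = prog[pc].k;
        switch (prog[pc].code) {
        case LDH_ABS: if (len < 2 || k > len - 2) return 0;
                      A = (uint32_t)pkt[k] << 8 | pkt[k + 1]; break;
        case LDB_ABS: if (k >= len) return 0; A = pkt[k]; break;
        case JEQ_K:   pc += (A == k) ? prog[pc].jt : prog[pc].jf; break;
        case RET_K:   return k;
        default:      return 0;
        }
    }
    return 0;
}

/* Constructed frame: Ethernet + IPv4 headers with only the tested fields set. */
static uint32_t filter_frame(uint16_t ethertype, uint8_t proto, size_t len)
{
    uint8_t f[34] = {0};
    f[12] = ethertype >> 8; f[13] = ethertype & 0xff; f[23] = proto;
    return cbpf_run(ip_and_udp, 6, f, len < sizeof f ? len : sizeof f);
}

int main(void)
{
    printf("udp=%u tcp=%u\n", filter_frame(0x800, 17, 34), filter_frame(0x800, 6, 34));
    return 0;
}
```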
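
Slides 61 to 68 walk through the hello-world bytecode one instruction at a time; the added example below (not from the talk) decodes and executes such a program in user space, rejecting any store outside its 16-byte stack. The byte values are constructed to match the walk-through, hello_prog, run_hello and struct helper_call are hypothetical names, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <string.h>

/* Constructed bytes for the program walked through above. Each 8-byte slot:
 * opcode, dst (low nibble) | src (high nibble), s16 offset, s32 immediate. */
static const uint8_t hello_prog[] = {
    0xb7,0x01,0,0, 0x72,0x6c,0x64,0x0a,   /* r1 = "rld\n"                  */
    0x63,0x1a,0xf8,0xff, 0,0,0,0,         /* *(u32 *)(r10 - 8) = r1        */
    0x18,0x01,0,0, 0x68,0x65,0x6c,0x6c,   /* r1 = "hello wo" (64-bit imm,  */
    0x00,0x00,0,0, 0x6f,0x20,0x77,0x6f,   /*   high half in a second slot) */
    0x7b,0x1a,0xf0,0xff, 0,0,0,0,         /* *(u64 *)(r10 - 16) = r1       */
    0xb7,0x01,0,0, 0,0,0,0,               /* r1 = 0                        */
    0x73,0x1a,0xfc,0xff, 0,0,0,0,         /* *(u8 *)(r10 - 4) = r1         */
    0xbf,0xa1,0,0, 0,0,0,0,               /* r1 = r10                      */
    0x07,0x01,0,0, 0xf0,0xff,0xff,0xff,   /* r1 += -16                     */
    0xb7,0x02,0,0, 0x0d,0,0,0,            /* r2 = 13                       */
    0x85,0x00,0,0, 0x06,0,0,0,            /* call 6 (BPF_FUNC_trace_printk) */
    0xb7,0x00,0,0, 0,0,0,0,               /* r0 = 0                        */
    0x95,0x00,0,0, 0,0,0,0,               /* exit                          */
};
struct helper_call { int32_t id; uint64_t size; char fmt[16]; };

/* Runs only the opcodes used above (little-endian host assumed). Returns r0
 * at exit, or -1 on an unknown opcode or an access outside the 16-byte stack. */
static int64_t run_hello(const uint8_t *p, size_t len, struct helper_call *hc)
{
    uint8_t stack[16] = {0};
    uint64_t r[16] = { [10] = sizeof stack };      /* r10 = frame pointer */
    for (size_t pc = 0; pc + 8 <= len; pc += 8) {
        uint8_t op = p[pc], dst = p[pc + 1] & 0x0f, src = p[pc + 1] >> 4;
        int16_t off; memcpy(&off, p + pc + 2, 2);
        int32_t imm; memcpy(&imm, p + pc + 4, 4);
        size_t w = op == 0x63 ? 4 : op == 0x7b ? 8 : op == 0x73 ? 1 : 0;
        uint64_t at = r[dst] + (uint64_t)(int64_t)off;   /* store address */
        if (op == 0xb7) r[dst] = (uint64_t)(int64_t)imm;
        else if (op == 0xbf) r[dst] = r[src];
        else if (op == 0x07) r[dst] += (uint64_t)(int64_t)imm;
        else if (op == 0x18 && pc + 16 <= len) {
            uint32_t hi; memcpy(&hi, p + pc + 12, 4);
            r[dst] = (uint64_t)hi << 32 | (uint32_t)imm; pc += 8;
        } else if (w && at <= sizeof stack - w) memcpy(stack + at, &r[src], w);
        else if (op == 0x85 && r[1] < sizeof stack) {
            hc->id = imm; hc->size = r[2];
            memcpy(hc->fmt, stack + r[1], sizeof stack - r[1]);
        } else if (op == 0x95) return (int64_t)r[0];
        else return -1;
    }
    return -1;
}
```

Calling run_hello(hello_prog, sizeof hello_prog, &hc) returns 0 and leaves helper id 6, size 13 and the string "hello world\n" in hc, which is the state the slides derive by hand.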

Editor's Notes

  1. We’re going to refer back to the slide several times in our presentation
  2. Kprobe tcp_set_state We check subnet for whether it’s an AWS hosted service docker