eBPF Tutorial by Example: Learning CO-RE eBPF Step by Step
This is a development tutorial for eBPF based on CO-RE (Compile Once, Run Everywhere). It provides practical eBPF development practices from beginner to advanced, including basic concepts, code examples, and real-world applications. Unlike BCC, we use frameworks like libbpf, Cilium, libbpf-rs, and eunomia-bpf for development, with examples in languages such as C, Go, and Rust.
This tutorial does not cover complex concepts and scenario introductions. Its main purpose is to provide examples of eBPF tools (very short, starting with twenty lines of code!) to help eBPF application developers quickly grasp eBPF development methods and techniques. The tutorial content can be found in the directory, with each directory being an independent eBPF tool example.
For the complete source code of the tutorial, please refer to the repo https://github.com/eunomia-bpf/bpf-developer-tutorial on GitHub. If you find this tutorial helpful, please give us a star!
Getting Started Examples
This section contains simple eBPF program examples and introductions. It primarily uses the eunomia-bpf framework to simplify development and introduces the basic usage and development process of eBPF.
- lesson 0-introduce Introduces basic concepts of eBPF and common development tools
- lesson 1-helloworld Develops the simplest "Hello World" program using eBPF and introduces the basic framework and development process of eBPF
- lesson 2-kprobe-unlink Uses kprobe in eBPF to capture the unlink system call
- lesson 3-fentry-unlink Uses fentry in eBPF to capture the unlink system call
- lesson 4-opensnoop Uses eBPF to capture the system calls made by processes opening files, and filters by process PID in eBPF using global variables
- lesson 5-uprobe-bashreadline Uses uprobe in eBPF to capture the readline function calls in bash
- lesson 6-sigsnoop Captures the system calls by which processes send signals and uses a hash map to store state
- lesson 7-execsnoop Captures process execution times and prints output to user space through perf event array
- lesson 8-exitsnoop Captures process exit events and prints output to user space using a ring buffer
- lesson 9-runqlat Captures process scheduling delays and records them in histogram format
- lesson 10-hardirqs Captures interrupt events using hardirqs or softirqs
Advanced Documents and Examples
We start to build complete eBPF projects mainly based on libbpf and combine them with various application scenarios for practical use.
- lesson 11-bootstrap Writes native libbpf user space code for eBPF using libbpf-bootstrap and establishes a complete libbpf project.
- lesson 12-profile Performs performance analysis using eBPF
- lesson 13-tcpconnlat Records TCP connection latency and processes data in user space using libbpf
- lesson 14-tcpstates Records TCP connection state and TCP RTT
- lesson 15-javagc Captures user-level Java GC event duration using USDT
- lesson 16-memleak Detects memory leaks
- lesson 17-biopattern Captures disk I/O patterns
- lesson 18-further-reading Further reading: papers list, projects, blogs, etc.
- lesson 19-lsm-connect Uses LSM for security detection and defense
- lesson 20-tc Uses eBPF for tc traffic control
- lesson 21-xdp Uses eBPF for XDP packet processing
In-Depth Topics
This section covers advanced topics related to eBPF, including using eBPF programs on Android, possible attacks and defenses using eBPF programs, and complex tracing. Combining the user-mode and kernel-mode aspects of eBPF can bring great power (as well as security risks).
Android:
Networking:
Tracing:
- Tracing HTTP requests or other layer-7 protocols using eBPF socket filter or syscall trace
- Capturing Plain Text Data of Various Libraries' SSL/TLS Using uprobe
- Using eBPF to Trace Go Routine States
- Measuring Function Latency with eBPF
- Using uprobe to Trace Rust Programs
- Using eBPF to Trace Nginx Requests
- Using eBPF to Trace MySQL Queries
Security:
- Use eBPF to modify syscall parameters
- The Secure Path Forward for eBPF: Challenges and Innovations
- Hiding process or file information using eBPF
- Terminating processes by sending signals using bpf_send_signal
- Adding sudo users using eBPF
- Replacing text read or written by any program using eBPF
- BPF lifecycle: Running eBPF programs continuously in Detached mode after user-mode applications exit
- Modifying System Call Parameters with eBPF
Other:
- Using user ring buffer to send information to the kernel
- Userspace eBPF Runtimes: Overview and Applications
- Compile Once, Run Everywhere for userspace with eBPF and BTF
bcc and bpftrace tutorial
For reference: