eBPF Tutorial by Example: Learning CO-RE eBPF Step by Step

This is a development tutorial for eBPF based on CO-RE (Compile Once, Run Everywhere). It provides practical eBPF development practices from beginner to advanced, including basic concepts, code examples, and real-world applications. Unlike BCC, we use frameworks like libbpf, Cilium, libbpf-rs, and eunomia-bpf for development, with examples in languages such as C, Go, and Rust.

This tutorial does not cover complex concepts and scenario introductions. Its main purpose is to provide examples of eBPF tools (very short, starting with twenty lines of code!) to help eBPF application developers quickly grasp eBPF development methods and techniques. The tutorial content can be found in the directory, with each directory being an independent eBPF tool example.

For the complete source code of the tutorial, please refer to the repo https://github.com/eunomia-bpf/bpf-developer-tutorial on GitHub. If you find this tutorial helpful, please give us a star!

Getting Started Examples

This section contains simple eBPF program examples and introductions. It primarily utilizes the eunomia-bpf framework to simplify development and introduces the basic usage and development process of eBPF.

lesson 0-introduce Introduces basic concepts of eBPF and common development tools
lesson 1-helloworld Develops the simplest "Hello World" program using eBPF and introduces the basic framework and development process of eBPF
lesson 2-kprobe-unlink Uses kprobe in eBPF to capture the unlink system call
lesson 3-fentry-unlink Uses fentry in eBPF to capture the unlink system call
lesson 4-opensnoop Uses eBPF to capture the system call collection of processes opening files, and filters process PIDs in eBPF using global variables
lesson 5-uprobe-bashreadline Uses uprobe in eBPF to capture the readline function calls in bash
lesson 6-sigsnoop Captures the system call collection of processes sending signals and uses a hash map to store states
lesson 7-execsnoop Captures process execution times and prints output to user space through perf event array
lesson 8-exitsnoop Captures process exit events and prints output to user space using a ring buffer
lesson 9-runqlat Captures process scheduling delays and records them in histogram format
lesson 10-hardirqs Captures interrupt events using hardirqs or softirqs

Advanced Documents and Examples

We start to build complete eBPF projects mainly based on libbpf and combine them with various application scenarios for practical use.

lesson 11-bootstrap Writes native libbpf user space code for eBPF using libbpf-bootstrap and establishes a complete libbpf project.
lesson 12-profile Performs performance analysis using eBPF
lesson 13-tcpconnlat Records TCP connection latency and processes data in user space using libbpf
lesson 14-tcpstates Records TCP connection state and TCP RTT.- lesson 15-javagc Capture user-level Java GC event duration using usdt
lesson 16-memleak Detect memory leaks
lesson 17-biopattern Capture disk IO patterns
lesson 18-further-reading Further reading: papers list, projects, blogs, etc.
lesson 19-lsm-connect Use LSM for security detection and defense
lesson 20-tc Use eBPF for tc traffic control
lesson 21-xdp Use eBPF for XDP packet processing

In-Depth Topics

This section covers advanced topics related to eBPF, including using eBPF programs on Android, possible attacks and defenses using eBPF programs, and complex tracing. Combining the user-mode and kernel-mode aspects of eBPF can bring great power (as well as security risks).

Android:

Using eBPF programs on Android

Networking and tracing:

Security:

Other:

bcc and bpftrace tutorial

For reference: