{"id":13719491,"url":"https://github.com/bpftools/linux-observability-with-bpf","last_synced_at":"2025-05-07T11:32:06.641Z","repository":{"id":35148365,"uuid":"205408262","full_name":"bpftools/linux-observability-with-bpf","owner":"bpftools","description":"Code snippets from the O'Reilly book","archived":true,"fork":false,"pushed_at":"2022-01-30T21:52:08.000Z","size":201,"stargazers_count":900,"open_issues_count":0,"forks_count":279,"subscribers_count":50,"default_branch":"master","last_synced_at":"2024-11-14T09:38:52.795Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://bit.ly/bpf-safari","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bpftools.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-08-30T15:24:30.000Z","updated_at":"2024-11-14T09:09:58.000Z","dependencies_parsed_at":"2022-08-08T05:16:15.535Z","dependency_job_id":null,"html_url":"https://github.com/bpftools/linux-observability-with-bpf","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bpftools%2Flinux-observability-with-bpf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bpftools%2Flinux-observability-with-bpf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bpftools%2Flinux-observability-with-bpf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bpftools%2Flinux-observability-with-bpf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bpftools","download_url":"https://codeloa
d.github.com/bpftools/linux-observability-with-bpf/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252869031,"owners_count":21816963,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T01:00:49.973Z","updated_at":"2025-05-07T11:32:06.227Z","avatar_url":"https://github.com/bpftools.png","language":"C","funding_links":[],"categories":["C"],"sub_categories":[],"readme":"\u003cp\u003e\u003cimg align=\"right\" src=\"/img/owl.png\" width=\"150px\"/\u003e\u003c/p\u003e\n\u003cp\u003e\u003c/p\u003e\n\n# Important note for readers (Jan 30th 2022)\n\nThis repository is now archived; this book was published in 2019 and written in 2018. We have been trying to keep the repository up to date until now, but eBPF has evolved tremendously in the past 3 years. This does not mean that reading the book is a complete waste of your time now; many concepts are still the same, like how the bpf syscall works, the instruction set, and how tracepoints, kprobes, uprobes, XDP and traffic control work. However, at this point, just updating the examples here is not enough anymore, and many areas of the book would need to be rewritten to fit the new concepts, tools, libraries and the ecosystem around eBPF. 
A second edition is not yet planned (we will update here if it ever happens).\n\nWe want to say **thank you** to all the readers and the [amazing people](https://github.com/bpftools/linux-observability-with-bpf/pulls?q=is%3Apr+is%3Aclosed) who helped update the examples with their findings.\n\n## What should I do then?\n\nIf you are new to eBPF and don't know where to start, the good news is that today there is an amazing community that didn't exist in 2018!\n\nHere you go! There are just two links you will really need.\n\n- [eBPF.io website](https://ebpf.io/): A website containing useful documentation, blog posts, conference talks and links to many resources\n- [The eBPF and Cilium Slack](https://ebpf.io/slack): an amazing community of people around eBPF; you'll be welcome there.\n\nWhat are you waiting for? Go meet your new friends!\n\n\nFrom now on, the original text of this readme follows.\n\n# Linux Observability with BPF code examples\n\nThis is the companion code repo for the book [Linux Observability with BPF](https://bit.ly/bpf-safari).\n\nWe believe that even though the examples included in the book were all tested and working when we wrote them, human error is possible and technology changes.\nFor that reason, the purpose of this repo is to keep them as updated as possible and to correct mistakes we made while writing the book.\n\n**Nota Bene**: All the examples in this repository are adapted from the book to assume that you use the Vagrant environment we provide.\nExamples can be slightly different in this repository because of that. 
The reason is that we didn't want to couple the book itself to Vagrant as a tool.\nIf you don't want a Vagrant based environment, make sure you have: [bcc](https://github.com/iovisor/bcc/blob/master/INSTALL.md) and [clang](https://clang.llvm.org/)\n\n\n## Environment setup\n\n- Please expand the details of the environment you want to work on.\n- Remember that the examples have been tested on the Vagrant based environment primarily.\n- Feel free to open an issue or a PR if you want to help in making this better for everyone!\n\n\u003cdetails\u003e\n\u003csummary\u003eFedora 30\u003c/summary\u003e\n\nFirst, we need to install some build dependencies and all the tools needed for the examples:\n\n```bash\nsudo dnf install make glibc-devel.i686 elfutils-libelf-devel wget tar clang bcc strace kernel-devel -y\n```\n\nThen we need to grab a copy of the source code of the current kernel.\n\nIn our case the running kernel can be verified with `uname`.\n\n```bash\n$ uname -r\n5.0.9-301.fc30.x86_64\n```\n\nGiven that version, please notice the URL we fetch the sources from in the following command.\nChange it according to your version.\n\n```bash\ncd /tmp\nwget -c https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.0.9.tar.gz -O - | tar -xz\n```\n\nNow that we have the kernel source, we can move it to the `/kernel-src` folder.\n\n**NOTE THAT: All the examples** using kernel sources in this repo assume that the kernel sources are available there. In case you don't like it,\nmake sure you do a search and replace!\n\nAt this point we move the kernel sources and compile `libbpf`. 
Again, please notice the `5.0.9` here and change it accordingly.\n\n```bash\nsudo mv linux-5.0.9 /kernel-src\ncd /kernel-src/tools/lib/bpf\nsudo make \u0026\u0026 sudo make install prefix=/\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eUbuntu 18.04\u003c/summary\u003e\n\nFirst, we need to install some build dependencies and all the tools needed for the examples:\n\n```bash\nsudo apt update\nsudo apt install build-essential git make libelf-dev clang strace tar bpfcc-tools linux-headers-$(uname -r) gcc-multilib\n```\n\n**Note on Kernel version**: make sure you have a recent kernel to run the examples; a version `\u003e=5.0.0` will do the job. Most Ubuntu `18.04` providers ship with kernel `4.15`, which doesn't work for most of the examples. Upgrade options are left to the reader; we've been successful on AWS by installing the `linux-image-5.0.0-1019-aws` package.\n\nAfter installing the dependencies, we need to grab a copy of the kernel source code for the current release.\nSince this assumes that you are running an updated Ubuntu 18.04, we can get it directly from the repo they provide.\n\n```bash\ncd /tmp\ngit clone --depth 1 git://kernel.ubuntu.com/ubuntu/ubuntu-bionic.git\n```\n\nNow that we have the kernel source, we can move it to the `/kernel-src` folder.\n\n**NOTE THAT: All the examples** using kernel sources in this repo assume that the kernel sources are available at `/kernel-src`. 
In case you don't like it,\nmake sure you do a search and replace!\n\n\nAt this point we move the kernel sources and compile `libbpf`.\n\n```bash\nsudo mv ubuntu-bionic /kernel-src\ncd /kernel-src/tools/lib/bpf\nsudo make \u0026\u0026 sudo make install prefix=/usr/local\n```\n\nUbuntu doesn't have the library path that the makefile expects, so we need to move our libraries\nto its library path now.\n\n```bash\nsudo mv /usr/local/lib64/libbpf.* /lib/x86_64-linux-gnu/\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eVagrant (recommended)\u003c/summary\u003e\nWe provide a reproducible environment in the form of a Vagrantfile that installs everything needed to make the examples work.\n\nThe environment is based on Fedora 30.\n\n### Install Vagrant\n\nTo install Vagrant, follow the official guide [here](https://www.vagrantup.com/docs/installation/).\n\nOnce you have Vagrant installed, you will need to clone this repository and issue a `vagrant up`.\n\n```bash\ngit clone https://github.com/bpftools/linux-observability-with-bpf.git\ncd linux-observability-with-bpf\nvagrant up\n```\n\nThis Vagrant command will start a Fedora 30 VM in VirtualBox; you can SSH into the machine using:\n\n```bash\nvagrant ssh\n```\n\nBefore going on, make sure you download the kernel source tree in this repository. 
It is needed as a dependency for some examples.\nWe will be downloading the code for kernel 5.0.9; we are avoiding a git clone here because the Git history of the kernel is very big.\n\nIn the machine:\n\n```bash\ncd /tmp\nwget -c https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.0.9.tar.gz -O - | tar -xz\nsudo mv linux-5.0.9 /kernel-src\n```\n\nAt this point, we need to compile the `libbpf` library:\n\n```bash\ncd /kernel-src/tools/lib/bpf\nmake \u0026\u0026 sudo make install prefix=/\n```\n\n\n\u003c/details\u003e\n\n\nBefore going to the examples, it will be useful to have a copy of this repo in your environment.\n\n```bash\ngit clone https://github.com/bpftools/linux-observability-with-bpf.git ~/linux-observability-with-bpf\n```\n\n**IMPORTANT NOTE**: The examples assume that you clone the repo in your home folder `~/linux-observability-with-bpf`; if you didn't,\nplease remember to change your commands!\n\nYay, at this point you have everything and can follow the code examples below.\n\n## Code examples\n\nClick on each example to follow the setup instructions.\n\n\n### Chapter 2\n\n- [Hello World](/code/chapter-2/hello_world)\n\n### Chapter 3\n\n- [The BPF Virtual Filesystem](/code/chapter-3/bpf_fs)\n\n### Chapter 4\n\n#### Probes\n\n##### Kernel Probes\n- [Kprobes](/code/chapter-4/kprobes)\n- [Kretprobes](/code/chapter-4/kretprobes)\n\n##### User-Space Probes\n- [Uprobes](/code/chapter-4/uprobes)\n- [Uretprobes](/code/chapter-4/uretprobes)\n\n##### Tracepoints\n- [Tracepoints](/code/chapter-4/tracepoints)\n\n#### User Statically Defined Tracepoints (USDT)\n- [User Statically Defined Tracepoints](/code/chapter-4/usdt)\n\n##### Visualizing Tracing Data\n- [Flame Graphs](/code/chapter-4/flamegraphs)\n- [Histograms](/code/chapter-4/histograms)\n- [Perf Events](/code/chapter-4/histograms)\n\n### Chapter 6 - Linux Networking and BPF\n\n- [Packet filtering for raw sockets](/code/chapter-6/packet-filtering-raw-sockets)\n- [Traffic control classifier program using 
cls_bpf](/code/chapter-6/tc-flow-bpf-cls)\n\n### Chapter 7 - eXpress Data Path (XDP)\n\n- [XDP and iproute2 as a loader](/code/chapter-7/iproute2)\n- [XDP and BCC](/code/chapter-7/bcc)\n- [Testing XDP programs](/code/chapter-7/prog-test-run)\n\n\n### Chapter 8 - Linux Kernel security, Capabilities and Seccomp\n\n- [Seccomp BPF filter example](/code/chapter-8/seccomp)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbpftools%2Flinux-observability-with-bpf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbpftools%2Flinux-observability-with-bpf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbpftools%2Flinux-observability-with-bpf/lists"}