Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/64j0/starting-ebpf
Starting my journey through eBPF (Extended Berkeley Packet Filter)
https://github.com/64j0/starting-ebpf
ebpf
Last synced: about 1 month ago
JSON representation
Starting my journey through eBPF (Extended Berkeley Packet Filter)
- Host: GitHub
- URL: https://github.com/64j0/starting-ebpf
- Owner: 64J0
- Created: 2023-06-21T21:40:59.000Z (over 1 year ago)
- Default Branch: master
- Last Pushed: 2024-08-21T14:26:59.000Z (4 months ago)
- Last Synced: 2024-08-21T22:11:25.656Z (4 months ago)
- Topics: ebpf
- Language: C
- Homepage:
- Size: 643 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.org
Awesome Lists containing this project
README
#+TITLE: Starting eBPF
#+AUTHOR: 64J0This repository is used to keep track of the programs I write while starting to
learn about eBPF (Extended Berkeley Packet Filter) technology.The main reference for this journey is the book [[https://github.com/lizrice/learning-ebpf][Learning eBPF]] from Liz Rice,
leveraging this book's exercises and examples.** What is eBPF?
eBPF is a revolutionary kernel technology that allows developers to write custom
code that can be loaded into the kernel dynamically, changing the way the kernel
behaves.This tool provides us the flexibility to build bespoke tools or customized
policies. eBPF-based tools can observe any event across the kernel, and hence
across all applications running on a (virtual) machine, whether they are
containerized or not.Just a few of the things you can do with eBPF include:
+ Performance tracing of pretty much any aspect of a system;
+ High-performance networking, with built-in visibility;
+ Detecting and (optionally) preventing malicious activity.#+BEGIN_QUOTE
[!IMPORTANT]
Because eBPF is continually evolving, the features available to you depend on
the kernel version you're running.
#+END_QUOTE*** eBPF safety
Since eBPF programs can be loaded into and removed from the kernel dynamically,
and a kernel code crash can potentially take down the machine and everything
running on it, it's important to have some guarantee that the code we're using
is correct to some extent.With this in mind, the ~eBPF verifier~ was created. The ~eBPF verifier~ is the
tool that ensure that an eBPF program is loaded only if it's safe to run - it
won't crash the machine, or lock it up in a hard loop, and it won't allow data
to be compromised.** Vagrant
As you can notice by checking this repository, I added a Vagrantfile to make it
easier to create a VM for testing purposes. This Vagrantfile is based on [[https://aquasecurity.github.io/tracee/v0.9/tutorials/setup-development-machine-with-vagrant/][this
reference]] from [[https://github.com/aquasecurity/tracee][aquasecurity/tracee]].To start the server, you can do:
#+BEGIN_SRC bash :tangle no
# the vagrant version I'm using
vagrant --version
# Vagrant 2.4.1# =====================
# start the vm
vagrant up# =====================
# connect to the vm through ssh
vagrant ssh# =====================
# stop the vm
vagrant halt
# if you want to destroy the VM completely
# vagrant destroy# =====================
# restart the vm
vagrant up
#+END_SRC** Helpers
**** bpf/bpf_helpers.h installation
I found the solution to this problem at this StackOverflow answer: [[https://stackoverflow.com/a/55438649][link]].
Basically, if you're using a Linux distribution that uses apt as the package
manager:#+BEGIN_SRC bash
# update packages list
sudo apt update# install libbpf-dev
sudo apt install libbpf-dev# verify that it was installed
# check /usr/include/bpf/bpf_helpers.h
#+END_SRC**** bpftool not found for kernel ...
If this messages appears to you when trying to use the ~bpftool~ command, you
can simply install it from the source, as explained at this comment: [[https://github.com/lizrice/lb-from-scratch/issues/1#issuecomment-1537098872][link]].#+BEGIN_SRC bash
rm /usr/sbin/bpftoolapt update && apt install -y git
cd / && git clone --recurse-submodules https://github.com/libbpf/bpftool.gitcd bpftool/src
make installln -s /usr/local/sbin/bpftool /usr/sbin/bpftool
#+END_SRC