Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/64j0/starting-ebpf

Starting my journey through eBPF (Extended Berkeley Packet Filter)
https://github.com/64j0/starting-ebpf

ebpf

Last synced: about 1 month ago
JSON representation

Starting my journey through eBPF (Extended Berkeley Packet Filter)

Awesome Lists containing this project

README

        

#+TITLE: Starting eBPF
#+AUTHOR: 64J0

This repository is used to keep track of the programs I write while starting to
learn about eBPF (Extended Berkeley Packet Filter) technology.

The main reference for this journey is the book [[https://github.com/lizrice/learning-ebpf][Learning eBPF]] from Liz Rice,
leveraging this book's exercises and examples.

** What is eBPF?

eBPF is a revolutionary kernel technology that allows developers to write custom
code that can be loaded into the kernel dynamically, changing the way the kernel
behaves.

This tool provides us the flexibility to build bespoke tools or customized
policies. eBPF-based tools can observe any event across the kernel, and hence
across all applications running on a (virtual) machine, whether they are
containerized or not.

Just a few of the things you can do with eBPF include:

+ Performance tracing of pretty much any aspect of a system;
+ High-performance networking, with built-in visibility;
+ Detecting and (optionally) preventing malicious activity.

#+BEGIN_QUOTE
[!IMPORTANT]
Because eBPF is continually evolving, the features available to you depend on
the kernel version you're running.
#+END_QUOTE

*** eBPF safety

Since eBPF programs can be loaded into and removed from the kernel dynamically,
and a kernel code crash can potentially take down the machine and everything
running on it, it's important to have some guarantee that the code we're using
is correct to some extent.

With this in mind, the ~eBPF verifier~ was created. The ~eBPF verifier~ is the
tool that ensure that an eBPF program is loaded only if it's safe to run - it
won't crash the machine, or lock it up in a hard loop, and it won't allow data
to be compromised.

** Vagrant

As you can notice by checking this repository, I added a Vagrantfile to make it
easier to create a VM for testing purposes. This Vagrantfile is based on [[https://aquasecurity.github.io/tracee/v0.9/tutorials/setup-development-machine-with-vagrant/][this
reference]] from [[https://github.com/aquasecurity/tracee][aquasecurity/tracee]].

To start the server, you can do:

#+BEGIN_SRC bash :tangle no
# the vagrant version I'm using
vagrant --version
# Vagrant 2.4.1

# =====================
# start the vm
vagrant up

# =====================
# connect to the vm through ssh
vagrant ssh

# =====================
# stop the vm
vagrant halt
# if you want to destroy the VM completely
# vagrant destroy

# =====================
# restart the vm
vagrant up
#+END_SRC

** Helpers

**** bpf/bpf_helpers.h installation

I found the solution to this problem at this StackOverflow answer: [[https://stackoverflow.com/a/55438649][link]].

Basically, if you're using a Linux distribution that uses apt as the package
manager:

#+BEGIN_SRC bash
# update packages list
sudo apt update

# install libbpf-dev
sudo apt install libbpf-dev

# verify that it was installed
# check /usr/include/bpf/bpf_helpers.h
#+END_SRC

**** bpftool not found for kernel ...

If this messages appears to you when trying to use the ~bpftool~ command, you
can simply install it from the source, as explained at this comment: [[https://github.com/lizrice/lb-from-scratch/issues/1#issuecomment-1537098872][link]].

#+BEGIN_SRC bash
rm /usr/sbin/bpftool

apt update && apt install -y git
cd / && git clone --recurse-submodules https://github.com/libbpf/bpftool.git

cd bpftool/src
make install

ln -s /usr/local/sbin/bpftool /usr/sbin/bpftool
#+END_SRC