Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/64j0/starting-ebpf

Starting my journey through eBPF (Extended Berkeley Packet Filter)
https://github.com/64j0/starting-ebpf

ebpf

Last synced: 2 days ago
JSON representation

Starting my journey through eBPF (Extended Berkeley Packet Filter)

Awesome Lists containing this project

README 

        
#+TITLE: Starting eBPF

#+AUTHOR: 64J0



This repository is used to keep track of the programs I write while starting to

learn about eBPF (Extended Berkeley Packet Filter) technology.



The main reference for this journey is the book [[https://github.com/lizrice/learning-ebpf][Learning eBPF]] from Liz Rice,

leveraging this book's exercises and examples.



** What is eBPF?



eBPF is a revolutionary kernel technology that allows developers to write custom

code that can be loaded into the kernel dynamically, changing the way the kernel

behaves.



This tool provides us the flexibility to build bespoke tools or customized

policies. eBPF-based tools can observe any event across the kernel, and hence

across all applications running on a (virtual) machine, whether they are

containerized or not.



Just a few of the things you can do with eBPF include:



+ Performance tracing of pretty much any aspect of a system;

+ High-performance networking, with built-in visibility;

+ Detecting and (optionally) preventing malicious activity.



#+BEGIN_QUOTE

[!IMPORTANT]

Because eBPF is continually evolving, the features available to you depend on

the kernel version you're running.

#+END_QUOTE



*** eBPF safety



Since eBPF programs can be loaded into and removed from the kernel dynamically,

and a kernel code crash can potentially take down the machine and everything

running on it, it's important to have some guarantee that the code we're using

is correct to some extent.



With this in mind, the ~eBPF verifier~ was created. The ~eBPF verifier~ is the

tool that ensure that an eBPF program is loaded only if it's safe to run - it

won't crash the machine, or lock it up in a hard loop, and it won't allow data

to be compromised.



** Vagrant



As you can notice by checking this repository, I added a Vagrantfile to make it

easier to create a VM for testing purposes. This Vagrantfile is based on [[https://aquasecurity.github.io/tracee/v0.9/tutorials/setup-development-machine-with-vagrant/][this

reference]] from [[https://github.com/aquasecurity/tracee][aquasecurity/tracee]].



To start the server, you can do:



#+BEGIN_SRC bash :tangle no

  # the vagrant version I'm using

  vagrant --version

  # Vagrant 2.4.1



  # =====================

  # start the vm

  vagrant up



  # =====================

  # connect to the vm through ssh

  vagrant ssh



  # =====================

  # stop the vm

  vagrant halt

  # if you want to destroy the VM completely

  # vagrant destroy



  # =====================

  # restart the vm

  vagrant up

#+END_SRC



** Helpers



**** bpf/bpf_helpers.h installation



I found the solution to this problem at this StackOverflow answer: [[https://stackoverflow.com/a/55438649][link]].



Basically, if you're using a Linux distribution that uses apt as the package

manager:



#+BEGIN_SRC bash

  # update packages list

  sudo apt update



  # install libbpf-dev

  sudo apt install libbpf-dev



  # verify that it was installed

  # check /usr/include/bpf/bpf_helpers.h

#+END_SRC



**** bpftool not found for kernel ...



If this messages appears to you when trying to use the ~bpftool~ command, you

can simply install it from the source, as explained at this comment: [[https://github.com/lizrice/lb-from-scratch/issues/1#issuecomment-1537098872][link]].



#+BEGIN_SRC bash

  rm /usr/sbin/bpftool



  apt update && apt install -y git

  cd / && git clone --recurse-submodules https://github.com/libbpf/bpftool.git



  cd bpftool/src

  make install



  ln -s /usr/local/sbin/bpftool /usr/sbin/bpftool

#+END_SRC