Getting started with eBPF

eBPF is the new standard to program Linux kernel capabilities in a safe and efficient manner without requiring to change kernel source code or loading kernel modules. It has enabled a new generation of high performance tooling to be developed covering networking, security, and observability use cases.

The best way to learn about eBPF is to read the book “What is eBPF” by Liz Rice. And the best way to have your first experience with eBPF programming is to walk through this lab, which takes the opensnoop example out of the book and teaches you to handle an eBPF tool, watch it loading its components and even add your own tracing into the source eBPF code.

DifficultyBeginner
VersionOpen Source
TopicsNetworking
ProjectCilium

Main steps in the lab

01🔧 Build & run opensnoop

Build and run opensnoop to see immediately when files are opened

02📂 Examine the BPF object file

Let's observe the BPF object file while we are at it

03🔍 Use bpftool to see BPF programs loaded into the kernel

We use bpftool to see what BPF programs are loaded into the kernel

04✏️ Add your own trace message

Let's add our personal tracing message for debugging to an eBPF program!