Getting started with eBPF
eBPF is the new standard to program Linux kernel capabilities in a safe and efficient manner without requiring to change kernel source code or loading kernel modules. It has enabled a new generation of high performance tooling to be developed covering networking, security, and observability use cases.
The best way to learn about eBPF is to read the book “What is eBPF” by Liz Rice. And the best way to have your first experience with eBPF programming is to walk through this lab, which takes the opensnoop example out of the book and teaches you to handle an eBPF tool, watch it loading its components and even add your own tracing into the source eBPF code.
Main steps in the lab
Build and run opensnoop to see immediately when files are opened
Let's observe the BPF object file while we are at it
We use bpftool to see what BPF programs are loaded into the kernel
Let's add our personal tracing message for debugging to an eBPF program!