Название: Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security (3rd Early Release)Автор: Liz Rice
Издательство: O’Reilly Media, Inc.
Год: 2023-02-13
Страниц: 232
Язык: английский
Формат: pdf, epub, mobi
Размер: 11.5 MB
What is eBPF? With this revolutionary technology, you can write custom code that dynamically changes the way the kernel behaves. It's an extraordinary platform for building a whole new generation of security, observability, and networking tools.
This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer with cloud native networking and security specialists Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves.
The entire eBPF program is defined as a string called “program” in the Python code. This C program needs to be compiled before it can be executed, but BCC takes care of that for you. The eBPF program is loaded into the kernel and attached to an event, so the program will be triggered whenever a new executable gets launched on the machine. All that remains to do in the Python code is to read the tracing that is output by the kernel, and write it on screen. In the Chapter 2, you saw a simple eBPF Hello World, written using the BCC framework. In the Chapter 3 I’ll show you a version of Hello World entirely in C, so that you can see some of the details that BCC took care of in the previous chapter. I’ll also show you the stages that an eBPF program goes through on its journey from source code to execution.
eBPF programs can be used to dynamically change the behavior of the system. There’s no need to reboot the machine or restart existing processes - eBPF code starts taking effect as soon as it is attached to an event.
What we call “eBPF” today has its roots in the BSD Packet Filter, first described in 1993 in a paper1 written by Lawrence Berkeley National Laboratory’s Steven McCanne and Van Jacobson. This paper discusses a pseudomachine that can run filters, which are programs written to determine whether to accept or reject a network packet. These programs were written in the BPF instruction set, a general-purpose set of 32-bit instructions that closely resembles assembly language.
You can imagine (or, indeed, refer to the paper to find examples of) more complex filter programs that make decisions based on other aspects of the packet. Importantly, the author of the filter can write their own custom programs to be executed within the kernel, and this is the heart of what eBPF enables.
With this book, you will:
Learn why eBPF has become so important in the past couple of years
Write basic eBPF code, and manipulate eBPF programs and attach them to events
Explore how eBPF components interact with Linux to dynamically change the operating system's behavior
Learn how tools based on eBPF can instrument applications without changes to the apps or their configuration
Discover how this technology enables new tools for observability, security, and networking
Скачать Learning eBPF (3rd Early Release)