kernel/bpf-developer-tutorial
1
0
Fork 0
mirror of https://github.com/eunomia-bpf/bpf-developer-tutorial.git synced 2026-02-03 02:04:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

add config for generate TOC

Browse Source
This commit is contained in:
Yusheng Zheng
2024-10-20 04:15:47 +00:00
parent 872fc7a3ab
commit 25ab494ccc
53 changed files with 518 additions and 215 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
README.md
View File

@@ -21,75 +21,72 @@ The tutorial focuses on eBPF examples in observability, networking, security, an
This section contains simple eBPF program examples and introductions. It primarily utilizes the `eunomia-bpf` framework to simplify development and introduces the basic usage and development process of eBPF.
- [lesson 0-introduce](src/0-introduce/README_en.md) Introduces basic concepts of eBPF and common development tools
- [lesson 1-helloworld](src/1-helloworld/README_en.md) Develops the simplest "Hello World" program using eBPF and introduces the basic framework and development process of eBPF
- [lesson 2-kprobe-unlink](src/2-kprobe-unlink/README_en.md) Uses kprobe in eBPF to capture the unlink system call
- [lesson 3-fentry-unlink](src/3-fentry-unlink/README_en.md) Uses fentry in eBPF to capture the unlink system call
- [lesson 4-opensnoop](src/4-opensnoop/README_en.md) Uses eBPF to capture the system call collection of processes opening files, and filters process PIDs in eBPF using global variables
- [lesson 5-uprobe-bashreadline](src/5-uprobe-bashreadline/README_en.md) Uses uprobe in eBPF to capture the readline function calls in bash
- [lesson 6-sigsnoop](src/6-sigsnoop/README_en.md) Captures the system call collection of processes sending signals and uses a hash map to store states
- [lesson 7-execsnoop](src/7-execsnoop/README_en.md) Captures process execution times and prints output to user space through perf event array
- [lesson 8-exitsnoop](src/8-exitsnoop/README_en.md) Captures process exit events and prints output to user space using a ring buffer
- [lesson 9-runqlat](src/9-runqlat/README_en.md) Captures process scheduling delays and records them in histogram format
- [lesson 10-hardirqs](src/10-hardirqs/README_en.md) Captures interrupt events using hardirqs or softirqs
- [lesson 0-introduce](src/0-introduce/README_en.md) Introduction to Core Concepts and Tools
- [lesson 1-helloworld](src/1-helloworld/README_en.md) Hello World, Framework and Development
- [lesson 2-kprobe-unlink](src/2-kprobe-unlink/README_en.md) Monitoring unlink System Calls with kprobe
- [lesson 3-fentry-unlink](src/3-fentry-unlink/README_en.md) Monitoring unlink System Calls with fentry
- [lesson 4-opensnoop](src/4-opensnoop/README_en.md) Capturing Opening Files and Filter with Global Variables
- [lesson 5-uprobe-bashreadline](src/5-uprobe-bashreadline/README_en.md) Capturing readline Function Calls with Uprobe
- [lesson 6-sigsnoop](src/6-sigsnoop/README_en.md) Capturing Signal Sending and Store State with Hash Maps
- [lesson 7-execsnoop](src/7-execsnoop/README_en.md) Capturing Process Execution, Output with perf event array
- [lesson 8-exitsnoop](src/8-exitsnoop/README_en.md) Monitoring Process Exit Events, Output with Ring Buffer
- [lesson 9-runqlat](src/9-runqlat/README_en.md) Capturing Scheduling Latency and Recording as Histogram
- [lesson 10-hardirqs](src/10-hardirqs/README_en.md) Capturing Interrupts with hardirqs or softirqs
### Advanced Documents and Examples
We start to build complete eBPF projects mainly based on `libbpf` and combine them with various application scenarios for practical use.
- [lesson 11-bootstrap](src/11-bootstrap/README_en.md) Writes native libbpf user space code for eBPF using libbpf-bootstrap and establishes a complete libbpf project.
- [lesson 12-profile](src/12-profile/README_en.md) Performs performance analysis using eBPF
- [lesson 13-tcpconnlat](src/13-tcpconnlat/README_en.md) Records TCP connection latency and processes data in user space using libbpf
- [lesson 14-tcpstates](src/14-tcpstates/README_en.md) Records TCP connection state and TCP RTT.- [lesson 15-javagc](src/15-javagc/README_en.md) Capture user-level Java GC event duration using usdt
- [lesson 16-memleak](src/16-memleak/README_en.md) Detect memory leaks
- [lesson 17-biopattern](src/17-biopattern/README_en.md) Capture disk IO patterns
- [lesson 18-further-reading](src/18-further-reading/README_en.md) Further reading: papers list, projects, blogs, etc.
- [lesson 19-lsm-connect](src/19-lsm-connect/README_en.md) Use LSM for security detection and defense
- [lesson 20-tc](src/20-tc/README_en.md) Use eBPF for tc traffic control
- [lesson 21-xdp](src/21-xdp/README_en.md) Use eBPF for XDP packet processing
- [lesson 11-bootstrap](src/11-bootstrap/README_en.md) Develop User-Space Programs with libbpf and Trace exec() and exit()
- [lesson 12-profile](src/12-profile/README_en.md) Using eBPF Program Profile for Performance Analysis
- [lesson 13-tcpconnlat](src/13-tcpconnlat/README_en.md) Statistics of TCP Connection Delay with libbpf
- [lesson 14-tcpstates](src/14-tcpstates/README_en.md) Recording TCP Connection Status and TCP RTT
- [lesson 15-javagc](src/15-javagc/README_en.md) Capturing User-Space Java GC Duration Using USDT
- [lesson 16-memleak](src/16-memleak/README_en.md) Monitoring Memory Leaks
- [lesson 17-biopattern](src/17-biopattern/README_en.md) Count Random/Sequential Disk I/O
- [lesson 18-further-reading](src/18-further-reading/README_en.md) More Reference Materials papers, projects
- [lesson 19-lsm-connect](src/19-lsm-connect/README_en.md) Security Detection and Defense using LSM
- [lesson 20-tc](src/20-tc/README_en.md) tc Traffic Control
- [lesson 21-xdp](src/21-xdp/README_en.md) Programmable Packet Processing with XDP
### In-Depth Topics
This section covers advanced topics related to eBPF, including using eBPF programs on Android, possible attacks and defenses using eBPF programs, and complex tracing. Combining the user-mode and kernel-mode aspects of eBPF can bring great power (as well as security risks).
Android:
- [Using eBPF programs on Android](src/22-android/README_en.md)
- [lesson 22-android](src/22-android/README_en.md) Using eBPF Programs on Android
Networking:
- [Accelerating network request forwarding using sockops](src/29-sockops/README.md)
- [Capturing TCP Information with XDP](src/41-xdp-tcpdump/README.md)
- [XDP Load Balancer](src/42-xdp-loadbalancer/README.md)
- [lesson 23-http](src/23-http/README_en.md) L7 Tracing with eBPF: HTTP and Beyond via Socket Filters and Syscall Tracepoints
- [lesson 29-sockops](src/29-sockops/README_en.md) Accelerating Network Request Forwarding with Sockops
- [lesson 41-xdp-tcpdump](src/41-xdp-tcpdump/README_en.md) Capturing TCP Information with XDP
- [lesson 42-xdp-loadbalancer](src/42-xdp-loadbalancer/README_en.md) XDP Load Balancer
tracing:
- [Tracing HTTP requests or other layer-7 protocols using eBPF socket filter or syscall trace](src/23-http/README.md)
- [Capturing Plain Text Data of Various Libraries' SSL/TLS Using uprobe](src/30-sslsniff/README.md)
- [Using eBPF to Trace Go Routine States](src/31-goroutine/README.md)
- [Measuring Function Latency with eBPF](src/33-funclatency/README.md)
- [Use Uprobe to trace Rust programs](src/37-uprobe-rust/README.md)
- [Using eBPF to Trace Nginx Requests](src/39-nginx/README.md)
- [Using eBPF to Trace MySQL Queries](src/40-mysql)
Security:
- [Use eBPF to modify syscall parameters](src/34-syscall/README.md)
- [The Secure Path Forward for eBPF: Challenges and Innovations](src/18-further-reading/ebpf-security.md)
- [Hiding process or file information using eBPF](src/24-hide/README_en.md)
- [Terminating processes by sending signals using bpf_send_signal](src/25-signal/README_en.md)
- [Adding sudo users using eBPF](src/26-sudo/README_en.md)
- [Replacing text read or written by any program using eBPF](src/27-replace/README_en.md)
- [BPF lifecycle: Running eBPF programs continuously in Detached mode after user-mode applications exit](src/28-detach/README_en.md)
- [lesson 24-hide](src/24-hide/README_en.md) Hiding Process or File Information
- [lesson 25-signal](src/25-signal/README_en.md) Using bpf_send_signal to Terminate Malicious Processes in eBPF
- [lesson 26-sudo](src/26-sudo/README_en.md) Using eBPF to add sudo user
- [lesson 27-replace](src/27-replace/README_en.md) Replace Text Read or Written by Any Program with eBPF
- [lesson 28-detach](src/28-detach/README_en.md) Running eBPF After Application Exits: The Lifecycle of eBPF Programs
- [lesson 34-syscall](src/34-syscall/README_en.md) Modifying System Call Arguments with eBPF
Scheduler:
- [lesson 44-scx-simple](src/44-scx-simple/README_en.md) Introduction to the BPF Scheduler
Other:
- [Using user ring buffer to send information to the kernel](src/35-user-ringbuf/README.md)
- [Userspace eBPF Runtimes: Overview and Applications](src/36-userspace-ebpf/README.md)
- [Compile Once, Run Everywhere for userspace trace with eBPF and BTF](src/38-btf-uprobe/README.md)
- [Extending eBPF Beyond Its Limits: Custom kfuncs in Kernel Modules](src/43-kfuncs/README.md)
- [lesson 35-user-ringbuf](src/35-user-ringbuf/README_en.md) Asynchronously Send to Kernel with User Ring Buffer
- [lesson 36-userspace-ebpf](src/36-userspace-ebpf/README_en.md) Userspace eBPF Runtimes: Overview and Applications
- [lesson 38-btf-uprobe](src/38-btf-uprobe/README_en.md) Expanding eBPF Compile Once, Run Everywhere(CO-RE) to Userspace Compatibility
- [lesson 43-kfuncs](src/43-kfuncs/README_en.md) Extending eBPF Beyond Its Limits: Custom kfuncs in Kernel Modules
Continuously updating...