diff --git a/src/20-tc/README.md b/src/20-tc/README.md index 61afea2..b4836d8 100644 --- a/src/20-tc/README.md +++ b/src/20-tc/README.md @@ -1,9 +1,11 @@ # eBPF Tutorial by Example 20: tc Traffic Control -## Background Linux's Traffic Control (tc) subsystem has been present in the kernel for many years. Similar to the relationship between iptables and netfilter, tc includes a user-space tc program and a kernel-level traffic control framework. It is mainly used to control the sending and receiving of packets in terms of rate, sequence, and other aspects. Starting from Linux 4.1, tc has added some new attachment points and supports loading eBPF programs as filters onto these attachment points. +> The complete source code: + + ## Overview of tc From the protocol stack perspective, tc is located at the link layer. Its position has already completed the allocation of sk_buff and is later than xdp. In order to control the sending and receiving of packets, tc uses a queue structure to temporarily store and organize packets. In the tc subsystem, the corresponding data structure and algorithm control mechanism are abstracted as qdisc (Queueing discipline). It exposes two callback interfaces for enqueuing and dequeuing packets externally, and internally hides the implementation of queuing algorithms. In qdisc, we can implement complex tree structures based on filters and classes. Filters are mounted on qdisc or class to implement specific filtering logic, and the return value determines whether the packet belongs to a specific class. diff --git a/src/21-xdp/README.md b/src/21-xdp/README.md index ef6928c..a39c5e3 100644 --- a/src/21-xdp/README.md +++ b/src/21-xdp/README.md @@ -2,6 +2,8 @@ In this tutorial, we will introduce XDP (eXpress Data Path) and walk through a small example to help you get started. Later on, we will explore more advanced XDP applications, such as load balancers, firewalls, and other real-world use cases. Please give us a start on [Github](https://github.com/eunomia-bpf/bpf-developer-tutorial) if you are interested in eBPF or XDP! +> The complete source code: + ## What is XDP? XDP is a high-performance, programmable data path in the Linux kernel, designed for packet processing at the network interface level. By attaching eBPF programs directly to network device drivers, XDP can intercept and handle packets before they reach the kernel’s networking stack. This allows for extremely low-latency and efficient packet processing, making it ideal for tasks like DDoS defense, load balancing, and traffic filtering. In fact, XDP can achieve throughput as high as **24 million packets per second (Mpps) per core**. diff --git a/src/22-android/README.md b/src/22-android/README.md index d3b2cfb..e1121a8 100644 --- a/src/22-android/README.md +++ b/src/22-android/README.md @@ -3,6 +3,8 @@ > This article mainly documents the author's exploration process, results, and issues encountered while testing the level of support for CO-RE technology based on the libbpf library on high version Android kernels in the Android Studio Emulator. > The test was conducted by building a Debian environment in the Android Shell environment and attempting to build the eunomia-bpf toolchain and run its test cases based on this. +> The complete source code: + ## Background As of now (2023-04), Android has not provided good support for dynamic loading of eBPF programs. Both the compiler distribution scheme represented by bcc and the CO-RE scheme based on btf and libbpf rely heavily on Linux environment support and cannot run well on the Android system.[^WeiShu] diff --git a/src/24-hide/README.md b/src/24-hide/README.md index 437af5a..781062f 100644 --- a/src/24-hide/README.md +++ b/src/24-hide/README.md @@ -4,6 +4,8 @@ eBPF (Extended Berkeley Packet Filter) is a powerful feature in the Linux kernel In this tutorial, we will show how eBPF can be used to hide process or file information, a common technique in the field of network security and defence. +> The complete source code: + ## Background Knowledge and Implementation Mechanism "Process hiding" enables a specific process to become invisible to the operating system's regular detection mechanisms. This technique can be used in both hacking and system defence scenarios. Specifically, each process on a Linux system has a subfolder named after its process ID in the /proc/ directory, which contains various information about the process. `ps` displays process information by looking in these folders. Therefore, if we can hide the /proc/ folder of a process, we can make that process invisible to `ps` commands and other detection methods. diff --git a/src/25-signal/README.md b/src/25-signal/README.md index 8e58ce7..1eb2bce 100644 --- a/src/25-signal/README.md +++ b/src/25-signal/README.md @@ -4,6 +4,8 @@ eBPF (Extended Berkeley Packet Filter) is a revolutionary technology in the Linu This article introduces how to use the `bpf_send_signal` feature of eBPF to intervene by sending signals to specified processes. For more tutorial documentation and complete source code, please refer to . +> The complete source code: + ## Use Cases **1. Performance Issues:** diff --git a/src/26-sudo/README.md b/src/26-sudo/README.md index 7fe9a66..d4c7adf 100644 --- a/src/26-sudo/README.md +++ b/src/26-sudo/README.md @@ -1,6 +1,7 @@ # Using eBPF to add sudo user -The full source code for this article can be found at +> The complete source code: + Compilation: diff --git a/src/27-replace/README.md b/src/27-replace/README.md index 516e840..c0895bc 100644 --- a/src/27-replace/README.md +++ b/src/27-replace/README.md @@ -1,6 +1,6 @@ # Replace Text Read or Written by Any Program with eBPF -See for the full source code. +> The complete source code: Compile: diff --git a/src/28-detach/README.md b/src/28-detach/README.md index 645f798..897afd9 100644 --- a/src/28-detach/README.md +++ b/src/28-detach/README.md @@ -4,6 +4,8 @@ eBPF (Extended Berkeley Packet Filter) is a revolutionary technology in the Linu This article introduces the Lifecycle of eBPF Programs, how to run eBPF programs after user-space application exits, and how to use pin to share eBPF objects between processes. This article is part of the eBPF Developer Tutorial, more details can be found in and +> The complete source code: + By using the detach method to run eBPF programs, the user space loader can exit without stopping the eBPF program. Another common use case for pinning is sharing eBPF objects between processes. For example, one could create a Map from Go, pin it, and inspect it using `bpftool map dump pinned /sys/fs/bpf/my_map`. ## The Lifecycle of eBPF Programs diff --git a/src/29-sockops/README.md b/src/29-sockops/README.md index 8548b9f..d4d9962 100644 --- a/src/29-sockops/README.md +++ b/src/29-sockops/README.md @@ -6,7 +6,9 @@ This tutorial will focus on the application of eBPF in the networking domain, sp In many workloads, such as inter-service communication in a microservices architecture, the performance overhead of network requests made through the loopback interface can significantly impact the overall application performance. Since these requests have to go through the local network stack, their processing performance can become a bottleneck, especially in high-concurrency scenarios. To address this issue, sockops-type eBPF programs can be used to accelerate local request forwarding, providing functionality similar to direct memory access (DMA). Sockops programs can manage sockets in the kernel space and directly forward packets between sockets on the local machine, reducing the CPU time required for packet forwarding in the TCP/IP stack. -This tutorial will demonstrate how to use sockops-type eBPF programs to accelerate network request forwarding through a specific example. To help you understand how to use sockops programs, we will step by step introduce the code of the example program and discuss the working principle of each part. The complete source code and project can be found at . +This tutorial will demonstrate how to use sockops-type eBPF programs to accelerate network request forwarding through a specific example. To help you understand how to use sockops programs, we will step by step introduce the code of the example program and discuss the working principle of each part. + +> The complete source code: ## Leveraging eBPF Sockops for Performance Optimization diff --git a/src/30-sslsniff/README.md b/src/30-sslsniff/README.md index c1b8dcf..8b6fcaf 100644 --- a/src/30-sslsniff/README.md +++ b/src/30-sslsniff/README.md @@ -4,7 +4,9 @@ With the widespread use of TLS in modern network environments, tracing microserv However, a new solution is now available. Through the use of eBPF technology and its capability to perform probing in user space, a method has emerged to regain plain text data, allowing us to intuitively view the pre-encrypted communication content. Nevertheless, each application might utilize different libraries, and each library comes in multiple versions, introducing complexity to the tracking process. -In this tutorial, we will guide you through an eBPF tracing technique that spans across various user-space SSL/TLS libraries. This technique not only allows simultaneous tracing of user-space libraries like GnuTLS and OpenSSL but also significantly reduces maintenance efforts for new library versions compared to previous methods. The complete code for this tutorial can be found in <完整的源代码可以在这里查看: +In this tutorial, we will guide you through an eBPF tracing technique that spans across various user-space SSL/TLS libraries. This technique not only allows simultaneous tracing of user-space libraries like GnuTLS and OpenSSL but also significantly reduces maintenance efforts for new library versions compared to previous methods. + +> The complete source code: ## Background Knowledge diff --git a/src/31-goroutine/README.md b/src/31-goroutine/README.md index 02e0cde..ff8e563 100644 --- a/src/31-goroutine/README.md +++ b/src/31-goroutine/README.md @@ -4,6 +4,8 @@ Go, the popular programming language created by Google, is known for its powerfu Enter eBPF (Extended Berkeley Packet Filter), a technology originally designed for network packet filtering, but which has since evolved into a powerful tool for tracing and monitoring system behavior. By leveraging eBPF, we can tap into the kernel and gather insights about the runtime behavior of Go programs, including the states of goroutines. This blog post explores how to use eBPF to trace the state transitions of goroutines in a Go program. +> The complete source code: + ## Background: Goroutines and eBPF ### Goroutines diff --git a/src/33-funclatency/README.md b/src/33-funclatency/README.md index 83c19f7..fc922cf 100644 --- a/src/33-funclatency/README.md +++ b/src/33-funclatency/README.md @@ -4,6 +4,8 @@ In modern software systems, understanding the performance characteristics of fun This blog post will dive into how to measure function latency using eBPF, an incredibly powerful tool for tracing and monitoring both kernel and user-space programs. +> The complete source code: + ## What is eBPF? eBPF (Extended Berkeley Packet Filter) is a revolutionary technology that allows developers to write small programs that run in the Linux kernel. Originally designed for packet filtering, eBPF has evolved into a versatile tool for tracing, monitoring, and profiling system behavior. With eBPF, you can instrument almost any part of the Linux kernel or user-space programs to collect performance data, enforce security policies, or even debug systems in real time—all without the need to modify the kernel source code or restart the system. diff --git a/src/34-syscall/README.md b/src/34-syscall/README.md index c30cee7..17ef9fa 100644 --- a/src/34-syscall/README.md +++ b/src/34-syscall/README.md @@ -4,7 +4,8 @@ eBPF (Extended Berkeley Packet Filter) is a powerful feature in the Linux kernel In this tutorial, we will explore how to use eBPF to modify the arguments of a running system call. This technique can be used for security auditing, system monitoring, or even malicious behavior. However, it is important to note that modifying system call arguments can have negative implications for system stability and security, so caution must be exercised. To implement this functionality, we will use the `bpf_probe_write_user` feature of eBPF, which allows us to modify memory in the user space and therefore modify system call arguments before the kernel reads them from user space. -The complete code for this tutorial can be found in the repository on GitHub. + +> The complete source code: ## Modifying the File Name of the `open` System Call diff --git a/src/35-user-ringbuf/README.md b/src/35-user-ringbuf/README.md index 769f6b7..850f7f4 100644 --- a/src/35-user-ringbuf/README.md +++ b/src/35-user-ringbuf/README.md @@ -4,7 +4,9 @@ eBPF, or Extended Berkeley Packet Filter, is a revolutionary technology in the L One unique aspect of eBPF is that it not only allows programs to run in kernel mode to access low-level system states and resources, but it can also communicate with user mode programs through special data structures. One important concept in this regard is the ring buffer between kernel mode and user mode. In many real-time or high-performance applications, the ring buffer is a commonly used data structure. Due to its FIFO (first in, first out) characteristics, data can flow continuously and linearly between the producer and the consumer, avoiding frequent IO operations and unnecessary memory reallocation overhead. -In eBPF, two types of ring buffers are provided: user ring buffer and kernel ring buffer, to achieve efficient data communication between user mode and kernel mode. This article is part of the eBPF developer tutorial. More detailed content can be found here: The source code is open source in the . +In eBPF, two types of ring buffers are provided: user ring buffer and kernel ring buffer, to achieve efficient data communication between user mode and kernel mode. This article is part of the eBPF developer tutorial. More detailed content can be found here: + +> The complete source code: ## User mode and kernel mode ring buffers—user ring buffer and kernel ring buffer diff --git a/src/36-userspace-ebpf/README.md b/src/36-userspace-ebpf/README.md index 504314b..d836cd8 100644 --- a/src/36-userspace-ebpf/README.md +++ b/src/36-userspace-ebpf/README.md @@ -4,6 +4,8 @@ Yusheng Zheng In this blog post, we'll dive into the world of eBPF in userspace. While many are familiar with kernel-based eBPF, userspace eBPF runtimes have been making significant strides and offer compelling use cases. We will also compare userspace eBPF runtimes with Wasm runtimes, another popular technology in the cloud-native and edge computing landscape. Among these, we're excited to introduce [bpftime](https://github.com/eunomia-bpf/bpftime). Powered by an LLVM `JIT/AOT` backend, our benchmarks suggest that bpftime stands out as one of the fastest userspace eBPF runtimes available. +> The complete source code: + ## Introduction to eBPF ### What is eBPF? diff --git a/src/37-uprobe-rust/README.md b/src/37-uprobe-rust/README.md index 769798f..0c718bc 100644 --- a/src/37-uprobe-rust/README.md +++ b/src/37-uprobe-rust/README.md @@ -2,7 +2,9 @@ eBPF, or Extended Berkeley Packet Filter, is a revolutionary technology in the Linux kernel that allows developers to run custom "micro-programs" in kernel mode, thus changing system behavior or collecting granular performance data without modifying the kernel code. -This article discusses how to trace user space Rust applications with Uprobe and eBPF, including how to obtain symbol names and attach them, get function parameters, get return values, etc. This article is part of the eBPF developer tutorial, more detailed content can be found here: The source code is open source in the [GitHub repository](https://github.com/eunomia-bpf/bpf-developer-tutorial). +This article discusses how to trace user space Rust applications with Uprobe and eBPF, including how to obtain symbol names and attach them, get function parameters, get return values, etc. This article is part of the eBPF developer tutorial, more detailed content can be found here: + +> The complete source code: ## Uprobe diff --git a/src/38-btf-uprobe/README.md b/src/38-btf-uprobe/README.md index aa1a0e6..ffbca46 100644 --- a/src/38-btf-uprobe/README.md +++ b/src/38-btf-uprobe/README.md @@ -12,7 +12,9 @@ This approach may be particularly beneficial for tracing applications like OpenS To implement the Co-RE feature of eBPF in user-space applications, we also need to utilize the BPF Type Format (BTF) to overcome some of the limitations of traditional eBPF programs. The key to this approach lies in providing user-space programs with similar type information and compatibility support as the kernel, thereby enabling eBPF programs to more flexibly handle different versions of user-space applications and libraries. -This article is part of the eBPF Developer Tutorial, and for more detailed content, you can visit [https://eunomia.dev/tutorials/](https://eunomia.dev/tutorials/). The source code is available on the [https://github.com/eunomia-bpf/bpf-developer-tutorial](https://github.com/eunomia-bpf/bpf-developer-tutorial/tree/main/src/38-btf-uprobe). +This article is part of the eBPF Developer Tutorial, and for more detailed content, you can visit [https://eunomia.dev/tutorials/](https://eunomia.dev/tutorials/). + +> The complete source code: ## Why we need CO-RE? diff --git a/src/39-nginx/README.md b/src/39-nginx/README.md index 44ff33f..dde0b94 100644 --- a/src/39-nginx/README.md +++ b/src/39-nginx/README.md @@ -4,6 +4,8 @@ Nginx is one of the most popular web servers and reverse proxies in the world, k eBPF is a revolutionary technology that allows developers to run custom programs in the Linux kernel. Originally designed for network packet filtering, eBPF has evolved into a versatile tool for tracing, monitoring, and profiling system behavior in both kernel and user space. By leveraging eBPF, you can trace Nginx's critical functions, measure latency, and identify bottlenecks without modifying the source code or restarting the service. +> The complete source code: + ## Background: Nginx and eBPF ### Nginx