Add eBPF tutorial templates and update SUMMARY files

- Created SUMMARY.md.template and SUMMARY.zh.md.template for eBPF tutorial.
- Updated generate_toc.py to generate table of contents for English and Chinese versions.
- Added configuration files for new eBPF examples, categorizing them by level and type.
- Updated SUMMARY.md and SUMMARY.zh.md to reflect new lessons and reorganized sections.
- Introduced new features related to GPU and tracing in the tutorial.
yunwei37
2025-10-05 20:56:50 -07:00
parent 29e8113081
commit a2e7b20d63
22 changed files with 602 additions and 208 deletions


@@ -32,7 +32,6 @@ This section contains simple eBPF program examples and introductions. It primari
- [lesson 8-exitsnoop](src/8-exitsnoop/README.md) Monitoring Process Exit Events, Output with Ring Buffer
- [lesson 9-runqlat](src/9-runqlat/README.md) Capturing Scheduling Latency and Recording as Histogram
- [lesson 10-hardirqs](src/10-hardirqs/README.md) Capturing Interrupts with hardirqs or softirqs
### Advanced Documents and Examples
We start to build complete eBPF projects mainly based on `libbpf` and combine them with various application scenarios for practical use.
@@ -48,14 +47,24 @@ We start to build complete eBPF projects mainly based on `libbpf` and combine th
- [lesson 19-lsm-connect](src/19-lsm-connect/README.md) Security Detection and Defense using LSM
- [lesson 20-tc](src/20-tc/README.md) tc Traffic Control
- [lesson 21-xdp](src/21-xdp/README.md) Programmable Packet Processing with XDP
### In-Depth Topics
This section covers advanced topics related to eBPF, including using eBPF programs on Android, possible attacks and defenses using eBPF programs, and complex tracing. Combining the user-mode and kernel-mode aspects of eBPF can bring great power (as well as security risks).
Android:
- [lesson 22-android](src/22-android/README.md) Using eBPF Programs on Android
GPU:
- [lesson 47-cuda-events](src/47-cuda-events/README.md) Tracing CUDA GPU Operations
- [lesson xpu/gpu-kernel-driver](src/xpu/gpu-kernel-driver/README.md) Monitoring GPU Driver Activity with Kernel Tracepoints
- [lesson xpu/npu-kernel-driver](src/xpu/npu-kernel-driver/README.md) Tracing Intel NPU Kernel Driver Operations
Scheduler:
- [lesson 44-scx-simple](src/44-scx-simple/README.md) Introduction to the BPF Scheduler
- [lesson 45-scx-nest](src/45-scx-nest/README.md) Implementing the `scx_nest` Scheduler
Networking:
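Review bot: the GPU entries for `xpu/gpu-kernel-driver` and `xpu/npu-kernel-driver` are labelled `lesson xpu/...`, while the features entries further down in this file read `features bpf_iters`, `features bpf_arena`; both forms come from the link_text branch in generate_toc.py, so the inconsistency should be fixed in the generator rather than by hand-editing this generated file.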
@@ -63,6 +72,13 @@ Networking:
- [lesson 29-sockops](src/29-sockops/README.md) Accelerating Network Request Forwarding with Sockops
- [lesson 41-xdp-tcpdump](src/41-xdp-tcpdump/README.md) Capturing TCP Information with XDP
- [lesson 42-xdp-loadbalancer](src/42-xdp-loadbalancer/README.md) XDP Load Balancer
- [lesson 46-xdp-test](src/46-xdp-test/README.md) Building a High-Performance XDP Packet Generator
Tracing:
- [lesson 48-energy](src/48-energy/README.md) Energy Monitoring for Process-Level Power Analysis
Security:
@@ -73,22 +89,21 @@ Security:
- [lesson 28-detach](src/28-detach/README.md) Running eBPF After Application Exits: The Lifecycle of eBPF Programs
- [lesson 34-syscall](src/34-syscall/README.md) Modifying System Call Arguments with eBPF
Scheduler:
- [lesson 44-scx-simple](src/44-scx-simple/README.md) Introduction to the BPF Scheduler
- [lesson 45-scx-nest](src/45-scx-nest/README.md) Implementing the `scx_nest` Scheduler
GPU:
- [lesson 47](src/47-cuda-events/README.md) Using eBPF to trace CUDA operations for GPU
Other:
Features:
- [lesson 35-user-ringbuf](src/35-user-ringbuf/README.md) Asynchronously Send to Kernel with User Ring Buffer
- [lesson 36-userspace-ebpf](src/36-userspace-ebpf/README.md) Userspace eBPF Runtimes: Overview and Applications
- [lesson 38-btf-uprobe](src/38-btf-uprobe/README.md) Expanding eBPF Compile Once, Run Everywhere(CO-RE) to Userspace Compatibility
- [lesson 43-kfuncs](src/43-kfuncs/README.md) Extending eBPF Beyond Its Limits: Custom kfuncs in Kernel Modules
- [features bpf_iters](src/features/bpf_iters/README.md) BPF Iterators for Kernel Data Export
- [features bpf_arena](src/features/bpf_arena/README.md) BPF Arena for Zero-Copy Shared Memory
- [features bpf_wq](src/features/bpf_wq/README.md) BPF Workqueues for Asynchronous Sleepable Tasks
Android:
- [lesson 22-android](src/22-android/README.md) Using eBPF Programs on Android
Continuously updating...
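Review bot: the `Other:` heading is replaced by `Features:` and the Android subsection moves from the top of the section to the end, which matches the new `subsection_order` in generate_toc.py; since this file is now produced from a template, a CI step that regenerates it and diffs against the committed copy would catch future hand edits or generator drift.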


@@ -31,7 +31,6 @@
- [lesson 8-exitsnoop](src/8-exitsnoop/README.zh.md) eBPF 入门开发实践教程八:在 eBPF 中使用 exitsnoop 监控进程退出事件,使用 ring buffer 向用户态打印输出
- [lesson 9-runqlat](src/9-runqlat/README.zh.md) eBPF 入门开发实践教程九:捕获进程调度延迟,以直方图方式记录
- [lesson 10-hardirqs](src/10-hardirqs/README.zh.md) eBPF 入门开发实践教程十:在 eBPF 中使用 hardirqs 或 softirqs 捕获中断事件
### 高级文档和示例
我们开始构建完整的 eBPF 项目,主要基于 `libbpf`,并将其与各种应用场景结合起来,以便实际使用。
@@ -47,20 +46,29 @@
- [lesson 19-lsm-connect](src/19-lsm-connect/README.zh.md) eBPF 入门实践教程:使用 LSM 进行安全检测防御
- [lesson 20-tc](src/20-tc/README.zh.md) eBPF 入门实践教程二十:使用 eBPF 进行 tc 流量控制
- [lesson 21-xdp](src/21-xdp/README.zh.md) eBPF 入门实践教程二十一: 使用 XDP 进行可编程数据包处理
### 深入主题
这一部分涵盖了与 eBPF 相关的高级主题,包括在 Android 上使用 eBPF 程序、利用 eBPF 程序进行的潜在攻击和防御以及复杂的追踪。结合用户模式和内核模式的 eBPF 可以带来强大的能力(也可能带来安全风险)。
Android:
GPU:
- [lesson 22-android](src/22-android/README.zh.md) 在 Android 上使用 eBPF 程序
- [lesson 47-cuda-events](src/47-cuda-events/README.zh.md) eBPF 教程:追踪 CUDA GPU 操作
- [lesson xpu/gpu-kernel-driver](src/xpu/gpu-kernel-driver/README.zh.md) eBPF 实例教程:使用内核跟踪点监控 GPU 驱动活动
- [lesson xpu/npu-kernel-driver](src/xpu/npu-kernel-driver/README.zh.md) eBPF 实例教程:跟踪 Intel NPU 内核驱动操作
调度器:
- [lesson 44-scx-simple](src/44-scx-simple/README.zh.md) eBPF 教程BPF 调度器入门
- [lesson 45-scx-nest](src/45-scx-nest/README.zh.md) eBPF 示例教程:实现 `scx_nest` 调度器
网络:
- [lesson 23-http](src/23-http/README.zh.md) 通过 eBPF socket filter 或 syscall trace 追踪 HTTP 请求等七层协议 - eBPF 实践教程
- [lesson 29-sockops](src/29-sockops/README.zh.md) eBPF 开发实践:使用 sockops 加速网络请求转发
- [lesson 41-xdp-tcpdump](src/41-xdp-tcpdump/README.zh.md) eBPF 示例教程:使用 XDP 捕获 TCP 信息
- [lesson 42-xdp-loadbalancer](src/42-xdp-loadbalancer/README.zh.md) eBPF 开发者教程: 简单的 XDP 负载均衡器
- [lesson 46-xdp-test](src/46-xdp-test/README.zh.md) eBPF 实例教程:构建高性能 XDP 数据包生成器
Tracing:
- [lesson 48-energy](src/48-energy/README.zh.md) eBPF 教程:进程级能源监控与功耗分析
安全:
- [lesson 24-hide](src/24-hide/README.zh.md) eBPF 开发实践:使用 eBPF 隐藏进程或文件信息
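Review bot: `Tracing:` appears in English between the otherwise Chinese subsection labels (`调度器:`, `网络:`, `安全:`); it comes from the `"tracing": "Tracing:\n\n"` entry added to `generate_toc_cn` in this commit, which should stay `追踪:` as before.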
@@ -69,20 +77,18 @@ Android:
- [lesson 27-replace](src/27-replace/README.zh.md) 使用 eBPF 替换任意程序读取或写入的文本
- [lesson 28-detach](src/28-detach/README.zh.md) 在应用程序退出后运行 eBPF 程序eBPF 程序的生命周期
- [lesson 34-syscall](src/34-syscall/README.zh.md) eBPF 开发实践:使用 eBPF 修改系统调用参数
调度器:
- [lesson 44-scx-simple](src/44-scx-simple/README.zh.md) None
GPU:
- [lesson 47-cuda-events](src/47-cuda-events/README.zh.md) 使用 eBPF 追踪 CUDA 操作
其他:
特性:
- [lesson 35-user-ringbuf](src/35-user-ringbuf/README.zh.md) eBPF开发实践使用 user ring buffer 向内核异步发送信息
- [lesson 36-userspace-ebpf](src/36-userspace-ebpf/README.zh.md) 用户空间 eBPF 运行时:深度解析与应用实践
- [lesson 38-btf-uprobe](src/38-btf-uprobe/README.zh.md) 借助 eBPF 和 BTF让用户态也能一次编译、到处运行
- [lesson 43-kfuncs](src/43-kfuncs/README.zh.md) 超越 eBPF 的极限:在内核模块中定义自定义 kfunc
- [features bpf_iters](src/features/bpf_iters/README.zh.md) eBPF 教程BPF 迭代器用于内核数据导出
- [features bpf_arena](src/features/bpf_arena/README.zh.md) eBPF 实例教程BPF Arena 零拷贝共享内存
- [features bpf_wq](src/features/bpf_wq/README.zh.md) eBPF 教程BPF 工作队列用于异步可睡眠任务
Android:
- [lesson 22-android](src/22-android/README.zh.md) 在 Android 上使用 eBPF 程序
持续更新中...


@@ -0,0 +1,98 @@
# eBPF Developer Tutorial: Learning eBPF Step by Step with Examples
[![Test example CI](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/test-libbpf.yml/badge.svg)](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/test-libbpf.yml)
[![Test and trigger downstream tutorial sync](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/trigger-sync.yml/badge.svg)](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/trigger-sync.yml)
[GitHub](https://github.com/eunomia-bpf/bpf-developer-tutorial)
[Gitee Mirror](https://gitee.com/yunwei37/bpf-developer-tutorial)
[中文版](README.zh.md)
This is a development tutorial for eBPF based on CO-RE (Compile Once, Run Everywhere). It provides practical eBPF development practices from beginner to advanced, including basic concepts, code examples, and real-world applications. Unlike BCC, we use frameworks like `libbpf`, `Cilium`, `libbpf-rs`, and eunomia-bpf for development, with examples in languages such as `C`, `Go`, and `Rust`.
This tutorial **does not cover complex concepts and scenario introductions**. Its main purpose is to provide examples of eBPF tools (**very short, starting with twenty lines of code!**) to help eBPF application developers quickly grasp eBPF development methods and techniques. The tutorial content can be found in the directory, with each directory being an independent eBPF tool example.
The tutorial focuses on eBPF examples in observability, networking, security, and more.
[**中文版在这里**](README.zh.md)
{{TOC_CONTENT}}
## Why write this tutorial?
In the process of learning eBPF, we have been inspired and helped by the [bcc python developer tutorial](src/bcc-documents/tutorial_bcc_python_developer.md). However, from the current perspective, using `libbpf` to develop eBPF applications is a relatively better choice.
This project is mainly based on [libbpf](https://github.com/libbpf/libbpf) frameworks.
> - We also provide a small tool called GPTtrace, which uses ChatGPT to automatically write eBPF programs and trace Linux systems through natural language descriptions. This tool allows you to interactively learn eBPF programs: [GPTtrace](https://github.com/eunomia-bpf/GPTtrace)
> - Feel free to raise any questions or issues related to eBPF learning, or bugs encountered in practice, in the issue or discussion section of this repository. We will do our best to help you!
## Install deps and Compile
- For libbpf based: see [src/11-bootstrap](https://github.com/eunomia-bpf/bpf-developer-tutorial/blob/main/src/11-bootstrap/README.md)
- For eunomia-bpf based: see [src/1-helloworld](https://github.com/eunomia-bpf/bpf-developer-tutorial/blob/main/src/1-helloworld/README.md)
## GitHub Templates: Easily build eBPF projects and development environments, compile and run eBPF programs online with one click
When starting a new eBPF project, are you confused about how to set up the environment and choose a programming language? Don't worry, we have prepared a series of GitHub templates for you to quickly start a brand new eBPF project. Just click the `Use this template` button on GitHub to get started.
- <https://github.com/eunomia-bpf/libbpf-starter-template>: eBPF project template based on the C language and libbpf framework
- <https://github.com/eunomia-bpf/cilium-ebpf-starter-template>: eBPF project template based on the Go language and cilium/ framework
- <https://github.com/eunomia-bpf/libbpf-rs-starter-template>: eBPF project template based on the Rust language and libbpf-rs framework
- <https://github.com/eunomia-bpf/eunomia-template>: eBPF project template based on the C language and eunomia-bpf framework
These starter templates include the following features:
- A Makefile to build the project with a single command
- A Dockerfile to automatically create a containerized environment for your eBPF project and publish it to GitHub Packages
- GitHub Actions to automate the build, test, and release processes
- All dependencies required for eBPF development
> By setting an existing repository as a template, you and others can quickly generate new repositories with the same basic structure, eliminating the need for manual creation and configuration. With GitHub template repositories, developers can focus on the core functionality and logic of their projects without wasting time on the setup and structure. For more information about template repositories, see the official documentation: <https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-template-repository>
When you create a new repository using one of the eBPF project templates mentioned above, you can easily set up and launch an online development environment with GitHub Codespaces. Here are the steps to compile and run eBPF programs using GitHub Codespaces:
1. Click the Code button in your new repository and select the Open with Codespaces option:
![code](imgs/code-button.png)
2. GitHub will create a new Codespace for you, which may take a few minutes depending on your network speed and the size of the repository.
3. Once your Codespace is launched and ready to use, you can open the terminal and navigate to your project directory.
4. You can follow the instructions in the corresponding repository to compile and run eBPF programs:
![codespace](imgs/codespace.png)
With Codespaces, you can easily create, manage, and share cloud-based development environments, speeding up and making your development process more reliable. You can develop with Codespaces anywhere, on any device, just need a computer with a web browser. Additionally, GitHub Codespaces supports pre-configured environments, customized development containers, and customizable development experiences to meet your development needs.
After writing code in a codespace and making a commit, GitHub Actions will compile and automatically publish the container image. Then, you can use Docker to run this eBPF program anywhere with just one command, for example:
```console
$ sudo docker run --rm -it --privileged ghcr.io/eunomia-bpf/libbpf-rs-template:latest
[sudo] password for xxx:
Tracing run queue latency higher than 10000 us
TIME COMM TID LAT(us)
12:09:19 systemd-udevd 30786 18300
12:09:19 systemd-udevd 30796 21941
12:09:19 systemd-udevd 30793 10323
12:09:19 systemd-udevd 30795 14827
12:09:19 systemd-udevd 30790 17973
12:09:19 systemd-udevd 30793 12328
12:09:19 systemd-udevd 30796 28721
```
![docker](imgs/docker.png)
## build
The example of local compilation is shown as follows:
```shell
git clone https://github.com/eunomia-bpf/bpf-developer-tutorial.git
cd bpf-developer-tutorial
git submodule update --init --recursive # Synchronize submodule
cd src/24-hide
make
```
## LICENSE
MIT
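Review bot: the Chinese-version link appears twice, as `[中文版](README.zh.md)` in the header links and again as `[**中文版在这里**](README.zh.md)` just above `{{TOC_CONTENT}}`; one of them can go. The Go template description reads `cilium/ framework`, which looks like a truncated `cilium/ebpf`, and `## build` is the only lowercase heading in the file.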


@@ -0,0 +1,139 @@
# eBPF 开发者教程与知识库eBPF Tutorial by Example
[![Test example CI](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/test-libbpf.yml/badge.svg)](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/test-libbpf.yml)
[GitHub](https://github.com/eunomia-bpf/bpf-developer-tutorial)
[Gitee 镜像](https://gitee.com/yunwei37/bpf-developer-tutorial)
[English Version](README_en.md)
#### [**Check out the English version here**](README.md)
这是一个基于 `CO-RE`(一次编译,到处运行)的 eBPF 的开发教程,提供了从入门到进阶的 eBPF 开发实践,包括基本概念、代码实例、实际应用等内容。和 BCC 不同的是,我们使用 libbpf、Cilium、libbpf-rs、eunomia-bpf 等框架进行开发,包含 C、Go、Rust 等语言的示例。
本教程不会进行复杂的概念讲解和场景介绍,主要希望提供一些 eBPF 小工具的案例(**非常短小,从二十行代码开始入门!**),来帮助 eBPF 应用的开发者快速上手 eBPF 的开发方法和技巧。教程内容可以在目录中找到,每个目录都是一个独立的 eBPF 工具案例。
教程关注于可观测性、网络、安全等等方面的 eBPF 示例。
{{TOC_CONTENT}}
## 为什么要写这个教程?
在学习 eBPF 的过程中,我们受到了 [bcc python developer tutorial](src/bcc-documents/tutorial_bcc_python_developer.md) 的许多启发和帮助,但从当下的角度出发,使用 libbpf 开发 eBPF 的应用是目前相对更好的选择。但目前似乎很少有基于 libbpf 和 BPF CO-RE 出发的、通过案例和工具介绍 eBPF 开发的教程,因此我们发起了这个项目,采用类似 bcc python developer tutorial 的组织方式,但使用 CO-RE 的 libbpf 进行开发。
本项目主要基于 [libbpf-boostrap](https://github.com/libbpf/libbpf-bootstrap) 和 [eunomia-bpf](https://github.com/eunomia-bpf/eunomia-bpf) 两个框架完成,并使用 eunomia-bpf 帮助简化一部分 libbpf eBPF 用户态代码的编写,让开发者专注于内核态的 eBPF 代码的开发。
> - 我们还提供了一个使用 ChatGPT ,通过自然语言描述即可自动编写 eBPF 程序和追踪 Linux 系统的小工具,可以让您交互式地学习 eBPF 程序:[GPTtrace](https://github.com/eunomia-bpf/GPTtrace)
> - 欢迎在本仓库的 issue 或 discussion 中提出任意关于 eBPF 学习的疑惑和问题,或者实践中遇到的 bug我们会尽力帮助您解答
## GitHub 模板:轻松构建 eBPF 项目和开发环境,一键在线编译运行 eBPF 程序
面对创建一个 eBPF 项目,您是否对如何开始搭建环境以及选择编程语言感到困惑?别担心,我们为您准备了一系列 GitHub 模板以便您快速启动一个全新的eBPF项目。只需在GitHub上点击 `Use this template` 按钮,即可开始使用。
- <https://github.com/eunomia-bpf/libbpf-starter-template>:基于 C 语言和 libbpf 框架的eBPF 项目模板
- <https://github.com/eunomia-bpf/cilium-ebpf-starter-template>:基于 Go 语言和cilium/框架的的 eBPF 项目模板
- <https://github.com/eunomia-bpf/libbpf-rs-starter-template>:基于 Rust 语言和libbpf-rs 框架的 eBPF 项目模板
- <https://github.com/eunomia-bpf/eunomia-template>:基于 C 语言和 eunomia-bpf 框架的eBPF 项目模板
这些启动模板包含以下功能:
- 一个 Makefile让您可以一键构建项目
- 一个 Dockerfile用于为您的 eBPF 项目自动创建一个容器化环境并发布到 Github Packages
- GitHub Actions用于自动化构建、测试和发布流程
- eBPF 开发所需的所有依赖项
> 通过将现有仓库设置为模板,您和其他人可以快速生成具有相同基础结构的新仓库,从而省去了手动创建和配置的繁琐过程。借助 GitHub 模板仓库,开发者可以专注于项目的核心功能和逻辑,而无需为基础设置和结构浪费时间。更多关于模板仓库的信息,请参阅官方文档:<https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-template-repository>
当您使用上述 eBPF 项目模板中的一个创建了一个新仓库时,您可以使用 GitHub Codespaces 轻松地设置和启动一个在线开发环境。以下是使用 GitHub Codespaces 编译和运行 eBPF 程序的步骤:
1. 点击您的新仓库中的 Code 按钮,然后选择 Open with Codespaces 选项:
![code](imgs/code-button.png)
2. GitHub 将为您创建一个新的 Codespace这可能需要几分钟的时间具体取决于您的网络速度和仓库的大小。
3. 一旦您的 Codespace 启动并准备好使用,您可以打开终端并导航到您的项目目录中。
4. 可以按照对应的仓库中的介绍来编译和运行 eBPF 程序:
![codespace](imgs/codespace.png)
使用 Codespaces您可以轻松地创建、管理和共享云端开发环境从而将您的开发过程加速并使其更具可靠性。您可以在任何地方、任何设备上使用 Codespaces 进行开发,只需要一个具有 Web 浏览器的计算机即可。同时GitHub Codespaces 还支持预先配置好的环境、自定义开发容器和可定制化的开发体验等功能,以满足您的开发需求。
在 codespace 编写代码提交后Github Actions 会进行编译并自动发布容器镜像。接下来,你可以在任何地方使用 docker 一键运行这个 eBPF 程序,例如:
```console
$ sudo docker run --rm -it --privileged ghcr.io/eunomia-bpf/libbpf-rs-template:latest
[sudo] password for xxx:
Tracing run queue latency higher than 10000 us
TIME COMM TID LAT(us)
12:09:19 systemd-udevd 30786 18300
12:09:19 systemd-udevd 30796 21941
12:09:19 systemd-udevd 30793 10323
12:09:19 systemd-udevd 30795 14827
12:09:19 systemd-udevd 30790 17973
12:09:19 systemd-udevd 30793 12328
12:09:19 systemd-udevd 30796 28721
```
![docker](imgs/docker.png)
## 本地编译
本地编译示例如下所示:
```shell
git clone https://github.com/eunomia-bpf/bpf-developer-tutorial.git
cd bpf-developer-tutorial
git submodule update --init --recursive # 同步 submodule 子模块
cd src/24-hide
make
```
## 为什么需要基于 libbpf 和 BPF CO-RE 的教程?
> 历史上当需要开发一个BPF应用时可以选择BCC 框架在实现各种用于Tracepoints的BPF程序时需要将BPF程序加载到内核中。BCC提供了内置的Clang编译器可以在运行时编译BPF代码并将其定制为符合特定主机内核的程序。这是在不断变化的内核内部下开发可维护的BPF应用程序的唯一方法。在BPF的可移植性和CO-RE一文中详细介绍了为什么会这样以及为什么BCC是之前唯一的可行方式此外还解释了为什么 libbpf 是目前比较好的选择。去年Libbpf的功能和复杂性得到了重大提升消除了与BCC之间的很多差异(特别是对Tracepoints应用来说)并增加了很多BCC不支持的新的且强大的特性(如全局变量和BPF skeletons)。
>
> 诚然BCC会竭尽全力简化BPF开发人员的工作但有时在获取便利性的同时也增加了问题定位和修复的困难度。用户必须记住其命名规范以及自动生成的用于Tracepoints的结构体且必须依赖这些代码的重写来读取内核数据和获取kprobe参数。当使用BPF map时需要编写一个半面向对象的C代码这与内核中发生的情况并不完全匹配。除此之外BCC使得用户在用户空间编写了大量样板代码且需要手动配置最琐碎的部分。
>
> 如上所述BCC依赖运行时编译且本身嵌入了庞大的LLVM/Clang库由于这些原因BCC与理想的使用有一定差距
>
> - 编译时的高资源利用率(内存和CPU),在繁忙的服务器上时有可能干扰主流程。
> - 依赖内核头文件包不得不在每台目标主机上进行安装。即使这样如果需要某些没有通过公共头文件暴露的内核内容时需要将类型定义拷贝黏贴到BPF代码中通过这种方式达成目的。
> - 即使是很小的编译时错误也只能在运行时被检测到,之后不得不重新编译并重启用户层的应用;这大大影响了开发的迭代时间(并增加了挫败感...)
>
> Libbpf + BPF CO-RE (Compile Once Run Everywhere) 选择了一个不同的方式其思想在于将BPF程序视为一个普通的用户空间的程序仅需要将其编译成一些小的二进制然后不用经过修改就可以部署到目的主机上。libbpf扮演了BPF程序的加载器负责配置工作(重定位加载和校验BPF程序创建BPF maps附加到BPF钩子上等)开发者仅需要关注BPF程序的正确性和性能即可。这种方式使得开销降到了最低消除了大量依赖提升了整体开发者的开发体验。
>
> 在API和代码约定方面libbpf坚持"最少意外"的哲学即大部分内容都需要明确地阐述不会隐含任何头文件也不会重写代码。仅使用简单的C代码和适当的辅助宏即可消除大部分单调的环节。 此外用户编写的是需要执行的内容BPF应用程序的结构是一对一的最终由内核验证并执行。
>
> 参考:[BCC 到libbpf 的转换指南【译】 - 深入浅出eBPF: https://www.ebpf.top/post/bcc-to-libbpf-guid/](https://www.ebpf.top/post/bcc-to-libbpf-guid/)
## eunomia-bpf
[eunomia-bpf](https://github.com/eunomia-bpf/eunomia-bpf) 是一个开源的 eBPF 动态加载运行时和开发工具链,是为了简化 eBPF 程序的开发、构建、分发、运行而设计的,基于 libbpf 的 CO-RE 轻量级开发框架。
使用 eunomia-bpf ,可以:
- 在编写 eBPF 程序或工具时只编写 libbpf 内核态代码,自动获取内核态导出信息;
- 使用 Wasm 进行 eBPF 用户态程序的开发,在 WASM 虚拟机内部控制整个 eBPF 程序的加载和执行,以及处理相关数据;
- eunomia-bpf 可以将预编译的 eBPF 程序打包为通用的 JSON 或 WASM 模块,跨架构和内核版本进行分发,无需重新编译即可动态加载运行。
eunomia-bpf 由一个编译工具链和一个运行时库组成, 对比传统的 BCC、原生 libbpf 等框架,简化了 eBPF 程序的开发流程,在大多数时候只需编写内核态代码,即可轻松构建、打包、发布完整的 eBPF 应用,同时保证内核态 eBPF 代码和主流的 libbpf, libbpfgo, libbpf-rs 等开发框架的兼容性。需要编写用户态代码的时候,也可以借助 Webassembly 实现通过多种语言进行用户态开发。和 bpftrace 等脚本工具相比, eunomia-bpf 保留了类似的便捷性, 同时不仅局限于 trace 方面, 可以用于更多的场景, 如网络、安全等等。
> - eunomia-bpf 项目 Github 地址: <https://github.com/eunomia-bpf/eunomia-bpf>
> - gitee 镜像: <https://gitee.com/anolis/eunomia>
## 让 ChatGPT 来帮助我们
本教程也尝试借助 ChatGPT 来学习编写 eBPF 程序,同时我们尝试教会 ChatGPT 编写 eBPF 程序,大概步骤如下:
1. 告诉它基本的 eBPF 编程相关的常识
2. 告诉它一些案例hello worldeBPF 程序的基本结构,如何使用 eBPF 程序进行追踪,并且让它开始编写教程
3. 手动调整教程,并纠正代码和文档中的错误
4. 把修改后的代码再喂给 ChatGPT让它继续学习
5. 尝试让 ChatGPT 自动生成 eBPF 程序和对应的教程文档!例如
![ebpf-chatgpt-signal](imgs/ebpf-chatgpt-signal.png)
完整的对话记录可以在这里找到: [ChatGPT.md](src/ChatGPT.md)
我们也构建了一个命令行工具的 demo ,通过本教程的训练, 让它通过自然语言描述即可自动编写 eBPF 程序,追踪 Linux 系统:<https://github.com/eunomia-bpf/GPTtrace>
![ebpf-chatgpt-signal](https://github.com/eunomia-bpf/GPTtrace/blob/main/doc/result.gif)
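Review bot: the header link `[English Version](README_en.md)` points at a file this commit's script never writes; the English README is generated as `README.md` by the `generate_file_from_template` call in generate_toc.py, and the very next line already links there, so the `README_en.md` link is stale. `libbpf-boostrap` in the link text is a typo for `libbpf-bootstrap` (the URL itself is correct).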


@@ -0,0 +1,9 @@
# eBPF Tutorial by Example: Learning CO-RE eBPF Step by Step
This is a development tutorial for eBPF based on CO-RE (Compile Once, Run Everywhere). It provides practical eBPF development practices from beginner to advanced, including basic concepts, code examples, and real-world applications. Unlike BCC, we use frameworks like libbpf, Cilium, libbpf-rs, and eunomia-bpf for development, with examples in languages such as C, Go, and Rust.
This tutorial does not cover complex concepts and scenario introductions. Its main purpose is to provide examples of eBPF tools (**very short, starting with twenty lines of code!**) to help eBPF application developers quickly grasp eBPF development methods and techniques. The tutorial content can be found in the directory, with each directory being an independent eBPF tool example.
For the complete source code of the tutorial, please refer to the repo [https://github.com/eunomia-bpf/bpf-developer-tutorial](https://github.com/eunomia-bpf/bpf-developer-tutorial) on GitHub. **If you find this tutorial helpful, please give us a star!**
{{TOC_CONTENT}}


@@ -0,0 +1,9 @@
# eBPF 开发实践教程:基于 CO-RE通过小工具快速上手 eBPF 开发
这是一个基于 `CO-RE`(一次编译,到处运行)的 eBPF 的开发教程,提供了从入门到进阶的 eBPF 开发实践,包括基本概念、代码实例、实际应用等内容。和 BCC 不同的是,我们使用 libbpf、Cilium、libbpf-rs、eunomia-bpf 等框架进行开发,包含 C、Go、Rust 等语言的示例。
本教程不会进行复杂的概念讲解和场景介绍,主要希望提供一些 eBPF 小工具的案例(**非常短小,从二十行代码开始入门!**),来帮助 eBPF 应用的开发者快速上手 eBPF 的开发方法和技巧。教程内容可以在目录中找到,每个目录都是一个独立的 eBPF 工具案例。
教程关注于可观测性、网络、安全等等方面的 eBPF 示例。完整的代码和教程可以在 [https://github.com/eunomia-bpf/bpf-developer-tutorial](https://github.com/eunomia-bpf/bpf-developer-tutorial) GitHub 开源仓库中找到。**如果您认为本教程对您有所帮助,也请给我们一个 star 鼓励一下!**
{{TOC_CONTENT}}


@@ -12,14 +12,16 @@ def generate_toc(base_dir, project_root):
subsection_titles = {
"Android": "\n\nAndroid:\n\n",
"Networking": "\n\nNetworking:\n\n",
"tracing": "\n\ntracing:\n\n",
"Security": "\n\nSecurity:\n\n",
"GPU": "\n\nGPU:\n\n",
"Scheduler": "\n\nScheduler:\n\n",
"Other": "\n\nOther:\n\n"
"Networking": "\n\nNetworking:\n\n",
"tracing": "\n\nTracing:\n\n",
"Security": "\n\nSecurity:\n\n",
"Features": "\n\nFeatures:\n\n",
"Other": "\n\nFeatures:\n\n"
}
subsection_order = ['Android', 'Networking', 'tracing', 'Security', 'Scheduler', 'Other']
subsection_order = ['GPU', 'Scheduler', 'Networking', 'tracing', 'Security', 'Features', 'Other', 'Android']
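Review bot: `"Other": "\n\nFeatures:\n\n"` gives the Other bucket the same visible heading as Features, and `subsection_order` still lists both, so any lesson whose .config still says `type=Other` would emit a second `Features:` heading immediately after the first. Either drop the Other key (every .config change in this commit migrates Other to Features) or keep its title as `Other:`.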
# To ensure numeric sorting of directories
def sort_key(directory_name):
@@ -27,8 +29,23 @@ def generate_toc(base_dir, project_root):
sections = {} # {section_level: {subsection_type: [lessons]}}
# Sort directories properly by numeric order
all_dirs = sorted([d for d in os.listdir(base_dir) if os.path.isdir(os.path.join(base_dir, d))], key=sort_key)
# Collect all directories including subdirectories
all_dirs = []
for item in os.listdir(base_dir):
item_path = os.path.join(base_dir, item)
if os.path.isdir(item_path):
# Add numbered directories directly
if re.match(r'^\d+', item):
all_dirs.append(item)
# Also scan subdirectories (like features/, xpu/)
else:
for subitem in os.listdir(item_path):
subitem_path = os.path.join(item_path, subitem)
if os.path.isdir(subitem_path):
all_dirs.append(os.path.join(item, subitem))
# Sort directories properly by numeric order (non-numeric dirs go to end)
all_dirs = sorted(all_dirs, key=lambda d: sort_key(d) if re.search(r'\d+', d) else [999999])
# Loop over the sorted directories
for directory in all_dirs:
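Review bot: ordering of non-numbered lessons is non-deterministic. `sorted()` is stable and every path without a digit gets the identical key `[999999]`, so `features/*` and `xpu/*` keep whatever order `os.listdir` returned, which varies by filesystem; the regenerated SUMMARY.md in this commit lists bpf_iters, bpf_arena, bpf_wq in that non-alphabetical order. A tuple key such as `(sort_key(d) if re.match(r'^\d+', d) else [999999], d)` fixes it. Note also the mismatch between `re.match(r'^\d+', item)` when collecting and `re.search(r'\d+', d)` when sorting: a non-numbered path with a digit anywhere in its name is handed to `sort_key`, whose behaviour on such names is not visible here.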
@@ -68,9 +85,15 @@ def generate_toc(base_dir, project_root):
lesson_rel_path = os.path.relpath(readme_path, project_root)
# Prepare lesson data
lesson_number = directory.split('-')[0]
lesson_name = directory.split('-', 1)[1]
link_text = f"lesson {lesson_number}-{lesson_name}"
# Handle both numbered lessons (e.g., "12-profile") and named lessons (e.g., "features/bpf_arena")
if '-' in os.path.basename(directory):
lesson_number = directory.split('-')[0]
lesson_name = directory.split('-', 1)[1]
link_text = f"lesson {lesson_number}-{lesson_name}"
else:
# For non-numbered directories, use the full path as name
link_text = directory.replace('/', ' ')
link = f"{lesson_rel_path}"
# Use description if available, else use first title
lesson_desc = desc if desc else first_title
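Review bot: `'-' in os.path.basename(directory)` does not test for a numbered lesson; it is also true for `xpu/gpu-kernel-driver`, which therefore takes the numbered branch with `lesson_number == 'xpu/gpu'` and `lesson_name == 'kernel-driver'`. The output only reads correctly because the two halves are re-joined into `lesson xpu/gpu-kernel-driver`. Testing `re.match(r'^\d+-', os.path.basename(directory))` would express the intent and leave the `else` branch in charge of all non-numbered lessons.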
@@ -117,14 +140,16 @@ def generate_toc_cn(base_dir, project_root):
subsection_titles = {
"Android": "Android:\n\n",
"Networking": "网络:\n\n",
"tracing": "追踪:\n\n",
"Security": "安全:\n\n",
"GPU": "GPU:\n\n",
"Scheduler": "调度器:\n\n",
"Other": "其他:\n\n"
"Networking": "网络:\n\n",
"tracing": "Tracing:\n\n",
"Security": "安全:\n\n",
"Features": "特性:\n\n",
"Other": "特性:\n\n"
}
subsection_order = ['Android', 'Networking', 'tracing', 'Security', 'Scheduler', 'Other']
subsection_order = ['GPU', 'Scheduler', 'Networking', 'tracing', 'Security', 'Features', 'Other', 'Android']
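Review bot: the Chinese title table now emits an English `Tracing:` label where the removed line had `追踪:`; restore `"tracing": "追踪:\n\n"`. As in the English table, mapping `"Other"` to `特性:` duplicates the Features heading if any `type=Other` lesson remains.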
# To ensure numeric sorting of directories
def sort_key(directory_name):
@@ -132,8 +157,23 @@ def generate_toc_cn(base_dir, project_root):
sections = {} # {section_level: {subsection_type: [lessons]}}
# Sort directories properly by numeric order
all_dirs = sorted([d for d in os.listdir(base_dir) if os.path.isdir(os.path.join(base_dir, d))], key=sort_key)
# Collect all directories including subdirectories
all_dirs = []
for item in os.listdir(base_dir):
item_path = os.path.join(base_dir, item)
if os.path.isdir(item_path):
# Add numbered directories directly
if re.match(r'^\d+', item):
all_dirs.append(item)
# Also scan subdirectories (like features/, xpu/)
else:
for subitem in os.listdir(item_path):
subitem_path = os.path.join(item_path, subitem)
if os.path.isdir(subitem_path):
all_dirs.append(os.path.join(item, subitem))
# Sort directories properly by numeric order (non-numeric dirs go to end)
all_dirs = sorted(all_dirs, key=lambda d: sort_key(d) if re.search(r'\d+', d) else [999999])
# Loop over the sorted directories
for directory in all_dirs:
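Review bot: these fifteen lines are a verbatim copy of the directory-collection block added to `generate_toc` above. Extracting a `collect_lesson_dirs(base_dir)` helper would keep the two language variants from drifting, and the sort-key and regex fixes then land in one place.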
@@ -173,9 +213,15 @@ def generate_toc_cn(base_dir, project_root):
lesson_rel_path = os.path.relpath(readme_path, project_root)
# Prepare lesson data
lesson_number = directory.split('-')[0]
lesson_name = directory.split('-', 1)[1]
link_text = f"lesson {lesson_number}-{lesson_name}"
# Handle both numbered lessons (e.g., "12-profile") and named lessons (e.g., "features/bpf_arena")
if '-' in os.path.basename(directory):
lesson_number = directory.split('-')[0]
lesson_name = directory.split('-', 1)[1]
link_text = f"lesson {lesson_number}-{lesson_name}"
else:
# For non-numbered directories, use the full path as name
link_text = directory.replace('/', ' ')
link = f"{lesson_rel_path}"
# Use description if available, else use first title
lesson_desc = desc if desc else first_title
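Review bot: same `'-' in basename` heuristic duplicated from `generate_toc`; whichever fix is taken there should land here too, ideally through a shared `lesson_link_text(directory)` helper.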
@@ -210,10 +256,62 @@ def generate_toc_cn(base_dir, project_root):
toc += "\n持续更新中..."
return toc
# Example usage
base_directory = "src/" # Replace with the actual base directory
project_root = "./" # The root of the project
toc_output = generate_toc(base_directory, project_root)
# toc_output = generate_toc_cn(base_directory, project_root)
# Output the TOC
print(toc_output)
def load_template(template_path):
"""Load a template file and return its content"""
with open(template_path, 'r', encoding='utf-8') as f:
return f.read()
def generate_file_from_template(template_path, output_path, toc_content):
"""Generate a file from template by replacing {{TOC_CONTENT}} placeholder"""
template = load_template(template_path)
output_content = template.replace('{{TOC_CONTENT}}', toc_content)
with open(output_path, 'w', encoding='utf-8') as f:
f.write(output_content)
print(f"Generated: {output_path}")
# Main execution
if __name__ == "__main__":
base_directory = "src/" # Base directory for lessons
project_root = "./" # The root of the project
scripts_dir = "scripts/" # Directory containing templates
# Generate TOC content for English
toc_en = generate_toc(base_directory, project_root)
# Generate TOC content for Chinese
toc_cn = generate_toc_cn(base_directory, project_root)
# Generate SUMMARY.md from template
generate_file_from_template(
os.path.join(scripts_dir, 'SUMMARY.md.template'),
os.path.join('src', 'SUMMARY.md'),
toc_en
)
# Generate SUMMARY.zh.md from template
generate_file_from_template(
os.path.join(scripts_dir, 'SUMMARY.zh.md.template'),
os.path.join('src', 'SUMMARY.zh.md'),
toc_cn
)
# Generate README.md from template
generate_file_from_template(
os.path.join(scripts_dir, 'README.md.template'),
'README.md',
toc_en
)
# Generate README.zh.md from template
generate_file_from_template(
os.path.join(scripts_dir, 'README.zh.md.template'),
'README.zh.md',
toc_cn
)
print("\nAll files generated successfully!")
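Review bot: every path here (`src/`, `scripts/`, `README.md`) is relative to the current working directory, so the script either fails to find the templates or writes into the wrong place unless it is run from the repository root. Anchoring on the script location, e.g. `root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))` and `os.path.join(root, 'src')`, or stating the requirement in a module docstring, would avoid that. Also worth a check: the same `toc_en` string is written to both `src/SUMMARY.md` and `README.md` with links computed relative to `project_root`, so the `src/...` prefixes are correct only for a consumer that resolves them from the repository root.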

src/12-profile/.config Normal file

@@ -0,0 +1 @@
level=Advance


@@ -1,2 +1,2 @@
level=Depth
type=Other
type=Features


@@ -1,2 +1,2 @@
level=Depth
type=Other
type=Features


@@ -1,2 +1,2 @@
level=Depth
type=Other
type=Features


@@ -1,2 +1,2 @@
level=Depth
type=Other
type=Features

src/46-xdp-test/.config Normal file

@@ -0,0 +1,2 @@
level=Depth
type=Networking


@@ -1 +1,2 @@
level=Advance
level=Depth
type=GPU

src/48-energy/.config Normal file

@@ -0,0 +1,2 @@
level=Depth
type=tracing


@@ -6,87 +6,94 @@ This tutorial does not cover complex concepts and scenario introductions. Its ma
For the complete source code of the tutorial, please refer to the repo [https://github.com/eunomia-bpf/bpf-developer-tutorial](https://github.com/eunomia-bpf/bpf-developer-tutorial) on GitHub. **If you find this tutorial helpful, please give us a star!**
# Getting Started Examples
## Table of Contents
### Getting Started Examples
This section contains simple eBPF program examples and introductions. It primarily utilizes the `eunomia-bpf` framework to simplify development and introduces the basic usage and development process of eBPF.
- [lesson 0-introduce](0-introduce/README.md) Introduction to Core Concepts and Tools
- [lesson 1-helloworld](1-helloworld/README.md) Hello World, Framework and Development
- [lesson 2-kprobe-unlink](2-kprobe-unlink/README.md) Monitoring unlink System Calls with kprobe
- [lesson 3-fentry-unlink](3-fentry-unlink/README.md) Monitoring unlink System Calls with fentry
- [lesson 4-opensnoop](4-opensnoop/README.md) Capturing Opening Files and Filter with Global Variables
- [lesson 5-uprobe-bashreadline](5-uprobe-bashreadline/README.md) Capturing readline Function Calls with Uprobe
- [lesson 6-sigsnoop](6-sigsnoop/README.md) Capturing Signal Sending and Store State with Hash Maps
- [lesson 7-execsnoop](7-execsnoop/README.md) Capturing Process Execution, Output with perf event array
- [lesson 8-exitsnoop](8-exitsnoop/README.md) Monitoring Process Exit Events, Output with Ring Buffer
- [lesson 9-runqlat](9-runqlat/README.md) Capturing Scheduling Latency and Recording as Histogram
- [lesson 10-hardirqs](10-hardirqs/README.md) Capturing Interrupts with hardirqs or softirqs
# Advanced Documents and Examples
- [lesson 0-introduce](src/0-introduce/README.md) Introduction to Core Concepts and Tools
- [lesson 1-helloworld](src/1-helloworld/README.md) Hello World, Framework and Development
- [lesson 2-kprobe-unlink](src/2-kprobe-unlink/README.md) Monitoring unlink System Calls with kprobe
- [lesson 3-fentry-unlink](src/3-fentry-unlink/README.md) Monitoring unlink System Calls with fentry
- [lesson 4-opensnoop](src/4-opensnoop/README.md) Capturing Opening Files and Filter with Global Variables
- [lesson 5-uprobe-bashreadline](src/5-uprobe-bashreadline/README.md) Capturing readline Function Calls with Uprobe
- [lesson 6-sigsnoop](src/6-sigsnoop/README.md) Capturing Signal Sending and Store State with Hash Maps
- [lesson 7-execsnoop](src/7-execsnoop/README.md) Capturing Process Execution, Output with perf event array
- [lesson 8-exitsnoop](src/8-exitsnoop/README.md) Monitoring Process Exit Events, Output with Ring Buffer
- [lesson 9-runqlat](src/9-runqlat/README.md) Capturing Scheduling Latency and Recording as Histogram
- [lesson 10-hardirqs](src/10-hardirqs/README.md) Capturing Interrupts with hardirqs or softirqs
### Advanced Documents and Examples
We start to build complete eBPF projects mainly based on `libbpf` and combine them with various application scenarios for practical use.
- [lesson 11-bootstrap](11-bootstrap/README.md) Develop User-Space Programs with libbpf and Trace exec() and exit()
- [lesson 12-profile](12-profile/README.md) Using eBPF Program Profile for Performance Analysis
- [lesson 13-tcpconnlat](13-tcpconnlat/README.md) Statistics of TCP Connection Delay with libbpf
- [lesson 14-tcpstates](14-tcpstates/README.md) Recording TCP Connection Status and TCP RTT
- [lesson 15-javagc](15-javagc/README.md) Capturing User-Space Java GC Duration Using USDT
- [lesson 16-memleak](16-memleak/README.md) Monitoring Memory Leaks
- [lesson 17-biopattern](17-biopattern/README.md) Count Random/Sequential Disk I/O
- [lesson 18-further-reading](18-further-reading/README.md) More Reference Materials papers, projects
- [lesson 19-lsm-connect](19-lsm-connect/README.md) Security Detection and Defense using LSM
- [lesson 20-tc](20-tc/README.md) tc Traffic Control
- [lesson 21-xdp](21-xdp/README.md) Programmable Packet Processing with XDP
# In-Depth Topics
- [lesson 11-bootstrap](src/11-bootstrap/README.md) Develop User-Space Programs with libbpf and Trace exec() and exit()
- [lesson 12-profile](src/12-profile/README.md) Using eBPF Program Profile for Performance Analysis
- [lesson 13-tcpconnlat](src/13-tcpconnlat/README.md) Statistics of TCP Connection Delay with libbpf
- [lesson 14-tcpstates](src/14-tcpstates/README.md) Recording TCP Connection Status and TCP RTT
- [lesson 15-javagc](src/15-javagc/README.md) Capturing User-Space Java GC Duration Using USDT
- [lesson 16-memleak](src/16-memleak/README.md) Monitoring Memory Leaks
- [lesson 17-biopattern](src/17-biopattern/README.md) Count Random/Sequential Disk I/O
- [lesson 18-further-reading](src/18-further-reading/README.md) More Reference Materials papers, projects
- [lesson 19-lsm-connect](src/19-lsm-connect/README.md) Security Detection and Defense using LSM
- [lesson 20-tc](src/20-tc/README.md) tc Traffic Control
- [lesson 21-xdp](src/21-xdp/README.md) Programmable Packet Processing with XDP
### In-Depth Topics
This section covers advanced topics related to eBPF, including using eBPF programs on Android, possible attacks and defenses using eBPF programs, and complex tracing. Combining the user-mode and kernel-mode aspects of eBPF can bring great power (as well as security risks).
Android:
- [lesson 22-android](22-android/README.md) Using eBPF Programs on Android
Networking:
- [lesson 23-http](23-http/README.md) L7 Tracing with eBPF: HTTP and Beyond via Socket Filters and Syscall Tracepoints
- [lesson 29-sockops](29-sockops/README.md) Accelerating Network Request Forwarding with Sockops
- [lesson 41-xdp-tcpdump](41-xdp-tcpdump/README.md) Capturing TCP Information with XDP
- [lesson 42-xdp-loadbalancer](42-xdp-loadbalancer/README.md) XDP Load Balancer
Security:
- [lesson 24-hide](24-hide/README.md) Hiding Process or File Information
- [lesson 25-signal](25-signal/README.md) Using bpf_send_signal to Terminate Malicious Processes in eBPF
- [lesson 26-sudo](26-sudo/README.md) Using eBPF to add sudo user
- [lesson 27-replace](27-replace/README.md) Replace Text Read or Written by Any Program with eBPF
- [lesson 28-detach](28-detach/README.md) Running eBPF After Application Exits: The Lifecycle of eBPF Programs
- [lesson 34-syscall](34-syscall/README.md) Modifying System Call Arguments with eBPF
Scheduler:
- [lesson 44-scx-simple](44-scx-simple/README.md) Introduction to the BPF Scheduler
- [lesson 45-scx-nest](45-scx-nest/README.md) Implementing the `scx_nest` Scheduler
GPU:
- [lesson 47-cuda-events](47-cuda-events/README.md) Using eBPF to trace CUDA operations for GPU
- [lesson 47-cuda-events](src/47-cuda-events/README.md) Tracing CUDA GPU Operations
- [lesson xpu/gpu-kernel-driver](src/xpu/gpu-kernel-driver/README.md) Monitoring GPU Driver Activity with Kernel Tracepoints
- [lesson xpu/npu-kernel-driver](src/xpu/npu-kernel-driver/README.md) Tracing Intel NPU Kernel Driver Operations
Other:
- [lesson 35-user-ringbuf](35-user-ringbuf/README.md) Asynchronously Send to Kernel with User Ring Buffer
- [lesson 36-userspace-ebpf](36-userspace-ebpf/README.md) Userspace eBPF Runtimes: Overview and Applications
- [lesson 38-btf-uprobe](38-btf-uprobe/README.md) Expanding eBPF Compile Once, Run Everywhere(CO-RE) to Userspace Compatibility
- [lesson 43-kfuncs](43-kfuncs/README.md) Extending eBPF Beyond Its Limits: Custom kfuncs in Kernel Modules
Scheduler:
- [lesson 44-scx-simple](src/44-scx-simple/README.md) Introduction to the BPF Scheduler
- [lesson 45-scx-nest](src/45-scx-nest/README.md) Implementing the `scx_nest` Scheduler
Networking:
- [lesson 23-http](src/23-http/README.md) L7 Tracing with eBPF: HTTP and Beyond via Socket Filters and Syscall Tracepoints
- [lesson 29-sockops](src/29-sockops/README.md) Accelerating Network Request Forwarding with Sockops
- [lesson 41-xdp-tcpdump](src/41-xdp-tcpdump/README.md) Capturing TCP Information with XDP
- [lesson 42-xdp-loadbalancer](src/42-xdp-loadbalancer/README.md) XDP Load Balancer
- [lesson 46-xdp-test](src/46-xdp-test/README.md) Building a High-Performance XDP Packet Generator
Tracing:
- [lesson 48-energy](src/48-energy/README.md) Energy Monitoring for Process-Level Power Analysis
Security:
- [lesson 24-hide](src/24-hide/README.md) Hiding Process or File Information
- [lesson 25-signal](src/25-signal/README.md) Using bpf_send_signal to Terminate Malicious Processes in eBPF
- [lesson 26-sudo](src/26-sudo/README.md) Using eBPF to add sudo user
- [lesson 27-replace](src/27-replace/README.md) Replace Text Read or Written by Any Program with eBPF
- [lesson 28-detach](src/28-detach/README.md) Running eBPF After Application Exits: The Lifecycle of eBPF Programs
- [lesson 34-syscall](src/34-syscall/README.md) Modifying System Call Arguments with eBPF
Features:
- [lesson 35-user-ringbuf](src/35-user-ringbuf/README.md) Asynchronously Send to Kernel with User Ring Buffer
- [lesson 36-userspace-ebpf](src/36-userspace-ebpf/README.md) Userspace eBPF Runtimes: Overview and Applications
- [lesson 38-btf-uprobe](src/38-btf-uprobe/README.md) Expanding eBPF Compile Once, Run Everywhere(CO-RE) to Userspace Compatibility
- [lesson 43-kfuncs](src/43-kfuncs/README.md) Extending eBPF Beyond Its Limits: Custom kfuncs in Kernel Modules
- [features bpf_iters](src/features/bpf_iters/README.md) BPF Iterators for Kernel Data Export
- [features bpf_arena](src/features/bpf_arena/README.md) BPF Arena for Zero-Copy Shared Memory
- [features bpf_wq](src/features/bpf_wq/README.md) BPF Workqueues for Asynchronous Sleepable Tasks
Android:
- [lesson 22-android](src/22-android/README.md) Using eBPF Programs on Android
Continuously updating...
# bcc and bpftrace tutorial
For reference:
- [BPF Features by Linux Kernel Version](bcc-documents/kernel-versions.md)
- [Kernel Configuration for BPF Features](bcc-documents/kernel_config.md)
- [bcc Reference Guide](bcc-documents/reference_guide.md)
- [Special Filtering](bcc-documents/special_filtering.md)
- [bcc Tutorial](bcc-documents/tutorial.md)".- [bcc Python Developer Tutorial](bcc-documents/tutorial_bcc_python_developer.md)
- [bpftrace Tutorial](bpftrace-tutorial/README.md)
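Review bot: the bcc reference list at the end of this hunk has two items glued onto one line, `- [bcc Tutorial](bcc-documents/tutorial.md)".- [bcc Python Developer Tutorial](bcc-documents/tutorial_bcc_python_developer.md)`, with a stray `".` between them; if that line is on the added side it should be split into two list entries, as the Chinese hunk already has them. Two smaller style points in the new In-Depth Topics list: the link labels mix three conventions (`lesson 43-kfuncs`, `lesson xpu/gpu-kernel-driver`, `features bpf_iters`), so the template should settle on one prefix for non-numbered lessons, and `Run Everywhere(CO-RE)` is missing the space before the parenthesis.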

View File

@@ -1,88 +1,85 @@
# eBPF 开发实践教程:基于 CO-RE通过小工具快速上手 eBPF 开发
这是一个基于 `CO-RE`(一次编译,到处运行)的 eBPF 的开发教程,提供了从入门到进阶的 eBPF 开发实践,包括基本概念、代码实例、实际应用等内容。和 BCC 不同的是我们使用 libbpf、Cilium、libbpf-rs、eunomia-bpf 等框架进行开发,包含 C、Go、Rust 等语言的示例。
这是一个基于 `CO-RE`(一次编译,到处运行)的 eBPF 的开发教程,提供了从入门到进阶的 eBPF 开发实践,包括基本概念、代码实例、实际应用等内容。和 BCC 不同的是,我们使用 libbpf、Cilium、libbpf-rs、eunomia-bpf 等框架进行开发,包含 C、Go、Rust 等语言的示例。
本教程不会进行复杂的概念讲解和场景介绍,主要希望提供一些 eBPF 小工具的案例(**非常短小,从二十行代码开始入门!**),来帮助 eBPF 应用的开发者快速上手 eBPF 的开发方法和技巧。教程内容可以在目录中找到,每个目录都是一个独立的 eBPF 工具案例。
教程关注于可观测性、网络、安全等等方面的 eBPF 示例。完整的代码和教程可以在 [https://github.com/eunomia-bpf/bpf-developer-tutorial](https://github.com/eunomia-bpf/bpf-developer-tutorial) GitHub 开源仓库中找到。**如果您认为本教程对您有所帮助,也请给我们一个 star 鼓励一下!**
# 入门示例
## 目录
### 入门示例
这一部分包含简单的 eBPF 程序示例和介绍。主要利用 `eunomia-bpf` 框架简化开发,介绍 eBPF 的基本用法和开发流程。
- [lesson 0-introduce](0-introduce/README.zh.md) eBPF 示例教程 0核心概念与工具简介
- [lesson 1-helloworld](1-helloworld/README.zh.md) eBPF 入门开发实践教程一Hello World基本框架和开发流程
- [lesson 2-kprobe-unlink](2-kprobe-unlink/README.zh.md) eBPF 入门开发实践教程二:在 eBPF 中使用 kprobe 监测捕获 unlink 系统调用
- [lesson 3-fentry-unlink](3-fentry-unlink/README.zh.md) eBPF 入门开发实践教程三:在 eBPF 中使用 fentry 监测捕获 unlink 系统调用
- [lesson 4-opensnoop](4-opensnoop/README.zh.md) eBPF 入门开发实践教程四:在 eBPF 中捕获进程打开文件的系统调用集合,使用全局变量过滤进程 pid
- [lesson 5-uprobe-bashreadline](5-uprobe-bashreadline/README.zh.md) eBPF 入门开发实践教程五:在 eBPF 中使用 uprobe 捕获 bash 的 readline 函数调用
- [lesson 6-sigsnoop](6-sigsnoop/README.zh.md) eBPF 入门开发实践教程六:捕获进程发送信号的系统调用集合,使用 hash map 保存状态
- [lesson 7-execsnoop](7-execsnoop/README.zh.md) eBPF 入门实践教程七:捕获进程执行事件,通过 perf event array 向用户态打印输出
- [lesson 8-exitsnoop](8-exitsnoop/README.zh.md) eBPF 入门开发实践教程八:在 eBPF 中使用 exitsnoop 监控进程退出事件,使用 ring buffer 向用户态打印输出
- [lesson 9-runqlat](9-runqlat/README.zh.md) eBPF 入门开发实践教程九:捕获进程调度延迟,以直方图方式记录
- [lesson 10-hardirqs](10-hardirqs/README.zh.md) eBPF 入门开发实践教程十:在 eBPF 中使用 hardirqs 或 softirqs 捕获中断事件
# 高级文档和示例
- [lesson 0-introduce](src/0-introduce/README.zh.md) eBPF 示例教程 0核心概念与工具简介
- [lesson 1-helloworld](src/1-helloworld/README.zh.md) eBPF 入门开发实践教程一Hello World基本框架和开发流程
- [lesson 2-kprobe-unlink](src/2-kprobe-unlink/README.zh.md) eBPF 入门开发实践教程二:在 eBPF 中使用 kprobe 监测捕获 unlink 系统调用
- [lesson 3-fentry-unlink](src/3-fentry-unlink/README.zh.md) eBPF 入门开发实践教程三:在 eBPF 中使用 fentry 监测捕获 unlink 系统调用
- [lesson 4-opensnoop](src/4-opensnoop/README.zh.md) eBPF 入门开发实践教程四:在 eBPF 中捕获进程打开文件的系统调用集合,使用全局变量过滤进程 pid
- [lesson 5-uprobe-bashreadline](src/5-uprobe-bashreadline/README.zh.md) eBPF 入门开发实践教程五:在 eBPF 中使用 uprobe 捕获 bash 的 readline 函数调用
- [lesson 6-sigsnoop](src/6-sigsnoop/README.zh.md) eBPF 入门开发实践教程六:捕获进程发送信号的系统调用集合,使用 hash map 保存状态
- [lesson 7-execsnoop](src/7-execsnoop/README.zh.md) eBPF 入门实践教程七:捕获进程执行事件,通过 perf event array 向用户态打印输出
- [lesson 8-exitsnoop](src/8-exitsnoop/README.zh.md) eBPF 入门开发实践教程八:在 eBPF 中使用 exitsnoop 监控进程退出事件,使用 ring buffer 向用户态打印输出
- [lesson 9-runqlat](src/9-runqlat/README.zh.md) eBPF 入门开发实践教程九:捕获进程调度延迟,以直方图方式记录
- [lesson 10-hardirqs](src/10-hardirqs/README.zh.md) eBPF 入门开发实践教程十:在 eBPF 中使用 hardirqs 或 softirqs 捕获中断事件
### 高级文档和示例
我们开始构建完整的 eBPF 项目,主要基于 `libbpf`,并将其与各种应用场景结合起来,以便实际使用。
- [lesson 11-bootstrap](11-bootstrap/README.zh.md) eBPF 入门开发实践教程十一:在 eBPF 中使用 libbpf 开发用户态程序并跟踪 exec() 和 exit() 系统调用
- [lesson 12-profile](12-profile/README.zh.md) eBPF 入门实践教程十二:使用 eBPF 程序 profile 进行性能分析
- [lesson 13-tcpconnlat](13-tcpconnlat/README.zh.md) eBPF入门开发实践教程十三统计 TCP 连接延时,并使用 libbpf 在用户态处理数据
- [lesson 14-tcpstates](14-tcpstates/README.zh.md) eBPF入门实践教程十四记录 TCP 连接状态与 TCP RTT
- [lesson 15-javagc](15-javagc/README.zh.md) eBPF 入门实践教程十五:使用 USDT 捕获用户态 Java GC 事件耗时
- [lesson 16-memleak](16-memleak/README.zh.md) eBPF 入门实践教程十六:编写 eBPF 程序 Memleak 监控内存泄漏
- [lesson 17-biopattern](17-biopattern/README.zh.md) eBPF 入门实践教程十七:编写 eBPF 程序统计随机/顺序磁盘 I/O
- [lesson 18-further-reading](18-further-reading/README.zh.md) 更多的参考资料:论文、项目等等
- [lesson 19-lsm-connect](19-lsm-connect/README.zh.md) eBPF 入门实践教程:使用 LSM 进行安全检测防御
- [lesson 20-tc](20-tc/README.zh.md) eBPF 入门实践教程二十:使用 eBPF 进行 tc 流量控制
- [lesson 21-xdp](21-xdp/README.zh.md) eBPF 入门实践教程二十一: 使用 XDP 进行可编程数据包处理
# 深入主题
- [lesson 11-bootstrap](src/11-bootstrap/README.zh.md) eBPF 入门开发实践教程十一:在 eBPF 中使用 libbpf 开发用户态程序并跟踪 exec() 和 exit() 系统调用
- [lesson 12-profile](src/12-profile/README.zh.md) eBPF 入门实践教程十二:使用 eBPF 程序 profile 进行性能分析
- [lesson 13-tcpconnlat](src/13-tcpconnlat/README.zh.md) eBPF入门开发实践教程十三统计 TCP 连接延时,并使用 libbpf 在用户态处理数据
- [lesson 14-tcpstates](src/14-tcpstates/README.zh.md) eBPF入门实践教程十四记录 TCP 连接状态与 TCP RTT
- [lesson 15-javagc](src/15-javagc/README.zh.md) eBPF 入门实践教程十五:使用 USDT 捕获用户态 Java GC 事件耗时
- [lesson 16-memleak](src/16-memleak/README.zh.md) eBPF 入门实践教程十六:编写 eBPF 程序 Memleak 监控内存泄漏
- [lesson 17-biopattern](src/17-biopattern/README.zh.md) eBPF 入门实践教程十七:编写 eBPF 程序统计随机/顺序磁盘 I/O
- [lesson 18-further-reading](src/18-further-reading/README.zh.md) 更多的参考资料:论文、项目等等
- [lesson 19-lsm-connect](src/19-lsm-connect/README.zh.md) eBPF 入门实践教程:使用 LSM 进行安全检测防御
- [lesson 20-tc](src/20-tc/README.zh.md) eBPF 入门实践教程二十:使用 eBPF 进行 tc 流量控制
- [lesson 21-xdp](src/21-xdp/README.zh.md) eBPF 入门实践教程二十一: 使用 XDP 进行可编程数据包处理
### 深入主题
这一部分涵盖了与 eBPF 相关的高级主题,包括在 Android 上使用 eBPF 程序、利用 eBPF 程序进行的潜在攻击和防御以及复杂的追踪。结合用户模式和内核模式的 eBPF 可以带来强大的能力(也可能带来安全风险)。
Android:
- [lesson 22-android](22-android/README.zh.md) 在 Android 上使用 eBPF 程序
网络:
- [lesson 23-http](23-http/README.zh.md) 通过 eBPF socket filter 或 syscall trace 追踪 HTTP 请求等七层协议 - eBPF 实践教程
- [lesson 29-sockops](29-sockops/README.zh.md) eBPF 开发实践:使用 sockops 加速网络请求转发
- [lesson 41-xdp-tcpdump](41-xdp-tcpdump/README.zh.md) eBPF 示例教程:使用 XDP 捕获 TCP 信息
- [lesson 42-xdp-loadbalancer](42-xdp-loadbalancer/README.zh.md) eBPF 开发者教程: 简单的 XDP 负载均衡器
安全:
- [lesson 24-hide](24-hide/README.zh.md) eBPF 开发实践:使用 eBPF 隐藏进程或文件信息
- [lesson 25-signal](25-signal/README.zh.md) eBPF 入门实践教程:用 bpf_send_signal 发送信号终止恶意进程
- [lesson 26-sudo](26-sudo/README.zh.md) 使用 eBPF 添加 sudo 用户
- [lesson 27-replace](27-replace/README.zh.md) 使用 eBPF 替换任意程序读取或写入的文本
- [lesson 28-detach](28-detach/README.zh.md) 在应用程序退出后运行 eBPF 程序eBPF 程序的生命周期
- [lesson 34-syscall](34-syscall/README.zh.md) eBPF 开发实践:使用 eBPF 修改系统调用参数
调度器:
- [lesson 44-scx-simple](44-scx-simple/README.zh.md) eBPF 教程BPF 调度器入门
- [lesson 45-scx-nest](45-scx-nest/README.zh.md) eBPF 示例教程:实现 `scx_nest` 调度器
GPU:
- [lesson 47-cuda-events](47-cuda-events/README.zh.md) 使用 eBPF 追踪 CUDA 操作
- [lesson 47-cuda-events](src/47-cuda-events/README.zh.md) eBPF 教程:追踪 CUDA GPU 操作
- [lesson xpu/gpu-kernel-driver](src/xpu/gpu-kernel-driver/README.zh.md) eBPF 实例教程:使用内核跟踪点监控 GPU 驱动活动
- [lesson xpu/npu-kernel-driver](src/xpu/npu-kernel-driver/README.zh.md) eBPF 实例教程:跟踪 Intel NPU 内核驱动操作
调度器:
其他:
- [lesson 44-scx-simple](src/44-scx-simple/README.zh.md) eBPF 教程BPF 调度器入门
- [lesson 45-scx-nest](src/45-scx-nest/README.zh.md) eBPF 示例教程:实现 `scx_nest` 调度器
网络:
- [lesson 35-user-ringbuf](35-user-ringbuf/README.zh.md) eBPF开发实践:使用 user ring buffer 向内核异步发送信息
- [lesson 36-userspace-ebpf](36-userspace-ebpf/README.zh.md) 用户空间 eBPF 运行时:深度解析与应用实践
- [lesson 38-btf-uprobe](38-btf-uprobe/README.zh.md) 借助 eBPF 和 BTF让用户态也能一次编译、到处运行
- [lesson 43-kfuncs](43-kfuncs/README.zh.md) 超越 eBPF 的极限:在内核模块中定义自定义 kfunc
- [lesson 23-http](src/23-http/README.zh.md) 通过 eBPF socket filter 或 syscall trace 追踪 HTTP 请求等七层协议 - eBPF 实践教程
- [lesson 29-sockops](src/29-sockops/README.zh.md) eBPF 开发实践:使用 sockops 加速网络请求转发
- [lesson 41-xdp-tcpdump](src/41-xdp-tcpdump/README.zh.md) eBPF 示例教程:使用 XDP 捕获 TCP 信息
- [lesson 42-xdp-loadbalancer](src/42-xdp-loadbalancer/README.zh.md) eBPF 开发者教程: 简单的 XDP 负载均衡器
- [lesson 46-xdp-test](src/46-xdp-test/README.zh.md) eBPF 实例教程:构建高性能 XDP 数据包生成器
Tracing:
- [lesson 48-energy](src/48-energy/README.zh.md) eBPF 教程:进程级能源监控与功耗分析
安全:
- [lesson 24-hide](src/24-hide/README.zh.md) eBPF 开发实践:使用 eBPF 隐藏进程或文件信息
- [lesson 25-signal](src/25-signal/README.zh.md) eBPF 入门实践教程:用 bpf_send_signal 发送信号终止恶意进程
- [lesson 26-sudo](src/26-sudo/README.zh.md) 使用 eBPF 添加 sudo 用户
- [lesson 27-replace](src/27-replace/README.zh.md) 使用 eBPF 替换任意程序读取或写入的文本
- [lesson 28-detach](src/28-detach/README.zh.md) 在应用程序退出后运行 eBPF 程序eBPF 程序的生命周期
- [lesson 34-syscall](src/34-syscall/README.zh.md) eBPF 开发实践:使用 eBPF 修改系统调用参数
特性:
- [lesson 35-user-ringbuf](src/35-user-ringbuf/README.zh.md) eBPF开发实践使用 user ring buffer 向内核异步发送信息
- [lesson 36-userspace-ebpf](src/36-userspace-ebpf/README.zh.md) 用户空间 eBPF 运行时:深度解析与应用实践
- [lesson 38-btf-uprobe](src/38-btf-uprobe/README.zh.md) 借助 eBPF 和 BTF让用户态也能一次编译、到处运行
- [lesson 43-kfuncs](src/43-kfuncs/README.zh.md) 超越 eBPF 的极限:在内核模块中定义自定义 kfunc
- [features bpf_iters](src/features/bpf_iters/README.zh.md) eBPF 教程BPF 迭代器用于内核数据导出
- [features bpf_arena](src/features/bpf_arena/README.zh.md) eBPF 实例教程BPF Arena 零拷贝共享内存
- [features bpf_wq](src/features/bpf_wq/README.zh.md) eBPF 教程BPF 工作队列用于异步可睡眠任务
Android:
- [lesson 22-android](src/22-android/README.zh.md) 在 Android 上使用 eBPF 程序
持续更新中...
# bcc 和 bpftrace 教程与文档
- [BPF Features by Linux Kernel Version](bcc-documents/kernel-versions.md)
- [Kernel Configuration for BPF Features](bcc-documents/kernel_config.md)
- [bcc Reference Guide](bcc-documents/reference_guide.md)
- [Special Filtering](bcc-documents/special_filtering.md)
- [bcc Tutorial](bcc-documents/tutorial.md)
- [bcc Python Developer Tutorial](bcc-documents/tutorial_bcc_python_developer.md)
- [bpftrace Tutorial](bpftrace-tutorial/README.md)
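Review bot: the new category label `Tracing:` in the 深入主题 section is left in English while every other label in this file is Chinese (`网络:`, `安全:`, `特性:`, `调度器:`, `其他:`), so the Chinese template or the generator should emit a translated label for that type (for example `追踪:`). The rest of the hunk is consistent with the English version: the same new entries (46-xdp-test, 48-energy, the three `features` items and the two `xpu` items) appear in the same category order, which is what a generated table of contents should look like.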

View File

@@ -0,0 +1,2 @@
level=Depth
type=Features
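Review bot: the accepted values for `level` and `type` (`Depth` and `Features` here) are not documented anywhere in these new config files; a list of valid values in the template or alongside the generator would keep a typo or a different capitalization from silently dropping a lesson from the generated SUMMARY. `type=Features` also has to map to both the English `Features:` label and the Chinese `特性:` label, so that mapping belongs in one place rather than being repeated per language.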

View File

@@ -0,0 +1,2 @@
level=Depth
type=Features

View File

@@ -0,0 +1,2 @@
level=Depth
type=Features

View File

@@ -0,0 +1,2 @@
level=Depth
type=GPU
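Review bot: `type=GPU` must match the `GPU:` label in both SUMMARY files byte for byte, so the generator should fail loudly on an unknown `type` rather than omit the lesson. Also, one of the lessons filed under GPU in the summaries is `xpu/npu-kernel-driver` ("Tracing Intel NPU Kernel Driver Operations"), which is an NPU rather than a GPU topic; since both new entries live under `src/xpu/`, consider naming the category after that directory (XPU or Accelerators) instead of GPU.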

View File

@@ -0,0 +1,2 @@
level=Depth
type=GPU