From e2981121e62f41f293b04b615b993ccf8ad0f3d4 Mon Sep 17 00:00:00 2001 From: yunwei37 Date: Wed, 17 Jan 2024 21:28:52 +0000 Subject: [PATCH] Update index for better view --- README_en.md | 2 +- src/SUMMARY.md | 76 ++++++++++++++++++++++++++-------------- src/SUMMARY_en.md | 89 +++++++++++++++++++++++++++++------------------ 3 files changed, 107 insertions(+), 60 deletions(-) diff --git a/README_en.md b/README_en.md index 8c570a8..20a059b 100644 --- a/README_en.md +++ b/README_en.md @@ -69,7 +69,7 @@ Security: - [BPF lifecycle: Running eBPF programs continuously in Detached mode after user-mode applications exit](src/28-detach/README_en.md) - [Userspace eBPF Runtimes: Overview and Applications](src\36-userspace-ebpf\README_en.md) -Continuously updated... +Continuously updating... ## Why write this tutorial? diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 7641bb8..9a724a3 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md 
@@ -6,42 +6,66 @@ 教程关注于可观测性、网络、安全等等方面的 eBPF 示例。完整的代码和教程可以在 [https://github.com/eunomia-bpf/bpf-developer-tutorial](https://github.com/eunomia-bpf/bpf-developer-tutorial) GitHub 开源仓库中找到。**如果您认为本教程对您有所帮助,也请给我们一个 star 鼓励一下!** -# 目录 +## 目录 -- [介绍 eBPF 的基本概念、常见的开发工具](0-introduce/README.md) -- [eBPF Hello World,基本框架和开发流程](1-helloworld/README.md) -- [使用 kprobe 监测捕获 unlink 系统调用](2-kprobe-unlink/README.md) -- [使用 fentry 监测捕获 unlink 系统调用](3-fentry-unlink/README.md) -- [捕获进程打开文件的系统调用集合,使用全局变量过滤进程 pid](4-opensnoop/README.md) -- [使用 uprobe 捕获 bash 的 readline 函数调用](5-uprobe-bashreadline/README.md) -- [捕获进程发送信号的系统调用集合,使用 hash map 保存状态](6-sigsnoop/README.md) -- [捕获进程执行/退出时间,通过 perf event array 向用户态打印输出](7-execsnoop/README.md) -- [使用 exitsnoop 监控进程退出事件,使用 ring buffer 向用户态打印输出](8-exitsnoop/README.md) -- [一个 Linux 内核 BPF 程序,通过柱状图来总结调度程序运行队列延迟,显示任务等待运行在 CPU 上的时间长度](9-runqlat/README.md) -- [使用 hardirqs 或 softirqs 捕获中断事件](10-hardirqs/README.md) -- [使用 bootstrap 开发用户态程序并跟踪 exec() 和 exit() 系统调用](11-bootstrap/README.md) -- [使用 libbpf-bootstrap 开发程序统计 TCP 连接延时](13-tcpconnlat/README.md) -- [使用 libbpf-bootstrap 记录 TCP 连接状态与 TCP RTT](14-tcpstates/README.md) -- [使用 USDT 捕获用户态 Java GC 事件耗时](15-javagc/README.md) -- [编写 eBPF 程序 Memleak 监控内存泄漏](16-memleak/README.md) -- [编写 eBPF 程序 Biopattern 统计随机/顺序磁盘 I/O](17-biopattern/README.md) -- [更多的参考资料:论文列表、项目、博客等等](18-further-reading/README.md) -- [使用 LSM 进行安全检测防御](19-lsm-connect/README.md) -- [使用 eBPF 进行 tc 流量控制](20-tc/README.md) +### 入门文档 -# eBPF 高级特性与进阶主题 +包含简单的 eBPF 程序样例与介绍,这部分主要使用 `eunomia-bpf` 框架简化开发,并介绍了 eBPF 的基本使用方式和开发流程。 + +- [lesson 0-introduce](0-introduce/README.md) 介绍 eBPF 的基本概念和常见的开发工具 +- [lesson 1-helloworld](1-helloworld/README.md) 使用 eBPF 开发最简单的「Hello World」程序,介绍 eBPF 的基本框架和开发流程 +- [lesson 2-kprobe-unlink](2-kprobe-unlink/README.md) 在 eBPF 中使用 kprobe 捕获 unlink 系统调用 +- [lesson 3-fentry-unlink](3-fentry-unlink/README.md) 在 eBPF 中使用 fentry 捕获 unlink 系统调用 +- [lesson 4-opensnoop](4-opensnoop/README.md) 使用 eBPF 捕获进程打开文件的系统调用集合,使用全局变量在 eBPF 中过滤进程 
pid +- [lesson 5-uprobe-bashreadline](5-uprobe-bashreadline/README.md) 在 eBPF 中使用 uprobe 捕获 bash 的 readline 函数调用 +- [lesson 6-sigsnoop](6-sigsnoop/README.md) 捕获进程发送信号的系统调用集合,使用 hash map 保存状态 +- [lesson 7-execsnoop](7-execsnoop/README.md) 捕获进程执行时间,通过 perf event array 向用户态打印输出 +- [lesson 8-execsnoop](8-exitsnoop/README.md) 捕获进程退出事件,使用 ring buffer 向用户态打印输出 +- [lesson 9-runqlat](9-runqlat/README.md) 捕获进程调度延迟,以直方图方式记录 +- [lesson 10-hardirqs](10-hardirqs/README.md) 使用 hardirqs 或 softirqs 捕获中断事件 + +### 进阶文档和示例 + +我们开始主要基于 `libbpf` 构建完整的 eBPF 工程,并且把它和各种应用场景结合起来进行实践。 + +- [lesson 11-bootstrap](11-bootstrap/README.md) 使用 libbpf-boostrap 为 eBPF 编写原生的 libbpf 用户态代码,并建立完整的 libbpf 工程。 +- [lesson 12-profile](12-profile/README.md) 使用 eBPF 进行性能分析 +- [lesson 13-tcpconnlat](13-tcpconnlat/README.md) 记录 TCP 连接延迟,并使用 libbpf 在用户态处理数据 +- [lesson 14-tcpstates](14-tcpstates/README.md) 记录 TCP 连接状态与 TCP RTT +- [lesson 15-javagc](15-javagc/README.md) 使用 usdt 捕获用户态 Java GC 事件耗时 +- [lesson 16-memleak](16-memleak/README.md) 检测内存泄漏 +- [lesson 17-biopattern](17-biopattern/README.md) 捕获磁盘 IO 模式 +- [lesson 18-further-reading](18-further-reading/README.md) 更进一步的相关资料:论文列表、项目、博客等等 +- [lesson 19-lsm-connect](19-lsm-connect/README.md) 使用 LSM 进行安全检测防御 +- [lesson 20-tc](20-tc/README.md) 使用 eBPF 进行 tc 流量控制 +- [lesson 21-xdp](21-xdp/README.md) 使用 eBPF 进行 XDP 报文处理 + +### 高级主题 + +这里涵盖了一系列和 eBPF 相关的高级内容,包含在 Android 上使用 eBPF 程序、使用 eBPF 程序进行可能的攻击与防御、复杂的追踪等等。这部分主要基于 libbpf、Cilium 等框架进行开发。 + +Android: - [在 Android 上使用 eBPF 程序](22-android/README.md) -- [使用 eBPF socket filter 或 syscall tracepoint 追踪 HTTP 请求等七层协议](23-http/README.md) -- [使用 Uprobe+eBPF 捕获多种库的 SSL/TLS 明文数据](30-sslsniff/README.md) + +网络和追踪: + +- [使用 uprobe 捕获多种库的 SSL/TLS 明文数据](30-sslsniff/README.md) +- [使用 eBPF socket filter 或 syscall trace 追踪 HTTP 请求和其他七层协议](23-http/README.md) - [使用 sockops 加速网络请求转发](29-sockops/README.md) -- [eBPF 运行时的安全性与面临的挑战](18-further-reading/ebpf-security.zh.md) + +安全: + +- [使用 eBPF 修改系统调用参数](34-syscall/README.md) - [使用 eBPF 
隐藏进程或文件信息](24-hide/README.md) - [使用 bpf_send_signal 发送信号终止进程](25-signal/README.md) - [使用 eBPF 添加 sudo 用户](26-sudo/README.md) - [使用 eBPF 替换任意程序读取或写入的文本](27-replace/README.md) -- [BPF的生命周期:使用 Detached 模式在用户态应用退出后持续运行 eBPF 程序](28-detach/README.md) +- [BPF 的生命周期:使用 Detached 模式在用户态应用退出后持续运行 eBPF 程序](28-detach/README.md) +- [eBPF 运行时的安全性与面临的挑战](18-further-reading/ebpf-security.zh.md) - [用户空间 eBPF 运行时:深度解析与应用实践](src\36-userspace-ebpf\README.md) + +持续更新中... # bcc 教程与文档 diff --git a/src/SUMMARY_en.md b/src/SUMMARY_en.md index 098f4eb..870770c 100644 --- a/src/SUMMARY_en.md +++ b/src/SUMMARY_en.md @@ -1,4 +1,4 @@ -# eBPF Tutorial by Example: Learning CO-RE eBPF Step by Step with Tools +# eBPF Tutorial by Example: Learning CO-RE eBPF Step by Step [![CI](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/main.yml/badge.svg)](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/main.yml) 
@@ -8,43 +8,66 @@ This tutorial does not cover complex concepts and scenario introductions. Its ma For the complete source code of the tutorial, please refer to the repo [https://github.com/eunomia-bpf/bpf-developer-tutorial](https://github.com/eunomia-bpf/bpf-developer-tutorial) on GitHub. **If you find this tutorial helpful, please give us a star!** -# Table of Contents +## Table of Contents -- [Introduction to basic concepts of eBPF and common development tools](0-introduce/README.md) -- [eBPF Hello World, basic framework and development process](1-helloworld/README.md) -- [Monitoring and capturing unlink system calls using kprobe](2-kprobe-unlink/README.md) -- [Monitoring and capturing unlink system calls using fentry](3-fentry-unlink/README.md) -- [Collection of system calls for capturing processes opening files, filtering process pid using global variables](4-opensnoop/README.md) -- [Capturing readline function calls of bash using uprobe](5-uprobe-bashreadline/README.md) -- [Collection of system calls for capturing process signal sending, saving state using hash map](6-sigsnoop/README.md) -- [Capturing process execution/exit time, printing output to user space using perf event array](7-execsnoop/README.md) -- [Monitoring process exit events using exitsnoop, printing output to user space using ring buffer](8-exitsnoop/README.md) -- [A Linux kernel BPF program that summarizes scheduler run queue latency using histograms, displaying time length tasks wait to run on the CPU](9-runqlat/README.md) -- [Capturing interrupt events using hardirqs or softirqs](10-hardirqs/README.md) -- [Developing user space programs and tracing exec() and exit() system calls using bootstrap](11-bootstrap/README.md) -- [Developing programs to measure TCP connection latency using libbpf-bootstrap](13-tcpconnlat/README.md) -- [Recording TCP connection state and TCP RTT using libbpf-bootstrap](14-tcpstates/README.md) -- [Capturing user space Java GC event duration using 
USDT](15-javagc/README.md) -- [Writing eBPF program Memleak to monitor memory leaks](16-memleak/README.md) -- [Writing eBPF program Biopattern to measure random/sequential disk I/O](17-biopattern/README.md) -- [More reference materials: papers list, projects, blogs, etc.](18-further-reading/README.md) -- [Performing security detection and defense using LSM](19-lsm-connect/README.md) -- [Performing traffic control using eBPF and tc](20-tc/README.md) +### Getting Started Examples -# Advanced Features and Advanced Topics of eBPF +This section contains simple eBPF program examples and introductions. It primarily utilizes the `eunomia-bpf` framework to simplify development and introduces the basic usage and development process of eBPF. -- [Using eBPF programs on Android](22-android/README.md) -- [Tracing HTTP requests or other layer 7 protocols using eBPF](23-http/README.md) -- [Capturing Plain Text Data of Various Libraries' SSL/TLS Using uprobe](30-sslsniff/README.md) +- [lesson 0-introduce](0-introduce/README_en.md) Introduces basic concepts of eBPF and common development tools +- [lesson 1-helloworld](1-helloworld/README_en.md) Develops the simplest "Hello World" program using eBPF and introduces the basic framework and development process of eBPF +- [lesson 2-kprobe-unlink](2-kprobe-unlink/README_en.md) Uses kprobe in eBPF to capture the unlink system call +- [lesson 3-fentry-unlink](3-fentry-unlink/README_en.md) Uses fentry in eBPF to capture the unlink system call +- [lesson 4-opensnoop](4-opensnoop/README_en.md) Uses eBPF to capture the system call collection of processes opening files, and filters process PIDs in eBPF using global variables +- [lesson 5-uprobe-bashreadline](5-uprobe-bashreadline/README_en.md) Uses uprobe in eBPF to capture the readline function calls in bash +- [lesson 6-sigsnoop](6-sigsnoop/README_en.md) Captures the system call collection of processes sending signals and uses a hash map to store states +- [lesson 
7-execsnoop](7-execsnoop/README_en.md) Captures process execution times and prints output to user space through perf event array +- [lesson 8-exitsnoop](8-exitsnoop/README_en.md) Captures process exit events and prints output to user space using a ring buffer +- [lesson 9-runqlat](9-runqlat/README_en.md) Captures process scheduling delays and records them in histogram format +- [lesson 10-hardirqs](10-hardirqs/README_en.md) Captures interrupt events using hardirqs or softirqs + +### Advanced Documents and Examples + +We start to build complete eBPF projects mainly based on `libbpf` and combine them with various application scenarios for practical use. + +- [lesson 11-bootstrap](11-bootstrap/README_en.md) Writes native libbpf user space code for eBPF using libbpf-bootstrap and establishes a complete libbpf project. +- [lesson 12-profile](12-profile/README_en.md) Performs performance analysis using eBPF +- [lesson 13-tcpconnlat](13-tcpconnlat/README_en.md) Records TCP connection latency and processes data in user space using libbpf +- [lesson 14-tcpstates](14-tcpstates/README_en.md) Records TCP connection state and TCP RTT.- [lesson 15-javagc](15-javagc/README_en.md) Capture user-level Java GC event duration using usdt +- [lesson 16-memleak](16-memleak/README_en.md) Detect memory leaks +- [lesson 17-biopattern](17-biopattern/README_en.md) Capture disk IO patterns +- [lesson 18-further-reading](18-further-reading/README_en.md) Further reading: papers list, projects, blogs, etc. +- [lesson 19-lsm-connect](19-lsm-connect/README_en.md) Use LSM for security detection and defense +- [lesson 20-tc](20-tc/README_en.md) Use eBPF for tc traffic control +- [lesson 21-xdp](21-xdp/README_en.md) Use eBPF for XDP packet processing + +### In-Depth Topics + +This section covers advanced topics related to eBPF, including using eBPF programs on Android, possible attacks and defenses using eBPF programs, and complex tracing. 
Combining the user-mode and kernel-mode aspects of eBPF can bring great power (as well as security risks). + +Android: + +- [Using eBPF programs on Android](22-android/README_en.md) + +Networking and tracing: + +- [Tracing HTTP requests or other layer-7 protocols using eBPF socket filter or syscall trace](23-http/README_en.md) +- [Accelerating network request forwarding using sockops](29-sockops/README_en.md) +- [Capturing Plain Text Data of Various Libraries' SSL/TLS Using uprobe](30-sslsniff/README_en.md) + +Security: + +- [Use eBPF to modify syscall parameters](34-syscall/README.md) - [The Secure Path Forward for eBPF: Challenges and Innovations](18-further-reading/ebpf-security.md) -- [Accelerating network request forwarding using sockops](29-sockops/README.md) -- [Hiding process or file information using eBPF](24-hide/README.md) -- [Terminating processes by sending signals using bpf_send_signal](25-signal/README.md) -- [Adding sudo users using eBPF](26-sudo/README.md) -- [Replacing text read or written by any program using eBPF](27-replace/README.md) -- [BPF lifecycle: Running eBPF programs continuously after the user space application exits using Detached mode](28-detach/README.md) +- [Hiding process or file information using eBPF](24-hide/README_en.md) +- [Terminating processes by sending signals using bpf_send_signal](25-signal/README_en.md) +- [Adding sudo users using eBPF](26-sudo/README_en.md) +- [Replacing text read or written by any program using eBPF](27-replace/README_en.md) +- [BPF lifecycle: Running eBPF programs continuously in Detached mode after user-mode applications exit](28-detach/README_en.md) - [Userspace eBPF Runtimes: Overview and Applications](src\36-userspace-ebpf\README_en.md) - + +Continuously updating... + # bcc tutorial - [BPF Features by Linux Kernel Version](bcc-documents/kernel-versions.md)
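Review bot: in the README_en.md hunk, the rewording `-Continuously updated...` / `+Continuously updating...` reads less naturally than the original, since "Continuously updating..." has no subject; either keep "Continuously updated..." or write "This list is continuously updated...". While touching this spot, the unchanged context line just above it, `[Userspace eBPF Runtimes: Overview and Applications](src\36-userspace-ebpf\README_en.md)`, uses backslashes in the link target, which Markdown renderers treat as literal characters rather than path separators, so the link does not resolve; it should be `src/36-userspace-ebpf/README_en.md`.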
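Review bot: in the src/SUMMARY.md hunk, the new entry `+- [lesson 8-execsnoop](8-exitsnoop/README.md) 捕获进程退出事件,使用 ring buffer 向用户态打印输出` mislabels the lesson: the path and the description are exitsnoop, so the label should read `lesson 8-exitsnoop`. Two more fixes in the same hunk: `libbpf-boostrap` in the lesson 11 entry is a typo for `libbpf-bootstrap`, and the unchanged `[用户空间 eBPF 运行时:深度解析与应用实践](src\36-userspace-ebpf\README.md)` line uses backslashes and a `src\` prefix that the neighbouring entries (e.g. `28-detach/README.md`) do not; since SUMMARY.md itself lives in `src/`, the target should be `36-userspace-ebpf/README.md`. Demoting `# 目录` to `## 目录` while the trailing context line `# bcc 教程与文档` stays at level one also leaves the heading levels inconsistent, and if this file is consumed by mdbook, bare paragraphs such as `Android:`, `安全:` and `持续更新中...` are not part of the SUMMARY.md structure it parses.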
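Review bot: in the second src/SUMMARY_en.md hunk, the lesson 14 and lesson 15 entries were merged into one line, `+- [lesson 14-tcpstates](14-tcpstates/README_en.md) Records TCP connection state and TCP RTT.- [lesson 15-javagc](15-javagc/README_en.md) Capture user-level Java GC event duration using usdt`, so lesson 15 will render as trailing text of the lesson 14 item instead of its own list entry; split it onto a new `- ` line. In the same hunk, the new `+- [Use eBPF to modify syscall parameters](34-syscall/README.md)` points at `README.md` while every other entry in this hunk was moved to `README_en.md`, and the unchanged `src\36-userspace-ebpf\README_en.md` link has the same backslash and `src\` prefix problem as its counterpart in SUMMARY.md. The descriptions also mix verb forms (`Introduces`, `Develops` versus `Capture`, `Detect`, `Use`); settling on one form, and writing `USDT` in the lesson 15 entry as the surrounding text does, would make the list read consistently.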