kernel/bpf-developer-tutorial
1
0
Fork 0
mirror of https://github.com/eunomia-bpf/bpf-developer-tutorial.git synced 2026-02-03 02:04:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

improve tutorial title for better seo (#70)

Browse Source 
* improve title for tutorial for better seo

* Add description test for summary page

* fix english documents syntax error

* fix links
This commit is contained in:
云微
2023-08-31 12:03:09 +01:00
committed by GitHub
parent 82cd415d84
commit eab62193c6
25 changed files with 62 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/1-helloworld/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 1 Hello World, Basic Framework and Development Process
# eBPF Tutorial by Example 1: Hello World, Framework and Development
In this blog post, we will delve into the basic framework and development process of eBPF (Extended Berkeley Packet Filter). eBPF is a powerful network and performance analysis tool that runs on the Linux kernel, providing developers with the ability to dynamically load, update, and run user-defined code at kernel runtime. This enables developers to implement efficient, secure kernel-level network monitoring, performance analysis, and troubleshooting functionalities.

27
src/10-hardirqs/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 10: Capturing Interrupt Events Using hardirqs or softirqs
# eBPF Tutorial by Example 10: Capturing Interrupts with hardirqs or softirqs
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool on the Linux kernel. It allows developers to dynamically load, update, and run user-defined code at runtime in the kernel.
@@ -63,7 +63,6 @@ struct {
__uint(max_entries, 1);
__type(key, u32);
__type(value, u64);
``````c
} start SEC(".maps");
struct {
@@ -159,7 +158,7 @@ int BPF_PROG(irq_handler_entry, int irq, struct irqaction *action)
}
SEC("raw_tp/irq_handler_exit")
```int BPF_PROG(irq_handler_exit, int irq, struct irqaction *action)
int BPF_PROG(irq_handler_exit, int irq, struct irqaction *action)
{
return handle_exit(irq, action);
}
@@ -171,7 +170,7 @@ This code is an eBPF program used to capture and analyze the execution informati
1. Include necessary header files and define data structures:
```c
```c
#include <vmlinux.h>
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_helpers.h>
@@ -179,13 +178,13 @@ This code is an eBPF program used to capture and analyze the execution informati
#include "hardirqs.h"
#include "bits.bpf.h"
#include "maps.bpf.h"
```
```
This program includes the standard header files required for eBPF development, as well as custom header files for defining data structures and maps.
This program includes the standard header files required for eBPF development, as well as custom header files for defining data structures and maps.
2. Define global variables and maps:
```c
```c
#define MAX_ENTRIES 256
const volatile bool filter_cg = false;
@@ -194,17 +193,17 @@ This code is an eBPF program used to capture and analyze the execution informati
const volatile bool do_count = false;
...
```
```
This program defines some global variables that are used to configure the behavior of the program. For example, `filter_cg` controls whether to filter cgroups, `targ_dist` controls whether to display the distribution of execution time, etc. Additionally, the program defines three maps for storing cgroup information, start timestamps, and interrupt handler information.
This program defines some global variables that are used to configure the behavior of the program. For example, `filter_cg` controls whether to filter cgroups, `targ_dist` controls whether to display the distribution of execution time, etc. Additionally, the program defines three maps for storing cgroup information, start timestamps, and interrupt handler information.
3. Define two helper functions `handle_entry` and `handle_exit`:
These two functions are called at the entry and exit points of the interrupt handler. `handle_entry` records the start timestamp or updates the interrupt count, while `handle_exit` calculates the execution time of the interrupt handler and stores the result in the corresponding information map.
These two functions are called at the entry and exit points of the interrupt handler. `handle_entry` records the start timestamp or updates the interrupt count, while `handle_exit` calculates the execution time of the interrupt handler and stores the result in the corresponding information map.
4. Define the entry points of the eBPF program:
```c
```c
SEC("tp_btf/irq_handler_entry")
int BPF_PROG(irq_handler_entry_btf, int irq, struct irqaction *action)
{
@@ -228,15 +227,15 @@ This code is an eBPF program used to capture and analyze the execution informati
{
return handle_exit(irq, action);
}
```
```
Here, four entry points of the eBPF program are defined, which are used to capture the entry and exit events of the interrupt handler. `tp_btf` and `raw_tp` represent capturing events using BPF Type Format (BTF) and raw tracepoints, respectively. This ensures that the program can be ported and run on different kernel versions.
Here, four entry points of the eBPF program are defined, which are used to capture the entry and exit events of the interrupt handler. `tp_btf` and `raw_tp` represent capturing events using BPF Type Format (BTF) and raw tracepoints, respectively. This ensures that the program can be ported and run on different kernel versions.
The code for Softirq is similar, and I won't elaborate on it here.
## Run code.Translated content
"eunomia-bpf is an open-source eBPF dynamic loading runtime and development toolchain that combines Wasm. Its purpose is to simplify the development, building, distribution, and execution of eBPF programs. You can refer to <https://github.com/eunomia-bpf/eunomia-bpf> to download and install the ecc compilation toolchain and ecli runtime. We use eunomia-bpf to compile and run this example.
eunomia-bpf is an open-source eBPF dynamic loading runtime and development toolchain that combines Wasm. Its purpose is to simplify the development, building, distribution, and execution of eBPF programs. You can refer to <https://github.com/eunomia-bpf/eunomia-bpf> to download and install the ecc compilation toolchain and ecli runtime. We use eunomia-bpf to compile and run this example.
To compile this program, use the ecc tool:

2
src/11-bootstrap/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 11: Using libbpf to Develop User-Space Programs in eBPF and Trace exec() and exit() System Calls
# eBPF Tutorial by Example 11: Develop User-Space Programs with libbpf and Trace exec() and exit()
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool on the Linux kernel. It allows developers to dynamically load, update, and run user-defined code during kernel runtime.

16
src/12-profile/README_en.md
View File

@@ -162,17 +162,19 @@ Use the `bpf_get_stack()` function to get kernel stack information. Store the re
```c
event->ustack_sz = bpf_get_stack(ctx, event->ustack, sizeof(event->ustack), BPF_F_USER_STACK);
```Using the `bpf_get_stack()` function with the `BPF_F_USER_STACK` flag retrieves information about the user space stack. Store the result in `event->ustack` and its size in `event->ustack_sz`.
```
Using the `bpf_get_stack()` function with the `BPF_F_USER_STACK` flag retrieves information about the user space stack. Store the result in `event->ustack` and its size in `event->ustack_sz`.
8. Submit the event to the Ring Buffer:
```c
```c
bpf_ringbuf_submit(event, 0);
```
```
Finally, use the `bpf_ringbuf_submit()` function to submit the event to the Ring Buffer for the user space program to read and process.
Finally, use the `bpf_ringbuf_submit()` function to submit the event to the Ring Buffer for the user space program to read and process.
This kernel mode eBPF program captures the program's execution flow by sampling the kernel stack and user space stack of the program periodically. These data are stored in the Ring Buffer for the user mode `profile` program to read.
This kernel mode eBPF program captures the program's execution flow by sampling the kernel stack and user space stack of the program periodically. These data are stored in the Ring Buffer for the user mode `profile` program to read.
### User Mode Section
@@ -286,7 +288,7 @@ static void show_stack_trace(__u64 *stack, int stack_sz, pid_t pid)
blazesym_result_free(result);
}
``` /* Receive events from the ring buffer. */".```c
/* Receive events from the ring buffer. */
static int event_handler(void *_ctx, void *data, size_t size)
{
struct stacktrace_event *event = data;
@@ -327,4 +329,4 @@ Through this introductory tutorial on eBPF, we have learned how to use eBPF prog
If you want to learn more about eBPF knowledge and practices, please refer to the official documentation of eunomia-bpf: <https://github.com/eunomia-bpf/eunomia-bpf>. You can also visit our tutorial code repository <https://github.com/eunomia-bpf/bpf-developer-tutorial> or website <https://eunomia.dev/tutorials/> for more examples and complete tutorials.
The next tutorial will further explore advanced features of eBPF. We will continue to share more content about eBPF development practices to help you better understand and master eBPF technology. We hope these contents will be helpful for your learning and practice on the eBPF development journey.
The next tutorial will further explore advanced features of eBPF. We will continue to share more content about eBPF development practices to help you better understand and master eBPF technology. We hope these contents will be helpful for your learning and practice on the eBPF development journey.

2
src/13-tcpconnlat/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 13: Statistics of TCP Connection Delay and Data Processing in User Space Using libbpf
# eBPF Tutorial by Example 13: Statistics of TCP Connection Delay with libbpf
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool used in the Linux kernel. eBPF allows developers to dynamically load, update, and run user-defined code without restarting the kernel or changing the kernel source code.

2
src/15-javagc/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 15: Capturing User-Space Java GC Event Duration Using USDT
# eBPF Tutorial by Example 15: Capturing User-Space Java GC Duration Using USDT
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool widely used in the Linux kernel. eBPF allows developers to dynamically load, update, and run user-defined code without the need to restart the kernel or modify the kernel source code. This feature provides eBPF with high flexibility and performance, making it widely applicable in network and system performance analysis. Furthermore, eBPF also supports capturing user-space application behavior using User-Level Statically Defined Tracing (USDT).

2
src/16-memleak/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 16: Memleak for Monitoring Memory Leaks
# eBPF Tutorial by Example 16: Monitoring Memory Leaks
eBPF (extended Berkeley Packet Filter) is a powerful network and performance analysis tool that is widely used in the Linux kernel. eBPF allows developers to dynamically load, update, and run user-defined code without restarting the kernel or modifying its source code.

2
src/17-biopattern/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Getting Started Hands-On Tutorial 17: Count Random/Sequential Disk I/O
# eBPF Tutorial by Example 17: Count Random/Sequential Disk I/O
eBPF (Extended Berkeley Packet Filter) is a new technology in the Linux kernel that allows users to execute custom programmes in kernel space without changing the kernel code. This provides system administrators and developers with powerful tools to gain insight into and monitor system behaviour for optimisation.

2
src/19-lsm-connect/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example: Security Detection and Defense using LSM
# eBPF Tutorial by Example 19: Security Detection and Defense using LSM
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool widely used in the Linux kernel. eBPF allows developers to dynamically load, update, and run user-defined code without restarting the kernel or modifying the kernel source code. This feature enables eBPF to provide high flexibility and performance, making it widely applicable in network and system performance analysis. The same applies to eBPF applications in security, and this article will introduce how to use the eBPF LSM (Linux Security Modules) mechanism to implement a simple security check program.

2
src/20-tc/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 20: Use eBPF for tc Traffic Control
# eBPF Tutorial by Example 20: tc Traffic Control
## Background

2
src/22-android/README_en.md
View File

@@ -1,4 +1,4 @@
# Using eBPF Programs on Android
# eBPF Tutorial by Example: Using eBPF Programs on Android
> This article mainly documents the author's exploration process, results, and issues encountered while testing the level of support for CO-RE technology based on the libbpf library on high version Android kernels in the Android Studio Emulator.
> The test was conducted by building a Debian environment in the Android Shell environment and attempting to build the eunomia-bpf toolchain and run its test cases based on this.

2
src/23-http/README_en.md
View File

@@ -1,3 +1,3 @@
# http
# eBPF Practical Tutorial: trace http requests data
TODO

2
src/24-hide/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Development Practice: Hiding Process or File Information with eBPF
# eBPF Practical Tutorial: Hiding Process or File Information
eBPF (Extended Berkeley Packet Filter) is a powerful feature in the Linux kernel that allows you to run, load, and update user-defined code without having to change the kernel source code or reboot the kernel. This capability allows eBPF to be used in a wide range of applications such as network and system performance analysis, packet filtering, and security policies.

2
src/25-signal/README.md
View File

@@ -159,7 +159,7 @@ eunomia-bpf 是一个结合 Wasm 的开源 eBPF 动态加载运行时和开发
使用方式:
```console
sudo ./ecli package.json
$ sudo ./ecli package.json
```
这个程序会对任何试图使用 `ptrace` 系统调用的程序,例如 `strace`,发出 `SIG_KILL` 信号。

2
src/25-signal/README_en.md
View File

@@ -1,4 +1,4 @@
# Terminate Malicious Processes Using bpf_send_signal
# eBPF Practical Tutorial: Terminate Malicious Processes Using bpf_send_signal
Compile:

2
src/30-sslsniff/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Practical Tutorial: Capturing Plain Text Data of Various Libraries' SSL/TLS Using uprobe
# eBPF Practical Tutorial: Capturing SSL/TLS Plain Text Data Using uprobe
With the widespread use of TLS in modern network environments, tracing microservices RPC messages has become increasingly challenging. Traditional traffic sniffing techniques often face limitations in accessing only encrypted data, preventing a genuine observation of the original communication content. This restriction poses significant obstacles to system debugging and analysis.

2
src/32-funclatency/README_en.md
View File

@@ -2,4 +2,4 @@
TODO: make it work
from https://github.com/iovisor/bcc/blob/master/libbpf-tools/funclatency.c.
from <https://github.com/iovisor/bcc/blob/master/libbpf-tools/funclatency.c>.

2
src/4-opensnoop/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 4: Capturing Process Opening Files and Filter with Global Variables
# eBPF Tutorial by Example 4: Capturing Opening Files and Filter with Global Variables
eBPF (Extended Berkeley Packet Filter) is a kernel execution environment that allows users to run secure and efficient programs in the kernel. It is commonly used for network filtering, performance analysis, security monitoring, and other scenarios. The power of eBPF lies in its ability to capture and modify network packets or system calls at runtime in the kernel, enabling monitoring and adjustment of the operating system's behavior.

2
src/5-uprobe-bashreadline/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 5: Capturing readline Function Calls with uprobe
# eBPF Tutorial by Example 5: Capturing readline Function Calls with Uprobe
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool on the Linux kernel that allows developers to dynamically load, update, and run user-defined code at runtime.

2
src/6-sigsnoop/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 6: Capturing Process Signal Sending and Using a Hash Map to Store State
# eBPF Tutorial by Example 6: Capturing Signal Sending and Store State with Hash Maps
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool on the Linux kernel that allows developers to dynamically load, update, and run user-defined code at runtime.

2
src/7-execsnoop/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 7: Capturing Process Execution Event, Printing Output with perf event array
# eBPF Tutorial by Example 7: Capturing Process Execution, Output with perf event array
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool on the Linux kernel that allows developers to dynamically load, update, and run user-defined code at runtime.

2
src/8-exitsnoop/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 8: Monitoring Process Exit Events, Print Output with Ring Buffer
# eBPF Tutorial by Example 8: Monitoring Process Exit Events, Output with Ring Buffer
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool on the Linux kernel. It allows developers to dynamically load, update, and run user-defined code at runtime in the kernel.

2
src/9-runqlat/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Tutorial by Example 9: Capturing Process Scheduling Latency and Recording as Histogram
# eBPF Tutorial by Example 9: Capturing Scheduling Latency and Recording as Histogram
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool on the Linux kernel. It allows developers to dynamically load, update, and run user-defined code at runtime.

10
src/SUMMARY.md
View File

@@ -1,6 +1,10 @@
# Summary
# eBPF 开发实践教程:基于 CO-RE通过小工具快速上手 eBPF 开发
# eBPF 实践教程:基于 libbpf 和 CO-RE
这是一个基于 `CO-RE`(一次编译,到处运行)的 eBPF 的开发教程,提供了从入门到进阶的 eBPF 开发实践,包括基本概念、代码实例、实际应用等内容。和 BCC 不同的是,我们使用 libbpf、Cilium、libbpf-rs、eunomia-bpf 等框架进行开发,包含 C、Go、Rust 等语言的示例。
本教程不会进行复杂的概念讲解和场景介绍,主要希望提供一些 eBPF 小工具的案例(**非常短小,从二十行代码开始入门!**),来帮助 eBPF 应用的开发者快速上手 eBPF 的开发方法和技巧。教程内容可以在目录中找到,每个目录都是一个独立的 eBPF 工具案例。
教程关注于可观测性、网络、安全等等方面的 eBPF 示例:
- [介绍 eBPF 的基本概念、常见的开发工具](0-introduce/README.md)
- [eBPF Hello World基本框架和开发流程](1-helloworld/README.md)
@@ -36,7 +40,7 @@
- [BPF的生命周期使用 Detached 模式在用户态应用退出后持续运行 eBPF 程序](28-detach/README.md)
- [使用 eBPF 用户态捕获多种库的 SSL/TLS 明文数据](30-sslsniff/README.md)
# bcc tutorial
# bcc 教程与文档
- [BPF Features by Linux Kernel Version](bcc-documents/kernel-versions.md)
- [Kernel Configuration for BPF Features](bcc-documents/kernel_config.md)

16
src/SUMMARY_en.md
View File

@@ -1,6 +1,14 @@
# Summary
# eBPF Tutorial by Example: Learning CO-RE eBPF Step by Step with Tools
# eBPF Practice Tutorial: Based on libbpf and CO-RE
[![CI](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/main.yml/badge.svg)](https://github.com/eunomia-bpf/bpf-developer-tutorial/actions/workflows/main.yml)
Dive straight into eBPF development with this concise tutorial, built around the powerful CO-RE (Compile Once, Run Everywhere) philosophy. Whether you're a newbie or a pro, we've got you covered with:
- 🛠 **Practical Examples:** Start coding with bite-sized examples, some as short as just 20 lines!
- 🔍 **Focused Learning:** We prioritize hands-on learning, skipping the lengthy theory. Each directory offers an independent eBPF tool example.
- 💼 **Modern Frameworks:** Get comfortable with the latest eBPF frameworks such as libbpf, Cilium, libbpf-rs, and eunomia-bpf.
- 🌐 **Multi-language Support:** Play with code samples in C, Go, and Rust.
- 🌍 **Bilingual Content:** This tutorial is available in both Chinese and English. For the English version, click [here](README_en.md) or check the README_en.md inside each directory.
- [Introduction to basic concepts of eBPF and common development tools](0-introduce/README.md)
- [eBPF Hello World, basic framework and development process](1-helloworld/README.md)
@@ -27,7 +35,7 @@
- [Using eBPF programs on Android](22-android/README.md)
- [Tracing HTTP requests or other layer 7 protocols using eBPF](23-http/README.md)
- [Capturing Plain Text Data of Various Libraries' SSL/TLS Using uprobe](30-sslsniff/README_en.md)
- [Capturing Plain Text Data of Various Libraries' SSL/TLS Using uprobe](30-sslsniff/README.md)
- [Accelerating network request forwarding using sockops](29-sockops/README.md)
- [Hiding process or file information using eBPF](24-hide/README.md)
- [Terminating processes by sending signals using bpf_send_signal](25-signal/README.md)
@@ -41,4 +49,4 @@
- [Kernel Configuration for BPF Features](bcc-documents/kernel_config.md)
- [bcc Reference Guide](bcc-documents/reference_guide.md)
- [Special Filtering](bcc-documents/special_filtering.md)
- [bcc Tutorial](bcc-documents/tutorial.md)".- [bcc Python Developer Tutorial](bcc-documents/tutorial_bcc_python_developer.md)
- [bcc Tutorial](bcc-documents/tutorial.md)".- [bcc Python Developer Tutorial](bcc-documents/tutorial_bcc_python_developer.md)