# eBPF 入门开发实践指南二:Hello World,基本框架和开发流程 eBPF (Extended Berkeley Packet Filter) 是 Linux 内核上的一个强大的网络和性能分析工具。它允许开发者在内核运行时动态加载、更新和运行用户定义的代码。 本文是 eBPF 入门开发实践指南的第二篇,主要介绍 eBPF 的基本框架和开发流程。 ## Hello World - minimal eBPF program ```c /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */ #define BPF_NO_GLOBAL_DATA #include #include #include typedef unsigned int u32; typedef int pid_t; const pid_t pid_filter = 0; char LICENSE[] SEC("license") = "Dual BSD/GPL"; SEC("tp/syscalls/sys_enter_write") int handle_tp(void *ctx) { pid_t pid = bpf_get_current_pid_tgid() >> 32; if (pid_filter && pid != pid_filter) return 0; bpf_printk("BPF triggered from PID %d.\n", pid); return 0; } ``` `minimal` is just that – a minimal practical BPF application example. It doesn't use or require BPF CO-RE, so should run on quite old kernels. It installs a tracepoint handler which is triggered once every second. It uses `bpf_printk()` BPF helper to communicate with the world. ```console $ sudo ecli examples/bpftools/minimal/package.json Runing eBPF program... ``` To see it's output, read `/sys/kernel/debug/tracing/trace_pipe` file as a root: ```shell $ sudo cat /sys/kernel/debug/tracing/trace_pipe <...>-3840345 [010] d... 3220701.101143: bpf_trace_printk: BPF triggered from PID 3840345. <...>-3840345 [010] d... 3220702.101265: bpf_trace_printk: BPF triggered from PID 3840345. ``` `minimal` is great as a bare-bones experimental playground to quickly try out new ideas or BPF features. ## Compile and Run with eunomia-bpf Compile: ```console docker run -it -v `pwd`/:/src/ yunwei37/ebpm:latest ``` or compile with `ecc`: ```console $ ecc minimal.bpf.c Compiling bpf object... Packing ebpf object and config into package.json... ``` Run: ```console sudo ecli ./package.json ```