eBPF originated from the Berkeley Packet Filter (BPF), an older technology developed on BSD. As the name implies, BPF is an architecture for filtering network packets.

BPF was first introduced into Linux in 1997. The packet filtering mechanism in the Linux kernel actually has its own name: Linux Socket Filter, or LSF for short.


Starting with 3.15 a new BPF design was introduced, and in 3.17 it moved into its own kernel/bpf directory. The new design was eventually named extended BPF (eBPF); for backward compatibility, the traditional BPF was retained and renamed classic BPF (cBPF). Compared with cBPF, eBPF brought revolutionary changes: on the one hand, it opened up kernel tracing, application performance tuning/monitoring, traffic control and other fields; on the other hand, eBPF also brings significant improvements in interface design and ease of use.

The functionality covered by cBPF is narrow, namely network monitoring and seccomp, with a simple data interface; eBPF covers a much wider range (performance tuning, kernel monitoring, traffic control, and so on) and offers a variety of data interface designs.

In the source tree, BPF grew from a single file (net/core/filter.c) into a directory (kernel/bpf).

LLVM is currently the only compiler that can generate BPF bytecode; even though the Linux kernel itself is built with GCC, the BPF samples under the samples directory must be compiled with LLVM.


1. Operation monitoring

eBPF is, in effect, a lighter-weight alternative to a kernel module: shorter and more efficient. The code injected through eBPF is meant to run inside the kernel, which can pose security risks.

To minimize those risks, a code-checking mechanism already existed in the cBPF era to reject non-conforming injected code; eBPF adds a far more elaborate verifier, which performs a series of safety checks when a program is loaded (bpf_load_program()).
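To make concrete what "an architecture for filtering network packets" and the load-time checks mean, here is an added example (not code from the original post or from the Linux kernel): a miniature interpreter for a subset of the classic BPF instruction set, with a pre-load checker modelled on the kernel's classic-BPF checks. The opcode names, the sample frames and the constants are constructed for this example; the filter program is the instruction sequence that corresponds to the tcpdump expression "ip and tcp".

```python
"""A miniature classic-BPF (cBPF) machine with a load-time checker.

Added example, not code from the original post or from the Linux kernel.
It models two points made in the text: cBPF is a small instruction set for
filtering packets, and the kernel inspects a program before it runs.
The opcode names, sample frames and constants are constructed here; the
filter program is the instruction sequence that corresponds to the tcpdump
expression "ip and tcp".
"""
from collections import namedtuple

# One instruction, laid out like struct sock_filter: opcode, jump-if-true,
# jump-if-false (both relative, forward only) and an immediate k.
Insn = namedtuple("Insn", "code jt jf k")

LDH_ABS = "ldh_abs"   # A = 16-bit big-endian load from packet[k]
LDB_ABS = "ldb_abs"   # A = byte at packet[k]
JEQ_K = "jeq_k"       # pc += 1 + (jt if A == k else jf)
RET_K = "ret_k"       # return k: bytes to accept, 0 means drop

MAX_INSNS = 4096      # BPF_MAXINSNS in the kernel


def check_program(prog):
    """Static checks in the spirit of the kernel's classic BPF checker.

    Returns None when the program is acceptable, otherwise a string naming the
    first violation. Only forward jumps to existing instructions are allowed
    and the program must end in RET, so every accepted program terminates.
    """
    if not prog or len(prog) > MAX_INSNS:
        return "program is empty or too long"
    for pc, insn in enumerate(prog):
        if insn.code not in (LDH_ABS, LDB_ABS, JEQ_K, RET_K):
            return f"pc {pc}: unknown opcode {insn.code!r}"
        if insn.code == JEQ_K:
            if insn.jt < 0 or insn.jf < 0:
                return f"pc {pc}: backward jumps are not allowed"
            for target in (pc + 1 + insn.jt, pc + 1 + insn.jf):
                if target >= len(prog):
                    return f"pc {pc}: jump target {target} is out of range"
    if prog[-1].code != RET_K:
        return "program must end with RET"
    return None


def run_filter(prog, packet):
    """Run a checked program over one packet; returns the number of bytes accepted."""
    err = check_program(prog)
    if err is not None:
        raise ValueError(f"filter rejected at load time: {err}")
    acc, pc = 0, 0
    while True:
        insn = prog[pc]
        if insn.code in (LDH_ABS, LDB_ABS):
            width = 2 if insn.code == LDH_ABS else 1
            # A load past the end of the packet terminates with 0 (drop),
            # as the kernel does, rather than reading outside the buffer.
            if insn.k + width > len(packet):
                return 0
            acc = int.from_bytes(packet[insn.k:insn.k + width], "big")
            pc += 1
        elif insn.code == JEQ_K:
            pc += 1 + (insn.jt if acc == insn.k else insn.jf)
        else:  # RET_K
            return insn.k


# Equivalent of tcpdump -dd 'ip and tcp': EtherType at offset 12, IP protocol at 23
IP_AND_TCP = [
    Insn(LDH_ABS, 0, 0, 12),
    Insn(JEQ_K, 0, 3, 0x0800),   # not IPv4 -> pc 5 (drop)
    Insn(LDB_ABS, 0, 0, 23),
    Insn(JEQ_K, 0, 1, 6),        # not TCP  -> pc 5 (drop)
    Insn(RET_K, 0, 0, 262144),   # accept (snaplen)
    Insn(RET_K, 0, 0, 0),        # drop
]


def ether_ipv4_frame(ethertype, ip_proto):
    """Constructed 34-byte frame: 14-byte Ethernet header plus a 20-byte IPv4 header."""
    eth = bytes(6) + bytes(6) + ethertype.to_bytes(2, "big")
    ipv4 = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, ip_proto]) + bytes(10)
    return eth + ipv4


IPV4_TCP_FRAME = ether_ipv4_frame(0x0800, 6)
IPV4_UDP_FRAME = ether_ipv4_frame(0x0800, 17)
ARP_FRAME = ether_ipv4_frame(0x0806, 0)

# A program the checker must refuse: both jump targets point past the end.
BAD_PROGRAM = [Insn(JEQ_K, 5, 5, 0), Insn(RET_K, 0, 0, 0)]

if __name__ == "__main__":
    for name, frame in [("ipv4/tcp", IPV4_TCP_FRAME), ("ipv4/udp", IPV4_UDP_FRAME),
                        ("arp", ARP_FRAME), ("truncated", bytes(10))]:
        print(f"{name:10} -> {run_filter(IP_AND_TCP, frame)}")
    print("bad program:", check_program(BAD_PROGRAM))
```

The two safety properties the kernel checker enforces for classic BPF are visible here: a program is rejected before it runs if any jump could leave the instruction array or if it does not end in a return, and at run time an out-of-bounds packet load ends the program with a drop instead of a memory read. The eBPF verifier generalises exactly these ideas (bounded loops, tracked register types, checked map and packet pointers) to a much richer instruction set.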


2. The architecture

The structure is shown in the original figure (image not reproduced here).

3. BCC

Developers can now write BPF programs in C, but the compiler output is still an ELF object, and turning it into code that can actually be injected into the kernel is left to the developer. The BPF Compiler Collection (BCC) is a Python library, though a large part of its implementation is written in C and C++; the Python side wraps the application-layer interface.

BPF development with BCC still requires developers to write their own BPF program in C, but that is about all: the rest of the work, including compiling, parsing the ELF, loading the BPF code into the kernel, and creating maps, is done by BCC itself.

3.1 BCC installation

The GitHub repository is:

github.com/iovisor/bcc

To fetch the source: git clone https://github.com/iovisor/bcc.git

To install the binary packages directly on Ubuntu, run the following commands:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys D4284CDD

echo "deb https://repo.iovisor.org/apt/xenial xenial main" | sudo tee /etc/apt/sources.list.d/iovisor.list

sudo apt-get update

sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)

After this, the Python examples under BCC's examples/tracing directory can be run.
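The BCC workflow described in this section (write the kernel-side program in C, let BCC compile, verify, load it and create the maps, then read results from Python) looks like the following added example. It is not code from the original post and not one of BCC's own samples; it assumes BCC's Python bindings are installed, that it runs as root on a Linux kernel with kprobes, and that BCC's get_syscall_fnname() resolves the execve entry symbol. The map name counts, the kprobe function name trace_execve and the alert threshold are choices made for this example.

```python
"""Count execve() calls per process with BCC and read the BPF map from Python.

Added example: not code from the original post nor one of BCC's own samples.
Assumptions (not stated on the page): BCC's Python bindings are installed,
the script runs as root on a Linux kernel with kprobes enabled, and BCC
resolves the execve entry symbol through get_syscall_fnname().
"""
import time

try:
    from bcc import BPF          # BCC's Python bindings (Linux only)
except ImportError:              # keep the module importable where BCC is absent
    BPF = None

# The kernel side is plain C. BCC compiles it with LLVM at run time, submits
# it to the kernel verifier, creates the 'counts' map and attaches the kprobe;
# the developer writes only this program.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>

// key: PID (tgid), value: number of execve() entries seen for that PID
BPF_HASH(counts, u32, u64);

int trace_execve(struct pt_regs *ctx) {
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    u64 zero = 0;
    u64 *val = counts.lookup_or_try_init(&pid, &zero);
    if (val) {
        (*val)++;       // the verifier requires this NULL check before the write
    }
    return 0;
}
"""


def load_and_attach():
    """Compile, verify and load the program, then hook the execve syscall entry."""
    if BPF is None:
        raise RuntimeError("BCC Python bindings are not installed")
    b = BPF(text=BPF_PROGRAM)
    b.attach_kprobe(event=b.get_syscall_fnname("execve"), fn_name="trace_execve")
    return b


def snapshot_counts(table):
    """Copy a BCC hash table (or any {key: value} mapping) into {pid: count}.

    BCC yields ctypes objects, so the .value attribute is unwrapped when present.
    """
    unwrap = lambda x: getattr(x, "value", x)
    return {int(unwrap(k)): int(unwrap(v)) for k, v in table.items()}


def top_execvers(counts, n=5):
    """PIDs with the most execve() calls, highest first (ties by PID)."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def flag_bursts(counts, threshold):
    """PIDs whose execve() count reached the threshold within one sampling window.

    A single process exec'ing many children in a few seconds is a common thing
    to review (scripted loops, unexpected child spawning); the threshold used
    in main() is a constructed example value, not a tuned detection rule.
    """
    return sorted(pid for pid, c in counts.items() if c >= threshold)


def main(interval=5.0, threshold=20):
    b = load_and_attach()
    print("tracing execve() per PID, Ctrl-C to stop")
    try:
        while True:
            time.sleep(interval)
            counts = snapshot_counts(b["counts"])
            for pid, c in top_execvers(counts):
                print(f"pid {pid:>7}  execve calls {c}")
            for pid in flag_bursts(counts, threshold):
                print(f"ALERT: pid {pid} made {counts[pid]} execve() calls in {interval}s")
            b["counts"].clear()      # start a fresh window
    except KeyboardInterrupt:
        pass


if __name__ == "__main__":
    main()
```

Everything between BPF(text=...) and the first read of b["counts"] is the work the text attributes to BCC: invoking LLVM, handing the bytecode to the verifier, creating the map, and attaching the probe. The pure-Python helpers (snapshot_counts, top_execvers, flag_bursts) are the part a practitioner would extend, for instance by attaching the PID's command name from /proc before alerting.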