eBPF is derived from the traditional technology BPF (Berkeley Packet Filter) formed on BSD in the early years. The full name of BPF is Berkeley Packet Filter. As the name suggests, this is an architecture for filtering network packets.
BPF was first introduced into Linux in 1997. The packet filtering mechanism in the Linux kernel actually has its own name: Linux Socket Filter, or LSF for short.
Beginning with 3.15, a new set of designs derived from BPF started, and was added under kernel/bpf in 3.17. The new design was eventually named extended BPF (eBPF); for backward compatibility, the traditional BPF was retained and renamed to classic BPF (cBPF). Compared with cBPF, the changes brought by eBPF can be described as revolutionary: on the one hand, it has brought exciting changes to areas such as Kernel Tracing, application performance tuning/monitoring, and Traffic Control. On the other hand, eBPF has also made great improvements in interface design and ease of use.
The scope of functions covered by cBPF is very simple, including network monitoring and seccomp, and extensive data interface design; while eBPF has a much wider range of uses, such as performance tuning, kernel monitoring, flow control, etc., and the diversity of data interfaces design.
Evolved from a file (net/core/filter.c) to a directory (kernel/bpf)
Currently, only llvm is the only compiler that supports generating BPF pseudocode. Even if the Linux kernel is compiled with gcc throughout, the bpf examples in the samples directory must be compiled with llvm.
1. Operation monitoring
eBPF is actually a kernel module, which is shorter and more compact than the kernel module, and has more novel functions. The code injected by eBPF is to be run in the kernel, which will cause security risks.
In order to maximize the control of security risks, the cBPF era began to add a code inspection mechanism to prevent non-standard injection code; in eBPF, a more complex verifier mechanism was added when the program (bpf_load_program()) was loaded, and a series of Security check.
2. Architecture
The architecture is as follows:
3. bcc
Now C can be used to implement BPF, but the compiled files are still ELF files, and developers need to manually extract the code that can actually be injected into the kernel. This work is a bit troublesome, so someone designed the BPF Compiler Collection (BCC). BCC is a python library, but a large part of the implementation is based on C and C++, and python implements the encapsulation of the BCC application layer interface.
Using BCC for BPF development still requires developers to use C to design BPF programs - but that's all, the rest of the work, including compiling, parsing ELF, loading BPF code blocks, and creating maps, etc. can basically be done by BCC alone Affordable, no need to bother developers.
3.1 bcc installation
The address link of github is as follows:
https://github.com/iovisor/bcc
Execute: git clone https://github.com/iovisor/bcc.git
To install the binaries directly in Ubuntu, the command is as follows:
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys D4284CDD
echo "deb https://repo.iovisor.org/apt/xenial xenial main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
This makes it possible to use the python use case from bcc/example/tracing.