
🔬 eBPF Intro for Shell Users

eBPF (extended Berkeley Packet Filter) lets you run sandboxed, kernel-verified programs inside the Linux kernel without changing kernel source or loading kernel modules. For shell users it provides visibility into system behavior (syscalls, file access, process execution, network connections) that used to require custom kernel modules or heavyweight tracing.


🎯 What is eBPF?

Originally designed for packet filtering, eBPF has evolved into a powerful virtual machine inside the Linux kernel that can safely execute bytecode at various kernel hooks.

Key Characteristics

  • Sandboxed: programs run in a restricted in-kernel VM and can only touch memory through helper functions and maps
  • Verified: the kernel verifier rejects programs with unbounded loops or unchecked memory accesses before they are loaded
  • Efficient: JIT-compiled to native code on common architectures
  • Dynamic: programs can be loaded and unloaded at runtime without a reboot

๐Ÿ› ๏ธ eBPF Tools Ecosystem

bpftrace

A high-level tracing language for Linux eBPF, well suited to shell users because a complete tracer fits in a one-liner:

# Trace openat() syscalls. Modern libc implements open() via openat(),
# and the legacy sys_enter_open tracepoint is absent on some architectures
# (arm64 has no open syscall), so openat is the one to start with.
bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s opened %s\n", comm, str(args->filename)); }'

BCC (BPF Compiler Collection)

Python front-ends (with the BPF program itself written in C) for more complex eBPF programming, plus a collection of ready-made tools. The path differs by distribution: /usr/share/bcc/tools/ on RHEL/Fedora, while Debian/Ubuntu install each tool as /usr/sbin/<tool>-bpfcc (e.g. execsnoop-bpfcc).

# Monitor process execution (prints argv, which comm alone cannot show)
/usr/share/bcc/tools/execsnoop

# Trace file opens, including failed attempts (see the ERR column)
/usr/share/bcc/tools/opensnoop

bpftool

The kernel's own eBPF management tool (maintained in the kernel tree, packaged as bpftool or as part of linux-tools). Enumerating loaded programs is also a quick defensive check for eBPF programs you did not load:

# List loaded eBPF programs with their type, tag and load time
bpftool prog list

# Show the contents of a map pinned in the BPF filesystem
bpftool map dump pinned /sys/fs/bpf/my_map


🔧 Basic eBPF Concepts for Shell Users

Probes and Tracepoints

Tracepoints are static hooks with a stable, documented argument format. kprobes attach to almost any kernel function but break when the function is renamed or inlined. uprobes do the same for user-space binaries and need the symbol to be present in the ELF symbol table.

# Kernel tracepoints (stable API; the available fields are listed in
# /sys/kernel/tracing/events/syscalls/sys_enter_openat/format)
bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("Opening: %s\n", str(args->filename)); }'

# Kernel kprobes (function-level tracing; internal functions come and go
# between kernel versions, so confirm the symbol first with: bpftrace -l 'kprobe:do_sys_open*')
bpftrace -e 'kprobe:do_sys_open { printf("do_sys_open called by %s\n", comm); }'

# User-space uprobes (readline is exported by bash and reliably resolvable;
# main is often missing from a stripped binary's symbol table)
bpftrace -e 'uprobe:/bin/bash:readline { printf("bash is reading a command line\n"); }'

Maps (Data Storage)

Maps are kernel-resident key/value stores shared between the eBPF program and user space. In bpftrace every @variable is a map; the example below counts openat() calls per process name and prints the table every 5 seconds:

# Count openat() calls by process name
bpftrace -e '
tracepoint:syscalls:sys_enter_openat {
  @counts[comm] = count();
}
interval:s:5 {
  print(@counts);
  clear(@counts);
}'

🚀 Quick Start Examples

Monitor File Access

# Simple file access monitor. Both probes expose args->filename. Drop the
# sys_enter_open line on kernels or architectures without a legacy open
# syscall (e.g. arm64), otherwise bpftrace fails to attach.
bpftrace -e '
tracepoint:syscalls:sys_enter_open,
tracepoint:syscalls:sys_enter_openat {
  printf("%-6d %-16s %s\n", pid, comm, str(args->filename));
}'
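The two-probe monitor above fails if one of the named tracepoints does not exist on the running kernel (arm64 has no legacy open syscall, and openat2 only exists from 5.6). The wrapper below is an added example, not code from the original page: it looks in the tracefs events directory, keeps whichever of sys_enter_open, sys_enter_openat and sys_enter_openat2 are present, and generates the probe list for bpftrace. The TRACEFS_EVENTS variable, the helper names and the sample directory layout are this example's own assumptions; invoke it with --run as root to actually trace.

```bash
#!/usr/bin/env bash
# Added example: discover which open-family syscall tracepoints this kernel
# exposes and trace only those, so the tracer does not fail on kernels or
# architectures (e.g. arm64) that have openat but no legacy open syscall.
set -eu

# Default tracefs location; older systems only have the debugfs mirror.
TRACEFS_EVENTS=${TRACEFS_EVENTS:-/sys/kernel/tracing/events}
[ -d "$TRACEFS_EVENTS" ] || TRACEFS_EVENTS=/sys/kernel/debug/tracing/events

# Print, one per line, the open-family tracepoints that exist under the
# given events directory.
open_tracepoints() {
  events_dir=$1
  for tp in sys_enter_open sys_enter_openat sys_enter_openat2; do
    [ -d "$events_dir/syscalls/$tp" ] && echo "$tp"
  done
  return 0
}

# Build the bpftrace attach list "tracepoint:syscalls:A,tracepoint:syscalls:B".
probe_list() {
  events_dir=$1
  list=""
  for tp in $(open_tracepoints "$events_dir"); do
    list="${list:+$list,}tracepoint:syscalls:$tp"
  done
  printf '%s' "$list"
}

# Constructed sample tracefs layout for offline testing: an arm64-like
# kernel with openat and openat2 but no legacy open.
make_sample_events_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/syscalls/sys_enter_openat" "$d/syscalls/sys_enter_openat2" \
           "$d/syscalls/sys_enter_read"
  printf '%s' "$d"
}

main() {
  probes=$(probe_list "$TRACEFS_EVENTS")
  if [ -z "$probes" ]; then
    echo "no open-family tracepoints under $TRACEFS_EVENTS (tracefs mounted? running as root?)" >&2
    exit 1
  fi
  # All three tracepoints expose args->filename, so one action body serves them all.
  exec bpftrace -e "$probes { printf(\"%-6d %-16s %s\\n\", pid, comm, str(args->filename)); }"
}

# Only start tracing when asked, so the helpers above can be sourced and tested.
if [ "${1:-}" = "--run" ]; then main; fi
```

The same discovery trick (list what tracefs actually has, then generate the program) applies to any probe set that differs between kernels; bpftrace -l with a wildcard is the interactive equivalent.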

Process Execution Tracking

# Track new processes. At sys_enter_execve, comm is still the caller's name
# (e.g. bash), not the program being started, so print the filename and the
# full argv instead of relying on comm.
bpftrace -e '
tracepoint:syscalls:sys_enter_execve {
  printf("EXEC: %-6d %-16s %s ", pid, comm, str(args->filename));
  join(args->argv);
}'

Network Connection Monitoring

# Monitor outbound IPv4 TCP connects. tcp_v4_connect is an internal kernel
# function (IPv6 uses tcp_v6_connect); tracepoint:syscalls:sys_enter_connect
# is the stable alternative if the kprobe fails to attach.
bpftrace -e '
kprobe:tcp_v4_connect {
  printf("TCP CONNECT: %-6d %-16s\n", pid, comm);
}'

๐Ÿ›ก๏ธ Safety and Permissions

Required Capabilities

Loading eBPF programs is a privileged operation: whoever can load a tracing program can read any kernel or process memory it can reach, so treat eBPF access as root-equivalent. Kernels 5.8+ split the BPF parts out of CAP_SYS_ADMIN into CAP_BPF and CAP_PERFMON, but bpftrace still needs tracefs and kernel symbol addresses, which are root-only by default. The kernel.unprivileged_bpf_disabled sysctl (1 or 2 on most current distributions) blocks bpf() for unprivileged users and does not affect root.

# Most eBPF tools require root privileges
sudo bpftrace script.bt

# File capabilities let anyone who can execute the binary load kernel code;
# cap_sys_admin is root-equivalent, so if you do this, restrict who can run
# the binary (e.g. a dedicated group and mode 0750)
sudo setcap cap_sys_admin,cap_sys_resource+ep /usr/bin/bpftrace

Kernel Version Requirements

# Check kernel version
uname -r  # 4.18+ recommended; 5.8+ adds CAP_BPF/CAP_PERFMON

# Check eBPF support (expect CONFIG_BPF=y, CONFIG_BPF_SYSCALL=y, CONFIG_BPF_JIT=y)
grep CONFIG_BPF /boot/config-$(uname -r)
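Before the first session it is worth checking all of the above in one go. This is an added pre-flight script, not from the original page; version_ge and kconfig_enabled are its own helpers, and the sample Kconfig fragment is constructed for offline testing. Run it with --run on the target host.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before the first bpftrace session. Reports
# the kernel version, BPF-related Kconfig options, whether tracefs is mounted,
# and the two sysctls that most often get in the way.
set -eu

# Return 0 if dotted version ACTUAL (e.g. "6.5.0-14-generic") is >= MINIMUM.
# Anything after the first '-' and non-digit suffixes such as "0rc1" are ignored.
version_ge() {
  a=${1%%-*}; b=${2%%-*}
  i=1
  while [ "$i" -le 3 ]; do
    # Trailing '.' guarantees cut -s sees a delimiter even for "6" alone.
    x=$(printf '%s.\n' "$a" | cut -s -d. -f"$i"); x=${x%%[!0-9]*}
    y=$(printf '%s.\n' "$b" | cut -s -d. -f"$i"); y=${y%%[!0-9]*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Return 0 if OPTION is set to y or m in the Kconfig file at PATH.
kconfig_enabled() {
  grep -Eq "^$2=[ym]$" "$1"
}

# Emit the running kernel's config: /boot/config-* on most distributions, or
# /proc/config.gz when the kernel was built with CONFIG_IKCONFIG_PROC.
kernel_config() {
  if [ -r "/boot/config-$(uname -r)" ]; then
    cat "/boot/config-$(uname -r)"
  elif [ -r /proc/config.gz ]; then
    zcat /proc/config.gz
  fi
}

# Constructed sample Kconfig fragment for offline testing (not a real kernel's config).
sample_kconfig() {
  f=$(mktemp)
  printf '%s\n' 'CONFIG_BPF=y' 'CONFIG_BPF_SYSCALL=y' \
                '# CONFIG_BPF_JIT is not set' 'CONFIG_DEBUG_INFO_BTF=y' > "$f"
  printf '%s' "$f"
}

main() {
  kver=$(uname -r)
  if version_ge "$kver" 4.18; then echo "kernel $kver: ok"
  else echo "kernel $kver: older than 4.18, expect missing features"; fi

  cfg=$(mktemp); kernel_config > "$cfg"
  # BPF_EVENTS is needed for tracepoint/kprobe attachment; DEBUG_INFO_BTF lets
  # bpftrace resolve kernel struct layouts without installed headers.
  for opt in CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_BPF_JIT CONFIG_BPF_EVENTS CONFIG_DEBUG_INFO_BTF; do
    if kconfig_enabled "$cfg" "$opt"; then echo "$opt: yes"; else echo "$opt: NO"; fi
  done
  rm -f "$cfg"

  # tracefs holds tracepoint/kprobe metadata; bpftrace cannot attach without it.
  if [ -d /sys/kernel/tracing/events ] || [ -d /sys/kernel/debug/tracing/events ]; then
    echo "tracefs: mounted"
  else echo "tracefs: not found (mount -t tracefs nodev /sys/kernel/tracing)"; fi

  # 1 or 2 means unprivileged bpf() is disabled (the secure default); root is unaffected.
  echo "kernel.unprivileged_bpf_disabled = $(cat /proc/sys/kernel/unprivileged_bpf_disabled 2>/dev/null || echo n/a)"
  # kptr_restrict >= 1 hides kernel addresses from non-root, so run bpftrace as root.
  echo "kernel.kptr_restrict = $(cat /proc/sys/kernel/kptr_restrict 2>/dev/null || echo n/a)"
}

if [ "${1:-}" = "--run" ]; then main; fi
```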

🎯 Common Use Cases for Sysadmins

Performance Troubleshooting

# Find processes with high syscall rates. The wildcard attaches one probe
# per syscall (several hundred), so expect a short delay while attaching.
bpftrace -e '
tracepoint:syscalls:sys_enter_* {
  @syscalls[comm] = count();
}
interval:s:10 {
  print(@syscalls);
  exit();
}'

Security Monitoring

# Monitor access to a sensitive file. strncmp with 11 characters is a prefix
# match (it also catches /etc/passwd-). Note that the path is whatever the
# caller passed to openat(): a relative path or a hard link to the same file
# will not match, so this is visibility, not enforcement.
bpftrace -e '
tracepoint:syscalls:sys_enter_openat {
  if (strncmp(str(args->filename), "/etc/passwd", 11) == 0) {
    printf("ALERT: uid %d pid %d %s accessing /etc/passwd\n", uid, pid, comm);
  }
}'
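An allowlist turns the raw trace into something you can act on. The following is an added example, not code from the original page: the bpftrace program emits one line per open of /etc/shadow, /etc/sudoers or anything under /root/.ssh/ (prefix match, so /etc/shadow- is caught as well), and the shell function flag_unexpected reads that stream and prints an ALERT for every (comm, path) pair that is not in ALLOWLIST. The allowlist entries and the sample output lines are constructed for illustration. Two limits matter in practice: sys_enter_openat sees the path as the caller passed it, so relative paths and hard links slip past the filter (use auditd or an LSM hook if you need enforcement), and comm is set by the process itself and can be changed with prctl(PR_SET_NAME), so the allowlist is a triage aid, not a security boundary. On the plus side, sys_enter fires before permission checks, so a denied attempt by an unprivileged user is still logged.

```bash
#!/usr/bin/env bash
# Added example: trace opens of a few sensitive paths with bpftrace and
# post-filter the stream in the shell against an allowlist of processes that
# are expected to touch each path. Anything else becomes an ALERT line.
set -eu

# bpftrace program (only executed via --run). $f is a bpftrace scratch
# variable; strncmp(s, prefix, n) is a prefix match, so /etc/shadow- matches too.
BT_PROG=$(cat <<'EOF'
tracepoint:syscalls:sys_enter_openat
{
  $f = str(args->filename);
  if (strncmp($f, "/etc/shadow", 11) == 0 ||
      strncmp($f, "/etc/sudoers", 12) == 0 ||
      strncmp($f, "/root/.ssh/", 11) == 0) {
    printf("%d %d %s %s\n", uid, pid, comm, $f);
  }
}
EOF
)

# Allowlist of "comm path-prefix" pairs (constructed for this example).
ALLOWLIST='
sshd /etc/shadow
unix_chkpwd /etc/shadow
login /etc/shadow
sudo /etc/sudoers
'

# Return 0 if COMM is allowed to open PATH according to ALLOWLIST.
allowed() {
  comm=$1; path=$2
  printf '%s\n' "$ALLOWLIST" | {
    while read -r a_comm a_prefix; do
      [ -n "$a_comm" ] || continue
      case $path in
        "$a_prefix"*) [ "$a_comm" = "$comm" ] && exit 0 ;;
      esac
    done
    exit 1
  }
}

# Read "uid pid comm path" lines (the bpftrace output format above) from stdin
# and print an ALERT for every access that is not allowlisted. Lines whose
# first field is not numeric (e.g. bpftrace's "Attaching 1 probe...") are skipped.
flag_unexpected() {
  while read -r uid pid comm path; do
    case $uid in ''|*[!0-9]*) continue ;; esac
    [ -n "$path" ] || continue
    if ! allowed "$comm" "$path"; then
      printf 'ALERT uid=%s pid=%s comm=%s path=%s\n' "$uid" "$pid" "$comm" "$path"
    fi
  done
  return 0
}

# Constructed sample of what the bpftrace program prints (not real captures).
# The uid 1000 line would fail with EACCES, but sys_enter still records the attempt.
SAMPLE='Attaching 1 probe...
0 812 sshd /etc/shadow
0 2231 sudo /etc/sudoers
1000 4410 cat /etc/shadow
0 5102 python3 /root/.ssh/authorized_keys'

main() {
  command -v bpftrace >/dev/null || { echo "bpftrace not installed" >&2; exit 1; }
  sudo bpftrace -e "$BT_PROG" | flag_unexpected
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run without arguments the script defines the helpers only; printf '%s\n' "$SAMPLE" | flag_unexpected exercises the filter on the constructed sample and yields two alerts (cat and python3).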

Resource Usage Analysis

# Histogram of kmalloc() request sizes. The kmem:kmalloc tracepoint is used
# instead of kprobe:kmalloc: kmalloc is an inline function in current kernels
# (so the kprobe has no symbol to attach to) and the tracepoint has a stable,
# named bytes_req field.
bpftrace -e '
tracepoint:kmem:kmalloc {
  @bytes = hist(args->bytes_req);
}
interval:s:30 {
  print(@bytes);
  clear(@bytes);
}'

🧪 Environment Setup

Installation (Ubuntu/Debian)

# Install bpftrace
sudo apt install bpftrace

# Install BCC tools (installed as /usr/sbin/<tool>-bpfcc on Debian/Ubuntu)
sudo apt install bpfcc-tools linux-headers-$(uname -r)

# Verify installation (needs root; prints the message and exits)
sudo bpftrace -e 'BEGIN { printf("Hello eBPF!\n"); exit(); }'

Installation (CentOS/RHEL)

# Enable EPEL and install. On RHEL/CentOS Stream 8+ and Fedora both packages
# are in the base repositories, so epel-release is not needed there (yum is
# an alias for dnf on those releases); CentOS 7's 3.10 kernel lacks most of
# what bpftrace needs regardless.
sudo yum install epel-release
sudo yum install bpftrace bcc-tools

# Or use snap
sudo snap install --devmode bpftrace

Docker Environment

# Run bpftrace in a container. --privileged hands the container full host
# root (it loads code into the shared kernel), and --pid=host makes process
# IDs and /proc match what the kernel reports.
docker run --rm -it --privileged --pid=host \
  -v /sys/kernel/debug:/sys/kernel/debug:rw \
  -v /lib/modules:/lib/modules:ro \
  quay.io/iovisor/bpftrace:latest \
  bpftrace -e 'BEGIN { printf("Hello from container!\n"); exit(); }'

🧾 Summary

  • ✅ No kernel modifications or modules required
  • ✅ Low overhead: programs are JIT-compiled and run in kernel context
  • ✅ Dynamic instrumentation at runtime
  • ✅ Verified before loading, though loading still requires root-level privilege
  • ✅ Rich ecosystem of tools and languages


🧾 See Also