Category: BPF articles

Introduction, Usage, and Examples of BPF Trace Mechanism Rawtracepoint

Read the article at: https://www.ebpf.top/post/en/bpf_rawtracepoint

Contents:
1. Common Hook Types in eBPF Trace
2. BPF Rawtracepoint
   2.1 Trace Performance Enhanced by 20%
   2.2 Rawtracepoint Tracking Event Inspection and Quantity Statistics
   2.3 Passing Parameter Changes
3. Example of Using rawtracepoint in BPF Programs
   3.1 libbpf Library (Based on CO-RE)
   3.2 Bpftrace Sample Code
See Also

1. Common Hook Types in eBPF Trace

eBPF allows tracing events in the following categories within the trace domain:
- Kernel static trace points: tracepoint / rawtracepoint / btf-tracepoint. Refer to /sys/kernel/tracing/available_events.
- Kernel dynamic trace points: k[ret]probe, fentry/fexit (based on BTF). Kprobe targets are listed in /sys/kernel/tracing/available_filter_functions.
- User-space static trace points: USDT. Viewing method: readelf -n, or the bpftrace tool, e.g. bpftrace -l 'usdt:/home/dave/ebpf/linux-tracing/usdt/main:*'
- User-space dynamic trace: u[ret]probe, with symbols obtainable via nm hello | grep main
- Performance monitoring counters: PMC, via perf_event

This article will focus on rawtracepoint within kernel static tracing, concluding with practical code examples using the libbpf development library and bpftrace.……


Introduction to BPF Manager (bpfman)

Original Article: https://www.ebpf.top/post/bpfman_fedora_40

Contents:
1. Background
2. Introducing bpfman
3. Standalone Deployment Process
4. Kubernetes Cluster Deployment Process
5. Summary
Appendix: bpfman Single Machine Verification
   Development Environment Setup
   Code Download and Compilation of bpfman
   Test Program Management Functionality

1. Background

Fedora 40 proposes bpfman as the default eBPF program manager. The open-source bpfman project gives deeper visibility into the eBPF runtime state, making it easier to manage eBPF programs (including loading, unloading, and viewing runtime status). This proposal requires approval from the Fedora Engineering Steering Committee (FESCo), but if it succeeds, bpfman is likely to appear in Fedora 40 in April to improve eBPF management. So, what exactly is bpfman? This article gives a brief introduction to bpfman and how it works.

2. Introducing bpfman

Originally named bpfd, bpfman is written in Rust on top of the Rust Aya library.……


eBPF and Network Trends Forecast for 2024

Article address: https://www.ebpf.top/post/network_and_bpf_2024

Contents:
1. eBPF
   1.1 Exponential Growth of eBPF
   1.2 eBPF Application Market
   1.3 Wider Application of eBPF in Mobile Devices
   1.4 Risks of eBPF Abuse
2. Observability
   2.1 The Most Popular Topic: Observability
   2.2 Reducing Observability Overhead
   2.3 Context-Aware Kubernetes Workloads
   2.4 AI-Assisted Network Troubleshooting
3. Networking
   3.1 Container Networking Performance Matching Host Networking Performance
   3.2 Transformation in the Networking Industry
   3.3 Cilium in Home Environments
   3.4 Network Operators Seeking LLM Help - Not All Roses
4. Cloud Native
   4.1 Kubernetes Users Pushing Back on Complexity
   4.2 IPv6-Only Kubernetes Clusters Becoming More Common
   4.3 Rapid Growth of WASM
   4.4 The Not-to-Be-Forgotten Heterogeneous Networks
   4.5 The Challenges of Platform Engineering and Network Growth

In early 2024, Nico Vibert, Senior Sales Engineer at Isovalent, made some predictions about networking and eBPF. Here, we briefly outline the important conclusions, mainly covering eBPF, Cilium, cloud native, networking, observability, and security.……


Advanced Tips for Writing BPF Applications with libbpf

Contents:
Program Framework (Skeleton)
Combine the Open and Load Stages
Selective Attachment (Attach)
Custom Load and Attach
Multiple BPF Handlers for the Same Event
Map
   Reduce Pre-allocation Overhead
   Determining Map Size at Runtime
Per-CPU
Global Variables
Note on Accessing Fields Directly Through Pointers
Conclusion

Link to this article: https://www.ebpf.top/post/top_and_tricks_for_bpf_libbpf
Original article: https://www.pingcap.com/blog/tips-and-tricks-for-writing-linux-bpf-applications-with-libbpf/

In the early days of 2020, when I was using the BCC tool to analyze our database’s performance bottlenecks and pulled code from GitHub, I unexpectedly found an extra libbpf-tools directory in the BCC project. I studied the articles on BPF Portability and BCC to libbpf Conversion and transformed the previously submitted bcc-tools into libbpf-tools based on the knowledge I had gained. Finally, I completed the conversion work for nearly 20 tools (see Why We Switched from BCC-Tools to libbpf-Tools for BPF Performance Analysis). During this process, I was fortunate to receive a lot of help from Andrii Nakryiko (the person in charge of the libbpf + BPF CO-RE project).……


Practical Guide to LSM BPF

This article is available at: https://www.ebpf.top/post/lsm_bpf_intro

Contents:
1. Background on Security
2. General Framework of the Kernel Security Policy Module LSM
   2.1 Introduction to the LSM Framework
   2.2 Architecture of LSM
   2.3 Hook Functions in LSM
3. LSM BPF
   3.1 BCC Practice
   3.2 libbpf-bootstrap Framework Practice
4. Summary
5. Appendix: Process of Finding LSM Hot Patch Kernel Vulnerabilities Monitoring Hook Points

1. Background on Security

Internationally, computer security is summarized by three main properties: Confidentiality, Integrity, and Availability (CIA). Confidentiality means that data is not visible to unauthorized individuals. Integrity means that information is not altered during storage or transmission. Availability means that one’s devices can be used when needed. Computer systems employ roughly four methods to address security challenges: isolation, control, auditing, and obfuscation. Access control governs the actions a subject may perform on objects; it primarily involves defining subjects and objects, the operations between them, and the access policies that permit or deny those operations.……


Cisco to Acquire Isovalent, Parent Company of Cilium, Expected to Complete in Q3 2024

Article link: https://www.ebpf.top/en/post/cisco_and_isovalent

On December 21, 2023, Thomas Graf, CTO & Co-founder of Isovalent, and Tom Gillis, Senior Vice President and General Manager of Cisco’s Security Business Group, announced on their respective company websites Cisco’s plan to acquire Isovalent. The acquisition price was not disclosed by either party. Following the completion of the acquisition, the Isovalent team is set to join Cisco’s Security Business Group, with the deal expected to be finalized in the third quarter of the 2024 fiscal year. Cisco has a history with Isovalent, having participated in Isovalent’s $29 million Series A funding at the end of 2020. Subsequently, in 2022, Cisco, along with Microsoft, Google, and other companies, invested $40 million in Isovalent’s Series B round. Cisco aims to strengthen its multi-cloud networking and security capabilities through this acquisition. The collaboration between Cisco and Isovalent will leverage Cilium’s open-source technology to create uniquely advanced multi-cloud security and networking functionality, helping customers simplify and accelerate their digital transformation.……


Advanced eBPF: Overview of New Kernel Features

This article link: https://www.ebpf.top/en/post/ebpf_and_kernel_feature

Contents:
BPF kfuncs
Bloom Filter Map: 5.16
Compile Once – Run Everywhere: Linux 5.17 [Kernel Space]
bpf_loop() Helper Function: 5.17
BPF_LINK_TYPE_KPROBE_MULTI: 5.18
Dynamic Pointers and Type Pointers: 5.19
USDT: 5.19
BPF panic: 6.1
BPF Memory Allocator, Linked Lists: 6.1
User Ring Buffer: 6.1
User-defined linked list support: 6.2
User-defined rbtree support: 6.3
BPF Generic Iterator: 6.4
References

In 2022, the Linux kernel primarily released versions 5.16-5.19, 6.0, and 6.1, each introducing numerous new features for eBPF. This article briefly introduces these new features; for more in-depth information, please refer to the provided links. Overall, eBPF remains one of the most active modules in the kernel, with its functionality continuously evolving at a rapid pace. In a sense, eBPF is rapidly evolving towards a comprehensive kernel-state programmable interface.

BPF kfuncs

The BPF subsystem exposes many aspects of kernel……


Practical Implementation of Load Balancer with XDP

This article is available at: https://www.ebpf.top/post/xdp_lb_demo
Author: Qiu Kang

Contents:
Creating the Network Environment
SLB Cluster
Routing
NAT Mode
Load Balancing Algorithms

With the progress of eBPF, we can now deploy eBPF/XDP programs directly on regular servers to achieve load balancing, removing the need for dedicated LVS machines. The previous article shared how to use XDP/eBPF to replace LVS for SLB. It adopted the independent-machine deployment mode for SLB and loaded the XDP program using bpftool with a hardcoded configuration; that was version 0.1. Version 0.2 changed version 0.1 to a programmatic loading mode based on a BPF skeleton. To try this workflow without changing the overall deployment mode of version 0.1, check out https://github.com/MageekChiu/xdp4slb/tree/dev-0.2. Version 0.3 added support for dynamically loading the SLB configuration from configuration files and command-line parameters. This article belongs to version 0.……


Writing eBPF Programs with Rust Aya Framework

This article can be found at: https://www.ebpf.top/post/ebpf_rust_aya

Contents:
1. Introduction
2. Setting Up the Rust Development Environment
   2.1 Create a VM Virtual Machine
   2.2 Install the Rust Development Environment
   2.3 Install Dependencies for bpf-linker and bpftool
3. Aya Guide to Creating eBPF Programs
   3.1 Creating a Project Using the Guide
   3.2 Compile the eBPF Program
   3.3 Run the User-space Program
4. Conclusion
References

1. Introduction

A significant change in Linux kernel version 6.1 is the introduction of support for the Rust programming language. Rust is a systems programming language that offers robust compile-time guarantees and precise control over memory lifetimes. Integrating Rust into kernel development brings additional safety measures to the early stages of kernel development. eBPF is a kernel technology that enables running user-defined programs in response to events, with a verifier mechanism ensuring the safety of eBPF programs running in……


eBPF: From BPF to BPF Calls to Tail Calls

Site link: https://www.ebpf.top/post/bpf2pbpf_tail_call
Author: Richard Li (original author’s permission obtained)
Original article link: https://blog.csdn.net/weixin_43705457/article/details/123474244

Contents:
1. Introduction
2. Tail Call
3. BPF to BPF Calls
4. CO-RE Sample
5. Tail Call Costs in eBPF
6. Summary
7. References

1. Introduction

This article first introduces the general restrictions and usage of tail calls, compares them with BPF to BPF calls, and finally provides a modified version I made of the tail call sample in the kernel source code (using CO-RE). (When learning about tail calls, I struggled with not having a simple and understandable example that could run, so I ended up creating one myself. I believe this version is the most beginner-friendly and logically clear among all examples currently available.)

2. Tail Call

BPF provides a capability to safely inject code when kernel events and user program events occur, allowing non-kernel developers to control the kernel.……
