Getting started with eBPF development
A landscape of Linux kernel tracing, monitoring, hooking and networking methods and tools.
Install the compiler, libbpf and the kernel headers/source
sudo apt-get install -y clang
sudo apt-get install -y libbpf-dev
sudo apt-get install -y linux-headers-$(uname -r)
# clang -target bpf does not search the multiarch include directory, so <asm/types.h>
# (pulled in by <linux/bpf.h>) is not found without this symlink (Debian/Ubuntu, x86_64)
sudo ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm
# download the kernel source matching the running kernel's major.minor,
# e.g. 5.15.0-91-generic -> tag v5.15 (shallow clone: the full history is several GB)
git clone --depth 1 --branch $(uname -r | awk -F- '{print $1}' | awk -F. '{print "v" $1 "." $2}') --single-branch https://github.com/torvalds/linux.git
The sample BPF program
#include <linux/bpf.h>

/* Place a symbol in a named ELF section. The loader reads the section name
 * ("tracepoint/<category>/<event>", "license", ...) to decide what to do with it. */
#define SEC(NAME) __attribute__((section(NAME), used))

/* BPF helpers are called by number: the "function pointer" is really the helper id
 * from <linux/bpf.h>. bpf_trace_printk writes to tracefs trace_pipe
 * (/sys/kernel/debug/tracing/trace_pipe or /sys/kernel/tracing/trace_pipe). */
static int (*bpf_trace_printk)(const char *fmt, int fmt_size,
                               ...) = (void *)BPF_FUNC_trace_printk;

/* Runs on entry to every execve() syscall; ctx points at the tracepoint's
 * argument struct (unused here). */
SEC("tracepoint/syscalls/sys_enter_execve")
int bpf_prog(void *ctx) {
    char msg[] = "Hello, BPF World!";
    bpf_trace_printk(msg, sizeof(msg));
    return 0;
}

/* bpf_trace_printk is a GPL-only helper: without a GPL-compatible license string
 * the verifier rejects the program ("cannot call GPL-restricted function"). */
char _license[] SEC("license") = "GPL";
Compile the BPF program
clang -O2 -target bpf -c bpf_program.c -o bpf_program.o
-target bpf selects the BPF backend; keep -O2, since unoptimised BPF output frequently fails verification. The result is an ELF object whose section names (the SEC() strings above) tell the loader which tracepoint to attach to and which license applies.
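The page stops at the compiled object. The following script is an added example, not code from the original page, that carries the procedure through: it compiles bpf_program.c, checks the sections the loader depends on, loads and attaches the program with bpftool, triggers an execve() and reads the trace_pipe output, then unloads it. The helper kernel_tag is the same derivation as the git clone command above, wrapped in a function. Assumptions: bpf_program.c is in the current directory, bpftool understands the "autoattach" keyword (recent versions; the pinned object is then the link, not the program), bpffs is mounted at /sys/fs/bpf, readelf from binutils is available, and the kernel-touching steps run as root. The pin path /sys/fs/bpf/hello_execve is chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page: build, load, attach, observe, unload.
# Assumptions: bpf_program.c in the current directory; bpftool with "autoattach";
# bpffs at /sys/fs/bpf; readelf installed; main runs as root.

OBJ=${OBJ:-bpf_program.o}
PIN=${PIN:-/sys/fs/bpf/hello_execve}    # pin path chosen for this example

# Same derivation as the clone command above, as a function:
# "5.15.0-91-generic" -> "v5.15"
kernel_tag() {
    printf '%s\n' "$1" | awk -F- '{print $1}' | awk -F. '{print "v" $1 "." $2}'
}

# tracefs lives in different places depending on distribution and kernel version
trace_pipe_path() {
    if [ -e /sys/kernel/tracing/trace_pipe ]; then
        echo /sys/kernel/tracing/trace_pipe
    else
        echo /sys/kernel/debug/tracing/trace_pipe
    fi
}

# Compile with the BPF backend (-g adds BTF/debug info so bpftool can show source
# lines), then confirm the sections the loader relies on exist in the object.
build_bpf() {
    clang -O2 -g -target bpf -c bpf_program.c -o "$OBJ" || return 1
    readelf -SW "$OBJ" | grep -q 'sys_enter_execve' || return 1
    readelf -SW "$OBJ" | grep -qw 'license' || return 1
}

# Load into the kernel and attach to the tracepoint named by the section. With
# autoattach, bpftool pins the resulting link at $PIN, so inspect it with "link show".
load_bpf() {
    bpftool prog load "$OBJ" "$PIN" autoattach || return 1
    bpftool link show pinned "$PIN"
}

# Read trace_pipe for a few seconds while something calls execve().
trace_execve() {
    timeout 3 cat "$(trace_pipe_path)" &
    reader=$!
    /bin/true                           # exec of an external binary fires the tracepoint
    wait "$reader" 2>/dev/null || true
}

# Removing the pinned link drops the last reference: the program is detached and freed.
unload_bpf() {
    rm -f "$PIN"
}

main() {
    build_bpf && load_bpf && trace_execve
    unload_bpf
}

# Only the offline helpers are defined by default; the kernel-touching steps run with
#   sudo env RUN_EBPF_DEMO=1 sh ./run.sh
if [ "${RUN_EBPF_DEMO:-0}" = "1" ]; then
    main
fi
```

When main runs you should see a line ending in "Hello, BPF World!" for the /bin/true exec (and for any other execve on the box, since the tracepoint is global). If bpftool reports that it cannot attach, the section name and the running kernel's tracepoint list (/sys/kernel/tracing/available_events) are the first things to compare.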