Getting started with eBPF development

A landscape of Linux kernel tracing, monitoring, hooking and networking methods and tools.

Install the compiler, kernel headers and kernel source code

apt-get install clang
sudo apt-get -y install libbpf-dev
apt install linux-headers-`uname -r`
sudo ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm
# download the kernel source matching the running kernel version (e.g. 5.15.0-91-generic -> tag v5.15)
git clone --branch $(uname -r | awk -F- '{print $1}' | awk -F. '{print "v" $1 "." $2}') --single-branch https://github.com/torvalds/linux.git

The sample BPF program (saved as bpf_program.c)

#include <linux/bpf.h>
/* Place a symbol in a named ELF section; the loader reads these section names. */
#define SEC(NAME) __attribute__((section(NAME), used))

/* BPF helpers are called by number; BPF_FUNC_trace_printk comes from linux/bpf.h.
 * Its output goes to /sys/kernel/debug/tracing/trace_pipe. */
static int (*bpf_trace_printk)(const char *fmt, int fmt_size,
                               ...) = (void *)BPF_FUNC_trace_printk;

/* Runs on every execve() syscall entry (tracepoint syscalls:sys_enter_execve). */
SEC("tracepoint/syscalls/sys_enter_execve")
int bpf_prog(void *ctx) {
  char msg[] = "Hello, BPF World!";
  bpf_trace_printk(msg, sizeof(msg));
  return 0;
}

/* bpf_trace_printk is a GPL-only helper, so the program must declare a GPL license. */
char _license[] SEC("license") = "GPL";

Compile the BPF program

clang -O2 -target bpf -c bpf_program.c -o bpf_program.o