跳转至

Get Started with eBPF | Introduction to eBPF

Get Started with eBPF

This example is provided using the Ubuntu Linux distribution.

Before you begin, let's make sure your Linux machine has support for eBPF:

more /boot/config-$(uname -r) | grep CONFIG_BPF

If the output lists CONFIG_BPF=y, you are ready to proceed.

CONFIG_BPF=y
<... output omitted ...>

In addition to using eBPF, you will be writing eBPF programs. To do so, you must install the BCC toolset. First, make sure that your packages are up to date:

sudo apt-get update

Wait for the update to complete:

<... output omitted ...>
Get:54 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 c-n-f Metadata [548 B]
Fetched 21,4 MB in 4s (5.277 kB/s)
Reading package lists... Done

After that, you are ready to install the BCC toolset:

sudo apt-get install bpfcc-tools linux-headers-$(uname -r)

Accept any prompts asking you to continue, and wait for the installation to finish:

Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-headers-5.15.0-60-generic is already the newest version (5.15.0-60.66~20.04.1).
The following NEW packages will be installed:
  bpfcc-tools
0 upgraded, 1 newly installed, 0 to remove and 551 not upgraded.
Need to get 0 B/579 kB of archives.
After this operation, 2.357 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Selecting previously unselected package bpfcc-tools.
(Reading database ... 215701 files and directories currently installed.)
Preparing to unpack .../bpfcc-tools_0.12.0-2_all.deb ...
Unpacking bpfcc-tools (0.12.0-2) ...
Setting up bpfcc-tools (0.12.0-2) ...
Processing triggers for man-db (2.9.1-1) ...

Now, you should make sure that the BCC tool works by issuing the bashreadline-bpfcc command. This is one of the tools included in the BCC toolset. Run it and leave it running:

sudo /usr/sbin/bashreadline-bpfcc

You should see output similar to the following:

In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
<... output omitted ...>
        ^
<command line>:3:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP16__ 1
        ^
3 warnings generated.
TIME      PID    COMMAND

Open a second terminal window in your Linux VM. Execute the following commands one by one:

date

echo hey

whoami

The output of the above commands is not important. What is important is that, meanwhile, in your first terminal window, BCC captured these commands being executed. You should see the time, process identifier (PID), and command that you executed in your second terminal window.

TIME      PID    COMMAND
20:50:25  9853   date
20:50:28  9853   echo hey
20:50:51  9853   whoami

You can now exit the BCC tool that you were using in terminal window 1 by pressing Ctrl+C.

At this point, you have functional eBPF on your Linux box. Now, you are ready to create your first eBPF program!

Keep going!

Skip to table of contents

Introduction to eBPF