eBPF was introduced in Linux 3.18 with limited capabilities. Linux kernel version 4.4 introduced more features to eBPF.
Usually, we run programs in userspace. For example, when a program wants to open a TCP connection, the request is made to the kernel via a syscall. Userspace programs can interact with resources (devices and data) only through the supported syscalls. So in some cases it's not possible to go beyond userspace and work closely with devices, resources and data in raw format.
eBPF is a new technology that solves the mentioned problem in a safe way. Before eBPF, we could use Linux Kernel Modules, known as LKMs, to load new functionality into the kernel at runtime without recompiling the kernel source. For example, we can load modules using the modprobe command. The problem with LKMs is that they run inside the kernel with full privileges, so any bug in a module can crash the whole system. So safety is the problem.
eBPF solves the above-mentioned security/safety concern as well. To describe how an eBPF program gets into the kernel: first we need to write the eBPF bytecode, and then we make a request to load it into the kernel. Before loading it into the runtime, the kernel runs a few checks (the verifier) to ensure safety. Once all the checks pass, the eBPF bytecode is compiled by a JIT compiler into native machine code and placed in the runtime. If the program fails the checks, it is rejected by the kernel.
In my understanding, we can think of eBPF programs as interceptors. For example, we can intercept all the syscalls made to the kernel using an eBPF program. There are many hook points available for eBPF programs.
To inspect what is loaded, install bpftool from the linux-tools package that matches your kernel version, for example:
sudo apt install linux-tools-5.15.0-48-generic
To execute bpftool, you mostly need root privileges.
- Version: bpftool version
- Maps: sudo bpftool map show (or sudo bpftool map list)
- Programs: sudo bpftool
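As an added example (not part of the original post), the listing above can be turned into a defender's inventory check: bpftool's JSON mode (`-j`) prints the same program and map information as machine-readable records, so a script can join each loaded program to the maps it uses and flag anything not in a known baseline. The sample records below are constructed for this example; the field names follow bpftool's JSON output, the ids, tags and names are made up.

```python
import json
import subprocess

# Constructed sample of `sudo bpftool prog show -j` output (field names follow
# bpftool's JSON mode; ids, tags and names here are made up for this example).
SAMPLE_PROGS = """[
 {"id": 12, "type": "cgroup_skb", "tag": "6deef7357e7b4530", "gpl_compatible": true,
  "loaded_at": 1700000000, "uid": 0, "bytes_xlated": 64, "jited": true,
  "bytes_jited": 61, "map_ids": [], "btf_id": 0},
 {"id": 57, "type": "tracepoint", "name": "count_openat", "tag": "00aa11bb22cc33dd",
  "gpl_compatible": true, "loaded_at": 1700000100, "uid": 0, "bytes_xlated": 240,
  "jited": true, "bytes_jited": 172, "map_ids": [3], "btf_id": 41},
 {"id": 58, "type": "kprobe", "name": "unknown_probe", "tag": "ee44ff5566778899",
  "gpl_compatible": false, "loaded_at": 1700000200, "uid": 1000, "bytes_xlated": 512,
  "jited": true, "bytes_jited": 390, "map_ids": [3, 4], "btf_id": 0}
]"""
# Constructed sample of `sudo bpftool map show -j` output.
SAMPLE_MAPS = """[
 {"id": 3, "type": "hash", "name": "openat_counts", "flags": 0, "bytes_key": 4,
  "bytes_value": 8, "max_entries": 1024, "bytes_memlock": 81920},
 {"id": 4, "type": "array", "name": "probe_cfg", "flags": 0, "bytes_key": 4,
  "bytes_value": 16, "max_entries": 1, "bytes_memlock": 4096}
]"""

def summarize(progs_json, maps_json):
    """Join each program to the maps it references and keep the fields worth reviewing."""
    maps_by_id = {m["id"]: m for m in json.loads(maps_json)}
    rows = []
    for p in json.loads(progs_json):
        rows.append({
            "id": p["id"],
            "type": p["type"],           # program type reflects its hook point (tracepoint, kprobe, ...)
            "name": p.get("name", ""),   # bpftool omits "name" for programs loaded without one
            "uid": p.get("uid"),         # user that loaded the program
            "jited": p.get("jited", False),
            "maps": [maps_by_id[i]["name"] for i in p.get("map_ids", []) if i in maps_by_id],
        })
    return rows

def find_unexpected(rows, baseline):
    """Return ids of loaded programs whose (type, name) pair is not in the known baseline."""
    return [r["id"] for r in rows if (r["type"], r["name"]) not in baseline]

def live_rows():
    """Read the real inventory from bpftool; it needs root, so run this under sudo."""
    progs = subprocess.check_output(["bpftool", "prog", "show", "-j"], text=True)
    maps = subprocess.check_output(["bpftool", "map", "show", "-j"], text=True)
    return summarize(progs, maps)
```

Capture a baseline of (type, name) pairs on a known-good host, then run `find_unexpected(live_rows(), baseline)` as root; on the constructed sample only program 58 falls outside the baseline.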