EBPF

Mihalis Tsoukalos explains how to use eBPF to track filesystems.

When we talk about using eBPF for tracing filesystems, we are not dealing with file I/O W (see LXF296) operations but with files as whole entities and filesystem operations. Additionally, for the first time in this series, we are going to develop our own tools using BCC Python and Go. But first, we are going to discuss the way eBPF works in more depth.

More about eBPF

You can consider eBPF a virtual machine located inside the Linux kernel that can execute eBPF commands, which is custom BPF code. It makes the Linux kernel programmable to help you solve real-world problems. Bear in mind that eBPF, like all languages, doesn’t solve problems on its own, it just gives you the tools to solve them. These eBPF programs are executed by the Linux kernel eBPF runtime.

EBPF software can be programmed in BCC, Bpftrace or using LLVM. The LLVM compiler can compile BPF programs into BPF bytecode using a supported programming language, such as C or the LLVM Intermediate Representation. As both ways are difficult to program because of the use of pretty low level code, BCC or Bpftrace make things simpler.

When working with eBPF, begin by thinking like a system administrator, not as a programmer. Put simply, start by trying the existing eBPF tools instead of writing your own. However, if you have an issue that can’t be solved by existing tools, you might need to start acting like a developer. Other reasons for thinking like a developer include the desire to learn the eBPF internals, creating a commercial or open source project based on eBPF, doing low-level stuff like networking and security, and debugging existing code and tools.

As you become more educated and proficient in eBPF, it might be time to learn how to write new tools. Therefore, the next two sections show how to develop eBPF tools in BCC Python and Go. Both examples are relatively easy yet fully functional and practical.

Creating a new tool

Let’s write a small eBPF tool using BCC and Python, and explain what is happening. Although we are using a Python script to put our code, most of it is going to be written in C, a common practice with BCC Python. You can create your tools step by step. For example you can print a message on screen using bpf_trace_printk() when the desired event is found before handling the event. Building tools in small stages enables you to have versions that compile and run all the time, which is good when learning new technologies.