Programming the Linux Kernel for Enhanced Observability, Networking, and Security
Liz Rice

#eBPF
#Linux
#Linux_Kernel
#Observability
#Networking
#Security
#BTF
What is eBPF? With this revolutionary technology, you can write custom code that dynamically changes the way the kernel behaves. It's an extraordinary platform for building a whole new generation of security, observability, and networking tools.
This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer with cloud native networking and security specialists Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves.
With this book, you will:
Table of Contents
Chapter 1. What Is eBPF, and Why Is It Important?
Chapter 2. eBPF's "Hello World"
Chapter 3. Anatomy of an eBPF Program
Chapter 4. The bpf() System Call
Chapter 5. CO-RE, BTF, and Libbpf
Chapter 6. The eBPF Verifier
Chapter 7. eBPF Program and Attachment Types
Chapter 8. eBPF for Networking
Chapter 9. eBPF for Security
Chapter 10. eBPF Programming
Chapter 11. The Future Evolution of eBPF
Who This Book Is For
This book is for developers, system administrators, operators, and students who are curious about eBPF and want to know more about how it works. It will provide a foundation for those who want to explore writing eBPF programs themselves. Since eBPF provides a great platform for a whole new generation of instrumentation and tooling, there will likely be gainful employment for eBPF developers for some years to come.
But you don’t necessarily need to be planning to write eBPF code yourself for this book to be useful to you. If you work in operations, security, or any other role that involves software infrastructure, you’re likely to come across eBPF-based tooling, now or over the next few years. If you understand something about the internals of these tools, you’ll be in a better position to use them effectively. For example, if you know how events can trigger eBPF programs, you’ll have a better mental model for exactly what an eBPF-based tool is really measuring when it shows you performance metrics. If you’re an application developer, you might also come into contact with some of these eBPF-based tools—for example, if you are performance tuning an application, you might use a tool like Parca to generate flame graphs showing which functions are taking the most time. If you are evaluating security tools, this book will help you understand where eBPF shines, and how to avoid using it in a naïve way that is less effective against attacks.
Even if you’re not using eBPF tools today, I hope this book will give you interesting insights into areas of Linux that you might not have considered before. Most developers take the kernel for granted, as they use programming languages with convenient higher-level abstractions that allow them to focus on the work of application development—which is plenty hard enough! They use tools like debuggers and performance analyzers to help them do their job effectively. Knowing the internals of how a debugger or performance tool works might be interesting, but it’s not essential. Yet, for many of us, it’s fun and fulfilling to go down the rabbit hole to find out more. In the same way, most people will use eBPF tools without having to worry about how they are built. Arthur C. Clarke wrote that “any sufficiently advanced technology is indistinguishable from magic,” but personally, I like to dig in and find out how the magic trick works. You might be like me and feel compelled to explore eBPF programming to get a better feel for what is possible with this technology. If so, I think you’ll enjoy this book.
Prerequisite Knowledge
This book assumes you are comfortable with basic shell commands on Linux and with the idea of using a compiler to turn source code into an executable program. There are some simple example extracts from Makefiles, on the assumption that you have at least a minimal understanding of how make uses these files.
There are lots of code examples in Python, C, and Go. You won’t need in-depth knowledge of those languages to get something out of these examples, but you’ll get the most out of the book if you are generally happy to read some code. I’m also assuming you are familiar with the idea of pointers, which identify a memory location.
Liz Rice is the chief open source officer with eBPF specialists at Isovalent, creators of the Cilium cloud native networking, security and observability project. She sits on the CNCF Governing Board and on the Board of OpenUK. She was chair of the CNCF's Technical Oversight Committee in 2019-2022, and co-chair of KubeCon + CloudNativeCon in 2018. She is also the author of Container Security published by O'Reilly.
She has a wealth of software development, team, and product management experience from working on network protocols and distributed systems and in digital technology sectors such as VOD, music, and VoIP. When not writing code, or talking about it, Liz loves riding bikes in places with better weather than her native London, competing in virtual races on Zwift, and making music under the pseudonym Insider Nine.