Demo eBPF Program.
This program uses an eBPF Tracepoint, sched/sched_process_exec, to monitor new processes being executed.
Tracepoints are eBPF programs that attach to pre-defined trace points in the linux kernel. These tracepoints are often placed in locations which are interesting or common locations to measure performance.
- Lima
- QEMU
When running on macOS you need to build and run this in a Linux virtual machine (VM). On macOS 13.0+ VMs can also be run using macOS's Virtualization Framework (vz) instead of QEMU but it has some limitations so QEMU is preferred.
Note: Some of the limitations of vz are that it fails to cross-compile for multiple architectures and also can not emulate a different architecture and can only run VMs using its own native architecture; example M3 Macs (arm64 arch) can only run arm64 VMs.
brew bundleStart a virtual machine using Lima and QEMU, and getting a terminal:
limactl start ./lima/ebpf-demo.yaml
limactl shell ebpf-demo- To start the VM using a different architecture add
--arch=<ARCH>where<ARCH>can be one of:x86_64oraarch64.
- Go
- linux-tools
- build-essential
- llvm
- clang
- libbpf-dev
- libelf-dev
- libpcap-dev
- bpftool
- curl
-
Install dependencies:
export KERNEL_VERSION=`uname -r` apt-get update -q apt-get install -q -y \ apt-transport-https ca-certificates curl \ linux-tools-common linux-tools-generic linux-tools-${KERNEL_VERSION} \ build-essential llvm clang \ libbpf-dev libelf-dev libpcap-dev
-
Install BPFTool
git clone --recurse-submodules https://github.com/libbpf/bpftool.git /tmp/bpftool pushd /tmp/bpftool/src make install popd
On a linux environment run make build.
Running applications that load BPF programs needs privilege so running the application as root or using sudo is required.
sudo ./demoSome useful links for additional information and learning about eBPF: