REVIEW - Linux Observability with BPF - Advanced Programming for Performance and Networking

Title:

Linux Observability with BPF - Advanced Programming for Performance and Networking

Author:

David Calavera, Lorenzo Fontana

ISBN:

9781492050209

Publisher:

O’Reilly Media (2019)

Pages:

200pp

Reviewer:

Ian Bruntlett

Reviewed:

July 2020

Rating:

★★★★☆

Verdict: I liked it. Mind-bending but good.

BPF is a technology that emerged out of bpf and eBPF. Whilst not a kernel expert, I am a programmer and I bought this book with a view to learning what goes on inside the kernel and to help when testing pre-release versions of Ubuntu/Lubuntu Linux. This slim book (162 pages) that brings many things together in one place. It has its source code on the book’s GitHub page. Warning: this is bleeding edge stuff.

The ‘Introduction’ chapter covers the history and architecture of bpf. It turns out that bpf programs have certain limitations which in turn makes certain guarantees possible.

The ‘Running your first BPF program’ chapter has a short example that has to be compiled using LLVM’s C compiler. It then goes on to catalogue the different BPF program types and gives info on the BPF verifier and other details.

The ‘BPF Maps’ chapter is highly technical and fiddly – it describes an illustrates the BPF Map API where a Map can be some arbitrary key-value pairs – other data structures – confusingly still called Maps – have been added to BPF over time. Finally, it explains the BPF Virtual Filesystem.

The ‘Tracing with BPF’ chapter is all about efficiently collecting data from the Kernel and User-Space programs for debugging and profiling. It introduces the BPF Compiler Collection (BCC) and mostly uses Python programs to provide hosts for BPF programs. It goes into detail about tracing probes which it defines as ‘exploratory programs designed to transmit information about the environment in which they are executed’. This sounds dangerous but the BPF verifier validates code before it is accepted for execution. It finishes with two ways to visualise accumulated data – flame graphs and histograms.

The ‘BPF Utilities’ chapter covers some very interesting tools. BPFTool is an awesome tool for working with BPF programs and the data they generate. In Ubuntu, searching the package repositories for BPFTool found nothing but later on I found it is provided by the linux-tools-common package. BPFTrace implements a concise, domain-specific-language for writing BPF programs – it provides more support for the programmer than BCC does – however, it is less suited for advanced programs. It covers kubectl-trace, a kubernetes tool which I cannot comment upon. Finally, it covers eBPF Exporter, a tool to export data to Prometheus, a monitoring tool alerting system.

The ‘Linux Networking and BPF’ chapter is interesting but a bit beyond my experience. It covers packet filtering with BPF and illustrates how tcpdump in turn writes bpf programs. It disassembles a BPF program’s byte code and explains what it does. I did notice that on page 96 there is a small problem with the Ethernet frame header offsets. It goes on to cover the Traffic Control subsystem with examples.

The ‘Express Data Path (XDP)’ chapter is more networking. It is all about running BPF programs whenever a network interface receives a packet. It is intricate, complete with useful diagrams. I was impressed by its flexibility to handle denial of service attacks. It also covers the writing and testing of XDP programs. It finishes with XDP Use Cases – monitoring, DDOS mitigation, Load Balancing and Firewalling.

The ‘Linux Kernel Security, Capabilities, and Seccomp’ chapter explains Secure Computing (abbreviated to Seccomp), a security layer of the kernel for filtering syscalls and provides a C program example.

The final chapter, ‘Real-World Use-Cases’, is a couple of anecdotes on real-world uses of BPF – Sysdig and Flowmill.

To conclude: this is a slim book that covers a highly technical subject. It has a reasonable index but no bibliography. Should you read this book? Maybe. There is another BPF book available (BPF Performance Tools by Brendan Gregg) which is considerably larger. This book has an improved awareness of BPF in the Kernel and was sufficiently brief to make reading it a manageable project.