Week 11 - eBPF: Foundations¶

11.1 Conceptual Core¶

eBPF is an in-kernel virtual machine that runs verified bytecode at hookpoints (kprobes, tracepoints, XDP, socket filters, LSM, etc.). It is the modern way to extend Linux without writing kernel modules.
The verifier rejects programs that could crash the kernel (unbounded loops, invalid memory access, dereferencing null). This is what makes eBPF safe.
Programs communicate with userspace via maps (hash, array, ring buffer, LRU, per-CPU variants).

Tooling tiers, low to high level:
Raw eBPF C compiled with clang -target bpf and loaded with libbpf. The production-grade path.
libbpf + CO-RE (Compile Once, Run Everywhere)-portable across kernel versions.
BCC (Python frontend)-older, requires kernel headers at runtime.
bpftrace-high-level scripting, fastest path to a one-off observation.
Hookpoints:
kprobes / kretprobes-kernel function entry/exit.
uprobes / uretprobes-userspace function entry/exit.
tracepoints-stable kernel events with structured args. Prefer over kprobes when available.
XDP-packet processing at NIC driver level (covered Month 4).
fentry/fexit-modern, lower-overhead replacement for kprobes (BPF Trampoline).
LSM hooks-security-relevant decisions.
Sched, syscalls, perf events-many more.

Install bpftrace. Run bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%s %s\n", comm, str(args->filename)) }' and watch the system-wide open trace. Triage.
Write a bpftrace script that histograms read() syscall sizes by process.
Convert one of the recipes to libbpf C + a userspace consumer using libbpf-bootstrap as the template.
Read 10 of Brendan Gregg's bpftrace recipes (runqlat.bt, tcpaccept.bt, vfsstat.bt, etc.) and run them. Document each.

kernel.unprivileged_bpf_disabled=1 is the modern default (only root or CAP_BPF can load programs). Verify and document.

Use runqlat (run queue latency histogram) to detect scheduler stalls. Capture a baseline; document p50/p99/p99.9.