eBPF Kernel Side - Using eBPF to Go
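FROM golang:1.22.1

# Toolchain for bpf2go: clang/llvm compile the eBPF C side, libbpf-dev provides
# bpf/bpf_helpers.h and bpf/bpf_tracing.h included by the kernel-side program.
# apt-get is the stable scripting interface (plain `apt` warns about that);
# `upgrade` needs -y because a docker build has no terminal to answer its
# confirmation prompt, so the original `apt upgrade` aborted the step.
# The package lists are removed afterwards to keep the layer small.
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y wget clang llvm libbpf-dev curl git make sudo build-essential && \
    rm -rf /var/lib/apt/lists/*

# clang resolves <asm/...> via /usr/include/asm, but Debian-based images keep those
# headers in an arch-specific directory. -sfn replaces an existing link instead of
# failing (or nesting a link inside it) when the image is rebuilt.
RUN ln -sfn /usr/include/x86_64-linux-gnu/asm /usr/include/asm

# Keep the container alive so the bind-mounted sources can be built and run
# interactively (docker exec).
ENTRYPOINT [ "tail", "-f", "/dev/null" ]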
package main

// bpf2go compiles test.c with clang into eBPF object files and writes the Go
// bindings (testObjects, loadTestObjects, the HandleTp program handle) that
// main.go uses to load them. Run via `go generate`; because no @version is
// given, the bpf2go build uses the github.com/cilium/ebpf version pinned in
// go.mod, so generator and runtime library stay in sync.
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go test test.c
module ebpf-test

go 1.21.0

toolchain go1.22.1

// cilium/ebpf supplies the loader and link API used by main.go and the bpf2go
// generator invoked from the go:generate directive.
require github.com/cilium/ebpf v0.13.2

require (
	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
	golang.org/x/sys v0.15.0 // indirect
)
package main | |
import (
	"log"
	"os"
	"os/signal"
	"syscall"

	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
)
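// main loads the bpf2go-generated eBPF objects, attaches handle_tp to the
// syscalls/sys_enter_write tracepoint and keeps the program attached until the
// process receives SIGINT (ctrl+c) or SIGTERM. Loading and attaching eBPF
// requires elevated privileges (root, or CAP_BPF/CAP_PERFMON), and the
// tracepoint observes every write(2) on the host, not only this process.
func main() {
	// Remove resource limits for kernels <5.11, which charge eBPF maps and
	// programs against RLIMIT_MEMLOCK and fail to load when it is too low.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal("Removing memlock:", err)
	}

	// Load the compiled eBPF ELF (embedded by bpf2go) into the kernel.
	var objs testObjects
	if err := loadTestObjects(&objs, nil); err != nil {
		log.Fatal("Loading eBPF objects:", err)
	}
	defer objs.Close()

	// Attach the program; the returned link keeps it attached until Close.
	tp, err := link.Tracepoint("syscalls", "sys_enter_write", objs.HandleTp, nil)
	if err != nil {
		log.Fatalf("opening tracepoint: %s", err)
	}
	defer tp.Close()

	// Block on a signal instead of the original empty `for {}`, which busy-spins
	// and pins a CPU core at 100% for as long as the tracer runs. Returning
	// normally also lets the deferred Close calls detach the tracepoint and
	// release the objects, which a killed process never does.
	stop := make(chan os.Signal, 1)
	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
	<-stop
}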
//go:build ignore
// This code is taken from eunomia eBPF tutorial
// https://eunomia.dev/tutorials/1-helloworld/#hello-world-minimal-ebpf-program
/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */

/* Keep globals out of the .data/.rodata sections so the object loads without
 * global-data support. */
#define BPF_NO_GLOBAL_DATA
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

/* Minimal typedefs so the program builds without vmlinux.h; u32 is not used
 * by this file. */
typedef unsigned int u32;
typedef int pid_t;

/* Process filter consulted by handle_tp: 0 disables filtering, so every
 * write(2) on the system is traced; a non-zero value limits the trace to that
 * PID. It is a const, so the value is fixed when test.c is compiled. */
const pid_t pid_filter = 0;

/* License reported to the kernel. bpf_printk expands to bpf_trace_printk,
 * a GPL-only helper, so a GPL-compatible license is required here. */
char LICENSE[] SEC("license") = "Dual BSD/GPL";
/* handle_tp runs on every entry to the write(2) syscall and writes one trace
 * line per call to the kernel trace buffer (/sys/kernel/debug/tracing/trace_pipe),
 * unless pid_filter is non-zero and names a different process. The tracepoint
 * context is not read. Always returns 0. */
SEC("tp/syscalls/sys_enter_write")
int handle_tp(void *ctx)
{
	/* The helper packs tgid (userspace PID) in the upper 32 bits and the
	 * thread id in the lower 32; only the tgid is kept. */
	pid_t tgid = bpf_get_current_pid_tgid() >> 32;

	/* Trace when filtering is off, or when this is the filtered process. */
	if (!pid_filter || tgid == pid_filter)
		bpf_printk("BPF triggered sys_enter_write from PID %d.\n", tgid);

	return 0;
}
In this gist we will compile, build and run our eBPF kernel-side program.
Golang Project
First we must initialise a Go project:
Generating our Go files from Clang
Use `go generate` to compile the `.c` file into `.o` and `.go` files.
Running the eBPF script on the Kernel
By executing `go generate && go build && sudo ./ebpf-test`, letting it run for a couple of seconds and then pressing `ctrl+c`, we wrote some traces into `/sys/kernel/debug/tracing/trace_pipe`. They can be viewed with
sudo cat /sys/kernel/debug/tracing/trace_pipe | grep "BPF triggered sys_enter_write"
Enabling Tracing
If your Linux distribution (e.g. Ubuntu) does not have the tracing subsystem enabled by default, you may not see any output. Use the following commands to enable it:
sudo mount -t debugfs none /sys/kernel/debug
sudo echo 1 > /sys/kernel/debug/tracing/tracing_on
Note that the `>` redirection in the second command is performed by your own, unprivileged shell rather than by `sudo`, so if it fails with "permission denied", run it from a root shell instead (`sudo sh -c 'echo 1 > /sys/kernel/debug/tracing/tracing_on'`).
Dockerfile
The Dockerfile contains everything that is needed to compile the `.c` code, build the `.go` files and run the result on the kernel.
Build the image using
docker build -t ebpf2go .
Run the container using
docker run --privileged -v C:\Path\To\Files:/ebpf ebpf2go:latest
`--privileged` is needed because loading eBPF programs requires elevated capabilities; it also gives the container full access to the host kernel, so use this image on a development machine only.
macOS
In the Dockerfile, the existing `ln` line needs to be changed to `ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm`.