安裝 BCC 使用 Source Code

For Bionic (18.04 LTS)

Install related libraries and packages

$ sudo apt-get -y install bison build-essential cmake flex git libedit-dev \

libllvm6.0 llvm-6.0-dev libclang-6.0-dev python zlib1g-dev libelf-dev \

iperf3 luajit libluajit-5.1-dev netperf linux-headers-$(uname -r)

Compile BCC source code and install

$ git clone --recursive https://github.com/iovisor/bcc.git

$ git submodule update --recursive

# Or $ git pull --recurse-submodules

$ mkdir bcc/build; cd bcc/build

$ cmake .. -DCMAKE_INSTALL_PREFIX=/usr -DPYTHON_CMD="python python3.8"

$ make -j `nproc`
$ sudo make install

Quick Start Guide

A Docker container is provided for user to try out bcc.

From your host shell:

docker run -it --rm \
  --privileged \
  -v /lib/modules:/lib/modules:ro \
  -v /usr/src:/usr/src:ro \
  -v /etc/localtime:/etc/localtime:ro \
  --workdir /usr/share/bcc/tools \
  zlim/bcc

Linux Kernel Source Code查詢

https://elixir.bootlin.com/linux/v4.15/source

Using eBPF in Kubernetes

https://kubernetes.io/blog/2017/12/using-ebpf-in-kubernetes/

How can I determine which namespaces a PID is in from kernel space?

https://stackoverflow.com/questions/48401989/how-can-i-determine-which-namespaces-a-pid-is-in-from-kernel-space

P.S:

container id can be found in

cat /proc/self/cgroup | grep -o  -e "docker-.*.scope" | head -n 1 | sed "s/docker-\(.*\).scope/\\1/"

How can I retrieve a task's session_id in an eBPF program?

https://stackoverflow.com/questions/48425319/how-can-i-retrieve-a-tasks-sessionid-in-an-ebpf-program

P.S:

Linux PID, PPID, PGID (Process Group Leader), SID (Session Leader)

https://www.geekpills.com/operating-system/linux/the-ultimate-pid-ppid-pgid-process-group-leader-sid-session-leader

PGID — Process Group Identifier (Process Group Leader)

ps -Ao pid,ppid,command

SID — Session Identifier (Session Leader)

Tracee - Container and system tracing using eBPF

https://github.com/aquasecurity/tracee

eBPFlow

This project aims to offer a packet flow tracer based on eBPF

https://www.ntop.org/wp-content/uploads/2018/10/Sabella.pdf

https://www.ntop.org/wp-content/uploads/2019/01/eBPF_FOSDEM2019.pdf

Paper:

http://luca.ntop.org/ITASEC2019.pdf

Source Code:

https://github.com/samuelesabella/ebpflow

(Python version,to get container id)

https://github.com/ntop/libebpfflow

(C++ version)

https://github.com/ntop/ntopng

ntopng a web-based network traffic monitoring application

BPF 筆記 ( 安裝與BCC Python)

https://hackmd.io/@0xff07/HyrLVSZ78/https%3A%2F%2Fhackmd.io%2F%400xff07%2Fr1f4B8aGI

BCC 很好的範例, 利用BPF從Layer2 到 Layer4 擷取packet相關資訊

https://github.com/yadutaf/tracepkt

(Trace a ping packet on the L2 layer, as it crosses Linux network interfaces and namespaces. Supports IPv4 and IPv6.)
文章: https://blog.yadutaf.fr/2017/07/28/tracing-a-packet-journey-using-linux-tracepoints-perf-ebpf/

https://gist.github.com/chendotjs/194768c411f15ecfec11e7235c435fa0

(ebpf-skbtracer)

https://github.com/wofanli/linux-packet-tracer

(linux-packet-tracer in Golang)

getaddrinfo ( uprobe )

https://stackoverflow.com/questions/57242204/ebpf-reading-the-result-of-getaddrinfo

Persistent eBPF map object with bcc (可保存Map's data in the file descriptor)

http://yunazuno.hatenablog.com/entry/2017/04/09/112939

簡單範例 BPF Map の永続化

https://blog.ssrf.in/post/bpf-memo-1/

eBPF Maps Introduction

https://www.slideshare.net/suselab/ebpf-maps-101

[文章]Cloudflare architecture and how BPF eats the world

https://blog.cloudflare.com/cloudflare-architecture-and-how-bpf-eats-the-world/

Danny's tech notebook | 丹尼技術手札

Thursday, September 16, 2021

BCC programming 筆記

Quick Start Guide

No comments: