this is a starter project in which you can start developing ebpf without any hassle.
it creates an ebpf ready environment using devcontainer+docker.
it even works in apple silicon (m1/m2/m3...) macOS.
(actually I have only tested it in mac, will test it in other devices as well if I get the chance)
if you don't know what a devcontainer is, it is a shareable, reusable & reproducible
development environment, which is supported by docker and won't pollute your system or VM.
so you don't need to create an ebpf development environment yourself,
and most importantly you can throw it away anytime.
- vscode or goland or neovim (any IDE which supports remote container development)
- for neovim I haven't tested yet, but the neo-vim-remote-containers can help
- docker ( personally I'm enjoying OrbStack for macOS, but I guess any docker flavour would be ok)
- open the project with goland
- choose the container icon when opening up
devcontainer.jsonand click onCreate Dev Container and Mound Sources...
- if it wants to access your confidential information feel free to
denyit, currently I'm not sure why it's asking it and didn't want to share my information with it, so I denied it, and it worked flawlessly.
- I suppose you already have installed Remote Development Extension for vscode, I guess it should be installed by default
- open the project with vscode
- click on
Reopen in Container
when the container env has been loaded and get ready:
- open an extra terminal in that container in your ide or directly create a terminal into that container outside ide. if you open up the terminal within the ide it should automatically navigate to project source folder in container itself.
- run
go generate ./ebpfit will generate some go files from./ebpf/counter.cbpf file usingbpf2gotool. you can use these files in your./cmd/main.go. it would greatly simplify the userspace/kernel space communication. the generated files are already committed, so you won't feel any difference after executing this command. - run
go run ./cmd/main.goin jetbrains goland, in vscode you need to runsudo go run ./cmd/main.go( currently I'm not sure why, but I'll try to fix it in the future.)
- usually ebpf programs has two legs, one leg in the userspace (
./cmd/main.go) and the other leg in kernel space (./ebpf/counter.c) - we write the ebpf code (kernel space code) in
c(or something similar to ) and put it into a file, in our case./ebpf/counter.c. - we need to compile the kernel space code (
./ebpf/counter.c) and then load it into the kernel, upon loading the kernel would first verify the compiled object and if it agrees with it then load it into kernel - we can do this procedure manually and step by step, but it would be a tedious task
- here comes the cilium ebpf project, which helps us to do the compilation and loading the kernel space to the program an easy task
- using
go generate ./ebpf+./ebpf/gen.gowe ask thebpf2goto compile the./ebpf/counter.cand also generate some extra golang codes - then in
./cmd/main.gouserspace code we use those generated go codes and actually try to load the compiled version of./ebpf/counter.cinto the kernel space. - after the ebpf program get loaded in the kernel, we can maintain a communication channel between the kernel space and userspace, so in
./cmd/main.goyou can do some extra work as well- like fetching statistics that has been sent by the kernel space program
- ....
- in ebpf there are some data structures that can hold data, which is called
bpf maps, the communication between userspace and kernel space can be achieved through thesebpf maps
- cilium ebpf project for creating
bpf2go, check out their website ebpf-go.dev for more learning material on ebpf and go. - https://github.com/markpash for introducing
bpf2goto me