Now, I have done a talk about eBPF before, but today I'm going to do something new in that I am writing my code, or at least my user space code, with Go today, it's the first time I've done the talk using Go, so that's the new twist that we're going to tackle today.

現在，我曾經做過一次關於 eBPF 的演講，但今天我要做一些新的事情，因為我今天要使用 Go 編寫我的代碼，或者至少是我的用戶空間代碼，這是我第一次使用 Go 進行演講，所以這也是我們今天要解決的新問題。

So, before I get into the point where I'm going to start using Go and start writing some code, I should probably start by talking a little bit about what eBPF is.

是以，在開始使用 Go 和編寫代碼之前，我應該先介紹一下什麼是 eBPF。

Key thing is, it lets you run custom programs of your choice in the kernel, so it's a Linux kernel feature technology that lets you, on the fly, add and change code programs that are going to run in response to events, and you can change them dynamically without having to reboot the machine, so much, much more powerful than writing a kernel module.

最關鍵的是，它能讓你在內核中運行自己選擇的自定義程序，是以它是一種 Linux 內核功能技術，能讓你在運行過程中添加和更改代碼程序，這些程序將根據事件響應運行，你可以動態地更改它們，而無需重啟機器，這比編寫內核模塊要強大得多。

We've seen eBPF becoming really a hot technology over the last few years, because it's so powerful and because you can hook it into so many different events, we're seeing it used in lots of observability tools, we're starting to see it used for security as well.

在過去幾年裡，我們看到 eBPF 成為了一項熱門技術，因為它功能強大，而且可以與許多不同的事件掛鉤，我們看到它被用於許多可觀察性工具，我們也開始看到它被用於安全領域。

Today, I'm going to talk more about how it works and hopefully give you enough grounding that you can go away and start writing your own eBPF code.

今天，我將詳細介紹它是如何工作的，希望能給你足夠的基礎，讓你可以開始編寫自己的 eBPF 代碼。

Now, if we're going to run some code in the kernel, but as developers, we're usually writing applications in user space, so how do we communicate between user space and kernel?

現在，如果我們要在內核中運行一些代碼，但作為開發人員，我們通常在用戶空間中編寫應用程序，那麼我們如何在用戶空間和內核之間進行通信呢？

The answer is system calls.

答案就是系統調用。

System calls provide the interface between user space and kernel.

系統調用提供了用戶空間和內核之間的接口。

So, I can make a pretty good guess that there would be a system call related to eBPF, and there certainly is.

是以，我可以很肯定地猜測，會有一個與 eBPF 相關的系統調用，而且肯定是有的。

If we look up the man page for BPF, we'll find lots of really helpful information about what BPF is and how we use it.

如果我們查找 BPF 的 man 頁面，就會發現很多關於 BPF 是什麼以及如何使用它的有用資訊。

So, first of all, BPF stands for Berkeley Packet Filters.

首先，BPF 代表伯克利數據包過濾器。

I'm going to use the word eBPF and BBF pretty interchangeably.

我打算把 eBPF 和 BBF 互換使用。

Historically, it was about filtering network packets, running custom code when a network packet arrived.

從歷史上看，它就是過濾網絡數據包，在網絡數據包到達時運行自定義代碼。

That's been extended.

已經延期。

You can now run your BPF programs in response to lots and lots of different types of events, not just the arrival of a network packet.

現在，您可以運行 BPF 程序來響應大量不同類型的事件，而不僅僅是網絡數據包的到達。

So, whether it's classic BPF or eBPF doesn't really matter these days.

是以，無論是傳統的 BPF 還是 eBPF，如今都已經不重要了。

But in both cases, you're running code in the kernel, and you really, really don't want the kernel to crash or hang.

但在這兩種情況下，你都是在內核中運行代碼，你真的真的不希望內核崩潰或掛起。

So, when we want to run some eBPF code, it goes through a verification step to make sure that it's safe to run.

是以，當我們要運行一些 eBPF 代碼時，它需要經過一個驗證步驟，以確保可以安全運行。

So, that's something we'll talk a little bit more about later.

所以，這一點我們稍後再談。

So, we have some eBPF code that's going to run in the kernel.

是以，我們有一些 eBPF 代碼將在內核中運行。

We have user space application code that, as developers, is normally where we're used to writing code.

我們有用戶空間應用代碼，作為開發人員，這通常是我們習慣編寫代碼的地方。

And there's a system call interface between the two.

兩者之間有一個系統調用接口。

And I think if we look at the system calls, that can actually be quite helpful for understanding really what's happening when we're talking about inserting code into the kernel.

我認為，如果我們看一下系統調用，這對於理解在內核中插入代碼時到底發生了什麼很有幫助。

So, I'm going to start by using an example.

所以，我先舉一個例子。

I'm going to use BPF trace.

我要使用 BPF 跟蹤器。

This is quite a widely used tool for running BPF scripts on a system.

這是在系統上運行 BPF 腳本時使用相當廣泛的工具。

And so, I'm going to show this partly as an example to show the kind of things you can do with BPF, and partly so that we can examine the system calls that happen when we run it.

是以，我將舉例說明 BPF 可以實現的功能，並檢查運行時發生的系統調用。

So, let's explore some BPF trace and the system calls it uses.

是以，讓我們來探索一些 BPF 跟蹤及其使用的系統調用。

So, I have an example that I'm going to use.

所以，我要舉一個例子。

It doesn't really matter that much what my example is.

我的例子是什麼並不重要。

But in this case, I'm setting up a script that's going to run on a trace point.

但在這種情況下，我要設置一個在跟蹤點上運行的腳本。

It's running when we call the sysenter.

當我們呼叫系統中心時，它正在運行。

The sysenter function actually gets triggered for every single system call.

實際上，每次系統調用都會觸發 sysenter 函數。

So, I'm going to run a script every time any process on my virtual machine calls a system call.

是以，每次虛擬機上的任何進程調用系統調用時，我都要運行一個腳本。

And it's going to run this script.

它將運行這個腳本。

What that script actually does is it takes, it sets up a counter for the number of times each different command makes a system call.

該腳本的實際作用是，為每個不同命令進行系統調用的次數設置一個計數器。

So, if I try to run that, well, you have to be a privileged user to do it.

是以，如果我嘗試運行它，那麼你必須是有權限的用戶才能運行。

That kind of makes sense.

這也說得通。

You don't want every unprivileged user running code in your kernel.

你不會希望每個無權限用戶都在你的內核中運行代碼。

So, I can use sudo.

是以，我可以使用 sudo。

I just run that for a few seconds, and then I'll interrupt it.

我只運行幾秒鐘，然後就中斷它。

And it's going to show us for each different kind of command that's running on my machine, the number of system calls.

它會顯示在我的機器上運行的每種不同命令的系統調用次數。

I mean, that's quite interestingly powerful that we can get to such fine granularity as counting every single system call that's happening on my machine.

我的意思是，我們能做到如此精細的粒度，就像計算我的機器上發生的每一個系統調用一樣，這非常有趣，也非常強大。

So, I'm going to run the same thing again.

所以，我要再做一次同樣的事情。

But this time, let's have a look at the BPF system calls that are being called.

但這次，讓我們來看看正在調用的 BPF 系統調用。

So, I do that with strace.

所以，我就用strace來做這個。

I'm just going to look for BPF system calls and quit it after a few seconds.

我只是要查找 BPF 系統調用，幾秒鐘後就退出。

And the thing that I want to show you is these BPF system calls that are being called.

我想向大家展示的是正在調用的 BPF 系統調用。

So, we see a few map create, we see map update element, and we see program load.

是以，我們可以看到一些地圖創建、地圖更新元素和程序加載。

So, that tells us something or indicates something about a couple of concepts we need to know about.

是以，這告訴了我們一些事情，或者說表明了我們需要了解的幾個概念。

Those are BPF programs and BPF maps.

這些是 BPF 程序和 BPF 地圖。

So, we use the same call, but with a different parameter to manipulate programs and maps.

是以，我們使用相同的調用，但使用不同的參數來操作程序和地圖。

So, starting with the programs, what are those programs?

那麼，從計劃開始，這些計劃是什麼？

Well, I mean, they're programs.

我的意思是，它們是程序。

They run on the CPU.

它們在 CPU 上運行。

They're essentially machine code instructions.

它們本質上是機器碼指令。

But for BPF, we're restricted in what we can run because of that requirement for BPF code to be safe.

但對於 BPF 而言，由於要求 BPF 代碼必須安全，我們在運行方面受到了限制。

It mustn't crash, it mustn't loop.

不能崩潰，不能循環。

So, we typically write our BPF programs in C, a restricted set of C, which we don't use any loops.

是以，我們通常用 C 語言編寫 BPF 程序，這是一套受限的 C 語言，我們不使用任何循環。

We always have to check that a pointer is not null before we dereference it.

在取消引用指針之前，我們必須檢查指針是否為空。

And then we use the Clang compiler to convert it into an eBPF object, a set of bytecode instructions that are going to get run inside a BPF virtual machine inside the kernel.

然後，我們使用 Clang 編譯器將其轉換為 eBPF 對象，即一組字節碼指令，這些指令將在內核中的 BPF 虛擬機內運行。

So, we're going to write the kernel code in C.

是以，我們要用 C 語言編寫內核代碼。

We get some helper functions that give us some useful contextual information.

我們會得到一些輔助函數，為我們提供一些有用的上下文資訊。

So, for example, we can print debugging messages with a helper function.

例如，我們可以使用輔助函數打印調試信息。

We can get information about the current running command.

我們可以獲取當前運行命令的資訊。

That's how BPF trace knows which command is running, as we saw in the previous example.

這就是 BPF 跟蹤如何知道哪個命令正在運行的，正如我們在前面的示例中所看到的。

Lots of, I guess, a few dozen of these helper functions that can help us with contextual information.

很多，我猜有幾十個這樣的輔助功能可以幫助我們獲取上下文資訊。

The other thing I talked about was maps, or the other thing we saw in our system course was maps.

我談到的另一件事是地圖，或者說我們在系統課程中看到的另一件事是地圖。

And maps are really how we get information between our eBPF program running in the kernel and user space.

而映射實際上就是我們在內核和用戶空間運行的 eBPF 程序之間獲取信息的方式。

We'll come back to a bit more detail about maps shortly.

稍後我們會再詳細介紹地圖。

And then the last kind of conceptual thing we really need to know about is the fact that these programs are triggered by an event happening.

我們真正需要了解的最後一種概念性的東西是，這些程序是由發生的事件觸發的。

We saw an event, an example where we run a program in response to system calls, in response to triggering a hook at the entry to the function called sysenter.

我們看到了一個事件，一個我們運行程序以響應系統調用的例子，一個在名為 sysenter 的函數入口處觸發鉤子的例子。

There are tons of these hooks already predefined, essentially every function entry and exit, every system call, every trace point in the kernel, every time a network packet arrives.

我們已經預定義了大量這樣的鉤子，基本上包括每個函數的進入和退出、每個系統調用、內核中的每個跟蹤點以及每次網絡數據包到達時的鉤子。

All of these are possible points where you can trigger an eBPF program.

所有這些都是觸發 eBPF 程序的可能點。

And we also have the term k-probe and u-probe.

我們還有 k-探針和 u-探針。

The k-probe is the entry to a kernel function.

k 探針是內核函數的入口。

A k-rep probe is the exit from a kernel function, and correspondingly the same for user space.

k-rep 探針是內核函數的出口，相應地，用戶空間也是如此。

Combination of all these different types of events means we can really run eBPF code in response to pretty much anything that's happening in your Linux machine.

將所有這些不同類型的事件結合起來，意味著我們真的可以運行 eBPF 代碼，以響應 Linux 機器中發生的幾乎任何事情。

So how do we attach the program to an event?

那麼，我們如何將程序附加到活動中呢？

And again, I think it's a little bit helpful to look at the system calls that are happening.

再說一遍，我認為查看正在發生的系統調用會有點幫助。

We're going to not just use the BPF call, but also a couple more system calls per event open, which sets up a trace point.

我們不僅要使用 BPF 調用，還要在每個事件打開時再使用幾個系統調用，這樣就能設置一個跟蹤點。

So program load gives us a file descriptor that I've called x here.

是以，程序加載為我們提供了一個文件描述符，我在這裡稱之為 x。

The trace point comes back as y, and then there's an IO control event that associates the trace point with the program that should be triggered.

跟蹤點的返回值為 y，然後會出現一個 IO 控制事件，將跟蹤點與應觸發的程序關聯起來。

So again we can take a look at that in our BPF trace example.

是以，我們可以在 BPF 跟蹤示例中再次看到這一點。

Again, I just trace out those additional system calls to event, oops, event open, and let's see.

同樣，我只需追蹤出這些額外的系統調用事件，哎呀，事件打開，讓我們來看看。

Again, it doesn't really matter too much exactly what's happening.

同樣，到底發生了什麼並不重要。

I just really want to show you this program load BPF call that comes back with the file descriptor of nine.

我只是想向你展示一下這個程序加載 BPF 調用，它返回的文件描述符是 9。

There should be perf event open.

應該有灌水活動開放。

Yeah, this perf event open here, which comes back with a file descriptor of eight.

是的，這個 perf 事件在這裡打開，返回的文件描述符為 8。

And then here is the IO control that associates eight and nine and says, this is the BPF program that I want you to run when we hit that trace point.

然後這裡是 IO 控制，它將 8 和 9 聯繫起來，並說："這是 BPF 程序，當我們到達跟蹤點時，我希望你運行它。

So loading the program and associating the program with the trace point is something we're going to have to do from user space.

是以，加載程序並將程序與跟蹤點關聯起來，是我們必須在用戶空間完成的工作。

Okay, so if we want to write hello world in eBPF, what do we need to do?

好了，如果我們想用 eBPF 寫 hello world，需要做些什麼呢？

What do we need to have in place?

我們需要準備些什麼？

We know we're going to have to write some C code that's going to run in the kernel and that's going to get compiled by Clang.

我們知道，我們需要編寫一些 C 代碼，這些代碼將在內核中運行，並由 Clang 進行編譯。

And we're going to have to write some user space code that gets the tracing, the hello world message from the kernel and displays it.

我們需要編寫一些用戶空間代碼，從內核獲取並顯示 "hello world "資訊。

And we can write that, at least in theory, we can write it in any language of our choice.

至少在理論上，我們可以用我們選擇的任何語言來寫。

For most of us, we don't typically interact with system calls very often when we're writing user space applications.

對於我們大多數人來說，在編寫用戶空間應用程序時，通常不會經常與系統調用交互。

There's usually some level of abstraction.

通常會有一定程度的抽象。

And in fact, many of us don't know that system calls exist.

事實上，我們很多人都不知道系統調用的存在。

We don't have to deal with them on a day-to-day basis.

我們不必每天與他們打交道。

For BPF, there is, we would want a library, a BPF library that gives us a higher level of abstraction over those BPF system calls and things like the perf event open that we just saw.

對於 BPF 來說，我們需要一個庫，一個 BPF 庫，它能為我們提供更高級別的 BPF 系統調用抽象，比如我們剛才看到的 perf 事件打開。

And the library that I'm going to use today is called libbpf-go.

我今天要使用的庫叫做 libbpf-go。

And we actually wrote this as part of a tool called Tracy that's an eBPF security event detection tool we're working on.

實際上，我們將其作為一個名為 Tracy 的工具的一部分來編寫，該工具是我們正在開發的一個 eBPF 安全事件檢測工具。

And we've isolated the libbpf wrapper.

我們已經隔離了 libbpf 封裝程序。

So there's a C library called libbpf, which is a wrapper for the system calls.

是以，有一個名為 libbpf 的 C 語言庫，它是系統調用的包裝器。

And libbpf-go is a pretty thin go wrapper, giving us go bindings around those libbpf interface.

libbpf-go 是一個很薄的 go 封裝器，為我們提供了 libbpf 接口的 go 綁定。

So we're going to write some go code that uses libbpf-go.

是以，我們要編寫一些使用 libbpf-go 的 go 代碼。

And we're also going to write some C code, which we're going to compile into eBPF objects using the Clang compiler.

我們還將編寫一些 C 代碼，並使用 Clang 編譯器將其編譯成 eBPF 對象。

And then the go code is going to read that object file, get the contents out, insert it into the kernel.

然後，go 代碼將讀取該對象文件，取出其中的內容，並將其插入內核。

So we have an object file that has the eBPF code and the definition of any maps.

是以，我們有一個包含 eBPF 代碼和地圖定義的對象文件。

Talk about maps a bit more later.

稍後再談地圖。

We have our user space code that's driving our system calls and has the kind of logic around what programs we want to run, what we want to attach them to.

我們有用戶空間代碼來驅動我們的系統調用，並圍繞我們想要運行的程序和我們想要將它們附加到的程序進行邏輯設計。

When the user space code calls that BPF program load, it sends the program to the kernel.

當用戶空間代碼調用 BPF 程序加載時，它會將程序發送到內核。

The kernel will verify it, make sure that it's safe to run.

內核會對其進行驗證，確保可以安全運行。

And if it is, it will start running it inside this BPF virtual machine.

如果是，它就會開始在這個 BPF 虛擬機內運行。

So we're going to build two objects.

是以，我們要創建兩個對象。

We've got two different compilation steps.

我們有兩個不同的編譯步驟。

We've got to use the go compiler, go build, to create a go executable.

我們必須使用 go 編譯器 go build 來創建 go 可執行文件。

And we're going to use Clang to build the BPF object file.

我們將使用 Clang 來構建 BPF 對象文件。

All right.

好吧

I think we have enough to actually start writing some code.

我想我們已經有足夠的能力開始編寫一些代碼了。

So let's go to my editor.

那就去找我的編輯吧

And this is my make file.

這是我的製作文件。

It's pretty much exactly what I just showed you on the slide.

這和我剛才在幻燈片上給你們演示的幾乎一模一樣。

So we have a go build step and a Clang step for building the eBPF object.

是以，我們有一個 go 生成步驟和一個 Clang 生成步驟來生成 eBPF 對象。

And let's start with the C code.

讓我們從 C 代碼開始。

So I'm going to write a function called hello.

是以，我要編寫一個名為 hello 的函數。

Exit context pointer, they all do.

退出上下文指針，它們都是如此。

I'm going to just do some hello world tracing.

我要做一些 hello world 跟蹤。

So let's say hello, go topia.

所以，讓我們打個招呼吧，走吧，topia。

And we'll return zero exit code.

我們將返回零退出代碼。

The other thing I have to do is define an object code section.

我要做的另一件事是定義對象代碼部分。

This tells the, essentially, the object loader what kind of BPF program this is going to be.

這主要是告訴對象加載器這將是一個什麼樣的 BPF 程序。

This is kind of a level of detail we don't need to worry about too much today.

今天，我們不需要過多地擔心這些細節。

But you can write, you can use different helper functions and do different things depending on the type of program you're running and the type of event you're attaching it to.

但你可以編寫、使用不同的輔助函數，並根據運行的程序類型和附加的事件類型做不同的事情。

So I'm going to attach to a K probe the entry point to a function in a kernel.

是以，我要在 K 探針上附加內核函數的入口點。

And I'm actually going to run this whenever the system call exec V gets triggered.

實際上，只要系統調用 exec V 被觸發，我就會運行這個程序。

So that's my C code.

這就是我的 C 代碼。

And let's compile that.

讓我們來彙編一下。

So I'm just going to run the make on my BPF object file target to start with.

是以，我將首先在我的 BPF 對象文件目標上運行 make。

And that should give me an object file that I can look at.

這樣我就可以查看對象文件了。

And there are a couple of interesting things to look at in this object file.

在這個對象文件中，有幾個有趣的地方值得關注。

So, first of all, it's a little engine machine.

首先，它是一臺小型發動機。

I will need that in a moment.

我馬上就需要。

And this object file is designed, it's compiled to run in a Linux BPF virtual machine.

這個對象文件經過設計和編譯，可以在 Linux BPF 虛擬機中運行。

We can see here's the section declaration for the fact that it's running as a K probe on sysex exec V.

我們可以看到這裡的部分聲明，它是作為 K 探針在 sysex exec V 上運行的。

And here is the function name.

這裡是函數名稱。

So I might say eBPF program.

是以，我可以說是 eBPF 計劃。

A program is really a function.

程序其實就是函數。

So that information from the L file is what is going to help the Go code know how to insert it into the kernel.

是以，L 文件中的資訊將幫助 Go 代碼知道如何將其插入內核。

So let's write some Go code.

那麼，讓我們來編寫一些 Go 代碼吧。

Right.

對

I already have a reference to libBPF Go here.

我已經在這裡引用了 libBPF Go。

And I have a convenience function called must that I'm going to use to trap any errors and panic crash if we see any errors.

我有一個名為 must 的便利函數，用來捕獲任何錯誤，並在出現任何錯誤時立即崩潰。

Hopefully we won't hit that.

希望我們不會遇到這種情況。

Don't do that in production.

不要在生產中這樣做。

Really bad idea.

真是個餿主意。

But it will be fine for demo purposes.

但用於演示還是沒問題的。

So the first thing I'm going to do is I'm going to open this file.

所以我要做的第一件事就是打開這個文件。

I'm going to do new module from file.

我要從文件中創建新模塊。

And reading from that object file that we just built.

然後讀取我們剛剛創建的對象文件。

We want to catch any errors.

我們希望發現任何錯誤。

And I'm going to use a defer.