Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security

What is eBPF? With this revolutionary technology, you can write custom code that dynamically changes the way the kernel behaves. It's an extraordinary platform for building a whole new generation of security, observability, and networking tools.

This practical book is ideal for developers, system administrators, operators, and students who are curious about eBPF and want to know how it works. Author Liz Rice, chief open source officer with cloud native networking and security specialists Isovalent, also provides a foundation for those who want to explore writing eBPF programs themselves.

With this book, you will:

- Learn why eBPF has become so important in the past couple of years
- Write basic eBPF code, and manipulate eBPF programs and attach them to events
- Explore how eBPF components interact with Linux to dynamically change the operating system's behavior
- Learn how tools based on eBPF can instrument applications without changes to the apps or their configuration
- Discover how this technology enables new tools for observability, security, and networking

371 pages, Kindle Edition

Published March 7, 2023


About the author

Liz Rice

9 books, 18 followers

Ratings & Reviews


Community Reviews

5 stars: 26 (56%)
4 stars: 16 (34%)
3 stars: 4 (8%)
2 stars: 0 (0%)
1 star: 0 (0%)
Displaying 1 - 6 of 6 reviews
Emre Sevinç
176 reviews, 431 followers
January 12, 2024
This is an excellent book on a very narrow and deep technical topic that is also a fast-moving target. As aptly described in ebpf.io, "eBPF is a revolutionary technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading a kernel module." In other words, without going through the pains and suffering of being a Linux kernel developer, you can wield some of their power by tapping into events at a very low level, tracing them, observing what they do, messing with the network packets, and so forth. Of course, the majority of the business application developers won't do that, but for the minority of low-level programmers that want to have impact, the use cases and techniques presented in this book are the perfect starting point for their imagination.

But what made me read this book? Well, first of all, I saw that Richard Startin praised it, and then I realized that Kemal Akkoyun, an expert focused on building an eBPF-based whole-system performance profiler and one of the core developers of parca (continuous profiling for analysis of CPU and memory usage, down to the line number and throughout time) will give a talk at FOSDEM, titled "Profiling Python with eBPF: A New Frontier in Performance Analysis". On top of that, I've recently come across a Java expert writing about using eBPF in Java: "Hello eBPF: Developing eBPF Apps in Java (1)". Needless to say, the combination of performance engineering, low-level Linux aspects, and high-level programming in Python and Java was more than enough to draw my interest to this book, and I must admit I'm totally satisfied.

I also liked the author's pedagogical approach: the book expects some technical background and maturity from the reader, but for those people, it presents each chapter with excellent descriptions, examples, very useful references & pointers, as well as motivating programming exercises. One of the things I can't praise enough is the care taken by the author to provide relevant links directly to the Linux source code in C for eBPF-related files (such as this one), as well as all those relevant links to the relevant Linux kernel documentation.

After having come across eBPF practically for the first time in Brendan Gregg's famous Systems Performance book, I must say that "Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security" bolstered my understanding of relevant topics, so that I'm more prepared to tackle recent USENIX papers such as "Cross Container Attacks: The Bewildered eBPF on Clouds".

Another thing I learned from this book is the ongoing efforts to have eBPF capability on the Microsoft Windows operating system. I was pretty much surprised by this, and I'm glad such observation and instrumentation capabilities will not be limited to Linux!

One last point of praise: from a computer science perspective, I really appreciated "Chapter 6. The eBPF Verifier". It even made me think about the famous "halting problem". :)

Conclusion: I strongly recommend this excellent technical book to people who want to discover the details of eBPF.
7 reviews
April 3, 2023
The book is awesome for everybody who wants to jump into eBPF, and who wants to write their first small eBPF programs.

The entry barrier into the eBPF world was high for a user-space dev like me. But thanks to this book it's not true anymore.

The book goes through all 3 aspects of eBPF - observability, networking and security. You will learn how to inject programs, how to communicate with your user-space program via maps. How to use eBPF in Go, Python, Rust. What libraries you can use etc.

If you're familiar with Liz's books, you know she's great at explaining complicated topics in human words. This book is no exception.

I like how Liz is going deep enough. The book is not too deep, not too shallow.

And I need to mention the great examples. For instance: in networking you have 2 examples: packet filtering and simple load balancing. With these 2 examples you have a good overview of how eBPF is dealing with networking. What's the difference between XDP and TC.

Finally I have a book I can refer to, if somebody asks me what's a good resource about eBPF.

Thanks, Liz Rice, for a great book.

..... "eBPF is a platform, not a feature" 🙂

Santiago Alessandri
2 reviews, 2 followers
May 11, 2023
Really well-written intro book to eBPF. Overall it finds the right balance between breadth and depth: it doesn't go into a lot of detail in any specific area but gives enough information to understand what can be done with eBPF and covers pretty much all the fundamentals.

I would say that you definitely need to have a decent background in systems programming to be able to follow the book easily as there are concepts that are assumed to be known.
But if you do, reading the book is easy and goes really quickly.

Highly recommend it if you want to get a good introduction to what eBPF is, its core components and how it works.

Leandro Melendez
Author, 1 book, 7 followers
September 19, 2024
I think people who are trying to learn eBPF should be aware that it is a very deep Linux and kernel topic.
I picked it up expecting to get a performance perspective on how to approach it and take advantage of it. Unfortunately, I think it goes very deep into user memory spaces and the like in the kernel. That's not a bad thing if you are really into that, but to tell the truth it is not what I expected. Maybe someday having understood its fundamentals will be more useful to me.

Lakshay
4 reviews
May 26, 2024
It is the perfect book for learning about eBPFs. It is very well written and has a fantastic flow. Any doubt that I may have got cleared in the next paragraph. Amazing allusions, diagrams, and lots of citations...