bpf_labs

Introduction to eBPF

This document provides a guide to setting up your host system for eBPF (Extended Berkeley Packet Filter) development and experimentation, and introduces some tools from the iovisor project (bcc, bpftrace) and Aqua Security (Tracee).

1. Prepare the Host for BCC (BPF Compiler Collection)

These steps will install the BCC tools and necessary dependencies.

Add iovisor Repository and Install Packages:

Note on apt-key: The apt-key add command is deprecated on many modern Linux systems. You might need to adapt the key addition method (e.g., by downloading the key and placing it in /etc/apt/keyrings/, then modifying the sources.list.d entry).

# Add iovisor GPG key (deprecated method)
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD

# Add iovisor repository. The second line correctly uses your distribution's codename,
# effectively overwriting the 'bionic' specific line if it was for a different release.
# For Ubuntu Bionic (18.04):
# echo "deb https://repo.iovisor.org/apt/bionic bionic main" | sudo tee /etc/apt/sources.list.d/iovisor.list
# For your current distribution's codename (recommended):
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list

sudo apt-get update
# Install BCC packages and kernel headers for your current kernel
sudo apt-get -y install libbcc python-bcc python3-bcc bcc-tools libbcc-examples linux-headers-$(uname -r)

(Removed the commented-out duplicate apt-key command. Clarified the iovisor.list lines.)

2. Playing with BCC Tools

BCC (BPF Compiler Collection) is a toolkit for creating efficient kernel tracing and manipulation programs. Many pre-built tools are available. Project Link: https://github.com/iovisor/bcc

Navigate to the BCC tools directory: The installed BCC tools are typically located here:
```
cd /usr/share/bcc/tools
```
Run example BCC tools:(These commands must be run with sudo and from the /usr/share/bcc/tools directory.)
Trace new TCP connections (SYN/ACK):
```
sudo ./tcplife
```
Trace new TCP active connections (connect()):
```
sudo ./tcpconnect
```
Trace new TCP passive connections (accept()):
```
sudo ./tcpaccept
```
Sniff SSL/TLS traffic (requires libssl/libcrypto to be dynamically linked, may not work for all processes):
```
sudo ./sslsniff
```
Capture commands typed into bash shells:
```
sudo ./bashreadline
```
For more tools and tutorials, check out the BCC Tutorial.

3. Playing with bpftrace

bpftrace is a high-level tracing language for Linux eBPF. Project Link: https://github.com/iovisor/bpftrace

3.1 Install bpftrace using Snap

# Install bpftrace using snap (devmode is often required for system-level tracing capabilities)
sudo snap install --devmode bpftrace
# Connect necessary interfaces for bpftrace to function correctly
sudo snap connect bpftrace:system-trace

(The commented #sudo snap install bpftrace was removed as the --devmode version is more likely to work for eBPF tasks.)

3.2 Running bpftrace via Docker (Alternative)

You can also run bpftrace using a Docker container provided by iovisor. This requires mounting several host directories and running in privileged mode.

Example 1: With host networking and PID namespace This allows bpftrace to see all host processes and network interfaces easily.

sudo docker run --rm -ti \
       -v /usr/src:/usr/src:ro \
       -v /lib/modules/:/lib/modules:ro \
       -v /sys/kernel/debug/:/sys/kernel/debug:rw \
       --net=host --pid=host --privileged \
       quay.io/iovisor/bpftrace:latest \
       tcplife.bt

(Added --rm for auto-cleanup.)

Example 2: Without host networking/PID, but still privileged This version is slightly more confined but still requires high privileges. It might be used if you want to trace processes within the container's own PID namespace or specific network interfaces if not using --net=host. For system-wide tracing like tcplife.bt, Example 1 is generally more suitable.

sudo docker run --rm -ti \
       -v /usr/src:/usr/src:ro \
       -v /lib/modules/:/lib/modules:ro \
       -v /sys/kernel/debug/:/sys/kernel/debug:rw \
       --privileged \
       quay.io/iovisor/bpftrace:latest \
       tcplife.bt

(Added --rm and a brief explanation of the difference.)

Note on Container Interaction: The original hint "maybe you can enter a container from another container" likely refers to advanced scenarios where one container (e.g., a privileged bpftrace container) might be used to inspect or interact with processes or network traffic of other containers on the same host, leveraging its privileged access to the host's kernel and namespaces.

4. Playing with Tracee

Tracee is a runtime security and forensics tool by Aqua Security that uses eBPF. Project Link: https://github.com/aquasecurity/tracee

Run Tracee using Docker. It also requires privileged access and volume mounts.

Example 1: Default Tracee operation (traces host and containers)

docker run --name tracee --rm --privileged \
  -v /lib/modules/:/lib/modules/:ro \
  -v /usr/src:/usr/src:ro \
  aquasec/tracee:latest

Example 2: Tracee with container filtering The --container flag (or other filtering flags provided by Tracee) can be used to focus on specific containers or events. Refer to Tracee documentation for advanced filtering.

docker run --name tracee --rm --privileged \
  -v /lib/modules/:/lib/modules/:ro \
  -v /usr/src:/usr/src:ro \
  aquasec/tracee:latest --filter container=new # Example: trace only newly created containers
  # The original had just '--container'. Tracee's flags might be more specific, e.g., '--filter container=new' or '--filter pid=new'
  # Or to trace specific existing containers, you might need different flags.
  # For general container events:
  # docker run --name tracee --rm --privileged -v /etc/os-release:/etc/os-release-host:ro -v /lib/modules/:/lib/modules/:ro -v /usr/src:/usr/src:ro -v /tmp/tracee:/tmp/tracee aquasec/tracee:latest --events container_created,container_removed

(Clarified Tracee flags and added a more specific example, as --container alone might not be a valid flag or might need a value. Pointed to Tracee docs.)

Home

Previousapi_access_via_pod Nextcontainer_networking

Last updated 6 months ago