debugging: slides: develop eBPF part in the training

eBPF is currently mentioned in the training, but it is far from enough to give enough knowledge to start writing some tooling in eBPF: we only mention the core concepts, introduce two tracing/profiling frameworks, and have no lab about it. Add core content to really teach how to manipulate eBPF. The new content brings the following organization: - general intro: how and why, the setup, the core components - writing ebpf programs - managing ebpf programs with bcc - manual operations with clang and bpftool - managing ebpf programs with libbpf The new content is integrated in the "System Wide Profiling and Tracing" part, and has been put as the last subpart (just after LTTng) Also, since the new corresponding lab is big enough, it is done separately from the current system wide tracing lab. Signed-off-by: Alexis Lothoré <[email protected]>
bootlin · Aug 26, 2024 · 88d205b · 88d205b
1 parent 88e7e74
commit 88d205b
Show file tree

Hide file tree

Showing 4 changed files with 1,858 additions and 294 deletions.
diff --git a/labs/debugging-ebpf/debugging-ebpf.tex b/labs/debugging-ebpf/debugging-ebpf.tex
@@ -165,7 +165,13 @@ \section{Improving our program}
 As a final improvement, we will trace the parent PID as well to know who is starting any program.
 \begin{itemize}
   \item Edit your eBPF program to read the parent PID. This info can be captured by retrieving the current \code{struct task_struct}, and identifying the relevant fields. Check both Elixir for the layout of \code{struct task_struct}, and \manpage{bpf-helpers}{7} to learn how to get the current task.
-  \item We are using CO-RE definition for kernel data (through vmlinux.h), so we can not dereference directly a \code{struct task_struct} in our eBPF program, we must use helpers to retrieve struct fields. You can check \href{https://nakryiko.com/posts/bpf-core-reference-guide/#the-missing-manual}{this blog post from Andrii Nakryiko} to learn about such helpers.
+  \item We are using CO-RE definition for kernel data (through vmlinux.h), so
+  we can not dereference directly a \code{struct task_struct} in our eBPF
+  program, we must use helpers to retrieve struct fields. You can check
+  \href{https://nakryiko.com/posts/bpf-core-reference-guide/#the-missing-manual}{this
+  blog post from Andrii Nakryiko} to learn about such helpers. Also, you will
+  need to check \kstruct{task_struct} to know what field to extract to get the
+  parent PID.
   \item Update your userspace program to read and print the newly captured value
 \end{itemize}