The Fastest Way to Set Up an eBPF Development Environment

Environment setup

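Start the container

`--privileged` gives the container the privileges needed to load BPF programs and attach kprobes. The host's `/lib/modules`, `/sys` and `/usr/src` are mounted read-only so that BCC can compile against the running kernel's headers.

```bash
sudo docker run --rm -it --privileged \
  -v /lib/modules:/lib/modules:ro \
  -v /sys:/sys:ro \
  -v /usr/src:/usr/src:ro \
  alpine:3.12
```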

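Install dependencies

```bash
# Point apk at the Tsinghua mirror instead of the default CDN
sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories

# Install the BCC tools and their documentation
apk add bcc-tools bcc-doc
```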

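Test

hello.c

```c
/* kprobe handler: runs each time the probed kernel function is entered */
int hello_world(void *ctx)
{
	/* write a message to the kernel trace pipe */
	bpf_trace_printk("Hello, World");
	return 0;
}
```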

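hello.py

```python
from bcc import BPF

# Compile hello.c and load it into the kernel
b = BPF(src_file="hello.c")
# Run hello_world() on every entry to do_sys_openat2 (the open/openat path)
b.attach_kprobe(event="do_sys_openat2", fn_name="hello_world")

# Print lines from the kernel trace pipe until interrupted
b.trace_print()
```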

Run it; "Hello, World" is printed:

```bash
/ # python3 hello.py

In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:90:
include/linux/compiler-clang.h:41:9: warning: '__HAVE_BUILTIN_BSWAP32__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP32__
        ^
<command line>:4:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP32__ 1
        ^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:90:
include/linux/compiler-clang.h:42:9: warning: '__HAVE_BUILTIN_BSWAP64__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP64__
        ^
<command line>:5:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP64__ 1
        ^
In file included from <built-in>:2:
In file included from /virtual/include/bcc/bpf.h:12:
In file included from include/linux/types.h:6:
In file included from include/uapi/linux/types.h:14:
In file included from ./include/uapi/linux/posix_types.h:5:
In file included from include/linux/stddef.h:5:
In file included from include/uapi/linux/stddef.h:5:
In file included from include/linux/compiler_types.h:90:
include/linux/compiler-clang.h:43:9: warning: '__HAVE_BUILTIN_BSWAP16__' macro redefined [-Wmacro-redefined]
#define __HAVE_BUILTIN_BSWAP16__
        ^
<command line>:3:9: note: previous definition is here
#define __HAVE_BUILTIN_BSWAP16__ 1
        ^
3 warnings generated.
b'         python3-1056231 [005] d..31 1056012.574165: bpf_trace_printk: Hello, World'
b'         python3-1056231 [005] d..31 1056012.574277: bpf_trace_printk: Hello, World'
b'         python3-1056231 [005] d..31 1056012.574734: bpf_trace_printk: Hello, World'
b'           <...>-1059946 [006] d..31 1056300.636287: bpf_trace_printk: Hello, World'
b'           <...>-6346    [001] d..31 1056300.673240: bpf_trace_printk: Hello, World'
b'           <...>-6346    [001] d..31 1056300.673277: bpf_trace_printk: Hello, World'
b'           <...>-6346    [001] d..31 1056300.673287: bpf_trace_printk: Hello, World'
b'           <...>-6346    [001] d..31 1056300.673648: bpf_trace_printk: Hello, World'
b'           <...>-6346    [001] d..31 1056300.673666: bpf_trace_printk: Hello, World'
b'           <...>-6346    [001] d..31 1056300.673676: bpf_trace_printk: Hello, World'
b'           <...>-6346    [001] d..31 1056300.673685: bpf_trace_printk: Hello, World'
```
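Each line printed by `b.trace_print()` has the layout `task-pid [cpu] flags timestamp: bpf_trace_printk: message`. The following added example (not part of the original post) parses such lines into fields and counts open events per PID; the function names are hypothetical, and the sample lines are copied from the output above plus one constructed line whose task name contains a dash.

```python
import re
from collections import Counter

# The task name may contain '-' or be "<...>" (name not resolved), so the
# greedy (.+) leaves only the final "-<digits>" before "[cpu]" to the pid group.
LINE_RE = re.compile(
    r"^\s*(?P<task>.+)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+"
    r"(?P<ts>\d+\.\d+):\s+bpf_trace_printk:\s?(?P<msg>.*)$"
)

def parse_trace_line(raw):
    """Return the fields of one trace line, or None if it is not a printk event."""
    text = raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw
    m = LINE_RE.match(text.rstrip("\n"))
    if m is None:
        return None  # e.g. compiler warnings interleaved with the trace output
    return {
        "task": m["task"],
        "pid": int(m["pid"]),
        "cpu": int(m["cpu"]),
        "flags": m["flags"],
        "ts": float(m["ts"]),
        "msg": m["msg"],
    }

def events_per_pid(lines):
    """Count parsed events per PID, skipping lines that do not match."""
    parsed = (parse_trace_line(line) for line in lines)
    return Counter(rec["pid"] for rec in parsed if rec is not None)

# Sample input: first five lines are from the run above, the last is constructed.
SAMPLE = [
    b"3 warnings generated.",
    b"         python3-1056231 [005] d..31 1056012.574165: bpf_trace_printk: Hello, World",
    b"         python3-1056231 [005] d..31 1056012.574277: bpf_trace_printk: Hello, World",
    b"           <...>-1059946 [006] d..31 1056300.636287: bpf_trace_printk: Hello, World",
    b"           <...>-6346    [001] d..31 1056300.673240: bpf_trace_printk: Hello, World",
    b"    my-daemon-4242 [000] d..31 1056301.000001: bpf_trace_printk: Hello, World",
]

if __name__ == "__main__":
    for pid, count in events_per_pid(SAMPLE).most_common():
        print(pid, count)
```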