Usage
Usage
The only file you will need to write is:
your_program.bpf.c
your_program.h # optional, if you want to use ring buffer to export events
after that, simply run this:
$ docker run -it -v /path/to/repo/:/src yunwei37/ebpm:latest # use absolute path
you will get a package.json in your root dir. Just run:
$ sudo ./ecli run package.json
to start it you can download ecli tool from eunomia-bpf/releases, we have pre-build binaries for linux x86. Small and No dependencies, besides glibc and glibcxx. Or just run this:
$ wget https://aka.pw/bpf-ecli -O ecli && chmod +x ecli
The eBPF compiled code can run on different kernel versions(CO-RE). see: github.com/eunomia-bpf/eunomia-bpf for details.
container image
simply run:
$ docker run -it -v /path/to/repo:/src yunwei37/ebpm
Or you can do that without a container, which is listed below:
Github actions
Use this as a github action, to compile online: see eunomia-bpf/ebpm-template). Only three steps
- use this repo as a github template: see creating-a-repository-from-a-template
- modify the
bootstrap.bpf.c, commit it and wait for the workflow to stop - Run the
ecliwith remote url:
$ sudo ./ecli run https://eunomia-bpf.github.io/ebpm-template/package.json
Notifications
-
We use the same c ebpf code as libbpf, so most libbpf ebpf c code can run without any modification.
-
Supported ebpf program types:
kprobe,tracepoint,fentry, we will add more types in the future. -
If you want to use ring buffer to export events, you need to add
your_program.hto your repo, and define the export data type in it, the export data type should be a Cstruct, for example:struct process_event { int pid; int ppid; unsigned exit_code; unsigned long long duration_ns; char comm[TASK_COMM_LEN]; char filename[MAX_FILENAME_LEN]; int exit_event; };The name and field types are not limited, but we will prefer use standard C types. If multiple struct exists in the header, we will use the first one. The feature is only enabled if we found a
BPF_MAP_TYPE_RINGBUFmap exists in the ebpf program.