Convert Figma logo to code with AI

cilium logoebpf

ebpf-go is a pure-Go library to read, modify and load eBPF programs and attach them to various hooks in the Linux kernel.

6,127
674
6,127
41

Top Related Projects

20,418

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

2,114

Automated upstream mirror for libbpf stand-alone build.

3,578

Linux Runtime Security and Forensics using eBPF

7,328

Cloud Native Runtime Security

High-level tracing language for Linux

A curated list of awesome projects related to eBPF.

Quick Overview

Cilium/ebpf is a pure Go library that provides a robust and efficient way to work with eBPF programs. It allows developers to load, manipulate, and interact with eBPF programs and maps directly from Go, without requiring CGo. This library is particularly useful for building networking, security, and observability tools that leverage eBPF technology.

Pros

  • Pure Go implementation, eliminating the need for CGo and simplifying cross-compilation
  • Comprehensive support for eBPF features, including program types, map types, and helper functions
  • Strong type safety and extensive error checking, reducing the risk of runtime errors
  • Active development and maintenance, with regular updates and improvements

Cons

  • Steeper learning curve compared to some other eBPF libraries, especially for those new to eBPF concepts
  • Limited platform support compared to libbpf (primarily focuses on Linux)
  • May have slightly higher overhead compared to C-based eBPF libraries in some scenarios
  • Documentation, while improving, can be sparse for some advanced use cases

Code Examples

  1. Loading an eBPF program:
spec, err := ebpf.LoadCollectionSpec("path/to/program.o")
if err != nil {
    log.Fatalf("Failed to load eBPF program: %v", err)
}

coll, err := ebpf.NewCollection(spec)
if err != nil {
    log.Fatalf("Failed to create eBPF collection: %v", err)
}
defer coll.Close()
  1. Creating and using an eBPF map:
mapSpec := &ebpf.MapSpec{
    Type:       ebpf.Hash,
    KeySize:    4,
    ValueSize:  4,
    MaxEntries: 1024,
}

myMap, err := ebpf.NewMap(mapSpec)
if err != nil {
    log.Fatalf("Failed to create eBPF map: %v", err)
}
defer myMap.Close()

err = myMap.Put(uint32(1), uint32(100))
if err != nil {
    log.Fatalf("Failed to insert into map: %v", err)
}
  1. Attaching an eBPF program to a network interface:
link, err := link.AttachXDP(link.XDPOptions{
    Program:   coll.Programs["xdp_prog"],
    Interface: "eth0",
})
if err != nil {
    log.Fatalf("Failed to attach XDP program: %v", err)
}
defer link.Close()

Getting Started

To start using cilium/ebpf in your Go project:

  1. Install the library:

    go get github.com/cilium/ebpf
    
  2. Import the library in your Go code:

    import "github.com/cilium/ebpf"
    
  3. Ensure you have the necessary permissions to load eBPF programs (typically root access or CAP_BPF capability).

  4. Start writing your eBPF programs in C and your Go code to load and interact with them using the cilium/ebpf library.

Competitor Comparisons

20,418

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more

Pros of BCC

  • More mature and widely adopted in the eBPF community
  • Extensive collection of pre-built tools for various use cases
  • Supports multiple programming languages (Python, Lua, C++)

Cons of BCC

  • Heavier dependency footprint, requiring LLVM and kernel headers
  • Steeper learning curve for beginners
  • Less suitable for production environments due to compilation overhead

Code Comparison

BCC example (Python):

from bcc import BPF

program = """
int hello(void *ctx) {
    bpf_trace_printk("Hello, World!\\n");
    return 0;
}
"""

b = BPF(text=program)
b.attach_kprobe(event="sys_clone", fn_name="hello")
b.trace_print()

Cilium eBPF example (Go):

import "github.com/cilium/ebpf"

prog, err := ebpf.NewProgram(&ebpf.ProgramSpec{
    Name:    "hello",
    Type:    ebpf.Kprobe,
    Instructions: ebpf.Instructions{
        ebpf.FnTracePrintk.Call().Const("Hello, World!\n"),
        ebpf.Return(),
    },
})

Both libraries provide eBPF functionality, but Cilium eBPF offers a more lightweight and production-ready approach, while BCC excels in rapid prototyping and provides a rich set of pre-built tools for various use cases.

2,114

Automated upstream mirror for libbpf stand-alone build.

Pros of libbpf

  • Written in C, providing low-level access and potentially better performance
  • Closer to the kernel, offering more direct control over eBPF functionality
  • Widely used and supported by the Linux kernel community

Cons of libbpf

  • Steeper learning curve, especially for developers not familiar with C
  • Less abstraction, requiring more manual management of eBPF programs
  • Limited cross-platform support compared to higher-level libraries

Code Comparison

libbpf example:

#include <bpf/bpf.h>
#include <bpf/libbpf.h>

int main() {
    struct bpf_object *obj = bpf_object__open("program.o");
    bpf_object__load(obj);
    // Additional setup and usage
}

ebpf example:

import "github.com/cilium/ebpf"

func main() {
    spec, _ := ebpf.LoadCollectionSpec("program.o")
    coll, _ := ebpf.NewCollection(spec)
    // Additional setup and usage
}

The ebpf library provides a higher-level abstraction, making it easier to work with eBPF programs in Go. It offers a more user-friendly API and handles many low-level details automatically. However, libbpf provides more fine-grained control and is closer to the kernel, which can be advantageous for certain use cases or when maximum performance is required.

3,578

Linux Runtime Security and Forensics using eBPF

Pros of Tracee

  • Focused on runtime security and threat detection
  • Provides a higher-level abstraction for eBPF-based tracing
  • Includes pre-built detection rules and event types

Cons of Tracee

  • More specialized for security use cases
  • Less flexible for general-purpose eBPF programming
  • Steeper learning curve for customization

Code Comparison

Tracee (event definition):

events.RegisterEventType("file_write", &events.RegisterEventTypeParams{
    Name:     "file_write",
    Desc:     "File write operation",
    Origin:   "tracee",
    IsSyscall: true,
})

eBPF (program loading):

spec, err := ebpf.LoadCollectionSpec("path/to/bpf.o")
if err != nil {
    log.Fatalf("failed to load BPF spec: %v", err)
}

Summary

Tracee is a specialized tool for runtime security and threat detection using eBPF, while eBPF is a more general-purpose library for working with eBPF programs. Tracee offers higher-level abstractions and pre-built security features, making it easier to implement security monitoring. However, eBPF provides more flexibility for various eBPF use cases beyond security. The choice between the two depends on the specific requirements of your project and your familiarity with eBPF programming.

7,328

Cloud Native Runtime Security

Pros of Falco

  • Comprehensive security monitoring and threat detection for cloud-native environments
  • Out-of-the-box rules and configurations for common security scenarios
  • Integration with popular alerting and notification systems

Cons of Falco

  • Steeper learning curve for customizing rules and configurations
  • Higher resource consumption compared to lightweight eBPF libraries
  • More focused on security monitoring, less versatile for general-purpose eBPF programming

Code Comparison

Falco rule example:

- rule: Detect Suspicious File Access
  desc: Detect access to sensitive files
  condition: open_read and sensitive_files
  output: "Sensitive file opened for reading (user=%user.name file=%fd.name)"
  priority: WARNING

eBPF program using cilium/ebpf:

const source string = `
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

SEC("kprobe/sys_open")
int kprobe_open(void *ctx) {
    bpf_trace_printk("sys_open called\\n");
    return 0;
}
`

Summary

Falco provides a more comprehensive security monitoring solution with pre-built rules, while cilium/ebpf offers a lower-level library for general-purpose eBPF programming. Falco is better suited for security-focused use cases, while cilium/ebpf provides more flexibility for custom eBPF applications across various domains.

High-level tracing language for Linux

Pros of bpftrace

  • High-level language for writing eBPF programs, making it easier for users to create tracing scripts
  • Extensive built-in functions and probes for common tracing scenarios
  • Supports one-liners for quick debugging and analysis

Cons of bpftrace

  • Limited to tracing and observability use cases
  • May have higher overhead for complex programs compared to lower-level eBPF implementations

Code Comparison

bpftrace example:

#!/usr/bin/env bpftrace
BEGIN {
    printf("Tracing TCP connects. Hit Ctrl-C to end.\n");
}
kprobe:tcp_connect {
    printf("TCP connect: %s\n", comm);
}

ebpf example (using Go):

prog := &ebpf.Program{
    Type:    ebpf.Kprobe,
    Name:    "tcp_connect",
    License: "GPL",
    Instructions: asm.Instructions{
        // eBPF instructions here
    },
}

Summary

bpftrace provides a high-level, user-friendly approach to eBPF tracing, while ebpf offers a more flexible, low-level API for broader eBPF applications. bpftrace is ideal for quick tracing tasks, while ebpf is better suited for complex, performance-critical eBPF programs across various use cases.

A curated list of awesome projects related to eBPF.

Pros of awesome-ebpf

  • Comprehensive collection of eBPF resources and projects
  • Regularly updated with new eBPF-related tools and libraries
  • Serves as a valuable starting point for eBPF exploration and learning

Cons of awesome-ebpf

  • Not a functional library or tool, just a curated list
  • Lacks direct implementation examples or code snippets
  • May include outdated or less maintained projects alongside popular ones

Code comparison

As awesome-ebpf is a curated list and not a functional library, a direct code comparison is not applicable. However, here's an example of how the repositories differ in content:

awesome-ebpf:

## eBPF Learning Resources

- [eBPF.io](https://ebpf.io/)
- [Learn eBPF Tracing](https://github.com/iovisor/bcc/blob/master/docs/tutorial_bcc_python_developer.md)

ebpf:

func (m *Map) Update(key, value interface{}, flags uint64) error {
	keyPtr, err := m.marshalKey(key)
	if err != nil {
		return fmt.Errorf("can't marshal key: %w", err)
	}
	// ... (implementation continues)
}

The awesome-ebpf repository provides a list of resources, while ebpf offers a functional Go library for working with eBPF programs and maps.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

eBPF

PkgGoDev

HoneyGopher

ebpf-go is a pure Go library that provides utilities for loading, compiling, and debugging eBPF programs. It has minimal external dependencies and is intended to be used in long running processes.

See ebpf.io for complementary projects from the wider eBPF ecosystem.

Getting Started

Please take a look at our Getting Started guide.

Contributions are highly encouraged, as they highlight certain use cases of eBPF and the library, and help shape the future of the project.

Getting Help

The community actively monitors our GitHub Discussions page. Please search for existing threads before starting a new one. Refrain from opening issues on the bug tracker if you're just starting out or if you're not sure if something is a bug in the library code.

Alternatively, join the #ebpf-go channel on Slack if you have other questions regarding the project. Note that this channel is ephemeral and has its history erased past a certain point, which is less helpful for others running into the same problem later.

Packages

This library includes the following packages:

  • asm contains a basic assembler, allowing you to write eBPF assembly instructions directly within your Go code. (You don't need to use this if you prefer to write your eBPF program in C.)
  • cmd/bpf2go allows compiling and embedding eBPF programs written in C within Go code. As well as compiling the C code, it auto-generates Go code for loading and manipulating the eBPF program and map objects.
  • link allows attaching eBPF to various hooks
  • perf allows reading from a PERF_EVENT_ARRAY
  • ringbuf allows reading from a BPF_MAP_TYPE_RINGBUF map
  • features implements the equivalent of bpftool feature probe for discovering BPF-related kernel features using native Go.
  • rlimit provides a convenient API to lift the RLIMIT_MEMLOCK constraint on kernels before 5.11.
  • btf allows reading the BPF Type Format.

Requirements

  • A version of Go that is supported by upstream
  • CI is run against kernel.org LTS releases. >= 4.4 should work but EOL'ed versions are not supported.

License

MIT

eBPF Gopher

The eBPF honeygopher is based on the Go gopher designed by Renee French.