When asked for a good source to learn how to write BPF code, I send people to the BPF Compiler Collection (BCC) project: https://github.com/iovisor/bcc. In addition to a C/C++ library for BPF and bindings in Python and Lua, it contains various tracing tools with clear examples of how to use them. It’s useful to read the source of those tools to learn the coding patterns with BPF. A number of the gadgets in Inspektor Gadget, such as execsnoop and opensnoop, are directly based on the BCC tools execsnoop and opensnoop without modifications.
