Quick Start
Get up and running with eBPF development in under 30 minutes! This guide will get you from zero to your first working eBPF tool.
🚀 TL;DR - Super Quick Start

```bash
# 1. Clone the repository
git clone https://github.com/xmigrate/ebee.git
cd ebee
# 2. Install dependencies (Linux only)
make install
# 3. Generate kernel headers
make gen_vmlinux
# 4. Build the project
make deps && make build
# 5. Run your first eBPF tool!
sudo ./ebee execsnoop
```
That's it!
If the above commands worked, you now have a working eBPF development environment! Keep reading to understand what just happened.
📋 Step-by-Step Setup
Step 1: Clone the Repository
Step 2: Check Your System
Prerequisites
Make sure you have:
- Linux kernel 4.18+ (`uname -r`)
- Root access (`sudo whoami`)
- Internet connection for downloads
Step 3: Install Dependencies
Step 4: Generate Kernel Headers
This is the magic that makes eBPF development possible:
What's happening?
This command creates `bpf/headers/vmlinux.h`, containing all the kernel data structures your eBPF programs need to access.
Step 5: Build the Project
Step 6: Test Your First Tool
You should see output like:

```text
Monitoring process executions... Press Ctrl+C to stop
PID Command Arguments
--- ------- ----------
1234 bash bash
5678 ls ls
9012 cat cat
```
Generate Some Events
Open another terminal and run commands like ls, cat, or ps to see them appear in execsnoop!
🎯 What You Just Built
Congratulations! You just:
- Set up a complete eBPF development environment
- Generated kernel headers for type-safe eBPF programming
- Compiled eBPF C code to bytecode
- Built a Go userspace application that loads eBPF programs
- Ran a real-time process monitor using eBPF
🔍 Understanding Your First Tool
Let's peek at what you just built:
The eBPF Program (bpf/execsnoop.c)

```c
#include "vmlinux.h"                 // generated by `make gen_vmlinux`
#include <bpf/bpf_helpers.h>
struct data_t { u32 pid; char comm[16]; };   // event record shared with userspace (minimal fields for this excerpt)

struct {                                     // BPF ring buffer (BPF_MAP_TYPE_RINGBUF needs Linux 5.8+)
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 256 * 1024);
} events SEC(".maps");

SEC("tracepoint/sched/sched_process_exec")
int trace_exec(struct trace_event_raw_sched_process_exec *ctx) {
    // This runs in kernel space whenever a process starts!
    struct data_t *data = bpf_ringbuf_reserve(&events, sizeof(*data), 0);
    if (!data) return 0;   // ring buffer full: drop the event rather than block
    data->pid = bpf_get_current_pid_tgid() & 0xFFFFFFFF;   // low 32 bits hold the pid, high 32 the tgid
    bpf_get_current_comm(&data->comm, sizeof(data->comm));
    bpf_ringbuf_submit(data, 0);
    return 0;
}
char LICENSE[] SEC("license") = "GPL";       // required for GPL-only helpers
```
The Go Application (cmd/execsnoop.go)

```go
// Load eBPF program into kernel (bpf2go-style generated bindings)
objs := execsnoopObjects{}
if err := loadExecsnoopObjects(&objs, nil); err != nil {
	log.Fatalf("loading eBPF objects: %v", err)
}
// Attach to kernel tracepoint
tp, err := link.Tracepoint("sched", "sched_process_exec", objs.TraceExec, nil)
if err != nil {
	log.Fatalf("attaching tracepoint: %v", err)
}
// Read events from kernel
rd, err := ringbuf.NewReader(objs.Events)
if err != nil {
	log.Fatalf("opening ring buffer: %v", err)
}
// ... process events and display them
```
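The "process events" step is where the raw bytes the kernel program submitted get turned back into rows. As an added example (not code from the ebee repository), the decoder below mirrors the `struct data_t` layout assumed from the excerpt above (a 32-bit `pid` followed by a 16-byte `comm`) and rejects records that are too short to hold it; `execEvent`, `decodeExecEvent`, `commString` and `formatRow` are names chosen here.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// execEvent mirrors struct data_t from the kernel program: a 32-bit PID followed
// by a 16-byte NUL-padded command name. Layout is assumed from the excerpt; field
// order and sizes must match the C side byte for byte or the decode is garbage.
type execEvent struct {
	Pid  uint32
	Comm [16]byte
}

// decodeExecEvent converts one raw ring-buffer sample (ringbuf.Record.RawSample
// in cilium/ebpf) into an execEvent, rejecting records too short to hold data_t.
func decodeExecEvent(raw []byte) (execEvent, error) {
	var ev execEvent
	if len(raw) < binary.Size(ev) {
		return ev, errors.New("record shorter than struct data_t")
	}
	// eBPF data uses the host byte order; x86-64 and arm64 are little-endian.
	err := binary.Read(bytes.NewReader(raw), binary.LittleEndian, &ev)
	return ev, err
}

// commString drops the NUL padding bpf_get_current_comm leaves in the buffer.
func commString(ev execEvent) string {
	if n := bytes.IndexByte(ev.Comm[:], 0); n >= 0 {
		return string(ev.Comm[:n])
	}
	return string(ev.Comm[:])
}

// formatRow renders one event in the PID / Command columns execsnoop prints.
func formatRow(ev execEvent) string {
	return fmt.Sprintf("%-8d %s", ev.Pid, commString(ev))
}

func main() {
	// Constructed sample: the record the kernel side would submit for PID 1234 running "bash".
	raw := append([]byte{0xd2, 0x04, 0x00, 0x00}, []byte("bash\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")...)
	ev, err := decodeExecEvent(raw)
	if err != nil {
		panic(err)
	}
	fmt.Println(formatRow(ev)) // 1234     bash
}
```

In the real tool the sample bytes come from `rd.Read()` on the ring buffer reader; everything after that point is the same decoding.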
🚦 Next Steps
Now that you have a working environment, choose your path:
- Learn the Fundamentals: understand how eBPF works under the hood
- Build Your Own Tool: create a complete eBPF tool from scratch
- Explore More Tools: learn from existing tool implementations
🐛 Troubleshooting
Common Issues
vmlinux.h not found
Getting Help
- Check our troubleshooting guide
- Search GitHub issues
- Ask in GitHub discussions
🎉 Success!
You now have:
- ✅ Working eBPF development environment
- ✅ Understanding of the basic workflow
- ✅ A real monitoring tool running on your system
- ✅ Foundation to build more complex tools
Ready to dive deeper? Let's understand how eBPF works!
📊 Development Workflow
This is the workflow you'll follow for every eBPF tool:

```mermaid
graph TD
    A[Write eBPF C Program] --> B[Write Go Userspace App]
    B --> C[Update Makefile]
    C --> D[Build Project]
    D --> E[Test Tool]
    E --> F{Works?}
    F -->|No| G[Debug & Fix]
    G --> D
    F -->|Yes| H[Document & Share]
    style A fill:#e1f5fe
    style B fill:#f3e5f5
    style H fill:#e8f5e8
```
You've just completed this entire workflow! 🎯