This guide covers setting up your development environment for eBPF development with the ebee project.
For Linux users, the setup is straightforward:
# Install all requirements using the Makefile
make install
This will install:
- clang - C compiler for eBPF programs
- llvm - Low Level Virtual Machine (required for eBPF compilation)
- golang - Go programming language
- bpftool - eBPF introspection and manipulation tool
- bpftrace - High-level tracing language for Linux eBPF
On macOS, eBPF development requires Linux kernel headers and tools, so we use Lima to run Ubuntu:
# Install/upgrade Lima + guest agents
brew install lima lima-additional-guestagents || brew upgrade lima lima-additional-guestagents
# Start Ubuntu VM with our configuration
limactl start scripts/default.yaml --name=default --timeout 30m
# Connect to the VM
limactl shell default
# Now run the Linux setup
make install
Once your environment is set up:
Before building, you need to generate the vmlinux.h file which contains kernel type definitions:
# Generate vmlinux.h for the current kernel
make gen_vmlinux
This command uses bpftool to extract BTF (BPF Type Format) information from the running kernel and generate a header file with all kernel type definitions. This is essential for eBPF programs to access kernel data structures.
Note: This step requires root privileges and must be run on the target kernel where you'll be running the eBPF programs.
# Install Go dependencies
make deps
# Generate eBPF Go bindings and build
make build
When adding a new eBPF tool:
- Create eBPF C program in bpf/your_tool.c
- Create Go command in cmd/your_tool.go
- Update Makefile generate target to include your C file
- Add documentation in docs/tools/your_tool.md
- Test thoroughly on both Linux and macOS (via Lima)
# Generate eBPF bindings
make generate
# Build the application
make build
# Clean generated files
make clean
# Run specific tools (requires sudo)
sudo ./ebee rmdetect
sudo ./ebee execsnoop
- Permission Denied: Always run eBPF tools with sudo
- Compilation Errors: Check kernel headers and eBPF program syntax
- Load Errors: Verify that the eBPF program passes the verifier
# Check eBPF program with bpftool
sudo bpftool prog list
# Verify eBPF program loading
sudo bpftool prog load bpf/your_tool.o /sys/fs/bpf/your_tool
# Check tracepoints
sudo cat /sys/kernel/debug/tracing/available_events | grep sched
- Linux Kernel: 4.18+ (for most eBPF features)
- BPF Type Format (BTF): Required for modern eBPF development
- Kernel Headers: Must match your running kernel version
The vmlinux.h file is a crucial component for eBPF development. It contains:
- Kernel Type Definitions: All kernel data structures and types
- BTF Information: BPF Type Format data extracted from the kernel
- Compile-time Safety: Enables type checking for eBPF programs
eBPF programs need to access kernel data structures (like task_struct, inode, etc.). The vmlinux.h file provides:
- Type Safety: Ensures eBPF programs use correct data types
- Field Access: Allows safe access to kernel structure fields
- Compilation: Enables eBPF programs to compile with kernel types
# The gen_vmlinux target runs this command:
sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > ./bpf/headers/vmlinux.h
This command:
- Reads BTF data from /sys/kernel/btf/vmlinux
- Extracts type information from the running kernel
- Generates C header file with all kernel type definitions
- Saves to ./bpf/headers/vmlinux.h
You should regenerate vmlinux.h when:
- Kernel is updated to a new version
- Switching systems with different kernels
- BTF data changes (rare, but possible)
- Compilation errors related to missing kernel types
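A preflight check for the regeneration conditions listed above, as an added example that is not part of the ebee Makefile. It assumes `sha256sum` is available and uses a hypothetical stamp file, `<header>.btf.sha256`, written after each `make gen_vmlinux` to record which kernel BTF the header came from.

```sh
#!/bin/sh
# Added example (not ebee code): detect a missing or stale vmlinux.h.
# The stamp file name <header>.btf.sha256 is an assumption of this sketch.

# kernel_ok RELEASE: succeed if RELEASE (as printed by `uname -r`) is >= 4.18.
kernel_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 18 ]; }
}

# btf_digest FILE: print the SHA-256 of a BTF blob.
btf_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# write_stamp HEADER BTF: record which BTF the header was generated from.
write_stamp() {
    btf_digest "$2" > "$1.btf.sha256"
}

# header_stale HEADER BTF: succeed (0) if the header must be regenerated.
header_stale() {
    [ -s "$1" ] || return 0                # header missing or empty
    [ -r "$1.btf.sha256" ] || return 0     # header was never stamped
    [ "$(cat "$1.btf.sha256")" != "$(btf_digest "$2")" ]
}

# preflight [HEADER] [BTF]: print findings, return non-zero on any problem.
preflight() {
    hdr=${1:-./bpf/headers/vmlinux.h}
    btf=${2:-/sys/kernel/btf/vmlinux}
    rc=0
    kernel_ok "$(uname -r)" || { echo "kernel $(uname -r) is older than 4.18"; rc=1; }
    [ -r "$btf" ] || { echo "BTF not found: $btf"; return 1; }
    if header_stale "$hdr" "$btf"; then
        echo "vmlinux.h is missing or stale: run make gen_vmlinux, then write_stamp"
        rc=1
    fi
    return $rc
}

# Run only when asked, e.g.: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```

Comparing a digest of the BTF blob rather than the `uname -r` string also covers the case where BTF data changes without a version bump.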
- bpftool: eBPF introspection and manipulation
- bpftrace: High-level tracing language
- clang/llvm: eBPF program compilation
- golang: Application development
# Check kernel version
uname -r
# Check eBPF support
cat /sys/kernel/debug/bpf/verifier_log
# List available tracepoints
sudo cat /sys/kernel/debug/tracing/available_events
# Check BTF support
ls /sys/kernel/btf/vmlinux
# Generate vmlinux.h (extracts kernel type definitions)
sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > ./bpf/headers/vmlinux.h
- C/C++: For eBPF C development
- Go: For Go application development
- eBPF: For eBPF syntax highlighting (if available)
{
  "go.buildOnSave": true,
  "go.lintOnSave": true,
  "files.associations": {
    "*.c": "c",
    "*.h": "c"
  }
}
# Run Go tests
go test ./...
# Test eBPF programs
make test
# Test on different kernel versions
# Test with different workloads
# Test error conditions
- "permission denied": Run with sudo
- "invalid mem access": Check eBPF program memory access patterns
- "unknown field": Verify kernel headers match running kernel
- "verifier failed": Check eBPF program logic and bounds
- "vmlinux.h not found": Run make gen_vmlinux to generate kernel headers
- "BTF not found": Ensure your kernel supports BTF (check with ls /sys/kernel/btf/vmlinux)
- Check kernel logs: dmesg | tail
- Check eBPF verifier logs: cat /sys/kernel/debug/bpf/verifier_log
- Use bpftool for debugging: sudo bpftool prog list
After setting up your environment:
- Read eBPF Fundamentals
- Explore the tool documentation
- Try building and running existing tools
- Start developing your own eBPF tools