When we talk about using eBPF for tracing filesystems, we are not dealing with file I/O operations (see LXF296) but with files as whole entities and with filesystem operations. Additionally, for the first time in this series, we are going to develop our own tools using BCC Python and Go. But first, we are going to discuss the way eBPF works in more depth.
More about eBPF
You can think of eBPF as a virtual machine located inside the Linux kernel that executes eBPF programs, which are custom BPF code. It makes the Linux kernel programmable so that you can solve real-world problems. Bear in mind that eBPF, like any language, doesn’t solve problems on its own; it only gives you the tools to solve them. These eBPF programs are executed by the Linux kernel’s eBPF runtime.
eBPF software can be written with BCC, Bpftrace or directly with LLVM. The LLVM compiler can compile BPF programs written in a supported language, such as C or the LLVM Intermediate Representation, into BPF bytecode. Because both of these routes involve fairly low-level code and are hard to program, BCC and Bpftrace make things simpler.
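To make the pipeline just described concrete (restricted C compiled by BCC through LLVM into bytecode, checked by the kernel verifier, executed by the in-kernel runtime, with a user-space Python side reading the results), here is a small BCC Python tool added for this article. It is not code from LXF or from the BCC project’s own examples. It assumes the bcc Python bindings are installed, that it is run as root, and that the kernel is 5.5 or later (for `bpf_probe_read_kernel_str`). Hooking `vfs_open` with a kprobe and the watch list of sensitive file names are my own choices for the sake of illustration; the tool reports every file open the kernel sees, or only opens of watch-listed names when started with `--sensitive`.

```python
#!/usr/bin/env python3
"""Minimal BCC tool: report file opens seen by the kernel via vfs_open().

Constructed example for this article (not LXF's or BCC's code). It assumes
the bcc Python bindings, root privileges and a kernel >= 5.5.
"""
import ctypes as ct
import sys

# The eBPF program, written in restricted C. BCC hands this text to LLVM,
# which emits BPF bytecode; the kernel verifier checks it (no unbounded
# loops, no unchecked pointers) before the in-kernel runtime will run it.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/path.h>
#include <linux/dcache.h>

struct event_t {
    u32  pid;
    char comm[TASK_COMM_LEN];   /* 16 bytes */
    char fname[64];             /* final path component only */
};

BPF_PERF_OUTPUT(events);

/* Kprobe handler: runs on every call to vfs_open(path, file). */
int trace_vfs_open(struct pt_regs *ctx, const struct path *path)
{
    struct event_t evt = {};
    evt.pid = bpf_get_current_pid_tgid() >> 32;
    bpf_get_current_comm(&evt.comm, sizeof(evt.comm));
    struct dentry *de = path->dentry;   /* BCC rewrites this into a safe read */
    bpf_probe_read_kernel_str(&evt.fname, sizeof(evt.fname), de->d_name.name);
    events.perf_submit(ctx, &evt, sizeof(evt));
    return 0;
}
"""

# Python mirror of struct event_t (same field order and sizes).
class Event(ct.Structure):
    _fields_ = [("pid", ct.c_uint32),
                ("comm", ct.c_char * 16),
                ("fname", ct.c_char * 64)]

# Constructed watch list: basenames a defender typically wants to see opened.
SENSITIVE = ("shadow", "sudoers", "authorized_keys", "id_rsa")


def decode_event(data):
    """Turn what the perf-buffer callback receives into plain Python values.

    Accepts the c_void_p BCC passes to the callback, or an Event instance
    built in user space (handy for testing the decoder without a kernel).
    """
    ev = data if isinstance(data, Event) else ct.cast(data, ct.POINTER(Event)).contents
    return (ev.pid,
            ev.comm.decode(errors="replace"),
            ev.fname.decode(errors="replace"))


def is_sensitive(fname, watchlist=SENSITIVE):
    """True when the opened file's final path component is on the watch list."""
    return fname in watchlist


def main(watch_only=False):
    from bcc import BPF  # imported here so the module loads even without bcc
    b = BPF(text=BPF_PROGRAM)               # compile + load + verify
    b.attach_kprobe(event="vfs_open", fn_name="trace_vfs_open")

    def on_event(cpu, data, size):
        pid, comm, fname = decode_event(data)
        if watch_only and not is_sensitive(fname):
            return
        print(f"{pid:<7} {comm:<16} {fname}")

    b["events"].open_perf_buffer(on_event)
    print("Tracing vfs_open() ... Ctrl-C to stop")
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            break


if __name__ == "__main__":
    main(watch_only="--sensitive" in sys.argv)
```

Note that `d_name.name` gives only the last path component, which is why the watch list is a set of basenames; resolving the full path in BPF takes a bounded dentry walk and is left out here. Run it as `sudo ./vfsopen.py` or `sudo ./vfsopen.py --sensitive`.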
When working with eBPF, begin by thinking like a system administrator, not like a programmer. Put simply, start by