Introduction

Platform overview

This platform provides a configured environment and exercises to help you learn eBPF.

The editor compiles your code locally as you type, but you can disable this by clicking the button. Compilation errors are highlighted inline.

Try typing into the editor and see how it reacts, then click ‘Run’ to execute your code on the server.

If you prefer ‘vim mode’, the button will toggle it.

Hotkeys

  • Ctrl+Enter runs the code.
  • Ctrl+Click on a type name (my_struct, trace_event_raw_sched_process_exec) shows a popup with its definition.

Debugging utilities

There are multiple DEBUG_ macros to display data from your programs. Each macro takes a label (a string constant) as its first argument.

  • DEBUG_NUM(label, num) can take any number, like u32 or ssize_t
  • DEBUG_STR(label, buf) requires a fixed-size buf, like char[64]
  • DEBUG_STR_LEN(label, ptr, len) can take any pointer and will debug len bytes
  • DEBUG_STRUCT(label, struct) can take any struct by value

Submitting answers

To solve the exercises, you will need to submit answers directly from your code, using SUBMIT_NUM(answer), SUBMIT_STR(answer) or SUBMIT_STR_LEN(answer, len).

Your eBPF program triggers on multiple events, so you’ll need to guard your SUBMIT_X calls, as multiple submissions invalidate all answers.

When using SUBMIT_STR, trailing null bytes are trimmed, but trailing garbage is not. Use the SUBMIT_STR_LEN variant when you can’t guarantee null termination.
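The trailing-garbage case above, as an added example: a plain user-space C model of the trimming rule, not the platform's own code. The buffer size, the sample paths and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16 /* constructed size; the page's example uses char[64] */

/* Model of the rule stated above: only trailing NUL bytes are trimmed. */
static size_t trimmed_len(const char *buf, size_t size)
{
    while (size > 0 && buf[size - 1] == '\0')
        size--;
    return size;
}

/* Bounded copy that writes exactly n bytes and never adds a terminator. */
static size_t bounded_copy(char *dst, size_t dst_size, const char *src, size_t n)
{
    if (n > dst_size)
        n = dst_size;
    memcpy(dst, src, n);
    return n;
}

/* Reuse one fixed buffer for a long value and then a short one.
 * second_n is 7 for "/bin/sh" alone, 8 to include its NUL terminator.
 * Returns the length a trailing-NUL trim would report afterwards. */
static size_t len_seen_by_trim(size_t second_n)
{
    char buf[BUF_SIZE] = {0};
    bounded_copy(buf, sizeof(buf), "/usr/bin/python", 15); /* constructed */
    bounded_copy(buf, sizeof(buf), "/bin/sh", second_n);   /* constructed */
    return trimmed_len(buf, sizeof(buf));
}

/* Same reuse, but the caller keeps the byte count and passes it on,
 * which is what the explicit-length variant lets you do. */
static size_t len_tracked_by_caller(void)
{
    char buf[BUF_SIZE] = {0};
    bounded_copy(buf, sizeof(buf), "/usr/bin/python", 15);
    return bounded_copy(buf, sizeof(buf), "/bin/sh", 7);
}

int main(void)
{
    printf("trim, no terminator:   %zu bytes\n", len_seen_by_trim(7));
    printf("trim, with terminator: %zu bytes\n", len_seen_by_trim(8));
    printf("explicit length:       %zu bytes\n", len_tracked_by_caller());
    return 0;
}
```

Even when the short value carries its own terminator, the stale bytes after it are not trailing NULs, so the trim still reports the old length.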

Solve this exercise by uncommenting SUBMIT_STR("the answer");
