• About
• Why This Repository?
• Who Is This For?
• What You'll Learn
• Repository Structure
• Learning Path
• Prerequisites
• Getting Started
• Quick Start Examples
• Documentation
• Contributing
• License
• Acknowledgments
• Community & Support

Amazing eBPF Learning & Practice is a world-class educational resource that systematically teaches eBPF (extended Berkeley Packet Filter) from foundational concepts to production deployment. This repository contains real, working code examples (not pseudocode), comprehensive documentation, hands-on labs, and production-grade patterns used by industry-leading projects like Cilium, Tetragon, Falco, and Pixie.

• Structured 5-Level Curriculum: Progressive learning from Linux fundamentals to production systems
• 28+ Working Code Examples: Real implementations in C, Go, Python, and bpftrace
• 3000+ Lines of Documentation: Extensive guides, tutorials, and explanations
• Hands-On Labs: Practical exercises and real-world challenges
• Production Patterns: Enterprise-grade patterns with CI/CD, monitoring, and deployment
• Multiple Toolchains: Coverage of BCC, bpftrace, and libbpf frameworks
• Cloud-Native Ready: Kubernetes deployments, observability integration, and security enforcement

eBPF is revolutionizing how we build observability, networking, and security tools in Linux. However, learning eBPF can be challenging due to:

• Fragmented learning resources scattered across blogs and docs
• Outdated examples using deprecated APIs
• Lack of production-grade patterns and best practices
• Missing integration with modern cloud-native ecosystems

This repository solves these problems by providing:

1. Complete Learning Path: From "What is eBPF?" to building production agents
2. Modern APIs: libbpf, CO-RE (Compile Once Run Everywhere), and BPF skeletons
3. Production Focus: Real-world patterns, error handling, and operational practices
4. Cloud-Native Integration: Kubernetes, Prometheus, OpenTelemetry, and more

This repository is designed for:

• Software Engineers wanting to learn eBPF systematically
• DevOps/SRE Engineers building observability and networking solutions
• Security Engineers implementing runtime security monitoring
• Kernel Developers understanding modern kernel tracing and instrumentation
• Students & Researchers learning systems programming and performance analysis

• Required: Basic Linux command-line knowledge
• Recommended: Understanding of C programming and system calls
• Optional: Kernel development experience (helpful but not required)

By completing this curriculum, you will:

• eBPF architecture, verifier, JIT compilation, and BTF (BPF Type Format)
• Writing production-grade eBPF programs with libbpf and CO-RE
• XDP (eXpress Data Path) for high-performance packet processing
• LSM (Linux Security Modules) for runtime security enforcement
• Traffic control (tc) for network filtering and QoS
• Ring buffers, maps, and efficient data structures
• BPF skeletons for type-safe user-space integration
• Debugging verifier errors systematically

• Building observability pipelines (Prometheus, Grafana, OpenTelemetry)
• Implementing DDoS mitigation and firewall functionality
• Creating runtime security monitors for file access and process execution
• Performance profiling and latency analysis
• Container and Kubernetes networking solutions

• CI/CD pipelines for eBPF programs
• Graceful degradation and feature detection
• Multi-tenancy and security hardening
• Monitoring, health checks, and operational practices
• Kubernetes deployments with DaemonSets and RBAC

Amazing-eBPF-learning-Practice/
│
├── LEARNING_PATH.md              # Complete learning roadmap (448 lines)
├── README.md                     # This file
├── CONTRIBUTING.md               # Contribution guidelines
├── LICENSE                       # MIT License
│
├── level-01-linux-and-ebpf-foundations/
│   ├── README.md                 # eBPF architecture, verifier, BTF (506 lines)
│   ├── docs/                     # Linux fundamentals, kernel configs
│   ├── lab/                      # Hands-on kernel support checks
│   ├── src/                      # Minimal eBPF programs
│   └── tools/                    # Setup and verification scripts
│
├── level-02-bcc-and-bpftrace-tooling/
│   ├── README.md                 # BCC and bpftrace deep dives (725 lines)
│   ├── docs/                     # Tool-specific guides
│   ├── examples/
│   │   ├── bcc/                  # Python BCC examples
│   │   └── bpftrace/             # bpftrace one-liners and scripts
│   └── tools/                    # Tool installation scripts
│
├── level-03-libbpf-and-core-programming/
│   ├── README.md                 # libbpf, CO-RE, skeletons (762 lines)
│   ├── docs/                     # Production eBPF programming
│   ├── examples/
│   │   ├── 01-hello-libbpf/      # Basic libbpf program
│   │   ├── 02-ringbuf-events/    # Ring buffer event streaming
│   │   └── 03-fentry-fexit/      # Function latency tracing
│   └── tools/                    # libbpf setup and vmlinux generation
│
├── level-04-ebpf-networking-observability-security/
│   ├── README.md                 # Real-world applications
│   ├── docs/                     # XDP, LSM, tc, observability guides
│   ├── examples/
│   │   ├── xdp/                  # XDP packet filtering
│   │   ├── tc/                   # Traffic control examples
│   │   ├── lsm/                  # Security monitoring
│   │   └── observability/        # Prometheus exporter (Go)
│   ├── k8s/                      # Kubernetes manifests
│   └── tools/                    # Networking setup and helpers
│
└── level-05-production-agent-and-hardening/
    ├── README.md                 # Production deployment guide
    ├── agent/                    # Complete Go-based agent
    │   ├── main.go               # Agent entry point
    │   ├── pkg/                  # Modules (observability, security, networking)
    │   ├── config.yaml           # Configuration example
    │   └── Makefile              # Build system
    ├── deployment/               # Docker and Kubernetes deployments
    ├── ci-cd/                    # GitHub Actions workflows
    ├── docs/                     # Production operations guides
    └── tools/                    # Deployment and health check scripts

This curriculum is organized into 5 progressive levels, designed to be completed in 3-4 months of focused learning:

Time Estimate: 1-2 weeks Focus: Understanding eBPF architecture and kernel fundamentals

Topics:

• Linux kernel concepts for eBPF
• eBPF virtual machine, verifier, and JIT compilation
• BTF (BPF Type Format) and type information
• Kernel configuration requirements
• Loading and inspecting basic eBPF programs

Deliverables:

• Set up eBPF development environment
• Load and run minimal eBPF program
• Use bpftool for program inspection
• Understand verifier requirements

Start Level 01 →

Time Estimate: 1-2 weeks Focus: High-level tracing tools for rapid development

Topics:

• BCC (BPF Compiler Collection) with Python
• bpftrace language and one-liners
• Syscall tracing, latency analysis, and profiling
• Tool overhead evaluation
• Choosing the right tool for the job

Deliverables:

• Write BCC tools for custom tracing
• Create bpftrace scripts for profiling
• Understand when to use BCC vs bpftrace vs libbpf
• Build performance monitoring dashboards

Start Level 02 →

Time Estimate: 2-3 weeks Focus: Production-grade eBPF with portability

Topics:

• libbpf library fundamentals
• CO-RE (Compile Once, Run Everywhere)
• BPF skeletons for type-safe integration
• Ring buffers for efficient event streaming
• fentry/fexit for low-overhead tracing
• Verifier error debugging strategies

Deliverables:

• Build portable eBPF programs with CO-RE
• Implement ring buffer-based event collectors
• Generate and use BPF skeletons
• Debug complex verifier errors

Start Level 03 →

Time Estimate: 3-4 weeks Focus: Real-world applications and integrations

Topics:

• XDP (eXpress Data Path) for packet processing
• Traffic control (tc) for filtering and QoS
• LSM (Linux Security Modules) for runtime security
• Observability pipeline integration (Prometheus, Grafana, OpenTelemetry)
• Kubernetes deployment patterns

Deliverables:

• Build XDP-based DDoS mitigation
• Implement LSM file monitoring
• Create Prometheus eBPF exporter
• Deploy eBPF agents in Kubernetes

Start Level 04 →

Time Estimate: 4-5 weeks Focus: Enterprise deployment and operations

Topics:

• Production agent architecture (modular design)
• Feature detection and graceful degradation
• CI/CD pipelines for eBPF (GitHub Actions)
• Health checks, metrics, and monitoring
• Security hardening and multi-tenancy
• Troubleshooting and operations

Deliverables:

• Complete production-ready eBPF agent
• Automated CI/CD pipeline
• Kubernetes deployment with monitoring
• Operational runbooks

Start Level 05 →

• Operating System: Linux kernel 5.10+ (recommended: 5.15+ for all features)
• Architecture: x86_64 or ARM64
• Memory: Minimum 4GB RAM (8GB+ recommended)
• Disk Space: 10GB for tools, dependencies, and build artifacts

• Basic Linux command-line skills (ls, cd, grep, etc.)
• Understanding of C programming (variables, pointers, structs)
• Familiarity with system calls and processes
• Basic networking concepts (TCP/IP, packets, ports)

• Kernel development experience
• Go programming (for Level 05)
• Python (for Level 02 BCC examples)
• Container and Kubernetes concepts (for Level 04-05)

git clone https://github.com/yourusername/Amazing-eBPF-learning-Practice.git
cd Amazing-eBPF-learning-Practice

Verify your kernel has eBPF support:

cd level-01-linux-and-ebpf-foundations/tools
./verify-setup.sh

This script checks:

• Kernel version (5.10+ recommended)
• eBPF-related kernel configurations
• BPF filesystem mount
• BTF (BPF Type Format) support
• Required tools (clang, llvm, bpftool)

cd level-01-linux-and-ebpf-foundations/tools
sudo ./setup-environment.sh

# Install base tools
sudo dnf install -y clang llvm kernel-devel bpftool \
  libbpf-devel elfutils-libelf-devel zlib-devel

# Install BCC and bpftrace (Level 02)
sudo dnf install -y bcc-tools python3-bcc bpftrace

# See level-01-linux-and-ebpf-foundations/docs/01-linux-fundamentals.md
# for detailed build-from-source instructions

cd level-01-linux-and-ebpf-foundations
cat README.md  # Read the comprehensive guide
cd src
make           # Build minimal eBPF example
sudo ./minimal_loader  # Run your first eBPF program!

Read LEARNING_PATH.md for the complete roadmap with:

• Detailed time estimates per level
• Learning principles and best practices
• Recommended study approach
• Progress tracking guidance

# Using bpftrace (Level 02)
cd level-02-bcc-and-bpftrace-tooling/examples/bpftrace
sudo bpftrace syscall_count.bt

# Press Ctrl-C after a few seconds to see syscall statistics

# Using BCC Python (Level 02)
cd level-02-bcc-and-bpftrace-tooling/examples/bcc
sudo python3 opencount.py

# In another terminal, create some file activity:
# ls /tmp && cat /etc/hosts

# Using libbpf (Level 03)
cd level-03-libbpf-and-core-programming/examples/01-hello-libbpf
make
sudo ./hello

# In another terminal:
# curl https://example.com

# Drop traffic on specific port (Level 04)
cd level-04-ebpf-networking-observability-security/examples/xdp

# See xdp_drop_port.c for implementation
# Requires manual compilation and loading (see Level 04 README)

This repository includes extensive documentation:

• LEARNING_PATH.md - Complete learning roadmap with time estimates
• CONTRIBUTING.md - How to contribute to this project
• LICENSE - MIT License terms

Each level contains:

• README.md - Comprehensive guide for that level (500-750 lines)
• docs/ - Deep-dive technical documentation
• examples/ - Working code with inline comments
• lab/ - Hands-on exercises and challenges

• Architecture Diagrams: level-01-linux-and-ebpf-foundations/architecture/
• Setup Scripts: Each level's tools/ directory
• Configuration Examples: level-05-production-agent-and-hardening/agent/config.yaml

We welcome contributions! This project thrives on community involvement.

1. Report Issues: Found a bug or typo? Open an issue
2. Submit Examples: Have a great eBPF example? Submit a PR!
3. Improve Documentation: Fix typos, clarify explanations, add examples
4. Add Labs: Create hands-on exercises for learners
5. Share Feedback: What worked? What was confusing? Let us know!

Please read CONTRIBUTING.md for:

• Code standards and style guide
• Testing requirements
• Documentation conventions
• Pull request process
• Community guidelines

• Testing on different kernel versions (5.10, 5.15, 6.0+)
• ARM64 compatibility verification
• Additional real-world examples
• Translation to other languages
• Video tutorials and walkthroughs
• Performance benchmarking

This project is licensed under the MIT License - see the LICENSE file for details.

Note: Individual eBPF programs may use GPL-2.0 license (required by kernel) as indicated in their headers.

We chose MIT license to:

• Maximize learning and reusability
• Allow both open source and commercial use
• Encourage widespread adoption and contributions
• Align with industry-standard educational resources

This repository builds upon the incredible work of the eBPF community:

• Cilium - CNI and service mesh with eBPF
• Tetragon - Runtime security observability
• Falco - Cloud-native runtime security
• Pixie - Kubernetes observability
• BCC - Tools for BPF-based tracing
• libbpf - Library for eBPF programs
• libbpf-bootstrap - Scaffolding for libbpf
• bpftrace - High-level tracing language

• ebpf.io - Official eBPF documentation
• Cilium eBPF Go Library - Go eBPF library
• Brendan Gregg's Blog - Performance analysis and eBPF insights
• Linux Kernel Documentation - BPF subsystem docs

Thank you to all contributors who help make this resource better!

• Issues: GitHub Issues for bugs and questions
• Discussions: GitHub Discussions for general questions
• Documentation: Extensive docs in each level's README and docs/ folder

• Be respectful and inclusive
• Help others learn - we all started somewhere
• Share your experiences and learnings
• Report issues constructively
• Contribute back when you can

• Star this repository to stay updated
• Watch for new releases and examples
• Share your learning journey (blog posts, tweets, etc.)
• Consider contributing your own examples

• Complete 5-level curriculum
• 28+ working code examples
• 3000+ lines of documentation
• Production agent implementation
• Kubernetes deployment examples
• CI/CD pipeline templates

• Fix critical issues identified in code review
• Video walkthroughs for each level
• Interactive web-based tutorials
• Performance benchmarking suite
• Additional cloud platform examples (AWS, GCP, Azure)
• Windows WSL2 support guide

• eBPF for ARM64 deep dive
• Advanced topics: eBPF JIT internals
• eBPF for embedded systems
• Machine learning with eBPF data
• Multi-language examples (Rust, C++)

• Total Files: 234
• Code Examples: 28+
• Documentation Lines: 3000+
• Programming Languages: C, Go, Python, bpftrace, Bash
• Levels: 5 (Foundation + 4 Progressive)
• Estimated Time: 3-4 months
• Kubernetes Manifests: 2 (DaemonSet, ServiceMonitor)

If you find this repository useful, please consider giving it a star! ⭐

Your support helps more people discover this resource and motivates continued development.