eBPF programs are bytecode that the kernel verifies and then runs in
response to an event: a system call, an incoming packet, a context
switch. No separate kernel module, no reboot; it works on any modern kernel.
Results are usually grouped by process, that is, by pid or comm: for example,
how many openat calls each process made.
bpftrace is a high-level language on top of eBPF. A single one-liner
replaces a dozen strace/lsof invocations: count syscalls per process,
find out who opens a specific file, measure TCP connections per second.
⚠️ Caveat: on a Mac/OrbStack VM not every probe will work (it depends on how the kernel was built). On production Linux everything comes up right away. If a step fails with "Failed to attach probe", that is a known limitation of the dev environment; the lesson still explains the principle.
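The three checks listed above, written out as one bpftrace script rather than three separate one-liners. This is an added example, not code from the lesson. It assumes the tracepoint `syscalls:sys_enter_openat` and the kernel function `tcp_connect` (attached via kprobe) exist on the running kernel; the watched path `/etc/shadow` and the script file name are arbitrary choices for the demonstration. It needs root, and on the OrbStack VM the kprobe is the part most likely to fail to attach.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not from the lesson). Run as root:
//   bpftrace ./openat_and_connect.bt
// Assumptions: tracepoint syscalls:sys_enter_openat and kernel function
// tcp_connect are available; the watched path below is an arbitrary
// choice for the demonstration.

BEGIN
{
    printf("Tracing openat() per process and TCP connects per second... Ctrl-C to stop\n");
}

// 1. How many openat() calls each process made, keyed by command name.
//    The map is printed automatically when the script exits.
tracepoint:syscalls:sys_enter_openat
{
    @openat_by_comm[comm] = count();
}

// 2. Who opens a specific file: the /.../ filter is evaluated first, and the
//    body only runs for matching paths. str() reads the user-space string.
tracepoint:syscalls:sys_enter_openat
/str(args->filename) == "/etc/shadow"/
{
    printf("%-16s pid=%-6d uid=%-5d opened %s\n", comm, pid, uid, str(args->filename));
}

// 3. Outgoing TCP connection attempts per second: tcp_connect() is called
//    for every active TCP open (IPv4 and IPv6). Count it, then print and
//    reset the counter once a second.
kprobe:tcp_connect
{
    @tcp_connects_per_sec = count();
}

interval:s:1
{
    print(@tcp_connects_per_sec);
    clear(@tcp_connects_per_sec);
}

END
{
    // Drop the rate counter so only the per-process openat map is printed on exit.
    clear(@tcp_connects_per_sec);
}
```

If a probe fails to attach on the dev VM, delete that block and keep the rest; each of the three checks is independent of the others. The per-process openat map is the baseline you compare against when a process suddenly starts touching files it normally never opens.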