Book Review: Linux Observability with BPF
- Linux Observability with BPF
- David Calavera, Lorenzo Fontana
- 177 pages
- O’Reilly (2019)
- ISBN: 978-1492050209
A little while ago, I read (and quite enjoyed) “Learning eBPF” by Liz Rice. “Linux Observability with BPF” by David Calavera and Lorenzo Fontana is another, slightly earlier, book on the BPF framework, also published by O’Reilly.
Despite the title, this book does not concentrate on observability alone. Instead, it covers similar ground to “Learning eBPF”: it is a rather general introduction to the BPF (or eBPF) technology for programmers without prior exposure. We are treated to an introduction to the BPF architecture, the verifier, data transfer via “maps”, and the typical attachment points (kernel probes and tracepoints). Being a little older, this book does not yet mention some of the convenience features which have been added in the meantime (for example, eBPF loops do not seem to be covered). The book concludes with a few worked examples applying BPF to the networking stack, and for security monitoring purposes.
Compared with the book by Liz Rice, this one seems less well organized: the pace of the presentation varies a lot from section to section. Some aspects of the examples may appear unmotivated or left unexplained. And overall, the text would have benefited from some careful copy editing!
What makes this book nevertheless valuable is that, at times, it gives a more thorough overview of the breadth of the BPF ecosystem: for instance, I found the extensive description of different BPF program “types”, and the exhaustive overview of the different kinds of available maps valuable. Although appearing like overkill, this kind of detail provides depth and texture to the material — more so than just a collection of slick, solved use cases does! In particular, the networking and security use cases presented at the end provided some level of inspiration for what might be possible with eBPF.
That being said, I would recommend the book by Liz Rice as the first introduction to the topic, and consider this as a possible follow-on, for a different view of the topic and a bit more detail in places.