/https://tf-cmsv2-smithsonianmag-media.s3.amazonaws.com/filer_public/89/1e/891e92d0-6728-47c3-b935-f279f604f40c/gettyimages-1962575656_web.jpg?#)
Enhancing your Aya program with eBPF maps
I'm getting started with eBPF programming with Aya. The idea behind this series of articles is to get you started too. This section is dedicated to eBPF maps. We'll learn how to create, use and differentiate them. As this is the most important concept in eBPF, it's well worth devoting a whole section to it. We will first fix a bug in the Aya program from the previous section by introducing an eBPF map. This will explain what an eBPF map is. Then we'll improve the program with another map. My first eBPF map We'll pick up where we left off in Part 2. If you want to skip it or start again cleanly, you can clone the dedicated repo and go to the tracepoint-binary directory: git clone https://github.com/littlejo/aya-examples cd aya-examples/tracepoint-binary Check that it compiles correctly: RUST_LOG=info cargo run #We're seeing binaries executed on the computer You can also do the Killercoda lab, which follows step-by-step the creation and use of eBPF map : killercoda.com What's wrong with it? As we saw in Part 2, the program that allows you to see which binaries are being executed works well. But we notice that the display is truncated: Why? The answer can be found in these lines from the tracepoint-binary-ebpf/src/main.rs file: const LEN_MAX_PATH: usize = 16; [...] let mut buf = [0u8; LEN_MAX_PATH]; This creates an array of bytes with 16 entries. Remember that we're in UTF-8. For ASCII characters: a character is encoded on one byte. This is not always true, for example, for smileys (like this one:
I'm getting started with eBPF programming with Aya. The idea behind this series of articles is to get you started too.
This section is dedicated to eBPF maps. We'll learn how to create, use and differentiate them. As this is the most important concept in eBPF, it's well worth devoting a whole section to it.
We will first fix a bug in the Aya program from the previous section by introducing an eBPF map. This will explain what an eBPF map is. Then we'll improve the program with another map.
My first eBPF map
We'll pick up where we left off in Part 2. If you want to skip it or start again cleanly, you can clone the dedicated repo and go to the tracepoint-binary directory:
git clone https://github.com/littlejo/aya-examples
cd aya-examples/tracepoint-binary
Check that it compiles correctly:
RUST_LOG=info cargo run #We're seeing binaries executed on the computer
You can also do the Killercoda lab, which follows step-by-step the creation and use of eBPF map :
What's wrong with it?
As we saw in Part 2, the program that allows you to see which binaries are being executed works well. But we notice that the display is truncated:
Why? The answer can be found in these lines from the tracepoint-binary-ebpf/src/main.rs file:
const LEN_MAX_PATH: usize = 16;
[...]
let mut buf = [0u8; LEN_MAX_PATH];
This creates an array of bytes with 16 entries. Remember that we're in UTF-8. For ASCII characters: a character is encoded on one byte. This is not always true, for example, for smileys (like this one:
