Verdict: Highly recommended
This is the 4th book that Gregg has written (or co-written) that I’ve bought and read. That’s a reasonable sign that I like his work and was also probably going to like this book as well. However, this book is something of a departure from the first three regarding the subject matter. Whilst the previous three books were entirely or substantially about DTrace (a profiling tool that originated on Sun Solaris and is available on macOS, FreeBSD and sort-of on Linux), this book covers only BPF on Linux.
For those of you unfamiliar with BPF, it is a kernel tracing framework. The original BPF (Berkeley Packet Filter) has grown to be a general purpose tracing facility. The two main parts of BPF are kernel instrumentation, which gives access to many aspects of live systems, and the bytecode engine. The bytecode engine allows scripts to be compiled and to execute within the kernel. End users will then typically use either ‘one-liners’ (mini scripts that do everything in one line) or in longer scripts.
The first part of the book, 180 pages, explains how BPF works and goes into some detail on the two interfaces that can be used, BCC and bpftrace (the former the compiled form, the latter the script form), and also how to install these from package or source. Part 2 goes into the uses of BPF, and there are a lot of things that it can do, so this stretches to over 500 pages. In short the topics covered are CPU, memory, I/O of all forms, security, applications and kernel/virtualization. The book is wrapped up the some tips and tricks and summaries of one-liners.
I think that these tools are simply fantastic. Gregg has done sterling work not only developing many many tools, but also adding impetus to the development of BPF itself. This book explains both how it all works and also how to use the scripts. I’m sure that it will be an effective reference resource in the future. One indication of the amount that I expect to be referring back is the number of Post-It (TM)’s that I stuck in – most of a small pad.
One small frustration is that to run most BPF tools you need root access, and preferably a recent Linux kernel. That’s OK for me at home, but not at work at a large and fairly conservative company. I had a few niggles about the text. Because there are two user interfaces to BPF, each utility usually gets repeated for both, and that can get a bit boring. Gregg is fairly meticulous about attributing credit to the tool developers. I thought that this could have been moved online which would have slightly removed the clutter. Last whinge – I wish that the use of the word ‘technology’ could have been avoided more – in my jaundiced view it is overused and makes me think of powerpoint, conference calls and Golgafrinchans https://hitchhikers.fandom.com/wiki/Golgafrinchans.