
Quiz: eBPF


4 questions

L0 (1 question)

1. What is eBPF and why is it safer than loading a kernel module for observability?

eBPF lets you run sandboxed programs inside the kernel without writing kernel modules or rebooting. A verifier checks every eBPF program before loading: it guarantees memory safety, provable termination (bounded loops), and restricted function calls. This means an eBPF program cannot crash the kernel, unlike a kernel module which can cause a panic.

L1 (1 question)

1. You suspect network packet loss is causing application slowness. Which BCC tool would you use and what does it show?

Use tcpretrans-bpfcc. It traces TCP retransmissions in real time, showing the timestamp, PID, local/remote addresses, ports, and TCP state for every retransmitted segment. A high retransmit rate indicates network congestion or packet loss. This is far more efficient than tcpdump because it only captures retransmit events, not all traffic.

L2 (1 question)

1. API latency spikes occur every 2 minutes. CPU, memory, and disk metrics look normal. How would you use eBPF to find the root cause?

Start with runqlat-bpfcc to check scheduler run queue latency. If you see latency spikes every 2 minutes, something is hogging the CPU and displacing your app. Then use 'bpftrace -e "profile:hz:99 { @[comm] = count(); }"' during a spike to identify which process is consuming CPU cycles. This commonly reveals things like logrotate compressing large files or a cron job consuming an entire core.

L3 (1 question)

1. Write a bpftrace one-liner to trace which files nginx is opening in real time.

bpftrace -e 'tracepoint:syscalls:sys_enter_openat /comm == "nginx"/ { printf("%s opened %s\n", comm, str(args->filename)); }' — This attaches to the openat syscall tracepoint, filters for processes named nginx, and prints the filename argument for each open call. Always filter by comm or PID on busy servers to avoid overwhelming output.