eBPF
Posted by Manish Panchmatia on Monday, November 18, 2024
Labels: k8s, security, software
How an eBPF program gets into the kernel
- The eBPF program is written in C, Rust or another programming language.
- A compiler converts it to eBPF bytecode (an object file).
- The application passes this object file to the kernel through an eBPF library.
- The kernel verifier checks the program before it is loaded.
- The JIT compiler converts the bytecode to native machine code.
- When the attached event happens, the program runs.

eBPF maps
- Multiple eBPF programs can access an eBPF map in kernel space.
- A userspace application loads configuration into a map.
- The eBPF program pulls that configuration from the map.
- The eBPF program sends metrics to a map.
- The eBPF program stores data in and retrieves data from maps.
- A map lets an eBPF program keep state between invocations.
Different types of map (as named in BCC)
- BPF_TABLE
- BPF_HASH
- BPF_ARRAY
- BPF_HISTOGRAM
- BPF_PERF_ARRAY
- An eBPF program can call kernel functions exposed as eBPF helpers.
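A worked example of the pipeline above, written for this post and not taken from the original: the eBPF program is C embedded in a Python BCC script, a BPF_ARRAY carries config pushed from userspace, and a BPF_HASH carries per-UID execve() counts back out. It assumes bcc is installed and the script runs as root; the map names, the UID threshold and the helper function names are my own choices.

```python
import ctypes as ct
import time

# eBPF program source in C (step 1 on the page). BCC compiles it to bytecode at
# runtime, loads it via the bpf() syscall, and the kernel verifier checks it
# before the JIT turns it into machine code.
BPF_PROGRAM = r"""
// Config map: userspace writes the minimum UID to monitor at index 0.
BPF_ARRAY(config, u32, 1);
// Metrics map: execve() count keyed by UID, read back by userspace.
BPF_HASH(exec_counts, u32, u64);

// Runs on every sys_enter_execve event (the "event happens" step).
TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    u32 key = 0;
    u32 *min_uid = config.lookup(&key);        // program pulls config from map
    if (!min_uid)
        return 0;
    u32 uid = bpf_get_current_uid_gid() & 0xffffffff;
    if (uid < *min_uid)
        return 0;                               // skip accounts below threshold
    u64 zero = 0;
    u64 *count = exec_counts.lookup_or_try_init(&uid, &zero);
    if (count)
        (*count)++;                             // program sends metrics to map
    return 0;
}
"""

def summarize_counts(items):
    """Convert (uid, count) pairs read from exec_counts into a dict ordered by
    descending count. Pure Python, so it can be exercised without a kernel."""
    pairs = ((int(uid), int(count)) for uid, count in items)
    return dict(sorted(pairs, key=lambda kv: kv[1], reverse=True))

def run(min_uid=1000, seconds=5):
    """Load the program, push config, collect metrics. Needs bcc and root."""
    from bcc import BPF                         # imported here: bcc is optional
    b = BPF(text=BPF_PROGRAM)                   # compile + load + verify + JIT
    b["config"][ct.c_uint(0)] = ct.c_uint(min_uid)   # userspace loads config
    time.sleep(seconds)                         # program runs on each execve
    return summarize_counts((k.value, v.value) for k, v in b["exec_counts"].items())

if __name__ == "__main__":
    for uid, count in run().items():
        print(f"uid={uid} execve_calls={count}")
```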
Use cases
* Networking
- Sidecar-free container networking with the Cilium CNI
- Katran (GitHub: facebookincubator/katran): a high performance layer 4 load balancer
* Performance / tracing (observability)
- BPF Compiler Collection (GitHub: iovisor/bcc): tools for BPF-based Linux I/O analysis, networking, monitoring, and more
- Hubble (GitHub: cilium/hubble): network, service and security observability for Kubernetes using eBPF
- Pyroscope: open source continuous profiling platform
* Security, often combined with Linux Security Modules (LSM)
- Falco http://layers7.blogspot.com/2021/12/7-workload-considerations-falco.html
- Tetragon https://tetragon.io/
- Tracee https://layers7.blogspot.com/2021/11/7-workload-considerations-tracee.html
eBPF "Compile Once — Run Everywhere" (CO-RE) leverages BPF Type Format (BTF) to make programs portable across kernel versions.
eBPF is available for Windows as well (GitHub: microsoft/ebpf-for-windows): an eBPF implementation that runs on top of Windows.