# eBPF: rethinking the linux kernel * Programmability essentials * Safety --> sandboxing * Continuous Delivery --> deploy anytime with seamless upgrades * Performance --> native execution (JIT compiler) * Kernel architecture * Kernel abstracts using driver: enable the H/W, but don't want to expose * Block device, network device * System calls: application invokes to communicate with kernels * Middle logic: business logic * Virtual file system * TCP / IP * Last piece: someone operates the system, through configuration APIs * Interact from the kernel through the APIs ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FsDMvvTVuV9Yp8KO2moS7%2Fimage.png?alt=media\&token=3a079e2f-c313-48e0-930b-1f68b09a74e1) #### Kernel Development 101 * Option 1: native support * Change kernel source code * Expose configuration API * Wait 5 years for your users to upgrade * Cons: nobody wants to wait * Option 2: kernel module * Write kernel module * Every kernel release will break it * Cons * You likely to ship a different module for each kernel version * Might crash your kernel #### How about we add JS-like capabilities to the Linux Kernel? * eBPF * Take that syscall, and run a program that takes over on behalf of the system call and then returns * ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2F9rq0cXiFAmrIDxCZgZUG%2Fimage.png?alt=media\&token=54d938b8-2534-4348-be3e-ee00387ff047) * Extract the metadata from the system call, and send that through a bpf map, for tracing purpose and provide context * **eBPF runtime**: how does that work? * Runtime: ensure that we fulfill all the programmability essentials that we cover earlier * BPF bytecode: the compiled version of the code above * Safety & security: the verifier will reject any unsafe program and provides a sandbox * Major difference compared to the Linux module * Privilege, access / expose control * Similar to JS (software-based sandbox) * Performance: JIT compiler --> ensures native execution performance * Portable * Continuous Delivery * Programs can be exchanged without disrupting workloads ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FvmGUbqa07bnOzcei8C00%2Fimage.png?alt=media\&token=cf711276-2b25-417f-9fd0-25b18afabffd) * eBPF Hooks ![Hooks](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FbuwaWnT3C66HybNaQh8s%2Fimage.png?alt=media\&token=a656b7b9-5a5a-460d-93ff-944465eb2223) * **What can you hook?** * Kernel functions (kprobes) * Userspace functions (uprobes) * Functions in your application! Profile application * System calls * Tracepoints * Function names in kernel that will stay stable * Instrument the entire Linux kernel * Network devices (tc / xdp) * Network routes * TCP congestion algorithms * Sockets (data level) #### eBPF Maps ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FK4RTNxGLgRoAOnDsKfmv%2Fimage.png?alt=media\&token=cba95d1e-8260-46b3-b305-e46ba0c34f75) * BPF program: only instructions, no data * States are stored in BPF maps, separate from the programs * Keep the maps alive, while replacing the programs * E.x. LPM --> routing table * Seamless upgrades * Used for * Retrieve and configure #### eBPF helpers ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FK2ZamkzASJWg0l1Sm4Sh%2Fimage.png?alt=media\&token=c2665168-1b22-4aa1-bfc0-d95819b7942e) * Linux module can call any kernel functions * Downsides: abuse or misuse --> crash the kernel, and are not stable * BPF programs * Helpers: used to interact with OS, and they are stable over time * Interactions with OS are done via helpers * Portable across kernel versions #### eBPF Tail and Function calls ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FSct6uwP6lrgnv2Ta6KGQ%2Fimage.png?alt=media\&token=338a5e18-8b20-4f79-bcfd-4c11cc750a4c) * Tail calls: chain, and will not return to the old programs * Hook: run multiple logical pieces * Tail / function calls * Composable * Reduce the size of the programs ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2Fi0zrtWmaFsP8D1vIklIA%2Fimage.png?alt=media\&token=3fe9ee4d-6f4b-4936-9815-e5c8c253ba21) #### Applications * Tracing & Profiling with eBPF * BCC: BPF compiler collection * Allow application developers to run a python program, which contains the actual BPF program and the logic in python to read the state / metrics from BPF maps and displays it in some way * bpftrace - Dtrace for Linux * Creating BPF maps, read it, and so on * Cilium: networking, load-balancing, and security for Kubernetes * Network policies, Kubernetes services and so on * Introspect the data ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FTMmL7e14JOekJlDT2SbL%2Fimage.png?alt=media\&token=a461e71d-81e4-4652-8676-ead8ba225b31) ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FnC3oXixde0LWTvmiMtOn%2Fimage.png?alt=media\&token=6bd249df-b86b-4f1b-8bb0-961f525cfa29) ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FyusPW6ExaECXBifP9nRm%2Fimage.png?alt=media\&token=29ee2501-f56e-46ca-b972-5b0eb43ab8ec) ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FLb6QyK8ebu4tod8ssVx3%2Fimage.png?alt=media\&token=722f86ee-db88-4b14-978a-1431fa5f1501) ![](https://2097630930-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MVORxAomcgtzVVUqmws%2Fuploads%2FcF9TA8QCLif9xsquj4vN%2Fimage.png?alt=media\&token=ca2c9dca-133a-4961-991b-dfa3832e6457)