# eBPF: rethinking the linux kernel

* Programmability essentials&#x20;
  * Safety --> sandboxing&#x20;
  * Continuous Delivery --> deploy anytime with seamless upgrades&#x20;
  * Performance --> native execution (JIT compiler)&#x20;
* Kernel architecture&#x20;
  * Kernel abstracts using driver: enable the H/W, but don't want to expose&#x20;
    * Block device, network device&#x20;
  * System calls: application invokes to communicate with kernels&#x20;
  * Middle logic: business logic&#x20;
    * Virtual file system
    * TCP / IP&#x20;
  * Last piece: someone operates the system, through configuration APIs&#x20;
    * Interact from the kernel through the APIs&#x20;

![](/files/ZsjqW7ZD6RdebowUNWQd)

#### Kernel Development 101&#x20;

* Option 1: native support&#x20;
  * Change kernel source code
  * Expose configuration API&#x20;
  * Wait 5 years for your users to upgrade&#x20;
  * Cons: nobody wants to wait&#x20;
* Option 2: kernel module&#x20;
  * Write kernel module
  * Every kernel release will break it&#x20;
  * Cons
    * You likely to ship a different module for each kernel version
    * Might crash your kernel&#x20;

#### How about we add JS-like capabilities to the Linux Kernel?

* eBPF

  * Take that syscall, and run a program that takes over on behalf of the system call and then returns&#x20;
  * ![](/files/NSsUSmwPv9JUV1YWYqSx)
  * Extract the metadata from the system call, and send that through a bpf map, for tracing purpose and provide context&#x20;

* **eBPF runtime**: how does that work?&#x20;
  * Runtime: ensure that we fulfill all the programmability essentials that we cover earlier
  * BPF bytecode: the compiled version of the code above &#x20;
    * Safety & security: the verifier will reject any unsafe program and provides a sandbox&#x20;
      * Major difference compared to the Linux module&#x20;
      * Privilege, access / expose control&#x20;
      * Similar to JS (software-based sandbox)&#x20;
    * Performance: JIT compiler --> ensures native execution performance&#x20;
      * Portable&#x20;
    * Continuous Delivery&#x20;
      * Programs can be exchanged without disrupting workloads&#x20;

![](/files/pgOeVk5I0FStLodAEvs2)

* eBPF Hooks&#x20;

![Hooks](/files/4sLx4Sbm31g7ewZUnrOF)

* **What can you hook?**&#x20;
  * Kernel functions (kprobes)
  * Userspace functions (uprobes)&#x20;
    * Functions in your application! Profile application&#x20;
  * System calls&#x20;
  * Tracepoints&#x20;
    * Function names in kernel that will stay stable&#x20;
    * Instrument the entire Linux kernel
  * Network devices (tc / xdp)
  * Network routes&#x20;
  * TCP congestion algorithms
  * Sockets (data level)&#x20;

#### eBPF Maps&#x20;

![](/files/SEmlnDDj9QHuz8mHGLmd)

* BPF program: only instructions, no data&#x20;
* States are stored in BPF maps, separate from the programs&#x20;
  * Keep the maps alive, while replacing the programs
    * E.x. LPM --> routing table&#x20;
  * Seamless upgrades&#x20;
* Used for&#x20;
  * Retrieve and configure&#x20;

#### eBPF helpers&#x20;

![](/files/eASgvkjtlVIcV9fJ1uqa)

* Linux module can call any kernel functions&#x20;
  * Downsides: abuse or misuse --> crash the kernel, and are not stable&#x20;
* BPF programs
  * Helpers: used to interact with OS, and they are stable over time&#x20;
  * Interactions with OS are done via helpers
  * Portable across kernel versions&#x20;

#### eBPF Tail and Function calls&#x20;

![](/files/iO5lT8Tbpz5WV8LtCewW)

* Tail calls: chain, and will not return to the old programs&#x20;
  * Hook: run multiple logical pieces&#x20;
* Tail / function calls&#x20;

  * Composable&#x20;
  * Reduce the size of the programs&#x20;

![](/files/eqiUhHjyoscrVgN4HEVM)

#### Applications&#x20;

* Tracing & Profiling with eBPF&#x20;
  * BCC: BPF compiler collection&#x20;
    * Allow application developers to run a python program, which contains the actual BPF program and the logic in python to read the state / metrics from BPF maps and displays it in some way&#x20;
  * bpftrace - Dtrace for Linux&#x20;
    * Creating BPF maps, read it, and so on&#x20;
  * Cilium: networking, load-balancing, and security for Kubernetes&#x20;
    * Network policies, Kubernetes services and so on&#x20;
    * Introspect the data&#x20;

![](/files/l5kw0eLzSCIIzM2RXcSx)

![](/files/se9LNEJ2oPkuqAEgAPB0)

![](/files/ws8XZChBmcveXhnLUvNk)

![](/files/2iplE4wiIH7GO0OAd9Sk)

![](/files/gKiOF6FAm06MzJIbg8GY)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://sliu583.gitbook.io/blog/specific-work/seminar-and-talk/fall-21-reading-list/ebpf-rethinking-the-linux-kernel.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.