What Is eBPF? | Introduction to eBPF
eBPF evolved from the original Berkeley Packet Filter (BPF), which was created in the early 1990s for network packet filtering in Unix systems.
Google, Facebook, Red Hat, and others developed eBPF further for better performance and security monitoring in their data centers. Introduced in Linux kernel 3.15 in 2014, eBPF can now do much more than packet filtering, such as tracing and monitoring various kernel activities.
Although the original BPF is now obsolete, the terms eBPF and BPF are often used interchangeably to refer to the modern eBPF. The name eBPF remains for historical reasons but no longer captures its current capabilities, which include networking, debugging, tracing, firewalls, and more.
How Does eBPF Work?
eBPF allows safe and efficient execution of custom code within the Linux kernel without modifying the kernel itself. It works by loading small programs into the kernel. These programs are written in a very restricted version of the C programming language and are compiled directly into eBPF bytecode suitable for kernel-level execution. The programs attach to hooks in the kernel and run in response to specific events. Predefined hooks include system calls, function entry and exit, kernel tracepoints, network events, and others.
Note: Programming hooks are special points in a program where you can add your own code to change or extend its behavior without modifying the original code.

When an eBPF program is triggered at its hook point, it can call a helper function: a special kernel-provided function that extends what eBPF programs can do by performing a wide array of tasks, such as:
- Searching, updating, and deleting key-value pairs in tables
- Generating pseudo-random numbers
- Collecting and flagging metadata
- Chaining eBPF programs together
- Performing tasks with sockets, like binding, retrieving cookies, and redirecting packets
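
The following bpftrace script is an added example, not code from the course page, showing the hook types named above side by side. Each action block is compiled by bpftrace into eBPF bytecode, checked by the kernel verifier, and attached to the hook named before it; the block body runs in kernel context only when that event fires. The builtins pid, comm, str(), func and retval are backed by eBPF helper functions. It assumes bpftrace is installed, that it is run as root, and that the kernel exports the tcp_connect symbol (kprobe targets are kernel internals, not a stable ABI).

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Constructed example: one small eBPF program per hook type.
 * Assumes a kernel that exports tcp_connect; tracepoints are a stable ABI,
 * kprobe symbol names are not.
 */

// Syscall tracepoint hook: fires on every openat() entry.
// pid and comm read task metadata; str() copies the user-space pathname
// into kernel memory so it can be printed safely.
tracepoint:syscalls:sys_enter_openat
{
    printf("openat   pid=%-6d comm=%-16s file=%s\n", pid, comm, str(args->filename));
}

// Kernel function entry hook (kprobe): attaches to the tcp_connect symbol,
// so every outbound TCP connection attempt is observed before it leaves the host.
kprobe:tcp_connect
{
    printf("connect  pid=%-6d comm=%-16s func=%s\n", pid, comm, func);
}

// Kernel function exit hook (kretprobe): same symbol, but runs on return and
// exposes the return value. The /.../ filter only lets failed attempts through.
kretprobe:tcp_connect
/retval != 0/
{
    printf("connect  pid=%-6d comm=%-16s failed ret=%d\n", pid, comm, retval);
}

// Timer hook: a periodic event rather than a kernel code path, typically used
// to emit summaries while the other probes stay attached.
interval:s:10
{
    printf("--- %d s elapsed ---\n", elapsed / 1000000000);
}
```

Run it with `sudo bpftrace hooks.bt`; Ctrl-C detaches every probe, which is the "dynamic changes" property: nothing was compiled into or loaded as a module of the kernel, and no reboot is involved. From a defensive standpoint the tracepoint and kprobe pairs above are the building blocks of process and network monitoring: the same events a host-based sensor records, collected without patching the kernel.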

A vital aspect of an eBPF program is the ability to share collected information and to store state. For this purpose, eBPF programs use eBPF maps: key-value stores whose values are treated as opaque data (binary blobs), available in a wide set of data structure types such as hash tables and arrays. eBPF maps can be accessed from eBPF programs as well as from applications in user space via a system call.
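
The following bpftrace script is an added example, not code from the course page, showing maps used both as state shared between two program runs (a function-entry probe and its return probe) and as the channel through which user space reads results. Every @variable in bpftrace is an eBPF map: keyed forms are hash maps, the unkeyed @lat_us is a histogram map, and print() reads the map from user space through the bpf() system call. It assumes bpftrace, root privileges, and a kernel with the vfs_read symbol; the map names are this example's own.

```bpftrace
#!/usr/bin/env bpftrace
/*
 * Constructed example: eBPF maps as shared state.
 * Assumes a kernel that exports vfs_read.
 */

// Entry hook stores a per-thread timestamp in a hash map. The key is the
// thread id so that concurrent reads on different threads do not collide.
kprobe:vfs_read
{
    @start[tid] = nsecs;
}

// Exit hook for the same function. The filter is a map lookup: the body runs
// only if this thread recorded an entry timestamp. The latency goes into a
// log2 histogram map, then the entry is deleted so the scratch map cannot
// grow without bound.
kretprobe:vfs_read
/@start[tid]/
{
    @lat_us = hist((nsecs - @start[tid]) / 1000);
    delete(@start[tid]);
}

// A second hash map keyed by process name, updated with the sum() aggregation:
// bytes requested by write() per command.
tracepoint:syscalls:sys_enter_write
{
    @write_bytes[comm] = sum(args->count);
}

// User space reads the write_bytes map every 5 s and resets it; the histogram
// keeps accumulating for the lifetime of the script.
interval:s:5
{
    print(@write_bytes);
    clear(@write_bytes);
}

// On exit, drop the scratch map so only the two summary maps are printed.
END
{
    clear(@start);
}
```

While the script runs, `bpftool map list` in another shell shows the maps bpftrace created, which is the same kernel object an unrelated user-space tool could read with the bpf() system call. If a probe body fails verification (for example, an unbounded loop or an unchecked pointer), bpftrace prints the verifier log and attaches nothing, so a rejected program never runs partially.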

eBPF helps ensure safety by performing very strict verification when a program is loaded, rejecting operations that could compromise system stability or security. An eBPF program runs sandboxed in a privileged context (that is, the kernel), which means application developers can use eBPF programs to extend the capabilities of the operating system at runtime.
eBPF: Better Way to Extend Kernel Functionality
Here are the benefits of using eBPF to extend kernel functionality:
- Ease of use: You can embed eBPF code (written in C) into high-level languages like Python, Rust, or Go. While these high-level languages are not used for directly writing kernel-level code because of performance considerations, they excel in handling the orchestration and dynamic interaction parts of the process. This makes the development and testing of eBPF programs more accessible and versatile.
- Dynamic changes: eBPF allows for dynamic loading and updating of programs without requiring a system reboot, facilitating quick iterations and updates.
- Performance advantages: Because eBPF runs logically between the kernel and the hardware devices, it is able to make decisions early, when receiving inputs from those devices. The just-in-time compiler further enhances performance by optimizing the execution of eBPF programs. In other words, the just-in-time compiler, which translates eBPF programs into machine code right before they run, makes eBPF programs run faster and more efficiently.
- Built-in security: eBPF stands out from loadable kernel modules (LKMs) by having strict safety checks. If these checks are passed, the program is loaded into the kernel, ready to run when triggered, allowing safe execution of custom code without changing the kernel source code. While it will not replace LKMs entirely, eBPF enables custom interactions with hardware with minimal risk.
- Great tooling: eBPF has a growing ecosystem, including tools like BCC and bpftrace, making it easier to develop, debug, and deploy eBPF programs.