Can someone explain like I’m five what eBPF is here?
You can think of it like scripting for the Linux Kernel. It allows one to write small programs that are loaded into the kernel at runtime, and executed in kernel space. This is huge because previously the only way to do such a thing would be to either write a kernel module, or re-compile a custom kernel. eBPF allows similar functionality that can be loaded and unloaded on a live kernel.
This works by writing in some language (typically a subset of C, but the linked repository above allows using Rust) which is compiled via LLVM to BPF byte code. This byte code is then loaded into the kernel by a userspace program; the kernel then runs safety and verification checks against the code, and if all checks pass it is JITed and run natively.
These programs can be loaded at different injection points depending on the desired use case. The various injection points provide different visibility of various kernel data structures. For example, some eBPF programs will be loaded super low in the network stack (as low as inside the NIC driver, or even on the NIC hardware itself using a sub-category of eBPF programs called XDP [eXpress Data Path]) to do processing/accounting/mangling of network packets, while others may be triggered by a particular kernel function or syscall and provide access to the function's arguments live, etc.
In practice eBPF is done in a few steps:
2 and 3 can, and often are, combined into the same program. Additionally, 2 will sometimes also compile the source for the eBPF program before loading it into the kernel; however, using a new-ish technology called BTF (eBPF Type Format) it's becoming possible to compile the eBPF program once and simply load the BTF byte code into the kernel as a binary blob.
There are two additional terms you’ll run across when looking into eBPF and those are BCC and bpftrace. It took me a while to wrap my head around what these are and how they fit into the eBPF picture.
BCC - BPF Compiler Collection is essentially a library and set of APIs to allow including BPF programs (i.e. C) into things like Python scripts with the necessary plumbing provided to load/unload these programs and communicate via the maps.
bpftrace - is a tool that provides somewhat of a C-like DSL for writing eBPF programs, along with being the actual program to compile/load/unload these programs. bpftrace makes it possible to write very short, even one-line scripts that are focused on tracing/accounting kernel structures and functions.
Both BCC and bpftrace provide a bunch of utilities that showcase what they can do, and also provide some quick and interesting insights into the kernel.
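As an added illustration of the BCC workflow described above (not code from the thread): a restricted-C eBPF program embedded in a Python script, attached to the execve tracepoint, counting executions per UID in a BPF hash map that user space reads back. It assumes the `bcc` Python package and root privileges on a Linux host; `summarize()` is a plain helper named here for the example.

```python
#!/usr/bin/env python3
"""Count execve() calls per UID with an eBPF tracepoint program loaded via BCC.

The C source below is compiled by LLVM at runtime, verified and JITed by the
kernel, and shares a hash map ("counts") with this user-space script.
"""
import sys
import time

# eBPF program (restricted C). TRACEPOINT_PROBE auto-attaches to the
# syscalls:sys_enter_execve tracepoint when the BPF object is created.
BPF_SOURCE = r"""
BPF_HASH(counts, u32, u64);

TRACEPOINT_PROBE(syscalls, sys_enter_execve) {
    u32 uid = bpf_get_current_uid_gid() & 0xffffffff;  // low 32 bits hold the uid
    counts.increment(uid);                              // BCC map helper: counts[uid]++
    return 0;
}
"""


def summarize(items):
    """Turn (uid, count) pairs read from the map into a list sorted by count, then uid."""
    return sorted(((int(uid), int(n)) for uid, n in items), key=lambda kv: (-kv[1], kv[0]))


def main(seconds=10):
    from bcc import BPF  # imported lazily so the module loads on hosts without bcc

    b = BPF(text=BPF_SOURCE)  # compile -> load -> verifier -> JIT, then attach the probe
    try:
        time.sleep(seconds)  # the kernel-side program counts executions meanwhile
    except KeyboardInterrupt:
        pass
    # map entries come back as ctypes objects; .value unwraps the u32/u64
    rows = summarize((k.value, v.value) for k, v in b["counts"].items())
    for uid, n in rows:
        print(f"uid {uid:<6} execve calls: {n}")
    return rows  # the program is detached and unloaded when `b` is garbage collected


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 10)
```

Run as root for a few seconds while processes start; the table it prints is the kind of per-user execution accounting an execve monitor would feed into detection tooling.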
What are the five-year-olds in your life like?! ;-) But seriously that was a very helpful explanation, thank you.
I guess what remains unclear to me is what eBPF is good for. Is it just, like… everything you would use a kernel module for, but easier? I saw you mention tracing what the Linux kernel is doing, and maybe messing with internet packets. Is there a killer app for eBPF?
Sorry, I’m known for being long winded ;-)
Big uses I’ve seen are:
Keep in mind you’re not limited to a single BPF program, you can have many working in concert all writing to various maps, and a userspace program taking in all this data and processing/presenting it in a way that is useful to the user. So while a single tracepoint might seem silly, seeing multiple related tracepoints and all the context associated with all of them can draw a big clear picture.
It's difficult to say exactly all the use cases of eBPF because it's such a wide open topic. It's kind of like asking what one can do with Python.
I don’t know that there is a killer app for eBPF (yet). It’s still very new and only just now starting to really take off into what I would say the beginnings of mainstream (enthusiasts). Cilium is a major player which provides policy based container network monitoring/routing/security (to the best of my knowledge, I’m not super familiar with Cilium other than their generic eBPF/XDP documentation which is incredible and borderline must read material for anyone trying to get into eBPF). There are other sandboxing tools built on eBPF that are pretty great, but still in the proof of concept phase. Likewise there are tons of low level tools that use eBPF behind the scenes, but I don’t think that counts as a killer app.
dtrace, better firewall (bpf is originally berkeley packet filter), performance (less kernel/user space ctx switching), …