eBPF: The Documentary
Unlocking The Kernel - the history of the creation of a revolutionary technology
Film review from Alexander Polomodov
What is eBPF
eBPF (extended Berkeley Packet Filter) is a technology for safely and efficiently extending the capabilities of the operating system at runtime. Initially it existed only in Linux, but the technology was later replicated on other operating systems.
The point is that extending the kernel this way requires no changes to the kernel source code and no loading of separate kernel modules. Safety is achieved through a verifier inside the kernel, which performs static analysis of every program before it is allowed to run.
Programs that pass verification are either interpreted or JIT-compiled to native code for performance. The execution model is event-driven: programs are attached to hook points in the kernel and run when the corresponding event occurs.
History of creation
💡 Idea
It all started with Alexei Starovoitov: while working at the startup PLUMgrid on SDN (Software Defined Networking), he came up with the idea of embedding a virtual machine in the Linux kernel. He created a new instruction set modelled on x86 assembly, with safety verification performed in the kernel.
🔄 Evolutionary path
The idea was too revolutionary, and Chris Wright from Red Hat (now CTO of Red Hat) proposed an evolutionary approach - integrating the new technology into the existing BPF subsystem. This is where the name "extended Berkeley Packet Filter" comes from.
📊 Tracing
Initially the focus was on networking, but that problem already had existing solutions. The focus then shifted to tracing - Brendan Gregg created the tools that became bcc and bpftrace.
🚀 Hyperscalers
eBPF proved effective at Meta, Google, Netflix and other hyperscalers. Alexei Starovoitov joined Facebook in 2015 and achieved outstanding results there.
Ecosystem Development
🐝 Cilium
Isovalent created Cilium, a project that brought eBPF capabilities to Kubernetes end users.
🔒 Security
eBPF has found application in security - system call monitoring, anomaly detection and runtime protection.
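As an added illustration of the event-driven model described in "What is eBPF" and of the system call monitoring mentioned here (this script is not from the film or the review), the following bpftrace program attaches to the kernel tracepoint for the execve system call and counts program executions per parent process name and executed file. bpftrace compiles the script to eBPF bytecode, the in-kernel verifier checks it, and only then is it attached to the hook point. The probe name and the output interval are my choices; the tracepoint and the `comm` / `args->filename` fields are standard bpftrace.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: count execve() calls per (process name, executed path).
// The probe fires on the sys_enter_execve tracepoint, i.e. the program
// runs only when that kernel event occurs; nothing polls.
tracepoint:syscalls:sys_enter_execve
{
    // comm: name of the process issuing the syscall
    // args->filename: path passed to execve()
    @execs[comm, str(args->filename)] = count();
}

// Every 10 seconds (assumed interval) print the accumulated counts and reset
// the map, giving a rolling view of what is being executed on the host.
interval:s:10
{
    print(@execs);
    clear(@execs);
}
```

Run it as root with `bpftrace execve-monitor.bt` (the filename is arbitrary) and stop it with Ctrl-C. A process that suddenly starts spawning shells or unfamiliar binaries shows up in the periodic output, which is the kind of baseline-and-anomaly view eBPF-based security tooling builds on.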
📈 Observability
eBPF-based tools allow you to deeply profile systems without significantly impacting performance.
🌐 Cross-platform
The technology was replicated on other operating systems - eBPF went beyond Linux.
Key people
Alexei Starovoitov
Creator of eBPF. Worked at PLUMgrid, then at Facebook/Meta.
Brendan Gregg
Performance expert. Creator of bcc and bpftrace.
Chris Wright
CTO of Red Hat. Proposed the evolutionary path of integrating the technology into the kernel's existing BPF subsystem.
Impact on the industry
The original idea was realised and changed the state of affairs in the industry. Previously, writing code to run inside the kernel (rather than in userspace) was extremely difficult, time-consuming, and expensive. Now this can be done quickly and easily using eBPF.

