Before eBPF
eBPF (extended Berkeley Packet Filter) is an extension of BPF (Berkeley Packet Filter). BPF was introduced in 1993 to control and filter traffic. Before BPF, packet filtering tools were limited to user space, which made them CPU-intensive and limited their capabilities.
Introduction to eBPF
eBPF stands for extended Berkeley Packet Filter. In most cases, the full form of an acronym gives us an idea about the concepts but in this case, the full form does not justify the power that eBPF brings to the table. It's a technology that runs code in the Linux kernel. eBPF is used for Kubernetes network observability, monitoring, auditing, and traffic routing. It can collect detailed metrics about network traffic and resource usage within containers. eBPF allows developers to write custom code into their kernel to change the way how kernel behaves. It is a virtual machine that allows executing programs called eBPF programs inside the Linux kernel. The programs that are written are attached to an event so that whenever the event occurs, the program is triggered.
Some key points about eBPF:
It is a lightweight virtual machine designed for safety and efficiency inside the Linux kernel.
eBPF programs are written in a restricted BPF (Berkeley Packet Filter) instruction set.
These programs can be attached at various tracepoints inside the kernel to perform filtering, monitoring, and profiling tasks.
eBPF programs have access to some in-kernel data structures and can also call some predefined helper functions.
eBPF has use cases like performance monitoring, network filtering, security analysis, tracing, etc.
eBPF programs are compiled and verified by the kernel before being executed to ensure safety.
eBPF is a powerful and flexible in-kernel infrastructure that allows extending the kernel without modifying it.
Observing applications from the kernel's perspective isn't entirely new; tools like Perf do provide such functionality but are limited to some aspects. eBPF is powerful but complex. Traditionally due to the high privilege at the kernel level, the innovation rate has also been lower, thus eBPF changes the idea and gets a clear ground.
Why eBPF?
The general and obvious question after the rise of eBPF was "Why eBPF?". Here are some reasons why eBPF is important:
Performance - eBPF programs run at near-native speeds since they are compiled into the host's machine language. This gives it very high performance.
Security - eBPF programs run in a sandboxed environment and have limited resources. This makes it more secure than traditional programs.
Versatility - eBPF can be used for a wide range of tasks like tracing, networking, security, etc. It is a general-purpose virtual machine.
Resource efficiency - eBPF programs are very memory and CPU-efficient since they are compiled into native code.
Extensibility - New uses for eBPF are being discovered constantly as it becomes more popular. It can be extended to perform new tasks.
Integration - eBPF is integrated deeply into the Linux kernel which makes it very useful for tasks related to the kernel.
Conclusion
eBPF is an enhanced and extended version of the original BPF with a more general-purpose design, a more powerful instruction set, more in-kernel access, and a wider range of use cases beyond just packet filtering. The original BPF laid the foundation for the eBPF virtual machine architecture inside the Linux kernel.
eBPF provides a safe, high-performance sandbox for running programs that can be used for many purposes related to the Linux kernel and system. This makes it a very useful and important technology for the Linux ecosystem. eBPF allows running custom programs inside the Linux kernel safely and efficiently to extend its capabilities for various use cases.