EBPF

Extending things is what Mihalis Tsoukalos loves to do, so his heart leapt at the chance to explain the Extended Berkeley Packet Filter.

Credit: https://ebpf.io

OUR EXPERT

Mihalis Tsoukalos is a systems engineer and a technical writer. You can reach him at www. mtsoukalos.eu and @mactsouk.

The subject of this tutorial is eBPF and is the first in a series of tutorials about eBPF and its capabilities. eBPF stands for Extended Berkeley Packet Filter, but despite its name it’s not restricted to just network packet filtering.

More accurately, eBPF enables users with root privileges to load and execute custom programs inside the kernel of the operating system, which, in simple terms, is at a really low level. After a custom program is loaded, it’s verified for safety and it might be rejected if there are problems with it. However, if everything is okay then the program is attached to at least one event (this is a compulsory requirement) and is launched when that event takes place.

As a consequence, instead of changing our software and adding extra code to it, we can collect information about our software by using an existing eBPF tool or by writing our own eBPF tools.

The history of eBPF

Let’s first discuss the history of BPF and eBPF, and how they’re connected. BPF was introduced in 1992 for improving the performance of packet capture tools. In 2013 Alexei Starovoitov did a major rewrite of BPF that was included in the Linux kernel in 2014 and replaced BPF. With this rewrite, BPF, which is now called eBPF, became more versatile and can be used for a variety of tasks beyond simple network packet capture.

It’s difficult to describe precisely what eBPF can do because it has so many capabilities. It’s much easier to describe how we can use eBPF. It can be used in three main areas: networking, security and observability. This series of tutorials is going to focus on the observability capabilities (tracing) of eBPF.

The main advantage of eBPF compared to traditional performance tools is that it’s efficient, production safe and part of the Linux kernel. In practice, this means that we can use eBPF without the need to add or load any other components to the Linux kernel.

Most Linux applications are executed in user space, which is a layer without too many privileges. Although using user space is safer and more secure, it has restrictions and requires using system calls to ask the kernel for access to privileged resources. Even the simplest commands use a large amount of system calls when executed.