In several parts of the globe, February is traditionally about love, and pancakes. eBPF sure received a lot of love over the last weeks! Blogging, conferencing, and kernel development have resumed full speed after the quiet period at the end of the year. Here are all the latest updates, plus a section focusing on program size limits. Alas, uncertainty remains as for eBPF getting pancakes.
Security
Building on the foundation of seeing and understanding all system calls and
combining that with a packet and socket-level view of all networking operations
allows for revolutionary new approaches to securing systems. While aspects of
system call filtering, network-level filtering, and process context tracing
have typically been handled by completely independent systems, eBPF allows for
combining the visibility and control of all aspects to create security systems
operating on more context with better level of control.
Networking
The combination of programmability and efficiency makes eBPF a natural fit for
all packet processing requirements of networking solutions. The programmability
of eBPF enables adding additional protocol parsers and easily program any
forwarding logic to meet changing requirements without ever leaving the packet
processing context of the Linux kernel. The efficiency provided by the JIT
compiler provides execution performance close to that of natively compiled
in-kernel code.
Tracing & Profiling
The ability to attach eBPF programs to trace points as well as kernel and user
application probe points allows unprecedented visibility into the runtime
behavior of applications and the system itself. By giving introspection
abilities to both the application and system side, both views can be combined,
allowing powerful and unique insights to troubleshoot system performance
problems. Advanced statistical data structures allow to extract meaningful
visibility data in an efficient manner, without requiring the export of vast
amounts of sampling data as typically done by similar systems.
Observability & Monitoring
Instead of relying on static counters and gauges exposed by the operating
system, eBPF enables the collection & in-kernel aggregation of custom metrics
and generation of visibility events based on a wide range of possible sources.
This extends the depth of visibility that can be achieved as well as reduces
the overall system overhead significantly by only collecting the visibility
data required and by generating histograms and similar data structures at the
source of the event instead of relying on the export of samples.