Applications
Toolkit and library for efficient BPF-based kernel tracing
BCC is a toolkit for creating efficient kernel tracing and manipulation programs built upon eBPF, and includes several useful command-line tools and examples. BCC eases writing of eBPF programs for kernel instrumentation in C, includes a wrapper around LLVM, and front-ends in Python and Lua. It also provides a high-level library for direct integration into applications.
eBPF-based Networking, Security, and Observability
Cilium is an open source project that provides eBPF-powered networking, security and observability. It has been specifically designed from the ground up to bring the advantages of eBPF to the world of Kubernetes and to address the new scalability, security and visibility requirements of container workloads.
High-level tracing language for Linux eBPF
bpftrace is a high-level tracing language for Linux eBPF. Its language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. bpftrace uses LLVM as a backend to compile scripts to eBPF bytecode and makes use of BCC as a library for interacting with the Linux eBPF subsystem as well as existing Linux tracing capabilities and attachment points.
Cloud Native Runtime Security
Falco is a behavioral activity monitor designed to detect anomalous activity in applications. Falco audits a system at the Linux kernel layer with the help of eBPF. It enriches gathered data with other input streams such as container runtime metrics and Kubernetes metrics, and allows continuous monitoring and detection of container, application, host, and network activity.
Scriptable observability for Kubernetes
Pixie is an open source observability tool for Kubernetes applications. Pixie uses eBPF to automatically capture telemetry data without the need for manual instrumentation. Developers can use Pixie to view the high-level state of their cluster (service maps, cluster resources, application traffic) and also drill down into more detailed views (pod state, flame graphs, individual full body application requests).
Pluggable eBPF-based networking and security for containers and Kubernetes
Calico Open Source is designed to simplify, scale, and secure container and Kubernetes networks. Calico's eBPF dataplane utilizes the power, speed, and efficiency of eBPF programs to deliver networking, load-balancing, and in-kernel security enforcement for your environment.
A high performance layer 4 load balancer
Katran is a C++ library and eBPF program to build a high-performance layer 4 load balancing forwarding plane. Katran leverages the XDP infrastructure from the Linux kernel to provide an in-kernel facility for fast packet processing. Its performance scales linearly with the number of NIC's receive queues and it uses RSS friendly encapsulation for forwarding to L7 load balancers.
Continuous Profiling Platform
Track memory, CPU, I/O bottlenecks broken down by method name, class name, and line number over time. Without complex overhead, in any language or framework. Using Parca's UI the data can be globally explored and analyzed using various visualizations to quickly and efficiently identify bottlenecks in code. Parca uses eBPF to collect profiling data and uses libbpf-go to interact with the kernel.
eBPF-based Security Observability & Runtime Enforcement
Tetragon provides eBPF-based transparent security observability combined with real-time runtime enforcement. The deep visibility is achieved without requiring application changes and is provided at low overhead thanks to smart Linux in-kernel filtering and aggregation logic built directly into the eBPF-based kernel-level collector. The embedded runtime enforcement layer is capable of performing access control on kernel functions, system calls and at other enforcement levels.
Continuous Profiling Platform
Pyroscope is an open source project centered around continuous profiling, particularly in a Kubernetes context. It leverages eBPF as its core technology along with a custom storage engine to offer system-wide continuous profiling with minimal overhead as well as efficient storage and querying capabilities. We support Linux 4.9 and up thanks to CO-RE and libbpf.
SSL/TLS capture tool using eBPF
eCapture is a Go language-written tool that can capture HTTPS/TLS plaintext without a CA certificate. It supports TLS encryption libraries such as openssl, boringssl, gnutls, and nspr. It can run on x86_64 CPU architectures with Linux kernel 4.18 or higher, and aarch64 CPU architectures with Linux/Android kernel 5.5 or higher, supporting both CO-RE and non-CO-RE modes without BTF.
Network, Service & Security Observability for Kubernetes using eBPF
Hubble is a fully distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.
Linux Runtime Security and Forensics using eBPF
Tracee uses eBPF technology to detect and filter operating system events, helping you expose security insights, detect suspicious behavior, and capture forensic indicators.
eBPF-based Linux kernel network packet tracer
pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.
Highly Automated Observability Platform powered by eBPF
DeepFlow is a highly automated observability platform built for cloud native developers. Based on eBPF, DeepFlow innovatively implements an automated distributed tracing mechanism: AutoTracing. Microservice processes, service mesh sidecars, and network interfaces along the way are included as tracing spans, for every distributed transaction, without any code instrumentation. DeepFlow can automatically generate golden RED metrics for any process in cloud native environment.
Schedule bpftrace programs on your Kubernetes cluster
kubectl-trace is a kubectl plugin that allows for scheduling the execution of bpftrace(8) programs in Kubernetes clusters. kubectl-trace does not require installation of any components directly onto a Kubernetes cluster in order to execute bpftrace programs. When pointed to a cluster, it schedules a temporary job called trace-runner that executes bpftrace.
Linux high-performance transparent proxy solution
dae, meaning goose, is a high-performance transparent proxy solution. To enhance traffic split performance as much as possible, dae employs the transparent proxy and traffic split suite within the Linux kernel using eBPF. As a result, dae can enable direct traffic to bypass the proxy application's forwarding, facilitating genuine direct traffic passage. Through this remarkable feat, there is minimal performance loss and negligible additional resource consumption for direct traffic.
Introspecting and debugging Kubernetes applications using eBPF "gadgets"
Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes resources and applications. It manages the packaging, deployment and execution of eBPF programs in a Kubernetes cluster, including many based on BCC tools, as well as some developed specifically for use in Inspektor Gadget. It automatically maps low-level kernel primitives to high-level Kubernetes resources, making it easier and quicker to find the relevant information.
Security Observability
Sysmon for Linux is a tool that monitors and logs system activity including process lifetime, network connections, file system writes, and more. Sysmon works across reboots and supports advanced filtering to help identify malicious activity as well as how intruders and malware operate on your network.
eBPF based Kubernetes service map
Caretta is a Kubernetes service map that uses eBPF to trace network traffic between pods. It can be used to visualize the network traffic between services in a Kubernetes cluster, and gain additional insights into the network traffic and the relationships between services.
Container-aware Runtime Security Enforcement System
KubeArmor is a container-aware runtime security enforcement system that restricts the behavior (such as process execution, file access, networking operation, and resource utilization) of containers at the system level, using LSMs and eBPF.
Zero-code automatic instrumentation with eBPF and OpenTelemetry
Beyla is a vendor agnostic, OpenTelemetry and Prometheus application auto-instrumentation tool, which lets you easily get started with Application Observability. eBPF is used to automatically inspect application executables and the OS networking layer, allowing us to capture essential application observability events for HTTP/S and gRPC services. From these captured eBPF events, we produce OpenTelemetry web transaction trace spans and Rate-Errors-Duration (RED) metrics. As with most eBPF tools, all data capture and instrumentation occurs without any modifications to your application code or configuration.
A dynamic tracer for Linux
ply is a dynamic tracer for Linux which is built upon eBPF. It has been designed with embedded systems in mind, is written in C and all that ply needs to run is libc and a modern Linux kernel with eBPF support, meaning, it does not depend on LLVM for its program generation. It has a C-like syntax for writing scripts and is heavily inspired by awk(1) and dtrace(1).
Kubernetes-based Efficient Power Level Exporter
Kepler (Kubernetes-based Efficient Power Level Exporter) is a Prometheus exporter. It uses eBPF to probe CPU performance counters and Linux kernel tracepoints. These data and stats from cgroup and sysfs are fed into ML models to estimate energy consumption by Pods.
A modular runtime security framework for the IoT
Pulsar is an event-driven framework for monitoring the activity of Linux devices. It allows you to collect runtime activity events from the Linux kernel through its modules and evaluate each event against your own set of security policies. Powered by eBPF and written in Rust, Pulsar is lightweight and safe by design.
Use eBPF to speed up your Service Mesh like crossing an Einstein-Rosen Bridge
Merbridge is designed to make traffic interception and forwarding more efficient for service mesh. With Merbridge, developers can use eBPF instead of iptables to accelerate their service mesh without any additional operations or code changes. Currently, Merbridge already supports Istio, Linkerd, and Kuma.
eBPF-based Cloud Native Monitoring & Profiling Tool
Kindling is a monitoring tool that aims to help users understand the execution behavior of programs from kernel space to user space to pinpoint the root cause of critical incidents. It can obtain L4/L7 network performance metrics and build service maps. Kindling implements a mechanism, Trace Profiling, that can display how each trace is executing on-CPU with thread-level flame graph, and how it is slowed down by off-CPU events with related metrics.
UI for interactive eBPF-based userspace performance debugging
Wachy is a profiler that uses eBPF to trace arbitrary compiled binaries and functions at runtime. It aims to make eBPF uprobe-based debugging much easier to use by displaying traces in a UI next to the source code, and allowing interactive drilldown analysis.
Effortless, Low-Overhead, eBPF-based Kubernetes Monitoring
Alaz is an open source Anteon eBPF agent that can inspect and collect Kubernetes service traffic without the need for code instrumentation, sidecars, or service restarts. Alaz uses eBPF to create a Service Map that helps identify golden signals and problems like high latencies, 5xx errors, zombie services, slow HTTP requests, and SQL queries.
eBPF programs in a WASM module or JSON
Eunomia-bpf is a dynamic loading library, based on libbpf, and a compiler toolchain. Eunomia-bpf simplifies building eBPF tools and allows you to package, distribute, and run eBPF programs in JSON format or as a WASM module. With eunomia-bpf, you can write kernel eBPF code and automatically expose your data from the kernel and interact with eBPF program in user space with a WASM runtime.
Network monitoring & diagnosis suite for Kubernetes
KubeSkoop is a toolset designed to assist users in monitoring and diagnosing network-related issues within Kubernetes environments. It uses eBPF to provide pod-level kernel metrics and anomaly events, enabling users to quickly detect and solve network issues in their Kubernetes clusters.
Complete lifecycle management of eBPF programs
L3AF is a platform to launch and manage eBPF programs in distributed environments. L3AF empowers users to compose multiple eBPF programs together to solve unique problems in different environments. Using the APIs provided by L3AF, these eBPF programs can be reconfigured, updated, inspected, and reordered on-the-fly. L3AF also provides configurable metrics for the eBPF programs it has launched.
APM, Application Performance Monitoring System
Apache SkyWalking is an application performance monitor tool for distributed systems, especially designed for microservices, cloud native and container-based (Kubernetes) architectures. SkyWalking Rover is an agent in the SkyWalking ecosystem, as a metrics collector and profiler powered by eBPF to diagnose CPU, I/O and L4/L7(TLS) network performance. Also, Rover provides add-on events for spans in the distributed tracing.
eBPF based cloud-native load-balancer for 5G Edge
LoxiLB is an open-source cloud-native "external" service load-balancer for cloud-native 5G/edge workloads written from scratch using eBPF as its core-engine and based on Go Language. LoxiLB turns Kubernetes network load balancing for 5G/Edge services into high speed, flexible and programmable LB services.
System manager and Kubernetes operator for eBPF programs
bpfman is a software stack that aims to make it easy to load, unload, modify and monitor eBPF programs whether on a single host, or in a Kubernetes cluster. It provides insights into how eBPF is utilized on a system, includes a built-in program loader that supports program cooperation for XDP and TC programs, and manages the eBPF filesystem, facilitating the deployment of eBPF applications without requiring additional privileges.
Layer 4 Kubernetes load-balancer
Blixt is a layer 4 load-balancer for Kubernetes. It has a control-plane implemented using Gateway API and a data-plane built using eBPF and Rust.
Flow based observability platform
NetObserv eBPF agent empowers the collection of essential network metrics, including the tracking of network flow statistics. It conducts in-depth DNS latency analysis for DNS over UDP and TCP, allowing for the measurement of the time it takes for DNS requests to be processed. Additionally, it calculates TCP round trip latency on a per-flow basis, aiding in the identification of latency-related issues within TCP connections. The agent also provides insights into packet drops, offering protocol-specific drop metrics along with the reasons for packet drops. Furthermore, NetObserv eBPF offers filter-based capabilities for capturing raw network packets, enabling administrators to focus on specific network events or issues of interest. These captured packets are stored in the widely supported .pcap format, facilitating easy post-analysis and compatibility with various network analysis tools.
Stateless Ingress Node Firewall
The Ingress node firewall is orchestrated by a Kubernetes operator designed to provision stateless firewall rules at the node level. The stateless Ingress node firewall is achieved through the utilization of an eBPF XDP kernel plugin.
Real-time eBPF Program Monitoring and Performance Statistics
bpftop provides a dynamic real-time view of running eBPF programs. It displays the average runtime, events per second, and estimated total CPU % for each program. It also provides graphical views of these statistics over time. This tool minimizes overhead by enabling performance statistics only while it is active.
Whole-system, cross-language continuous profiler for Linux
The Open Telemetry eBPF-based continuous profiler offers comprehensive, low-overhead whole-system profiling for Linux systems. It supports a wide range of programming languages, including native code without debug symbols, and provides deep insights into application behavior. By leveraging the experimental OTel profiling signals, this project empowers developers to identify performance bottlenecks and optimize their applications efficiently.
Are these projects part of the eBPF Foundation?
- This page lists open source projects that use eBPF as a core technology. Not all of these projects are managed by the eBPF Foundation; they are listed as part of a survey of the eBPF project landscape.
Add your project
- Check that the project meets the requirements described below.
- Open a pull request and provide the required information. Use the listed projects as examples. The applications are ordered by GitHub stars (highest first), and the order is updated every quarter.
- The pull request will be reviewed by the community and merged by the eBPF project maintainers. If you have any questions, feel free to ask on Slack.
Do you maintain a listed project?
- If you maintain one of the listed projects and would like to change its content, get in touch via Slack or open a pull request directly.
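Requirements for a project to be listed
Projects can be listed on this page as “Major” or “Emerging”. To be listed as “Emerging”, a project must meet the following requirements:
- The project must be open source. All open source code must be licensed under an open source license. All official documentation must also be licensed under an open license.
- The project must either use eBPF as its core underlying technology (that is, if the part that uses eBPF were removed, the project would no longer have a purpose) or help with using eBPF in production.
- The project must be open to collaboration and adopt a governance model that follows good open source best practices.
To be listed as a “Major” project, the project must meet all of the requirements above and, in addition, the following:
- The project must have 50 or more contributors.
- The project must be in use in production-like environments with a large number of users. Because this is difficult to verify from the project's links alone, this information must be included in the pull request description.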