eBPF Summit 2020 - Virtual - Oct 28-29, 2020 - CFP and Registration now open. Click here.
Major Projects
bcc
Toolkit and library for efficient BPF-based kernel tracing

GitHub

BCC is a toolkit for creating efficient kernel tracing and manipulation programs built upon eBPF, and includes several useful command-line tools and examples. BCC eases writing of eBPF programs for kernel instrumentation in C, includes a wrapper around LLVM, and front-ends in Python and Lua. It also provides a high-level library for direct integration into applications.

bpftrace
High-level tracing language for Linux eBPF

Website | GitHub

bpftrace is a high-level tracing language for Linux eBPF. Its language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. bpftrace uses LLVM as a backend to compile scripts to eBPF bytecode and makes use of BCC as a library for interacting with the Linux eBPF subsystem as well as existing Linux tracing capabilities and attachment points.

Cilium
eBPF-based Networking, Security, and Observability

Website | GitHub

Cilium is an open source project that provides eBPF-powered networking, security and observability. It has been specifically designed from the ground up to bring the advantages of eBPF to the world of Kubernetes and to address the new scalability, security and visibility requirements of container workloads.

Falco
Cloud Native Runtime Security

Website | GitHub

Falco is a behavioral activity monitor designed to detect anomalous activity in applications. Falco audits a system at the Linux kernel layer with the help of eBPF. It enriches gathered data with other input streams such as container runtime metrics and Kubernetes metrics, and allows to continuously monitor and detect container, application, host, and network activity.

Katran
A high performance layer 4 load balancer

Website | GitHub

Katran is a C++ library and eBPF program to build a high-performance layer 4 load balancing forwarding plane. Katran leverages the XDP infrastructure from the Linux kernel to provide an in-kernel facility for fast packet processing. Its performance scales linearly with the number of NIC's receive queues and it uses RSS friendly encapsulation for forwarding to L7 load balancers.

Core Infrastructure
Linux Kernel
eBPF Runtime

Website | Git Trees | Mailing List | Patches | Docs

The Linux kernel contains the eBPF runtime required to run eBPF programs. It implements the bpf(2) system call for interacting with programs, maps, BTF and various attachment points where eBPF programs can be executed from. The kernel contains a eBPF verifier in order to check programs for safety and a JIT compiler to translate programs to native machine code. User space tooling such as bpftool and libbpf are also maintained as part of the upstream kernel.

LLVM Compiler
eBPF Backend

Website | GitHub

The LLVM compiler infrastructure contains the eBPF backend required to translate programs written in a C-like syntax to eBPF instructions. LLVM generates eBPF ELF files which contain program code, map descriptions, relocation information and BTF meta data. These ELF files contain all necessary information for eBPF loaders such as libbpf to prepare and load programs into the Linux kernel. The LLVM project also contains additional developer tools such as an eBPF object file disassembler.

eBPF Libraries

ebpf | gobpf

eBPF is designed as a pure Go library that provides utilities for loading, compiling, and debugging eBPF programs. It has minimal external dependencies and is intended to be used in long running processes. The gobpf is a CGo-based library which provides Go bindings for the BCC framework as well as low-level routines to load and use eBPF programs from ELF files.

libbpf

libbpf is a C/C++ based library which is maintained as part of the upstream Linux kernel. It contains an eBPF loader which takes over processing LLVM generated eBPF ELF files for loading into the kernel. libbpf received a major boost in capabilities and sophistication and closed many existing gaps with BCC as a library. It also supports important features not available in BCC such as global variables and BPF skeletons.

libbpf-rs | redbpf

libbpf-rs is a safe, idiomatic, and opinionated wrapper API around libbpf written in Rust. libbpf-rs, together with libbpf-cargo (libbpf cargo plugin) allows to write 'compile once run everywhere' (CO-RE) eBPF programs. redbpf is a Rust eBPF toolchain that contains a collection of Rust libraries to work with eBPF programs.

Emerging Projects
Hubble
Network, Service & Security Observability for Kubernetes using eBPF

Website | GitHub

Hubble is a fully distributed networking and security observability platform for cloud native workloads. It is built on top of Cilium and eBPF to enable deep visibility into the communication and behavior of services as well as the networking infrastructure in a completely transparent manner.

kubectl trace
Schedule bpftrace programs on your Kubernetes cluster

GitHub

kubectl-trace is a kubectl plugin that allows for scheduling the execution of bpftrace(8) programs in Kubernetes clusters. kubectl-trace does not require installation of any components directly onto a Kubernetes cluster in order to execute bpftrace programs. When pointed to a cluster, it schedules a temporary job called trace-runner that executes bpftrace.

ply
A dynamic tracer for Linux

Website | GitHub

ply is a dynamic tracer for Linux which is built upon eBPF. It has been designed with embedded systems in mind, is written in C and all that ply needs to run is libc and a modern Linux kernel with eBPF support, meaning, it does not depend on LLVM for its program generation. It has a C-like syntax for writing scripts and is heavily inspired by awk(1) and dtrace(1).

FAQ

Add your project

  1. Make sure that the project is meeting the requirements to be listed. See below.
  2. Open a pull request and provide the required information. Use one of the already listed projects as a template.
  3. The pull request will be reviewed by the community and merged by one of the maintainers. If you have any questions, feel free to ask on Slack.

Are you maintaining a listed project?

  • If you are maintaining one of the listed projects and would like to adjust the content. Get in touch on Slack or open a pull request directly.

Requirements for a project to be listed

  • The project must be open source. All source code must be licensed under an open source license. Any documentation must be licensed under an open license.
  • The project must be using eBPF as its underlying core technology, in other words, a project would lose its purpose if the eBPF parts are removed.
  • In order to be listed as a major project as opposed to an emerging project, the project must have more than 50 contributors, it must be activey maintained, and it must be used in production-like environments with a significant amount of users.
  • The project must be open to collaboration and have a governance model following open-source best-practices.