eBPF Documentary

Blog page

TechnologyExternal

Live-patching security vulnerabilities inside the Linux kernel with eBPF Linux Security Module

Learn how to patch Linux security vulnerabilities without rebooting the hardware and how to tighten the security of your Linux operating system with eBPF Linux Security Module

Read more
How-ToExternal

Production ready eBPF, or how we fixed the BSD socket API

We are open sourcing the production tooling we’ve built for the sk_lookup hook we contributed to the Linux kernel, called tubular.

Read more
TechnologyExternal

BPF CO-RE reference guide

A practical reference guide to using the full power of BPF CO-RE (Compile Once – Run Everywhere).

Read more
TechnologyExternal

eBPF Instruction Sets

Not everyone who develops BPF programs knows that several versions of the instruction set exist. This isn’t really surprising given documentation on the subject is scarce. So let’s go through the different eBPF instruction sets, why they exist, and why their choice matters.

Read more
How-ToExternal

Features of bpftool: the thread of tips and examples to work with eBPF objects

Working with eBPF? Discover how bpftool can help you load, inspect, update your eBPF programs, maps, and more.

Read more
How-ToExternal

How To Add eBPF Observability To Your Product

There's an arms race to add eBPF to commercial observability products, and in this post I'll describe how to quickly do that. This is also applicable for people adding it to their own in-house monitoring systems.

Read more
TechnologyExternal

BPF tips & tricks: the guide to bpf_trace_printk() and bpf_printk()

Any non-trivial BPF program always needs some amount of debugging to get it working correctly. Unfortunately, there isn't a BPF debugger yet, so the next best thing is to sprinkle printf()-like statements around and see what's going on in the BPF program. BPF equivalent of printf() is the bpf_trace_printk() helper. In this blog post we'll look at how to use it, what are its limitations, and how to work around them.

Read more
Update

eBPF Updates #5: CNCF Proposals, Kinvolk Acquired, eCHO, the Cost of Tail Calls, Systemd Features, Reverse Debugging, Static Linking

Spring is back in the Northern Hemisphere, and with it all kinds of features are blooming for eBPF. Kernel 5.12 is out and version 5.13 is on track to bring new exciting functionalities. At the same time, new projects hatch and companies are enjoying renewed activity. Several eBPF-related projects applied to join or upgrade their status in the bosom of CNCF. After some delay, no doubt caused by winter hibernation, welcome to the fifth issue of the eBPF Updates!

Read more
TechnologyExternal

BMC: Accelerating Memcached using Safe In-kernel Caching and Pre-stack Processing

Tomorrow, Yoann Ghigoff et al. will present their paper BMC: Accelerating Memcached using Safe In-kernel Caching and Pre-stack Processing at NSDI 2021. In this paper, the authors propose to speed up Memcached using eBPF by implementing a transparent, first-level cache at the XDP hook. It’s not everyday we see BPF being used on application protocols!

Read more
TechnologyExternal

The Cost of BPF Tail Calls

For an upcoming blog post, I wanted to measure the cost of BPF tail calls. Tail calls allow you to jump from one BPF program to another. Their overhead varied a lot in recent kernels, with a first increase caused by Spectre mitigations and a decrease thanks to improvements in Linux 5.5.

Read more