eBPF – The Next Frontier In Linux (Introduction)

by | 15.10.2021 | Engineering

Linux, Windows and macOS are still the three dominant operating systems, but for building general-purpose, open-source software Linux remains the core of a developer’s toolkit. Working with Linux is not without friction, though: changing kernel behaviour has traditionally meant patching the kernel or adding modules, and the spread of AI and IoT devices has raised the bar for debugging, infrastructure work, and tracing and observing what running systems actually do.

Extended Berkeley Packet Filter (eBPF) addresses both problems. It is a kernel technology (introduced with the bpf() system call in Linux 3.18 and expanded throughout the 4.x and 5.x series) that lets programs run inside the kernel without editing kernel source or loading a kernel module. eBPF is best described as a small, register-based virtual machine inside the Linux kernel: programs are loaded as BPF bytecode, checked by a verifier, and then run in kernel context, reaching kernel state only through a fixed set of helper functions and shared data structures called maps.

eBPF has been effective enough in reshaping Linux development that the eBPF Foundation was set up under the Linux Foundation in 2021, and eBPF-based projects such as Cilium have joined the Cloud Native Computing Foundation (CNCF) alongside other Linux-centric tools.

Figure: eBPF and its deployment architecture (Source: eBPF)

eBPF and How It Fits With Linux

The steep learning curve for Linux, together with its web of packages and dependencies, can make it hard to pick up and run. eBPF’s contribution is not another layer of packaging but a way to run small, sandboxed programs inside the kernel itself, loaded at runtime. Before a program runs, an in-kernel verifier checks that it is safe (bounded, memory-safe, and calling only permitted helper functions), and a Just-In-Time (JIT) compiler then translates the bytecode into native machine code, so it executes about as efficiently as code compiled into the kernel.

This load, verify and JIT cycle has produced a new generation of eBPF-based tools across security, networking, observability and tracing, with uses in AI and IoT deployments as well.

The core job of any Linux kernel is to sit between hardware and applications while exposing a consistent API (the system calls) so that applications behave the same on any system. Internally the kernel is organised into subsystems (networking, scheduling, the virtual file system, and so on), each with its own rules and configuration. Until eBPF, changing how a subsystem behaves meant either modifying the kernel source before the kernel was built and shipped, or writing a kernel module, which runs with full kernel privilege and can crash the machine on any mistake. eBPF lets an administrator or developer attach custom logic to these subsystems from user space, on a running kernel, without either of those steps.

eBPF Applications In Practice

eBPF is event driven: a program is attached to a point in the kernel’s (or an application’s) code path, and it runs whenever execution passes that point. These attachment points are called hooks, and they are what trigger eBPF programs once they have been compiled, verified and loaded. Hooks users commonly attach to include network events (such as a packet arriving on an interface), system calls, kernel function entry and exit (kprobes), and kernel tracepoints; user-space function entry can be hooked as well with uprobes.

Under the hood the flow is: the eBPF program (usually written in a restricted C) is compiled to BPF bytecode in user space, handed to the kernel through the bpf() system call, and then checked by the verifier before it is accepted. The verifier walks every possible path through the program and rejects anything that could loop without bound, read an uninitialised register, access memory out of bounds, or call a kernel function that is not an approved helper; only then is the program JIT-compiled and attached to its hook. This is what stops an eBPF program, whether buggy or malicious, from destabilising or compromising the kernel, and it is also why eBPF programs are small and simple by construction.
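To make the load path concrete, here is an added example (not code from the kernel, the eBPF project or this post’s author) that models it in Python: it packs instructions in the kernel’s real struct bpf_insn layout, applies a few of the verifier’s rules (bounded control flow, no uninitialised registers, every path sets r0 before exit) and then interprets the bytecode. The opcode values are the kernel’s; the verifier and interpreter are a deliberately small model, the sample programs are constructed for the illustration, and the real verifier does far more (register type and range tracking, bounds checks on memory and helper arguments).

```python
"""Model of the eBPF load path: encode instructions as struct bpf_insn, apply a
few verifier rules, then execute.  Added illustration, not kernel code."""
import struct

# Encoding constants, values as in linux/bpf_common.h and linux/bpf.h.
BPF_ALU64, BPF_JMP = 0x07, 0x05                # instruction classes
BPF_K, BPF_X = 0x00, 0x08                      # operand is immediate / register
BPF_ADD, BPF_MOV = 0x00, 0xb0                  # ALU operations
BPF_JA, BPF_JGT, BPF_EXIT = 0x00, 0x20, 0x90   # jump operations
MASK64 = (1 << 64) - 1

def insn(code, dst=0, src=0, off=0, imm=0):
    """Pack one instruction as struct bpf_insn (8 bytes, little-endian):
    u8 code, u8 dst_reg:4 | src_reg:4, s16 off, s32 imm.  This is what bpf() receives."""
    return struct.pack("<BBhi", code, (src << 4) | dst, off, imm)

def decode(program):
    """Split raw bytecode into (code, dst, src, off, imm) tuples."""
    words = [struct.unpack("<BBhi", program[i:i + 8]) for i in range(0, len(program), 8)]
    return [(c, r & 0xF, r >> 4, off, imm) for c, r, off, imm in words]

def verify(program):
    """Return None if the program passes the modelled checks, else the reason,
    worded like the kernel verifier's own messages."""
    if not program or len(program) % 8:
        return "program length must be a non-zero multiple of 8 bytes"
    insns, n = decode(program), len(program) // 8
    if insns[-1][0] != BPF_JMP | BPF_EXIT:
        return "last insn is not an exit"
    for pc, (code, _dst, _src, off, _imm) in enumerate(insns):
        if code & 0x07 == BPF_JMP and code != BPF_JMP | BPF_EXIT:
            target = pc + 1 + off            # jump offsets are relative to the next insn
            if not 0 <= target < n:
                return f"jump out of range from insn {pc} to {target}"
            if target <= pc:                 # the classic rule: no back-edges, so no loops
                return f"back-edge from insn {pc} to {target}"

    def walk(pc, written):
        # Explore every path forward (no back-edges, so this terminates) and track
        # which registers were written.  Only r1 (context) and r10 (frame pointer)
        # are live at entry; reading anything else first is "R<n> !read_ok".
        code, dst, src, off, imm = insns[pc]
        cls, op, source = code & 0x07, code & 0xF0, code & 0x08
        if cls == BPF_ALU64 and op in (BPF_MOV, BPF_ADD):
            if source == BPF_X and src not in written:
                return f"R{src} !read_ok at insn {pc}"
            if op == BPF_ADD and dst not in written:
                return f"R{dst} !read_ok at insn {pc}"
            return walk(pc + 1, written | {dst})
        if code == BPF_JMP | BPF_EXIT:
            return None if 0 in written else f"R0 !read_ok at insn {pc}"
        if code == BPF_JMP | BPF_JA:
            return walk(pc + 1 + off, written)
        if cls == BPF_JMP and op == BPF_JGT:
            for reg in (dst, src) if source == BPF_X else (dst,):
                if reg not in written:
                    return f"R{reg} !read_ok at insn {pc}"
            return walk(pc + 1, written) or walk(pc + 1 + off, written)
        return f"unknown opcode {code:#04x} at insn {pc}"

    return walk(0, frozenset({1, 10}))

def execute(program, ctx):
    """Interpret a verified program: r1 holds the context on entry, r0 is returned at exit."""
    err = verify(program)
    if err:
        raise ValueError(err)
    insns, regs, pc = decode(program), [0] * 11, 0
    regs[1] = ctx & MASK64
    while True:
        code, dst, src, off, imm = insns[pc]
        cls, op, source = code & 0x07, code & 0xF0, code & 0x08
        operand = regs[src] if source == BPF_X else imm & MASK64   # imm is sign-extended
        if cls == BPF_ALU64:
            regs[dst] = operand if op == BPF_MOV else (regs[dst] + operand) & MASK64
            pc += 1
        elif code == BPF_JMP | BPF_EXIT:
            return regs[0]
        elif code == BPF_JMP | BPF_JA:
            pc += 1 + off
        else:                                   # BPF_JGT: unsigned 64-bit compare
            pc += 1 + off if regs[dst] > operand else 1

def clamp_program(limit=100):
    """Constructed sample: return r1 capped at `limit`.
    0: if r1 > limit goto 3   1: r0 = r1   2: exit   3: r0 = limit   4: exit"""
    return b"".join([
        insn(BPF_JMP | BPF_JGT | BPF_K, dst=1, off=2, imm=limit),
        insn(BPF_ALU64 | BPF_MOV | BPF_X, dst=0, src=1),
        insn(BPF_JMP | BPF_EXIT),
        insn(BPF_ALU64 | BPF_MOV | BPF_K, dst=0, imm=limit),
        insn(BPF_JMP | BPF_EXIT),
    ])

# Constructed programs the verifier must refuse.
LOOPING = b"".join([
    insn(BPF_ALU64 | BPF_MOV | BPF_K, dst=0, imm=0),
    insn(BPF_ALU64 | BPF_ADD | BPF_K, dst=0, imm=1),
    insn(BPF_JMP | BPF_JA, off=-2),             # back to insn 1: an unbounded loop
    insn(BPF_JMP | BPF_EXIT),
])
UNINIT = insn(BPF_ALU64 | BPF_MOV | BPF_X, dst=0, src=2) + insn(BPF_JMP | BPF_EXIT)

if __name__ == "__main__":
    print("clamp(42) ->", execute(clamp_program(), 42), "| clamp(500) ->", execute(clamp_program(), 500))
    print("looping ->", verify(LOOPING), "| uninit ->", verify(UNINIT))
```

The byte strings this produces match what a real loader hands to bpf(): for instance `r0 = r1` packs to `bf 10 00 00 00 00 00 00`, the same eight bytes a bytecode dump shows. The two rejected programs illustrate the point in the text: the kernel never runs the looping or uninitialised-register program, because the check happens at load time, before any hook can fire.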

This in-kernel sandbox has made eBPF a favourite for monitoring and security frameworks, as well as for tracing the activity that leads up to unexpected behaviour. Use cases include:

1. High-performance networking and load balancing for data centres and cloud-native environments.

2. Collecting security-relevant data (system calls, file and network activity) and feeding it to security frameworks built on the Linux kernel.

3. Helping application developers trace applications, produce troubleshooting reports, catch problems early in development, and enforce container runtime security.

Figure: Tracing with eBPF (Source: eBPF)

The Good & The Bad: Where It All Comes Together

It is fast, and it comes with what a modern monitoring system needs, without lengthy setup or dedicated hardware. Because verified programs are JIT-compiled to native code, eBPF reaches packet-processing rates close to what hand-written kernel code achieves.

Used as a debugging aid, eBPF lets users look deep inside a running program without stopping it every few seconds to inspect its state, and it can pull out exactly the data needed to pin down a misbehaving component. Because programs are sandboxed, the kernel is protected from mistakes in them. The verification step is not a formality either: it bounds how much work a program may do on each event, so attaching programs to hot paths does not choke the system as load and the number of users grow.

eBPF also gives users a single framework that plugs into an existing kernel for tracing, rather than rebuilding the kernel from source on a separate machine to study it. Unlike many tracing tools, eBPF programs can keep state between events in kernel-resident data structures called maps (hash tables, arrays, ring buffers and more) and share it with user space, instead of dumping everything out as it happens.

Its drawbacks do not overshadow the benefits, but they deserve discussion. eBPF is tied to the Linux kernel, so it is not a portable, cross-platform tool. Portability is also an issue across kernel versions: the bpf() system call appeared in Linux 3.18, but most program types, helper functions and map types arrived over the 4.x and 5.x releases, so a program written against a recent kernel may refuse to load on an older one, and the kernel has to be built with BPF support enabled in the first place.

Sandboxing also brings a familiar limitation: the verifier rejects anything it cannot prove safe. Unbounded loops, programs over the instruction limit, arbitrary pointer arithmetic and calls to kernel functions other than the approved helpers are all refused, so logic that would be trivial in a kernel module sometimes has to be restructured, simplified or split across several programs before it is accepted.


eBPF: Important Components To Keep In Mind

There are a great many resources and tools that newcomers could keep in mind when exploring eBPF for the first time; here we focus on the ones that make it a distinctive tool.

LLVM Clang

LLVM/Clang is not part of eBPF itself but the standard compiler for it: LLVM has a BPF backend, so Clang can compile restricted C into eBPF bytecode packaged in an ELF object that a loader hands to the kernel. Early on, programs were assembled by hand from instruction macros, or with the kernel’s bpf_asm tool for classic BPF, which was tedious and error-prone. Modern users skip that entirely and write their programs in C.

BCC toolkit

The usual choice for writing BPF programs from Python. The BPF Compiler Collection (BCC) is a toolkit for building efficient kernel tracing and monitoring programs: the BPF program is written in C, embedded in a Python (or Lua) script, compiled with LLVM at runtime on the target machine (so kernel headers must be installed there), loaded, and then read out from user space. It ships with dozens of ready-made tools and is widely used for performance analysis, security, and network traffic analysis.
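As an added example in the BCC style (not code from the BCC project or this post’s author), the script below attaches a kprobe to the execve system call so that every new program launch is reported: the C part is the eBPF program BCC compiles and loads, and the Python part reads the kernel trace pipe and parses each line. The BCC calls used (BPF, get_syscall_fnname, attach_kprobe, trace_readline) are BCC’s real API; the line format is ftrace’s trace_pipe output; the parser is our own stand-in for BCC’s trace_fields(), and the sample line it is tested against is constructed. Running the tracer needs root, the bcc Python package and kernel headers.

```python
"""Trace every execve() with BCC: a kprobe on the execve syscall writes one line
to the kernel trace pipe per call, and user space reads and parses it.
Added illustration in the BCC style, not BCC's own code."""
import re

# The eBPF program.  BCC compiles it with LLVM when BPF(text=...) is called.
BPF_PROGRAM = r"""
#include <uapi/linux/ptrace.h>

int trace_execve(struct pt_regs *ctx) {
    char comm[16];
    bpf_get_current_comm(&comm, sizeof(comm));
    // pid_tgid packs the thread-group id (the PID seen in user space) in the top 32 bits
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    bpf_trace_printk("execve pid=%d comm=%s\n", pid, comm);
    return 0;
}
"""

# trace_pipe lines look like the constructed sample below.  Older kernels print
# "0:" where newer ones print "bpf_trace_printk:" before the message.
#   "            bash-4321  [001] d... 1234.567890: bpf_trace_printk: execve pid=4321 comm=bash"
TRACE_LINE = re.compile(
    r"^\s*(?P<task>.+?)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+(?P<flags>\S+)\s+"
    r"(?P<ts>\d+\.\d+):\s+(?:\S+:\s+)?(?P<msg>.*)$"
)

def parse_trace_line(line):
    """Parse one trace_pipe line into a dict, or return None for lines that are
    not events (empty reads, or the "CPU:0 [LOST n EVENTS]" notice BCC also skips)."""
    if not line:
        return None
    if isinstance(line, bytes):           # BCC's trace_readline() returns bytes
        line = line.decode(errors="replace")
    if line.startswith("CPU:"):
        return None
    m = TRACE_LINE.match(line)
    if not m:
        return None
    return {"task": m["task"], "pid": int(m["pid"]), "cpu": int(m["cpu"]),
            "flags": m["flags"], "ts": float(m["ts"]), "msg": m["msg"]}

def main():
    from bcc import BPF   # imported here so the parser above is usable without bcc
    b = BPF(text=BPF_PROGRAM)
    # get_syscall_fnname maps "execve" to this kernel's symbol (e.g. __x64_sys_execve),
    # so the script is not tied to one architecture's syscall naming.
    b.attach_kprobe(event=b.get_syscall_fnname("execve"), fn_name="trace_execve")
    print("Tracing execve() ... Ctrl-C to stop")
    try:
        while True:
            fields = parse_trace_line(b.trace_readline())
            if fields:
                print(f"{fields['ts']:.6f} cpu{fields['cpu']} "
                      f"{fields['task']}[{fields['pid']}]: {fields['msg']}")
    except KeyboardInterrupt:
        pass

if __name__ == "__main__":
    main()
```

bpf_trace_printk and the shared trace pipe are fine for a first experiment but are global to the machine and slow; production tools pass events through a BPF map (a perf buffer or ring buffer) instead, which is what the BCC tools themselves do.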

User-space front ends

An eBPF program does little on its own; a user-space component loads it, reads results out of maps and presents them. That front end is often a small command-line tool with little to say to the user beyond the results, but it is the gateway for seeing which programs are currently loaded and what the tracing programs have found. The kernel tree’s own bpftool fills this role generically, listing loaded programs and maps and dumping their bytecode.

JIT compiler and bytecode inspection

BPF bytecode is the intermediate form: higher-level C is compiled down to it, and the kernel’s Just-In-Time compiler translates verified bytecode further down into native machine code for the running CPU (x86-64, arm64 and others); where the JIT is disabled, an in-kernel interpreter executes the bytecode instead. Being able to view the bytecode, and the JIT-compiled native code, from a separate window is an important tool when checking what was actually loaded into the kernel.

Figure: eBPF link with user space (Source: Seahorn)

So What’s The Final Word

In-kernel sandboxes might seem an odd fit at a time when containers and small cloud microservices are all the rage, but that should not leave eBPF in the lurch. It has a large online community and remains a favourite for running security programs and tracing applications. It also lowers the barrier to extending Linux: users write small programs that attach to a running kernel instead of working in the kernel source itself.

Whatever your actual use for eBPF on Linux, mastering it still calls for a closer look at its interfaces, the compilation and loading pipeline, and its documentation. Tune in again as we discuss more applications in future editions.

Happy Learning!

