Hi everyone! I've been hearing from friends who are infra/sec engineers about how eBPF is a big deal and a game changer. Since I barely understand the associated jargon and the value it provides, I was wondering if someone can explain in simple words how it is a game changer?
It's a scripting language for the kernel (well, a language VM). There's something like 2500 different tracepoints you can attach scripts to, in addition to all network I/O. The programs you load with eBPF are very unlikely to disrupt the system, because of the limitations of the eBPF verifier.

Other people are talking about observability stuff, but for comparison, we build features on it: https://fly.io/blog/bpf-xdp-packet-filters-and-udp/
eBPF gives access to kernel-level information that's normally hidden from userland tools.

For example, I once wanted to find out which processes were sending out DNS queries.

It sounds like a simple problem, but common tools like netstat or Wireshark can't tell you the process which sent out a DNS query, only the sending port.

The reason is that the sending port is a short-lived, randomly selected ephemeral port which the kernel opens, sends a quick chirp of data through, and closes within milliseconds. The sending process isn't traceable even using more complex tools like strace or auditd.

I used eBPF / bcc APIs to instrument a kernel-level function and data structures in UDP networking code and report the PID and port every time a DNS query is sent out.

It's like attaching a user-friendly debugger to large portions of the Linux kernel.
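The DNS-attribution trick the commenter describes, written here as an added bpftrace example rather than the commenter's own bcc code. It hooks the IPv4 kernel function udp_sendmsg(sk, msg, len) and reports the sending PID whenever the destination port is 53, reading the port from the sendto() address when one is supplied and from the socket itself otherwise. It assumes a Linux host with bpftrace and kernel headers (or BTF) and must run as root.

```bpftrace
#include <linux/socket.h>
#include <linux/in.h>
#include <net/sock.h>

BEGIN
{
    printf("%-8s %-16s %-15s %s\n", "PID", "COMM", "DEST", "SRC");
}

// udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) is the
// IPv4 UDP send path; arg0 and arg1 are its first two parameters.
kprobe:udp_sendmsg
{
    $sk  = (struct sock *)arg0;
    $msg = (struct msghdr *)arg1;
    $dport = (uint16)0;
    $daddr = (uint32)0;

    if ($msg->msg_name != 0) {
        // Unconnected socket (sendto/sendmsg): destination comes from the
        // sockaddr_in the caller passed in, port in network byte order.
        $sin   = (struct sockaddr_in *)$msg->msg_name;
        $dport = bswap($sin->sin_port);
        $daddr = $sin->sin_addr.s_addr;
    } else {
        // Connected socket (send/write): destination is stored on the sock.
        $dport = bswap($sk->__sk_common.skc_dport);
        $daddr = $sk->__sk_common.skc_daddr;
    }

    // Only report DNS traffic; the ephemeral source port the commenter
    // mentions is the socket's local port, read directly from the sock.
    if ($dport == 53) {
        printf("%-8d %-16s %-15s :%d\n", pid, comm, ntop($daddr),
               $sk->__sk_common.skc_num);
    }
}
```

IPv6 queries go through udpv6_sendmsg with a sockaddr_in6 and are not covered here; a second probe with the same shape handles them.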
Not sure if this is jargon-free enough, but maybe it helps: https://www.joyfulbikeshedding.com/blog/2019-01-31-full-system-dynamic-tracing-on-linux-using-ebpf-and-bpftrace.html