Английская Википедия:EBPF

Шаблон:Short description Шаблон:Lowercase title Шаблон:Infobox software

eBPF is a technology that can run programs in a privileged context such as the operating system kernel.^[1] It is the successor to the Berkeley Packet Filter (BPF) filtering mechanism in Linux, and is also used in other parts of the Linux kernel as well.

It is used to safely and efficiently extend the capabilities of the kernel at runtime without requiring changes to kernel source code or loading kernel modules.^[2] Safety is provided through an in-kernel verifier which performs static code analysis and rejects programs which crash, hang or otherwise interfere with the kernel negatively.^[3][4]

This validation model differs from sandboxed environments, where the execution environment is restricted and the runtime has no insight about the program.^[5] Examples of programs that are automatically rejected are programs without strong exit guarantees (i.e. for/while loops without exit conditions) and programs dereferencing pointers without safety checks.^[6]

Design

Loaded programs which passed the verifier are either interpreted or in-kernel just-in-time compiled (JIT compiled) for native execution performance. The execution model is event-driven and with few exceptions run-to-completion,^[7] meaning, programs can be attached to various hook points in the operating system kernel and are run upon triggering of an event. eBPF use cases include (but are not limited to) networking such as XDP, tracing and security subsystems.^[1] Given eBPF's efficiency and flexibility opened up new possibilities to solve production issues, Brendan Gregg famously dubbed eBPF "superpowers for Linux".^[8] Linus Torvalds said, "BPF has actually been really useful, and the real power of it is how it allows people to do specialized code that isn't enabled until asked for".^[9] Due to its success in Linux, the eBPF runtime has been ported to other operating systems such as Windows.^[10]

History

eBPF was built on top of the Berkeley Packet Filter (cBPF). At the lowest level, it introduced the use of ten 64-bit registers (instead of two 32-bit long registers for cBPF), different jump semantics, a call instruction and corresponding register passing convention, new instructions, and a different encoding for these instructions.^[11]

Most significant milestones in the evolution of eBPF

Date	Event
April 2011	The first in-kernel Linux just-in-time compiler (JIT compiler) for the classic Berkeley Packet Filter got merged.[12]
January 2012	The first non-networking use case of the classic Berkeley Packet Filter, seccomp-bpf,[13] appeared; it allows filtering of system calls using a configurable policy implemented through BPF instructions.
March 2014	David S. Miller, primary maintainer of the Linux networking stack, accepted the rework of the old in-kernel BPF interpreter. It was replaced by an eBPF interpreter and the Linux kernel internally translates classic BPF (cBPF) into eBPF instructions.[14]
March 2015	The ability to attach eBPF to kprobes as first tracing use case was merged.[16] In the same month, initial infrastructure work got accepted to attach eBPF to the networking traffic control (tc) layer allowing to attach eBPF to the core ingress and later also egress paths of the network stack, later heavily used by projects such as Cilium.[17][18][19]
August 2015	The eBPF compiler backend got merged into LLVM 3.7.0 release.[20]
September 2015	Brendan Gregg announced a collection of new eBPF-based tracing tools as the bcc project, providing a front-end for eBPF to make it easier to write programs.[21]
July 2016	eBPF got the ability to be attached into network driver's core receive path. This layer is known today as eXpress DataPath (XDP) and was added as a response to DPDK to create a fast data path which works in combination with the Linux kernel rather than bypassing it.[22][23][24]
August 2016	Cilium was initially announced during LinuxCon as a project providing fast IPv6 container networking with eBPF and XDP. Today, Cilium has been adopted by major cloud provider's Kubernetes offerings and is one of the most widely used CNIs.[25][19][26]
November 2016	Netronome added offload of eBPF programs for XDP and tc BPF layer to their NIC.[27]
May 2017	Meta's layer 4 load-balancer, Katran, went live. Every packet towards facebook.com since then has been processed by eBPF & XDP.[28]
November 2017	eBPF becomes its own kernel subsystem to ease the continuously growing kernel patch management. The first pull request by eBPF maintainers was submitted.[29]
September 2017	Bpftool was added to the Linux kernel as a user space utility to introspect the eBPF subsystem.[30]
January 2018	A new socket family called AF_XDP was published, allowing for high performance packet processing with zero-copy semantics at the XDP layer.[31] Today, DPDK has an official AF_XDP poll-mode driver support.[32]
February 2018	The bpfilter prototype has been published, allowing translation of a subset of iptables rulesets into eBPF via a newly developed user mode driver. The work has caused controversies due to the ongoing nftables development effort and has not been merged into mainline.[33][34]
October 2018	The new bpftrace tool has been announced by Brendan Gregg as DTrace 2.0 for Linux.[35]
November 2018	eBPF introspection has been added for kTLS in order to support the ability for in-kernel TLS policy enforcement.[36]
November 2018	BTF (BPF Type Format) has been added to the Linux kernel as an efficient meta data format which is approximately 100x smaller in size than DWARF.[37]
December 2019	The first 880-page long book on BPF, written by Brendan Gregg, was released.[38]
March 2020	Google upstreamed BPF LSM support into the Linux kernel, enabling programmable Linux Security Modules (LSMs) through eBPF.[39]
September 2020	The eBPF compiler backend for GNU Compiler Collection (GCC) was merged.[40]

Branding

The alias eBPF is often interchangeably used with BPF,^[7][41] for example by the Linux kernel community. eBPF and BPF is referred to as a technology name like LLVM.^[7] eBPF evolved from the Berkeley Packet Filter as an extended version, but its use case outgrew networking, and today eBPF as a pseudo-acronym is preferred.^[7]

The bee is the official logo for eBPF. At the first eBPF Summit there was a vote taken and the bee mascot was named "eBee".^[42][43] The logo has originally been created by Vadim Shchekoldin.^[43] Earlier unofficial eBPF mascots have existed in the past,^[44] but haven't seen widespread adoption.

Governance

The eBPF Foundation was created in August 2021 with the goal to expand the contributions being made to extend the powerful capabilities of eBPF and grow beyond Linux.^[45] Founding members include Meta, Google, Isovalent, Microsoft and Netflix. The purpose is to raise, budget and spend funds in support of various open source, open data and/or open standards projects relating to eBPF technologies^[46] to further drive the growth and adoption of the eBPF ecosystem. Since inception, Red Hat, Huawei, Crowdstrike, Tigera, DaoCloud, Datoms, FutureWei also joined.^[47]

Adoption

eBPF has been adopted by a number of large-scale production users, for example:

• Meta uses eBPF through their Katran layer 4 load-balancer for all traffic going to facebook.com^{[48][49][50][28]}
• Google uses eBPF in GKE, developed and uses BPF LSM to replace audit and it uses eBPF for networking^{[26][51][52][53]}
• Cloudflare uses eBPF for load-balancing and DDoS protection and security enforcement^{[54][55][56][57][58]}
• Netflix uses eBPF for fleet-wide network observability and performance diagnosis^[59][60]
• Dropbox uses eBPF through Katran for layer 4 load-balancing^[61]
• Android uses eBPF for NAT46 and traffic monitoring^[62][63][64]
• Samsung Galaxy uses eBPF for Networking solutions ^[65]
• Yahoo! Inc uses eBPF through Cilium for layer 4 load balancing^[66]
• LinkedIn uses eBPF for infrastructure observability^[67]
• Alibaba uses eBPF for Kubernetes Pod load-balancing^[68]
• Datadog uses eBPF for Kubernetes Pod networking and security enforcement^[69][70][71]
• Trip.com uses eBPF for Kubernetes Pod networking^[72][73]
• Shopify uses eBPF for intrusion detection through Falco^[74]
• DoorDash uses eBPF through BPFAgent for kernel level monitoring^[75]
• Microsoft ported eBPF and XDP to Windows^[76][77][78]
• Seznam uses eBPF through Cilium for layer 4 load-balancing^[79]
• DigitalOcean uses eBPF and XDP to rate limit access to internal services in their virtual network^[80]
• CapitalOne uses eBPF for Kubernetes Pod networking^[81]
• Bell Canada uses eBPF to moderize telco networking with SRv6^[82]
• Elastic_NV uses eBPF for code profiling as part of their observability offering ^[83]
• Apple uses eBPF for Kubernetes Pod security^[84]
• Sky uses eBPF for Kubernetes Pod networking^[85]
• Walmart uses eBPF for layer 4 load-balancing^[86][87]
• Huawei uses eBPF through their DIGLIM secure boot system^[88]
• Ikea uses eBPF for Kubernetes Pod networking^[89]
• The New York Times uses eBPF for networking^[90]
• Red Hat uses eBPF at scale for load balancing and tracing in their private cloud
• Palantir Technologies uses eBPF to debug networking problems in large scale Kubernetes clusters^[91]

Security

Due to the ease of programmability, eBPF has been used as a tool for implementing microarchitectural timing side-channel attacks such as Spectre against vulnerable microprocessors.^[92] While unprivileged eBPF implemented mitigations against transient execution attacks,^[93] unprivileged use has ultimately been disabled by the kernel community by default to protect from use against future hardware vulnerabilities.^[94]

See also

• Express Data Path

References

Шаблон:Reflist

Further reading

• Шаблон:Cite book
• Шаблон:Cite book
• Шаблон:Cite book
• Шаблон:Cite book
• Шаблон:Cite book

External links

• eBPF.io - Introduction, tutorials & eBPF community resources
• eBPF.foundation - Linux Foundation's eBPF Foundation site

Партнерские ресурсы
Криптовалюты	Обмен криптовалют - www.bestchange.ru Криптовалютная биржа CoinEx Криптовалютная биржа Binance HIVE OS - операционная система для майнинга e4pool - Мультивалютный пул для майнинга.
Магазины	AliExpress — глобальная виртуальная (в Интернете) торговая площадка, предоставляющая возможность покупать товары производителей из КНР; computeruniverse.net - Интернет-магазин компьютеров(Промо код 5 Евро на первую покупку:FWWC3ZKQ);
Хостинг	DigitalOcean - американский провайдер облачных инфраструктур, с главным офисом в Нью-Йорке и с центрами обработки данных по всему миру;
Разное	Викиум - Онлайн-тренажер для мозга Like Центр - Центр поддержки и развития предпринимательства. Gamersbay - лучший магазин по бустингу для World of Warcraft. Ноотропы OmniMind N°1 - Усиливает мозговую активность. Повышает мотивацию. Улучшает память. Санкт-Петербургская школа телевидения - это федеральная сеть образовательных центров, которая имеет филиалы в 37 городах России. Lingualeo.com — интерактивный онлайн-сервис для изучения и практики английского языка в увлекательной игровой форме. Junyschool (Джунискул) – международная школа программирования и дизайна для детей и подростков от 5 до 17 лет, где ученики осваивают компьютерную грамотность, развивают алгоритмическое и креативное мышление, изучают основы программирования и компьютерной графики, создают собственные проекты: игры, сайты, программы, приложения, анимации, 3D-модели, монтируют видео. Умназия - Интерактивные онлайн-курсы и тренажеры для развития мышления детей 6-13 лет SkillBox - это один из лидеров российского рынка онлайн-образования. Среди партнеров Skillbox ведущий разработчик сервисного дизайна AIC, медиа-компания Yoola, первое и самое крупное русскоязычное аналитическое агентство Tagline, онлайн-школа дизайна и иллюстрации Bang! Bang! Education, оператор PR-рынка PACO, студия рисования Draw&Go, агентство performance-маркетинга Ingate, scrum-студия Sibirix, имидж-лаборатория Персона. «Нетология» — это университет по подготовке и дополнительному обучению специалистов в области интернет-маркетинга, управления проектами и продуктами, дизайна, Data Science и разработки. В рамках Нетологии студенты получают ценные теоретические знания от лучших экспертов Рунета, выполняют практические задания на отработку полученных навыков, общаются с экспертами и единомышленниками. Познакомиться со всеми продуктами подробнее можно на сайте https://netology.ru, линейка курсов и профессий постоянно обновляется. StudyBay Brazil – это онлайн биржа для португалоговорящих студентов и авторов! Студент получает уникальную работу любого уровня сложности и больше свободного времени, в то время как у автора появляется дополнительный заработок и бесценный опыт. Автор24 — самая большая в России площадка по написанию учебных работ: контрольные и курсовые работы, дипломы, рефераты, решение задач, отчеты по практике, а так же любой другой вид работы. Сервис сотрудничает с более 70 000 авторов. Более 1 000 000 работ уже выполнено. StudyBay – это онлайн биржа для англоязычных студентов и авторов! Студент получает уникальную работу любого уровня сложности и больше свободного времени, в то время как у автора появляется дополнительный заработок и бесценный опыт.