The art of writing eBPF programs

_1yvc · on Feb 28, 2019

I logged in just to say this: I love the sysdig engineering blog. Please don't stop writing blogposts. sysdig and clouflare are becoming my favorite engineering blogs.

deanmoriarty · on Feb 28, 2019

I agree. One of my all time favorites was https://sysdig.com/blog/container-isolation-gone-wrong/, it kept me hooked til the last line, like a thriller ^_^

tzhenghao · on Feb 28, 2019

There's also this 2017 LWN article on eBPF [1] which I find very interesting.

[1] - https://lwn.net/Articles/740157/

mjcohen · on Feb 28, 2019

Took me a while to find that eBPF was extended/enhanced Berkeley Packet Filter. Wikipedia was no help.

aargh_aargh · on Feb 28, 2019

While that's the original meaning of the acronym, it was generalized into a virtual machine, so it has come far from being able to just filter packets.

More details under "BPF kernel internals" here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/lin...

blunte · on Feb 28, 2019

Just one place early on this page using the full words instead of the acronym would have done the job. Such a small change would make such an immense difference for outsiders.

deanmoriarty · on Feb 27, 2019

This is very interesting. I dabbled with eBPF before using the more traditional bcc tools and the canned scripts, but this deep dive really gives a good perspective on the implementation underneath.

I wonder how long before we will see more critical parts of the kernel machinery being implemented completely in eBPF (like XDP currently). Fascinating technology!