Exploring the Capabilities of eBPF

On this week’s episode of Dev Interrupted, we talk to Liz Rice, Chief Open Source Officer at Isovalent and author of the book Learning eBPF: Programming the Linux Kernel for Enhanced Observability, Networking, and Security.

Liz is an expert on open source, containers, and cloud-native technologies, and joins us to discuss her book, what she describes as some of the eBPF "superpowers" people are talking about, and some of the fascinating projects surrounding eBPF like Project Kepler.

Liz also gives advice to engineers looking to try their hand at writing a book.

Episode Highlights:

• (1:38) Liz's background
• (6:20) What is eBPF?
• (12:30) Advice for engineers who want to write a book
• (15:35) What is Cilium?
• (18:09) Security and visibility
• (27:27) Project Kepler
• (31:50) The future of cloud-native

Episode Excerpt:

Dan Lines: Let's actually define eBPF. Like, what is it? What does that mean? What does it stand for?

Liz Rice: Yeah, we have to because it's a set of letters, we have to say what it stands for, and it stands for extended Berkeley Packet Filter. But now you can erase those words from your mind because, although it has its roots in packet filtering, it is capable of so much more than the acronym is pretty much meaningless now.

So, we just think of it as a term, eBPF, and what it allows us to do is run custom programs inside the kernel. It is also possible these days to run eBPF in Windows as well. So it's becoming adopted by other operating systems, but the sort of history of it and it's certainly, most, most widely adopted in Linux.

And that's where I'm most familiar as well. It allows us to write custom programs, load them dynamically into the kernel, attach them to any event on the system, and then our program could be collecting information about the event. So we might use it for observability. We can even influence the way the kernel behaves.

So we can use it to do things like modify network packets or redirect network packets to build networking functionality, or potentially make policy decisions for security reasons. Whether that's dropping network packets or permitting or denying certain activities to happen from a security perspective, having the ability to modify how the kernel behaves and modify it dynamically gives us superpowers.

And that's why I am really excited about it.

Dan Lines: Yeah, no, that sounds amazing. In terms of the type of person that would be interested in this or who you would recommend to catch up on your book? What types of developers or like any person, like who, who is the audience really here?

Liz Rice: So the slightly ironic thing is I don't really think very many people will need to write their own eBPF code. So I've written a book that I think nobody needs to read, but a lot of the time, you do things not because you need to but because you're interested and you want to, and I'm the sort of person who doesn't learn very well from pictures and diagrams. I need to feel the thing working. I need to try it out for myself, and I need to see the code. And that's what I've tried to do in the book. So, explain for people who are interested in what is this eBPF thing that people are talking about and how it achieves all these amazing superpowers that people are talking about.

In the book, I'm trying to show you and build that up. And I think the best way to explain it is through code. So if you do, then subsequently want to go and write eBPF code; hopefully, it's a good starting point to do that. But I think for most of us it will be okay. This gives me a feel for how the concepts work.

It gives me a mental model I can understand. How other tools are built on eBPF, how they're working, and hopefully, get some interest from that.

Read the full transcript here.