The eBPF Runtime in the Linux Kernel

Bolaji Gbadamosi, Luigi Leonardi, Tobias Pulls, Toke Høiland-Jørgensen, Simone Ferlin-Reiter, Simo Sorce, Anna Brunström

TL;DR

This paper presents the first comprehensive description of the design and implementation of the eBPF runtime in the Linux kernel, and argues that eBPF today provides a mature and safe programming environment for the kernel.

Abstract

Extended Berkeley Packet Filter (eBPF) is a runtime that enables users to load programs into the operating system (OS) kernel, like Linux or Windows, and execute them safely and efficiently at designated kernel hooks. Each program passes through a verifier that reasons about the safety guarantees for execution. Hosting a safe virtual machine runtime within the kernel makes it dynamically programmable. Unlike the popular approach of bypassing or completely replacing the kernel, eBPF gives users the flexibility to modify the kernel on the fly, rapidly experiment and iterate, and deploy solutions to achieve their workload-specific needs, while working in concert with the kernel. In this paper, we present the first comprehensive description of the design and implementation of the eBPF runtime in the Linux kernel. We argue that eBPF today provides a mature and safe programming environment for the kernel. It has seen wide adoption since its inception and is increasingly being used not just to extend, but program entire components of the kernel, while preserving its runtime integrity. We outline the compelling advantages it offers for real-world production usage, and illustrate current use cases. Finally, we identify its key challenges, and discuss possible future directions.

Paper Structure (72 sections, 6 figures, 1 table)

This paper contains 72 sections, 6 figures, 1 table.

Figures (6)

  • Figure 1: An overview of the eBPF key components and their correlation, based on [eBPFio_png].
  • Figure 2: This diagram depicts the lifecycle of eBPF objects within the kernel, with the in-kernel representation, interaction with file descriptors, and the role of pinning in the bpffs file system [CiliumPinning].
  • Figure 3: Workflow diagram of an eBPF program, based on [CiliumPinning, eBPF_workflow].
  • Figure 4: The four major passes of the eBPF verification process
  • Figure 5: Overview of the process that shows eBPF instructions translation into native machine code
  • ...and 1 more figure