Development and challenges of eBPF technology

1. Why eBPF changed Linux

The figure above shows the traditional operating system model, which has lasted for 50 years. It has four layers, from top to bottom: application, system call, kernel and hardware.

With eBPF, the operating system model has evolved into the architecture shown above.

The content of the traditional operating system still exists, but the upper two layers are divided into two parts. On the right are the kernel-mode applications, and the system call layer becomes a set of eBPF system calls. The eBPF program builds a bridge between user mode and kernel mode: programs are written in user mode and injected into the kernel after being verified by the verifier. Much of this work is done through BPF helper calls, which also makes us focus on Linux kernel functions.

A traditional operating system process has three basic states: waiting, sleeping and ready. When a process is in the ready state, the scheduler can schedule it onto the CPU for execution, which is called On-CPU; processes that are not on the CPU are called Off-CPU.

Traditional operating system scheduling is therefore state-based: only a process in the ready state can be on the CPU.

With eBPF, the state model has become event-driven. That is, the BPF program is not executed until the event occurs; if the event does not occur, then even if the process is running, it is still Off-CPU. This model is also known as modern Linux.

Modern Linux is event-based for applications, while the scheduler, interrupts and other core components are in the kernel. Some application schedulers may even be moved outside the kernel, so the structure of the operating system has changed substantially.

eBPF has turned modern Linux into a microkernel architecture, which has had a great impact on Linux. The Linux kernel has become very small, and the bootstrap, file system and scheduler all exist outside the kernel in the form of eBPF, which also leaves us more room for imagination.

2. eBPF-related projects

Netflix's bcc and bpftrace are well-known eBPF projects and also form the infrastructure of eBPF. On top of that infrastructure there is Cilium for cloud computing, which supports microservices and is committed to becoming the OS of microservices. Other eBPF projects include Facebook's L4 load balancing, open source DDoS projects in security, and so on.

The first China eBPF conference will be held soon. We have collected about 20 projects, covering many aspects such as tracing, memory overflow, lightweight development framework, network, etc.

The above figure shows the relevant content of the Linux kernel tour live broadcast, which is also a good way to understand eBPF in depth.

There have been a large number of open source projects in eBPF. The live content and project content include framework, observability, network, cloud computing and security.

3. eBPF Opportunities and Challenges

At present, eBPF is facing many opportunities, such as kernel programmability, continuous improvement of eBPF usability, and linking to various industries.

With eBPF, you can write scheduling algorithms as eBPF programs in user mode, including your own scheduling algorithms for applications.

In the traditional scenario, once the user hands a program over to the operating system, the user has no control; control is handed entirely to the operating system. Writing the scheduling algorithm as an eBPF program in user mode leaves very large room for imagination in the development, customization and personalization of future operating systems.

Combining eBPF with WASM technology and using WebAssembly makes it easier and lighter to write, distribute, load and run eBPF programs.

As infrastructure, the operating system can run programs on top of it, but it cannot itself be modified. If eBPF is used as a linker, it can connect the operating system with various industry fields such as cloud computing, security, the Internet of Things and networking. As its applications become more and more extensive, the possibilities of linking with various fields will gradually emerge.

However, eBPF also inevitably faces some challenges, such as kernel security, eBPF program management and integration.

For example, malicious use of bpftrace may cause security attacks, malware, detection engineering and other problems. eBPF has root privileges, so despite the strong security checks of the verifier, it is still unable to avoid the existence of vulnerabilities.
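One way to keep watch over this risk is to inventory the eBPF programs loaded on a host and flag tracing-type programs that did not come from an expected loader. The following is an added example, not code from the original article; the sample data is constructed in the shape of `bpftool prog show --json` output, and the allowlist entry `node_agent` is a hypothetical process name.

```python
import json

# Constructed sample shaped like `bpftool prog show --json` output
# (fields: id, type, name, uid, pids). Not captured from a real host.
SAMPLE = """
[
 {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "uid": 0,
  "pids": [{"pid": 1, "comm": "systemd"}]},
 {"id": 41, "type": "kprobe", "name": "do_sys_open", "uid": 0,
  "pids": [{"pid": 2210, "comm": "bpftrace"}]},
 {"id": 42, "type": "tracepoint", "name": "sys_enter_read", "uid": 0,
  "pids": [{"pid": 880, "comm": "node_agent"}]},
 {"id": 57, "type": "kprobe", "name": "tcp_connect", "uid": 0}
]
"""

# Program types that can observe kernel or process activity.
TRACING_TYPES = {"kprobe", "tracepoint", "raw_tracepoint",
                 "tracing", "perf_event", "lsm"}
# Assumption: processes this site expects to load tracing programs.
ALLOWED_LOADERS = {"node_agent"}


def audit(programs, allowed=ALLOWED_LOADERS):
    """Return (id, type, name, reason) for each tracing program to review."""
    findings = []
    for prog in programs:
        if prog.get("type") not in TRACING_TYPES:
            continue
        # "pids" lists the processes holding the program; it may be absent.
        holders = {p["comm"] for p in prog.get("pids", [])}
        unexpected = holders - allowed
        if not holders:
            reason = "no holding process reported"
        elif unexpected:
            reason = "loaded by " + ", ".join(sorted(unexpected))
        else:
            continue
        findings.append((prog["id"], prog["type"], prog.get("name", ""), reason))
    return findings


if __name__ == "__main__":
    for prog_id, ptype, name, reason in audit(json.loads(SAMPLE)):
        print(f"prog {prog_id} [{ptype}] {name}: {reason}")
```

On a live host the same function can be fed the parsed output of `bpftool prog show --json`, run as root.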

Walmart is currently studying a project on the whole life cycle management of eBPF. Its core is "Kernel Functions as a Service". It is expected that this project can output the most valuable features of the kernel.

We hope that we can really link BPF technology, kernel technology and various fields, benefit from technology and gain a sense of achievement from the project.
