Linux > eBPF

A set of live-coding talks and the accompanying code examples, introducing eBPF programming using a variety of libraries and program types.

by Toke Høiland-Jørgensen, Jesper Dangaard Brouer, Daniel Borkmann, John Fastabend, Tom Herbert, David Ahern and David Miller, all being essential eBPF and XDP contributors.

A description of the work done with BTF to provide debugging information for BPF programs.

An eBPF CPU written for FPGAs.

Computational Storage simulation (QEMU) platform with FUSE LFS filesystem for Zoned Namespaces NVMe SSDs using uBPF for compute kernel offloading, all in userspace.

project (GitHub repository) is a technology relying on eBPF and XDP to provide "fast in-kernel networking and security policy enforcement for containers based on eBPF programs generated on the fly". Many presentations available (with overlap):

Extreme Performance Tuning guide - Mark II.

Calico is an open source networking and network security solution for containers, virtual machines, and native host-based workloads. Calico's eBPF data plane delivers a low latency, high throughput data plane with a rich network security policy model.

Use eBPF to speed up your Service Mesh. Merbridge replaces iptables rules with eBPF to intercept traffic. It also combines msg_redirect to reduce latency with a shortened datapath between sidecars and services.

An open source C++ library for capturing, parsing and crafting network packets. It features a C++ interface for creating AF_XDP sockets, making it easy to send and receive packets through them.

A high performance and lightweight captive portal solution for wireless networks. It leverages eBPF for traffic control and deep packet inspection capabilities, with plans to gradually replace nftables firewall functionality with eBPF-based solutions.

A proof-of-concept IPX implementation for Linux using eBPF.

Observability for Kubernetes using eBPF. Features include protocol tracing, application profiling, and support for distributed bpftrace deployments.

Apache SkyWalking is an open-source Application Performance Monitoring (APM) platform specially designed for distributed systems with microservices, cloud-native and container-based (Kubernetes) architectures. SkyWalking Rover is an eBPF-based profiler and metrics collector for C, C++, Golang, and Rust applications.

eBPF based always-on continuous profiler for analysis of CPU and memory usage, down to the line number and throughout time.

Sampling profiler and tracer for Ruby.

Sub-millisecond system monitoring using eBPF tracepoints on schedswitch, schedprocessexit, and schedprocess_free, with zero heap allocations in steady state.

Network, service and security observability for Kubernetes using eBPF.

eBPF-based GPU causal observability agent. Traces CUDA Runtime and Driver APIs via uprobes and host kernel events via tracepoints to build causal chains explaining GPU latency, with <2% overhead.

Instant Kubernetes service dependency map generated by eBPF, right to a Grafana instance.

Instant observability for cloud-native and AI applications based on eBPF.

Coroot is an open-source APM and observability tool, a DataDog and NewRelic alternative.

Kyanos is an eBPF-based network issue analysis tool that enables you to capture network requests, such as HTTP, Redis, and MySQL requests.

eTraceGen is a Linux telemetry engine built with eBPF and Modern C++ that captures kernel-level events for processes, files, system calls, and network with a modular pipeline for decoding, enrichment, filtering, and JSON output.

A security monitoring tool. It depends on SysinternalsEBPF.

A runtime security and forensics tool for Linux which uses eBPF technology to trace the system and applications at runtime, and analyze collected events to detect suspicious behavioral patterns.

A set of BPF programs that gather security relevant event data from the Linux kernel. The BPF programs are combined into a single ELF file from which individual probes can be selectively loaded, depending on the running operating system and kernel version.

An eBPF driven security tool for locking and auditing Linux machines.

Kubernetes-aware, eBPF-based security observability and runtime enforcement.

Trace syscalls from user-space functions, by using eBPF.

Extended detection and response (XDR) with eBPF-powered firewall and proxy, to protect your Linux servers.

BpfJailer is an eBPF-based process jailing system that provides mandatory access control (MAC) for Linux.

An eBPF-based security agent written entirely in Rust using the Aya library and built on LSM (Linux Security Module) BPF hooks.

Open source agent that implements a stateful Sigma rules engine focused on monitoring and prevention using eBPF LSM.

sched_ext schedulers and tools.

Gthulhu optimizes cloud-native workloads using the Linux Scheduler Extension for different application scenarios.

A disassembler for both BPF flavors and could be highly useful for JIT debugging.

Written in C. Contains an interpreter, a JIT compiler for x86_64 architecture, an assembler and a disassembler.

With support for FreeBSD kernel, FreeBSD user space, Linux kernel, Linux user space and macOS user space. Used for the VALE software switch's BPF extension module.

Written in Rust. Interpreter for Linux, macOS and Windows, and JIT-compiler for x86_64 under Linux.

A user space verifier for eBPF using an abstract interpretation layer, with support for loops.

A tracing profiler that aims to make eBPF uprobe-based debugging easier to use. This is done by displaying traces in a UI next to the source code and allowing interactive drilldown analysis.

This project is a work-in-progress that allows using existing eBPF toolchains and APIs familiar in the Linux ecosystem to be used on top of Windows.