Ayesha Kaleem

Gentle Introduction to eBPF

What if you could safely program the Linux kernel without changing its code? Discover how eBPF makes it possible for observability, security, and networking.

#1 about 1 minute

The challenge of extending the Linux kernel

Adding new features to the Linux kernel is a slow and complex process, creating a bottleneck for developers who need new observability or security capabilities.

#2 about 1 minute

Introducing eBPF as a kernel programmability solution

eBPF allows running custom programs in a sandboxed virtual machine inside the kernel, enabling new features without changing kernel source code.

#3 about 1 minute

How eBPF programs are event-driven and written

eBPF programs are triggered by kernel events called hooks, and they are typically written in C or Python using libraries like BCC and compiled with LLVM.

#4 about 1 minute

A practical "Hello World" eBPF code example

A simple program demonstrates how to write an eBPF function in C and use a Python script to load it and attach it to the execve system call.

#5 about 1 minute

The eBPF runtime, verifier, and JIT compiler

Before execution, eBPF bytecode is validated by a verifier for safety and then compiled by a Just-In-Time (JIT) compiler into native machine code for performance.

#6 about 1 minute

Using eBPF maps to share data efficiently

eBPF maps are key-value data structures that enable efficient data sharing between eBPF programs in the kernel and applications in user space.
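
The "Hello World" pattern and the map sharing described above, combined in one added example that is not the code shown in the talk: a C function attached to the execve system call counts calls per UID in a map, and a Python loader using BCC reads that map from user space. The names `exec_count`, `trace_execve`, `read_map` and `top_uids` are chosen for this illustration; attaching needs root and the BCC Python bindings.

```python
#!/usr/bin/env python3
# Added example: count execve() calls per UID with an eBPF map (BCC).
# Attaching to the kernel needs root and the BCC Python bindings.

BPF_SOURCE = r"""
BPF_HASH(exec_count, u32, u64);          // map: uid -> number of execve calls

int trace_execve(void *ctx) {
    u32 uid = bpf_get_current_uid_gid() & 0xFFFFFFFF;  // low 32 bits hold the uid
    exec_count.increment(uid);           // kernel side writes the map
    return 0;
}
"""

def read_map(table):
    """Copy a BCC table into a plain {uid: count} dict (user side reads the map)."""
    return {k.value: v.value for k, v in table.items()}

def top_uids(counts, limit=5):
    """Rank {uid: count} by count, highest first; ties are ordered by uid."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]

def main(interval=5):
    from time import sleep
    from bcc import BPF                  # imported here so the helpers work without BCC
    b = BPF(text=BPF_SOURCE)             # LLVM compile, then verifier, then load
    # The hook: run trace_execve every time the execve syscall is entered.
    b.attach_kprobe(event=b.get_syscall_fnname("execve"), fn_name="trace_execve")
    print("Counting execve() per UID, Ctrl-C to stop")
    try:
        while True:
            sleep(interval)
            for uid, n in top_uids(read_map(b["exec_count"])):
                print(f"uid={uid:<6} execve={n}")
    except KeyboardInterrupt:
        pass

if __name__ == "__main__":
    main()
```

A UID that suddenly starts many processes, such as a service account that normally starts none, stands out in this output without any change to the kernel or to the monitored programs.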

#7 about 2 minutes

Popular projects and companies using eBPF

Major open-source projects like Cilium, Falco, and Pixie leverage eBPF for networking and observability, and it is widely adopted by large tech companies.
