Awesome BPF Resources
Awesome BPF resources that I’ve ever read (and would like to read many times).
1 Introduction & Overview
Elena Zannoni, New (and Exciting!) Developments in Linux Tracing, LinuxCon, 2015
Matt Fleming, A thorough introduction to eBPF, lwn.net, 2017
This article explains how eBPF evolved, how it works, and how it is used in the kernel.
Cilium Blog, Why is the kernel community replacing iptables with BPF? — Cilium, cilium.io, 2018
张亦鸣, eBPF 简史 (A Brief History of eBPF), IBM Developer, 2017
2 Design & Implementation Details
Jonathan Corbet, A JIT for packet filters, lwn.net, 2011
A retrospective on classic BPF (since the 1990s) in the Linux kernel, and the first eBPF patch for modern kernels.
Classic BPF is implemented in net/core/filter.c in the Linux kernel tree, in only thousands of lines of code.
Jonathan Corbet, BPF tracing filters, lwn.net, 2013
BPF progress for packet filtering. Another interesting topic in this article is the licensing scope of future BPF code.
Jonathan Corbet, BPF: the universal in-kernel virtual machine, lwn.net, 2014
Road from a JIT compiler to the universal in-kernel virtual machine.
PLUMgrid, BPF – in-kernel virtual machine, LinuxCon, 2015
Lots of design and implementation details, and byte code examples.
Linux Programmer’s Manual, bpf(2) system call, man7.org, 2019+
Introduction to eBPF design/architecture and data structures, and official definitions of BPF terminology, e.g. BPF maps. Also includes code and examples.
Linux source tree, BPF Source Code, 2019+
Matt Fleming, An introduction to the BPF Compiler Collection, lwn.net, 2017
One of eBPF’s biggest challenges for newcomers is that writing programs requires compiling and linking to the eBPF library from the kernel source. Kernel developers might always have a copy of the kernel source within reach, but that’s not so for engineers working on production or customer machines. Addressing this limitation is one of the reasons that the BPF Compiler Collection was created.
4 Use Cases
Tracking & Monitoring
eBPF programs can access kernel data structures, so developers can write and test new debugging code without recompiling the kernel.
Container Network Security (Cilium)
Thomas Graf, How to Make Linux Microservice-Aware with Cilium and eBPF, InfoQ, 2019
Chinese translation: 如何基于 Cilium 和 eBPF 打造可感知微服务的 Linux.
Fast Datapath (XDP)
Facebook, Open-sourcing Katran, a scalable network load balancer, fb.com, 2019+
Facebook’s L4 LB, based on XDP and eBPF. Some talks mentioned that this is 10x faster than their first-generation LVS-based L4 LB.
Security Computation (seccomp)
5 Similar Reading Lists
It was only after I started this list that I found this similar-purpose post. It’s great; however, I think it’s more than extensive for me, e.g. including resources of many unstable, experimental, or even toy projects. Pick up your own pieces from it.