# What Is eBPF?

URL:: https://ebpf.io/what-is-ebpf
Author:: ebpf.io
## Highlights
> eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules. ([View Highlight](https://read.readwise.io/read/01fp7maznmnt7p26vt3vrrprrn))
> eBPF changes this formula fundamentally. By allowing to run sandboxed programs within the operating system, application developers can run eBPF programs to add additional capabilities to the operating system at runtime. The operating system then guarantees safety and execution efficiency as if natively compiled with the aid of a Just-In-Time (JIT) compiler and verification engine. This has led to a wave of eBPF-based projects covering a wide array of use cases, including next-generation networking, observability, and security functionality. ([View Highlight](https://read.readwise.io/read/01fp7mchxjf5k55bqmnhcr7nnv))
> Today, eBPF is used extensively to drive a wide variety of use cases: Providing high-performance networking and load-balancing in modern data centers and cloud native environments, extracting fine-grained security observability data at low overhead, helping application developers trace applications, providing insights for performance troubleshooting, preventive application and container runtime security enforcement, and much more. The possibilities are endless, and the innovation that eBPF is unlocking has only just begun. ([View Highlight](https://read.readwise.io/read/01fp7mcmebk85ah7xcen3ngf3s))
> eBPF programs are event-driven and are run when the kernel or an application passes a certain hook point. Pre-defined hooks include system calls, function entry/exit, kernel tracepoints, network events, and several others. ([View Highlight](https://read.readwise.io/read/01fp7md7j59tfyfwykvk30efrg))
> In a lot of scenarios, eBPF is not used directly but indirectly via projects like [Cilium](https://ebpf.io/projects/), [bcc](https://ebpf.io/projects/), or [bpftrace](https://ebpf.io/projects/) which provide an abstraction on top of eBPF and do not require to write programs directly but instead offer the ability to specify intent-based definitions which are then implemented with eBPF. ([View Highlight](https://read.readwise.io/read/01fp7meg7vpgejp0pr8a75tprr))
> Let’s start with an analogy. Do you remember GeoCities? 20 years ago, web pages used to be almost exclusively written in static markup language (HTML). A web page was basically a document with an application (browser) able to display it. Looking at web pages today, web pages have become full-blown applications and web-based technology has replaced a vast majority of applications written in languages requiring compilation. What enabled this evolution? ([View Highlight](https://read.readwise.io/read/01fpa3kaftbamvvt6sj2x2dzgw))
> The short-answer is programmability with the introduction of JavaScript. It unlocked a massive revolution resulting in browsers to evolve into almost independent operating systems. ([View Highlight](https://read.readwise.io/read/01fpa3kdcwx9akprzzq5rnxdwq))
> Instead of convincing standards bodies that a new HTML tag was needed, the availability of the necessary building blocks decoupled the pace of innovation of the underlying browser from the application running on top. ([View Highlight](https://read.readwise.io/read/01fpa3mrnfcd1ksvc8bnvpqak1))
> let's look at a couple of key aspects that were vital in the introduction of JavaScript:
> • **Safety:** Untrusted code runs in the browser of the user. This was solved by sandboxing JavaScript programs and abstracting access to browser data.
> • **Continuous Delivery:** Evolution of program logic must be possible without requiring to constantly ship new browser versions. This was solved by providing the right low-level building blocks sufficient to build arbitrary logic.
> • **Performance:** Programmability must be provided with minimal overhead. This was solved with the introduction of a Just-in-Time (JIT) compiler. ([View Highlight](https://read.readwise.io/read/01fpa3n1cgqy6kvjt8991k4zbe))
> The main purpose of the Linux kernel is to abstract the hardware or virtual hardware and provide a consistent API (system calls) allowing for applications to run and share the resources. ([View Highlight](https://read.readwise.io/read/01fpa3pa0wsmfmhrp1dkst4kpy))
> • Change kernel source code and convince the Linux kernel community that the change is required.
> • Wait several years for the new kernel version to become a commodity.
> • Write a kernel module
> • Fix it up regularly, as every kernel release may break it
> • Risk corrupting your Linux kernel due to lack of security boundaries ([View Highlight](https://read.readwise.io/read/01fpa3qxdte3mmd8t4rd9g0v97))
> With eBPF, a new option is available that allows for reprogramming the behavior of the Linux kernel without requiring changes to kernel source code or loading a kernel module. In many ways, this is very similar to how JavaScript and other scripting languages unlocked the evolution of systems which had become difficult or expensive to change. ([View Highlight](https://read.readwise.io/read/01fpa3r5ykw3ej6c5xzd1pe4js))
> Development Toolchains
> Several development toolchains exist to assist in the development and management of eBPF programs. All of them address different needs of users: ([View Highlight](https://read.readwise.io/read/01fpa3tc15z2qhmy4bqrexb6he))
> BCC is a framework that enables users to write Python programs with eBPF programs embedded inside them. The framework is primarily targeted for use cases which involve application and system profiling/tracing where an eBPF program is used to collect statistics or generate events and a counterpart in user space collects the data and displays it in a human readable form. Running the Python program will generate the eBPF bytecode and load it into the kernel. ([View Highlight](https://read.readwise.io/read/01fpa3rt7shv8fhxs8hqp23dyz))
> bpftrace is a high-level tracing language for Linux eBPF and available in recent Linux kernels (4.x). bpftrace uses LLVM as a backend to compile scripts to eBPF bytecode and makes use of BCC for interacting with the Linux eBPF subsystem as well as existing Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level dynamic tracing (uprobes), and tracepoints. The bpftrace language is inspired by awk, C and predecessor tracers such as DTrace and SystemTap. ([View Highlight](https://read.readwise.io/read/01fpa3t2zn4gj9d4ap1k2ces5y))
> The eBPF Go library provides a generic eBPF library that decouples the process of getting to the eBPF bytecode and the loading and management of eBPF programs. eBPF programs are typically created by writing a higher level language and then use the clang/LLVM compiler to compile to eBPF bytecode. ([View Highlight](https://read.readwise.io/read/01fpa3tfegt78k8maj5630nbe7))
> The libbpf library is a C/C++-based generic eBPF library which helps to decouple the loading of eBPF object files generated from the clang/LLVM compiler into the kernel and generally abstracts interaction with the BPF system call by providing easy to use library APIs for applications. ([View Highlight](https://read.readwise.io/read/01fpa3v9cs981rv0xpf11kp6tr))
> Further Reading
> If you would like to learn more about eBPF, continue reading using the following additional materials:
> Documentation
> • [BPF & XDP Reference Guide](https://cilium.readthedocs.io/en/stable/bpf/)
> Cilium Documentation, Aug 2020
> • [BPF Documentation](https://www.kernel.org/doc/html/latest/bpf/index.html)
> BPF Documentation in the Linux Kernel
> • [BPF Design Q&A](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/bpf/bpf_design_QA.rst)
> FAQ for kernel-related eBPF questions
> Tutorials
> • [Learn eBPF Tracing: Tutorial and Examples](http://www.brendangregg.com/blog/2019-01-01/learn-ebpf-tracing.html)
> Brendan Gregg's Blog, Jan 2019
> • [XDP Hands-On Tutorials](https://github.com/xdp-project/xdp-tutorial)
> Various authors, 2019
> • [BCC, libbpf and BPF CO-RE Tutorials](https://facebookmicrosites.github.io/bpf/blog/)
> Facebook's BPF Blog, 2020
> Talks
> Generic
> • [eBPF and Kubernetes: Little Helper Minions for Scaling Microservices](https://www.youtube.com/watch?v=99jUcLt3rSk) ([Slides](https://kccnceu20.sched.com/event/ZemQ/ebpf-and-kubernetes-little-helper-minions-for-scaling-microservices-daniel-borkmann-cilium))
> Daniel Borkmann, KubeCon EU, Aug 2020
> • [eBPF - Rethinking the Linux Kernel](https://www.infoq.com/presentations/facebook-google-bpf-linux-kernel/) ([Slides](https://docs.google.com/presentation/d/1AcB4x7JCWET0ysDr0gsX-EIdQSTyBtmi6OAW7bE0jm0))
> Thomas Graf, QCon London, April 2020
> • [BPF as a revolutionary technology for the container landscape](https://www.youtube.com/watch?v=U3PdyHlrG1o&t=7) ([Slides](https://fosdem.org/2020/schedule/event/containers_bpf/attachments/slides/4122/export/events/attachments/containers_bpf/slides/4122/BPF_as_a_revolutionary_technology_for_the_container_landscape.pdf))
> Daniel Borkmann, FOSDEM, Feb 2020
> • [BPF at Facebook](https://www.youtube.com/watch?v=ZYBXZFKPS28)
> Alexei Starovoitov, Performance Summit, Dec 2019
> • [The ubiquity but also the necessity of eBPF as a technology](https://www.youtube.com/watch?v=mFxs3VXABPU)
> David S. Miller, Kernel Recipes, Oct 2019
> Deep Dives
> • [BPF and Spectre: Mitigating transient execution attacks](https://www.youtube.com/watch?v=6N30Yp5f9c4) ([Slides](https://ebpf.io/summit-2021-slides/eBPF_Summit_2021-Keynote-Daniel_Borkmann-BPF_and_Spectre.pdf))
> Daniel Borkmann, eBPF Summit, Aug 2021
> Cilium
> • [Advanced BPF Kernel Features for the Container Age](https://www.youtube.com/watch?v=PJY-rN1EsVw) ([Slides](https://fosdem.org/2021/schedule/event/containers_ebpf_kernel/attachments/slides/4358/export/events/attachments/containers_ebpf_kernel/slides/4358/Advanced_BPF_Kernel_Features_for_the_Container_Age_FOSDEM.pdf))
> Daniel Borkmann, FOSDEM, Feb 2021
> • [Kubernetes Service Load-Balancing at Scale with BPF & XDP](https://www.youtube.com/watch?v=UkvxPyIJAko&t=21s) ([Slides](https://linuxplumbersconf.org/event/7/contributions/674/attachments/568/1002/plumbers_2020_cilium_load_balancer.pdf))
> Daniel Borkmann & Martynas Pumputis, Linux Plumbers, Aug 2020
> • [Liberating Kubernetes from kube-proxy and iptables](https://www.youtube.com/watch?v=bIRwSIwNHC0) ([Slides](https://docs.google.com/presentation/d/1cZJ-pcwB9WG88wzhDm2jxQY4Sh8adYg0-N3qWQ8593I/edit#slide=id.g7055f48ba8_0_0))
> Martynas Pumputis, KubeCon US 2019
> • [Understanding and Troubleshooting the eBPF Datapath in Cilium](https://www.youtube.com/watch?v=Kmm8Hl57WDU) ([Slides](https://static.sched.com/hosted_files/kccncna19/20/eBPF%20and%20the%20Cilium%20Datapath.pdf))
> Nathan Sweet, KubeCon US 2019
> • [Transparent Chaos Testing with Envoy, Cilium and BPF](https://www.youtube.com/watch?v=gPvl2NDIWzY) ([Slides](https://static.sched.com/hosted_files/kccnceu19/54/Chaos%20Testing%20with%20Envoy%2C%20Cilium%20and%20eBPF.pdf))
> Thomas Graf, KubeCon EU 2019
> • [Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security](https://www.youtube.com/watch?v=QmmId1QEE5k) ([Slides](https://www.slideshare.net/ThomasGraf5/cilium-bringing-the-bpf-revolution-to-kubernetes-networking-and-security))
> Thomas Graf, All Systems Go!, Berlin, Sep 2018
> • [How to Make Linux Microservice-Aware with eBPF](https://www.youtube.com/watch?v=_Iq1xxNZOAo) ([Slides](https://www.slideshare.net/InfoQ/how-to-make-linux-microserviceaware-with-cilium-and-ebpf))
> Thomas Graf, QCon San Francisco, 2018
> • [Accelerating Envoy with the Linux Kernel](https://www.youtube.com/watch?v=ER9eIXL2_14)
> Thomas Graf, KubeCon EU 2018
> • [Cilium - Network and Application Security with BPF and XDP](https://www.youtube.com/watch?v=ilKlmTDdFgk) ([Slides](https://www.slideshare.net/ThomasGraf5/dockercon-2017-cilium-network-and-application-security-with-bpf-and-xdp))
> Thomas Graf, DockerCon Austin, Apr 2017
> Hubble
> • [Hubble - eBPF Based Observability for Kubernetes](https://static.sched.com/hosted_files/kccnceu20/1b/Aug19-Hubble-eBPF_Based_Observability_for_Kubernetes_Sebastian_Wicki.pdf)
> Sebastian Wicki, KubeCon EU, Aug 2020
> Books
> • [Systems Performance: Enterprise and the Cloud, 2nd Edition](http://www.brendangregg.com/systems-performance-2nd-edition-book.html)
> Brendan Gregg, Addison-Wesley Professional Computing Series, 2020
> • [BPF Performance Tools](http://www.brendangregg.com/bpf-performance-tools-book.html)
> Brendan Gregg, Addison-Wesley Professional Computing Series, Dec 2019
> • [Linux Observability with BPF](https://www.oreilly.com/library/view/linux-observability-with/9781492050193/)
> David Calavera, Lorenzo Fontana, O'Reilly, Nov 2019
> Articles & Blogs
> • [BPF for security - and chaos - in Kubernetes](https://lwn.net/Articles/790684/)
> Sean Kerner, LWN, Jun 2019
> • [Linux Technology for the New Year: eBPF](https://thenewstack.io/linux-technology-for-the-new-year-ebpf/)
> Joab Jackson, Dec 2018
> • [A thorough introduction to eBPF](https://lwn.net/Articles/740157/)
> Matt Fleming, LWN, Dec 2017
> • [Cilium, BPF and XDP](https://opensource.googleblog.com/2016/11/cilium-networking-and-security.html)
> Google Open Source Blog, Nov 2016
> • [Archive of various articles on BPF](https://lwn.net/Kernel/Index/#Berkeley_Packet_Filter)
> LWN, since Apr 2011
> • [Various articles on BPF by Cloudflare](https://blog.cloudflare.com/tag/ebpf/)
> Cloudflare, since March 2018
> • [Various articles on BPF by Facebook](https://facebookmicrosites.github.io/bpf/blog/)
> Facebook, since August 2018 ([View Highlight](https://read.readwise.io/read/01fsy136cz741fsmea15xwy1pb))
---
Title: What Is eBPF?
Author: ebpf.io
Tags: readwise, articles
date: 2024-01-30
---
## AI-Generated Summary
A detailed step by step introduction to the eBPF technology with lots of references for further reading.