From YouTube: Keynote: eBPF - Everything You Need to Know in 5 Minutes - Thomas Graf, CTO, Isovalent
Description
eBPF has become the key technology for infrastructure software. This session tells you everything you need to know about eBPF in 5 minutes. Why eBPF matters and why it exists. What it can do. What it can’t do. Who uses it for what. And finally, what the future holds.
A
All right, good morning, everybody. My name is Thomas Graf. I'm co-founder and CTO of Isovalent, but probably more importantly, one of the creators of Cilium and currently the chair of the eBPF governing board, or eBPF Foundation governing board. I'm trying to give an introduction to Cilium, to eBPF, not selling eBPF, in five minutes. Let's see what that gets us.
A
First of all, what is eBPF? How many of you, this is the first eBPF day? How many of you have been to an eBPF day before? First eBPF day? All right, quite a few. Excellent. So you may be wondering what is actually BPF, and this is the closest accurate definition I could come to: eBPF is a programming language and runtime to extend operating systems.
A
That sounds very abstract. A more practical comparison is: eBPF is like JavaScript or Lua, but for kernel developers. Now, maybe you're even more confused, so let's look at this. On the left, we have JavaScript, an example of JavaScript, how it's commonly used, right? You use JavaScript to run some code when some event happens. For example, most common example: when the website user clicks on a button and submits a form. On the right side, we have eBPF. Very, very similar, but you run eBPF programs in the kernel, in the operating system, when some event happens.
A
Why eBPF? That's the second question I usually get. Operating systems, in particular Linux, have become incredibly hard to change. It takes weeks or months to even get a change upstream, and then years for consumers, for users, to consume these Linux kernel versions, these new versions. So the innovation cycle is very, very, very long, very similar to hardware.
A
This leads to this problem that's similar to what we have for CPUs. The operating system is essentially using building blocks because it has to predict use cases; it cannot adjust, adapt to changing requirements all the time. That's why the kernel, the Linux kernel, typically has subsystems that you, as a user, can configure. You cannot program them. For CPUs, we have solved these problems with higher-level programming languages like Java, Go, Rust and so on.
A
eBPF is the same concept applied to operating systems, so it gives us programmability and thus allows us to continuously adapt to changing requirements and thus innovate very, very quickly. That's the biggest fundamental reason why eBPF exists. Great, so we have programmability. How is this different to things like Lua or WebAssembly? Because there's lots of other languages, much, much more widely known ones, that have been around for ages, that give programmability.
A
It can interface with the Linux kernel, so it can call into kernel APIs, and it is restricted to run safely in the kernel context. But it is aimed at kernel developers and thus traditionally very hard to learn and use. Lua, WebAssembly, on the other hand, are designed to be embedded into arbitrary applications or systems. They're general purpose and they're aimed at application developers, much easier to learn, but they cannot run in the context of the operating system.
A
How does eBPF work? There is a language and there is a runtime. The language can be expressed in a variety of different languages. Pseudo C code is the most common one, where we use a compiler like LLVM or Clang to compile that into bytecode, but there's several different language frameworks, IR, libbpf, BCC, to express eBPF programs in different higher-level languages. All of this eventually produces so-called eBPF bytecode. That is our program.
A
Then we have a runtime. This is what's embedded into the operating system. The runtime takes the bytecode, verifies it to make sure it is safe to run, just-in-time compiles it for efficiency, and then runs it at the requested hook points. In this example, it is being run when system calls are being invoked.
A
So these three properties: eBPF is secure. It has runtime verification, it has a sandbox concept, it has program signing. It is efficient, because it is going through a just-in-time compiler, it is embedded into the operating system, and it offers per-CPU data structures. And it is portable. The bytecode is generic; it gets just-in-time compiled later on. It has data type discovery, BTF, as well as a stable API, how to interface with the operating system. Who controls eBPF? eBPF is controlled by the eBPF Foundation and the open source communities around it.
A
That's nice. Now we know about eBPF. Where is eBPF used today? This may actually be a surprise: it's incredibly widely used. We could look at the Cilium users file. It's everywhere, but that's kind of boring, lots of logos. Let's look at some more extreme use cases. Cloud native landscape: we see a couple of projects using eBPF. But let's dive deeper and look at, like, heavy applications of eBPF that you probably use every day. Facebook slash Meta is using eBPF for load balancing. It's called project Katran.
A
It's been used in production for several years, all eBPF. Facebook is using this exclusively for all load balancing needs. We have all three big cloud providers, AWS, Azure, Google Cloud, using Cilium in their managed Kubernetes offerings. Many of you probably use a managed Kubernetes offering, GKE, EKS, AKS, at some point. They are using Cilium and thus eBPF underneath. But even smartphones: this is the eBPF page of the Android operating system. Android uses eBPF. It has an eBPF loader and it uses eBPF programs to do traffic accounting.
A
It uses it to account how much CPU, memory each app uses, and can even do GPU memory accounting and so on. It's all done using eBPF. So when you look at the traffic statistic of your app, how much traffic volume, how much network volume it consumed, that was counted using BPF. Multi-cloud networking, enterprises: there was a fantastic presentation at eBPF Summit a couple of weeks back where S&P Global presented how they're using eBPF with Cilium for a multi-cloud networking layer to essentially redefine how they think about networking.
A
The talk was absolutely fantastic: a road to invisible network, S&P Global's network transformation journey. You can go to ebpf.io, click on watch Summit recordings, and you will find a talk, the talk recording. But there is one more thing, because the biggest aspect of eBPF, where I think we'll see a lot more innovation going forward, is observability. So really happy to announce an absolutely fantastic new partnership between Grafana and Isovalent.
A
Grafana is bringing their entire observability knowledge and tools at Loki, Grafana, Tempo, and so on, and Isovalent is bringing Cilium, Tetragon, Hubble for observability and all of our eBPF knowledge, and together we're building a new set of tools that you can use for observability. A couple of examples: network observability, where we can now embed Grafana dashboards directly into Cilium's Hubble UI for amazing network observability, metrics for traffic volume, network policy drops, traffic volume and so on. But there is more.
A
We also have excellent visibility into the security layer and can, for example, display process ancestry, how applications behave and what commands they execute, and visualize that in a Grafana tool set, as well as things like TLS handshake monitoring.
A
This was a five-minute introduction to eBPF, and I tried to use a couple of real-world examples as well. eBPF is already everywhere and we're using it every day, but there's lots of more exciting things coming, and I'm looking forward to a whole day of presentations. Thanks a lot, everybody.