►
Description
eBPF is hard. There are more and more docs and blogs, but the learning curve seems to be really steep. Where could you possibly start to play around with this new technology? In this talk, I will briefly introduce the (e)BPF landscape, then show you one of the easiest way to get started with eBPF. We will explore existing tools, and see what it takes to drop them into a Kubernetes cluster, and learn how can you expose their output as Prometheus metrics with only a few keystrokes.
A
A
B
All
right,
good
morning,
everyone,
this
presentation
will
be
about
evpf
I'm,
not
sure
how
many
of
you
are
already
familiar
with
eppf.
Yes,
if
you
could
raise
your
hand,
please,
oh
nearly
everyone.
Are
there
any
ebpf
experts
in
the
audience
Maybe
there
are
some
lights
coming
in,
but
I
cannot
see
any
last
time.
I
gave
this
talk
that
for
that
cube,
hudder
in
Edinburgh
last
at
the
end
of
last
year,
and
there
were
lots
of
EVP
after
all,
there
and
yeah.
B
B
So
first
some
introduction,
my
name
is
Christian
fakete
I'm,
a
field
engineer
at
solo.io.
You
can
find
the
contact
information
of
me
on
this
slide,
the
company
itself.
We
are
an
application
networking
company
founded
not
that
long
ago
we
are
based
in
Cambridge
Massachusetts
in
the
us,
but
we
have
multiple
locations.
We
are
all
working
remotely
around
the
globe.
B
We
are
doing
mostly
application,
networking
related
stuff,
but
that's
a
quite
extensive
field,
so
we
are
nowadays
covering
multiple
layers
in
the
application
networking
stack,
starting
from
the
kernel
and
ending
at
the
regular
traditional
application,
networking
layer,
application
layer
that
is
layer
7
in
the
oci
model.
B
Our
products
are
open
core
Enterprise
application
model,
but
we
also
have
a
few
open
source
completely
open
source
project
as
well,
for
example,
bumblebee
that
that
I
will
talk
about
quite
soon.
We
have
many
happy
customers.
We
are
well
funded.
We
are
also
hiring
so
if
this
is
something
interesting
for
you,
please
reach
out
well
and
come
and
say
hi
at
our
booth
and
enter
to
win
adrone.
B
So,
first
my
background,
because
this
presentation
has
a
title
of
how
I
like
to
how
I
get
to
know
and
love
ebpf
itself,
so
it
makes
sense
to
include
a
little
bit
of
background
of
me.
First,
as
you
can
see,
I
was
mostly
six
times:
infrastructure,
devops,
SRE
personal
engineer
over
professional
life.
I
was
mostly
doing
the
same
thing
in
all
of
my
positions,
producer
positions,
but
you
can
see
the
trend
how
the
name
of
the
position
changed
over
the
years.
B
My
main
focus
is
invoice
of
celebrity
most
of
the
time,
so
I
designed
and
operated
off
the
royalty
solutions
for
video
streaming
clusters,
hundreds
of
VMS
in
on-premise
data
centers
across
the
globe,
and
these
were
serving
millions
of
users.
I
was
an
SRE
at
a
password
manager,
company,
that's
quite
famous
nowadays,
maybe
you
can
guess
the
name
and
I
was
also
operating
clusters.
B
Planning,
kubernetes
and
istio.
Ebpf
is
quite
a
hard
topic
nowadays.
As
you
also
know,
it
also
has
a
steep
learning
curve
and
fast
forward
to
last
April
when
I
joined,
solo.io
I
got
to
get
familiar
with
this
technology.
I
was
able
to
make
some
contribution
to
our
bumblebee
project
and
to
to
the
BCC
framework
as
well,
which,
as
you
will
see,
is
basically
the
the
the
first
generation
of
evpf
based
tools
out
there.
B
B
B
Multiple
use
cases
regarding
EVPs.
This
can
be
sorted
into
four
main
families,
for
example,
security,
tracing
profiling,
networking
Authority
monitoring.
Security
is
quite
real
because
evpf,
as
you
want
to
already
know,
is
based
on
kernel
events,
so
you
are
able
to
track
actual
C
scores
happening
in
your
in
your
system.
Tracing
and
profiling
is
also
quite
important
because
you
can
get
a
unified
overview
of
your
actual
process
running
in
the
user
space,
and
you
can
get
some
information
about
this
process
from
the
kernel
space.
There
are
multiple
providers
tools
currently
that
are
quite
popular.
B
These
are
nowadays
the
more
modern
ones
are
based
on
ebpf
as
well,
for
example,
Parker
networking
use
case.
You
can
do,
for
example,
layer,
4,
load,
balancing
and
other
similar
things
with
ebpf
again
via
radical,
so
this
can
be
quite
performant
and
and
safe
to
do
so.
So
that's
that's
another
great
use
case.
For
example,
psyllium
can
come
to
mind
if
you
are
familiar
with
that
open
source
project
and
the
last
family
is
observability
and
monitoring,
and
this
is
that
I
will
cover
in
this
talk.
B
B
This
diagram
is
probably
my
favorite
eppr
diagram,
because
it's
quite
simple,
but
still
it's
I-
think
the
best
way
to
understand
what
evpf
is
and
how
it
works
in
your
system.
On
the
left
hand
side
you
can
see
the
user
program
on
the
right.
You
can
see
the
kernel
Space
Program
when
you
have
an
ebpf
program.
You
have
to
take
into
consideration
both
sides,
because
the
user
space
program
is
the
one
that
the
user
will
interact
with.
This
will
display
the
statistics.
B
For
example,
if
you
are
getting
some
statistics
out
of
out
of
the
kernel
and
the
kernel
side,
logic
is
basically
where
your
actual
ebpf
logic
is
so
first,
it
looks
like
that
the
user
program
is
responsible
for
generating
the
BPF
byte
code.
This
is
just
some
life
cycle
management
for
reactor
BPF
code,
but
this
also
has
to
be
done
by
the
by
the
user
Space
Program.
Then
after
the
BPF
byte
code
is
generated,
it
will
load
into
the
kernel
and,
as
I
mentioned,
ebpf
is
safe.
B
B
So
after
the
verifier
is
passed,
you
have
that
BPF
rectangular
there.
That's
your
actual
BPF
logic.
Ebpf
BPF
is
basically
event
based,
so
you
can
specify
multiple
events.
B
B
The
last
piece
in
the
car
on
the
Cardinal
side
are
maps.
Maps
is
a
way
to
exchange
data
between
kernel,
space
and
userspace.
So
once
you
have
your
data
that
you
are
interested
in
in
the
kernel,
you
have
to
populate
your
various
BPF
maps
in
the
on
the
calendar
side
and
from
these
Maps
you
will
be
able
to
read
the
data
from
the
user
program,
and
this
is
basically
how
you,
for
example,
visualize
this
data.
B
Okay,
so
now
we
know
that
what
evpf
is
to
some
extent,
we
know
that.
But
why
is
why
it's
important,
as
I
mentioned
it's
important,
because
it
can
be
a
solution
to
impossible
tasks
and
scaling
issues
scaling
issues
I
mentioned
that
when
I
was
talking
about
Network
day
networking
use
case,
category
ABC
has
quite
common
performance.
It's
it's
in
the
kernel,
for
example,
you
can
do
some
really
effective
copy
operations
that
way
between
your
network
interfaces.
B
It
can
be
also
solution
for
other
impossible
tasks,
for
example
Authority
related
ones.
If
there
are
some
sres
here,
I
guess
you
had
some
hard
time
to
catch
out
of
memory
exceptions
in
kubernetes
clusters,
because
there
are
very
there
are
a
few
error
problems
to
to
catch
those.
If
you
want
to
export
those
as
Primitives
metrics,
then
you
have
an.
You
might
haven't
even
heard
this
time,
because
there
are
no
real
exporters.
You
have
to
either
Mount
the
docker
socket
someplace
and
get
data
from
there.
B
The
fee
advisor
doesn't
really
cover
all
of
the
use
cases
of
out
of
memory
exceptions,
so
it's
quite
hard
to
get
it
right.
For
example,
this
is
a
great
example
where
ebpf
can
have
and
it's
important,
because
there
are
multiple
personals,
for
example,
application
developers,
SRX
device
engineers
and
network
operators
who
could
benefit
from
this.
B
In
this
presentation,
I
will
focus
on
the
essay
leader
of
the
engineered
Parts,
because
back
in
the
day,
I
was
also
okay
by
ebpf
is
query
because
some
can
think
that
it's
scary,
because
basically
it's
the
kernel
and
that
that
just
doesn't
have
a
quite
nice
ring
to
it.
Nowadays
everyone
is
speeding
up
new
web
applications,
microservices
and
kubernetes
clusters.
Everyone
is
parsing
Json,
you
might
have
a
Kafka
queue
in
the
middle
of
your
stack,
but
basically
most
of
the
engineers
nowadays
are
not
quite
used
to
do
some
low-level
systems.
B
Engineering
work
so
when
they
hear
that
ABP
is
something
related
to
together
aside
to
Kernel,
it
can
be.
Scary
can
be
also
scary
because
of
the
lack
of
the
documentation
I'm,
not
saying
that
there's
no
documentation,
there
are
some
it's
getting
better
and
better,
but
you
have
to
either
seek
out
Arcane
blog
post
by
various
ebpf.
B
Outdoors
or
you
have
to
check
out
the
the
kernel
mailing
lists
and
the
user
experiences
is
not
that
under
the
great
most
of
the
people
again
are
not
really
used
to
check
out
the
kernel
mailing
list.
If,
if
you
want
to
troubleshoot
a
bug
in
your
Json
parser
web
application,
ebpf
can
be
also
scary,
because
people
don't
really
know
where
they
can
start
to
get
familiar
with
it.
B
There
are
lots
of
emerging
tools,
there's
a
new
ebpf
based
tool
every
other
week,
so
it
can
be
quite
daunting
to
to
find
the
right
one
there
where
you
can
get
familiar
with
this
technology
and
I
mentioned
it
already.
Is
the
kernel
and
I
think
that
this
is
the?
This
is
the
the
thing
that
that
can
be
discouraged
of
all.
B
Let's
take
a
look
at
the
BPF
landscape.
On
the
slide,
you
can
see
the
application
landscape
of
of
ebpf.
This
logo
collection
is
from
the
end
of
last
week,
when
I
last
gave
this
presentation.
I
was
thinking
about
updating
it
with
the
new
logos,
but
it
was
also
quite
hard
to
get
this
on
this
slide.
So
I
decided
not
to.
There
are
a
few
new
tools
out
there,
but,
as
you
can
see,
it's
a
it's
a
quite
extensive
landscape.
B
So
again
it
can
be
quite
hard
where
to
start
with
getting
familiar
with
this
technology,
to
make
it
simpler,
let's
focus
on
obserability
and
for
obserability
we
can
follow
the
advice
of
Brandon
Gregg.
Some
of
you
might
might
have
heard
of
him.
He
was.
He
is
a
great
contributor,
one
of
the
biggest
contributors
to
the
evpf
ecosystem.
B
This
quote
means
that
you
should
not
reinvent
the
wheel
all
the
time
you
should
not
start
from
sketch.
You
should
not
program
your
way
to
everything.
If
there
are
tools
available,
let's
just
use
them,
because
people
spend
hard
hours
to
get
to
the
point
where
those
tools
are
are
working
properly
and
we
should
really
benefit
from
using
those.
In
the
first
place
on
the
slide,
you
can
see
the
the
BCC
screenshot
of
BCC.
B
There
are
multiple,
basically
they'll,
multiple
layers
are
here,
and
there
are
some
BCC
ebpf
tools
attached
to
all
these
layers.
So,
for
example,
if
you
want
to
troubleshoot,
let's
say
system
libraries,
then,
for
example,
qsnoop
can
be
a
good
solution
to
to
get
started,
finding
performance
issues
or
troubleshoot
issues.
Then
there
are
multiplier
programs
targeting
different
areas.
This
is
basically
a
GitHub
repository,
so
you
can
go
to
github.com
and
find
a
business
repository,
and
you
should.
You
should
find
all
these
all
these
traditional
VCC
tools
in
the
in
the
tools
folder.
B
If
you
want
to
run
this,
you
have
to
do
it
like
this.
First,
you
write
a
single
group
Python
program
and
that
single
Python
program
will
contain
the
user.
Space
Program
I
was
talking
about
that's
written
in
Python
and
the
cardinal
space
program,
that's
written
in
C.
But
how
is
that
possible?
How
can
two
languages
be
in
a
single
program?
B
It's
possible
because
the
C
program
is
basically
a
string,
and
yes,
this
is
one
of
the
reasons
why
ebpf
can
be
have
to
have
to
start
with.
You
can
see
a
screenshot
here.
This
is
actually
the
room
killer,
troubleshooting
Tool.
You
can
see
the
BPF
code
written
in
C
inside
the
Python
program.
That's
this
was
the
traditional
way
to
get
started
with
dbpf.
B
Then
during
execution,
BCC
will
call
clang,
llvm
and
platform
had
a
lookup
to
know
where
the
certain
points
in
the
kernel
are
VM
and
the
kernel
headers
have
to
be
present
on
the
target
machine.
Where
you
would
execute
for
your
program,
then
you
have
to
compile
your
code
at
runtime,
but
this
can
be
quite
problematic
because,
let's
say
you
are
operating,
let's
say
VMS
in
production
and
you
don't
like
to
underutilize
these
VMS.
B
So
let's
say
these
VMS
are
consuming
I,
don't
know:
70
percent
of
the
available
resources,
for
example
CPU
or
memory,
and
if
you
let's
say
you
want
to
troubleshoot
something
so,
for
example,
try
to
catch
out
of
our
receptions.
So
we
go
sshing
to
the
machine,
deploy
the
script.
You
have
clang
llvm
there.
That's
quite
huge.
You
have
the
current
headers
available,
but
you
have
to
compile
your
program
and
you
have
a
virtual
machine
that
is
basically
consuming
the
proper
amount
of
resources.
B
But
if
you
compile
your
traditional
BCC
code
on
that
production
machine,
the
SRA
teams
will
be
at
your
door
at
your
door.
In
a
few
seconds,
because
those
machines
can
easily
tip
over
because
you
were
operating
at
the
at
the
desired
resource
utilization
and
now
you
are
performing
a
very
resource,
heavy
operation,
so
it's
it
might
not
be
a
good
fit
for
for
collection
use
cases.
B
That
is
a
better
way
to
do
this,
and
this
is
by
following
the
BPF
core
methodology.
Core
means
compilations
run
everywhere.
For
this
you
have
to
have
the
BTF
type
information
available.
This
is
usually
done
by
having
a
VM
linux.h
header
file
available
on
your
system.
This
will
make
sure
that
you
can
run
this
everywhere.
You
will
still
use
Clank
as
a
compiler
and
the
libbf
user
space
loader
Linker
Library,
and
if
you
have
all
these
things
together,
you
are
on
the
route
to
create
portable
and
better,
more
modern,
evpf
programs.
B
B
You
can
just
compile
it
in
advance
ship
to
the
Target
machine
where
you
want
to
execute
it,
and
as
long
as
the
requirements
are
met,
you
can
easily
run
an
abpf
code
in
a
quite
efficient
manner
on
a
production
system,
but
we
can
do
even
better
than
this.
You
could
only
it's
also
possible
to
focus
on
only
on
the
cardinal
space
program.
As
you
would
imagine,
the
Canada
space
program
is
where
the
really
exciting
and
interesting
surface
is
the
user.
Space
is
basically
just
Plumping.
B
You
have
to
manage
the
life
cycle
of
of
loading,
the
code
and
cleaning
up
then
visualizing.
The
data-
that's
not
something
that
that's
very
interesting,
so
focusing
on
the
cardinal
space
program
can
be,
can
be
much
more
interesting.
B
So
back
to
the
original
question,
we
have
to
start
to
learn
evpf.
The
answer
can
be,
for
example,
with
the
Bumblebee
project,
which
is
an
open
source
project
by
solo.io.
You
can
go
to
brandberry.io
or
find
the
repository
under
the
solo
IO
organization.
Basically,
it's
fully
open
source.
There
are
multiple
examples
there,
so
it's
a
great
way
to
to
get
started
with
abpf.
B
What
bumblebees
bumblebee
can
help
you
to
build,
run
and
distribute
ebpf
programs
as
oci
compatible
images,
and
it
can
even
expose
these
events
as
Prometheus
compatible
metrics,
which
is
quite
nice,
because
you
most
probably
already
have
Primitives,
so
it's
quite
real
to
hook
it
into
Primitives
and
visualize
your
your
data
that
way,
and
if
you
are
talking
about
the
authority
use
case,
it's
also
quite
true
to
use
the
the
factor.
Standards.
B
It's
working
like
taking
the
existing
libertarian
space
code
and
generating
the
user
space
code
for
you,
without
even
knowing
what
that
user
effect
would
will
be,
and
we
also
wanted
to
focus
on
the
user
experience
and
the
developer
experience.
So
with
bumblebee,
you
have
a
Docker
like
experience,
meaning
you
can
use
basically
very
similar
comments,
then
that
you
would
use
with
Docker.
B
You
can
see
a
very
short
video
of
Bumblebee
in
action.
You
can
see
an
example.
It's
a
C
file,
that's
the
kernel
space
logic!
That's
all
you
need
after
you
have
the
file.
You
can
do
something
like
B,
build
and
use
the
local
file
there.
After
that,
the
image
is
built.
You
can
push
it
into
a
local
or
remote
registry.
After
it's
pushed,
you
can
just
run
it
and
it
even
has
a
user
interface
like
this.
B
Basically,
for
this,
it's
quite
nice
because
you
can
use
the.
If
you
go
to
the
VCC
repository,
you
can
find
the
lib
PF
tools
folder
inside
this
repository,
and
there
you
find
most
of
the
time
two
files
per
tool
and
these
files
are
basically
Rewritten
to
use
the
core
principle,
which
is
quite
nice.
These
are
the
more
modern
equivalent
of
the
traditional
tools
and
you
can
take
examples
from
this
folder
and
pour
these
into
bumblebee
for
this.
B
Currently,
you
only
have
to
take
care
of
a
single
thing,
and
that
is,
you
have
to
have
compatible
map
types
with
with
bumblebee.
Currently
only
hashmap
and
ring
buffer
is
supported,
so
there
are
a
few
tools
that
are
using
perv
buffer.
That
was
on
the
traditional
map
type.
You
have
to
pour
that
to
ring
buffer
first,
but
after
that
you
can
basically
just
put
it
into
Bumblebee,
and
your
code
will
work
and
you
have
Prometheus
metrics
with
the
exposed
data
on
this
slide.
You
can
see
a
few
differences
between
purple
foreign
buffer.
B
One
of
them
is
using
buffers
per
CP,
with
the
other
one
is
using
a
share
buffer.
There
are
performance
differences.
The
event
ordering
is
is
much
better.
These
developer
experiences
also
much
better.
There's
a
reserve
submit
API
to
make
sure
that
you
can
write
more
write,
better
code.
The
requirements
are
to
have
a
fairly
new
Linux
version,
but
most
of
the
I
think
most
of
the
cloud
providers
are
already
shipping
links
versions
newer
than
this,
so
it
these
are
not
really
hard
requirements.
B
I
would
have
a
demo,
but
I
will
skip
this.
Please
find
me
if
you
are
interested
in
a
live
demo.
I
can
do
it
at
our
booths
or
somewhere
around
here.
I
will
just
skip
this
to
to
go
to
the
finishing
slides.
You
can
see
the
reward
map
for
bumblebee
here
we
are
trying
to
keep
up
to
date
with
Libby
BF.
There's
an
active
development
going
on
with
the
Libby
PF
tools,
there's,
for
example,
a
new
compact
layer
that
can
make
it
that
can
abstract
away
the
the
actual
map
type
that
you
would
use.
B
So,
for
example,
if
you
are
using,
if
you
are
running
your
code
on
an
older
Linux
where
or
only
path
buffer,
the
the
older
map
type
is
supported,
then
it
will
fall
back
on
that.
If
a
newer
one,
for
example,
ring
buffer
is
available,
it
will
use
that.
So
these
are
quite
nice
improvements
and
we
are
aiming
to
keep
bumblebee
updated
to
to
be
able
to
use
these
changes.
We
are
also
working
on
tighter
kubernetes
integration,
for
example,
to
get
correlation
with
pod
names
easier
and
there's
an
operator
work
already
in
progress.
B
Basically,
that
can
enable
you
to
have
bumblebee
deployed
into
kubernetes
clusters
as
a
demon
set
and
that
demonstrate
can
load
the
OCR
images
into
itself
and
Export
the
data
as
it
as
it
goes
along.
Currently,
it's
already
possible
to
use
Bumblebee
with
with
kubernetes
clusters,
for
that
you
just
have
to
package
it
as
a
demon
Set,
the
the
original
CLI
tool
can
be
packaged
as
a
demo
set,
and
it's
and
it's
working
quite
well.
B
If
you
are
interested
in
a
demo,
please
find
and
find
us
at
our
booth
and
I
can
show
it
to
you.
We
are
supplying
to
a
new
map
ties.
We
also
plan
to
have
logging
integration,
so
you
can,
for
example,
log
all
the
events
that
you
would
want
to
expose
and
you
can
inject
these
locks
in
just
these
logs
into
your
logging
platform.
We
are
don't
currently
support,
histogram,
metrics
types
for
the
events.
B
We
just
only
support
gauges
and
counters,
but
histogram
is
something
we
are
also
working
on
and
we
are
all
the
time
working
on
adding
new
libypf
examples
to
the
Bumblebee
Repository,
and
you
are
also
all
welcomed
to
to
contribute
to
to
those
examples.
My
key
takeaways
from
learning
ebpf
with
bumblebee
are,
can
be
seen
here.
Basically,
I
know
that
I
know
the
tbpo
is
really
a
game.
Changer,
focusing
on
only
the
kernel
space
is
fun.
It's
much
better
than
doing
all
the
plumbing
with
the
user
space
code.
B
Integration
is
key
because,
for
example,
for
observability,
it's
really
nice
to
have
integration
with
with
promotics
right
away,
and
we
are
just
getting
started
and
we
would
like
to.
We
would
like
to
all
of
you
to
benefit
from
the
edpf
ecosystem,
so
feel
free
to
take
bumblebee
for
a
ride
and
please
reach
out.
If
you
have
further
questions.
A
Beautiful,
thank
you
very
much.
Christian
I
before
you
before
you
get
off.
I
I
actually
have
a
question
that
is
not
evpf.
B
Excellent
question
ambient
just
got
merged
Upstream
last
week,
I
think
or
maybe
this
week,
I
don't
know,
I
think
it
was
last
week
and
I
have
to
double
check
it,
but
I
think
the
next
fto
version,
istio
118,
will
include
this
profile,
so
you
can
already
it's
it's
basically
yeah
you
can.
If
you
go
to
the
istio
repository,
you
can
find
the
ambient
specific
part
of
the
readme.
B
You
can
download
the
artifact
there
if
you,
if
you
want
to
try
it
out,
you
can
also
check
out
the
academic
throw
that
I
O
website
where
we
have
a
virtual
environment
running
it's
a
free
course.
You
can
take
mbn
for
a
ride
there
as
well,
but
I
think
the
next.
If
you
release,
will
already
include
ambient
as
a
profile.
So
that's
that's
also
a
quite
nice
way
to
experiment
with
it.
Thank.
C
My
question
is:
can
we
monitor
from
in
the
observability
space
of
ebbf?
Can
we
only
see
L3
L4
level
metrics
or
we
can
also
see
L7
level
metrics
and
if
it
is
l3l4
only
then
will
it
be
my
primary
observability
or
will
it
be
my
default
level
observability?
If
nothing
can
capture,
then
evvf
captures
I,
don't
know
if
I
make
sense,
yeah.
B
Yeah
that
absolutely
makes
sense,
ebpf
can
use
for
relax
of
things,
and
it
can
also
it
can
even
parse
user
space
logic
as
well,
and
it
can
also
it's
also
possible
to
generate
layer,
7
Matrix.
Basically,
so
it's
definitely
possible.
B
You
just
have
to
think
about
the
most
efficient
way
to
to
do
things,
and
you
also
have
to
take
maintainability
into
considerations.
So
if
there
are
tools
available
that
are,
that
might
not
already
use
ebpf
but
are
solving
your
problem,
then
it
might
make
sense
to
to
use
that
for
that
purpose.
But,
for
example,
let's
say
if
you,
if
you
take
monitoring
as
an
example
in
The
Primitives
ecosystem
node
exporter,
is,
is
the
default
standard
to
monitor
host
that
can
solve
a
lot
of
problems
that
you
might
already
have.
B
But,
for
example,
out
of
number
exceptions
is
a
problem
that
it
that
it
cannot
so
it
may,
it
might
make
sense
to
use
ebpf
for
that
one
or
let's
say
you
cannot
use
node
export
for
some
reason
and
you
will,
but
you
only
need
a
subset
of
the
features
that
that
know
the
spot
and
can
provide.
Then
it's
also
possible
to
to
write
some
ebpf
code
and
with
covering
those
features
that
you
are
interested
in,
so
you
can
have
a
more
lightweight
and
efficient
lightweight
yeah
node
exporter
based
on
ebpf.
D
Thank
you
for
your
presentation.
I
have
a
question,
so
you
presented
a.
E
B
For
example,
there
might
be
some
cases
where
security
is
taken
quite
seriously
and
running
ebpf
might
require
Advanced
privileges.
There
are
improvements
happening
on
this
area
as
well,
so
there's
currently
a
capability
that
is,
that
is
aiming
to
provide
the
least
necessary
privileges
that
are
needed
to
run
the
mvpf
code.
So
we
are
getting
there,
but
there
are
still
some
security
Concepts.
B
Maybe
that
might
raise
some
security
eyebrows
if
you
want
to
to
run
ebpf
in
those
cases,
another
example
would
be
might
be
I'm
not
sure,
but
the
first,
the
the
previous
question
about
layer,
7
metrics
that
that's
basically
solved
with
layer,
7
components,
for
example,
invoy
proxies.
If
you're
running
a
service
mesh,
you
get
observability
out
of
box
to
cover
all
these
metrics.
This
can
be
solved
with
dbps
to
some
extent,
but,
for
example,
invoice
and
the
steel
sidecars
are
are
great
and
well
adopted.
Fit
for
this
use
case
as
well.
B
I
I
would
work
mainly
with
dbpf.
I
would
focus
on
really
hard
observability
challenges,
because
I
think
this
is
the
area
where
ebpf
can
shine
and
if
you
have
fine
integration
with
with
the
authority
ecosystem,
then
again
it's
it's
a
great
fit
to
to
solve
these
challenges.
Running
little
dbbf
programs
and
exporting
those
as
permutix
Matrix
is
quite
lightweight
and
quite
efficient.
B
A
Well,
I'll
take
it
then
I
have
one
question:
Christian,
no
one
more
so
I
have
I,
have
had
the
chance
of
trying
to
play
around
with
ebpf
and
try
on
maybe
20
or
21
of
the
most
common
25
sys
calls
and
I
saw.
The
Bumblebee
makes
things
a
little
bit
easier,
preparing
the
framework
for
the
type
of
program
that
I
have
to
run,
but
still
I
think
it's
a
very
steep
learning
curve
and
a
very
hard
adoption
for
consumers
of
tech.
B
Yeah
so,
for
example,
this
is
our
product
is
using
kbpf
to
some
extent
under
the
hood,
for
example,
to
accelerate
the
service
mesh.
We
are
also
generating
metrics
based
on
eBay
ebpf,
and
we
are
using
some
part
of
the
open
source
bumblebee
code
in
our
product
to
to
do
that,
but
we
open
source
bumblebee
for
this
exact
reason
to
make
it
all
easier
and
we
are
not.
B
For
example,
one
area
where
we
still
have
some
work
to
do
operator
is
a
great
step
in
that
direction,
but
being
able
to
correlate
to
actual
Port
names
can
always
make
make
it
easier,
because
without
this
you
still
to
do
some
user
space
Plumbing
on
your
own
to
to
get
the
actual
data.
So
the
answer
is
yes,
we
are
still
working
on
improving
Bumblebee
and
it's
open
source.
B
So
if
you
have
any
idea
or
feature
request,
feel
free
to
to
fire
GitHub
issue
or
even
contribute
to
the
project,
it's
it's
quite
a
small
project
still
and
it's
I
think
it's
it's
one
of
the
easiest
way
to
get
started
with
dbps.
So
we
are
happy
to
onboard
you
to
the
open
source
project.
If
you,
if
you
are
interested
in
that.
A
Thank
you
very
much.
Christian
I
am
sure
that
everyone
was
very
interested
and
no
one
there
to
say
that
they
were
ebpf
experts
thanks
Christian,
please
give
it
up
for
Kristen.
A
We
are
going
to
have
a
little
bit
20
minutes,
21
minutes
break.
We
are
going
to
start
again.