►
From YouTube: StackRox Community Office Hours E2 eBPF 101 — Implementing Security & Monitoring Kubernetes
Description
Streaming live on openshift.tv: eBPF is the behind-the-scenes subsystem of the Linux kernel that enables new and simpler methods of profiling, networking, and security for Kubernetes without compromising speed and safety.
Join our monthly Office Hours to get your eBPF questions answered. We’ll start with an overview of the capabilities that eBPF provides.
A
A
A
B
A
B
B
Ultimately,
you
can
think
about.
You
know
I
like
to
use
the
analogy,
and
it's
I
know
this
has
been
used
before
from
the
perspective
of
a
web.
Browser
without
javascript
is
kind
of
like
a
linux
kernel
without
evpf,
and
you,
if
you,
if
you,
if
you
think
about
all
the
things
you
can
build
with
javascript
in
a
web
browser
and
the
the
way
that
linux
kernel
development
used
to
go,
is
that
you
would
have
to.
If
you
wanted
some
new
feature
in
the
linux
kernel.
B
A
B
To
think
about
the
use
cases
of
ebpf,
are
you
know,
I
don't
know
your
persona
or
you
know,
what
is
your
role
and
you
know
what
problem
you're
trying
to
solve
the
the
kind
of
the
first
way
and
I'm
going
to
give
a
demo
in
a
few
minutes
that
I
think
about
it
is
in
terms
of
just
debugging.
So
I
want
to
know
is
this.
You
know,
like
think
about
a
break
point
in
your
code.
I
want
to
know
what's
happening
when.
B
Within
the
kernel
is
being
called,
or
you
know
how
many
times
it's
being
called
that
sort
of
thing,
so
performance
counters
things
like
that
there
have
been
sub-systems
built
into
the
linux
kernel,
but
ultimately,
you
run
into
you
know.
Well,
this
feature
isn't
available
in
the
subsystem
like
the
perf
subsystem,
the
audit
subsystem.
B
These
things
are
not
extensible
and
what
ebpf
allows
you
to
do
is
attach
small
programs
on
these
events
and
then
report
data
back
into
user
space.
So
you
can
have
a
user
space
program
that
understands
what's
going
on.
In
addition,
you
can
actually
write
new
networking
stacks
within
the
kernel
in
ebpf
and
then,
if
you
need
to
update
them
or
change
them
or
configure
them
you're
able
to
to
do
that.
B
Yeah
so
there's
there's
several
ways.
So
let's
say
we
have
a
kate's
cluster
up
and
running
openshift
cluster
and
we
want
to
understand
what's
going
on
within
the
cluster,
so
we
have
a
performance
issue,
for
example,
and
maybe
it's
related
to
disk
activity.
You
could
use
evpf
scripts
and
tools
and
piece
together
kind
of
an
idea
of
what's
going
on
by
just
extracting
the
data
and
getting
performance
metrics.
So
this
is,
you
know
observable
from
the
observability
standpoint.
B
Another
use
case
is
if
you
want
to
actually
use
ebpf
to
help
with
security,
so
visibility
less
less
about
getting
sampling
and
aggregate
information
from
the
kernel.
But
more.
I
want
to
see
an
audit
of
all
of
these
events
and
have
it
correlated
with
additional
pieces
of
data
like
the
container
id
or
the
network
connection
that
a
process
made
or
something
like
that,
and
so
that's
that's
one
way
to
get
uc
bpf
in
your
cluster.
B
I
think
from
the
individual
perspective,
the
debugging
is
kind
of
the
debugging
and
performance
analysis
is
the
first
entry
point
it
you
know
it
actually
requires
just
like
building
a
large
web
application
on
javascript.
A
lot
of
effort
building
a
platform
that's
built
on
ebpf,
is
you
know,
a
significant
effort,
and
so
there's
a
lot
of
existing
platforms
and
tools
and
things
that
are
that
are
available.
B
So,
for
example,
the
stackrocks
product
now
acs
is
uses
ebpf
to
extract
process
executions
as
well
as
network
connections
from
the
kernel
and
what's
great
about
ebpf.
Is
it
allows
us
to
operate
on
any
kernel
version
kind
of
going
back
to
that
challenge
of
you
know
any
recent
kernel
version
that
challenge
of
you
know
we're
not
able
to
add
stackrock's
specific
features
into
the
linux
kernel.
We
don't
want
the
customer
to
have
to
have
a
special
kernel.
A
Cool
so,
like
I
think,
of
the
ebpf,
and
I
think
of
like
tracing
and
kind
of
the
same
vein
right,
you
said
debugging
right,
like
there's
nothing
better
than
running
an
s
trace
on
a
process
right
really
seeing
where
it's
breaking
right
does
ebpf.
Give
us
more
insight,
less
insight,
I
mean
what
is
that?
What
is
it
yes,.
B
So
you
you
can
print
every
system
call
that
an
application
is
running
and
that's
super
useful
for
determining
you
know
what
actually
is
happening
when
I'm
reading
a
file-
or
you
know,
and
so
the
the
problem
is
that
s
trace
has
a
huge
performance
overhead,
oh
because
it's
essentially
you
know
adding
an
extra
round
trip
between
user
space
and
kernel
space.
The
the
the
cool
thing
about
ebpf
is
that
you
can.
You
know,
of
course,
evpf
can
introduce
overhead
because
you're
doing
work.
B
A
B
Is
that
visible,
chris,
yes,
cool
so
kind
of?
As
I
was
saying,
you
know,
we
have
the
linux
kernel
which
is
hard
to
update,
and
then
we
have
our
application
stack
on
the
right.
That's
just
a
set
of
processes,
and
you
know
these
could
be
running
within
containers
in
our
cluster.
But
ultimately
the
processes
are
sending
information
on
the
network,
reading,
writing
files
or
launching
other
processes-
and
you
know,
since
the
the
the
unix
api,
the
postx
apis
were
created.
B
B
So
we
have
this
stable
api
for
our
user
space
programs,
but
we
don't
necessarily
have
a
good
way
to
extend
the
kernel
without
you
know
a
lot
of
effort.
So
what
ebpf
lets
us
do
is
add
hooks
within
the
linux
kernel
and
you
know
whatever
we
can
add
the
hooks
at
the
syscall
level.
So
that's
thinking
about
s
trace
where
we
want
to
see
all
the
interactions
between
a
given
process
and
the
kernel
via
syscalls,
or
we
can
attach
ebpf
programs
to
any
any
function
really
within
the
linux
kernel.
B
Of
course,
the
syscall
layer
is
going
to
be
more
stable,
so
I
think
the
you
know
the
easiest
way
to
get
up
and
running.
If
you
have
a
kubernetes
cluster
and
run
some
uvbf
programs
is
to
use
a
a
really
nice
tool,
called
coop
cuddle
trace
and
that's
what
I
was
going
to
give
you
the
demo
of
here.
So
this
is
a
available
here
at
this
github
url
and
the
prerequisites
are
really
just.
You
need
a
kubernetes
cluster
up
and
running.
B
B
So
these
are
running
ubuntu
20.4,
linux,
kernel
5.4.
So
that's
you
know
you're!
Normally,
when
you
have
a
case
cluster
you're,
not
really
thinking
about
the
node
level.
Nodes
are
cattle,
they
come
and
go,
and
what
ebpf
allows
us
to
do
is
kind
of
get
into
the
the
linux
kernel
on
the
host,
so
we're
kind
of
getting
underneath
our
containers
and
seeing
what's
happening
right
now.
This
is
a
completely
empty
cluster.
A
B
Base
containers
that
are
actually
running
in
kubernetes
so,
even
though
there's
no
applications
running
in
this
cluster
there's
still
stuff
going
on.
So
what
we
can
do
is
use
coop,
cuddle,
trace
and
coop.
Cuddle
trace
is
a
coupe
cuddle.
Plugin.
There
is
essentially
it
allows
us
to
still
use
the
coop
couple
command,
but
then
it
calls
out
to
another
process,
and
so
we
can
run
coop
cuddle.
B
We
can
install
crew
cuddle
trace
using
crew,
which
is
a
coupe
cuddle,
plugin
manager
or
just
downloading
the
binaries
directly
and
coop
cuddle
trace,
allows
us
to
run
bpf
programs,
and
particularly
a
particular
type
of
bpf
program,
called
a
bpf
trace
program,
which
is
a
higher
level
scripting
language,
that's
built
on
top
of
bpf
and,
as
I
said,
this
is,
I
think,
the
easiest
way
to
get
started
with
running
ebpf
in
your
in
your
case
clusters.
So
what
we
can
do
is,
let's,
let's
see
what
processes
are
running
on
a
particular
node.
B
B
So,
what's
key
about
this
is
it's
running
a
container
that
is
actually
just
cuddle
trace
bp
of
trace
and
it.
The
other
kind
of
key
thing
here
is
that
it's
running
in
with
admin
privileges,
so
the
security
context
here
is
privileged
and
if
we're
going
to
execute
bpf
programs
within
a
container,
we
need
to
be
privileged
because
the
bpf
system
call,
which
is
you
know,
we're
monitoring
system
calls
or
observing
system
calls.
We
also
use
a
system
call
to
insert
the
the
program
it
requires.
A
B
B
A
B
B
B
And
this
is
kind
of
when
I
was
saying
earlier
about
how
you
know
one
of
the
first
places
I
think
people
you
end
up
using
ebpf
is
to
diagnose
performance
or
other
kind
of
issues
in
their
cluster.
So
you
know
you
might
want
to
see
what's
running
in
a
pod
or
that
sort
of
thing,
and
this
bpf
program
is
very
simple.
I
mean
here's
the
here's
the
code
right
here.
B
B
These
programs
can
be
run
using
on
any
linux
system.
I
think
all
distributions
have
these
tools
available
in
their
package
repositories.
This
is
I'm
talking
like
if
you're,
if
you're,
not
on
kubernetes
customers
on
the
linux
box,
yum
install
bcc
tools
or
yum
apt-get
pcc
tools
you'll
actually
be
provided
with
a
lot
of
these
programs.
B
A
B
B
A
B
B
B
Cool
okay,
so
this
is
just
a
snapshot
of
connections
that
were
being
streamed
via
this
ebpf
program
and
we're
getting
the
the
pid
the
command
of
the
program.
So
this
is
the
the
command
is
going
to
be.
You
know,
stored
in
the
kernel
and
just
reading
that
data
look
at
the
source
address
the
destination
address,
and
so
we
can
see
all
of
the
connections
that
are
being
made
and
which
program
is
making
those
connections.
A
B
B
Of
course
you
know
you
could
you
could
attach
to
every
function
in
the
kernel
and
just
completely,
you
know
dos
your
system
or
you
can
have
you
know,
kind
of
targeted
and
events
that
you
want
to
get
information
about,
and
there
are
a
lot
of
ways
to
aggregate
data.
So
ebpf
provides
different
techniques
for
for
getting
data
of
the
kernel.
B
B
B
B
B
A
B
B
B
A
A
B
Yeah,
I
think
that
the
the
best
way,
probably
the
one
of
the
the
most
full-featured
toolkits
for
generating
data
like
that
is
the
vector,
subsystem
or
vector
system
from
a
performance
monitoring
system.
That's
netflix
has
open
source
and
also
you
know
these.
You
can
generate
flame
graphs
in
different
ways.
A
A
B
Yeah,
so
you
know
the
kind
of
going
back
to
the
you
know.
What
are
the
alternatives
to
running?
You
know
you're
this,
this
container,
that
is
inserting
these
bpf
programs
is
running
and
is
privileged.
So
of
course
you
want
to
make
sure
that
your
user
space
code,
that's
managing
and
running
your
ebpf
programs
is,
is
secure
and
managed
properly
the
verifier.
B
You
know
there's
there's
kind
of
two
angles
to
that
question.
So
one
is:
what's
this
you
know.
Is
this
going
to
crash
my
kernel?
Is
this
going
to
crash
my
host
and
then
the
other
angles
you
know
is
this?
Is
this
secure
and
I
would
say
that
you
know
there
have
been
some
there
haven't
been
an
edpf
attack,
but
there
has
been
some
data
leaks
and
things
that
enabled
with
ebpf,
but
really
the
any
user
of
ebpf
has
super
user
privileges,
and
so
that's
that's
something
to
watch
out
for
now.
B
Now,
of
course,
the
the
verifier
essentially
that
your
program
must
pass
is
built
into
the
linux
kernel
and
it
will.
The
verifier
will
ensure
that
it,
the
the
code,
terminates
and
isn't
going
to
get
into
any
infinite
loops.
In
fact,
unbounded
loops
aren't
allowed
in
bpf
programs.
The
bpf
instruction
set
is
actually
quite
quite
constrained
in
what
you
can
do
and
that
actually,
that
helps
a
lot
of
security
null
d
references,
a.
A
B
A
B
B
A
A
B
You
know,
I
think,
the
the
there
really
are
no
downsides,
because
it's
and
you
know,
of
course,
that's
a
very
blanket
statement,
but
you
know
the
maybe
what
are
the
you
know?
What
are
the
issues
that
it
can
bring?
I
guess
is
maybe
a
different
way
to
think
about
it,
and
so
the
I
think
one
one
challenge
is
making
sure
that
you're
running
on
a
kernel
that
has
you
know
you
really
need
to
be
on
a
more
recent
kernel.
B
B
Extending
the
linux
kernel,
and
in
order
to
do
that,
you
need
to
know
what
is
the
layout
of
a
particular
struct
that
I
want
to
get
data
from
and
across
linux
kernel
versions
that
those
struct
layouts
will
change,
and
so
in
the
coop
cuddle
example
demo.
I
just
showed
the
what
actually
is
happening
is
we
need
the
linux
kernel
headers
in
order
to
run
the
the
bpf
program.
B
So
when
we
compiled
that
script
into
bpf
bytecode
before
it's
inserted
into
the
kernel,
the
headers
are
needed
and
that
can
be
very
challenging
because,
especially
if
you're
trying
to
support
you
know
you're
developing
software,
that
you
want
to
run
on
a
like
a
variety
of
different
linux
kernels.
You
know
and
coming
from
someone
who's
worked
on
a
security
product
that
you
want
to
run
on
a
lot
of
linux.
Kernels!
That's
a
challenge!
B
I
mean
that's
something
that
the
community,
the
dpf
community,
is
very
well
aware
of
and
they've
been
adding
features
to
export
the
struct
formats
and
the
data
types
within
the
kernel,
so
that
you
can
just
subscribe
to
that.
It's
called
btf
or
bpf
type
format
and
there's
a
another
initiative
called
that
uses.
B
Btf
called
core
or
compile
ones
run
everywhere,
and
that's
kind
of
the
the
ideal
in
state
for
these
tools
is
that
you're
able
to
write
a
bpf
program
and
and
run
it
anywhere,
but
right
now
that
can
be
challenging,
because
only
the
most
like
recent
kernels
support
that
you
know,
depending
on,
if
you're,
if
you're
on
a
cloud,
if
you're
in
the
cloud,
it's
it's
going
to
be
supported,
but
otherwise,
maybe
not
that's
just
something
you
have
to
look
into
yeah.
You
know
the
other.
B
A
A
B
A
B
Difficult,
you
know
any
time,
you're
you're,
adding
overhead
within
the
kernel.
If
your
application's
slowing
down-
maybe
that's
that-
can
be
difficult
to
diagnose.
There
are
tools
and
techniques
being
kind
of
developed
for
performance
counters
and
measuring
okay.
I
want
to
see
you
know
how
much
time
is
being
taken
every
time.
A
B
Yeah,
let
me
let
me
go
back
to
this
this
slide
here
and
I
you
know.
I
think
that
so
we
have
this
bottom
layer
of
the
linux
kernel,
and
you
know
this
is
the.
I
would
consider
this
slide
from
the
kind
of
the
road
map
of
edpf
there's
you
know,
ebpf
is
being
added
to
linux.
Kernel.
Microsoft
has
been
adding
an
ebpf
layer
to
windows.
A
B
From
the
perspective
of
security,
the
coolest
thing
is
be
to
be
able
to
have
a
way
to
not
only
get
data
from
the
kernel
but
actually
take
action
within
ebpf,
and
so
that's
where
I
think,
when
you
start
writing
when
people
start
writing-
and
this
has
already
begun-
writing
ebpf
programs
that
actually
can
take
action
within
the
kernel,
then
there's
a
lot
of
really
interesting
tools
and
platforms
that
can
be
built.
So,
from
the
perspective
of
security,
there
is
a
new
linux
security
module
based
on
ebpf
called.
In
fact,
I'm
not
sure.
B
If
I
get
this
right,
but
kernel
security,
it's
ksri,
okay,
kernel
or
maybe
I
got
the
snr
swapped
kernel,
runtime
security
instrumentation,
there
you
go
and
what
what
that
allows
you
to
do
is
is
actually
have
checks.
So
you
know,
is
this
process
authorized
to
take
this
action
and
you
can
just
deny
it,
and
so
those
types
of
rules
can
be
updated
and
tied
into
the
higher
application
or
authorization
frameworks.
And,
what's
great
about
that,
is
it's.
B
You
know
anytime
you're,
taking
action
within
the
kernel,
it's
performant
because
it's
not
requiring
you
to
go
back
and
forth
between
user
space
and
kernel
space.
The
the
other
place.
That's
really
interesting,
is
just
observability.
So
there's
a
lot
of
observability
frameworks.
Pixy
is
is
one
observability
framework
and
I
think
in
general,
if
you're
doing
any
kind
of
application,
tracing
or
monitoring,
it's
gonna
ultimately
be
based
on
ebpf,
and
I
haven't
really
specified
this
or
kind
of
gone
into
detail
about
it.
B
B
Opens
up
a
whole
world
of
observability
and
you
know
just
flame
graphs
are
kind
of
like
the
beginning
of
all
the
different
ways
you
can
like
right
dive
down
into
what's
what's
happening
so
security
in
actually
doing
enforcement.
That's
one
area,
that's,
I
think
super
cool,
the
observability
frameworks
that
are
being
built
on
top
of
ebpf
and
then
finally,
service
meshes
and
networking.
So.
B
A
B
Provides
is
again
you're
able
to
not
have
to
use
ip
tables
to
manage
the
connections
between
deployments
or
even
between
clusters.
This
can
all
be
configured
within
ebpf,
and
you
know
you.
There
are
there's
a
component
of
the
linux
kernel
called
xdp
the
express
data
path
that
is
used
often
by
hardware
manufacturers
to
tie
you
know
as
a
as
a
way
to
integrate
their
nics
with
the
linux
kernel,
but
then
also
you
can
have
essentially
a
software
layer
built
in
there,
and
so
that's
that's
what
what
psyllium
is?
A
B
B
What
the
questioner
is
asking
in
terms
of
where
they
think
where
they're
going
is
that,
of
course,
if
you
are
writing
a
bpf
program
and
it's
inserted
into
kernel,
there
actually
is
a
gpl
license
check
in
the
verifier,
and
so,
as
you
know,
I'm
I'm
not
a
lawyer,
but
you
still
have
to
you
know.
If
you're
going
to
be
interacting
with
a
gpl
api
within
the
kernel,
then
your
bpf
code
needs
to
be
open
source
as
well.
So
you
know,
I
think,
that's
an
interesting
idea.
B
A
A
I
think
safer
is
kind
of
the
right
like
yeah.
Easiness
aside,
this
is
just
safer
to
do
than
like
building
kernel
modules
left
and
right.
That's
right,
yeah,
yeah,
and,
to
be
honest
with
you,
I
don't
know
where
eighth
doctor
was
going
with
the
question.
But
if
that
didn't
answer
your
question
8th
doctor,
please
let
us
know
khalid
raid
says.
The
most
interesting
thing
to
me
is
how
you
can
control
network
traffic
on
layer,
seven
with
evpf,
and
that
that
is
super
awesome.
A
B
B
I
mean
that
is,
you
know,
get
essentially
you're
giving
these
kind
of
core
data
paths
context
and
you
you
know,
user
space
can
provide
the
the
context
through
evf
and
then
it's
you're
able
to
build
these
performant
networking
tools.
You
know
whether
you're
doing
packet,
inspection
or
you
know,
yeah
taking
taking
action
on
things.
You
know
I
haven't
seen
anyone
do
like
an
ids
and
ebpf,
but
those
types
of
things
that
would
be
cool,
yeah
yeah.
You
know,
I
think,
and
maybe
going
back
to
the
challenges.
B
Off
the
top
of
my
head,
how
many
there's
there's
an
instruction
limit
on
how
many
instructions
can
be
in
the
program?
And
so
you
know,
I
think,
when
you're
thinking,
if
you're
thinking
of
small
snippets
and
like
you
know,
you're
you're
building
together,
you
know
for
psyllium
falco
these
these
projects
have
large
ebpf
programs,
but
they're
really
pushing
the
limits
of
the
the
size
of
what
you
can
do.
So
you
you
can't
build
a
you
know.
B
A
Yeah
yeah
detective
conan
kudo.
He
basically
the
issue
here
is
that
proprietary
programs
for
the
kernel
that
are
tied
to
specific
kernel
versions
bring
us
back
to
the
problem
that
prevent
people
from
upgrading
kernels
in
the
first
place.
I
don't
think
ebpf
does
that
here
you
have
that
instruction
set
limit
it.
It
doesn't
live
in
the
kernel.
It
calls
the
kernel
right
like
so
it's
one
of
those
things
where
it's
like
like.
If
people
are
concerned
about
this
causing
you
to
like
stick
to
a
certain
kernel
version,
I
don't
think
that's
the
case.
A
A
A
B
You're,
not
necessarily
you
need
to
have
some
code
within
the
kernel
that
allows
you
to
do
those
actions,
and
so
I
think
it
does
from
you
know,
from
the
perspective
of
linux,
kernel
features
being
added,
knowing
that
you
can
build
a
subsystem
with
the
idea
of
users
using
evpf
to
then
make
it
what
they
need
to
be.
You
know
like
to
extend
it
the
way
they
would
like.
You
know
the
the
linux
kernel.
B
A
A
B
Call
limits
the
you
know,
I
think,
from
the
from
the
beginning.
You
know,
ebpf
is
one
of
those
acronyms
that
doesn't
really
have
any
meaning
anymore,
because
it
kind
of
we're
we're
talking
about
the
whole
ebbs
sub
system
and
all
these
platforms
and
things
when
we
say
uvpf,
but
ultimately
it's
extended
berkeley,
packet
filters
and
so
berkeley
packet
filters
and
ip
tables
have
been
around
for
a
while,
and
so
you
know
it's
I
think
it's.
B
All
all
the
different
paths
in
your
ebpf
program
are
essentially
walked
to
look
for
nullity
references
to
make
sure
that
you're.
You
know
it's
there's
no
way
that
you're
going
to
dereference
a
null
pointer
and
also
the
kernel,
provides
a
lot
of
evpf
helper
functions
and
that's
usually
what's
used
to
get
data.
So
you're
using
the
helper
functions
to
then
interact
with
the
rest
of
the
kernel
within
edpf.
B
B
So
I
I
would
definitely
want
to
mention
that
the
ebpf
dot
io
organization-
just
actually,
I
think
it
just
finished
like
an
hour
ago-
had
a
summit
yesterday
and
today
is
the
second
summit.
They
had
it
last
year
for
the
for
the
first
time
and
for
people
that
want
to
know
more
particularly
about
you
know
the
lower
level
details
of
epf,
but
also
just
different
use
cases,
definitely
check
out
the
ebpf
summit.
It's
free.
All
the
videos
are
online.
A
B
A
Right,
yeah,
that's
a
good
point:
the
I'm
looking
at
some
of
this
schedule.
It's
intense,
but
you
know
typical
suspects,
liz
rice,
janna,
dugan,
all
the
fun
people,
tabitha
shale,
sable,
yeah,
all
the
low-level
folks.
I
know
that
know
everything
about
syscalls
are
speaking
at
ebpf
summit,
so
that's
cool.
A
B
A
Yeah,
the
the
capture
flag
demo
that
was
done
during
kubecon
eu
was
just
fascinating
to
me
and,
like
the
second,
we
found
the
problem
because
we
were
running
out
of
time,
and
I
say
we
because
it
felt
like
we
were
all
working
on
it
together
in
the
live
stream.
It
was
just
like.
Oh
there's,
the
problem,
that's
the
naughty
bits
right
there,
let's
get
rid
of
those
and
off
we
went
but
yeah.
It
was
a
nice
yeah.
A
B
B
B
A
B
B
A
B
A
B
Haven't,
but
that
is
always
a
pain
point
when
looking
at
you
know
performance,
performance,
counters
and
things
like
that,
where
you
want
to
be
able
to.
You
know,
diagnose
issues.
I
know
that
pixie
has
done
some
work
on
performance.
You
know
kind
of
continual
performance,
monitoring
with
evpf
and
I
believe
they've
opened.
I
don't
think
they've
yet
open
sourced
their
it's.
They
have
a
community
edition,
but
they
have
some
interesting
blogs
about
performance
for
profiling
with
ebpf.
Okay.
I
can.
I
can
share
that
after
after
the
talk
yeah.
A
A
B
No,
I
mean,
I
think
that
language
is
gonna,
stay
relatively
stable.
The
instruction
said
I
mean
there.
There
are,
I
think,
there's
been
recent
work
to
add
atomics
and
also
additional,
like
linux
features
to
get
data
out
of
the
kernel,
and
so
there's
there's
several
different
ways
to
to
you
know
you
can
insert
a
bpf
program
just
using
the
bpf
system
call,
but
then
to
get
data
out.
The
program
can
write
to
a
perf
buffer
or
also
there's
bpf
ring
buffers
which
have
performant
characteristics,
and
so
I
think,
really
the
language.
A
That
makes
sense,
yeah
and
grow
awesome.
Well,
cool.
I
don't
have
anything
else
for
us
unless
you
do
or
the
audience
might
toss
in
something
here
at
the
last
second,
who
knows,
but
this
has
been
awesome.
This
has
been
very
insightful,
I'm
glad
you
came
on
today.
Thank
you
so
much.
Thank
you
to
the
audience
for
your
questions
and
participation.
This
was
awesome.
What's
next
I
mean
you
know.
Where
do
we
go
from
here
and
you
know.
A
B
Have
we
have
all
these
ephemeral
containers
and
clusters
in
our
in
our
environments
and
you
you
need
a
kind
of
a
way
to
slice
through
you
know
not
not
horizontally,
but
vertically.
What's
the
user
space
program
doing
what's
the
kernel
doing
and
ebpf
is
kind
of
like
the
the
the
best
way
to
do
that
right
now
and
so
the
the
I
think,
like
I
said,
there's
going
to
be
more
and
more
things
built
on
bpf.
A
A
That
is
incorrect,
but
so
here's
a
better
idea
subscribe
to
our
calendar
and
you'll,
get
all
the
fun
links
to
all
the
programs
that
are
coming
up
on
the
show
or
the
channel
and
yeah
highly
encourage
you
to
do
that.
So
you
can
keep
up
to
date
with
all
the
latest
and
greatest
cloud
native
fun
things
we're
doing
here
at
red,
hat,
yeah,
so
robbie
without
further
ado.
Thank
you
very
much
and
y'all
stay
safe
out.
There
see
you
soon.