Introduction to eBPF (Workshop)

Mar 2025

10 Mon

11 Tue

12 Wed

13 Thu

14 Fri 04:00 PM – 08:35 PM IST

15 Sat 09:00 AM – 05:50 PM IST

16 Sun 09:00 AM – 06:05 PM IST

National Institute of Technology Calicut, Calicut

Introduction to eBPF (Workshop)

Submitted Jan 4, 2025

Prerequisites:

A Linux based operating system(Any GNU+Linux distro would do). We can run eBPF on Windows/Macos but this is usually over a virtuallized Linux middleware.
Basic understanding of system calls, kernel and user space contexts
C Programming

The workshop structure closely resembles the first few chapters of https://eunomia.dev/en/tutorials/.

Code samples, snippets and other resources will be provided, it will be a hands on session.

Estimated time: ~180 minutes

What is eBPF?

(Duration: 25-30 minutes)

BPF is a technology that can run programs in a privileged context such as the operating system kernel. It is the successor to the Berkeley Packet Filter (BPF, with the “e” originally meaning “extended”) filtering mechanism in Linux and is also used in non-networking parts of the Linux kernel as well.

It is used to safely and efficiently extend the capabilities of the kernel at runtime without requiring changes to kernel source code or loading kernel modules. Safety is provided through an in-kernel verifier which performs static code analysis and rejects programs which crash, hang or otherwise interfere with the kernel negatively.

Broadly, the agenda would be:

Understand what eBPF is? Why do we need it? Can’t we use kernel modules?
What functions does it have? What can it do in the Linux kernel? What are the types of eBPF programs and helpers (not all of them need to be known, but need to know where to find them)?
What can it be used for? For example, in which scenarios can it be used? Networking, security, observability?

(Content sourced from wikipedia)