Saturday, May 9, 2026

eBPF

eBPF (extended Berkeley Packet Filter) was first introduced in 2014.


The technology was created by Alexei Starovoitov and Daniel Borkmann. It was officially merged into the Linux kernel with the release of version 3.18 in December 2014, which exposed the eBPF virtual machine directly to user space. 

Key Historical Context
  • Predecessor (Classic BPF): eBPF is an evolution of the original Berkeley Packet Filter (BPF), which was invented in 1992 by Steven McCanne and Van Jacobson at Lawrence Berkeley Laboratory.
  • Primary Motivation: While classic BPF was limited primarily to network packet filtering, eBPF was designed to be a general-purpose, high-performance in-kernel virtual machine.
  • Infrastructure Evolution: Since its 2014 release, eBPF has expanded beyond networking into observability, security, and tracing, leading to the creation of the eBPF Foundation in 2021 by major tech companies like Google, Meta, and Microsoft. 
The mascot of the eBPF Foundation is eBee.

eBPF (extended Berkeley Packet Filter) is a technology that allows you to run custom, sandboxed programs inside the Linux kernel without changing its source code or loading dangerous kernel modules.

Think of it like JavaScript for the operating system: just as JavaScript lets you add dynamic features to a static webpage without changing the browser's engine, eBPF lets you add custom logic to the kernel at runtime. 

Key Benefits
  • Safety: Every program passes through a verifier that checks for infinite loops and illegal memory access before it is allowed to run, so a faulty program cannot crash the system.
  • Performance: Programs are Just-In-Time (JIT) compiled into native machine code, running at near-native speed.
  • Efficiency: By processing data directly in the kernel, it avoids the expensive overhead of moving data back and forth between "kernel space" and "user space".
  • No Reboots: You can load or update eBPF programs on a live system without restarting the machine or the kernel. 
Common Use Cases

The eBPF Foundation highlights three main pillars where this technology is transforming infrastructure:
  • Networking: Building high-performance load balancers and firewalls (e.g., Cilium) that process packets before they even reach the standard network stack.
  • Observability: Gathering deep insights into system performance and application behavior with almost zero overhead, which is essential for Kubernetes monitoring.
  • Security: Detecting and blocking malicious activity (like unexpected file access or network connections) in real-time at the kernel level. 
How it Works
  1. Write Code: Developers write programs, usually in a restricted version of C.
  2. Compile: The code is compiled into eBPF bytecode.
  3. Verify & Load: The kernel's verifier checks the bytecode for safety; if it passes, the JIT compiler turns it into machine instructions.
  4. Attach to Hooks: The program is attached to "hooks", specific kernel events such as a system call, a network packet arriving, or a function being called.
  5. Data Sharing: eBPF programs use maps (efficient key-value stores) to share data with other programs or user-space applications. 
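To make steps 2 and 3 concrete, here is an added Python example (not code from the original post) that packs eBPF instructions into the kernel's 8-byte bytecode encoding and then runs a deliberately simplified stand-in for the verifier's control-flow pass. The opcode values are the real ones from the kernel's instruction set; the check itself (forward-only jumps, in-bounds targets, mandatory exit) is an assumption that models the original verifier's "no loops" rule, not the full verifier.

```python
import struct
from typing import List, Tuple

# eBPF instruction layout (struct bpf_insn): u8 code, u8 dst:4|src:4, s16 off, s32 imm
BPF_MOV64_IMM = 0xb7   # BPF_ALU64 | BPF_MOV | BPF_K
BPF_JEQ_IMM   = 0x15   # BPF_JMP   | BPF_JEQ | BPF_K
BPF_JA        = 0x05   # BPF_JMP   | BPF_JA
BPF_EXIT      = 0x95   # BPF_JMP   | BPF_EXIT
JUMP_OPS = {BPF_JEQ_IMM, BPF_JA}

def encode(code: int, dst: int = 0, src: int = 0, off: int = 0, imm: int = 0) -> bytes:
    """Pack one instruction into its 8-byte little-endian wire form."""
    return struct.pack("<BBhi", code, (src << 4) | dst, off, imm)

def decode(blob: bytes) -> List[Tuple[int, int, int, int, int]]:
    """Split raw bytecode back into (code, dst, src, off, imm) tuples."""
    if len(blob) % 8:
        raise ValueError("bytecode length must be a multiple of 8")
    out = []
    for i in range(0, len(blob), 8):
        code, regs, off, imm = struct.unpack("<BBhi", blob[i:i + 8])
        out.append((code, regs & 0xF, regs >> 4, off, imm))
    return out

def check_control_flow(blob: bytes) -> Tuple[bool, str]:
    """Simplified verifier pass (assumption, not the kernel's code): every jump
    must land inside the program and go forward only, and the program must end
    in an exit so execution can never fall off the end."""
    insns = decode(blob)
    n = len(insns)
    for idx, (code, _dst, _src, off, _imm) in enumerate(insns):
        if code in JUMP_OPS:
            if off < 0:
                return False, f"insn {idx}: backward jump (possible loop)"
            target = idx + 1 + off      # offsets are relative to the next instruction
            if not 0 <= target < n:
                return False, f"insn {idx}: jump target {target} out of bounds"
    if not insns or insns[-1][0] not in (BPF_EXIT, BPF_JA):
        return False, "program does not end with exit"
    return True, "ok"

# Constructed sample: the smallest useful program, `r0 = 1; exit`
PROG_OK = encode(BPF_MOV64_IMM, dst=0, imm=1) + encode(BPF_EXIT)
# Constructed sample: an unconditional jump back onto itself (an infinite loop)
PROG_LOOP = encode(BPF_MOV64_IMM, dst=0, imm=1) + encode(BPF_JA, off=-1) + encode(BPF_EXIT)
```

Run `check_control_flow` on both samples to see the accepted program and the rejected loop; the bytes in `PROG_OK` are exactly what a loader would hand to the `bpf()` syscall.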