Understanding BPF Tokens in Linux eBPF

Understanding BPF Tokens in Linux eBPF

BPF Token Version 6.9 The BPF token is a mechanism that allows privileged processes (such as container runtimes, located in the init namespace) to delegate certain functionalities of the BPF subsystem to unprivileged processes (such as processes within containers, located in the user namespace). eBPF and Linux Capabilities When eBPF was first introduced in the … Read more

Understanding KFuncs in Linux eBPF

Understanding KFuncs in Linux eBPF

KFuncs v5.13 KFunc (Kernel Function) refers to functions in the kernel that are specially annotated and explicitly allowed to be called from eBPF programs. KFuncs complement traditional eBPF helper functions, providing a new way to achieve similar functionality. Formally, KFuncs are unstable. Unlike helper functions, KFuncs do not have a User Space Application Programming Interface … Read more

Dynamic Pointers in Linux eBPF

Dynamic Pointers in Linux eBPF

Dynamic Pointers in Linux eBPF Dynamic Pointers (Dynptrs) The term “dynptr” (dynamic pointer) is a concept within the Linux eBPF verifier. It is a pointer that carries additional metadata, allowing certain safety checks to be performed at runtime. This mechanism is particularly useful when it is difficult to statically prove the safety of operations. For … Read more

Understanding eBPF Timers in Linux

Understanding eBPF Timers in Linux

eBPF Timers v5.15 Timers allow eBPF programs to schedule the execution of an eBPF function at a later time. Use cases for this functionality include garbage collection of mapping values or performing periodic checks. For example, if the TTL (Time to Live) of a DNS record has expired, we may want to remove those records … Read more

Concept of Tail Calls in Linux eBPF

Tail calls A tail call is a mechanism that allows eBPF developers to split logic into multiple parts and jump from one part to another. Unlike traditional function calls, the control flow never returns to the code that initiated the tail call; it works more like a <span>goto</span> statement. To use tail calls, developers need … Read more

Golden Rules for Linux Performance Tuning: Addressing CPU, Memory, and I/O Bottlenecks

Introduction Starting with a painful downtime incident. The response time of the online business system skyrocketed from 200ms to 8 seconds, yet the CPU usage (65%), memory (30% free), and disk I/O appeared “normal”. The core issue: judging system health based on a single metric ignores the complexity of Linux performance, which is a complex … Read more

Linux eBPF – The JavaScript of the Linux Kernel

Linux kernel programming is a skill that most developers have either never encountered or are intimidated by. Just thinking about it can be daunting; what if the kernel crashes? The eBPF technology alleviates concerns about kernel programming, providing an impulse to give it a try. eBPF (extended Berkeley Packet Filter) is a revolutionary technology in … Read more

Types of eBPF Programs in Linux

Program types (Linux) eBPF programs can be used for a wide variety of purposes that are constantly expanding. To accommodate these different use cases, the kernel provides various types of eBPF programs. Since different types of programs execute in different locations within the kernel, the Linux kernel restricts or allows certain functionalities based on the … Read more

Overview of eBPF Implementation on Linux

eBPF on Linux Programs The core component of eBPF is the programs. eBPF programs can be attached to various locations in the kernel and invoked like functions. These programs have a wide range of applications, such as logging information, modifying data, making decisions, or triggering side effects. The locations where a program can be attached … Read more