
eBPF Finds a Home with a New Foundation

12 Aug 2021 9:08am

Facebook, Google, Isovalent, Microsoft and Netflix have joined together to create the eBPF Foundation under the umbrella of the Linux Foundation, giving the eBPF project a vendor-neutral home for its future endeavors.

The Extended Berkeley Packet Filter (eBPF) was originally created in 2014, as a follow-on to the original Berkeley Packet Filter created in 1992. Despite the name, eBPF is more than an extension of the original. eBPF is a fully separate project that provides backward compatibility with BPF, and has been referred to as “Linux’s newest superpower.” eBPF provides a way for the Linux kernel to execute customized operations on the user’s behalf using a just-in-time (JIT) compiler while also providing a fully sandboxed environment. In essence, eBPF allows you to extend the Linux kernel without actually changing it.

“eBPF started out in 2014 for a very simple reason: the Linux kernel community was no longer capable of agreeing on every change. Companies like Google and Facebook came in and they asked for certain changes, and it was no longer possible to find consensus among everybody that this change makes sense for all the interested parties. So, some aspect of programmability was required. eBPF was the answer for that,” explained Thomas Graf, co-founder and chief technology officer of Isovalent, the company behind Cilium. “Now, instead of having to convince the entire Linux kernel community that your change is important for everybody, you can load an eBPF program, very similar to how a web developer no longer has to convince every single browser vendor to bring a new feature, but instead can write JavaScript code.”

Functionality such as this was previously available only to companies that could employ a kernel team to fork the Linux kernel and maintain their own branch, or to those using Linux kernel modules, explained Graf. While the first option was cost-prohibitive, Linux kernel modules posed another problem: any bug could crash the Linux kernel entirely, and eventually, many cloud providers wouldn’t even allow them anymore for certain distributions.

“Unless you could host and maintain and employ your own kernel team, you were kind of stuck with the capabilities that the Linux kernel of your distribution would provide,” said Graf. “eBPF changes this. That’s kind of the third option now. You can make your own changes, you can maintain your own changes, but you don’t have to maintain a downstream fork.”

Graf compares eBPF to the JavaScript environment, in that it offers both a sandboxed environment and a JIT compiler, which also means that changes don’t require the kernel to be recompiled, but instead can run immediately. For those building an application using eBPF, there is an API, and SDKs are available for C++, Go, Python, and Rust.

In recent years, eBPF has seen quite a bit of growth, with the project forming the basis for a variety of tools in the realms of networking, security, application profiling/tracing and performance troubleshooting. Recently, eBPF was ported to Windows, where eBPF for Windows will bring this functionality to Windows 10 and Windows Server 2016, and Graf says that a port to BSD is also in the works. This recent interest, said Graf, is part of the reason behind forming the eBPF Foundation.

“The eBPF foundation brings everybody together and creates a governance structure that allows for safe innovation between everybody,” said Graf. “eBPF is becoming incredibly popular, so there have been more parties that want control over it like we have seen with many other open source technologies. The foundation makes sure that the governance, running things like events, making technical decisions, defining the requirements to be an eBPF certified runtime — all of these decisions are done by a foundation that is steering control by the parties, by the engineers, or by the people that have created eBPF. It is important that everybody feels safe to contribute. That’s the goal.”

At launch, the eBPF Foundation will start with a number of established projects and libraries, including some emerging use cases, and the foundation will be home to future open source eBPF projects and technologies, as well. The foundation will also serve to help host community events and summits, such as the free and virtual eBPF Summit taking place next week on Aug. 18 and 19.

The New Stack is a wholly owned subsidiary of Insight Partners. TNS owner Insight Partners is an investor in the following companies: Bit.
