Dear Santa, welcome to this interview! We just finished 2023’s tour. How did it go, this year? These are great news. How do you explain the progress you’ve made? What infrastructure? And what were you using before Cilium? How did these previous solutions work for you? So why did you try Cilium? How did Cilium change the situation? Rumour has it you renamed the reindeers, can you tell more about that? What do you plan for the year ahead? Many thanks for your replies! We wish you a very Hap...| Whirl Offload
One of my first contributions to the eBPF ecosystem was to list the available resources about eBPF, to help people get started with the topic (and, let’s be honest, so I could remember where to find these resources myself when I needed them). Since then, eBPF has gained in notoriety, and we now have many more available resources, from books to tutorials, a variety of blog posts, better kernel documentation, and a lot more. The website https://ebpf.io is an excellent starting point to learn ...| Whirl Offload
The journeyBees, and more bees Bee smokers Hannah the Honeyguide At last, bpftool has a logo! But finding the right one was a long process. The journey I have thought about a logo for bpftool for a while. Something that would accurately represent the tool, and its relationship with BPF objects. I’m decently creative, and I don’t lack ideas; I’ve just been struggling to find the idea, the one that passes the bar that I mentally set. And I know how to fiddle with Inkscape, but I’ve got ...| Whirl Offload
This post was left aside as a draft for a long time. Most of it was written in August 2022, but it should still be accurate as of its publication. Networking eBPF programs take a pointer ctx to a struct __sk_buff (or a struct xdp_md) as their only argument. This struct is a lighter version of the socket buffer, SKB (or an XDP equivalent), that contains some metadata about the packet to process. In particular, it contains 32-bit long unsigned integers (__u32), ctx->data and ctx->data_end, poin...| Whirl Offload
Gearing up with open-source components Taking marks Picking a direction The road ahead The journey is just starting This article was initially published in June 2021 on LWN.net. Extended BPF (eBPF), the general-purpose execution engine inside of the Linux kernel, has proved helpful for tracing and monitoring the system, for processing network packets, or generally for extending the behavior of the kernel. So helpful, in fact, that developers working on other operating systems have been watchi...| Whirl Offload
This explanation on eBPF program size limit was initially published in February 2021 by the Cilium community as part of the eBPF Updates #4 on ebpf.io. Do you know what the maximum size of an eBPF program is? You may have heard of programs limited to 4k instructions, but this has changed some time ago. One particularity of eBPF programs, enforced at load time by the kernel verifier, is that they must run and eventually terminate within a relatively short delay. Allowing for long runs would sl...| Whirl Offload
This brief description of the eBPF virtual filesystem was initially published in January 2021 by the Cilium community as part of the eBPF Updates #3 on ebpf.io. eBPF objects, such as a program or a map, reside in kernel memory until they are no longer needed. Internally, the kernel uses reference counters to keep track of the number of “handles” pointing to such objects. When the number of references comes down to zero, the program or the map is destroyed. The references to a program woul...| Whirl Offload
This brief description of CO-RE was initially published in December 2020 by the Cilium community as part of the eBPF Updates #2 on ebpf.io. CO-RE (Compile Once, Run Everywhere) is a mechanism used with eBPF to ensure portability of the programs, mainly those intended for tracing. It addresses the issue that arises when a given structure is modified between two kernel versions. Tracing programs may attempt to access a field from a given structure by reading at a specific offset in that structu...| Whirl Offload
“Hi, I have the pleasure to announce the availability of a mirror for bpftool on GitHub, at the following URL: https://github.com/libbpf/bpftool This mirror is similar in spirit to the one for libbpf, and its creation was lead by the following motivations. The first goal is to provide a simpler way to build bpftool. So far, building a binary would require downloading the entire kernel repository. By contrast, the code in the GitHub mirror is mostly self-sufficient (it still requires libelf ...| Whirl Offload