Frequently Asked Question
What is eBPF and why is everyone talking about it?
eBPF (extended Berkeley Packet Filter) is an in-kernel virtual machine that lets you load and run small, sandboxed programs at strategic hook points (tracepoints, kprobes, uprobes, network sockets, scheduler events, syscall entry and exit) and gather data into kernel maps that user space can read. A verifier in the kernel statically checks each program for safety (bounded loops, no out-of-bounds memory access, no privileged instructions) before it is allowed to run, so unlike a kernel module, an eBPF program cannot crash the kernel.
The result is observability and instrumentation that used to require recompiling the kernel, but with near-zero overhead and no reboots. Tools built on eBPF (bpftrace; the bcc toolkit with opensnoop, execsnoop, biolatency, tcplife and others; bpftop; Cilium's networking; the libbpf-based system tracers that attach through bpf_program__attach()) answer questions that previous generations of Unix admins could only dream about. It is the most important Linux observability development of the last decade and worth learning, even casually.
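To make the hook-point-plus-map model concrete, here is an added bpftrace script (written for this answer, not taken from the bpftrace or bcc projects) that does a cut-down version of what execsnoop does: it attaches to the execve syscall entry and exit tracepoints, prints each process execution as it happens, and keeps per-command counters in maps that bpftrace reads back from the kernel when you stop it. It assumes a recent bpftrace with tracepoint support and root privileges; the map names (@execs, @failed) and output format are my own choices.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: process-execution visibility via the execve tracepoints.
// Assumes bpftrace with syscall tracepoints available; run as root.

BEGIN
{
    printf("%-8s %-16s %s\n", "PID", "CALLER", "PATH");
}

// Hook point: syscall entry. comm here is the *calling* process (e.g. bash),
// because the image has not been replaced yet; args->filename is the
// path handed to execve(2).
tracepoint:syscalls:sys_enter_execve
{
    printf("%-8d %-16s %s\n", pid, comm, str(args->filename));
    // Kernel map, keyed by caller command name, read by user space at exit.
    @execs[comm] = count();
}

// Hook point: syscall exit. A negative return is the errno of a failed exec,
// which is useful when investigating scripts that try paths that do not exist.
tracepoint:syscalls:sys_exit_execve
/args->ret < 0/
{
    @failed[comm, args->ret] = count();
}

// Runs on Ctrl-C: print the aggregated maps, then clear them so bpftrace
// does not print them a second time on its own.
END
{
    printf("\nexecs by calling command:\n");
    print(@execs);
    printf("\nfailed execve by command and errno:\n");
    print(@failed);
    clear(@execs);
    clear(@failed);
}
```

Save it as execcount.bt and run `sudo bpftrace execcount.bt`; the per-event lines appear live, and the two maps are dumped when you press Ctrl-C. Everything inside the probe blocks runs in the kernel, which is why the verifier's checks matter: if the program could loop unboundedly or read outside its arguments, the load would be refused rather than the kernel risked.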