In 1992, the Berkeley Packet Filter (BPF) was introduced in Unix circles as a new, improved network packet filter. Nice, but not that big a deal. Then, in 2014, it was changed and brought into the Linux kernel as extended BPF (eBPF). Again, that was okay. Just okay. Soon thereafter though, developers started using it to run user-space code inside a virtual machine (VM) on the Linux kernel. And, then it was a huge deal. As Netflix computer performance expert Brendan Gregg said, with eBPF, "superpowers have finally come to Linux."
What superpowers? eBPF gives you the power to run programs in the Linux kernel without changing the kernel source code or adding additional modules. In effect, it acts as a lightweight (VM) inside the Linux kernel space. There, programs that can run in eBPF run much faster, while taking advantage of kernel features unavailable to other higher-level Linux programs.
Of course, running applications that close to the kernel even with eBPF isn't easy. That's where Solo.io, an application networking company, comes in with its new open-source project, BumbleBee. BumbleBee simplifies building, packaging, and distributing eBPF tools by automatically generating boilerplate user-space code for developing eBPF tools.
If that sounds a bit like Docker, you're right it does. That's by design. BumbleBee's code also enables you to plug its programs into other Open Container Initiative (OCI) image workflows for publishing and distribution. Does this mean you could incorporate eBPF programs into a Continuous Integration/Continuous Development (CI/CD) workflow? Yes, it does.
Typically eBPF is used as a safe way to enhance the kernel with observability, networking, and security technologies. These programs run in response to events such as network packets arriving. Typically, eBPF programs are written in a higher-level language, such as C, and then Just in Time (JIT) compiled into x86 assembly for maximum performance and safety.
The eBPF architecture expects eBPF programs to be loaded as bytecode, and the kernel has data structures and formats that are specific to each kernel version. It's not, in big capital letters, easy. In addition, packaging and distributing these binary programs is tedious, time-consuming, and error-prone. BumbleBee's goal is to simplify the development, packaging, and sharing of eBPF tools and speed up eBPF's adoption.
"At Solo.io, we see eBPF as a critical enabling technology that will improve application networking. We've been working during the last year to leverage eBPF technology with Gloo Mesh, our Istio-based service mesh offering for the enterprise," said Idit Levine, Solo.io's founder and CEO. "While developing eBPF extensions, we have faced many technical challenges—and this led us to develop BumbleBee to help streamline our eBPF efforts. Since we truly believe in the benefits of eBPF, we are happy to share BumbleBee with the community to accelerate eBPF adoption."
BumbleBee includes a command-line interface (CLI) that automatically generates the user-space code for eBPF programs by exposing maps automatically as logs, metrics, and histograms. The developer only has to worry about writing the eBPF code.
Solo.io built BumbleBee using libbpf, a new toolset for building BPG programs. With it, for example, you can write eBPF probes with zero userspace code. BumbleBee automatically detects and displays maps in your program that allow the user space and kernel space programs to share data. This is accomplished through the use of special BPF conventions and keywords.
If you're working with eBPF, BumbleBee demands your attention. Even at this early stage, it can help you write eBPF programs more quickly and safely.