Skip to main content

eBPF

At the core of Pulsar there is eBPF (enhanced Barkeley's Packet Filters) technology. eBPF is the state of the art of Linux kernel tracing and instrumentation technology. An eBPF virtual machine is a virtual machine capable of running "BPF programs" inside the Linux kernel.

eBPF Technology

eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change the kernel source code or load additional kernel modules.

While being a relatively new technology, eBPF is already used to drive solutions in a wide variety of areas — most notably:

  • Providing high-performance networking and load-balancing in modern data centers and cloud native environments;

  • Extracting fine-grained security observability data with little overhead;

  • Helping application developers trace applications;

  • Providing insights for performance troubleshooting;

  • Preventive application and container runtime security enforcement.

This is not an exhaustive list. The possibilities brought by eBPF are endless as more use-cases are unlocked and shared.

Advantages

Reasons for running a full VM inside the kernel revolve around convenience and safety: while all operations done by eBPF programs can be handled via standard kernel modules, direct kernel programming is a really dangerous endeavour - it can cause lock-ups, memory corruption, crash processes, cause security vulnerabilities and other unwanted effects especially on production devices (eBPF is very often used to inspect systems in production), so running native-fast JiT-compiled kernel code via a safe VM becomes valuable for security monitoring and sandboxing, network filtering, program tracing, profiling, debugging and so on.