“How the Hive Came To Bee” – a story of eBPF and Cilium so far
Who created eBPF? Which challenges led to its creation? Does eBPF actually stand for anything? How does eBPF allow us to rethink the way we solve problems?
What are the use cases solved by eBPF? How does eBPF make Cilium a fundamentally better dataplane?
To answer these questions, we asked the creators and maintainers of these projects. In a recent webinar series called “How the Hive Came to Bee”, we heard from the experts who were there from the beginning, and who have continued to shape and develop eBPF and Cilium over the years. They shared their insights, experiences, and perspectives on the history, challenges, and future of these technologies.
Part 1: The History of eBPF
In the first video, John Fastabend (Tetragon Lead & Cilium Maintainer) covers the history of eBPF, from its early days to its current state.
John starts by going back to the “early days” of 2014 and the main projects, companies and players that influenced the landscape of Linux networking at the time. It was around then that he saw a “switch-o-pocalypse” where virtual networking protocols and models were being built seemingly every other day (VXLAN, STT, OVS, etc…). Meanwhile, it was around that time that containerization started to take off and that Kubernetes’ first commit was made.
The highly dynamic networking requirements of containerized applications demanded a speed of innovation that simply wasn’t possible due to the slow feedback loop in the Linux development model.
And that’s really how and why eBPF got started.
In the video, John goes back to the original e-mails discussing the proposed changes from BPF to eBPF, eBPF-related projects such as BCC, TC BPF, BTF, XDP and BPFTrace, and when eBPF started to be fully enabled in the Linux kernel. Of course, John highlights Cilium as one of the first popular projects using eBPF but also discusses other tools, such as Katran Load Balancer (from Facebook/Meta) or L4Drop (from Cloudflare) for DDoS protection.
Finally, John gets to eBPF now: the launch of the eBPF foundation and the continuous growth of eBPF and eBPF-based tools across cloud providers, operating systems and use cases.
Part 2: A Technical Deep Dive of eBPF
In the second video, Daniel Borkmann (eBPF & Cilium co-creator) picked up where John left off and walked through a technical deep dive of eBPF. Daniel starts by answering the question “What is BPF/eBPF?” (“a framework to extend the OS kernel”) before covering, at a high level, the ever-growing list of use cases (networking, observability, security enforcement, tracing and profiling, etc…).
Daniel explains some of the differences between user, kernel and BPF software – some of the pros and cons of each model and in particular some of the security benefits of eBPF. As you’ll see in the video, eBPF is becoming a common denominator for many projects in networking, tracing and security.
Daniel takes us through a “toy” eBPF program and the various steps in its deployment (from BPF C code, to BPF compiler backend, to BPF loader to finally BPF runtime). He takes the time to walk through complex parts of BPF, such as the safety provided by the BPF verifier and how it works by simulating execution of all paths of the program.
Watch the video to understand all the eBPF minutiae, BPF bytecode, BPF hooks, why XDP is fast, how it compares to DPDK and some of the many XDP use cases, such as Load-Balancing.
Part 3: Cilium as an eBPF use case
Finally, in the last part of the series (presented by Cilium maintainer Joe Stringer), we explore practical eBPF use cases. Joe starts by going back to Kubernetes networking basics, in particular Kubernetes Services and kube-proxy. He explains the limitations of iptables and IPVS in kube-proxy and how eBPF improves performance by orders of magnitude.
Next, Joe explains why traditional IP-based security is no longer feasible in the highly dynamic world of cloud native applications. Joe talks about the intent of security policies (they are not based on where the app is but who the app is) and how eBPF and Cilium can enforce network policies based on much richer data (in addition to IP addresses: Kubernetes namespace, labels, DNS-awareness, SPIFFE, etc…). Policies can be written and enforced using these precise identities.
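To make the identity-based model concrete, here is a CiliumNetworkPolicy added for this write-up (it is not taken from the webinar). The namespace `shop`, the `app` labels, the ports and the FQDN `api.example.com` are all constructed placeholders; the kube-dns selector assumes a cluster running the usual `kube-dns`/CoreDNS labels.

```yaml
# Constructed example: every name, label, port and hostname is a placeholder.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: backend-identity-policy
  namespace: shop
spec:
  # "Who the app is": the policy attaches to Pods by label, not by address,
  # so it keeps applying when Pods are rescheduled and receive new IPs.
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  # Only workloads carrying the frontend identity may reach the backend port.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
  egress:
  # Allow DNS to the cluster resolver and have Cilium inspect the lookups,
  # which is what makes the toFQDNs rule below enforceable.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  # DNS-aware egress: the destination is named, not pinned to an IP range.
  - toFQDNs:
    - matchName: "api.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

Once any ingress or egress rule selects an endpoint, traffic in that direction that is not explicitly allowed is dropped, so this policy also acts as a default-deny for the backend Pods.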
Observability is another major use case of eBPF. Joe takes us back to the ancestor of eBPF (tcpdump) and how useful it was for dissecting traffic, but he also highlights its limitations in the cloud native world, where users need more than just an IP address to identify traffic: they want to associate it with a container/Pod. Hubble provides the ability to link the identities previously discussed with their actual flow metadata: Ethernet headers, IP & ICMP headers, UDP & TCP ports, HTTP/DNS/Kafka, etc… Hubble works seamlessly with Cilium, even reporting when flows are dropped by a specific Cilium Network Policy.
To conclude the session, Joe recaps how eBPF allows us to rethink the way we solve problems and how eBPF makes a fundamentally better dataplane.
We sincerely hope you enjoyed the series and that it helped you understand more about eBPF and its revolutionary potential. If you’d like to know more, check out the resources below.