Ask HN: How is eBPF a big deal?
Hi everyone! I've been hearing from friends who are infra/sec engineers about how eBPF is a big deal and a game changer. Since I barely understand the associated jargon and the value, it provides, I was wondering if someone can explain in simple words, how it is a game changer?
4 comments
[ 3.9 ms ] story [ 16.8 ms ] threadYou’ve not been able to get all 3 of those at the same time.
For example, I once wanted to find out which processes were sending out DNS queries.
It sounds like a simple problem but common tools like netstat or wireshark can't tell you the process which sent out a DNS query, only the sending port.
The reason is that the sending port is a short-lived randomly selected ephemeral port which the kernel opens, sends a quick chirp of data and closes within milliseconds. The sending process isn't traceable even using more complex tools like strace or auditd.
I used eBPF / bcc APIs to instrument a kernel-level function and data structures in UDP networking code and report the PID and port every time a DNS query is sent out.
It's like attaching a user-friendly debugger to large portions of the linux kernel.
Other people are talking about observability stuff, but for comparison, we build features on it: https://fly.io/blog/bpf-xdp-packet-filters-and-udp/