Operations

eBPF

Run sandboxed programs in the Linux kernel without loading modules.

In plain terms

Originally a packet-filtering mechanism (the Berkeley Packet Filter); now used for tracing, networking (Cilium), security (Tetragon), and observability.

Origin

Berkeley Packet Filter (1992); extended BPF merged into Linux 3.18 (2014) by Alexei Starovoitov. Now used for tracing (bpftrace), networking (Cilium), security (Tetragon), and observability.

Where it shows up in production
  • Cilium: eBPF-based CNI for Kubernetes. Replaces iptables with much faster in-kernel programs.
  • bpftrace: DTrace-like one-liners for Linux. Brendan Gregg's Linux tools page is the reference.
  • Falco / Tetragon: runtime security — detect unexpected syscalls / processes via eBPF.