TIL: eBPF is awesome

https://filipnikolovski.com/posts/ebpf/

  • I’ve heard of this before but this is the first time I’m actually seeing eBPF code.
  • This could also be very useful to instrument processes that you can’t stop and re-run in strace - postgres is a prime example!

You can pick any function from the kernel and execute the program every time that function runs.

To nullify the security and stability risks when running a user space program inside the kernel, several checks are performed to ensure that the code we run is safe and that it terminates so our computer won’t freeze up.
How is this possible? 🤔
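
One part of the answer, as an added sketch (not code from the linked post or from the kernel): before loading a program, the verifier walks its control-flow graph and rejects jumps outside the program, unreachable instructions and back-edges, so anything that passes must reach an exit. The instruction model, names and sample programs below are simplified assumptions; the real verifier also tracks register and memory state, and newer kernels accept loops they can prove bounded.

```c
#include <stdio.h>

/* Simplified instruction model (an assumption for this example, not the real
 * eBPF encoding): every instruction falls through, jumps, branches, or exits. */
enum op { OP_ALU, OP_JA, OP_JCOND, OP_EXIT };
struct insn { enum op op; int off; };          /* jump target = pc + 1 + off */

enum { OK = 0, ERR_RANGE, ERR_LOOP, ERR_UNREACHABLE };
enum { WHITE = 0, GREY, BLACK };               /* DFS colours */
#define MAX_INSNS 64

static int visit(const struct insn *p, int n, int pc, char *col)
{
    if (pc < 0 || pc >= n) return ERR_RANGE;   /* falls or jumps off the program */
    if (col[pc] == GREY)  return ERR_LOOP;     /* back-edge: may never terminate */
    if (col[pc] == BLACK) return OK;           /* already proven safe */
    col[pc] = GREY;
    int rc = OK;
    if (p[pc].op == OP_JA || p[pc].op == OP_JCOND)          /* taken branch */
        rc = visit(p, n, pc + 1 + p[pc].off, col);
    if (rc == OK && (p[pc].op == OP_ALU || p[pc].op == OP_JCOND))
        rc = visit(p, n, pc + 1, col);                      /* fall-through */
    col[pc] = BLACK;
    return rc;
}

int check_cfg(const struct insn *p, int n)
{
    char col[MAX_INSNS] = {0};
    if (n <= 0 || n > MAX_INSNS) return ERR_RANGE;
    int rc = visit(p, n, 0, col);
    for (int i = 0; rc == OK && i < n; i++)    /* dead code is rejected too */
        if (col[i] == WHITE) rc = ERR_UNREACHABLE;
    return rc;
}

/* Constructed sample programs. */
static const struct insn straight[] = { {OP_ALU,0}, {OP_JCOND,1}, {OP_ALU,0}, {OP_EXIT,0} };
static const struct insn looping[]  = { {OP_ALU,0}, {OP_JCOND,-2}, {OP_EXIT,0} };
static const struct insn runs_off[] = { {OP_ALU,0}, {OP_ALU,0} };
static const struct insn dead[]     = { {OP_JA,1}, {OP_ALU,0}, {OP_EXIT,0} };

int main(void)
{
    printf("straight=%d looping=%d runs_off=%d dead=%d\n",
           check_cfg(straight, 4), check_cfg(looping, 3),
           check_cfg(runs_off, 2), check_cfg(dead, 3));
    return 0;
}
```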

Even more interesting than the eBPF write-up is this graphic that describes observability options at different levels:
