5 exercises on eBPF vocabulary for observability and networking.
1 / 5
What is the eBPF verifier?
eBPF verifier: runs inside the kernel as part of the bpf() syscall. Checks: control flow graph is a DAG (no infinite loops), all memory accesses within known bounds, register types tracked (pointer vs scalar), stack ≤512 bytes, instruction limit (4K to 1M depending on kernel version and privileges), only whitelisted helper functions called. Result: verified programs cannot crash the kernel. After verification, the JIT compiler (separate step) converts bytecode to native instructions for near-native performance.
2 / 5
What is an eBPF map?
eBPF map types: HASH: key-value, O(1), for connection tracking. ARRAY: integer-indexed, for global counters. PERCPU_ARRAY: per-CPU copy, lock-free, sum across CPUs in user space — for high-frequency counters. RINGBUF: ring buffer for streaming events to user space (epoll), variable-size entries, memory-mapped — the modern choice for observability. LRU_HASH: bounded connection table with LRU eviction. SOCKMAP/SOCKHASH: stores sockets for redirection. Maps can be pinned under /sys/fs/bpf/ so they persist after the loading program exits.
3 / 5
What is an XDP (eXpress Data Path) hook?
XDP: earliest possible hook in the Linux network stack. Return codes: XDP_DROP (drop packet), XDP_PASS (continue to kernel stack), XDP_TX (retransmit on same NIC), XDP_REDIRECT (send to another interface or AF_XDP socket). XDP modes: Native (in NIC driver — fastest, requires driver support), Generic (after sk_buff allocation — all NICs, slower), Offloaded (on SmartNIC itself). Typical XDP performance: 10-20M packets/second per core for DROP — far exceeding what iptables can handle. Used by Cilium, Katran (Facebook's load balancer), Cloudflare's DDoS mitigation.
4 / 5
What does Cilium use eBPF for in Kubernetes?
Cilium features: kube-proxy replacement: BPF_MAP_TYPE_HASH maps service ClusterIP → endpoints. O(1) lookup regardless of cluster size. NetworkPolicy: L3/L4 (IP/port) and L7 (HTTP path, gRPC method, Kafka topic) enforcement in eBPF — iptables only supports L3/L4. Hubble: built on eBPF ring buffers. Records every network flow: source, destination, protocol, verdict (forwarded/dropped), DNS queries. UI: service map, flow filtering. CLI: hubble observe --verdict DROPPED. WireGuard encryption: transparent pod-to-pod encryption without sidecars. CNCF graduated project.
5 / 5
What is a kprobe and how does it enable observability without code changes?
kprobe: dynamic — attach to any kernel function at runtime by name. kprobe:tcp_connect fires on every TCP connection attempt. Access: function arguments via BPF context. kretprobe: fires on function return — access return value. Example (bpftrace): kretprobe:sys_read { @bytes = hist(retval); } — histogram of read() byte counts. tracepoint: static — defined in kernel source at specific stable locations. More stable across kernel versions. Example: tracepoint:syscalls:sys_enter_openat. uprobe: like kprobe but for user-space functions — requires the binary and its symbol information. USDT: User Statically Defined Tracepoints — baked into applications (Node.js, Python, PostgreSQL) for stable instrumentation points.