Advanced Vocabulary #ebpf #linux #observability

eBPF Vocabulary

5 exercises — Practice eBPF vocabulary in English: kernel hook points (tracepoints, kprobes, XDP), eBPF maps, the verifier, JIT compilation, Cilium networking, and Falco security monitoring.

Core eBPF vocabulary clusters
  • Hook types: kprobe/kretprobe (kernel functions), uprobe (user functions), tracepoint (static trace points), XDP (network driver), TC hook, LSM hook
  • Data structures: eBPF map (hash, array, ring buffer, per-CPU, LRU), pinned map, BPF filesystem
  • Runtime: verifier (safety check), JIT compiler, bytecode, helper functions, CO-RE (Compile Once Run Everywhere)
  • Tooling: BCC (BPF Compiler Collection), libbpf, bpftrace, Cilium (networking/security), Falco (runtime security), Pixie (observability)
Exercise 1 / 5
A kernel engineer explains eBPF to a developer interested in observability:
"eBPF — extended Berkeley Packet Filter — lets you run sandboxed programs in the Linux kernel without writing a kernel module. Before eBPF, instrumenting the kernel meant either using static kernel tracepoints (limited) or writing a kernel module (risky — one bug crashes the system). With eBPF, you load a small program written in restricted C, verified for safety by the kernel verifier, and it runs at hook points: every time a kernel function is called, a network packet arrives, a system call fires. Your program can record data into eBPF maps — shared memory between kernel and user space — which your tooling reads."
What is the eBPF verifier and why is it essential for kernel safety?