BPF Internals

Note: Presentation times are in Pacific Daylight Time (PDT).

Tuesday, June 01, 2021 - 12:45 pm1:30 pm

Brendan Gregg


Extended BPF (aka eBPF) is a new type of software for secure, performant, event-driven programs, and has seen widespread adoption. Your Linux servers may already be running BPF programs; Netflix cloud instances run 15 by default, and Facebook over 40. These programs are for networking, performance tools, security policies, device drivers, application proxies, and more. Many have said that BPF is taking over Linux.

This talk is a deep dive that describes how BPF works internally and dissects some modern performance observability tools. Details covered include the kernel BPF implementation: the verifier, JIT compilation, and the BPF execution environment; the BPF instruction set; different event sources; and how BPF is used by user space, using bpftrace programs as an example. This includes showing how bpftrace is compiled to LLVM IR and then BPF bytecode, and how per-event data and aggregated map data are fetched from the kernel.

Brendan Gregg[node:field-speakers-institution]

Brendan Gregg is an industry expert in computing performance and cloud computing. He is a senior performance architect at Netflix, where he does performance design, evaluation, analysis, and tuning. He is the author of Systems Performance and BPF Performance Tools (Addison-Wesley), and received the USENIX LISA Award for Outstanding Achievement in System Administration. Brendan has created numerous performance analysis tools, visualizations, and methodologies for performance analysis, including flame graphs.

Core Principles
@conference {272781,
author = {Brendan Gregg},
title = {{BPF} Internals},
year = {2021},
publisher = {{USENIX} Association},
month = jun,