How eBPF Actually Works
03-17, 10:15–10:45 (Europe/Paris), Arena

You’ve seen the eBPF architecture diagram many times now in presentations: “…and then we compile some C code and attach it to a function in the kernel…”, before moving on. Have you ever wondered what that really means, and what actually happens when you do that? This talk is for you.

We’ll take a simple eBPF program and step through everything that happens to it. How it’s compiled, what is eBPF bytecode and what it looks like, how the kernel loads it, how the verifier works, how the JIT compiles it and what to, and finally how the kernel hooks its own function calls with the compiled eBPF. At each step we’ll follow through our example, from source code, to eBPF byte code, to JIT compiled for the running platform. We’ll investigate some relevant parts of the Linux kernel source code, and learn what’s really happening when you run eBPF code.

See also:

James is a software engineer specialising in cloud native software and distributed systems. Currently he's a Senior Solutions Architect at Isovalent. Previously, he's worked at Jetstack as a Staff Solutions Engineer, and an engineer in fintech before.

James was on the Kubernetes release team from v1.18 though v1.24, culminating in being the Release Team Lead for Kubernetes v1.24 "Stargazer" 🔭. He's also served as the Emeritus Adviser for Kubernetes v1.27 "Chill Vibes" 🦥.