Jump to content

Recommended Posts



In the year to come, we will start to see a change in the Linux kernel architecture, as a new component, eBPF, starts taking over more monitoring, security and networking duties from individual kernel modules.


eBPF is “Linux’s newest superpower,” said SAP Labs’ developer Gaurav Gupta, during a talk that he gave about using the technology for low-overhead tracing at KubeCon in Copenhagen earlier this year.


A virtual machine for the Linux kernel, eBPF could set the stage for advanced, low-overhead tracing inside the kernel itself, offering insight into I/O and file system latency, CPU usage by process, stack tracing and other metrics useful for debugging. It could also play a role in system security, potentially offering a way to thwart DDOS attacks, to monitor for intrusion detection, and even replace IPtables. It also offers a cleaner alternative to installing drivers.


It is a step towards moving Linux to the microkernel model, where more functionality is defined and run in the user-space, rather than kernel space.


Andrew Tanenbaum must be feeling pretty smug right now. Back to the Future, a.k.a. Return of the Microkernel.



Link to post
Share on other sites

Andrew Tanenbaum must be feeling pretty smug right now. Back to the Future, a.k.a. Return of the Microkernel.

Indeedy, and not for the first time. When the 2.0 kernel introduced modules, it was seen as a brilliant compromise between ye olde "monolithic" kernel and the microkernel model, blending some advantages of both.


The FUSE device layer was another attempt to bring microkernel-like capabilities to Linux, with mixed success. It does provide a safer, easier way to provide a device interface to userspace filesystem implementations.


With FUSE, bugs in the implementation cannot corrupt kernelspace, which is great, but it has a reputation for being slow, which is also the historical drawback to microkernels in general. Since every module's capabilities are gated by a robustly isolating interface, it introduces overhead to every cross-module function call.


FUSE has improved in the meantime, and hardware has gotten faster, which has made it a more useful tool, and eBPF looks poised to reduce FUSE-related overhead further:



Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...