eBPF’s Abilities and Limitations: The Truth
A talk by Isovalent with a full room (one of the large ones).
Baseline
- eBPF lets you run custom code in the kernel -> close to hardware
- Typical use cases: Networking, Observability, Tracing/Profiling, security
- Question: Is eBPF Turing complete and can it be used for more complex scenarios (TLS, L7)?
eBPF verifier
- The verifier analyzes the program to verify safety
- Principles
- Read memory only with correct permissions
- All writes to valid and safe memory
- Valid in-bounds and well-formed control flow
- Execution on CPU time is bounded: sleep, scheduled callbacks, iterations, program actually completes
- Acquire/release and reference count semantics
Demo: Game of life
- A random game of life map
- Implemented as a Tetragon plugin
- Layout: Main control loop that loads the map, generates the next generation, and returns a next run function
- The timer callback pattern is used for infinite run
eBPF Limits & workarounds
- Instruction limit to let the verifier actually verify the program in reasonable time
- Limit is based on: Instruction limit and verifier step limit
- Nowadays the limit is 4096 instructions for unprivileged programs and 1 million instructions for privileged ones
- Only jump forward -> No loops
- This is a basic limitation to ensure no infinite loop can ruin the day
- Limitation: Only finite iterations can be performed
- Loops: Newer versions support loops with a constant upper bound (for (x = 0; x < 100; x++))
- Is the instruction limit hard?
- Solution: subprograms (aka functions); the limit applies per function -> x subprograms = x * limit
- Limit: Needs real skill
- Programs have to terminate
- Well, eBPF really only wants the CPU to be released; the program doesn’t have to end per se
- Iterator: walk arbitrary lists of objects
- Sleep on page fault or other memory operations
- Timer callbacks (including a timer with timeout 0 for "run me ASAP")
- Memory allocation
- Maps are used as the memory management system
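Added example (host C, not the talk's Tetragon plugin): the Game of Life demo's structure written the way the verifier wants it, so one timer callback computes a single generation and then says whether to re-arm. It assumes a map of W x H cells with W and H powers of two (so index masking proves in-bounds access), constant loop bounds, and a hypothetical MAX_GENERATIONS cap standing in for the demo's infinite re-arming.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sizes: powers of two so "& (W - 1)" keeps every index
 * in bounds, which the verifier can prove without a branch. */
#define W 8
#define H 8
#define MAX_GENERATIONS 100   /* hypothetical cap; the demo re-arms forever */

struct life_map {
    uint8_t cells[H][W];
    uint32_t generation;
};

/* noinline: in an eBPF build this becomes a subprogram, so its
 * instructions count against their own budget, not the caller's. */
__attribute__((noinline))
static int live_neighbours(const struct life_map *m, int y, int x)
{
    int n = 0;
    for (int dy = -1; dy <= 1; dy++)            /* constant bounds: 3 x 3 */
        for (int dx = -1; dx <= 1; dx++) {
            if (dy == 0 && dx == 0)
                continue;
            /* mask instead of branch: wraps the torus and proves in-bounds */
            n += m->cells[(y + dy) & (H - 1)][(x + dx) & (W - 1)];
        }
    return n;
}

__attribute__((noinline))
static void next_generation(const struct life_map *cur, struct life_map *next)
{
    for (int y = 0; y < H; y++)                 /* constant bounds: H x W */
        for (int x = 0; x < W; x++) {
            int n = live_neighbours(cur, y, x);
            next->cells[y][x] = (n == 3 || (n == 2 && cur->cells[y][x])) ? 1 : 0;
        }
    next->generation = cur->generation + 1;
}

/* "Load the map": a constructed blinker (three cells in a row). */
void load_blinker(struct life_map *m)
{
    memset(m, 0, sizeof(*m));
    m->cells[3][2] = m->cells[3][3] = m->cells[3][4] = 1;
}

/* Shape of the timer callback: one bounded generation per call, then return
 * whether to re-arm the timer (0 ns delay, "run me ASAP"); the CPU is
 * released between generations instead of looping forever. */
int run_step(struct life_map *m)
{
    struct life_map next;
    next_generation(m, &next);
    memcpy(m, &next, sizeof(*m));
    return m->generation < MAX_GENERATIONS;   /* 1 = re-arm, 0 = stop */
}
```

In the real plugin the map lives in a BPF map and run_step's body is the bpf_timer callback; the bounded loops and per-subprogram budgets are what let the verifier accept it.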
Result
- You can execute arbitrary tasks via eBPF
- It can be used for HTTP or TLS - it’s just not implemented yet™