ebpf

Linux Kernel 6.14 and 6.15: Powering the Future of eBPF, WASM, and Serverless

ebpf, linux, serverless, webassembly / / April 30, 2025

The Linux kernel continues to evolve at a rapid pace, and the 6.14 and 6.15 releases bring a host of new features that are particularly relevant to cutting-edge technologies like eBPF, WebAssembly (Wasm), and serverless computing. Let’s delve into the key highlights from these releases.

Linux 6.14: Strengthening the Foundations

  • Improved Security: Kernel hardening and various security enhancements provide a more robust base for all applications, including those leveraging eBPF.
  • Enhanced Hardware Support: New drivers and architecture updates ensure compatibility with the latest hardware, which is crucial for serverless deployments.
  • General Performance Improvements: Optimizations across the kernel contribute to better performance for all workloads.

Although the article doesn’t specifically call out features directly beneficial to eBPF, WASm, or serverless, any improvements to core kernel functionality are generally advantageous for these technologies.

Linux 6.15: A Leap Forward

Linux 6.15 builds upon the foundation of 6.14, offering more concrete advancements in areas that directly impact eBPF, WASm, and serverless:

  • Expanded File Name Support: A significant change in 6.15 is the increased filename length limit for user-space filesystems (FUSE), jumping from 1024 to 4096 bytes. This enhancement, while seemingly minor, can be beneficial in complex serverless environments where dealing with uniquely named resources or containers is common.
  • Improved Storage and Filesystem Capabilities: EXT4 file system hardening and various enhancements to F2FS contribute to improved reliability and performance. Furthermore, Btrfs sees improvements with Zstandard compression.
  • Hardware Advancements: Support for newer AMD and Intel processors translates directly to improved performance for serverless functions, especially those running on bare metal or in virtualized environments.
  • Networking Improvements: While details need more investigation, any improvements to networking within the kernel directly enhance the performance and reliability of serverless functions and containerized applications, a key component of WASm and eBPF deployment scenarios.
  • Security Updates: Linux 6.15 incorporates vital security measures, including broader mitigation strategies against different types of attacks. This enhanced overall security is vital for eBPF and WASm applications, and for serverless environments.

Implications for eBPF Development

eBPF thrives on a stable and feature-rich kernel. The performance and security improvements in both 6.14 and 6.15 make them excellent choices for eBPF development and deployment. Specific features that are likely beneficial include the stability updates and enhanced hardware compatibility.

Benefits for WASM

WebAssembly runtimes, particularly those running outside of the browser (e.g., in serverless functions or on the edge), benefit from a robust kernel. The general performance increases and security enhancements in these kernel releases are beneficial.

Impact on Serverless Computing

Serverless platforms rely heavily on kernel features for resource management, isolation, and networking. The improvements in 6.14 and especially the enhancements in networking, storage and the larger filename support in 6.15 can translate to more efficient and scalable serverless deployments. The ability to handle larger filenames is surprisingly relevant in complex serverless environments where container names and unique resource identifiers are common.

Conclusion

Linux 6.14 and 6.15 provide a solid foundation for the continued growth of eBPF, WASm, and serverless computing. While some features offer indirect benefits by improving overall kernel stability and performance, other changes, especially related to storage, networking, and the expanded filename lengths directly address the needs of these demanding technologies. As these technologies continue to mature, the ongoing evolution of the Linux kernel will be critical to their success.

Linux Kernel 6.14 and 6.15: Powering the Future of eBPF, WASM, and Serverless Read More »

eBPF: Revolutionizing Security Across Applications, Kubernetes, Mobile, IoT, and Beyond

artificial intelligence, ebpf, security / / April 27, 2025

Introduction

eBPF (extended Berkeley Packet Filter) is a powerful technology that allows users to run sandboxed programs within the operating system kernel. This capability provides unprecedented visibility and control over system behavior without requiring modifications to the kernel source code. Initially designed for network packet filtering, eBPF has evolved into a versatile tool for enhancing security across various domains, including application security, Kubernetes, mobile devices, IoT, and more.

eBPF for Application Security

eBPF enhances application security by enabling detailed monitoring and control over internal processes and system calls. It allows developers to enforce security policies that prevent unauthorized access to critical resources. Run Security’s RS Prevent platform, for instance, utilizes eBPF to collect telemetry data directly from the Linux kernel, improving the accuracy of threat identification and reducing false positives.

Key benefits of eBPF in application security include:

  • Real-time Threat Detection: eBPF facilitates deep packet inspection and traffic filtering, enabling the detection of irregular patterns indicative of DDoS attacks, unauthorized access, or data exfiltration attempts.
  • Runtime Analysis: eBPF automates the triage of vulnerabilities by verifying if a vulnerable code path exists within the application’s runtime context.
  • Precise Control: eBPF allows for fine-grained control over application processes and system calls, enhancing security policies.

eBPF in Kubernetes

In Kubernetes environments, eBPF provides deep visibility into network traffic and application performance, making it essential for monitoring, auditing, and traffic routing. It allows for efficient management of containerized applications and helps ensure that processes run optimally.

eBPF aids Kubernetes management by:

  • Deep Observability: Providing real-time insights into networking, CPU usage, memory, and system calls.
  • Enhanced Security: Enforcing fine-grained security policies directly in the kernel, securing pod-to-pod and external communications.
  • Optimized Performance:1 Operating with minimal overhead, reducing the need for intrusive agents or sidecars.

Tools like Cilium, Falco, and Inspektor Gadget leverage eBPF to enhance security and observability within Kubernetes clusters.

eBPF in Mobile Devices

eBPF plays a crucial role in modern mobile operating systems like Android. It is used for network traffic monitoring, firewalling, and high-speed packet processing.

Specific use cases in Android include:

  • Data Usage Accounting: Monitoring and controlling data usage by applications.
  • Network Restrictions: Implementing firewall rules and network restrictions to save power in battery saver mode.
  • Packet Processing: Handling high-speed packet processing tasks like tethering and IPv4 connectivity over IPv6 networks.

eBPF in IoT

In the Internet of Things (IoT), eBPF enhances the observability and security of connected devices. Its ability to monitor system behavior at a granular level and capture real-time events makes it ideal for securing IoT environments.

eBPF helps in:

  • Real-time Observability: Tracking system calls and kernel events to monitor performance and identify issues.
  • Security Monitoring: Detecting malicious activities like unauthorized file access and enforcing security policies.
  • Performance Optimization: Monitoring resource usage to spot inefficient code or misconfigurations.

The Future of eBPF in Security

The future of eBPF in security is promising, with potential applications in AI-driven threat detection and automated security policy enforcement. It is expected to become a standard tool for security professionals, providing deeper insights and control over system behavior.

Key trends include:

  • AI Integration: Combining eBPF with AI and machine learning to detect anomalies and respond to threats in real-time.
  • Windows Support: The upcoming release of eBPF for Windows will expand its applicability across different operating systems.
  • Enhanced Security Measures: Using eBPF to create security systems that operate on more context and with a better level of control.

eBPF and AI Solutions

The integration of eBPF with AI offers significant potential for enhancing security. By leveraging eBPF for real-time data collection and AI for pattern matching and anomaly detection, security systems can achieve unprecedented levels of accuracy and efficiency.

Examples of eBPF and AI integration include:

  • Anomaly Detection: Using AI/ML algorithms to analyze network behavior and identify irregularities.
  • Threat Detection: Combining eBPF’s real-time data collection with AI to detect vulnerabilities and automatically correlate CVEs.
  • Automated Response: Developing systems that can automatically respond to security threats based on AI-driven analysis of eBPF data.

Conclusion

eBPF is revolutionizing security by providing unparalleled visibility and control over system behavior. Its applications span across diverse domains, including application security, Kubernetes, mobile devices, and IoT. As eBPF continues to evolve, particularly with the integration of AI, it is poised to play an increasingly critical role in safeguarding modern computing environments.

eBPF: Revolutionizing Security Across Applications, Kubernetes, Mobile, IoT, and Beyond Read More »

Exploring Tetragon and eBPF Technology

cloud, CNCF, ebpf, linux, monitoring, observability, security / / October 8, 2024

Introduction

In the rapidly evolving landscape of cloud-native technologies, Tetragon has emerged as a powerful tool leveraging eBPF (extended Berkeley Packet Filter) to enhance security observability and runtime enforcement in Kubernetes environments. This blog post delves into the intricacies of Tetragon, its underlying eBPF technology, and how it compares to other solutions in the market.

Understanding eBPF

eBPF is a revolutionary technology that allows sandboxed programs to run within the operating system kernel, extending its capabilities without modifying the kernel source code or loading kernel modules.

What is Tetragon?

Tetragon is an eBPF-based security observability and runtime enforcement tool designed specifically for Kubernetes.

Key Features of Tetragon

  1. Minimal Overhead: Tetragon leverages eBPF to provide deep observability with low performance overhead, mitigating risks without the latency introduced by user-space processing.
  2. Kubernetes-Aware: Tetragon extends Cilium’s design by recognizing workload identities like namespace and pod metadata, surpassing traditional observability.
  3. Real-time Policy Enforcement: Tetragon performs synchronous monitoring, filtering, and enforcement entirely within the kernel, providing real-time security.
  4. Advanced Application Insights: Tetragon captures events such as process execution, network communications, and file access, offering comprehensive monitoring capabilities.

Tetragon vs. Other Solutions

While Tetragon offers a robust set of features, it’s essential to compare it with other eBPF-based solutions to understand its unique value proposition.

  1. Cilium: As the predecessor to Tetragon, Cilium focuses primarily on networking and security for Kubernetes. While Cilium provides runtime security detection and response capabilities, Tetragon extends these features with enhanced observability and real-time enforcement.
  2. Falco: Another popular eBPF-based security tool, Falco specializes in runtime security monitoring. However, Tetragon’s integration with Kubernetes and its ability to enforce policies at the kernel level provide a more comprehensive security solution.
  3. Sysdig: Sysdig offers deep visibility into containerized environments using eBPF. While it excels in monitoring and troubleshooting, Tetragon’s focus on real-time policy enforcement and minimal overhead makes it a more suitable choice for security-centric applications.

Conclusion

Tetragon represents a significant advancement in the realm of Kubernetes security and observability. By harnessing the power of eBPF, Tetragon provides deep insights and real-time enforcement capabilities with minimal performance overhead. Its seamless integration with Kubernetes and advanced application insights make it a compelling choice for organizations looking to enhance their cloud-native security posture.

As the landscape of eBPF-based tools continues to evolve, Tetragon stands out for its comprehensive approach to security observability and runtime enforcement.

Whether you’re already using eBPF technologies or considering their adoption, Tetragon offers a robust solution that addresses the unique challenges of modern cloud-native environments.

Feel free to ask if you need more details or have any specific questions about Tetragon or eBPF!

Exploring Tetragon and eBPF Technology Read More »

How to Install Pixie on a Ubuntu VM

ebpf, linux, monitoring, observability, pixie / / November 6, 2023

Pixie is an open source observability platform that uses eBPF to collect and analyze data from Kubernetes applications. Pixie can help you monitor and debug your applications without any code changes or instrumentation. In this blog post, I will show you how to install Pixie on a stand-alone virtual machine using Minikube, a tool that lets you run Kubernetes locally.

Prerequisites

To follow this tutorial, you will need:

• A stand-alone virtual machine running Ubuntu 22.04 or later. This tutorial assumes that the VM

  • has at least 6 vCPUs and at least 16 GB RAM
  • is installed with Desktop and has a Web Browser, which will be later used for user’s authentication with Pixie Community Cloud. An alternative auth method is described here.

• Basic dev tools such as build-essential, git, curl, make, gcc, etc.

• Docker, a software that allows you to run containers.

• KVM2 driver, a hypervisor that allows you to run virtual machines.

• Kubectl, a command-line tool that allows you to interact with Kubernetes.

• Minikube, a tool that allows you to run Kubernetes locally.

• Optionally, Go and/or Python, programming languages that allow you to write Pixie scripts.

Step 1: Update and Upgrade Your System

The first step is to update and upgrade your system to ensure that you have the latest packages and dependencies. You can do this by running the following command:

sudo apt update -y && sudo apt upgrade -y

Step 2: Install Basic Dev Tools

The next step is to install some basic dev tools that you will need to build and run Pixie. You can do this by running the following command:

sudo apt install -y build-essential git curl make gcc libssl-dev bc libelf-dev libcap-dev \
clang gcc-multilib llvm libncurses5-dev git pkg-config libmnl-dev bison flex \
graphviz software-properties-common wget htop

Step 3: Install Docker

Docker is a software that allows you to run containers, which are isolated environments that can run applications. You will need Docker to run Pixie and its components. To install Docker, you can follow the instructions from the official Docker website:

# Add Docker's official GPG key:
sudo apt install -y ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update -y
# docker install
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Step 4: Add Your User to the ‘docker’ Group

By default, Docker requires root privileges to run containers. To avoid this, you can add your user to the ‘docker’ group, which will allow you to run Docker commands without sudo. To do this, you can follow the instructions from the DigitalOcean website:

sudo usermod -aG docker ${USER}

Step 5: Install KVM2 Driver

KVM2 driver is a hypervisor that allows you to run virtual machines. You will need KVM2 driver to run Minikube, which will create a virtual machine to run Kubernetes. To install KVM2 driver, you can follow the instructions from the Ubuntu website:

sudo apt-get install qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils
sudo adduser id -un libvirt
sudo adduser id -un kvm

Step 6: Install Kubectl

Kubectl is a command-line tool that allows you to interact with Kubernetes. You will need kubectl to deploy and manage Pixie and its components on Kubernetes. To install kubectl, you can follow the instructions from the Kubernetes website:

curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"
echo "$(cat kubectl.sha256) kubectl" | sha256sum --check

This should print:

kubectl: OK
# install kubectl
sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

Test kubectl version:

kubectl version --client

Step 7: Install Minikube

Minikube is a tool that allows you to run Kubernetes locally. You will need Minikube to create a local Kubernetes cluster that will run Pixie and its components. To install Minikube, you can follow the instructions from the Minikube website:

curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
sudo install minikube-linux-amd64 /usr/local/bin/minikube

Step 8: Reboot Your System

After installing all the required tools, you should reboot your system to ensure that the changes take effect. You can do this by running the following command:

sudo reboot

Step 9: Run Kubernetes with Minikube

After rebooting your system, you can run Kubernetes with Minikube. Minikube will create a virtual machine and install Kubernetes on it. You can specify various options and configurations for Minikube, such as the driver, the CNI, the CPU, and the memory. For example, you can run the following command to start Minikube with the KVM2 driver, the flannel CNI, 4 CPUs, and 8000 MB of memory:

minikube start --driver=kvm2 --cni=flannel --cpus=4 --memory=8000

You can also specify a profile name for your Minikube cluster, such as px-test, by adding the -p flag, if you want.

You can list all the clusters and their profiles by running the following command:

minikube profile list

This should print something like:

ProfileVM DriverRuntimeIPPortVersionStatusNodesActive
minikubekvm2docker192.168.39.1608443v1.27.4Running1*
———-———–————————-——————————-——–

Step 10: Install Pixie

Pixie is an open source observability platform that uses eBPF to collect and analyze data from Kubernetes applications. Pixie can help you monitor and debug your applications without any code changes or instrumentation. To install Pixie, you can run the following command:

bash -c "$(curl -fsSL https://withpixie.ai/install.sh)"

This will download and run the Pixie install script, which will guide you through the installation process. After installing Pixie, you should reboot your system to ensure that the changes take effect. You can do this by running the following command:

sudo reboot

Step 11: Start Kubernetes Cluster and Deploy Pixie

After rebooting your system, you can start your Kubernetes cluster again with Minikube. You can use the same command and options that you used before, or you can omit them if you have only one cluster and profile. For example:

minikube start
px deploy

Step 12: Register with Pixie Community Cloud and Check All Works

After starting your Kubernetes cluster, you can check if everything works as expected. You can use the following command to list all the pods in all namespaces and see if they are running:

kubectl get pods -A

Register with Pixie Community Cloud to see your K8s cluster’s stats.

You will have to authenticate with Pixie and log in to the Pixie platform at your VM using a web browser, which Pixie will open for you once you run:

px auth login

Step 13: Deploy Pixie’s Demo

Pixie provides a few demo apps. We deploy a demo application called px-sock-shop, which is a sample online shop that sells socks, based on an open source microservices demo. Some more information on this demo app is available here. The demo shows how Pixie can be used to monitor and debug the microservices running on Kubernetes. To deploy Pixie’s demo, run:

px demo deploy px-sock-shop

Your view in Pixie Community Cloud should be similar to this screenshot

How to Install Pixie on a Ubuntu VM Read More »