eBPF
eBPF runs “sandboxed programs within the operating system” (the Linux kernel) without changing kernel source or loading modules — programmability “decoupled from the kernel release cycle.” It is the technology beneath the low-overhead flow telemetry in netflix-service-topology and networking tools like Cilium, and this page answers the spoke’s eBPF operational-cost open question. Source: official ebpf.io.
How it works
Programs attach to kernel hooks (syscalls, function entry/exit, network events, tracepoints), then:
- a verifier proves they “always run to completion” and stay in bounds (safety);
- a JIT compiles the bytecode to native code, so it runs at native speed;
- maps (hashes, ring buffers) share state with userspace.
Why it matters — and what it costs
It gives “fine-grained … data at low overhead” for observability, networking, and security without kernel patches. But the operational constraints the synthesis asked about are real: it needs CAP_BPF privileges, the verifier caps program size/complexity (“finite complexity”, all paths evaluated), and features depend on kernel version — the coverage eBPF buys is gated on fleet kernel currency.
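A host preflight for those two constraints (kernel currency and CAP_BPF), as an added example, not code from ebpf.io or any agent: it assumes a 5.8 minimum (CAP_BPF landed there; raise it to match the features your programs actually use) and reads the capability bounding set from /proc/self/status.

```shell
# Assumed minimum: CAP_BPF exists from 5.8; older kernels need CAP_SYS_ADMIN instead.
EBPF_MIN_KERNEL="5.8"
CAP_BPF_BIT=39   # bit index of CAP_BPF in the CapBnd/CapEff hex masks

# kernel_at_least REQUIRED RUNNING -> 0 if RUNNING (e.g. "5.15.0-91-generic") >= REQUIRED
kernel_at_least() {
    req_maj=${1%%.*}; req_rest=${1#*.}; req_min=${req_rest%%.*}
    run=${2%%-*}                       # drop distro suffix such as "-91-generic"
    run_maj=${run%%.*}; run_rest=${run#*.}; run_min=${run_rest%%.*}
    [ "$run_maj" -gt "$req_maj" ] && return 0
    [ "$run_maj" -eq "$req_maj" ] && [ "$run_min" -ge "$req_min" ]
}

# cap_in_mask BIT HEXMASK -> 0 if that capability bit is set in a /proc status mask
cap_in_mask() {
    [ $(( (0x$2 >> $1) & 1 )) -eq 1 ]
}

# bpf_preflight [STATUS_FILE] -> prints one line per check; returns 0 only if all pass
bpf_preflight() {
    status=${1:-/proc/self/status}
    rc=0
    kver=$(uname -r)
    if kernel_at_least "$EBPF_MIN_KERNEL" "$kver"; then
        echo "ok   kernel $kver >= $EBPF_MIN_KERNEL"
    else
        echo "FAIL kernel $kver < $EBPF_MIN_KERNEL (CAP_BPF unavailable, CAP_SYS_ADMIN needed)"
        rc=1
    fi
    bnd=$(awk '/^CapBnd:/ {print $2}' "$status")
    if cap_in_mask "$CAP_BPF_BIT" "$bnd"; then
        echo "ok   CAP_BPF in bounding set (CapBnd=$bnd)"
    else
        echo "FAIL CAP_BPF absent from bounding set (CapBnd=$bnd); loads will fail with EPERM"
        rc=1
    fi
    # 1 or 2 here means only capable processes may call bpf() at all
    if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
        echo "info kernel.unprivileged_bpf_disabled=$(cat /proc/sys/kernel/unprivileged_bpf_disabled)"
    fi
    return "$rc"
}

# Run the live checks only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    bpf_preflight
    exit $?
fi
```

A container whose runtime dropped CAP_BPF from the bounding set fails the second check even on a current kernel, which is the usual cause of an agent that works on the node but not in the pod.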
Related
observability · netflix-service-topology · service-topology · platform-ops · opentelemetry