Jump to content



  • Please log in to reply
2 replies to this topic

#1 Ivanhoe


    purposeful grimace

  • Members
  • PipPipPipPipPipPipPipPipPipPip
  • 33,187 posts

Posted 29 December 2018 - 1115 AM



In the year to come, we will start to see a change in the Linux kernel architecture, as a new component, eBPF, starts taking over more monitoring, security and networking duties from individual kernel modules.


eBPF is “Linux’s newest superpower,” said SAP Labs’ developer Gaurav Gupta, during a talk that he gave about using the technology for low-overhead tracing at KubeCon in Copenhagen earlier this year.


A virtual machine for the Linux kernel, eBPF could set the stage for advanced, low-overhead tracing inside the kernel itself, offering insight into I/O and file system latency, CPU usage by process, stack tracing and other metrics useful for debugging. It could also play a role in system security, potentially offering a way to thwart DDOS attacks, to monitor for intrusion detection, and even replace IPtables. It also offers a cleaner alternative to installing drivers.


It is a step towards moving Linux to the microkernel model, where more functionality is defined and run in the user-space, rather than kernel space.


Andrew Tanenbaum must be feeling pretty smug right now. Back to the Future, a.k.a. Return of the Microkernel. 



  • 0

#2 Murph


    Hierophant Lord

  • Members
  • PipPipPipPipPipPipPipPipPipPip
  • 20,628 posts

Posted 29 December 2018 - 1239 PM

Cool!  I hope it works out.

  • 0

#3 TTK Ciar

TTK Ciar


  • Members
  • PipPip
  • 2,097 posts

Posted 01 January 2019 - 1905 PM

Andrew Tanenbaum must be feeling pretty smug right now. Back to the Future, a.k.a. Return of the Microkernel.

Indeedy, and not for the first time. When the 2.0 kernel introduced modules, it was seen as a brilliant compromise between ye olde "monolithic" kernel and the microkernel model, blending some advantages of both.

The FUSE device layer was another attempt to bring microkernel-like capabilities to Linux, with mixed success. It does provide a safer, easier way to provide a device interface to userspace filesystem implementations.

With FUSE, bugs in the implementation cannot corrupt kernelspace, which is great, but it has a reputation for being slow, which is also the historical drawback to microkernels in general. Since every module's capabilities are gated by a robustly isolating interface, it introduces overhead to every cross-module function call.

FUSE has improved in the meantime, and hardware has gotten faster, which has made it a more useful tool, and eBPF looks poised to reduce FUSE-related overhead further:

  • 0