In the year to come, we will start to see a change in the Linux kernel architecture, as a new component, eBPF, starts taking over more monitoring, security and networking duties from individual kernel modules.
eBPF is “Linux’s newest superpower,” said SAP Labs’ developer Gaurav Gupta, during a talk that he gave about using the technology for low-overhead tracing at KubeCon in Copenhagen earlier this year.
A virtual machine for the Linux kernel, eBPF could set the stage for advanced, low-overhead tracing inside the kernel itself, offering insight into I/O and file system latency, CPU usage by process, stack tracing and other metrics useful for debugging. It could also play a role in system security, potentially offering a way to thwart DDoS attacks, to monitor for intrusions, and even to replace iptables. It also offers a cleaner alternative to installing drivers.
It is a step towards moving Linux to the microkernel model, where more functionality is defined and run in user space rather than in kernel space.
Andrew Tanenbaum must be feeling pretty smug right now. Back to the Future, a.k.a. Return of the Microkernel.