-
-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
73 additions
and
87 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,103 +1,37 @@ | ||
| # Bpftime: A High-Performance User-Space eBPF Runtime | ||
| # Introducing bpftime: Revolutionizing eBPF Runtime in Userspace for Enhanced Performance and Flexibility | ||
|
|
||
| Yusheng Zheng, Tong Yu | ||
|
|
||
| Today, we are thrilled to introduce Bpftime, a Open-sourced full-featured, high-performance eBPF runtime, designed to operate in user space. It supports eBPF kernel features like uprobe, syscall trace, can be attached to other process, having a shared interprocess map, with LLVM jit, a handcrafted x86 jit. It also can be used with existing eBPF toolchains like libbpf and clang without any changed. | ||
| In the evolving landscape of system-level programming, Extended Berkeley Packet Filter (eBPF) has emerged as a cornerstone, transforming how we interact with Linux kernels. However, its potential in kernel space is often hampered by inherent limitations. Enter bpftime: a revolutionary eBPF runtime that operates in userspace, breaking free from these constraints. This blog post delves into bpftime, a high-performance, feature-rich solution designed to optimize and simplify Uprobe and Syscall hook processes. By leveraging advanced techniques like binary rewriting, bpftime not only enhances performance but also ensures efficient and safe hooking capabilities, redefining the eBPF landscape. | ||
|
|
||
| It can speed up eBPF programs by 10x compared to kernel uprobes, and can be used in embedded systems, IoT, edge computing, smart contracts, and cloud-native solutions. | ||
| ## Why we need bpftime | ||
|
|
||
| The github repo is: <https://github.com/eunomia-bpf/bpftime> | ||
| ## **Key Features of bpftime** | ||
|
|
||
| ## Bpftime vs. Alternatives | ||
| - Discuss the innovation of Uprobe and Syscall hooks via binary rewriting, emphasizing how this technique differs from traditional methods. | ||
| - Present data or scenarios demonstrating bpftime's superior performance compared to kernel uprobe. | ||
| - Highlight its compatibility with existing eBPF toolchains, making it an accessible upgrade for developers. | ||
|
|
||
| ### WebAssembly (Wasm) in User Space | ||
| ## **Technical Innovations in bpftime** | ||
|
|
||
| While Wasm has its advantages, it also comes with limitations: | ||
| - Explain the significance of JIT (Just-In-Time) support and how it contributes to cross-platform compatibility. | ||
| - Emphasize the non-intrusive nature of bpftime, allowing it to run without instrumentation and in tandem with kernel eBPF. | ||
|
|
||
| - High performance costs due to security concerns with external APIs like Wasi, which require additional validation and runtime checks, often necessitating extra memory copies. | ||
| - Manual integration needed, with embedding in compile times instead of dynamic uprobe/kprobe. | ||
| - Less adaptable to API version changes due to lack of BTF CO-RE support. | ||
| - Reliance on underlying libraries for complex operations. | ||
| ## **Use Cases and Applications** | ||
|
|
||
| ### eBPF in Kernel Space | ||
| - Provide examples of how bpftime can be applied in real-world scenarios, such as system monitoring and software development. | ||
| - Discuss the potential impact of bpftime on these fields, underscoring its practical benefits. | ||
|
|
||
| The kernel space eBPF also presents its own set of challenges: | ||
| ## **Getting Started with bpftime** | ||
|
|
||
| - Kernel UProbe implementation necessitates two kernel context switches, resulting in significant performance overhead. | ||
| - Limited features and unsuitability for plugin or other use cases. | ||
| - Running eBPF programs in kernel mode requires root access, increasing the attack surface and posing risks like container escape. | ||
| - Inherent vulnerabilities in eBPF can lead to Kernel Exploits. | ||
| - Offer a step-by-step guide or link to resources for beginners to set up and run a basic bpftime application, making the technology approachable. | ||
|
|
||
| ### Other User-Space eBPF Runtimes | ||
| ## **The Future of bpftime** | ||
|
|
||
| There are other user-space eBPF runtimes available, such as Ubpf and Rbpf: | ||
| - Share insights into ongoing developments and future plans for bpftime. | ||
| - Encourage community involvement, inviting readers to contribute to the project. | ||
|
|
||
| - Ubpf: Ubpf offers ELF parsing, a simple hash map, and JIT for arm64 and x86. | ||
| - Rbpf: Rbpf provides a helper mechanism, x86 JIT, and a VM. | ||
| ## **Conclusion** | ||
|
|
||
| However, it has several limitations: | ||
|
|
||
| - Complex integration and usage. | ||
| - Inability to use kernel eBPF libraries and toolchains like libbpf, bpftrace, or clang. | ||
| - Lack of attach support. | ||
| - Absence of interprocess maps. | ||
| - Limited functionality in user space. | ||
| - JIT support only for arm64 or x86. | ||
|
|
||
| Despite these limitations, existing user-space eBPF runtimes have been used in several innovative projects, including: | ||
|
|
||
| - **Qemu+uBPF**: This project combines Qemu, an open-source machine emulator and virtualizer, with uBPF to enhance its capabilities. You can check out a demonstration in this [video](https://www.youtube.com). | ||
| - **Oko**: Oko extends Open vSwitch-DPDK with BPF, enhancing tools for better integration. More details are available on its [GitHub](https://github.com/oko) page. | ||
| - **Solana**: Solana uses user-space eBPF for high-performance smart contracts. You can explore more on its [GitHub](https://github.com/solana-labs/solana) page. | ||
| - **DPDK eBPF**: DPDK eBPF provides libraries for fast packet processing, further enhanced by user-space eBPF. | ||
| - **eBPF for Windows**: This project brings eBPF toolchains and runtime to the Windows kernel, expanding the reach of eBPF. | ||
|
|
||
| Additionally, user-space eBPF runtimes have been discussed in academic papers like "Rapidpatch: Firmware Hotpatching for Real-Time Embedded Devices" and "Femto-Containers: Lightweight Virtualization and Fault Isolation For Small Software Functions on Low-Power IoT Microcontrollers". | ||
|
|
||
| These projects demonstrate the versatility and potential of user-space eBPF runtimes in diverse areas such as network plugins, edge runtime, smart contracts, hotpatching, and even Windows support. The future of eBPF is indeed promising! | ||
|
|
||
| ## Why Bpftime? | ||
|
|
||
| Bpftime addresses these limitations and offers a host of powerful features: | ||
|
|
||
| - Runs eBPF in user space just like in the kernel, achieving a 10x speedup vs. kernel uprobes. | ||
| - Uses shared eBPF maps for data & control. | ||
| - Compatible with clang, libbpf, and existing eBPF toolchains; supports CO-RE & BTF. | ||
| - Supports `external functions`(ffi) and pointers like kfunc. | ||
| - Includes a cross-platform interpreter, fast LLVM JIT compiler, and a handcrafted x86 JIT in C for limited resources. | ||
| - Can inject eBPF runtime into any running process without the need for a restart or manual recompilation. | ||
| - Runs not only in Linux but also in all Unix systems, Windows, and even IoT devices. | ||
|
|
||
| ## benchmark | ||
|
|
||
| How is the performance of `userspace uprobe` compared to `kernel uprobes`? Let's take a look at the following benchmark results: | ||
|
|
||
| TODO: results | ||
|
|
||
| It can be attached to functions in running process just like the kernel uprobe does. | ||
|
|
||
| How is the performance of LLVM JIT/AOT compared to other eBPF userspace runtimes, native code or wasm runtimes? Let's take a look at the following benchmark results: | ||
|
|
||
| You can find detail benchmark results in [https://github.com/eunomia-bpf/bpf-benchmark](https://github.com/eunomia-bpf/bpf-benchmark) | ||
|
|
||
| ## AI for eBPF Code Generation | ||
|
|
||
| Bpftime is also exploring the use of AI for eBPF code generation. GPT4, with the help of AI agents, can generate eBPF code with up to 80% accuracy. More information about this can be found on: | ||
|
|
||
| - [NL2eBPF online website](https://gpt-2-bpftrace.vercel.app/) | ||
| - [GPTtrace](https://github.com/eunomia-bpf/GPTtrace). | ||
|
|
||
| ## The Future of Bpftime | ||
|
|
||
| The Bpftime project is continuously evolving, with more features in the pipeline: | ||
|
|
||
| - An AOT compiler for eBPF can be easily added based on the LLVM IR. | ||
| - More map types and distribution maps support. | ||
| - User-space eBPF to speed up fuse. | ||
| - eBPF for GPU sharing programs. | ||
| - RDMA with distribution eBPF runtimes. | ||
| - User-space eBPF syscall bypass. | ||
|
|
||
| Bpftime is an open-source project and can be found on [GitHub](https://github.com/eunomia-bpf/bpftime). | ||
|
|
||
| In conclusion, Bpftime is set to revolutionize the tech sphere with its high performance, compatibility with existing eBPF toolchains, and potential for AI-enhanced code generation. Stay tuned for more developments from this promising project! | ||
| - Summarize the transformative potential of bpftime in the eBPF ecosystem. | ||
| - Close with an invitation for feedback and experimentation from the readers. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| # bpftime: 高性能用户态 eBPF 运行时 | ||
|
|
||
| > 郑昱笙,于桐 | ||
| eBPF 是一项革命性的技术,起源于 Linux 内核,可以在操作系统的内核中运行沙盒程序。它被用来安全和有效地扩展内核的功能,而不需要改变内核的源代码或加载内核模块。 | ||
|
|
||
| 在这篇 Blog 中,我们希望向大家介绍一个全新的开源用户态 eBPF 运行时:bpftime[1]。bpftime 进一步拓展了 eBPF 的能力,使现有的 eBPF 工具和应用,例如 BCC tools, bpftrace, Deepflow 等,能够不需要进行代码修改即可在非特权用户空间运行,同时使用和内核 eBPF 相同的库和工具链。 | ||
|
|
||
| bpftime 不仅提供了 Uprobe 和系统调用追踪点等动态追踪或扩展机制,还相比内核 Uprobe 大幅提升了性能,并且和内核 eBPF 一样,无需手动进行代码插桩或重启进程。bpftime 通过用户态共享内存支持进程间 eBPF maps,同时兼容内核 eBPF maps,能够实现与内核 eBPF 基础设施的无缝操作。此外,它包含了针对多种架构的高性能 LLVM JIT/AOT 编译器,以及针对 x86 的轻量级 JIT 和解释器。通过性能数据和实际案例,我们也将展示 bpftime 如何在现实世界中发挥作用,并对其未来发展进行展望,希望 bpftime 能为系统监控、分析和扩展带来前所未有的性能和灵活性。在 Linux plumbers 23 会议上,我们也介绍了 bpftime 的设计和实现[2]。 | ||
|
|
||
| ## eBPF: 从内核态到用户态的系统扩展 | ||
|
|
||
| eBPF(扩展的 Berkeley Packet Filter)从最初的网络数据包过滤工具,已经演变为一个多功能的系统级扩展技术。自从 20 世纪 90 年代 BPF 的诞生以来,eBPF 通过扩展指令集和与内核数据结构的直接互动,显著增强了其功能。2014 年加入 Linux 内核后,eBPF 成为一个强大的字节码引擎,广泛应用于性能分析、安全策略等领域。随着计算环境的复杂化,eBPF 的实时数据采集和分析能力在现代计算中发挥了重要作用,尤其是在流量控制、负载均衡和安全策略等方面。 | ||
|
|
||
| 虽然 eBPF 最初是为内核设计的,但它在用户空间的巨大潜力,以及内核对于 `GPL LICENSE` 的限制,也催生了例如 ubpf[3] 和 rbpf[4] 这样早期的用户空间 eBPF 运行时的产生。这种运行时使开发者能够在内核之外运行 eBPF字节码,突破了 GPL 许可的限制,同时提供了更加直观和方便的调试环境。但是,编写适用于 ubpf 和 rbpf 的程序可能需要一个特定的、和内核不完全兼容的工具链,同时只有有限的单线程哈希 maps 实现,难以运行实际的 eBPF 程序。另外,ubpf 和 rbpf 本身只是一个执行 eBPF 字节码虚拟机,在实际的使用中,依然需要编写胶水代码,和其他用户空间程序进行编译、链接后才能使用,它们本身也不提供动态追踪的功能。 | ||
|
|
||
| 在实际应用中,用户态 eBPF 已被尝试扩展和应用于网络处理、区块链和安全等领域。例如,Oko 和 DPDK eBPF 支持展示了 eBPF 在网络数据处理中的灵活性和性能优势。Solana 项目利用 eBPF 实现了 JIT 编译器,为区块链智能合约执行提供支持。eBPF for Windows 项目则是将 eBPF 功能扩展到 Linux 之外,展现了 eBPF 在跨平台兼容性方面的潜力。这些应用案例不仅展示了 eBPF 强大的系统扩展能力,也突显了它在现代计算领域的重要性和广泛适用性。 | ||
|
|
||
| ## 为什么我们需要 bpftime | ||
|
|
||
| 由于操作系统内核的核心作用以及对稳定性和安全性的高要求,操作系统内核的创新和演化相对来说较慢,这也是 eBPF 出现的初衷:在不改变内核源代码的情况下,扩展内核的功能,并进一步带来更多的创新性应用场景[5]。这也是我们希望 bpftime 能够带来的影响:在不改变用户空间程序代码的情况下,借助 eBPF 带来的安全性和生态,探索更多的发展可能性,同时弥补当前内核态 eBPF, 和用户态其他扩展方案可能的不足。 | ||
|
|
||
| ### 内核态实现用户态追踪(Uprobe)的局限性 | ||
|
|
||
| ### 内核态 eBPF 安全性和扩展性的限制 | ||
|
|
||
| ### 其他用户空间扩展方案的不足 | ||
|
|
||
| ## bpftime 能做什么? | ||
|
|
||
| ## 性能数据和使用案例 | ||
|
|
||
| ## 下一步 | ||
|
|
||
| ## 总结 | ||
|
|
||
| ## 参考资料 | ||
|
|
||
| [1] bpftime Git repo: <https://github.com/eunomia-bpf/bpftime> | ||
| [2] bpftime Linux Plumbers talk: <https://lpc.events/event/17/contributions/1639/> | ||
| [3] ubpf: <https://github.com/iovisor/ubpf> | ||
| [4] rbpf: <https://github.com/qmonnet/rbpf> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # bpftime talk draft | ||
|
|
||
| ## Introduction | ||
|
|
||
| ## Background | ||
|
|
||
| In this section, we will delve into the foundational concepts that underpin our discussion in the subsequent sections. | ||
|
|
||
| ### eBPF in Kernel | ||
|
|