eBPF (formerly known as extended Berkeley Packet Filter) has become a foundational technology in the Linux kernel and is gaining a lot of traction. At Red Hat, we have been supportive of eBPF since its introduction and have adopted the technology throughout our portfolio. With eBPF continually evolving with new capabilities and spanning more and more domains, this article provides a high-level overview of the way eBPF is integrated in Red Hat products, and outlines the options available to you for creating your own eBPF-powered solutions.
Red Hat's adoption of eBPF
Red Hat first introduced the technology to Red Hat Enterprise Linux (RHEL) 7 as a technology preview. We regularly contribute to various eBPF-related upstream projects, including the Linux kernel eBPF subsystem, bpftrace, and xdp-tools.
Since then, we have actively supported eBPF in RHEL, prioritising backports of the full upstream feature set for the newest RHEL releases. Today, this means that in the latest major release of RHEL, the eBPF subsystem is regularly synchronized with its upstream counterpart, ensuring users benefit from the latest features and improvements. For preceding releases, such as RHEL 9, critical fixes and security updates are consistently backported from upstream to maintain stability and reliability.
Besides providing an up-to-date eBPF infrastructure as an integral part of the platform (RHEL) and the layered products based upon it (such as Red Hat OpenShift), several Red Hat products use eBPF as the underlying technology. Among these, the most important are:
- Red Hat OpenShift uses eBPF in its network observability operator (GitHub repository) and ingress node firewall operator (GitHub repository).
- The advanced cluster security operator relies on eBPF for collecting runtime cluster information.
- The bpfman manager has been available as a developer preview in Red Hat OpenShift since version 4.16.
- The Kepler Project for measuring energy consumption of cluster components, whose development is led by Red Hat, uses eBPF to collect the necessary data.
- The Performance Co-Pilot toolkit features plug-ins for using eBPF to collect system performance metrics (see Monitoring eBPF-based metrics for more details).
- The systemd init system and the NetworkManager daemon used in RHEL both use eBPF to implement firewall and network filtering capabilities.
A note on RHEL kernel version numbers
As mentioned above, the eBPF subsystem in RHEL kernels is regularly synchronized with its upstream counterpart. However, the RHEL kernel does not follow upstream versioning. Instead, its version number is fixed at the first release of a RHEL major version (for example, 6.12.0 for RHEL 10) and only the release number (for example, -123) is gradually increased afterwards. This means that it's not obvious from the version number which eBPF features are supported in a particular RHEL version.
To help with this, the exact corresponding upstream version along with the list of the most significant features can be found in the release notes of each minor RHEL release (for example, see RHEL 9.6 Release Notes).
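The versioning scheme described above can be made concrete with a small parser. This is an added example, not Red Hat code: the function names are hypothetical and the `uname -r` strings are constructed samples. It shows why a base-version comparison says nothing about eBPF features on RHEL and why only the release number orders two builds of the same major version.

```python
import re
from typing import NamedTuple, Optional, Tuple

# RHEL-style `uname -r` string: <base>-<release>.el<major>[_<minor>][.<arch>]
_RHEL_RE = re.compile(
    r"^(?P<base>\d+\.\d+\.\d+)-(?P<release>\d+(?:\.\d+)*)"
    r"\.el(?P<major>\d+)(?:_(?P<minor>\d+))?(?:\.(?P<arch>\w+))?$"
)

class RhelKernel(NamedTuple):
    base: Tuple[int, ...]      # frozen at the first release of the RHEL major version
    release: Tuple[int, ...]   # the part that increases as backports land
    major: int                 # RHEL major version taken from the .elN tag
    minor: Optional[int]       # RHEL minor version, when the tag carries one

def _ints(dotted: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in dotted.split("."))

def parse_rhel_kernel(uname_r: str) -> Optional[RhelKernel]:
    """Return the parsed fields, or None if this is not a RHEL-style release string."""
    m = _RHEL_RE.match(uname_r.strip())
    if m is None:
        return None
    minor = m.group("minor")
    return RhelKernel(_ints(m.group("base")), _ints(m.group("release")),
                      int(m.group("major")), int(minor) if minor is not None else None)

def base_version_is_informative(uname_r: str) -> bool:
    """False for RHEL kernels: the base version does not track the eBPF feature set."""
    return parse_rhel_kernel(uname_r) is None

def compare_builds(a: str, b: str) -> int:
    """Order two RHEL kernels of the same major version by release number (-1, 0, 1)."""
    ka, kb = parse_rhel_kernel(a), parse_rhel_kernel(b)
    if ka is None or kb is None or ka.major != kb.major:
        raise ValueError("need two RHEL kernels from the same major version")
    return (ka.release > kb.release) - (ka.release < kb.release)

# Constructed sample strings, not taken from real systems.
OLDER = "6.12.0-55.9.1.el10_0.x86_64"
NEWER = "6.12.0-123.el10_1.x86_64"

if __name__ == "__main__":
    for s in (OLDER, NEWER, "6.12.5-200.fc41.x86_64"):
        print(s, "->", parse_rhel_kernel(s), base_version_is_informative(s))
    print("compare_builds(OLDER, NEWER) =", compare_builds(OLDER, NEWER))
```

Tooling that gates eBPF functionality on a kernel version check should treat a non-`None` parse result as a signal to consult the RHEL release notes for the corresponding upstream version instead.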
eBPF tools available in RHEL
We include a number of libraries and tools for writing eBPF programs in Red Hat Enterprise Linux. The most important ones are:
- libbpf: The canonical C library that provides many abstractions for writing eBPF programs and a stable API for their management. Because libbpf is developed as part of the kernel source tree, it always contains the latest features.
- bpftrace: A high-level tracing language that lets you write short scripts, which are then transformed into eBPF applications. It is mostly focused on system tracing and observability. Thanks to its simplicity, it is often the first choice when entering the eBPF world.
- BPF compiler collection (BCC): A framework for writing eBPF programs in Python and Lua. BCC comes with a large set of tools ready for immediate use.
- xdp-tools: A collection of utilities and libraries for developing networking eBPF programs using express data path (XDP).
Further reading
For more in-depth information on eBPF as a technology, you can visit eBPF.io and the Linux kernel documentation on eBPF. For more information on how to write eBPF applications, read eBPF application development: Beyond the basics and Using eBPF to attribute packet drops to netfilter rules. For detailed technical documentation of eBPF, refer to eBPF docs.
What's next?
As mentioned at the outset, this article is only a starting point. In future articles, we'll describe various eBPF tools and projects, as well as concrete examples of how to use eBPF in Red Hat systems.