eBPF Beyond Networking: Creative Uses of eBPF to Extend the Kernel Functionality
CEME 1210 | Fri 07 Aug 4:30 p.m.–5:15 p.m.
Presented by
-
Rafael is a software engineer who has been building systems software in C++ and contributing to open source projects since 2005. He is a maintainer of OpenTelemetry eBPF Instrumentation (OBI), where he works on eBPF-based application observability and auto-instrumentation. Prior to OBI, he contributed to Grafana Beyla before its donation to the OpenTelemetry project.
Earlier in his career, Rafael worked extensively with the Qt project, serving as the maintainer of Qt's QNX integration plugin and contributing to QtCore, QtMultimedia, Qt Creator, and qmake. While at Blackmagic Design, he architected a declarative UI framework for the company's embedded real-time operating systems, laying the foundation for interfaces used across products including digital cinema cameras and ATEM switchers.
His work has often sat at the boundary between applications and operating systems, spanning embedded user interfaces, developer tools, kernel-level instrumentation, and observability systems that help explain what software is really doing.
-
Nikola Grcevski has worked as a software engineer for more than 20 years, mostly in the field of compilers, managed runtimes and performance optimization. Most recently he has been working on low-level application instrumentation with eBPF at Grafana Labs. He's currently a maintainer of two OpenTelemetry projects: OpenTelemetry eBPF Instrumentation and OpenTelemetry Injector.
Abstract
eBPF is often associated with networking, security, and performance analysis. Those are still some of its most visible uses, but modern eBPF gives us enough hooks to build tools that understand application behavior across several layers of the system.
This talk uses OpenTelemetry eBPF Instrumentation (OBI) as a case study, but the focus is eBPF rather than OpenTelemetry. We will look at how OBI combines different eBPF program types to connect things that normally live in separate worlds: processes, sockets, syscalls, protocol payloads, request metadata, and distributed trace context.
The talk will cover how eBPF can be used to discover application traffic, track socket lifecycles, detect protocols, associate network activity with processes, augment application standard output and correlate requests across services. We will also look at one of the stranger tricks in OBI: propagating context by intercepting traffic and injecting trace information without modifying application code.
The goal is to show how eBPF can be used as a practical instrumentation toolkit, where the interesting part is not one hook or one program type, but how several of them can be combined to make sense of real applications.