API gateway and service mesh company Solo.io started the year with open sourcing BumbleBee, a project meant to help with the creation of eBPF programs.
eBPF is short for extended Berkeley Packet Filter, a technology for running sandboxed programs in an operating system kernel (Linux) without loading kernel modules or changing the source code of the kernel. In recent years, eBPF also gained traction in the container space for observability, security, and networking projects – mainly due to a number of safety mechanisms and for performance reasons. Popular eBPF projects include network connectivity tool Cilium and kernel tracing kit BCC.
eBPF programs can hook into various kernel functionalities such as file operations or network communication and serve as a sort of event handler, which makes them a good choice for use cases in which insight into system processes is required. BumbleBee is meant to help with creating and distributing eBPF programs through automatic generation of user space components and helpers for building and storing programs as OCI images.
According to Solo.io founder Idit Levine, BumbleBee was developed to tackle recurring challenges when using eBPF for enhancements to the company’s service mesh. She also describes it as bringing “a docker-like experience for automating critical steps” to the eBPF programming process.
Users interested in the tool can install BumbleBee via an install script, go, or get the Apache-2-licensed code from the Releases section of the project’s GitHub repository. To get help with creating a new eBPF program, they then have to run the
bee init command. BumbleBee will go on to pose some questions regarding the kind of program it is supposed to create code for and come up with a corresponding template in a next step.
The project currently only supports writing code in C, though Rust is planned to be added as well. The choice of programs possible is restricted to either network or file-system based programs for now, with users being able to select between ring buffers and hash maps for communication between user and kernel space. Out of the box, output can be emitted in the form of text/logs (print output type) or counter and gauge type metrics. Future releases might also see the addition of histograms.
Once the init process is done, developers get a (nicely commented) basic code scaffold to which they can add the code needed to implement the wanted kernel functionality. The result can be turned into an OCI packaged image for sharing by running the
bee build command, which can then be tagged and pushed to a registry with
bee tag and
bee push – similar to Docker. Running an eBPF program also follows the Docker syntax, meaning a
bee run followed by the name of the generated probe will let you check whether the newly created code does what it should.
Additional resources for the BumbleBee project can be found in the project’s repo.