eBPF | Honeycomb


eBPF is a technology that allows the Linux kernel to be extended and perform additional tasks without needing to change the kernel source code or load more modules. eBPF works for both user and OS applications and can apply cross-cutting tasks such as observability, security, and networking functionality. It is highly efficient because the operating system executes its extended capabilities by using a Just-In-Time (JIT) compiler.

eBPF programs are executed when configured kernel or application hook points are triggered. Pre-defined hooks include system calls, function entry and exit, kernel tracepoints, network events, and several others. If a pre-defined hook does not exist, additional kernel probes (Kprobes) or user probes (Uprobes) can be created to attach eBPF programs almost anywhere in kernel or user applications.

How eBPF Impacts Observability 

Typically, applications use language-specific instrumentation libraries to generate application telemetry for generic tasks like routing HTTP traffic, executing SQL queries, counting number of requests, and capturing logs. Developers can add instrumentation libraries to an application either by using an automatic instrumentation tool to automatically configure them or by adding them manually during application start-up, which requires code changes.

Because using an automatic instrumentation tool does not require code changes, generally, you can implement automatic instrumentation more easily than manually-configured instrumentation. Unfortunately, not all languages have an automatic instrumentation tool, so sometimes developers must configure instrumentation libraries manually.

For applications written in languages lacking automatic instrumentation tools, using eBPF allows developers to still experience a low cost way to implement observability. You can leverage eBPF to generate telemetry outside of the application space by using kernel probes to detect when specific actions are being executed, such as network activity. In addition, eBPF probes have access to system resources that applications typically do not, such as memory and CPU utilization, network interface connection usage and metrics, and more.

How eBPF Works With OpenTelemetry 

OpenTelemetry is developing an automatic instrumentation tool for Golang using eBPF. The first release should include a small subset of the functionality provided by the OpenTelemetry instrumentation libraries available in Go–hooks to instrument HTTP clients/servers, gRPC clients/servers, and the gorilla/mux HTTP router–but more should be added in the future.

Automatic instrumentation tools for other languages, such as C++ and Rust, using eBPF may also be developed in the future.

Honeycomb is committed to working with the OpenTelemetry community to contribute and advance the automatic and manual instrumentation experience for all users and languages.