eBPF’s Abilities and Limitations: The Truth - Liz Rice & John Fastabend, Isovalent

00:00

good morning thank you so much for

00:02

coming to our session this morning just

00:04

about still morning right uh I hope

00:06

everybody's able to find a seat if you

00:08

have got a seat next to you maybe

00:10

shuffle along and and let people in uh

00:13

yes so my name's Liz rice uh myself and

00:17

John here do you want to say hi yeah hi

00:19

my name is John fman I'm engineer night

00:21

surveillance and excited to talk about

00:23

BPF today I've been you know working on

00:25

it for almost 10 years now so hopefully

00:27

you guys get as excited as um as I am

00:30

yeah

00:32

so I mean as John says he's he works in

00:34

the Kel right he is a proper expert in

00:39

ebpf let's just quickly recap to make

00:42

sure everybody understands what we're

00:43

talking about with ebpf it allows us to

00:46

run custom programs in the

00:49

kernel so we can change the way the

00:52

kernel behaves by loading ebpf programs

00:55

there and attaching them to events why

00:57

is the kernel interesting well the

01:00

kernel is the part of the operating

01:01

system that is involved whenever we're

01:04

doing anything with Hardware so if

01:06

you're accessing a file or sending

01:09

receiving over a network or uh even

01:12

allocating memory the Kernel's going to

01:15

be involved the Kernel's also um

01:18

managing the processes running on a

01:20

system so it's looking after things like

01:22

permissions and privileges so the kernel

01:25

is involved in pretty much everything

01:27

interesting with ef we can change the

01:30

way that it

01:32

behaves so already there are lots of

01:36

really great infrastructure tools built

01:40

using ebpf I mean we're both very

01:42

involved in psyllium and uh cium sub

01:44

project tetragon doing things like

01:47

networking security observability there

01:51

are also loads of other great projects

01:53

out there and great products out there

01:55

that are doing things in these kind of

01:57

infrastructure tooling spaces

02:02

but sometimes you'll hear statements

02:04

that give the impression that there are

02:07

limits to what you can do with ebpf so

02:11

for example we've heard people saying

02:13

yeah you can't really Implement like

02:16

layer seven paing that's just too

02:18

complex for ebpf or another thing that

02:21

you'll quite often hear people saying is

02:24

yeah but there are limits to what you

02:25

can do with ebpf because it's not cheer

02:27

and complete right so do we think those

02:30

statements are true well a hint here is

02:34

these things were not said by people who

02:35

are working on

02:37

ebpf we're going to explore these kind

02:40

of statements

02:42

today so I've said the term cheering

02:45

completeness this is not going to be a

02:47

computer science class it's not going to

02:49

be like super pedantic about

02:52

terminology but really what true

02:55

incompleteness about is about is can we

02:58

process some on arbitrarily complex task

03:02

can we process an arbitrary amount of

03:05

data can we continue processing for an

03:09

unbounded amount of time do we have the

03:12

ability to store States so that we can

03:15

continue sort of process state so this

03:17

is broadly speaking what true

03:20

incompleteness is about

03:23

right so I I think it's interesting um

03:26

just to talk a little bit about some

03:28

concrete examples right I mean we could

03:30

talk about the like mathematical

03:32

formulation of turn complete but that's

03:34

perhaps not interesting to everyone here

03:36

so like typically when we think about

03:38

turning completeness people really

03:39

talking about like your general purpose

03:41

languages C C++ Java python go all the

03:45

things that we um programmers love um

03:48

but I I also want to point out that

03:49

there's a lot of like really also

03:51

interesting but maybe less interesting

03:53

for programmers you know nobody really

03:55

wants to write um your uh application in

03:59

the one instruction set computer so

04:02

that's a totally valid turing machine it

04:05

is Turing complete but you know try to

04:07

write a proxy with just the move

04:10

instruction and it might not be quite as

04:12

fun as you want um another example is

04:14

The Game of Life that will go back to

04:16

but there's just loads of these things

04:18

and you know the the point is try not to

04:20

equate I think turn completeness um with

04:22

sort of usefulness as a programming

04:24

language to um you know developers right

04:28

um I also want to note that there's some

04:30

like actual benefits of not being fully

04:32

tur and complete sometimes um you might

04:34

be interested for example in having a a

04:37

parser um that is bounded and why would

04:40

you want that you might want that

04:42

because you don't want to receive a

04:43

packet and then have your parser Loop

04:45

forever really would like the thing to

04:47

stop at some point um you know it's the

04:50

same way like in BPF space where we do

04:51

like CIS call and tetron we'll watch CIS

04:53

calls or watch kernel functions right we

04:55

really like to have an upper bound on

04:56

the time that we're going to kind of

04:58

impact the application or the operating

05:00

system and when you do that you want to

05:02

say like it's really nice to say you

05:04

know this will not run longer than a

05:06

millisecond or you know 500 NCS or

05:08

something like this right and that

05:10

really is not touring Complete because

05:11

we're putting a bound on that

05:13

environment but um there you know

05:16

there's really concrete advantages to

05:17

that as well so just want to you know

05:19

kind of lay that out there and and kind

05:21

of give you some examples of of turning

05:23

complete things that are both useful and

05:24

not useful and an example of maybe why

05:26

you you know would want some bounded

05:28

properties as well

05:30

and true and completeness talks about an

05:32

infinite tape right and there is no

05:35

infinite tape in the world so in reality

05:37

we're always dealing with just large

05:39

rather than infinite yep

05:42

exactly so that previous slide mentioned

05:45

Conway's Game of Life and this is an

05:47

example of something that's cheering

05:48

complete so this is something that uh

05:52

every step it it goes through

05:54

generations every step and each of those

05:58

steps the state of one cell is

06:01

determined by it the state of the

06:03

previous state of the cells around it so

06:06

it's a little bit like an actual living

06:08

cell if the cell has no uh living cells

06:12

around it it's going to die of

06:14

loneliness if it has too many cells

06:16

around it that are alive it's going to

06:18

dive overcrowding but if it's got the

06:20

right number of cells uh around an empty

06:22

space the cell will actually uh come to

06:25

life so this is an example of something

06:27

that can kind of go on for ever

06:30

generating these

06:33

patterns very kind of common example of

06:35

something that's uh used as an

06:37

equivalent of cheing completeness yeah

06:40

so if this is an example of something

06:41

that's cheing complete is it something

06:44

that we can write in

06:47

ebpf and one reason why you might

06:50

think I don't think it can is because of

06:53

this thing the ebpf

06:56

verifier so when you load a program into

06:58

the kernel the verifier is going to run

07:02

o over this program and analyze the

07:04

program and establish whether it's safe

07:07

to run and one of the things I would

07:09

normally say when I talk about whether

07:11

it's safe to run I'll say it's not going

07:13

to crash the kernel but I would also say

07:15

that it's going to run to completion we

07:17

might pause on that

07:20

later you want to dive intoit more what

07:23

what it's really doing yeah yeah so I I

07:26

think um users of ebpf or or even people

07:29

that are in the stack you know they

07:31

might think about the verifier as this

07:32

kind of thing that is there stopping you

07:34

from writing interesting programs

07:36

perhaps um as a konel developer though I

07:40

want to kind of lay out what do we as

07:42

developers of the Kel that we want to

07:44

ensure that the Colonel's safe to run

07:45

and all this kind what do we think the

07:47

verifier is doing right and and

07:48

specifically this is kind of my criteria

07:51

um you know the first thing we always

07:52

want to do when we load a BPF program in

07:54

to the colonels we want to make sure

07:55

that we can only read memory that is

07:57

allowed by that program and by your

08:00

permissions that you have when you load

08:01

that program and and BPF has a whole

08:03

series of places you can hook in the

08:04

kernel you can hook kernel functions you

08:06

can hook the networking stack um you can

08:08

even hook user space and and depending

08:10

on where you hook you'll have different

08:12

permissions on what kind of memory you

08:13

can read right so we want to make sure

08:15

that your program is only reading memory

08:16

it's supposed to and we definitely 100%

08:19

want to make sure that you're only

08:20

writing to memory that you're allowed to

08:22

you know want to make sure that you're

08:23

not writing to random spots in memory

08:24

you're only writing to you know valid

08:26

locations in your vpf program um the

08:29

next one is we want to make sure that

08:30

the control flow is well formed and that

08:33

it's valid and in bounds we don't want

08:34

you to jump your BPF program off into

08:36

the kernel somewhere and run an

08:37

arbitrary code and crash the kernel

08:39

right don't want to make sure that

08:40

happens and I think the fourth Point

08:42

here is really interesting because we'

08:44

we've actually evolved this over time

08:46

it's like what does it mean for ebfp

08:48

programs to be bounded in the kernel and

08:51

if you think where the original BPF that

08:53

meant the program ran to completion but

08:56

over time we've sort of evolved BPF now

08:59

BPF programs know how to sleep we know

09:01

how to do callbacks and iterations we

09:03

know how to keep a program running and

09:05

we'll go into that in a little bit um

09:07

and really what we want to verify in the

09:09

verifier is that we don't get a Program

09:12

stuck on the CPU so long that it looks

09:14

and feels like the system is hung right

09:16

and for kernel developers or or people

09:19

that are really system level programmers

09:20

I think this is a sort of intuitive

09:22

concept because you've been writing in

09:23

this low level if you're if you're a

09:25

higher up in the stack and maybe an

09:26

application programmer or um kind of a

09:29

distrib systems programmer somewhere in

09:30

there it may be foreign because um you

09:33

don't have to worry about this stuff

09:34

because the OS is doing all the context

09:36

switching right you you never in never

09:38

write an application in user space C++ C

09:41

go whatever where you go like at this

09:43

point I need to make sure that I release

09:45

the CPU right because the the OS just

09:47

deals with that for you right once you

09:49

get yourself into the kernel into you

09:50

kind of the deep system stuff you really

09:52

need to um tell the OS when it's okay to

09:57

um to let your program off the CP view

09:59

right the reason we do this is really if

10:01

you're in an interrupt context if you're

10:03

uh trying to write some kind of locking

10:05

and stuff like this we can't just you

10:06

know release it um at any arbitrary

10:09

Point um and then the last thing we want

10:11

to do with the verifier is we want to

10:12

make sure like locks and references are

10:13

all accounted for and that that's sort

10:14

of a an accounting detail but it's

10:16

important if you're going to like

10:17

reference a socket or reference a file

10:20

um walk a path you want to make sure

10:21

that those things exist when you're

10:23

doing that and that's just a um kind of

10:25

a correctness property so th those are

10:27

the things um you know that

10:30

that I think about when I'm working on

10:31

the verifier or improving the verifier

10:33

um over time

10:35

so and I think as we'll see later this

10:37

idea that ebpf continues to evolve and

10:40

continues to improve over time because

10:42

of the work that people like John are

10:44

doing this is why we're able to perhaps

10:48

do more with ebpf than you might imagine

10:50

because it continues to improve yeah so

10:54

all right John can we run Game of Life

10:56

in ebpf all right we're gonna give it a

10:58

try here because we like to do demos so

11:01

what you see here is um this is just

11:03

basically tetragon um but we added a new

11:05

sensor to tetragon called Game of Life

11:09

all right and so we're going to kick it

11:12

off um what it did here is it just

11:14

iterate created the very similar to what

11:16

Liz just showed you with that um web app

11:19

is it created a a

11:21

map filled in some cells with some

11:23

random pattern and we could load it from

11:25

a BPF map or something if we wanted to

11:27

but for the for the demo it's just a

11:28

random map

11:29

and now it's running and it's there it

11:33

goes all right so while that's running

11:35

Let's uh dig into how you were able to

11:38

get this to to work

11:41

yeah so this is just a brief I'm not

11:43

going to go into all the details of

11:45

everything here but this is basically

11:47

the core um code that is running right

11:50

now in the background and we'll get back

11:52

to it but the important pieces I do want

11:54

to call out is that very far left for

11:57

you guys is do game this is our core

12:01

game logic for life here and you can see

12:03

kind of three things we copy the cell

12:05

map it's basically taking the Old State

12:07

copying it into the new state so that we

12:09

have a good State for the next iteration

12:12

we do the next iteration which is all of

12:14

those rules are run that Liz was talking

12:16

about you check to see if your um if

12:18

your neighbors are alive Al or you

12:20

create a new cell or you remove a new

12:22

cell so that's the sort of the business

12:24

logic of this program and then we send

12:26

an update all right so what the update

12:29

it does is it sends that map State up to

12:31

user space you know unfortunately you

12:34

know I don't have a a BPF Graphics

12:37

Library yet so you know if somebody's

12:40

interested and they have like a GPU

12:41

Shader from BPF or something to come

12:43

talk to me let's make it happen but I

12:46

couldn't do it from BPF so I had to send

12:47

the map up to user space slightly

12:50

disappointing but doesn't really impact

12:51

you know the the logic of the game right

12:54

so the user space is actually taking

12:55

that BPF map and just drawing it on the

12:57

screen there is what you were seeing and

12:59

then the last piece is this run next

13:01

which just reruns the business log but

13:03

goes back to the beginning of du game

13:04

and runs it again every two seconds all

13:06

right and we'll talk about how that

13:08

happens other slides you can get to in

13:10

in your in your spare time later if

13:11

you're

13:12

interested so you may have heard that

13:16

ebpf programs are limited to only a

13:19

small number of instructions so maybe

13:21

let's dive into that yeah um this is you

13:24

know what what's really interesting here

13:26

is you know when we first landed BPF and

13:29

414 um back in like 2015 kind of the

13:32

first

13:33

iterations um we really started at 4,000

13:37

instructions and like why did we pick

13:39

4,000 instructions because it seemed

13:40

like a good number it's you know Colonel

13:42

developers like you know like numbers

13:44

with k at the end of them 496 sounds

13:46

good right

13:48

um that was interesting but we very

13:50

quickly realized that you know 496 is

13:53

kind of small right you might want more

13:55

instructions um and the the other thing

13:57

I think is important

14:00

why do we have to have a limit was not

14:03

primarily because um we need the program

14:05

to terminate in some finite time and we

14:07

decided 4K instructions was a good

14:09

amount of time but I think it's really

14:11

if you think about it we have to verify

14:12

that program and we really want to make

14:14

sure that when you load a program into

14:15

the kernel it takes some reasonable

14:19

amount of time you know less than a

14:20

second right if you loaded a 20 million

14:24

um line code program perhaps maybe it

14:27

would take 20 seconds and you know we

14:28

kind of thought well a long time right

14:30

so keep it bounded but at one some point

14:33

we decided that 4K was just too limiting

14:35

people want to write things that are

14:36

bigger than 4K and so in 54 Colonels we

14:39

went to 1 million um and and kind of

14:43

beefed up that allow allowable

14:46

limit um just kind of follow up you

14:49

might wonder like that's interesting

14:51

John but give me some kind of reference

14:53

you know like how many instructions

14:54

really is a million instructions and so

14:56

what I did is just this is kind of a

14:58

napkin approach you know know go look at

15:00

a few programs I had on my laptop of

15:01

course I had Doom right got to have Doom

15:03

there so you know I took a look it's you

15:06

know less than a,k instructions for a

15:08

for a basic kind of Doom clone if you

15:11

think of the like the original Dune and

15:13

then I had Envoy on my system because um

15:15

you know we work on celium and tetragon

15:16

and that uses Envoy as a kind of one one

15:19

option for doing proxies I took a look

15:21

15 million instructions and then clang

15:25

uh you know compiler stuff 26 million

15:27

instructions so that's kind of where

15:28

we're at

15:29

um you know you might come back and say

15:31

okay Doom is only maybe less than a

15:33

thousand 100,000 instructions but John

15:35

it might have some Loops how are you

15:36

going to deal with that right and then

15:38

stay tuned we'll talk about how to get

15:40

these kind of much larger cases going

15:43

forward so there's also this idea that

15:47

and it was true in the early days that

15:49

you couldn't do loops in BPF because you

15:51

were only able to jump forwards in a

15:53

program yeah so this was something that

15:55

we put in and it not because necessarily

15:58

PF like um folks that were working on

16:00

BPF thought hey Loops are somehow bad it

16:03

was purely like the verifier needs to

16:05

somehow ensure that this isn't going to

16:07

run forever right um and that was the

16:10

early days and so we simplest thing to

16:14

do is look at your program and ensure

16:16

that you don't have any jumps to code

16:18

that you've already been to right we

16:20

want to make sure that the program

16:21

control flow is a d basically a graph

16:24

and no Loops in that graph um so early

16:28

PR programming what we did is we did

16:30

something called called an unroll

16:31

basically you tell the compiler I'm not

16:34

allowed to do loops please just cut and

16:35

paste this code right it'd be very

16:37

similar to a developer just doing like

16:38

cut cut paste their Loop many many times

16:42

you kind of do that but you can see very

16:43

quickly that you're not going to be able

16:45

to get things to to run very long right

16:48

especially in 4k instructions but even

16:49

with a million instructions you know

16:51

you're kind of only so much can be

16:55

done yeah so clearly not a not an

16:57

approximation of forever right when

16:59

you're kind of in this space um the next

17:03

piece here is we

17:04

have we as we were evolving BPF this

17:08

became a very obvious sort of limitation

17:11

right the fact that the limitation in

17:13

two way two ways I'd say is one is it

17:15

makes it hard to write programs and two

17:16

it makes it hard for the compiler to

17:17

compile things you know optimize your

17:19

code basically so we added Loops this is

17:22

this allows the verifier to look at a

17:24

loop and verify that that Loop is going

17:25

to terminate um and then we added an

17:28

actually helper call for cases where you

17:31

want the BPF program to do a loop but

17:33

the compiler human and verifier are

17:34

having trouble all agreeing on how that

17:36

Loop is going to look like actually and

17:38

if you think about the assmbly code and

17:39

object code when it's loaded in the

17:41

compiler and once you have this you can

17:42

write statements like that at the bottom

17:44

where you have a four Loop H here is a

17:46

um is a you know kind of a pound Define

17:49

or a global variable that tells you the

17:50

max loop size and and the verifier is

17:52

perfectly happy with this um today so

17:55

that's we're allowed to Loop but we're

17:57

not allowed to Loop indefinitely at this

17:59

point right correct yep that's why we

18:00

have that Max there and so if you just

18:03

kind of take a layout of what kernels

18:05

these were added in you know you 414 and

18:07

419 we had our kind of basic cut and

18:09

paste model 54 we added Loop support so

18:12

the colonel could figure out how if

18:14

these Loops are going to terminate 515

18:16

made a bunch of technical improvements

18:17

to that so the verifier got much better

18:19

at finding these things and then 61 we

18:21

added this um call that you can do to

18:23

basically you as the human can tell the

18:26

verifier through the compiler that hey

18:28

this is going to be a loop please take a

18:30

look at it and make sure that it

18:31

terminates yeah and I just wanted to

18:33

call this out because um you know we

18:34

have people working on this the the BPF

18:36

site is just evolving continuously so

18:39

there's another type of loop coming

18:40

we're not going to talk about it here

18:41

find me afterwards if you want but even

18:44

even uh more improved version of looping

18:46

is is on the way

18:49

so Okay so we've

18:51

got a limit to how many uh instructions

18:55

but it's quite a big limit we can Loop

18:58

yeah yeah

19:00

what about these big program what about

19:01

these big programs can we do Envoy or

19:03

Clan could you write in theory a $15

19:05

million 15 million instruction ppf

19:09

program uh that would be great right um

19:13

the thing that is interesting and I I

19:15

think it's it's a choice we made very

19:17

early on in the BPF um kind of verifier

19:19

is we call these things subprograms and

19:22

we said subprograms must terminate

19:25

roughly equivalent a subprogram is is

19:27

really roughly equivalent to a function

19:29

and so the limits are actually on the

19:30

functions not on the entire program and

19:33

as sort of a back a napkin you can do

19:35

like um 31 function calls or 31

19:39

subprograms is what a BPF programmer

19:41

would say and really that gets you up to

19:44

you know 15 million without much trouble

19:46

31 million actually with 31 calls right

19:48

um You can actually do more in the

19:49

kernel depending on where you're

19:50

actually being where you're hooking but

19:53

sort of as a rough estimate we can

19:54

pretty easily get to 31 million

19:56

instructions which is a really big

19:57

program right you can all of clay is not

19:59

even 31 million instructions so give you

20:02

some words of warning you know this uh

20:06

the verifier is getting better and

20:08

better and better and people are working

20:09

on this and making it usable for humans

20:11

um to write code right um but really the

20:13

trick right now is the human's going to

20:15

write the code the compiler's going to

20:17

compile it and the verifier is going to

20:18

verify it and they all need to kind of

20:20

be in sync and understand what's going

20:21

on right um to get the kind of something

20:24

into the kernel right and this is why

20:25

it's just not as easy as it should be

20:27

you know the team is working on this um

20:30

I fully predict that in 5 years 10 years

20:33

something like that BPF will be easier

20:35

and easier to write and and kind of open

20:37

up that that uh number of people that

20:40

are you know willing to dive in and

20:42

really get into the BPF

20:43

space um and then the last thing you

20:46

know if you do go this way and you maybe

20:48

have the right mentality it might be

20:50

addictive you might try to write things

20:52

like Tetris and doom and Quake and Game

20:54

of Life in the kernel um you know the

20:57

utility of that is um kind of great for

20:59

cubec con talks right I'm not sure you

21:02

know like is surveillant Enterprise will

21:05

have a or you know yeah we we're doing

21:06

the I surveillant Enterprise launch of

21:08

Game of Life yeah exactly you heard it

21:10

here first yeah yep um so Game of Life

21:14

you know it goes on forever so what

21:16

about this idea of not

21:19

terminating yeah so this is an

21:21

interesting one right so like if you

21:22

want something to run forever I've told

21:24

you there's a maximum instructions

21:25

you're like well certainly you're going

21:26

to run out of those instructions at some

21:28

point right and this really goes back to

21:30

this kind of carefully worded um point

21:33

in the verifier where we said well it's

21:36

not just that we want the program to

21:38

terminate it's that we want to release

21:40

the CPU that we're on we don't want to

21:42

lock a CPU down and like we said early

21:45

on early kernel versions that meant the

21:47

program terminated there was no

21:49

exceptions to that the program was done

21:51

um but when we evolved the um kind of

21:54

Kernel and BPF and the verifier and the

21:56

compiler as well like all these pieces

21:58

are moving moving forward we developed

22:00

these kind of other ideas of kind of Rel

22:03

other ways to release the CPU um one of

22:06

them was an iterator this is a program

22:08

that can like run over every file in a

22:11

directory right it doesn't matter how

22:12

many files are in there and it'll

22:14

basically ensure that the CPU doesn't

22:16

get locked up right it's been iterating

22:17

for too long it'll release let something

22:20

else run the scheduler will come back

22:22

and say okay BPF program you can run

22:24

again um we've allowed programs to sleep

22:27

now so this is really really useful if

22:29

like you're trying to read some memory

22:30

and it gets the page fold so the memory

22:32

is not in in the page cache so you can't

22:35

just read it because it's not there um

22:38

and so you have to do something called a

22:39

page fault which requires sleeping

22:41

anyways it's it's in the details but

22:43

super important if you're be program

22:45

tries to read some memory and it you

22:46

know you don't want to get a fault we

22:48

added timer call backs this is basically

22:50

a way to say hey I've done something

22:52

useful um I'm going to release my

22:55

program let the OS do something and then

22:57

just call me back at some time you can

22:59

even set this to zero which just looks

23:01

like hey I'm done um but you know I'm

23:04

safe to release but call me as soon as

23:05

you can again

23:08

so and I guess the last thing is you

23:11

know how can an ebpf program allocate

23:14

some amount of memory yeah so the um

23:19

there's really a bunch of different ways

23:20

we can do this but the most obvious one

23:22

is that we have these array maps and the

23:25

maps are basically memory blocks that

23:27

the program can all ate or user space

23:29

can allocate and then give to the

23:31

program and um these can be actually

23:35

quite large the basic limit of these is

23:37

you know like whatever the user space is

23:38

allowed to allocate based on its cgroup

23:41

if it's not in a cgroup they can be more

23:42

or less unbounded and kind of related to

23:44

system memory and all this kind of stuff

23:45

we have some limits but those are tied

23:47

to like how much RAM you have in your

23:48

system right same type of thing that a

23:51

user space application has you can't

23:52

allocate more memory than you know your

23:54

system has available right so so we

23:57

could pot entally have a pretty big

24:00

absolutely uh sort of field of play for

24:03

our game yeah yeah and you know even you

24:05

know four gigabytes we've sort of

24:07

optimized this case in newer kernels to

24:09

allow applications up to four gigabytes

24:11

of virtual memory um amazing stuff so

24:15

with all of these component pieces put

24:17

together we've really avoided the

24:19

limitations right we don't have uh we

24:22

well we don't really have an effective

24:24

limit on how many instructions we don't

24:26

have an effective limit on how many time

24:28

times we can call a loop effectively

24:31

because we can use these timer call

24:32

backs shall we see if it's still running

24:35

what do you think is it still

24:37

running yeah so see how good I I am at

24:40

programming right if it's still running

24:42

or if it's still going so here you go

24:45

looks like it's still up and running um

24:48

you can see it's still doing its thing

24:50

um and if you go back to kind of some of

24:51

the details um I think we can talk for a

24:54

couple seconds here basically if you

24:56

think about that first program that was

24:58

doing in that due game you know what we

25:00

see here is it does a copy of the last

25:03

state into the new state runs the logic

25:06

that's what moves all these kind of

25:08

fields around on the screen right and

25:11

then um sends it up to user space and

25:14

then this is the user space just kind of

25:17

printing the dots you know one's on zero

25:20

is off printing the dots on the screen

25:22

and you can see it kind of it keeps

25:23

evolving over time every every two

25:25

seconds is the limit um just so that you

25:27

all can see it

25:28

um so there it goes and it's it's still

25:31

going you told me a pretty interesting

25:33

thing about like the fact that you can't

25:35

predict the future State yeah yeah one

25:38

of the neat things about like game and

25:40

life and and a lot of terrain machines

25:41

in general is that this thing will um

25:44

you you if you want to know what the

25:45

thousandth iteration is or the 10,000th

25:47

iteration of this there's no shortcut to

25:49

that from a from a kind of a

25:51

mathematical side you can't say tell me

25:53

I'm not going to actually run this thing

25:54

10,000 steps let me just run it two

25:56

times and then tell me what the answer

25:58

is is so like it's interesting in that

25:59

sense is you have to you really have to

26:01

run this thing to figure it out right um

26:04

and uh we could rerun it and see what

26:06

pattern we get you know sometimes you'll

26:08

get interesting patterns this one is

26:09

still running um since it's a random

26:11

pattern we could have been unlucky right

26:12

and had like the screen be black when we

26:14

turned this on but um you know but it

26:16

didn't it work Round of Applause for a

26:18

live demo please

26:25

great perfect yep go back

26:30

amazing so we have Game of Life in ebpf

26:33

which is really a good demonstration

26:35

that you can today do arbitrarily

26:38

complex tasks with

26:42

ebpf so those statements about things

26:45

like can you do layer sing protocol

26:48

passing in

26:49

ebpf absolutely it's possible doesn't

26:53

necessarily mean that all these things

26:55

have been implemented yet but it is

26:58

possible to do you know pretty much any

27:01

processing maybe not necessarily to do

27:03

the display part yet but the actual

27:05

computation part the processing part and

27:08

and I would say the key is there not yet

27:10

I mean I I think the really interesting

27:12

thing or one takeaway I think from this

27:13

talk is like you know there's a bunch of

27:15

folks in the kernel in the compiler

27:17

community and you know we're working to

27:18

make BPF better and make BPF improve BPF

27:22

so if you have a use case and if your

27:24

use case is graphics on GPU for your

27:26

cubec con talk come talk talk to me it

27:29

would be interesting you know like so

27:31

these things can be we can make them

27:32

happen right you know in 10 years ago

27:34

when we got started we had like this

27:36

very small scope and you know it just

27:37

keeps growing and growing the community

27:39

is getting bigger you know it's kind of

27:41

its own sub Community with ebpf but um

27:44

you know I I think definitely if you

27:46

have a use case and you think there's

27:48

value in it you going come talk to us

27:49

and we can we can figure out what it

27:51

what it takes to make it happen and I

27:53

think when we think about selum you know

27:55

selum is using ebpf for lot of network

27:59

based processing and you know our vision

28:02

is to push more and more of that

28:04

processing into the kernel so yeah

28:06

there's tons of networking related

28:08

processing happening in user space today

28:11

where I'm not going to tell you that you

28:12

know we're writing it and it's going to

28:13

be released next week that's not what

28:14

I'm trying to say but I'm trying to say

28:16

the vision is that more and more of this

28:19

processing will be happening in the

28:21

kernel yeah and I I mean I I would also

28:23

just say absolutely the same for I I

28:24

work on tetron mostly these days it's

28:26

the same thing early we started on

28:27

tetron a couple years back you know

28:29

there was missing features we added the

28:31

features and then you you figure out how

28:32

to bridge the gap in the interum but if

28:34

you look forward in two three years you

28:36

can see like all the cloud providers

28:38

will have that kernel all the uh

28:40

distributions will have that kernel and

28:41

you can start to use that functionality

28:43

right and that's I think um a really

28:45

powerful kind of kind of point of the

28:47

open source effort

28:50

here so I hope that's convinced you that

28:53

ebpf is well probably more powerful than

28:55

you

28:56

thought if you want to learn more about

28:58

ebpf we have uh some books that you can

29:01

download from is surveillent.com there's

29:03

also a ton of really great Labs on the

29:05

website there is the ebpf doio site

29:08

which has loads of information about

29:09

ebpf itself and lots of projects that

29:12

are being uh built using it uh we're

29:15

also doing uh well I'm going to be

29:17

signing some books at the I surveillant

29:18

booth at 1:00 today so if you want to

29:20

come around and pick up a copy of the

29:21

book then uh please say hello and with

29:25

that I hope you have a wonderful wrap po

29:28

to the end of your

29:30

keepon