BumbleBee - a toolkit to simplify the creation and distribution of eBPF programs

Solo.io, a company that develops products for running cloud systems, microservices, isolated containers and serverless computing, has published BumbleBee, an open source toolkit aimed at simplifying the preparation, distribution and launch of eBPF programs. Such programs run in a special virtual machine inside the Linux kernel and can process network operations, control access and monitor systems. The code is written in Go and distributed under the Apache 2.0 license.

BumbleBee makes it possible to package an eBPF program as a container image in the OCI (Open Container Initiative) format, which can be run on any system without recompilation and without additional user-space components. BumbleBee takes over the interaction with the eBPF code in the kernel, including processing the data coming from the eBPF handler. It automatically exports this data as metrics, histograms or logs, which can be accessed, for example, with the curl utility. This approach lets the developer focus on writing eBPF code without being distracted by organizing interaction with that code from user space, building it and loading it into the kernel.

To manage eBPF programs, a Docker-style “bee” utility is offered, with which you can immediately download an eBPF handler of interest from an external repository and run it on the local system. The toolkit can generate a C code skeleton for eBPF handlers of a selected category (currently only handlers for network and file operations, which intercept calls to the network stack and file systems, are supported). Starting from the generated skeleton, the developer can quickly implement the functionality they need.

Unlike BCC (BPF Compiler Collection), BumbleBee does not completely rebuild the handler code for each version of the Linux kernel (BCC compiles on the fly with Clang every time the eBPF program is launched). To solve portability problems, the CO-RE and libbpf tools are being developed; they allow code to be built only once and loaded with a special universal loader that adapts the program to the current kernel and its BTF (BPF Type Format) types. BumbleBee is an add-on to libbpf and provides additional types for automatic interpretation and display of data located in the standard eBPF map structures RingBuffer and HashMap.

To build the final eBPF program and save it as an OCI image, just run the command “bee build file_with_code name:version”, and to run it, the command “bee run name:version”. By default, events received from the handler are output to the terminal window, but if necessary the data can be obtained by querying the network port bound to the handler with the curl or wget utilities. Handlers can be distributed through OCI-compatible repositories. For example, to run an external handler from the ghcr.io repository (GitHub Container Registry), you can run the command “bee run ghcr.io/solo-io/bumblebee/tcpconnect:$(bee version)”. To place a handler in a repository, the “bee push” command is provided, and to bind a version, “bee tag”.

Source: opennet.ru
