
  • Hey everyone, on today's Brightboard lesson, we'll be talking about eBPF, originally known as the Extended Berkeley Packet Filter. eBPF is an exciting technology that can run programs inside the Linux kernel.

  • The industry is really excited about the possibilities with this, and there have been projects around observability and traffic management that have proven how powerful this functionality is.

  • So let's get into how this technology works.

  • So let's draw a server from an operating system perspective.

  • I'm going to break it up into logical layers.

  • And I'm going to start with the kernel layer.

  • So that's this layer in the middle here.

  • And this is the core of an operating system, and it goes in between the other layers.

  • Then I'm going to draw a physical layer down here.

  • And this represents all of the physical aspects of the server.

  • So there could be things like the network, and the storage, and the memory down here.

  • Now the kernel, it knows how to address all of these physical components of the server.

  • And then a layer above that is going to be the user layer.

  • This is the layer where applications are installed and run.

  • And these applications need to have universal ability to talk to the server components to do what they need to do.

  • Now an application doesn't want to know how to talk to every single type of network interface card that exists out there.

  • So it just has to worry about talking to the kernel.

  • And then the kernel can worry about the communications from there.

  • Now this communication happens as events, and eBPF is event-driven.

  • Inside of the kernel, there are events that can happen when a system call is made in between the kernel and user land. eBPF functions can then be triggered at the time of an event in order to do something.

  • Now the kernel is meant to be very stable as a lot of things rely on it, and it needs to be rock solid.

  • And so one reason why eBPF is so exciting is that it provides extensibility at a layer where normally it would be quite difficult to implement.

  • Normally this would require kernel modules to extend functionality.

  • Kernel modules are difficult to maintain because there are changes with each kernel revision that can often break compatibility.

  • And depending on your risk tolerance, you may not even want to do this in production in case there are bugs in the kernel module that you want to install.

  • With eBPF, you can isolate the risk and extend kernel functionality safely.

  • You also don't have to restart the kernel in order to deploy or undeploy eBPF applications.

  • Another reason why this is exciting is because of the performance advantages.

  • Because eBPF runs at the logical junction in between the kernel and hardware devices, it's able to make decisions early when receiving inputs from those devices.

  • This makes it much more performant while observing traffic.

  • You can implement hooks into almost any device the kernel is managing, such as memory and networking and storage.

  • And all of these hook points will be able to have links back to programs running in user space if needed.

  • So let's talk about the use cases we're seeing with this technology.

  • Some of the main use cases the industry is excited about are network filtering, observability, and security policies.

  • Network filtering: eBPF can enforce simple to complex rules very early in the receive path.

  • This is done very efficiently and tailored to specific processes, network namespaces, or application types.

  • And this filter can also do egress filtering for the use cases of loss prevention or content filtering.

  • Observability: So I'm just going to draw a couple of magnifying glasses here.

  • And I'm also going to draw this, which is a representation of a process tree.

  • And so eBPF can see traffic from any device on the server and the behavior of any process in the process tree.

  • And so as applications get broken down into microservices, I'm going to represent those with these boxes here.

  • It's increasingly difficult to bolt on observability in the user land.

  • And using eBPF allows user space processes such as system monitors, process visualizers, and tracing tools to have a kernel space point of view.

  • This is an alternative to service meshes, which implement distributed tracing using sidecar proxies, which each add some performance burden.

  • Instead, performing this at the kernel level has already proven to be advantageous for performance.

  • Another use case comes around security.

  • So now that you have all this information, you've identified devices and process flows and you have observability to detect anomalous behavior, you can combine that to trigger policies and you can use eBPF to enforce those policies by asking the kernel to kill processes or you can restrict certain behaviors directly, or you can filter network traffic to and from the device itself. eBPF opens up a number of possibilities that were previously difficult to scale at the same pace of application modernization.

  • Solutions that take advantage of eBPF will be able to provide a high degree of functionality without the challenges of performance degradation and kernel stability.

  • So thanks for checking out this Brightboard lesson.

  • Hit like if you enjoyed this content, leave a comment down below if you have any questions.

  • Hit subscribe if you want to see more of these and I will see you on the next one.
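
The lesson's network-filtering use case (rules enforced "very early in the receive path") and its point that eBPF isolates the risk of running code in the kernel, shown together in an added example that is not part of the Brightboard lesson. It is the pass/drop decision of a minimal XDP ingress filter: the parsing logic is ordinary C so it builds and runs on a normal host, and the kernel-side hook at the bottom is only compiled with `clang -target bpf`. The policy (drop inbound UDP datagrams to port 1900), the function names, the hand-written header structs and the constructed test frames are all assumptions made for this example; the one thing to take from it is that every header read is bounds-checked against `data_end` first, because the in-kernel verifier refuses to load a program that could read past the packet, which is what lets the kernel run an untrusted filter without staking its own stability on it.

```c
/* Added example (not from the Brightboard lesson): pass/drop logic of a
 * minimal XDP ingress filter. Policy, names and header layouts are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifdef __BPF__
#include <linux/bpf.h>          /* enum xdp_action, struct xdp_md */
#include <bpf/bpf_helpers.h>    /* SEC() */
#else
/* XDP action values as the kernel's enum xdp_action defines them, declared
 * locally so the host build needs no kernel headers. */
#define XDP_DROP 1
#define XDP_PASS 2
#endif

#define ETHERTYPE_IPV4   0x0800
#define IPPROTO_UDP_NUM  17
#define BLOCKED_UDP_PORT 1900   /* constructed policy: drop inbound UDP/1900 (SSDP) */

/* Minimal packed header layouts: Ethernet II, IPv4 (fixed part), UDP. */
struct eth_hdr  { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ipv4_hdr { uint8_t ver_ihl, tos; uint16_t tot_len, id, frag_off;
                  uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));
struct udp_hdr  { uint16_t sport, dport, len, check; } __attribute__((packed));

/* Read a 16-bit field as it sits in the packet (big-endian), whatever the host order. */
static inline uint16_t be16(uint16_t raw)
{
    const uint8_t *b = (const uint8_t *)&raw;
    return (uint16_t)((b[0] << 8) | b[1]);
}

/* Decide what to do with one frame. Every header is bounds-checked against
 * data_end before it is read; the in-kernel verifier rejects a program that
 * could read past the packet, so these checks are mandatory, not optional. */
static inline int classify_frame(const void *data, const void *data_end)
{
    const struct eth_hdr *eth = data;
    if ((const void *)(eth + 1) > data_end) return XDP_PASS;   /* runt frame: leave to the stack */
    if (be16(eth->proto) != ETHERTYPE_IPV4) return XDP_PASS;

    const struct ipv4_hdr *ip = (const void *)(eth + 1);
    if ((const void *)(ip + 1) > data_end) return XDP_PASS;
    if ((ip->ver_ihl >> 4) != 4) return XDP_PASS;
    size_t ihl = (size_t)(ip->ver_ihl & 0x0f) * 4;              /* 20..60 bytes when valid */
    if (ihl < sizeof *ip) return XDP_PASS;                      /* malformed IHL: not this filter's job */
    if (ip->protocol != IPPROTO_UDP_NUM) return XDP_PASS;

    const struct udp_hdr *udp = (const void *)((const uint8_t *)ip + ihl);
    if ((const void *)(udp + 1) > data_end) return XDP_PASS;    /* options ran past the packet */
    return be16(udp->dport) == BLOCKED_UDP_PORT ? XDP_DROP : XDP_PASS;
}

#ifndef __BPF__
#include <stdio.h>

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Host-side helper: build a constructed 42-byte Ethernet/IPv4/L4 frame
 * (IHL 5, 8-byte L4 header) with the given IP protocol and destination port. */
size_t build_frame(uint8_t *buf, size_t cap, uint8_t proto, uint16_t dport)
{
    const size_t len = sizeof(struct eth_hdr) + sizeof(struct ipv4_hdr) + sizeof(struct udp_hdr);
    if (cap < len) return 0;
    memset(buf, 0, len);
    put_be16(buf + 12, ETHERTYPE_IPV4);         /* EtherType */
    buf[14] = 0x45;                             /* IPv4, IHL = 5 */
    put_be16(buf + 16, (uint16_t)(len - 14));   /* IP total length */
    buf[14 + 8] = 64;                           /* TTL */
    buf[14 + 9] = proto;                        /* L4 protocol */
    put_be16(buf + 34 + 2, dport);              /* destination port */
    put_be16(buf + 34 + 4, 8);                  /* UDP length */
    return len;
}

/* Build a constructed frame and classify it; visible > 0 truncates the frame
 * to that many bytes to mimic a short packet arriving at the hook. */
int decide_constructed(uint8_t proto, uint16_t dport, size_t visible)
{
    uint8_t frame[64];
    size_t n = build_frame(frame, sizeof frame, proto, dport);
    if (visible && visible < n) n = visible;
    return classify_frame(frame, frame + n);
}

int main(void)
{
    printf("UDP/%d -> %s\n", BLOCKED_UDP_PORT,
           decide_constructed(IPPROTO_UDP_NUM, BLOCKED_UDP_PORT, 0) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    printf("UDP/53   -> %s\n",
           decide_constructed(IPPROTO_UDP_NUM, 53, 0) == XDP_DROP ? "XDP_DROP" : "XDP_PASS");
    return 0;
}
#else
/* Kernel-side hook: the driver calls this for every received frame before an
 * skb is allocated, which is the "early in the receive path" point the lesson
 * describes. ctx->data / data_end are rewritten to real pointers by the verifier. */
SEC("xdp")
int xdp_drop_blocked_udp(struct xdp_md *ctx)
{
    return classify_frame((void *)(long)ctx->data, (void *)(long)ctx->data_end);
}
char _license[] SEC("license") = "GPL";
#endif
```

The truncated-frame cases fall through to `XDP_PASS` on purpose: a filter that cannot see the header it needs should hand the frame to the normal stack rather than guess, and the verifier would have rejected a version that read the missing bytes anyway. Anything the filter drops never costs the kernel an skb allocation, which is where the performance advantage the lesson mentions comes from.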
