API gateway and service mesh company Solo.io started the year with the open source BumbleBee, a project to help build eBPF programs.
eBPF is short for Extended Berkeley Packet Filter, a technology for running sandboxed programs in an operating system (Linux) kernel without loading kernel modules or modifying kernel source code. In recent years, eBPF has also gained traction in the container space for observability, security, and networking projects, primarily due to a number of security mechanisms and for performance reasons. Popular eBPF projects include the Cilium network connectivity tool and the BCC kernel tracing kit.
eBPF programs can hook into various kernel functionality such as file operations or network communication and serve as a sort of event handler, making them a good choice for use cases where a glimpse system processes is required. BumbleBee is intended to aid in the creation and distribution of eBPF programs through the automatic generation of userspace components and wizards for building and storing programs as OCI images.
According to Idit Levine, Founder of Solo.io, BumbleBee was developed to address recurring challenges when using eBPF to improve enterprise service mesh. She also describes it as bringing “a docker-like experience to automate critical steps” to the eBPF programming process.
Users interested in the tool can install BumbleBee via an installer script, go or get the Apache-2 licensed code from the Releases section of the project’s GitHub repository. For help creating a new eBPF program, they should then run the
bee init order. BumbleBee will then ask some questions regarding the type of program it is supposed to code for and come up with a template for it in a next step.
The project currently only supports writing code in C, although Rust is also planned to be added. The choice of possible programs is currently limited to network- or filesystem-based programs, with users being able to choose between ring buffers and hash maps for communication between userspace and space. core. By default, output can be emitted as text/logs (print output type) or counter and gauge type metrics. Future releases may also see the addition of histograms.
After the initialization process is complete, developers get a base code scaffold (nicely commented) to which they can add the code needed to implement the desired kernel functionality. The result can be turned into an OCI packaged image for sharing by running the
bee build command, which can then be tagged and pushed to a registry with
bee tag and
bee push – similar to Docker. Running an eBPF program also follows Docker syntax, which means a
bee run followed by the name of the generated probe will allow you to check if the newly created code does what it should.
Additional resources for the BumbleBee project can be found in the deposit.