eBPF
At the core of Pulsar is eBPF (enhanced Berkeley Packet Filter) technology. eBPF is the state of the art in Linux kernel tracing and instrumentation. An eBPF virtual machine is a virtual machine capable of running "BPF programs" inside the Linux kernel.
eBPF Technology
eBPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring changes to the kernel source code or the loading of additional kernel modules.
While being a relatively new technology, eBPF is already used to drive solutions in a wide variety of areas, most notably:
- Providing high-performance networking and load-balancing in modern data centers and cloud native environments;
- Extracting fine-grained security observability data with little overhead;
- Helping application developers trace applications;
- Providing insights for performance troubleshooting;
- Preventive application and container runtime security enforcement.
This is not an exhaustive list. The possibilities brought by eBPF are endless as more use-cases are unlocked and shared.
Advantages
The reasons for running a full VM inside the kernel revolve around convenience and safety. While all operations done by eBPF programs can be handled via standard kernel modules, direct kernel programming is a really dangerous endeavour: it can cause lock-ups, memory corruption, process crashes, security vulnerabilities and other unwanted effects, especially on production devices (eBPF is very often used to inspect systems in production). Running native-fast JIT-compiled kernel code via a safe VM therefore becomes valuable for security monitoring and sandboxing, network filtering, program tracing, profiling, debugging and so on.