The eBPF program is loaded into the kernel. I'm sorry, I'm not sure what happens. Sorry about it. It's OK. OK. Yeah, so the eBPF programs are loaded into the kernel, but you are not the one who sees what's happening, right? As a user, you typically would run a user space program that tells you what's going on with your eBPF program in terms of maybe you pass some parameters to your user space program. Then the user space program kind of displays some data for you. For example, based on maybe TCP dumpers example, or maybe based on a TCP connector, or maybe based on out-of-memory events. So the user space program essentially tells the Linux kernel, hey, go ahead, load my other eBPF program or somebody else's eBPF program. If I can trust and load it and attach it to the right event. So essentially, you can write the eBPF user space program in any language that has libraries to allow you to easily load the eBPF programs. These days, most common way is load through the eBPF. The caveat, though, is not all the programming language that you have API to or libraries to allow you to invoke the eBPF. So most common are using C or Rust or using Python. Actually, most common are using C and Rust. Now, let's talk about BCC. It's actually overwhelming when I first started any eBPF programs using BCC. BCC is a popular toolkit to get started with the eBPF for learning purposes. It really provides many, many samples. And it has all these examples, a compiler collection for you to use. But one thing I find issues with BCC as part of my learning is the user space program is written in Python. And as part of the user space program, you would have the kernel program written in C. So which means it's really odd if you look at this line here at the end, right? So that, if I believe, is your eBPF program. And then on top of that, you also have your user space program also in this here, like print out something, display all that, passing some parameters all in Python.
So it's an interesting environment to operate. And everything is actually compiled at runtime. So even though you saw this Python program, you know you have Python compiler on your machine, it's actually most likely it's not going to work. It needs to require the system to run eBPF program, must have the kernel header installed. It needs a particular version or above of Linux kernel. And they use a lot of the significant resources during starting because it needs to compile and then run. So one thing I find out, I'm a Mac user. And I had to actually find out what is the right way to run my first hello world BCC sample. It actually took me quite a while to find out. So this is back to my point about the runtime environment. The headers, the right kernel version, it all needs to be in place before you can actually execute your simple eBPF program. So with that, the industry innovated on libbpf and CO-RE, which is compile once and run everywhere. How many of you are using Java or Golang today? I'm sure you appreciate the fact that somebody else compiled it for you. You could just grab and run it, right? So that's this libbpf and the BPF CO-RE. It's really essentially for you for eBPF programs. So with libbpf, you can write both the kernel and the user space program in C, and then you can compile them in advance. Then you can execute them on any of the system as long as it has the recent kernel version, because it needs to have the right kernel version. I believe it's 5.4, 5.5 that has BPF enabled so that you can run your eBPF program that's loaded through libbpf. So let's go through how it works writing a simple eBPF program. So as you can see, we have an eBPF program that's written in C. That's a simple source code. We essentially said if it's the enter into the TCP connector events, we're going to execute this method. And if it's the exit into the TCP connector events, we're going to execute this method.
And then you can use your compiler, which in this case is Clang, to compile your eBPF code, which generates the bytecode we mentioned earlier, that is the bpf.o, which is the executable linkable format ELF file with eBPF bytecode. Now when you run the eBPF program, that's when you need the user space as a user to interact with it. So you typically have a loader that's part of your user space that loads the bytecode. We talked about earlier from the compiler. And then you create the map from the user space. And then your kernel program typically also interacts with the map. And the user space loads the BPF program and then attach it to the right hook point. In our example is tcp_v4_connect. And as the events of tcp_v4_connect happens on your Linux system, it triggers the events where your eBPF program would act on the event at the entry or exit. And then the eBPF program can update the map accordingly to whichever data that's interest to you. And then finally, your user space program can read the map and then display whatever is important to your user. So now this triggers a question. This user space, kernel space, what if we could only write the kernel programs? We don't have to worry about the user space. This is exactly what Bumblebee is. Bumblebee is an open source project. In fact, we are taking the Bumblebee to CNCF as a sandbox project. It's pending approval. So Bumblebee is designed to help you easily build your eBPF program, to publish your eBPF program to OCI registry, to actually run your eBPF program or somebody else's eBPF program just by using or what wronger. So if you scan that QR code, that would take you to bumblebee.io. So with Bumblebee, you can focus on writing your eBPF code. And then Bumblebee take care of the user space program for you automatically. And on top of that, Bumblebee also exposes your data as metrics and logs so you can plug into your Prometheus, for example. Bumblebee also provide the libbpf-compatible BPF code.
So we only support the newer Linux kernel. That's based on the BPF 5.4, 5.5. Then you can use the push, build, run, the whole lifecycle with OCI compliance registry, like Google registry, GitHub registry. So let's talk about how Bumblebee works. So first, we provide a pre-build, containerized build environment, which is this builder. For example, this builder images in the GitHub registry, container registry. Well, in this image, we would have the LLVM Clang compiler. We also have the common BPF headers for you. When you need to build your eBPF program, you can leverage our builder using build command. And it would build your eBPF program into an eBPF image so that you can take that images, plug into your common GitHub pipeline to interact with image registry. So we would build the eBPF .c into the ELF file, the bytecode file we talked about earlier, and then package it into an image which you can push to whichever registry that supports OCI images. When you distribute your images with Bumblebee, by the way, Bumblebee recently support Cosign now. So you can push your images to OCI registry using bee push command. And then you can also pull somebody out. You can run using bee run. So that could be the image locally on your machine, or it could be images from a public image from a GitHub registry, or Google registry, or any other OCI registry that are out there from somebody else that you trust. And then you can run it on your machine. So essentially, how does the running with Bumblebee works? So when you specify bee run command with the image, we're going to read the BPF program from the image. That's the bytecode we talked about. So we're going to load that. We're going to create a map. And we're going to attach it to the right hook point so that your program will be loaded into the kernel. And you also have the map in there. And the user space program would display the data from the map for you.
So when you run with the Bumblebee, we on top of all that, we also output the data and emit the metrics for you so you can well up with your popular metrics program like Prometheus. So with that, we talk about five minutes. So we're going to do a demo. Hopefully that's the most interesting part of the talk. Can you guys see my screen? Good. OK, let me maximize it. So yeah, so I basically developed this demo for the conference. We're using a platform called Instruqt, which it's a really nice platform. I really like it. So actually, sorry, this is not the right program. I'm sorry. I actually have another talk tomorrow. So this is the program for the other talk. So let me find out the right program first. It needs to say five minutes in there, which that one didn't. OK, this is the right one. Sorry about that. All right, so let me go ahead and restart this. So what this is going to do, right? So I'm running this in my cloud. I could run it in my VM, but my VM could have some issue. It's just so much easy. If I'm presenting from somebody else's machine, it can run in the cloud. So what this does is it's provisioning a virtual machine in the cloud. That's close to me, and it's trying to set up the environment for the demo for me. With that, we're going to try to develop a really hello world, very simple eBPF program in five minutes, hopefully. And then we'll also pull down somebody else's program and then try to run it. So let's see how the environment stood up. But typically, the environment does take a minute. So I should pre-start everything. But I want to take a part, see if anyone have any questions, where we stand up the environment. All right, we have a question in the room, I guess for the online people. Yeah, if you speak on the microphone, they can hear too. That's a great question. eBPF and WebAssembly, I know WebAssembly supports C as a language, right? It supports lots of languages, yes. Yes, I'm curious.
I don't think that's something we looked at at the moment. But as a company, we're very interested in WebAssembly also. What's your specific use case as far as WebAssembly and eBPF? Maybe we should connect offline. I don't know, I'll tell you later. Yeah, because that's a really interesting thought. All right, my environment is up, I guess, one minute is right. So on the right side, I do have a 15 minutes timer. So can you guys see it? Is it too small? OK, I'm getting a little bit of error. I'm not sure what that is, but I'll continue. So the first thing we're going to do is the font size, OK? All right, the first thing we're going to do is download Bumblebee. I did target 15, just in case I go over five. But I'll try. Oh, right, I guess it's not a great environment today. Let's see. Let's see what's going on. Doesn't look too good. Let's see again. I'm not sure what's going on. Let me actually kill this rib spin. It doesn't look a good environment to me. I did retry it. Let me actually stop this and restart. Sorry about that. It might be a bad environment that was connected to my other thing, because it was showing a program that was from my other track. Hopefully it would come up live. So just really quickly, what we are going to show is, if you search get started with eBPF and Bumblebee, I actually wrote a blog about this on what I'm going to show you, that simple program. So the steps are all here. What I did differently is actually trying to show you in a live demo environment. In the meanwhile, I'm actually going to start my VM. So I'm sorry about that. Do a Vagrant VM. We'll do that. So it starts. Hopefully this time it didn't give me an error. All right. It looks better. Fingers crossed. In the meanwhile, let me check if my, OK. I think it looks better. So the first thing we're going to do, what is that? OK. Yeah. So the first thing we are going to do, it's the same error. So unfortunate. With that, I'm going to count them on my VM. Flash. Yeah.
So should I just type bash? As such? No, no, no. It's probably your graduation. Oh, thank you. Wow. You guys are awesome. Wee! Oh, who was that? Maybe I should have met you for at least something. All right. Thank you so much. I was just going to stand up my VM. All right. It looks like it's downloading. Let me check on my Wi-Fi. Should I use hotspot? Do you guys have Wi-Fi issues on function? They couldn't provide me a network cable here. Do you guys have Wi-Fi issues? Yeah, I did connect that. Maybe I'll try hotspot if the Wi-Fi is too slow. Let me open my hotspot. Sorry, this is the second challenge today. Personal hotspot. Sorry, five minutes is turned out to be a lot longer. Sorry about that, as everything is. OK, it's running. Oh, right. So I'll try my hotspot, see if it's better. Who knows? All right. So we have this now. And we can use bee init to create what? I think it's the network now. Yeah, I'm pretty sure. So let me refresh it, see if it actually get back to it. Yeah, hopefully my hotspot is actually have better than the Wi-Fi here. Yeah, it looks like my VM is up too. All right. I have a backup environment. All right, so let's see if bee is working here now. Let's type the bee command. Yeah, it looks like I have to load it again. To do bash. Sorry, my hotspot is also very slow. All right, we're downloading here again. And now we're doing bee init command. It's going to ask you, what languages do you want to use for your eBPF program? Currently, we only support C, but we are planning to add Rust into it. For simplicity, we're going to take the defaults. And we're going to initialize with our network program with type of map is ring buffer. As you can see, we also support hash map. And what type of output we would like, we would just want to print something like hello world. And with that, we will go ahead and put our file locations. So that saves our skeleton BPF program hello world. With that, I'm going to open up the program.
Sorry, it's just very slow, the Wi-Fi. Sorry, as you can see, it's typed multiple things. So what we're going to do is open up this program. As you can see, the skeleton program is very simple. It has the vmlinux. These are the headers provided by bee. It also have a license, which you can change it, if necessary. And the first thing we want to do is add the ring buffer struct data in the event. In this event struct. So what we want to do is add some messages. Sorry, you can see I'm moving very slow. It's not because I am very slow. It's just the network is very slow. So what we want to do is we want to add, let me see, copy paste this faster than me typing. Yeah, so let me format it a little bit. So what we want to do is add a PID, which is the process ID. Whenever the process related to any of the events we are hooking to, and we want to add a message. So we said we're going to do a network events. And we want to add a message. I put 30 as the character length, because I'm thinking about hello world open source summit, which is about 25 characters. So that's the first thing we're doing. The second thing we are going to do is we're going to scroll down to the tcp_v4_connect. That's the network event we are targeting here. So what we are going to do is we are going to uncomment. I'm going to try. I think it's back. What we're going to do is on right. I only have a few minutes. Let's see if I can pull this together. So the second thing we are going to do is uncomment this line. And then the third thing we are going to do is write this hello messages into this program. So we added, sorry, just a little bit slow. Try not type. So the third thing we're going to do is we add a simple thing called a hello open source summit. And I wanted to add it right before we submit to the event. So I'm just trying to move my cursor right to here. All right. Yes, see if we can add it. And then let's format it slightly. Then we should be good to go to save it.
So let's go ahead, save it. Thank you so much for bearing with me. Live demo is hard. That's one thing I learned for sure. OK, so now what we are doing is we're using the build program. We talk about we can build the eBPF program. And we can compile it to the bytecode. And we can actually generate OCI images. So in this case, we'll name the images simply as hello v1. So the images is there on my local environment. So I can list the images. As you can see, you can also see my Linux version 5.11. And to run bee, we're going to give a little bit of privilege to the bee program. Because a lot of Linux eBPF program does require some special privilege. In our case, we need to give, because it's a networking event, so we need to give a little bit of privilege just related to networking events. And look, that's my hello messages. And I'm already have TCP connect because this is a VM in the cloud. Thank you. I know I did more than five. But on the ideal network scenario, I might be able to do five. In fact, that's all five in my practice runs. All right, so if you do curl, you can see more. I guess it's closed, so I'm not going to try that. So let me get out of here. One other thing I want to show quickly with the next few minutes is you can also, oh, I already have my Docker registry. So you can push the image to a local registry. So I already have a local registry because when I try to run my registry, it failed because it's already running. And you can also use somebody else's image. So I'm pulling out this images on GitHub. So look, it's actually giving me more data. I believe it's also TCP connect, but this one has a counter. It counts source and destination address. So if you have somebody you can trust, then you can run them program easily. I guess I'm pretty much out of time. So I want you, if you guys are interested in this demo, follow my blog. We're also showing a workshop, I believe on Thursday about eBPF. So feel free to sign up for our other sessions from Solo.
Questions from the audience. Wow, thank you. Well, thank you everyone for bearing with me. I apologize for all the technical difficulties. It never happened when I rehearsed all these. When you did that setcap command, reverse security consequences to letting anyone on the system use the bee binary then, should that be like locked down to only let a certain group run? Yeah, that's a good question. I think it should because especially it requires certain privileges, right? Cause you have to give, like I think I gave a couple of special high privileges to whoever runs the bee run command. So you would require that, yeah. So typically you could, I think a common way to use this is you run bee run and then you emit metrics, which I didn't get to show by the way, and then you can have your user maybe view the data on the dashboard. I think that would be a very interesting way to leverage this. Yeah, good question. You have another question? So I think bee makes it very convenient clearly too. It's like running Docker and equivalent here. But does it support like some advanced features like tail call or chaining that might be there? Do you have that in there? Did you ask a day call or chaining? Tail calls, tail calls or chaining of eBPF, like if you wanna run multiple eBPF programs. Oh, I see, yeah, yeah, yeah, that's a great question. Yeah, I think currently not, we could look into that, add into the roadmap. So far it's more focusing on enable users to run eBPF programs with easy to display power, you know, save them writing their own user space code. But chaining is actually a little bit more complicated, yeah. Yeah, I think it's on the roadmap, that would be great. Yeah, we can look into that if that's something super interesting. In fact, we are relying on the community to help us shape the roadmap of Bumblebee.
Hey, I understand how packet filter is kind of in the name, but I was curious if you know of any clever novel usages of the technology for non-network domains, if it helps on coming from Intel here. So I'm more focused on hardware in general. Yeah, so one of the companies we looked recently is Pixie. They provide really interesting observabilities leveraging eBPF. So the industry is going to the thoughts of, okay, you can run microservices, you can run Envoy proxy, you know, in an Istio or service mesh environment to collect your telemetry data. What if I don't want to run the proxy, right? What if I want to just use the eBPF to collect telemetry data?