 Thanks for joining this session. Today, we're going to be talking about eBPF programs and the way to simplify to monitor your system. And we're going to be talking about an open source project we have at Solotio called Bumblebee. Just a way to simplify your eBPF. So just a quick intro to the speaker today. My name is Adams. I'm a field engineer at Solotio. Basically, I've been dealing with API getways and service mesh for quite a while now. But we started looking to kind of a deeper layer now, even at Solotio. And we're operating way deeper layer. So instead of being at L7, where it's mainly application, now we're looking to the L3, L4, dealing with, for example, now, we try to deal with eBPF, seeing how we can leverage it to enhance monitoring, security, and so on. So it's pretty new to me. I'm still learning it. And it's very interesting, because that falls exactly where Bumblebee is. To simplify the way to provide the eBPF application to someone that is just getting up to speed in the technology. And with me, Jim Barton, I think he just went to get his laptop. He's a field engineer with me and the team. We pair work together. All right. So again, thanks for joining. OK, so quick intro to eBPF, what it is. eBPF stands for Extended Vehicle Packet Filter. I think everyone using TCP dump, for example, have been using the eBPF technology in the past. It's even based, basically, as a way to create some code that runs in the kernel, in kind of a sandboxed way, so secure manner. And we can interact with that code. We can interact either to get data or to provide features like security and so on. So the way we see it again, so you're going to create a code that will run in the kernel. That code will be tied to a hook, so an event. And then we're going to have a process that will interact with that code to read data and process it. And we're going to see that more into details later in the workshop. All right, so why eBPF? Why would you care about this? I was talking a little bit earlier what we do at Solo, and I mentioned that we've been historically dealing with L7 type systems where you have the gateway. A gateway can produce some monitoring stack, like metrics and so on, or security and so on. But that's a way to hide layer. So if you want a security system, you want to secure it in depth. I mean, by that is what matters first. In terms of security, obviously, if you want to secure a network to not talk to another, I think the first one is basically having these two networks not being connected to each other. So that's physical. That's the most secure. From there, I think the layer after that, in terms of security, let's say they're connected now, is to deal with lower levels in the model. For example, L3, L4, when you deal with TCP and network, you'll say, hey, so now we are segregating these two networks or these two services. They can't talk to each other. We block in the communication there. Because when it hits the L7 layer, so when it hits the application layer, it's sometimes pretty late. So it's more challenging to enforce strong security when it deals only with the top level L7 policies, which is, for example, HTTP. So yeah, why ABPF? It operates super low in the model. You can create code that goes directly in the kernel. So you have access data fast, operate fast, enhance security. I think one of the main advantages of ABPF is observability. So you have a program running in your kernel, listening to events, for example, network connections or file opens or things that are really low level and acts on that, either operate that to enforce a policy or capture that metric and transform it, send it to a program that can read it, and, for example, display metrics and so on. So observability, I think, that's one of the key features of ABPF and what we can do with it. And I talked a bit about the other features, mainly networking, allowing you to kind of use this technology to plug multiple systems or reroute or deal anything that comes to traffic itself. And when I talk about that, I can mention security as part of the same bundle, security, securing services to service communication, and so on at a way lower level. For example, I'm not allowing this group of IPs to talk to this group of IPs. So it's touching to networking plus security. And I think, I don't know if you guys are familiar with Cilium, for example. Cilium use ABPF for networking. That's a good example of use cases where we can use ABPF. All right, so the way how it works. As I mentioned earlier, there's a program, what we call a kernel program, that runs within the kernel. It's a code that would be listening on certain events and reacting, producing data. When this data is produced, it's put into a map. And then you're going to have what we call a user space program that this one will look into that map, read data from it, and do something. Either, I don't know, print it, format it into metrics, do anything you want. But basically, it's two-part system. You have one running in a kernel, producing the, that's the most important one, producing what you want. And there's another one, which is the user space program. That's the one that actually listen to the data and do something with it. All right, so now, if I'm going to write an ABPF program, what can I do today? There's multiple ways. I think, historically, the first one is BCC, right? So BPF Compile Collection. This one will allow you to create some code. I think it's easier to see this way. It allows you to create some code in C for what I call kernel programs. So the code that runs in the kernel is written in C. And then you're going to execute that code. You're going to embed it into a binding technology. For example, we can use Python. Where in Python, you're going to use your user program to execute the user part of it. So in the same Python script, you see the example here, you're going to have the user program, so the one that actually, the user space program, the one that's going to read data. And you can also have C, a kernel code, C embedded into your Python. And this is fine. It allows you to write your ABPF programs, though it has some drawbacks. And I think the main one is that it is actually compiled on the go. So every time you run that specific program, it's going to compile everything. So take some time there to run the system, to run the binary. So time plus, it is really dependent on the platform. So let's say you have, you're running it on a certain system. You can't guarantee that this binary or this code will work somewhere else. It's going to really tie to your environment. So yeah, not that great. OK, so let's think about what's a better solution there. A better solution would be to run what you call the BPF plus BPF query. Query stands for compile once, run everywhere. So it's more like if you look into just a bad comparison here, but you look at the go code, for example, it would probably compile once. You're going to create your program, compile once in a specific environment. It's going to be able to copy this somewhere else and it's going to still work. So it is a better way. It's better than the previous way, like with the VCC. LibBPF allows us to create the code only once, it's compiled once, so we don't have to compile every time. And you can transport it from environment to another. Though what you have to do here, you still have to create your user space program plus the kernel one, so both of them, right? You still need to create both of them. And that will work with any ABPF who always need to create both, but this here is better than VCC. And we're going to see an example of all this, and we're going to create multiple programs using the platform later on in the workshop. We're going to compare different technologies and see how it works. All right, now why Bumblebee? So we talked about VCC, we said it's all right. Now we talked about LibBPF, we said, hey, it's better. Now let's make it great. And to make it great, quite if I have a library or program or something that would help me to create an EBPF program, I would care only about the kernel code, so I'm not going to care about the user space code. I'm just going to just write what matters, and what matters is basically the code running in the kernel. And what if I want a tool that's packaged all that, so build it and package it and put it somewhere where I can be able to reuse, have a good user experience where I can be able to reuse my binaries. And that's actually what Bumblebee is trying to solve here. It's a tool that allows us to care only about the kernel code, so I'm going to create only the kernel code. Plus I'm going to be having a good user experience into building and compiling, building, and distributing my binary. And if you guys use Docker, I'm pretty sure everyone uses Docker here, it's kind of a similar experience. So you're going to create your code, then you're going to build it, and then you're going to package it into an OCI image, then you're going to be able to push it somewhere to a registry, and then you're going to be able to pull it when you need it on a specific environment. So we're going to do this later. So again, that's just what I said right now, focusing on kernel code first, not dealing much with the user space one and also all the user experience around it. So okay, let's get hands on here, let's start on this. I don't know if you guys were in the workshop yesterday, kind of the same thing, we will just, everything you guys need today, gonna be on a browser. So you need nothing else, you just need a browser, you're going to have to go on the specific link here and then gain access to your environment, and then we're going to do the same thing. I'm going to do the exact same instructions with you guys, okay, I'm going to do it here on, if you don't have any laptops, you're going to follow with me here on the screen. If you want to do it, just use your laptop right now and we're going to do it in the same time. I just want to mention that at the end of this workshop, we're offering a certification, okay? So if there is a quiz at the end, and if you pass 80% of the questions, you receive a badge that can be, you can link it to LinkedIn or it's basically a certification based on fundamentals to EBPF since we're gonna be creating some EBPF programs today. And I'm going to share the link to the quiz at the end of the session, okay? So again, please join this link here. I'm going to click on it to show you guys how it's going to look like and I'm pretty sure I'm going to do it into, let's say I'm going to do it in like a Cognito one, just to make it easier. All right, there you go. So what you guys are going to see is you're going to have to gain access to your class and you're going to see here, EBPF workshop loaded into my exclusives, right? And just click on the track and then click on start track, okay? So three steps there. First click on the link and then you're going to add it and then click on start track. Once you click here, well, because it's in Cognito, it's going to recapture me here, so I'm doing the exercise. Very good. And then we see that now, the environment is creating, right? It's going to take a couple of seconds to get probably a minute or two to get ready and after that I'll do the exam from here. So going back to my slides, just to go back and show you basically the certification. First thing, click on the link. You're going to have access to the workshop, just add it and then click on start track. Then you're going to be ready to follow with us. And then once ready, you're going to see like a green button in a corner saying that your environment is ready to start and then we're going to click on it and we're going to start our workshop. So again, the badge is going to be a fundamentals for EBPF, all the things needed is to pass with 80%. If you, you can always retake the test if you miss the first time, the only thing you have to create it will use a different email to retry the quiz and the badge will be issued in a couple of weeks, okay? So we're going to send that badge to a specific email in a couple of weeks. Alrighty, so there you go. I think we start here, we're good. We go to start. Link reduction to EBPF. So in this workshop, we're going to do three things. We're going to start by creating a BPF program using BCC, right? And then we're going to create a same program using libbpf. And at the end, we're going to use the same thing but creating the same program but using Bumblebee, okay? So first step, let's see how to create a BPF program using BCC. So to do this, we're going to go straight to the code. And as I mentioned earlier, when you create a BCC program, you're going to create your kernel code plus you're going to create a user space, user space program. If you guys have, yeah, all good? Sorry. Oh, okay, sorry. Oh, man, I didn't notice that. Sorry about that. All good? Let's go back to it. Maybe there's someone on the chat that missed it. Yeah. So where was the... Oh, man. I needed a coffee when I created this link. Yeah. All right, sorry about that. It's eBPF, but yeah, just click on that link, I guess. Queer with typo. Yeah, sorry about that. That's what we do when we multitask, right? Okay, going back to... So yeah, can you check in the chat? I don't know if you have access. I can do it. Just check if anyone needs help there. All right, well, you guys good now? Awesome, awesome. All right, so, again, let's try to create an eBPF program using VCC this time. So as I mentioned, to create one using VCC, you're gonna create everything in Python. Like you're gonna write in Python, you're gonna have the C code for the kernel. Sorry, I just ran it directly. But you're gonna write the C code in Python, and you're gonna have also the user program written in Python, right? So we're gonna show you guys this in a second. So let's see, start by that. So let's start here and take a look at an eBPF program using VCC. So what we do here is gonna see that we have some C code, which is starting from here, all the way, I don't know if it's too small. Yeah, but starting from around here, all the way down to, I don't know what's going on with my UI now. I'm gonna just refresh. Let's go back. You're gonna see that you have some C++ code, I'm sorry, some C code all the way down here. That's basically for our kernel code. That's the one, the program we were writing right now, just gonna grab any IP communication and print it, okay? So it's gonna be attached to basically a TCP for connect, and it's gonna print anything, like if there is any IP interaction, let's say you call out somewhere, or there is a service calling something, we're gonna print it, okay? That's the program we were writing right now. So to do this, we're gonna have to do two things. Mainly the first part would be creating what we call the kernel code, the kernel program, and that's in C, and that is tied to the TCP connection event, and then it's gonna put that address, it's gonna put that IP into a map, as I mentioned. Okay, I was like, maybe it's a question here. And then once the kernel code will grab that IP when detect there is a connection there, you're gonna put it in the map, and then you're gonna have the user program, that's one is in Python, gonna read that map and print it, and that basically what's happening here on the second part of the Python code here. We'll see that we are just looping on all everything in that map, and then we're gonna print it, okay? So again, kernel code will get the data, is listening to the event, grabbing the data, any connection, grabbing the IP, putting it in the map. The user program is connecting that specific map and fetching data there and just printing it, okay? That's basically how ABPF programs are. Now, let's try to do the same thing. So, okay, again, let's go back here and let's just run it. So again, if you run this Python three data, if you run the same Python code, we're just looking at here, we see that we are capturing all the IP communication here, okay? So source address to destination address what's happening in your system right now, okay? And you see this is really powerful. So now we can definitely monitor what's going on, all the interaction, IP interaction that you have within your same system. Now, let's try to do the same thing, but this time we're gonna try to do it using libbpf. All right, to do this, let's go to a specific folder and then we're just gonna copy all the code that we need. Again, as I mentioned earlier, the main difference between bcc and libbpf, in the bcc, what we did, we had Python that, you know, taking care of our user program code and we just embedded the C code for the kernel within the same Python script. In libbpf, everything is in C, both a user program and your kernel code, okay? So we're gonna see how this one worked. Now we copied everything, our example here, let's just do a make and test it out first. So we're gonna make our binary, I think also something I mentioned with libbpf, the binary you're gonna create, this one can be reused on other platform, okay? It's not only tied to a specific environment compared to the first code we did. Now that we have our binary, let's just run it. Okay, and we see basically it's kind of the same thing. We are capturing the traffic, we're capturing the source destination and, you know, the target destination and printing both IPs here, okay? It's kind of the exact same functionalities. If we take a look at how this one is implemented, you guys are gonna see that, let's look at the source code. I think we should focus on mainly, we should focus on mainly what we need here is defining, sorry, just messed up here. Let's talk about this here, right? So in your code, as I mentioned earlier, you always use a map to communicate between your current program and your user space program. And through that, you're gonna use a map and there's basically two main ways of doing it. Either you can use a hash map, which is basically a key value store, or you can use ring buffer, right? So basically it's just like a queue. So you're putting data in a certain queue and then we are fetching it on the other side. That basically, like what we're using right now, right? No, sorry, we're using a hash map here. But basically you're gonna define the structure of the data you're gonna send to your user program. All right, so once this one is defined, then we're gonna look into what are we doing and the other part important here is that we are tying our kernel code to a K-Prop TCPv4 connect. So again, as I mentioned earlier, when you create your kernel code in ABPF in the kernel, you tie it to a specific event, right? So this code is watching for something and reacting to it. In our use case here, we are listening to a TCPv4 connect, okay? So we are checking any communication going on and then processing this data and putting it in the map, kind of the exact same situation we have previously. Only difference here, both codes are in C. Okay, so now we saw the kernel code at this stage. We saw how we defined the structure of the data we need. Like we see here that we need a map and the data actually that you mentioned that, but the data you see that we are sending here that we're looking for, we're looking for, we know we're capturing this two field here. Basically that's what we are sending through our map. We are sending the address, the source address and the destination address, kind of, like if you're looking at, like if you're writing any code, like you're familiar with like definition of structures, you're gonna define like what kind of objects you wanna transport from like, through a map or through like a channel if you're doing go or something. So basically here we're defining that we need to capture, populate the source address and the destination address we're gonna define all this dimension and use it to put it through the map. All right, so that was the kernel code. Now let's take a look at the user space application. So as I mentioned earlier, once the data is processed on the kernel, now we need to connect to it and read it and do something with it, okay? And in this case, it's basically just going through the list. It's just going through the list and printing whatever it gets, right? We are going to connect to that map, capture the data and just print it. There's nothing magic here. Now the thing is, so the thing is that you need to be aware of here, there is no mainly difference, like at the end, the two, the BCC program and the Libbpia program are behaving exactly the same, though this time we create something more efficient. So we just, you know, we built it once, okay, we had to create our user, we had to create our user space program, but basically we just built it once and now we can reuse the same binary on a different environment, right? You can even like copy it to somewhere else and run the same thing, it's gonna always work. I mean, as long as you're running on kind of a new kernel. All right, so I hope you guys see at least the difference between BCC and Libbpia. Now, let's simplify this even a bit further. So let's try to make a simplified application. To do this, we're gonna use Bumblebee, okay? First, just a question here, are you guys on the same lab? Are you guys right here? Are you good? All right, awesome, okay. Okay, so we saw how to do an eBPF program. So at this stage, you guys can create eBPF programs, right? Right? All right, proud of you guys. Yeah, so let's say now, I'm kind of, you know, that's what I was like mentioning when I started talk. I think the beauty of Bumblebee, you're gonna see it now, it's still, I mean, it's still like, it's gonna still be C code and all that stuff, but it's kind of simplifying the way we create eBPF programs. I think that's the main goal of it, and we're trying to simplify things through technology. If we have to still deal with low-level libraries, it's gonna be complicated, though here, we still have to deal partially with some low-level libraries, but there's a lot of other toolings that can simplify our life. And that's the goal of Bumblebee. We see the complexity, let's try to reduce it, and I'm gonna solve it completely, but let's try to make it better. Okay, so let's install Bumblebee here. Okay, now we have Bumblebee installed. So if you run just B, sorry, too many E's. You should see it installed. So let's go and do B init. So B init will just create kind of a placeholder-type project within in your system and allow you to create your first eBPF program. So you do B init and then, okay, so which kind of language we wanna use today? Today we're just, we can only use C, but in the future we're looking to using Rust, too. So, okay, I wanna a C-based eBPF program. Now let's take a look on what we wanna do. Are we looking into doing network stuff? Are we looking into capturing data from the network, or are we looking more into kind of file system things? Are we looking to capturing who is opening certain files or so on? Okay, at this time, in this example, let's do a network point. Now, in term of what we wanna do, you know, I mentioned the map, like I mentioned the map that contains the data sent from the kernel code to the user space program. What kind of type, what type of map you want? At this stage, let's say I want a hash map, okay? So I don't want just a queue, I want a key value store. And now, the last one is basically how, so the data I'm gonna get from my kernel, the data I'm gonna get from my kernel program, what I wanna do with it? Am I gonna want it as a metric, like a counter, or wanna as a node, I want it just maybe to print it. And this is what we're gonna do right now. We're just gonna print the data coming from the kernel program, okay? And then, let's say we just want this into a file called probe.c. All right, now we good. Alrighty, so let's take a look at probe.c. Probe.c. And we can see that now, at this stage, it's kind of just a placeholder of what kind of data you're looking for, okay? In this case, you saw earlier, we define our structure of the data we're looking for, and here, we didn't define anything, right? The dimension is empty, so we didn't find any data we wanna process, but we're gonna do it later. And then, we're gonna define basically the configuration of the map that we need for transporting data from the kernel all the way to the user program. And at this stage, we are actually connecting basically just kind of a hailware example, but in this case, we are connecting to TCPv4 connect, okay? So because we said it's a network ABPF program we created right now, we are watching the event for any TCPv4 connects, right? Now, let's do something. Let's do a difference between, a diff between the previous, we do a, let's do a diff between how we do, create a user kernel program in just libpf, comparing that with how we do it in bumblebee. If we run it here, we're gonna see that the only difference, so basically, bumblebee behind the scene to use to create like a kernel programs, it's still using libpf, okay? So the only difference here is that we added like a way to say how we wanna process this specific data, okay? And we see here, like in the old, basically on the libpf one we did previously, we just use the map. This time, we're saying, okay, we want a map, but basically we want also a counter based on that, okay? And we'll see how useful is this in the future. All right, so now let's just get the code of the libpf we did previously, which is gonna get up the same one this time, just the kernel program one, okay? We're not gonna get the user program one, we're just gonna do the kernel program, copy it and just modify the specific line that's calls only that put data in map, we're gonna put maps.counter. All right, so let's copy this, now we have it, all right. So, okay, so at this stage, we have a libpf type program, so we have a bumblebee program only for the kernel program, we didn't write the user space one that actually reads the data, and the only thing we modified here is that on the map, we did map.counter, so we are gonna count the data. Now, we decide that as a counter metric. Now, why bumblebee is important here? How's it gonna make our life easier? At this stage, we'll see no difference, right? We just saw, we still wrote, we still have to write a libpf program on the kernel. Well, the good news is, you don't need to create the user space program, you don't have to write that anymore. So this is gonna be taken care of by bumblebee, right? So if we go back to the previous, I don't know if we can go back to the previous example, but if you guys remember the second example we had to create two C files, and this time we have to create only one, which is just the kernel one, only the one that matters, okay? All right, so let's do, and now let's show you also how we can simplify all the process using B. When I say B is like bumblebee actually, right? So let's do a B build here, and you guys see that I'm compiling my BPF program. So it's gonna compile the example I have here for TCP connects, taking some time, and then, all right, now it's compiled, okay? Now I have my BPF program ready. I didn't have to create a user space program, okay? That's a win, right? Now, okay, so I have it compiled, I have it in OCI image. I mentioned earlier it's kind of same Docker, kind of a Docker experience. Now that I have my program I can push it somewhere, right? I can push it in any OCI compliant registry, anything that can store for example a Docker image. So here locally you can start like a Docker image registry in your environment, and then we're gonna be able to push that program, okay? So now think about it. You have your BPF program created, you have it now in the registry that you can reuse, okay? All right, so now we have the program there. So let's now just run it. Okay, we're just gonna do be run and point to that specific, you know, build and look at that, okay? Basically, we didn't have to do much. We had to create obviously the kernel code one, but you see that we have a counter automatically included and you see the values here, how many communication we have between that specific address to that specific address. And we can, even if you go on the second terminal, you can try that, go on like terminal two and do like, let's say we do curl, sorry, curl, google.com, run that, go back to your terminal, you see have new addresses, okay? These ones aren't coming from any traffic operating on your system, okay? So think about the power here, what you can do. Now we create a BPF program that we push to a registry that we can deploy anywhere we want is actually printing really valuable data, okay? All right, everybody. So let's take a look at what we can do with other data we can use. Since B is running right now, like Bumblebee is running, it's actually also providing metrics, okay? We said that this is one of the most important things providing metrics easily. So if we do a curl slash metrics, pointing out on the port 1991, since our Bumblebee service is running, let's go to another terminal and just run this command here. You guys are gonna be able to see that we are getting a lot of metrics that we can be able to use. And we're gonna see that later, but you see the first one here on top, right? I don't know if you guys see it or I can just probably zoom in. But basically we got the data, we are getting the data from source and destination, like the data that we really need as a primate as metric, right? And this kind of component we already wrote, we can reuse it. I mean, within the same enterprise or company, people can reuse like ABPF programs without having to write them. They'll be able to run it somewhere that's gonna collect data from a specific, like let's take an example here. Let's say I'm part of a company and I'm maybe an Asari or maybe just a security guy. But the thing is, they're asking me to provide a way to monitor every single cluster, communities clusters to get all the data from the traffic going from a service to another. Okay, so what I'm gonna do, let's say I have like 50 clusters. The only thing, it's pretty straightforward what I can do here. I can build my BPF program, compile it, build it, push it into a registry, and then just deploy it on every single cluster. I can just have like a, for example, Argo CD or something like that, that deploys this BPF program everywhere. It's gonna collect data from everywhere and then I'm gonna be able to see a full graph or communication between all my services, okay? So let's put, actually, we've been seeing a lot of code now. Let's see a use case. Let's see how we can use BPF in one cool example. All right, so in the next lab, we're gonna put all this together and try to see the power of, actually the BPF program with Bumblebee. Are you guys excited? Are you guys ready? All right, so are you guys done at least? Are you guys at this stage here, or am I going too fast? Good, good, awesome, awesome, yeah, cool. All right, so too much code. Let's see the fun stuff. All right, we already wrote our BPF program. We already pushed it to a registries, already ready. You don't have to do anything. You're done with that part. Let's put it in a real use case here. So let's say I have a demo application, right? Let's say, in this case, we're gonna use the book info demo application. Let's say I wanna use that one. I'm gonna deploy it on my currentest cluster. There you go. This will create my demo application with couple services. If you do a QPSTL, good bud. You're gonna see some containers getting created. Okay, so the book info application just contains like four services. It has new Y, and you can see like, you can have, I think it has like a product page and reviews and details, ratings. Does anyone here use these two? No? Okay. It's basically the demo example that you use always, okay? All right. So I have a demo application running. Think about that as your application, right? Like whatever you're using internally. It's on communities today. Now, let's actually deploy Prometheus to collect all this data and put it in Prometheus. Oh, sorry, I need to click on the right things. All right, let's create a namespace for Prometheus, and then let's just install Prometheus. Do you guys use Prometheus here? All right, cool. All right, so the goal here is to collect metrics and put them, like all this data, all the connectivity data we saw in the previous lab, we're gonna put that into Prometheus and then leverage this data. All right, now Prometheus is installed. That's cool. Now let's install, actually deploy Bumblebee. So again, previously we mentioned that we can package the ABPF programs into an OCI image that can be in the registry. So now what we're gonna do is that we can deploy this ABPF program on our cluster. And to do that, we're gonna use a demon set, okay? And we're gonna make sure that we have at least one pod running on every single node in our Kubernetes cluster to collect this specific data. So just the demon set here, nothing crazy. And you can see here the only difference here. So we have Bumblebee running the, you know, just the Bumblebee Docker image. We have a package here, but the thing here, what matters is that we are pulling data from this OCI image that we pushed in the previous lab. You guys did B push to a registry, right? So that's the only thing we are doing. So we are running a Bumblebee container, but we are running actually this, the BPF program within the same pod. And then we're exposing everything through a port 1991. Now once I deploy this, this is done. So this will create a pod on every single node. And that pod will have our program that we created previously running, okay? And the metrics we saw gonna be exposed on a specific port. Now, the only thing we have to do is to configure, you know, Prometheus pod monitor in this case to look into this pod and, you know, collect data from it, collect all the metrics to send them to Prometheus. And we see that here, okay? All right, good. All right, so at this, okay, so at this stage here we have our demo application installed. We have our ABPF program running on every single node and we have Prometheus configured to listen to metrics on that specific pods. Now, the only thing we're gonna do is to run some traffic. All right, so here, just generating a traffic, imagine that's a customer playing with your environment or anything you want. So we are running traffic through multiple microservices, right, so going from a pod to another and we just need some data here. Now, so at this stage we have all our data in Prometheus. So the only thing I'm gonna do right now, actually one of my colleagues created this small program called key ABPF, it's just gonna look into Prometheus like for the data and then gonna format it in a graph. So that's the only thing that's happening right now. We're looking into Prometheus and then we're gonna collect all this data, show that as a graph. All right, there you go, we're gonna just create this system and here we are just deploying this pod key ABPF and it's looking into Prometheus, right? We're pointing it to Prometheus itself directly and that's all we need to do. This is running, this is cool. So let's see what's happening here. I don't know if you guys can see but this is what we just created, okay? So we have a Prometheus cluster of multiple nodes. We have Bumblebee installed on every single node, that's the one collecting the data and then we have our product page and details and reviews and ratings installed in our cluster. I don't know which nodes, basically it's just installed there and then we're running some traffic here to see what's going on, okay? And all this data from Bumblebee is pushed into Prometheus and then we have this KEBPF, it's just a server to process Prometheus data and show them in a certain way. So if you go to KEBPF, there you go. Look at this magic, really cool. All right, so you guys saw what happened here? So like the program we created earlier in the previous lab is producing data here. It's producing a really valuable data. We can see what's going on. We can see which service is calling which service. You see here, we can know that the traffic is originating from the product page, going to the reviews, going to details. All this data got captured by the BPF program we just created, okay? We deploy in our clusters and then how we collect them and how we process them to show some valuable data. And after you guys, I'm gonna be using like for example, Cilium, Cilium do something kind of similar with a project called Humble that will collect data and produce some sort of graph or some sort of charts, okay? So this is just a quick example of what you can do with the BPF. It's really powerful to get data directly from your notes, you can process them, you can display them this way, you can create policies to secure the traffic and so on. So I hope you guys saw the power here. That's basically the end of this workshop. I hope you guys saw what we can do with the BPF. It's a really powerful tool. I invite you guys to test Bumblebee locally. See maybe that's, maybe because I'm gonna find another use case for it. I'm gonna go back to the, I'm gonna go back to this. First thing I wanna mention basically what if you guys interested in all these technologies, right? Like a BPF, Cilium are interested into Istio, Envoy, we are hiring, we're going to company fast. You take a look there, always looking for talented people. Second thing, we are, we have a booth here at 25. You guys have any questions right now or after this talk, if you wanna just continue the conversation, please visit us there. It's gonna be always good to see you there. And lastly, I wanna just mention our badge for today. So if you go to, oh, this time I spelled it right, I guess. Yeah, so if you go to ABPF-exam or just scan the QR code, pretty small, but I don't know if you can do it, that will take you to a quiz and it's probably, like I think there's like a 15 questions on it. And if you answer them all correctly or more than 80%, we're gonna provide you a fundamental for a BPF badge. If you just wanna redo that specific exam, just use a different email and that'll totally be fine. All right, and about that, well thank you guys for listening to me. Those, hopefully that was some valuable information here. And the best thing we did in only one hour. At five p.m. in the afternoon, I guess you guys were done. If you guys didn't have any questions, I'll be here around. Hey. Yeah, so let's go back to data show here. Let's go back to it. So if you go back here, all right. So remember, Bumblebee was providing metrics directly on the server. Once it runs, it provides metrics on the port. I remember it was 991 when we can't figure it out, right? Primitives have a way to collect data and that through what they call a pod monitor, I think. Where is it? Did you look for it? Yeah, there you go. So basically, this CR here, right? We'll tell Prometheus to go and look for data from slash metrics on a specific port that we call, like for example, this time we're putting the port HTTP monitoring, okay? This CR here will configure Prometheus to aggregate data from any service, any pod basically labeled Bumblebee and that has a slash metrics on a port HTTP monitoring. We don't have to put specifically 991, just we need to label the port itself and that's gonna take care of the data collection. All right, any other questions? I'll line, okay. Yeah, don't mind me, sorry if I mispronounce anything. Yeah, go ahead. So Adam, you mentioned that the EBPF program you prepared would work on any other machine. Is it due, so would work, so yeah. Is it due to BTF? What code changes if any need to be made for an EBPF program to be portable? Oh, okay, good. All right, so mainly the portability part of it is based on two things. Like if we look just between BCC, right, and LibBPF, which let's take the comparison here because that's the main one that is allowing us to do portability. If we go back to, I'm not sure I have any program here running, well let's see if we can do that. Let's just give me a second. I'm gonna go back to the example. EBPF introduction, I'm gonna show you something here. So once you, if you create any BCC program you're dealing directly with binding methods that talk directly to the kernel, okay. Where if you do LibBPF, you have to use specific libraries, right, that kind of creating an abstraction there to allow the portability, okay. I'm gonna just try to find you an example here. It's gonna be easier to understand. Well, this is still the first example of BCC. But yeah, let's first start with BCC here. When you, yeah, when you do like, when you deal with like BCC code, you're gonna write directly, you know, you're gonna trigger BCC binding function directly. So in LibBPF, and let's be finding you this right now. Okay, let's be just finding you this. Well, maybe I can just do it here. Okay, oh yeah, maybe here. All right, there you go. Maybe I'm wrong, but okay, let's do this now. Okay, so every time you're dealing with, every time you're dealing with like, you're trying to do portability, the way you do it in LibBPF is to call this binding command, for example, this BPF core read into. This one will guarantee the portability across multiple kernels, because it's actually a binding on top. It is the one dealing with this, you know, building a binary for multiple kernels. It has this awareness because we're using an abstraction that's a framework on top of just direct code like in BCC. Okay, so that's the first part of the portability. The second part of the portability is once you create that, like once you create a LibBPF program, it's just running on Docker image, right? It's running on Docker image, and so the portability is gonna be there because even if you have another environment, it's still a Docker image running, okay? So that's how portability is assured. Hope I answered the question. Why do I get assertion error expected zero to be at least one? Okay, you got the same thing? Oh, okay, yeah, you just do, I think when you miss to do a B push, there's like this command Bombaby push basically. If you miss that specific command, I think I had the same previously. It's gonna say, you know, we have to be at least, yeah. Awesome. Well, thank you guys. Really, really, thank you for joining the session, and hope to see you soon, hope to see you on that. We offer a lot of, you know, this kind of same workshops. We provide them online, so if you join Solotio, you're gonna see we do that for Istio, we do that for like Istio, we have three, we have one which is fundamentals, one is like more advanced and one is expert, right? We do that for Envoy, we do that for like now for ABPF, so there's multiple certification you can have. So yeah, you're about to see you to see there. All right, thank you guys.