Loading...
Loading...
eBPF’s evolution into a versatile in-kernel VM is driving new tooling and edge-focused use cases. Gobee brings a Go-first workflow, letting developers write BPF programs in a safe subset of Go and transpiling to libbpf-compatible C objects with strong debuggability, CO-RE support, and typed userspace bindings. That ecosystem shift complements lightweight, practical eBPF applications like Cerberus, which uses in-kernel event capture and ML‑Lite analytics for resource-constrained edge gateways. Together with broader recognition of bytecode VMs’ role in safely extending kernel behavior and tooling, these trends underscore eBPF’s growing reach across languages, observability, and constrained deployments.
eBPF as an in-kernel VM and new language toolchains lower barriers for systems and cloud-native developers, enabling safer, portable, and debuggable kernel extensions. For tech professionals this opens practical paths to deploy observability, networking, and edge analytics on resource-constrained devices without heavy cloud dependencies.
Dossier last updated: 2026-05-26 06:07:51
KernelScript 0.1, an open-source language for eBPF development released under the Apache 2.0 license, aims to lower the high barrier of writing eBPF programs by generating C code, user-space programs, Makefiles and kernel integration from a single source file. The experimental 0.1 release supports common eBPF program types—XDP, TC, kprobes/uprobes tracing and perf-based counters—and exposes language-level abstractions for maps (hash, per-CPU arrays, LRU, fixed) to simplify state sharing with user-space and reduce libbpf boilerplate. It also provides features like automatic tail-call orchestration, transparent dynptr handling, program lifecycle checks, struct_ops and built-in kfunc integration. The project is marked experimental and may change APIs without backward-compatibility guarantees.
Gobee lets developers write eBPF programs in a safe subset of Go, transpiling them to readable BPF C, generating typed Go userspace bindings, sourcemaps for verifier errors, and kernel-version gating at load time. The project reuses clang’s mature backend (producing .bpf.o) instead of implementing a new compiler backend like Aya for Rust; it targets tighter Go-centered workflows where kernel and userspace live in one Go module. Gobee supports many program types (XDP, tracepoints, kprobes, uprobes, TC, LSM, etc.), 19 map types, and ~200 typed helper stubs from libbpf v1.5.0. It emphasizes debuggability, CO-RE via clang, and integration with existing Go tooling, positioning itself as an alternative to writing raw C or using other ecosystems.
An engineer built Cerberus, an edge-friendly anomaly detector for ARM gateways after cloud-native tools proved too heavy or network-dependent. Using eBPF, the system captures compact network metadata in-kernel and streams 208-byte events to userspace, avoiding payload copies and large agents. Cerberus applies “ML‑Lite” — lightweight, explainable analytics: 30‑second windowed feature vectors, baselines via median/MAD and EWMA, and online learning instead of neural nets — prioritizing low CPU/memory use and operator actionable insights (what changed). The design matters for industrial and remote edge deployments where connectivity, RAM, and GPUs are constrained.
Most people associate bytecode VMs with languages like Python or JavaScript, but Patrick Dubroy highlights several surprising places they appear — and why it matters. He traces eBPF’s evolution from a simple packet filter to a full in-kernel register-based VM with JIT and rich APIs for hooking subsystems, enabling fast, safe, extensible kernel logic. He also covers DWARF expressions, a stack-based bytecode used by debuggers (GDB/LLDB) to compute variable values across optimizations, and GDB agent expressions that run on remote targets. These embedded VMs let complex logic be expressed compactly, safely sandboxed, and efficiently JIT-compiled, which has major implications for observability, performance, and extensibility in system tooling and OS kernels.