eBPF Technology and Its Application in Didi's Cloud-Native Observability: HuaTuo Platform Practice

eBPF is a safe, high‑performance Linux kernel extension mechanism that evolved from the 1993 Berkeley Packet Filter to modern dynamic tracing. It underpins Didi’s HuaTuo platform, which consolidates bytecode management, fast data processing, stability self‑healing, and container insight to solve traffic replay, topology, security, and root‑cause analysis challenges across cloud‑native services. Didi plans to broaden its business use and community collaboration.

Didi Tech

eBPF is a revolutionary Linux kernel technology that safely and efficiently extends kernel capabilities, with broad applications especially in cloud-native observability.

The article traces the evolution of BPF from its 1993 inception as the Berkeley Packet Filter to the 2013 introduction of extended BPF (eBPF), detailing instruction set enhancements, the addition of JIT compilation, and the expansion of use cases beyond networking to dynamic tracing, performance analysis, and root cause analysis.

It then outlines Didi's production environment pain points, including traffic replay testing, service access topology, container security, and kernel root cause localization, describing the challenges posed by diverse programming languages, inconsistent network models, high customization costs, and stability concerns.

To address these challenges, Didi developed the HuaTuo eBPF platform, focusing on improving development efficiency, providing a business‑oriented interface, ensuring host stability, and guaranteeing performance through mechanisms such as BPF bytecode management, high‑performance data communication (ringbuf), stability self‑healing, and container information management.

The platform consists of four main components: BPF bytecode management, high‑performance data processing, stability management, and container information management.

The platform can be used through an API or a command‑line interface. The article provides a compilation example:

    clang -O2 -g -target bpf -c $(NAME).bpf.c -o $(NAME).o

HuaTuo has been applied in service test regression, container security, host security, service access topology, network diagnosis, and kernel root cause analysis, with a detailed walkthrough of the kernel root cause localization workflow involving deep kernel metric collection, event‑driven exception context capture, data aggregation, analysis, and reporting.

Future plans include expanding the platform to more business lines, seeking foundation incubation for broader community collaboration, and further exploring eBPF in performance optimization, CPU scheduling, and offline‑hybrid scenarios.

Tags: Performance, cloud-native, observability, Container Security, eBPF, Kernel Tracing, HuaTuo, root cause analysis

Written by Didi Tech (official Didi technology account)
