The article presents nine diagrams that illustrate Linux performance tooling categories—including observability, static analysis, benchmarking, tuning, sar, perf-tools, tracing, and BPF tools—providing a quick visual reference for system engineers.
The ClawLess framework, developed by researchers from Southern University of Science and Technology and Hong Kong University of Science and Technology, combines formal security policies, physical sandboxing, user‑space kernels and BPF‑based system‑call interception to protect highly autonomous AI agents from rogue behavior and external attacks.
A recent K8s host‑level deployment triggered massive service timeouts because runc 1.1.5 passed incorrect CPU‑binding masks to systemd, causing containers to share cores, inflating load and starving workloads, a problem uncovered with Perfetto, BPF tracing and a targeted bug‑fix upgrade.
HUATUO, Didi's open‑source cloud‑native observability project, leverages BPF‑based low‑overhead kernel tracing, unified metric and event frameworks, automatic flame‑graph generation, and seamless integration with Prometheus, Grafana and Elasticsearch to provide panoramic, zero‑intrusive monitoring and continuous performance profiling for complex production environments.
This article explains the problem of internal and external memory fragmentation in Linux systems, introduces eBPF as a powerful tracing tool, and provides step‑by‑step guidance for building, loading, and running eBPF programs to analyze and mitigate fragmentation on both Linux and Android platforms.
UprobeStats, introduced in Android 15, uses the Linux kernel eBPF uprobe mechanism to dynamically insert probes into user‑space methods, capture timestamps and arguments, load BPF programs, and forward the data to StatsD via configurable protobufs, enabling flexible, source‑free instrumentation with minimal overhead.
The article explains how to add runtime‑configurable filtering of kernel function arguments in eBPF programs by parsing a C‑style expression, validating its AST, converting it to BPF instructions using BTF metadata, and injecting the generated code into the probe, with a complete example for skb filtering.
The article explains how eBPF‑based sched_ext enables painless design, implementation and deployment of new Linux schedulers, offering faster iteration, better observability, lower entry barriers, and showcases simple FIFO examples, advanced LAVD and rustland schedulers, their adoption in major distros, and performance gains for gaming workloads.
The article outlines six distinct kernel‑level bugs affecting the eBPF tailcall feature across multiple Linux versions, explains the underlying causes and the commits that fixed them, and introduces a detection tool to verify whether a running kernel is affected.
The article explains why backtracing with eBPF fentry on arm64 is harder than on x86, details the stack layout differences, shows how recent commits changed register saving, and provides a practical detection routine to locate the frame pointer and retrieve the tracee's instruction pointer.
This article provides a comprehensive technical walkthrough of Linux's sched_ext scheduler extension, explaining how BPF enables custom scheduling policies, detailing the underlying CFS and EEVDF concepts, the new SCHED_EXT class, dispatch queues, kernel configuration, and practical code examples for building and testing BPF‑based schedulers.
This article explains the fundamentals of TCP RST packets, distinguishes active and passive resets, outlines common kernel scenarios that generate them, and provides practical debugging methods using tcpdump, bpftrace, and source‑code analysis to resolve real‑world network incidents.
The article investigates why BPF LSM programs fail to load on aarch64 kernels, uses ftrace‑based tools such as bpftrace and trace‑cmd to trace kernel execution, discovers missing arch_prepare_bpf_trampoline support in 5.15 and 6.1, and shows that a patch merged into the mainline kernel restores functionality for upcoming releases.
Didi’s observability platform leverages non‑intrusive eBPF probes to automatically capture and validate service‑to‑service call tuples, supplement missing SDK data, achieve roughly 80 % core‑path coverage, and address verification challenges while planning future user‑space VM hooks and deeper MTL integration.
By profiling the OCI runtime with hyperfine and applying a series of kernel patches, seccomp hash optimizations, and BPF compilation caching, the author reduced container start‑up time from roughly 160 ms in 2017 to just over 5 ms today—a near 30‑fold speedup.
Researchers from Intezer and BlackBerry uncovered Symbiote, a novel Linux rootkit that loads as a shared library via LD_PRELOAD, hijacks libc and libpcap, uses BPF hooking to hide malicious traffic, and targets credential theft and remote access, especially in Latin American financial sectors.
This article walks through creating a Linux packet sniffer that bypasses libpcap, explains PF_PACKET raw sockets, shows how to bind to a specific interface, enable promiscuous mode, attach a BPF filter compiled with tcpdump, and parse Ethernet and IP headers in a continuous receive loop.
This article explains how DNS operates inside Kubernetes, enumerates common failure causes, describes CoreDNS's built‑in observability plugins, introduces BPF‑based client‑side diagnostics, and provides a step‑by‑step troubleshooting workflow to identify and resolve DNS issues in cloud‑native environments.
The article explains how Android’s shift to Linux kernel 4.x/5.x introduced the eBPF framework, detailing its advantages over iptables, the programming model with helper macros and maps, and its implementation in netd and HAL to collect network statistics, enforce traffic control, and support power‑saving Doze policies.
This article introduces the fundamentals of BPF and its extended version eBPF, explains their kernel‑resident virtual machine architecture, demonstrates simple packet‑filtering examples, outlines the eBPF program lifecycle, describes key BPF system‑call commands, and surveys the various eBPF map types used for efficient data handling in Linux.
The article explains eBPF’s evolution from packet filtering to a C‑compiled, sandboxed kernel framework, describes its core concepts of bytecode, JIT, and maps, and walks through building, loading, and using an Android eBPF program that counts system calls per PID via tracepoint hooks.
A production Kubernetes cluster experienced intermittent network jitter caused by the IPVS estimation_timer soft‑interrupt, and the article details how BPF tracing, perf analysis, and a kpatch live‑patch were used to identify and eliminate the latency without rebooting the nodes.
This article explains Kubernetes' core networking model, details the various Service types (PodIP, HostPort, NodePort, ExternalIP, LoadBalancer, ClusterIP), describes Cilium's eBPF/XDP implementation for high‑performance load balancing, and presents performance benchmarks and recent BPF kernel extensions.
Linux 5.10 brings a slew of network upgrades—including bundled BPF programs, support for over 255 IPv4 multicast interfaces, MPTCP refinements, Intel IGB XDP support, new Wi‑Fi driver chips, up to 20% performance gains for Mellanox NICs, and a BPF helper that boosts TCP throughput from 10 Gbps to 15 Gbps.
Linux Kernel 4.20, the largest release in over a year, arrived just before Christmas, bringing major updates such as BPF network parsing, new hardware support, C‑SKY architecture, pressure‑stall detection, XArray data structures, and early NVIDIA HDMI 2.0 driver support.
Linus Torvalds has resumed his role as lead maintainer of the Linux kernel, prompting discussions on merge windows, the new Code of Conduct, BPF’s growing influence, and how these changes may shape the community’s collaborative workflow and future innovations.
