
eBPF Explained: Free 22-Chapter Guide to Mastering Linux Kernel Tools

There’s a technology running inside the Linux kernel right now — on your cloud nodes, in your Kubernetes clusters, almost certainly in any modern networking or security tool you rely on — that most engineers couldn’t explain if their on-call rotation depended on it. Clear, complete explanations of eBPF are rare. A new free 22-chapter series from developer Nghia Dau Lau aims to change that, and it’s one of the most serious self-published technical education efforts we’ve seen in the Linux ecosystem in years.

  • eBPF explained across 22 free chapters, taking readers from virtual machine basics to writing real kernel-level tools.
  • The series is tested on a live Kubernetes cluster running kernel 6.17 and Cilium 1.19 — not just slides.
  • Readers go deep on registers, the verifier, JIT compilation, maps, XDP firewalls, LSM security, and CPU profiling.
  • The series covers both C with libbpf and Go with cilium/ebpf, making it practical for backend, SRE, and security engineers.

140 eBPF Programs, Zero Kernel Recompiles

To understand why this matters, consider the setup the author uses as his lab throughout the series: a Kubernetes cluster running Linux kernel 6.17 and Cilium 1.19, with 140 live eBPF programs actively routing packets, enforcing access controls, and collecting metrics — all without a single kernel module loaded or kernel recompiled. That’s not a demo environment. That’s what production infrastructure actually looks like today at the companies shipping software at scale.

eBPF — which started life as the Extended Berkeley Packet Filter — has quietly become one of the most consequential pieces of systems infrastructure in the last decade. Meta uses it for load balancing. Google deploys it for security policy enforcement. Cloudflare runs DDoS mitigation on it. Cilium, now a graduated CNCF project, replaced kube-proxy entirely with BPF programs in Kubernetes clusters. And yet, most backend engineers who hear “Cilium does that with eBPF” in a platform meeting still nod politely without having the faintest idea what’s actually happening at the kernel level. A clear explanation of eBPF, from fundamentals to production use, remains genuinely hard to find.

eBPF Explained: What the Series Actually Covers

The series is structured in seven parts, and the scope is genuinely ambitious. Part I lays the conceptual groundwork — the eBPF virtual machine itself, its register-based instruction set, how the kernel verifier works, and why that verifier is the reason eBPF programs can’t crash the kernel the way a rogue module can. This isn’t hand-waving. The author gets into the safety proofs the verifier applies before a single instruction runs in kernel space. That level of rigor is what separates this series from most introductory material.

Maps — the shared memory structures that bridge kernel-space eBPF programs and userspace applications — get their own dedicated treatment, as do BTF (BPF Type Format) and CO-RE (Compile Once, Run Everywhere), the mechanism that lets you write an eBPF program on one kernel version and load it on another without recompiling. CO-RE solved one of eBPF’s most annoying practical problems, and it’s increasingly the reason the tooling ecosystem has accelerated so dramatically since around 2020.

Part II moves into tracing — bpftrace one-liners, uprobes, USDT probes — including the genuinely useful trick of inspecting a running container process from the host node without touching the container itself. Part III is where things get hands-on for developers: writing actual eBPF tools in C using libbpf, and separately in Go using the cilium/ebpf library. Both paths are fully worked through with real source code, available on GitHub.

The networking section (Part IV) covers XDP — the hook that processes packets before the kernel’s networking stack even sees them — and walks through writing a working firewall. It then dissects the live Cilium datapath using tc/sched_cls, which is precisely the layer Cilium uses for its kube-proxy replacement. You can run the same bpftool commands the author uses and see your own cluster’s programs:

2871: sched_cls name tail_no_service_ipv4 tag fe7bcb57c001d434 gpl — xlated 4920B jited 2778B memlock 8192B map_ids 171,631 btf_id 758

That output — xlated being the program’s bytecode as the kernel holds it after the verifier has accepted and rewritten it (map references and helper calls resolved), jited being the native machine code the JIT compiler produced from that bytecode — is eBPF explained in concrete terms. Not a diagram. An actual running program you can inspect.
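The parsing logic at the heart of the kind of XDP firewall described above, as an added example that is not code from the series: it is written with the bounds checks the verifier demands before every header access, but over a plain byte buffer so it compiles and runs in user space without a kernel, a BPF toolchain or root. The verdict constants and header layouts are copies of the kernel’s, the sample frame is constructed here, and the blocked-port policy is an assumption for illustration.

```c
/* Added example, not code from the series: the packet-parsing core of an
 * XDP firewall, written with the bounds checks the eBPF verifier insists on
 * before every header access, but over a plain byte buffer so it can be
 * compiled and exercised in user space. In the real program the same body
 * sits behind SEC("xdp") int xdp_fw(struct xdp_md *ctx) with
 *   data = (void *)(long)ctx->data, data_end = (void *)(long)ctx->data_end,
 * and the header structs come from <linux/if_ether.h>, <linux/ip.h> and
 * <linux/tcp.h>; the minimal copies below have the same layout. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* XDP verdicts; the values match enum xdp_action in <linux/bpf.h>. */
enum { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2 };

#define ETH_P_IP     0x0800
#define TCP_FLAG_SYN 0x02
#define TCP_FLAG_ACK 0x10

struct eth_hdr  { uint8_t dst[6], src[6]; uint16_t proto; } __attribute__((packed));
struct ipv4_hdr { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off;
                  uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));
struct tcp_hdr  { uint16_t source, dest; uint32_t seq, ack_seq; uint8_t doff_res, flags;
                  uint16_t window, check, urg_ptr; } __attribute__((packed));

/* Policy (an assumption for this example): drop connection attempts (SYN
 * without ACK) to blocked_port, let everything else through. Anything that
 * claims to be IPv4/TCP but is too short to parse is dropped (fail closed).
 * Every pointer is compared against data_end before it is dereferenced;
 * without those checks the verifier rejects the program at load time, which
 * is exactly why a loaded XDP program can never read past the packet. */
int xdp_firewall(const void *data, const void *data_end, uint16_t blocked_port)
{
    const struct eth_hdr *eth = data;
    if ((const void *)(eth + 1) > data_end)
        return XDP_DROP;
    if (ntohs(eth->proto) != ETH_P_IP)
        return XDP_PASS;                 /* ARP, IPv6, ...: not this filter's job */

    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)(eth + 1);
    if ((const void *)(ip + 1) > data_end)
        return XDP_DROP;
    size_t ihl = (ip->ihl_version & 0x0f) * 4;   /* header length incl. options */
    if (ihl < sizeof(*ip) || (const void *)((const uint8_t *)ip + ihl) > data_end)
        return XDP_DROP;
    if (ip->protocol != IPPROTO_TCP)
        return XDP_PASS;

    const struct tcp_hdr *tcp = (const struct tcp_hdr *)((const uint8_t *)ip + ihl);
    if ((const void *)(tcp + 1) > data_end)
        return XDP_DROP;

    int is_syn = (tcp->flags & (TCP_FLAG_SYN | TCP_FLAG_ACK)) == TCP_FLAG_SYN;
    if (is_syn && ntohs(tcp->dest) == blocked_port)
        return XDP_DROP;
    return XDP_PASS;
}

/* Constructed test input: an Ethernet/IPv4/TCP frame with the given
 * destination port and TCP flags (addresses are documentation values).
 * Returns the frame length (54 bytes: 14 + 20 + 20). */
size_t build_tcp_frame(uint8_t *buf, uint16_t dport, uint8_t flags)
{
    struct eth_hdr  *eth = (struct eth_hdr *)buf;
    struct ipv4_hdr *ip  = (struct ipv4_hdr *)(eth + 1);
    struct tcp_hdr  *tcp = (struct tcp_hdr *)(ip + 1);
    size_t len = sizeof(*eth) + sizeof(*ip) + sizeof(*tcp);

    memset(buf, 0, len);
    eth->proto      = htons(ETH_P_IP);
    ip->ihl_version = 0x45;                        /* IPv4, 20-byte header */
    ip->tot_len     = htons(sizeof(*ip) + sizeof(*tcp));
    ip->ttl         = 64;
    ip->protocol    = IPPROTO_TCP;
    ip->saddr       = htonl(0xC0000201);           /* 192.0.2.1 */
    ip->daddr       = htonl(0xC0000202);           /* 192.0.2.2 */
    tcp->source     = htons(40000);
    tcp->dest       = htons(dport);
    tcp->doff_res   = 5 << 4;                      /* 20-byte TCP header */
    tcp->flags      = flags;
    return len;
}

int main(void)
{
    uint8_t frame[64];
    size_t n = build_tcp_frame(frame, 22, TCP_FLAG_SYN);
    printf("SYN to 22 with 22 blocked: %s\n",
           xdp_firewall(frame, frame + n, 22) == XDP_DROP ? "DROP" : "PASS");
    printf("same frame cut to 20 bytes: %s\n",
           xdp_firewall(frame, frame + 20, 22) == XDP_DROP ? "DROP" : "PASS");
    return 0;
}
```

The shape of the checks is the part worth internalising: each `(x + 1) > data_end` comparison is what lets the verifier prove the following load is in bounds, and the variable-length IPv4 header is handled by checking the computed `ihl` offset before the TCP header pointer is formed from it.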

Security and Observability: The Parts That Will Interest Platform Teams Most

Parts V and VI are likely where SRE and security engineers will spend the most time. The security section covers LSM BPF (Linux Security Module hooks driven by BPF programs), seccomp-bpf for syscall filtering in containers, and Tetragon — Isovalent’s open-source runtime security tool that goes beyond observation to active enforcement using bpf_send_signal to terminate hostile processes mid-flight. For teams evaluating these tools, understanding eBPF at the implementation level makes threat modeling and configuration far more precise.

The observability section tackles CPU profiling via perf_event — the actual mechanism underneath every flame graph you’ve ever looked at in Pyroscope or Parca — plus off-CPU analysis for scheduler latency, and a detailed walkthrough of Hubble, Cilium’s network observability layer, showing how raw eBPF events become the cluster-wide flow data you see in the Hubble UI.

The capstone project, connmon, is a node-wide TCP connection monitor the reader builds themselves. It’s exactly the kind of project that turns understanding into intuition — the difference between knowing what a map is and actually holding state across packet events in a program you wrote.

Why Good eBPF Education Has Been So Hard to Find

The eBPF documentation ecosystem has historically been scattered. The official ebpf.io site is solid on concepts. Kernel.org documentation is thorough but assumes you’re already comfortable in kernel development. Brendan Gregg’s work on BPF performance tools is excellent but skews toward observability specifically. What’s been missing is a single structured path from zero understanding to writing real programs — tested on real infrastructure, not toy VMs. In short, an end-to-end explanation of eBPF, with working code on real clusters, simply didn’t exist in one place before this series.

Part of the problem is that eBPF spans an unusual number of disciplines simultaneously. You need to understand kernel internals, network protocols, compiler toolchains, and systems programming. Most tutorials pick one lane. This series explicitly refuses to, which is both its main strength and why it runs to 22 chapters.

The bilingual aspect — the full series exists in both English and Vietnamese — is worth flagging too. Vietnamese developer communities have historically had limited access to deep systems programming content in their own language. Publishing a series of this depth in Vietnamese alongside English is a meaningful contribution that doesn’t get mentioned enough in Western tech coverage.

eBPF Explained for the Engineers Who Actually Need It

The intended audience is specific and honest: backend engineers, platform engineers, SREs, and security practitioners who keep hearing eBPF invoked as the reason their infrastructure works and want to actually understand — and eventually write — the programs doing that work. The prerequisite is comfort on the Linux command line. Everything else is built from scratch.

What makes this series worth taking seriously isn’t just the breadth. It’s the insistence on grounding everything in verifiable reality — official kernel documentation, actual running programs, real cluster output. There are no invented simplifications that would need to be unlearned later.

eBPF’s trajectory as a technology is only pointing in one direction. Microsoft is bringing it to Windows. The security tooling built on it — Falco, Tetragon, Tracee — is proliferating rapidly across enterprise environments. Networking projects like Cilium are becoming the default CNI choice for serious Kubernetes deployments. Engineers who understand what’s actually happening inside these tools aren’t just better at debugging them; they’re better positioned to build the next generation of infrastructure on top of them. A free 22-chapter series that explains eBPF down to the verifier, the JIT compiler, and the live datapath is exactly the kind of resource the industry needed someone to write.

Source: https://dev.to/aws-builders/ebpf-from-scratch-from-the-ebpf-vm-to-writing-your-own-tools-tested-on-a-live-cilium-cluster-3373

Yasir Khursheed, https://www.squaredtech.co/