eBPF vs non-eBPF tracepoint/kprobes


As per this document (amongst others): https://blogs.oracle.com/linux/post/taming-tracepoints-in-the-linux-kernel

It is possible using both eBPF and other kernel-provided mechanisms to register callbacks for tracepoints or kprobes.

It seems that nowadays everybody wants to use eBPF for this task. What is the advantage of using eBPF instead of just registering tracepoints as explained e.g. here https://www.kernel.org/doc/Documentation/trace/tracepoints.txt?

While traditional tracepoints and kprobes are useful for instrumentation, eBPF provides a more versatile framework for tracing and observability.

With eBPF, you can load and attach programs dynamically at runtime without needing to modify the kernel source code or restart the system.

Additionally, eBPF programs run in a secure virtual machine within the kernel, which ensures safety and prevents crashes or security vulnerabilities.

eBPF has a powerful instruction set and excellent tooling, which enables developers to express complex tracing logic. It supports various features like maps, helper functions, and tail calls, which make it easier to write sophisticated tracing programs.

eBPF programs have minimal impact on system performance and are executed efficiently in the kernel. They frequently run in parallel, resulting in low overhead for tracing operations.

The rich ecosystem of eBPF-based tools, such as bpftrace and eBPF-powered observability frameworks, further enhances the analysis and troubleshooting capabilities. eBPF programs are generally portable across different kernel versions, reducing the need for frequent updates or modifications. This portability allows you to reuse tracing logic across various kernel versions and distributions, ensuring consistency in your tracing infrastructure.

Registering tracepoints without using eBPF requires you to use Linux kernel modules. Contrary to eBPF programs, kernel modules are not verified at load time; they may crash your system.

See https://stackoverflow.com/a/70404149/6884590 for the longer explanation.
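As an added illustration (not code from either answer or from the linked documents), the runtime-attach model both answers describe, written as a bpftrace script: it hooks a stable syscall tracepoint and a kprobe, aggregates into BPF maps, and is rejected by the verifier rather than loaded if it were unsafe. It assumes bpftrace is installed and that the kernel exports the `do_sys_openat2` symbol (present since 5.6; the probe name is an assumption for this example).

```bpftrace
#!/usr/bin/env bpftrace
// Attach at runtime to the openat syscall tracepoint: no kernel module,
// no rebuild, no reboot. The verifier checks the program before it is
// loaded, so an out-of-bounds access or unbounded loop is refused up front
// instead of crashing the kernel like a buggy module would.
tracepoint:syscalls:sys_enter_openat
{
    // @opens is a BPF hash map keyed by process name; bpftrace prints it
    // when the script exits. Useful for auditing which processes touch files.
    @opens[comm] = count();

    // Record the path as well, to see which files each process opens.
    @files[comm, str(args->filename)] = count();
}

// The same event via a kprobe on an internal kernel function. Kprobes
// follow unstable symbols and may need updating across kernel versions,
// which is why the stable tracepoint above is the better default.
kprobe:do_sys_openat2
{
    @kprobe_hits = count();
}

// Stop after 10 seconds; all maps are dumped automatically on exit.
interval:s:10
{
    exit();
}
```

Run it as root (`sudo bpftrace ./openat.bt`); detaching the probes on exit needs no cleanup code, whereas a module must unregister its callbacks itself.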