Cilium - BPF & XDP for containers

Cilium - BPF & XDP for containers by Thomas Graf (Noiro Networks)
Cilium - https://github.com/cilium/cilium
Liveblogging: http://canopy.mirage.io/Liveblog/NetworkingDDS2016

Published in: Technology
  1. Cilium: Networking & Security for Containers with BPF & XDP
     Docker Distributed Systems Summit
     Thomas Graf
  2. The Network becomes the Application bus
     We have to deal with networks that ...
     ○ contain millions of endpoints
     ○ are noisy (nMpps)
     ○ are insecure with multiple tenants
     ○ operate unreliably
     ○ are constantly evolving WRT protocols
  3. Cilium Architecture
  4. What is BPF?
  5. BPF Code Generation at Container Startup
     ● Generate networking code at container startup
     ○ Tailored to each individual container
     ○ Leads to minimal code required ⇒ faster ⇒ smaller attack surface (unikernel like)
     ● Majority of configuration (IP, MAC, ports, ...) becomes constant, the compiler can optimize heavily
     ● Regeneration at runtime without breaking connections
  6. Make all tasks globally addressable on the Internet
     ● Global IPv6 addresses
     ○ No NAT!
     ○ Native IPv4/NAT46 + NAT for compat
     ● Host scope address allocator
     ○ Lockless allocation
     ● Task mobility
     ○ ILA
  7. Scaling Policy Specification
     ● How to specify policy for millions of endpoints?
     ● Decouple policy specification from addressing
     ○ IP+port ACLs are unsuitable for containers
     ○ Policy specification based on container labels
     (Diagram: Frontend, Backend and LB containers carrying the labels FE, BE and LB)
  8. Scaling Policy Specification
     ● How to specify policy for millions of endpoints?
     ● Decouple policy specification from addressing
     ○ IP+port ACLs are unsuitable for containers
     ○ Policy specification based on container labels
     (Diagram: the same FE, BE and LB containers additionally labelled Prod or QA, with policy edges marked "requires")
  9. Scaling Policy Enforcement
     ● Distributed fixed cost policy enforcement
     ○ Per-CPU BPF-map hashtable
     (Diagram: FE, BE and LB containers with Prod/QA labels mapped to the cluster-wide label IDs 10 to 16)
     Cluster Wide Label ID Table: This ID is carried in the network packet and used to reconstruct the label context at the receiving host. Policy enforcement cost is reduced to a single hashtable lookup regardless of complexity.
  10. Extensibility & Safety in the Kernel
     ● Decouple datapath functionality from kernel version
     ○ Support new protocols
     ○ Add arbitrary statistics
     ○ Safety guaranteed by Verifier
     ● All at runtime for already running containers
  11. Scaling the Delivery of Cat Pictures
     ● Distributed L3/L4 LB w/ DSR
     ● Like IPVS but completely programmable
     ● LB for N-S, E-W & Intra-node
     (Diagram: ECMP in front of LB, FE and BE instances; small HTTP GET requests versus large cat pictures/videos in the reply direction)
  12. Performance
  13. Demo
  14. Q&A
     Start hacking on BPF for containers: https://github.com/cilium/cilium
     Slack: cilium.slack.com
     Twitter: @tgraf__
     Thank You
  15. Building Blocks
     ● L3 forwarding (IPv6 & IPv4)
     ● Host connectivity
     ● Encapsulation (VXLAN/Geneve/GRE)
     ● ICMPv6 & ICMP generation
     ● NDisc & ARP responder
     ● Access Control
     ● Port mapping
     ● Connection tracking
     ● L3/L4 Load balancer w/ DSR
     ● Statistics
     ● Events (perf ring buffer)
     ● Debugging framework
     ● NAT46
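As an added illustration of the label-based policy model on slides 7 to 9 (example code written for this page, not from the slides or the Cilium project): every distinct label set receives a cluster-wide numeric ID, rules written against labels compile into a flat table, and the receiving host decides with one hashtable lookup keyed on (source ID, destination ID), so cost does not depend on the number of rules or endpoints. Label names, rules and IDs are constructed; Cilium keeps the real table in a per-CPU BPF map.

```python
# Python stand-in for the label ID table and the (src_id, dst_id) allow table.
from itertools import product

# Cluster-wide label ID table: frozenset of labels -> numeric identity.
# IDs are allocated on first sight, so a new container that reuses an
# existing label set needs no new policy entry (policy is decoupled from
# addressing: no IP or port appears anywhere below).
_label_ids = {}

def label_id(labels):
    key = frozenset(labels)
    if key not in _label_ids:
        _label_ids[key] = 10 + len(_label_ids)   # constructed: start at 10 as on slide 9
    return _label_ids[key]

def compile_policy(rules, known_label_sets):
    """Expand label selectors into a flat allow table of (src_id, dst_id).

    rules: list of (src_selector, dst_selector); a rule means "endpoints
    carrying all dst_selector labels accept traffic from endpoints carrying
    all src_selector labels".
    """
    allow = set()
    for src_sel, dst_sel in rules:
        for src, dst in product(known_label_sets, repeat=2):
            if set(src_sel) <= src and set(dst_sel) <= dst:
                allow.add((label_id(src), label_id(dst)))
    return allow

def enforce(allow_table, packet_src_id, local_endpoint_labels):
    """Receive-side check: the packet carries the sender's label ID, the
    host reconstructs the label context with one hashtable lookup."""
    return (packet_src_id, label_id(local_endpoint_labels)) in allow_table

# Constructed label sets for FE/BE/LB containers in Prod and QA environments.
LABEL_SETS = [frozenset(s) for s in (
    {"lb", "prod"}, {"fe", "prod"}, {"be", "prod"},
    {"lb", "qa"}, {"fe", "qa"}, {"be", "qa"})]

# Constructed rules: FE accepts from LB and BE accepts from FE, but only
# inside the same environment (Prod stays with Prod, QA with QA).
RULES = [
    (("lb", "prod"), ("fe", "prod")), (("fe", "prod"), ("be", "prod")),
    (("lb", "qa"), ("fe", "qa")), (("fe", "qa"), ("be", "qa")),
]
ALLOW = compile_policy(RULES, LABEL_SETS)
```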