SlideShare a Scribd company logo
1 of 27
Download to read offline
BPF
Turning Linux into a
Microservices-aware
Operating System
About the Speaker
Thomas Graf
● Linux kernel developer for ~15 years working on
networking and security
● Helped write one of the biggest monoliths ever
● Worked on many Linux components over the years (IP,
TCP, routing, netfilter/iptables, tc, Open vSwitch, …)
● Creator of Cilium to leverage BPF in a cloud native and
microservices context
● Co-Founder & CTO of the company building Cilium
2
Agenda
● Evolution of running applications
○ From single task processes to microservices
● Problems of the Linux kernel
○ The kernel
● What is BPF?
○ Turning Linux into a modern, microservices-aware operating system
● Cilium - BPF-based networking security for microservices
○ What is Cilium?
○ Use Cases & Deep Dive
● Q&A
3
Evolution: Running applications
Split the CPU and
memory. Shared
libraries, package
management, Linux
distributions.
4
Virtualization
Microservices
Containers
Multi tasking
Ship the OS together
with application and run
it in a VM for better
resource isolation.
Virtualized hardware
and software defined
infrastructure.
Dark Age:
Single tasking
The simple age. Back to a shared
operating system.
Applications directly
interact with the host
operating system again.
Problems of the
Linux Kernel in the
age of microservices
5
Problem #1: Abstractions
6
ProcessProcess
HW
System Call Interface
IPv4
Netdevice / Drivers
Sockets
Ethernet
TCP
IPv6
Netfilter
UDP Raw
Traffic Shaping
Bridge OVS ..
The Linux kernel is split into layers to
provide strong abstractions.
Pros:
● Strong userspace API compatibility
guarantee. A 20 years old binary still
works.
● Majority of Linux source code is not
hardware specific.
Cons:
● Every layer pays the cost of the
layers above and below.
● Very hard to bypass layers.
Problem #2: Per subsystem APIs
7
ProcessProcess
HW
System Call Interface
IPv4
Netdevice / Drivers
Sockets
Ethernet
TCP
IPv6
Netfilter
UDP Raw
Traffic Shaping
Bridge OVS
iptablesseccomp tcethtool
..
ip
brctl /
ovsctl
tcpdump
8
Problem #3: Development Process
The Good:
● Open and transparent process
● Excellent code quality
● Stability
● Available everywhere
● Almost entirely vendor neutral
The Bad:
● Hard to change
● Shouting is involved (getting better)
● Large and complicated codebase
● Upstreaming code is hard, consensus has to
be found.
● Upstreaming is time consuming
● Depending on the Linux distribution,
merged code can take years to become
generally available
● Everybody maintains forks with 100-1000s
backports
9
Problem #4: What is a container?
What the kernel knows about:
● Processes & thread groups
● Cgroups
○ Limits and accounting of CPU,
memory, network, … Configured by
container runtime.
● Namespaces
○ Isolation of process, CPU, mount,
user, network, IPC, cgroup, UTS
(hostname). Configured by container
○ runtime
● IP addresses & port numbers
○ Configured by container networking
● System calls made & SELinux context
○ Optionally configured by container
runtime
What the kernel does not know:
● Containers or Kubernetes pods
○ There is no container ID in the kernel
● Exposure requirements
○ The kernel no longer knows whether
an application should be exposed
outside of the host or not.
● API calls made between containers/pods
○ Awareness stops at layer 4 (ports).
While SELinux can control IPC, it can’t
control service to service API calls.
● Servicemesh, huh?
What now? Alternatives?
Linus was wrong. The
app should provide its
own OS.
10
Move OS to
Userspace
Rewrite
Everything?Unikernel
We don’t need kernel
mode for most of the
logic. Build on top of a
minimal Linux.
Examples: ClickOS,
MirageOS, Rumprun, ...
Give user
space access
to hardware
Examples: User mode
Linux, gVisor, ...
Expose the hardware
directly to user space.
It will be fine.
Examples: DPDK,
UDMA, ..
Total Estimated Cost
to Develop Linux
(average salary =
$75,662.08/year,
overhead = 2.40).
$1,372,340,206
What is BPF?
Highly efficient sandboxed
virtual machine in the Linux
kernel making the Linux kernel
programmable at native
execution speed.
Jointly maintained by Cilium
and Facebook with
collaborations from Google,
Red Hat, Netflix, Netronome,
and many others.
11
$ clang -target bpf -emit-llvm -S 
32-bit-example.c
$ llc -march=bpf 32-bit-example.ll
$ cat 32-bit-example.s
cal:
r1 = *(u32 *)(r1 + 0)
r2 = *(u32 *)(r2 + 0)
r2 += r1
*(u32 *)(r3 + 0) = r2
exit
The Linux kernel is event driven
12
Process Process
CPU RAM MMU NIC Disk Disk
System Call Interface
USB
Drivers
12M lines of source code
Process Process
System calls
Interrupts
Run BPF program on event
13
Process
NICDisk
Process
BPF
BPF
BPF
IORead
Sendnetwork
packet
connect()
Sockets
TCP/IP
Network Device
BPF
TCP
retrans
BPF
read()
File Descriptor
VFS
Block Device
Attachment points
● Kernel functions (kprobes)
● Userspace functions (uprobe)
● System calls
● Tracepoints
● Network devices (packet level)
● Sockets (data level)
● Network device (DMA level) [XDP]
● ...
Process
BPF Maps
14
BPF
BPF Maps
BPF map use cases:
● Hold program state
● Share state between programs
● Share state with user space
● Export metrics & statistics
● Configure programs
Map types:
● Hash tables
● Arrays
● LRU (Least recently used)
● Ring buffer
● Stack trace
● LPM (Longest prefix match)
BPF Helpers
15
bpf_get_prandom_u32()
BPF
BPF helpers:
● Stable kernel API exposed to BPF
programs to interact with the kernel
● Includes ability to:
○ Get process/cgroup context
○ Manipulate network packets
and forwarding
○ Access BPF maps
○ Access socket data
○ Send metrics to user space
○ ...
bpf_skb_store_bytes()
bpf_redirect()
bpf_get_current_pid_tgid()
bpf_perf_event_output()
BPF Tail Calls
16
BPF
BPF
BPF tail calls:
● Chain logical programs together
● Implement function calls
● Must be within same program type
BPF
BPF
BPF
BPF JIT Compiler
17
JIT Compiler
● Ensures native execution
performance without requiring to
understand CPU
● Compiles BPF bytecode to CPU
architecture specific instruction set
Supported architectures:
● X86_64, arm64, ppc64, s390x, mips64,
sparc64, arm
Byte
code
Byte
code
x86_64
generic
Byte
code
generic
JIT
BPF Contributors
380 Daniel Borkmann (Cilium, Maintainer)
161 Alexei Starovoitov (Facebook, Maintainer)
160 Jakub Kicinski Netronome
110 John Fastabend (Cilium)
96 Yonghong Song (Facebook)
95 Martin KaFai Lau (Facebook)
94 Jesper Dangaard Brouer (Red Hat)
74 Quentin Monnet (Netronome)
45 Roman Gushchin (Facebook)
45 Andrey Ignatov (Facebook)
Top contributors of
the total 186
contributors to BPF
from January 2016 to
November 2018.
18
BPF Use Cases
● L3-L4 Load balancing
● Network security
● Traffic optimization
● Profiling
https://code.fb.com/open-s
ource/linux/
● QoS & Traffic optimization
● Network Security
● Profiling
● Replacing iptables with BPF
(bpfilter)
● NFV & Load balancing (XDP)
● Profiling & Tracing
● Performance
Troubleshooting
● Tracing & Systems Monitoring
● Networking
19
Simple Kprobe Example
20
Example: BPF program using gobpf/bcc:
What is Cilium?
At the foundation of Cilium is the new Linux kernel
technology BPF, which enables the dynamic insertion
of powerful security, visibility, and networking control
logic within Linux itself. Besides providing traditional
network level security, the flexibility of BPF enables
security on API and process level to secure
communication within a container or pod.
Read More
Cilium is open source software for transparently
providing and securing the network and API
connectivity between application services deployed
using Linux container management platforms like
Kubernetes, Docker, and Mesos.
21
Project Goals
22
Approachable BPF
● Make the efficiency and flexibility of BPF
available in an approachable way
● Automate program creation and
management
● Provide an extendable platform
Microservices-aware Linux
● Use the flexibility of BPF to make the Linux
kernel aware of cloud native concepts
such as containers and APIs.
Security
● Use the additional visibility of BPF to
provide security for microservices
including:
○ API awareness
○ Identity based enforcement
○ Process level context enforcement
Performance
● Leverage the execution performance and
JIT compiler to provide a highly efficient
implementation.
Cilium Use Cases
23
Container Networking
● Highly efficient and flexible
networking
● CNI and CMM plugins
● IPv4, IPv6, NAT46, direct routing,
encapsulation
● Multi cluster routing
Service Load balancing:
● Highly scalable L3-L4 load balancing
implementation
● Kubernetes service implementation or
API driven.
Microservices Security
● Identity-based L3-L4 network security
● Accelerated API-aware security via
Envoy (HTTP, gRPC, Kafka, Cassandra,
memcached, ..)
● DNS aware policies
● SSL data visibility via kTLS
Servicemesh acceleration:
● Minimize overhead when injecting
servicemesh sidecar proxies
BPF-based servicemesh
Acceleration
24
Service
Container
Sidecar proxy
Service
Container
Sidecar proxy
How it really looks:
BPF-based servicemesh
Acceleration
25
Accelerate the service to
sidecar communication
~3.5x performance improvement
Other BPF projects
26
Tracing / Profiling:
● BPFTrace - DTrace for Linux (Brendan
Gregg, et al.)
● bpfd - Load BPF programs into entire
clusters (Joel Fernandes, Google)
Frameworks:
● gobpf - Go based framework to write BPF
programs
● BCC - Python framework to write BPF
programs
Load balancing:
● Katran - Source code of Facebook’s
primary L3-L4 LB (Facebook team)
Security:
● Seccomp - Advanced BPF version of
Seccomp (Kernel team)
DDoS mitigation:
● bpftools - DDOS mitigation tool with
iptables like syntax (Cloudflare)
… and many more
Thank you!
Source Code:
https://github.com/cilium/cilium
BPF reference guide:
http://docs.cilium.io/en/stable/bpf/
Twitter:
@ciliumproject
Website:
https://cilium.io/

More Related Content

What's hot

Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumMichal Rostecki
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDPlcplcp1
 
Using eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumUsing eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumScyllaDB
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFRaphaël PINSON
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingViller Hsiao
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)Brendan Gregg
 
Cilium - overview and recent updates
Cilium - overview and recent updatesCilium - overview and recent updates
Cilium - overview and recent updatesMichal Rostecki
 
eBPF - Observability In Deep
eBPF - Observability In DeepeBPF - Observability In Deep
eBPF - Observability In DeepMydbops
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityThomas Graf
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPThomas Graf
 
Cilium - BPF & XDP for containers
 Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersDocker, Inc.
 
Xdp and ebpf_maps
Xdp and ebpf_mapsXdp and ebpf_maps
Xdp and ebpf_mapslcplcp1
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondAnne Nicolas
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and moreBrendan Gregg
 
Staring into the eBPF Abyss
Staring into the eBPF AbyssStaring into the eBPF Abyss
Staring into the eBPF AbyssSasha Goldshtein
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Brendan Gregg
 
Kernel advantages for Istio realized with Cilium
Kernel advantages for Istio realized with CiliumKernel advantages for Istio realized with Cilium
Kernel advantages for Istio realized with CiliumCynthia Thomas
 

What's hot (20)

Replacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with CiliumReplacing iptables with eBPF in Kubernetes with Cilium
Replacing iptables with eBPF in Kubernetes with Cilium
 
Introduction to eBPF and XDP
Introduction to eBPF and XDPIntroduction to eBPF and XDP
Introduction to eBPF and XDP
 
eBPF/XDP
eBPF/XDP eBPF/XDP
eBPF/XDP
 
Using eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in CiliumUsing eBPF for High-Performance Networking in Cilium
Using eBPF for High-Performance Networking in Cilium
 
Cloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPFCloud Native Networking & Security with Cilium & eBPF
Cloud Native Networking & Security with Cilium & eBPF
 
Meet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracingMeet cute-between-ebpf-and-tracing
Meet cute-between-ebpf-and-tracing
 
eBPF maps 101
eBPF maps 101eBPF maps 101
eBPF maps 101
 
BPF Internals (eBPF)
BPF Internals (eBPF)BPF Internals (eBPF)
BPF Internals (eBPF)
 
Cilium - overview and recent updates
Cilium - overview and recent updatesCilium - overview and recent updates
Cilium - overview and recent updates
 
eBPF - Observability In Deep
eBPF - Observability In DeepeBPF - Observability In Deep
eBPF - Observability In Deep
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and SecurityCilium - Bringing the BPF Revolution to Kubernetes Networking and Security
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
 
Cilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDPCilium - Container Networking with BPF & XDP
Cilium - Container Networking with BPF & XDP
 
Cilium - BPF & XDP for containers
 Cilium - BPF & XDP for containers Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containers
 
Xdp and ebpf_maps
Xdp and ebpf_mapsXdp and ebpf_maps
Xdp and ebpf_maps
 
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric LeblondKernel Recipes 2017 - EBPF and XDP - Eric Leblond
Kernel Recipes 2017 - EBPF and XDP - Eric Leblond
 
BPF: Tracing and more
BPF: Tracing and moreBPF: Tracing and more
BPF: Tracing and more
 
Staring into the eBPF Abyss
Staring into the eBPF AbyssStaring into the eBPF Abyss
Staring into the eBPF Abyss
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
 
Kernel advantages for Istio realized with Cilium
Kernel advantages for Istio realized with CiliumKernel advantages for Istio realized with Cilium
Kernel advantages for Istio realized with Cilium
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
 

Similar to BPF & Cilium - Turning Linux into a Microservices-aware Operating System

Feedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows AzureFeedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows AzureAntoine Poliakov
 
Dataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and toolsDataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and toolsStefano Salsano
 
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storageWebinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storageMayaData Inc
 
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)Kevin Lynch
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFoholiab
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon
 
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...Puppet
 
Comparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesComparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesAdam Hamsik
 
Kernel bug hunting
Kernel bug huntingKernel bug hunting
Kernel bug huntingAndrea Righi
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetesJuraj Hantak
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersMichelle Holley
 
Making our networking stack truly extensible
Making our networking stack truly extensible Making our networking stack truly extensible
Making our networking stack truly extensible Olivier Bonaventure
 
P4_tutorial.pdf
P4_tutorial.pdfP4_tutorial.pdf
P4_tutorial.pdfPramodhN3
 
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)Docker, Inc.
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMSherif Mousa
 
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)Hajime Tazaki
 
Using eBPF to Measure the k8s Cluster Health
Using eBPF to Measure the k8s Cluster HealthUsing eBPF to Measure the k8s Cluster Health
Using eBPF to Measure the k8s Cluster HealthScyllaDB
 

Similar to BPF & Cilium - Turning Linux into a Microservices-aware Operating System (20)

Feedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows AzureFeedback on Big Compute & HPC on Windows Azure
Feedback on Big Compute & HPC on Windows Azure
 
Dataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and toolsDataplane programming with eBPF: architecture and tools
Dataplane programming with eBPF: architecture and tools
 
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storageWebinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
Webinar: OpenEBS - Still Free and now FASTEST Kubernetes storage
 
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
Kubernetes @ Squarespace (SRE Portland Meetup October 2017)
 
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPFA Kernel of Truth: Intrusion Detection and Attestation with eBPF
A Kernel of Truth: Intrusion Detection and Attestation with eBPF
 
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
DevSecCon London 2019: A Kernel of Truth: Intrusion Detection and Attestation...
 
State of ARM-based HPC
State of ARM-based HPCState of ARM-based HPC
State of ARM-based HPC
 
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
PuppetConf 2016: Why Network Automation Matters, and What You Can Do About It...
 
Comparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetesComparison of existing cni plugins for kubernetes
Comparison of existing cni plugins for kubernetes
 
Kernel bug hunting
Kernel bug huntingKernel bug hunting
Kernel bug hunting
 
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
4. CNCF kubernetes Comparison of-existing-cni-plugins-for-kubernetes
 
Using VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear ContainersUsing VPP and SRIO-V with Clear Containers
Using VPP and SRIO-V with Clear Containers
 
Hackerworkshop exercises
Hackerworkshop exercisesHackerworkshop exercises
Hackerworkshop exercises
 
Making our networking stack truly extensible
Making our networking stack truly extensible Making our networking stack truly extensible
Making our networking stack truly extensible
 
P4_tutorial.pdf
P4_tutorial.pdfP4_tutorial.pdf
P4_tutorial.pdf
 
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
LinuxKit: the first five months by Justin Cormack & Riyaz Faizullabhoy (Docker)
 
HOW Series: Knights Landing
HOW Series: Knights LandingHOW Series: Knights Landing
HOW Series: Knights Landing
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARM
 
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
Linux rumpkernel - ABC2018 (AsiaBSDCon 2018)
 
Using eBPF to Measure the k8s Cluster Health
Using eBPF to Measure the k8s Cluster HealthUsing eBPF to Measure the k8s Cluster Health
Using eBPF to Measure the k8s Cluster Health
 

More from Thomas Graf

Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFThomas Graf
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPThomas Graf
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathThomas Graf
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersCilium - BPF & XDP for containers
Cilium - BPF & XDP for containersThomas Graf
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPThomas Graf
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking ExplainedThomas Graf
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSThomas Graf
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughThomas Graf
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Thomas Graf
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful ServicesThomas Graf
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATThomas Graf
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThomas Graf
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingThomas Graf
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014   Kernel Networking WalkthroughDevConf 2014   Kernel Networking Walkthrough
DevConf 2014 Kernel Networking WalkthroughThomas Graf
 

More from Thomas Graf (14)

Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDPDockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
 
BPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable DatapathBPF: Next Generation of Programmable Datapath
BPF: Next Generation of Programmable Datapath
 
Cilium - BPF & XDP for containers
Cilium - BPF & XDP for containersCilium - BPF & XDP for containers
Cilium - BPF & XDP for containers
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDPCilium - Fast IPv6 Container Networking with BPF and XDP
Cilium - Fast IPv6 Container Networking with BPF and XDP
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
LinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVSLinuxCon 2015 Stateful NAT with OVS
LinuxCon 2015 Stateful NAT with OVS
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking WalkthroughLinuxCon 2015 Linux Kernel Networking Walkthrough
LinuxCon 2015 Linux Kernel Networking Walkthrough
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
 
2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services2015 FOSDEM - OVS Stateful Services
2015 FOSDEM - OVS Stateful Services
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NATOpen vSwitch - Stateful Connection Tracking & Stateful NAT
Open vSwitch - Stateful Connection Tracking & Stateful NAT
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RCThe Next Generation Firewall for Red Hat Enterprise Linux 7 RC
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
 
SDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center NetworkingSDN & NFV Introduction - Open Source Data Center Networking
SDN & NFV Introduction - Open Source Data Center Networking
 
DevConf 2014 Kernel Networking Walkthrough
DevConf 2014   Kernel Networking WalkthroughDevConf 2014   Kernel Networking Walkthrough
DevConf 2014 Kernel Networking Walkthrough
 

Recently uploaded

Key Steps in Agile Software Delivery Roadmap
Key Steps in Agile Software Delivery RoadmapKey Steps in Agile Software Delivery Roadmap
Key Steps in Agile Software Delivery RoadmapIshara Amarasekera
 
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdfPros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdfkalichargn70th171
 
Advantages of Cargo Cloud Solutions.pptx
Advantages of Cargo Cloud Solutions.pptxAdvantages of Cargo Cloud Solutions.pptx
Advantages of Cargo Cloud Solutions.pptxRTS corp
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesVictoriaMetrics
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shardsChristopher Curtin
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics
 
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdfSteve Caron
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptxVinzoCenzo
 
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...kalichargn70th171
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdfAndrey Devyatkin
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...Bert Jan Schrijver
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jNeo4j
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITmanoharjgpsolutions
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfRTS corp
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfmaor17
 
Understanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptxUnderstanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptxSasikiranMarri
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldRoberto Pérez Alcolea
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 

Recently uploaded (20)

Key Steps in Agile Software Delivery Roadmap
Key Steps in Agile Software Delivery RoadmapKey Steps in Agile Software Delivery Roadmap
Key Steps in Agile Software Delivery Roadmap
 
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdfPros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
 
Advantages of Cargo Cloud Solutions.pptx
Advantages of Cargo Cloud Solutions.pptxAdvantages of Cargo Cloud Solutions.pptx
Advantages of Cargo Cloud Solutions.pptx
 
What’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 UpdatesWhat’s New in VictoriaMetrics: Q1 2024 Updates
What’s New in VictoriaMetrics: Q1 2024 Updates
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News UpdateVictoriaMetrics Q1 Meet Up '24 - Community & News Update
VictoriaMetrics Q1 Meet Up '24 - Community & News Update
 
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
 
Osi security architecture in network.pptx
Osi security architecture in network.pptxOsi security architecture in network.pptx
Osi security architecture in network.pptx
 
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
 
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
2024-04-09 - From Complexity to Clarity - AWS Summit AMS.pdf
 
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
JavaLand 2024 - Going serverless with Quarkus GraalVM native images and AWS L...
 
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4jGraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
GraphSummit Madrid - Product Vision and Roadmap - Luis Salvador Neo4j
 
Best Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh ITBest Angular 17 Classroom & Online training - Naresh IT
Best Angular 17 Classroom & Online training - Naresh IT
 
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdfEnhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
Enhancing Supply Chain Visibility with Cargo Cloud Solutions.pdf
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdf
 
Understanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptxUnderstanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptx
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 

BPF & Cilium - Turning Linux into a Microservices-aware Operating System

  • 1. BPF Turning Linux into a Microservices-aware Operating System
  • 2. About the Speaker Thomas Graf ● Linux kernel developer for ~15 years working on networking and security ● Helped write one of the biggest monoliths ever ● Worked on many Linux components over the years (IP, TCP, routing, netfilter/iptables, tc, Open vSwitch, …) ● Creator of Cilium to leverage BPF in a cloud native and microservices context ● Co-Founder & CTO of the company building Cilium 2
  • 3. Agenda ● Evolution of running applications ○ From single task processes to microservices ● Problems of the Linux kernel ○ The kernel ● What is BPF? ○ Turning Linux into a modern, microservices-aware operating system ● Cilium - BPF-based networking security for microservices ○ What is Cilium? ○ Use Cases & Deep Dive ● Q&A 3
  • 4. Evolution: Running applications Split the CPU and memory. Shared libraries, package management, Linux distributions. 4 Virtualization Microservices Containers Multi tasking Ship the OS together with application and run it in a VM for better resource isolation. Virtualized hardware and software defined infrastructure. Dark Age: Single tasking The simple age. Back to a shared operating system. Applications directly interact with the host operating system again.
  • 5. Problems of the Linux Kernel in the age of microservices 5
  • 6. Problem #1: Abstractions 6 ProcessProcess HW System Call Interface IPv4 Netdevice / Drivers Sockets Ethernet TCP IPv6 Netfilter UDP Raw Traffic Shaping Bridge OVS .. The Linux kernel is split into layers to provide strong abstractions. Pros: ● Strong userspace API compatibility guarantee. A 20 years old binary still works. ● Majority of Linux source code is not hardware specific. Cons: ● Every layer pays the cost of the layers above and below. ● Very hard to bypass layers.
  • 7. Problem #2: Per subsystem APIs 7 ProcessProcess HW System Call Interface IPv4 Netdevice / Drivers Sockets Ethernet TCP IPv6 Netfilter UDP Raw Traffic Shaping Bridge OVS iptablesseccomp tcethtool .. ip brctl / ovsctl tcpdump
  • 8. 8 Problem #3: Development Process The Good: ● Open and transparent process ● Excellent code quality ● Stability ● Available everywhere ● Almost entirely vendor neutral The Bad: ● Hard to change ● Shouting is involved (getting better) ● Large and complicated codebase ● Upstreaming code is hard, consensus has to be found. ● Upstreaming is time consuming ● Depending on the Linux distribution, merged code can take years to become generally available ● Everybody maintains forks with 100-1000s backports
  • 9. 9 Problem #4: What is a container? What the kernel knows about: ● Processes & thread groups ● Cgroups ○ Limits and accounting of CPU, memory, network, … Configured by container runtime. ● Namespaces ○ Isolation of process, CPU, mount, user, network, IPC, cgroup, UTS (hostname). Configured by container ○ runtime ● IP addresses & port numbers ○ Configured by container networking ● System calls made & SELinux context ○ Optionally configured by container runtime What the kernel does not know: ● Containers or Kubernetes pods ○ There is no container ID in the kernel ● Exposure requirements ○ The kernel no longer knows whether an application should be exposed outside of the host or not. ● API calls made between containers/pods ○ Awareness stops at layer 4 (ports). While SELinux can control IPC, it can’t control service to service API calls. ● Servicemesh, huh?
  • 10. What now? Alternatives? Linus was wrong. The app should provide its own OS. 10 Move OS to Userspace Rewrite Everything?Unikernel We don’t need kernel mode for most of the logic. Build on top of a minimal Linux. Examples: ClickOS, MirageOS, Rumprun, ... Give user space access to hardware Examples: User mode Linux, gVisor, ... Expose the hardware directly to user space. It will be fine. Examples: DPDK, UDMA, .. Total Estimated Cost to Develop Linux (average salary = $75,662.08/year, overhead = 2.40). $1,372,340,206
  • 11. What is BPF? Highly efficient sandboxed virtual machine in the Linux kernel making the Linux kernel programmable at native execution speed. Jointly maintained by Cilium and Facebook with collaborations from Google, Red Hat, Netflix, Netronome, and many others. 11 $ clang -target bpf -emit-llvm -S 32-bit-example.c $ llc -march=bpf 32-bit-example.ll $ cat 32-bit-example.s cal: r1 = *(u32 *)(r1 + 0) r2 = *(u32 *)(r2 + 0) r2 += r1 *(u32 *)(r3 + 0) = r2 exit
  • 12. The Linux kernel is event driven 12 Process Process CPU RAM MMU NIC Disk Disk System Call Interface USB Drivers 12M lines of source code Process Process System calls Interrupts
  • 13. Run BPF program on event 13 Process NICDisk Process BPF BPF BPF IORead Sendnetwork packet connect() Sockets TCP/IP Network Device BPF TCP retrans BPF read() File Descriptor VFS Block Device Attachment points ● Kernel functions (kprobes) ● Userspace functions (uprobe) ● System calls ● Tracepoints ● Network devices (packet level) ● Sockets (data level) ● Network device (DMA level) [XDP] ● ...
  • 14. Process BPF Maps 14 BPF BPF Maps BPF map use cases: ● Hold program state ● Share state between programs ● Share state with user space ● Export metrics & statistics ● Configure programs Map types: ● Hash tables ● Arrays ● LRU (Least recently used) ● Ring buffer ● Stack trace ● LPM (Longest prefix match)
  • 15. BPF Helpers 15 bpf_get_prandom_u32() BPF BPF helpers: ● Stable kernel API exposed to BPF programs to interact with the kernel ● Includes ability to: ○ Get process/cgroup context ○ Manipulate network packets and forwarding ○ Access BPF maps ○ Access socket data ○ Send metrics to user space ○ ... bpf_skb_store_bytes() bpf_redirect() bpf_get_current_pid_tgid() bpf_perf_event_output()
  • 16. BPF Tail Calls 16 BPF BPF BPF tail calls: ● Chain logical programs together ● Implement function calls ● Must be within same program type BPF BPF BPF
  • 17. BPF JIT Compiler 17 JIT Compiler ● Ensures native execution performance without requiring to understand CPU ● Compiles BPF bytecode to CPU architecture specific instruction set Supported architectures: ● X86_64, arm64, ppc64, s390x, mips64, sparc64, arm Byte code Byte code x86_64 generic Byte code generic JIT
  • 18. BPF Contributors 380 Daniel Borkmann (Cilium, Maintainer) 161 Alexei Starovoitov (Facebook, Maintainer) 160 Jakub Kicinski Netronome 110 John Fastabend (Cilium) 96 Yonghong Song (Facebook) 95 Martin KaFai Lau (Facebook) 94 Jesper Dangaard Brouer (Red Hat) 74 Quentin Monnet (Netronome) 45 Roman Gushchin (Facebook) 45 Andrey Ignatov (Facebook) Top contributors of the total 186 contributors to BPF from January 2016 to November 2018. 18
  • 19. BPF Use Cases ● L3-L4 Load balancing ● Network security ● Traffic optimization ● Profiling https://code.fb.com/open-s ource/linux/ ● QoS & Traffic optimization ● Network Security ● Profiling ● Replacing iptables with BPF (bpfilter) ● NFV & Load balancing (XDP) ● Profiling & Tracing ● Performance Troubleshooting ● Tracing & Systems Monitoring ● Networking 19
  • 20. Simple Kprobe Example 20 Example: BPF program using gobpf/bcc:
  • 21. What is Cilium? At the foundation of Cilium is the new Linux kernel technology BPF, which enables the dynamic insertion of powerful security, visibility, and networking control logic within Linux itself. Besides providing traditional network level security, the flexibility of BPF enables security on API and process level to secure communication within a container or pod. Read More Cilium is open source software for transparently providing and securing the network and API connectivity between application services deployed using Linux container management platforms like Kubernetes, Docker, and Mesos. 21
  • 22. Project Goals 22 Approachable BPF ● Make the efficiency and flexibility of BPF available in an approachable way ● Automate program creation and management ● Provide an extendable platform Microservices-aware Linux ● Use the flexibility of BPF to make the Linux kernel aware of cloud native concepts such as containers and APIs. Security ● Use the additional visibility of BPF to provide security for microservices including: ○ API awareness ○ Identity based enforcement ○ Process level context enforcement Performance ● Leverage the execution performance and JIT compiler to provide a highly efficient implementation.
  • 23. Cilium Use Cases 23 Container Networking ● Highly efficient and flexible networking ● CNI and CMM plugins ● IPv4, IPv6, NAT46, direct routing, encapsulation ● Multi cluster routing Service Load balancing: ● Highly scalable L3-L4 load balancing implementation ● Kubernetes service implementation or API driven. Microservices Security ● Identity-based L3-L4 network security ● Accelerated API-aware security via Envoy (HTTP, gRPC, Kafka, Cassandra, memcached, ..) ● DNS aware policies ● SSL data visibility via kTLS Servicemesh acceleration: ● Minimize overhead when injecting servicemesh sidecar proxies
  • 25. BPF-based servicemesh Acceleration 25 Accelerate the service to sidecar communication ~3.5x performance improvement
  • 26. Other BPF projects 26 Tracing / Profiling: ● BPFTrace - DTrace for Linux (Brendan Gregg, et al.) ● bpfd - Load BPF programs into entire clusters (Joel Fernandes, Google) Frameworks: ● gobpf - Go based framework to write BPF programs ● BCC - Python framework to write BPF programs Load balancing: ● Katran - Source code of Facebook’s primary L3-L4 LB (Facebook team) Security: ● Seccomp - Advanced BPF version of Seccomp (Kernel team) DDoS mitigation: ● bpftools - DDOS mitigation tool with iptables like syntax (Cloudflare) … and many more
  • 27. Thank you! Source Code: https://github.com/cilium/cilium BPF reference guide: http://docs.cilium.io/en/stable/bpf/ Twitter: @ciliumproject Website: https://cilium.io/