(c|e)BPF Basics
Michael Kehoe
Sr Staff Site Reliability Engineer
Agenda
Today’s
agenda
1 Introduction
2 cBPF Introduction, History & Implementation
3 eBPF Introduction, History & Implementation
5 eBPF Uses
6 XDP
7 DPDK
Introduction
Michael Kehoe
$ WHOAMI
• Sr Staff Site Reliability Engineer @
LinkedIn
• Production-SRE Team
• What I do:
• Disaster Recovery
• (Organizational) Visibility Engineering
• Incident Management
• Reliability Research
(c)BPF Introduction &
History & Implementation
“BPF is a highly flexible and efficient virtual
machine-like construct in the Linux kernel
allowing to execute bytecode at various hook
points in a safe manner. It is used in a number
of Linux kernel subsystems, most prominently
networking, tracing and security (e.g.
sandboxing).”
Cilium
What is cBPF?
• cBPF – Classic BPF
• Also known as “Linux Packet Filtering”
• BPF was first introduced in 1992 by
Steven McCanne and Van Jacobson in
BSD
• Better known as the packet filter
language in tcpdump
What is cBPF?
• Network packet filtering, Seccomp
• Filter Expressions → Bytecode →
Interpret
• Small, in-kernel VM, Register based,
switch dispatch interpreter, few
instructions
• BPF uses a simple, non-shared buffer
model made possible by today’s larger
address space
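The "filter expression → bytecode → interpret" pipeline above, as an added example that is not part of the original slides: a minimal user-space switch-dispatch interpreter for four classic BPF opcodes, run over constructed frames with a hand-assembled filter equivalent to the tcpdump expression `ip and tcp`. The names `struct insn`, `cbpf_run`, `make_frame` and `verdict` are illustrative assumptions; the kernel's interpreter covers the full instruction set.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as the kernel's struct sock_filter; redefined here
 * under a hypothetical name so the example builds without kernel headers. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Classic BPF opcode encodings used by this filter. */
enum {
    OP_LDH_ABS = 0x28,  /* A = 16-bit big-endian load at pkt[k] */
    OP_LDB_ABS = 0x30,  /* A = byte at pkt[k]                   */
    OP_JEQ_K   = 0x15,  /* pc += (A == k) ? jt : jf             */
    OP_RET_K   = 0x06   /* return k: bytes to keep, 0 = drop    */
};

/* "ip and tcp": EtherType at offset 12 must be 0x0800 and the IPv4
 * protocol byte at offset 23 must be 6 (TCP). */
static const struct insn ip_tcp_filter[] = {
    { OP_LDH_ABS, 0, 0, 12 },
    { OP_JEQ_K,   0, 3, 0x0800 },   /* not IPv4 -> jump to "ret 0" */
    { OP_LDB_ABS, 0, 0, 23 },
    { OP_JEQ_K,   0, 1, 6 },        /* not TCP  -> jump to "ret 0" */
    { OP_RET_K,   0, 0, 0x40000 },  /* accept, keep up to 256 KiB  */
    { OP_RET_K,   0, 0, 0 },        /* drop                        */
};

/* Run a filter over one packet. As in classic BPF, a load outside the
 * packet ends the program with verdict 0, so a short or malformed frame
 * can never make the filter read past the buffer. */
uint32_t cbpf_run(const struct insn *prog, size_t n,
                  const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;                       /* accumulator register */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &prog[pc];
        switch (i->code) {
        case OP_LDH_ABS:
            if (len < 2 || i->k > len - 2)
                return 0;
            A = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1];
            break;
        case OP_LDB_ABS:
            if (i->k >= len)
                return 0;
            A = pkt[i->k];
            break;
        case OP_JEQ_K:                    /* offsets are relative to pc + 1 */
            pc += (A == i->k) ? i->jt : i->jf;
            break;
        case OP_RET_K:
            return i->k;
        default:
            return 0;                     /* unknown opcode: reject */
        }
    }
    return 0;                             /* ran off the end without a ret */
}

/* Constructed sample frame: 14-byte Ethernet header + 20-byte IPv4 header. */
static size_t make_frame(uint8_t *buf, uint16_t ethertype, uint8_t ip_proto)
{
    memset(buf, 0, 34);
    buf[12] = (uint8_t)(ethertype >> 8);
    buf[13] = (uint8_t)(ethertype & 0xff);
    buf[14] = 0x45;                       /* IPv4, header length 5 words */
    buf[23] = ip_proto;
    return 34;
}

/* Build a frame, optionally truncate it to caplen bytes, run the filter. */
uint32_t verdict(uint16_t ethertype, uint8_t ip_proto, size_t caplen)
{
    uint8_t frame[34];
    size_t len = make_frame(frame, ethertype, ip_proto);
    if (caplen < len)
        len = caplen;
    return cbpf_run(ip_tcp_filter,
                    sizeof ip_tcp_filter / sizeof ip_tcp_filter[0],
                    frame, len);
}

int main(void)
{
    printf("IPv4/TCP           -> %u\n", (unsigned)verdict(0x0800, 6, 34));
    printf("IPv4/UDP           -> %u\n", (unsigned)verdict(0x0800, 17, 34));
    printf("ARP                -> %u\n", (unsigned)verdict(0x0806, 6, 34));
    printf("IPv4/TCP, 14 bytes -> %u\n", (unsigned)verdict(0x0800, 6, 14));
    return 0;
}
```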
History
History of BPF
• Before BPF, each OS (Sun, DEC, SGI
etc) had its own packet filtering API
• In 1993: Steven McCanne & Van
Jacobson released a paper titled the
BSD Packet Filter (BPF)
• Implemented as “Linux Socket Filter” in
kernel 2.2
• While maintaining the BPF language (for
describing filters), uses a different
internal architecture
Implementation
BPF (original) implementation
• Open a special-purpose
character-device, namely
/dev/bpfn, for dealing with
raw packets.
• Associate the previous
device with a network
interface by using the
ioctl(2) system call
https://www.tcpdump.org/papers/bpf-usenix93.pdf
BPF (original) implementation
• Set various BPF
parameters, (e.g. buffer
size, attach some BPF
filters). This is done using
the ioctl(2) system call
• Read packets from the
kernel, or send raw packets,
by reading/writing to the
corresponding file descriptor
of /dev/bpf using
read(2)/write(2) system calls
https://www.tcpdump.org/papers/bpf-usenix93.pdf
BPF (LSF) implementation
• Utilizes sockets for
passing/receiving packets
to/from the kernel-space
• Filters are attached with the
setsockopt(2) system call
https://www.tcpdump.org/papers/bpf-usenix93.pdf
BPF (LSF) implementation
• Create a special-purpose
socket (i.e., PF_PACKET)
• Attach a BPF program to
the socket using the
setsockopt(2) system call
https://www.tcpdump.org/papers/bpf-usenix93.pdf
BPF (LSF) implementation
• Set the network interface to
promiscuous mode with
ioctl(2) (optionally)
• Read packets from the
kernel, or send raw
packets, by reading/writing
to the file descriptor of the
socket using
recvfrom(2)/sendto(2)
system calls
https://www.tcpdump.org/papers/bpf-usenix93.pdf
BPF (LSF) implementation
TCPDUMP EXAMPLE
https://static.sched.com/hosted_files/kccnceu19/b8/KubeCon-Europe-2019-Beatriz_Martinez_eBPF.pdf
(e)BPF Introduction &
History & Implementation
(e)BPF
1 Introduction
2 History
3 Implementation
5 Program Types
6 Maps
“eBPF is Linux’s new superpower”
Gaurav Gupta
“eBPF does to Linux what JavaScript does to
HTML”
Brendan Gregg
“Run code in the kernel without having to write
a kernel module”
Liz Rice
“Stateful, programmable in-kernel decisions for
networking, tracing and security”
Suchakrapani Datt Sharma
What is eBPF?
• eBPF – extended Berkeley Packet Filter
• User-defined, sandboxed bytecode
executed by the kernel
• VM that implements a RISC-like
assembly language in kernel space
• All interactions between kernel/ user
space are done through eBPF “maps”
• eBPF does not allow loops
What is eBPF?
• Similar to LSF, but with the following
improvements:
• More registers, JIT compiler (flexible/ faster),
verifier
• Attach on Tracepoint, Kprobe, Uprobe, USDT
• In-kernel trace aggregation & filtering
• Control via bpf()
• Designed for general event processing within
the kernel
• All interactions between kernel/ user space
are done through eBPF “maps”
History
History of BPF
• 3.15: Optimization of BPF Interpreter’s instruction
set
• 3.18: Linux eBPF was released (bpf() syscall)
• 3.19: Socket supports, BPF Maps
• 4.1: Kprobe support
• 4.4: Perf events
• 4.7: Attach to tracepoints
• 4.8: XDP core
• 4.10: cgroups support
• 4.18: bpfilter released
http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf
Implementation
What is eBPF?
http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf
Program Types
(e)BPF Program Types
• prog_type determines the
subset of kernel helper
functions that the program
may call
• Determines the program
input (bpf_context)
https://www.tcpdump.org/papers/bpf-usenix93.pdf
(e)BPF Program Types
SOCKET-RELATED
• SOCKET_FILTER: Filtering actions (e.g. drop packets)
• SK_SKB: Access SKB and socket details with a view to redirect
SKBs
• SOCK_OPS – Catch socket operations
• XDP: Allows access to packet data as early as possible (DDoS
mitigation/ Load-balancing)
https://www.tcpdump.org/papers/bpf-usenix93.pdf
(e)BPF Program Types
XDP
• XDP: Allows access to packet data as early as possible (DDoS
mitigation/ Load-balancing)
https://www.tcpdump.org/papers/bpf-usenix93.pdf
(e)BPF Program Types
KPROBES, TRACEPOINTS & PERF
• KPROBE – Instrument code in any kernel function
• TRACEPOINT – Instrument tracepoints in kernel code
• PERF_EVENT: Instrument software and hardware perf events
https://www.tcpdump.org/papers/bpf-usenix93.pdf
(e)BPF Program Types
CGROUPS
• CGROUP_SKB – Allow or deny network access on IP egress/
ingress
• CGROUP_SOCK – Allow or deny network access at various
socket-related events
• CGROUP_DEVICE – Determine if a device operation should be
permitted
https://www.tcpdump.org/papers/bpf-usenix93.pdf
(e)BPF Program Types
LIGHTWEIGHT TUNNELS
• LWT_IN – Examine inbound packets for lightweight tunnel de-
encapsulation
• LWT_OUT – Implement encapsulation tunnels for specific
destination routes
• LWT_XMIT – Allowed to modify content and prepend a L2 header
https://www.tcpdump.org/papers/bpf-usenix93.pdf
(e)BPF Program Types
TRAFFIC CONTROL
• SCHED_CLS: A network traffic-control classifier
• SCHED_ACT: A network traffic-control action
https://www.tcpdump.org/papers/bpf-usenix93.pdf
Maps
(e)BPF Maps
• Generic structure for
storage of different types of
data
• Allow sharing of data
between:
• eBPF kernel program
• Kernel and user-space
https://www.tcpdump.org/papers/bpf-usenix93.pdf
(e)BPF Maps
• Each map has the following
attributes:
• Type
• Max number of elements
• Key Size (bytes)
• Value Size (bytes)
http://man7.org/linux/man-pages/man2/bpf.2.html
(e)BPF Maps
• HASH - A hash table
• ARRAY- An array map, optimized for fast lookup speeds
• PROG_ARRAY - An array of FD’s corresponding to eBPF
programs
• PERCPU_ARRAY - A per-CPU array, used to implement
histograms
• PERF_EVENT_ARRAY - Stores pointers to struct perf_event
• CGROUP_ARRAY – Stores pointers to control groups
https://lwn.net/Articles/740157/
(e)BPF Maps
• LRU_HASH - A hash table that only retains the most recently
used items
• LRU_PER_CPU_HASH - A per-CPU hash table that only retains
the most recently used items
• LPM_TRIE - A longest-prefix match trie, good for matching IP
addresses
• STACK_TRACE - Stores stack traces
• ARRAY_OF_MAPS - A map-in-map data structure
• HASH_OF_MAPS – A map-in-map data structure
https://lwn.net/Articles/740157/
(e)BPF Maps
• DEVICE_MAP - For storing and looking up network device
references
• SOCKET_MAP – Stores and looks up sockets and allows
redirection
https://lwn.net/Articles/740157/
eBPF Uses
What
can BPF
be used
for?
1 Networking (e.g. load balancing)
2 Firewalls
3 DDOS mitigation
4 Profiling & Tracing
5 Container Security
6 Device Drivers
7 Chaos Engineering
What can BPF be used for
NETWORKING
• Load-balancing
• Katran (Facebook)
• General networking
• Cilium
• Extending the TCP stack
• Network Monitoring
• Flowmill
• Weaveworks
What can BPF be used for
FIREWALLS
• Bpfilter (Linux 4.18)
What can BPF be used for
DDOS MITIGATION
• Use of eBPF & XDP to perform infra-wide
DDoS mitigation
• Facebook
• Cloudflare
What can BPF be used for
PROFILE & TRACING
• Sysdig
• bpftrace
What can BPF be used for
SECURITY
• Cilium
• Seccomp BPF
What can BPF be used for
DEVICE DRIVERS
• eBPF provides a pseudo device driver →
possible to extend this in multiple ways
What can BPF be used for
CHAOS ENGINEERING
• Use Cilium to inject latency, packet-loss,
L7 HTTP errors (via a Go extension)
Introduction to XDP
Introduction to XDP
• XDP – eXpress Data Path
• High performance, programmable
network data path (IO Visor Project)
• Linux kernel's answer to DPDK
(Released in 4.8)
Introduction to XDP
• Features:
• Does not require specialized hardware
• Does not require kernel bypass
• Does not replace TCP/ IP stack
• Works with TCP/ IP stack with eBPF
Introduction to XDP
• XDP program runs as soon as the packet
gets to the network driver
• XDP program needs to exit with an
action:
• XDP_TX
• XDP_DROP
• XDP_PASS
Introduction to DPDK
Introduction to DPDK
• DPDK – Data Plane Development Kit
• Created in 2010 by Intel
• Collection of data plane libraries & NIC
drivers for fast packet processing
• Open-Source under Linux Foundation
• Support for multiple CPU architectures
DPDK Architecture
https://core.dpdk.org/
XDP & DPDK
XDP & DPDK
BENEFITS OF XDP
• No 3rd party code
• Option of busy polling or interrupt driven
networking
• Removes the need to:
• Allocate large pages
• Dedicated CPU’s
• Inject packets into the kernel from 3rd
party user space
• Define a new security model
https://www.iovisor.org/technology/xdp
seandesed
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
Kamal Acharya
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation & Control
 
English lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdfEnglish lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdf
BrazilAccount1
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
TeeVichai
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
gdsczhcet
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
R&R Consult
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
Kamal Acharya
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
ViniHema
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
zwunae
 
ML for identifying fraud using open blockchain data.pptx
ML for identifying fraud using open blockchain data.pptxML for identifying fraud using open blockchain data.pptx
ML for identifying fraud using open blockchain data.pptx
Vijay Dialani, PhD
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
ydteq
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
obonagu
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdfH.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
MLILAB
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
SamSarthak3
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
gerogepatton
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
Kerry Sado
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
ankuprajapati0525
 

Recently uploaded (20)

RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
RAT: Retrieval Augmented Thoughts Elicit Context-Aware Reasoning in Long-Hori...
 
Planning Of Procurement o different goods and services
Planning Of Procurement o different goods and servicesPlanning Of Procurement o different goods and services
Planning Of Procurement o different goods and services
 
Architectural Portfolio Sean Lockwood
Architectural Portfolio Sean LockwoodArchitectural Portfolio Sean Lockwood
Architectural Portfolio Sean Lockwood
 
Student information management system project report ii.pdf
Student information management system project report ii.pdfStudent information management system project report ii.pdf
Student information management system project report ii.pdf
 
Water Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdfWater Industry Process Automation and Control Monthly - May 2024.pdf
Water Industry Process Automation and Control Monthly - May 2024.pdf
 
English lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdfEnglish lab ppt no titlespecENG PPTt.pdf
English lab ppt no titlespecENG PPTt.pdf
 
Railway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdfRailway Signalling Principles Edition 3.pdf
Railway Signalling Principles Edition 3.pdf
 
Gen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdfGen AI Study Jams _ For the GDSC Leads in India.pdf
Gen AI Study Jams _ For the GDSC Leads in India.pdf
 
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxCFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptx
 
Final project report on grocery store management system..pdf
Final project report on grocery store management system..pdfFinal project report on grocery store management system..pdf
Final project report on grocery store management system..pdf
 
power quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptxpower quality voltage fluctuation UNIT - I.pptx
power quality voltage fluctuation UNIT - I.pptx
 
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
一比一原版(IIT毕业证)伊利诺伊理工大学毕业证成绩单专业办理
 
ML for identifying fraud using open blockchain data.pptx
ML for identifying fraud using open blockchain data.pptxML for identifying fraud using open blockchain data.pptx
ML for identifying fraud using open blockchain data.pptx
 
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
一比一原版(UofT毕业证)多伦多大学毕业证成绩单如何办理
 
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
在线办理(ANU毕业证书)澳洲国立大学毕业证录取通知书一模一样
 
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
H.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdfH.Seo,  ICLR 2024, MLILAB,  KAIST AI.pdf
H.Seo, ICLR 2024, MLILAB, KAIST AI.pdf
 
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
Immunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary AttacksImmunizing Image Classifiers Against Localized Adversary Attacks
Immunizing Image Classifiers Against Localized Adversary Attacks
 
Hierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power SystemHierarchical Digital Twin of a Naval Power System
Hierarchical Digital Twin of a Naval Power System
 
The role of big data in decision making.
The role of big data in decision making.The role of big data in decision making.
The role of big data in decision making.
 

eBPF Basics

  • 1. (c|e)BPF Basics Michael Kehoe Sr Staff Site Reliability Engineer
  • 3. Today’s agenda 1 Introduction 2 cBPF Introduction, History & Implementation 3 eBPF Introduction, History & Implementation 5 eBPF Uses 6 XDP 7 DPDK
  • 5. Michael Kehoe $ WHOAMI • Sr Staff Site Reliability Engineer @ LinkedIn • Production-SRE Team • What I do: • Disaster Recovery • (Organizational) Visibility Engineering • Incident Management • Reliability Research
  • 6. (c)BPF Introduction & History & Implementation
  • 7. “BPF is a highly flexible and efficient virtual machine-like construct in the Linux kernel allowing to execute bytecode at various hook points in a safe manner. It is used in a number of Linux kernel subsystems, most prominently networking, tracing and security (e.g. sandboxing).” Cilium
  • 8. What is cBPF? • cBPF – Classic BPF • Also known as “Linux Packet Filtering” • BPF was first introduced in 1992 by Steven McCanne and Van Jacobson in BSD • Better known as the packet filter language in tcpdump
  • 9. What is cBPF? • Network packet filtering, Seccomp • Filter Expressions → Bytecode → Interpret • Small, in-kernel VM, Register based, switch dispatch interpreter, few instructions • BPF uses a simple, non-shared buffer model made possible by today’s larger address space
  • 11. History of BPF • Before BPF, each OS (Sun, DEC, SGI etc) had its own packet filtering API • In 1993: Steven McCanne & Van Jacobson released a paper titled the BSD Packet Filter (BPF) • Implemented as “Linux Socket Filter” in kernel 2.2 • While maintaining the BPF language (for describing filters), uses a different internal architecture
  • 13. BPF (original) implementation • Open a special-purpose character-device, namely /dev/bpfn, for dealing with raw packets. • Associate the previous device with a network interface by using the ioctl(2) system call https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 14. BPF (original) implementation • Set various BPF parameters (e.g. buffer size, attach some BPF filters). This is done using the ioctl(2) system call • Read packets from the kernel, or send raw packets, by reading/writing to the corresponding file descriptor of /dev/bpf using read(2)/write(2) system calls https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 15. BPF (LSF) implementation • Utilizes sockets for passing/receiving packets to/from the kernel-space • Filters are attached with the setsockopt(2) system call https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 16. BPF (LSF) implementation • Create a special-purpose socket (i.e., PF_PACKET) • Attach a BPF program to the socket using the setsockopt(2) system call https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 17. BPF (LSF) implementation • Set the network interface to promiscuous mode with ioctl(2) (optionally) • Read packets from the kernel, or send raw packets, by reading/writing to the file descriptor of the socket using recvfrom(2)/sendto(2) system calls https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 18. BPF (LSF) implementation TCPDUMP EXAMPLE https://static.sched.com/hosted_files/kccnceu19/b8/KubeCon-Europe-2019-Beatriz_Martinez_eBPF.pdf
  • 19. (e)BPF Introduction & History & Implementation
  • 20. (e)BPF 1 Introduction 2 History 3 Implementation 5 Program Types 6 Maps
  • 21. “eBPF is Linux’s new superpower” Gaurav Gupta
  • 22. “eBPF does to Linux what JavaScript does to HTML” Brendan Gregg
  • 23. “Run code in the kernel without having to write a kernel module” Liz Rice
  • 24. “Stateful, programmable in-kernel decisions for networking, tracing and security” Suchakrapani Datt Sharma
  • 25. What is eBPF? • eBPF – extended Berkeley Packet Filter • User-defined, sandboxed bytecode executed by the kernel • VM that implements a RISC-like assembly language in kernel space • All interactions between kernel/ user space are done through eBPF “maps” • eBPF does not allow loops
  • 26. What is eBPF? • Similar to LSF, but with the following improvements: • More registers, JIT compiler (flexible/ faster), verifier • Attach on Tracepoint, Kprobe, Uprobe, USDT • In-kernel trace aggregation & filtering • Control via bpf() • Designed for general event processing within the kernel • All interactions between kernel/ user space are done through eBPF “maps”
  • 28. History of BPF • 3.15: Optimization of BPF Interpreter’s instruction set • 3.18: Linux eBPF was released (bpf() syscall) • 3.19: Socket supports, BPF Maps • 4.1: Kprobe support • 4.4: Perf events • 4.7: Attach to tracepoints • 4.8: XDP core • 4.10: cgroups support • 4.18: bpfilter released http://hsdm.dorsal.polymtl.ca/system/files/eBPF-5May2017%20%281%29.pdf
  • 32. (e)BPF Program Types • prog_type determines the subset of kernel helper functions that the program may call • Determines the program input (bpf_context) https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 33. (e)BPF Program Types SOCKET-RELATED • SOCKET_FILTER: Filtering actions (e.g. drop packets) • SK_SKB: Access SKB and socket details with a view to redirect SKBs • SOCK_OPS – Catch socket operations • XDP: Allows access to packet data as early as possible (DDoS mitigation/ Load-balancing) https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 34. (e)BPF Program Types XDP • XDP: Allows access to packet data as early as possible (DDoS mitigation/ Load-balancing) https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 35. (e)BPF Program Types KPROBES, TRACEPOINTS & PERF • KPROBE – Instrument code in any kernel function • TRACEPOINT – Instrument tracepoints in kernel code • PERF_EVENT: Instrument software and hardware perf events https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 36. (e)BPF Program Types CGROUPS • CGROUP_SKB – Allow or deny network access on IP egress/ ingress • CGROUP_SOCK – Allow or deny network access at various socket-related events • CGROUP_DEVICE – Determine if a device operation should be permitted https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 37. (e)BPF Program Types LIGHTWEIGHT TUNNELS • LWT_IN – Examine inbound packets for lightweight tunnel de-encapsulation • LWT_OUT – Implement encapsulation tunnels for specific destination routes • LWT_XMIT – Allowed to modify content and prepend a L2 header https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 38. (e)BPF Program Types TRAFFIC CONTROL • SCHED_CLS: A network traffic-control classifier • SCHED_ACT: A network traffic-control action https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 39. Maps
  • 40. (e)BPF Maps • Generic structure for storage of different types of data • Allow sharing of data between: • eBPF kernel program • Kernel and user-space https://www.tcpdump.org/papers/bpf-usenix93.pdf
  • 41. (e)BPF Maps • Each map has the following attributes: • Type • Max number of elements • Key Size (bytes) • Value Size (bytes) http://man7.org/linux/man-pages/man2/bpf.2.html
  • 42. (e)BPF Maps • HASH - A hash table • ARRAY- An array map, optimized for fast lookup speeds • PROG_ARRAY - An array of FD’s corresponding to eBPF programs • PERCPU_ARRAY - A per-CPU array, used to implement histograms • PERF_EVENT_ARRAY - Stores pointers to struct perf_event • CGROUP_ARRAY – Stores pointers to control groups https://lwn.net/Articles/740157/
  • 43. (e)BPF Maps • LRU_HASH - A hash table that only retains the most recently used items • LRU_PER_CPU_HASH - A per-CPU hash table that only retains the most recently used items • LPM_TRIE - A longest-prefix match trie, good for matching IP addresses • STACK_TRACE - Stores stack traces • ARRAY_OF_MAPS - A map-in-map data structure • HASH_OF_MAPS – A map-in-map data structure https://lwn.net/Articles/740157/
  • 44. (e)BPF Maps • DEVICE_MAP - For storing and looking up network device references • SOCKET_MAP – Stores and looks up sockets and allows redirection https://lwn.net/Articles/740157/
  • 46. What can BPF be used for? 1 Networking (e.g. load balancing) 2 Firewalls 3 DDOS mitigation 4 Profiling & Tracing 5 Container Security 6 Device Drivers 7 Chaos Engineering
  • 47. What can BPF be used for NETWORKING • Load-balancing • Katran (Facebook) • General networking • Cilium • Extending the TCP stack • Network Monitoring • Flowmill • Weaveworks
  • 48. What can BPF be used for FIREWALLS • Bpfilter (Linux 4.18)
  • 49. What can BPF be used for DDOS MITIGATION • Use of eBPF & XDP to perform infra-wide DDoS mitigation • Facebook • Cloudflare
  • 50. What can BPF be used for PROFILE & TRACING • Sysdig • bpftrace
  • 51. What can BPF be used for SECURITY • Cilium • Seccomp BPF
  • 52. What can BPF be used for DEVICE DRIVERS • eBPF provides a pseudo device driver → possible to extend this in multiple ways
  • 53. What can BPF be used for CHAOS ENGINEERING • Use Cilium to inject latency, packet-loss, L7 HTTP errors (via a Go extension)
  • 55. Introduction to XDP • XDP – eXpress Data Path • High performance, programmable network data path (IO Visor Project) • Linux kernel's answer to DPDK (Released in 4.8)
  • 56. Introduction to XDP • Features: • Does not require specialized hardware • Does not require kernel bypass • Does not replace TCP/ IP stack • Works with TCP/ IP stack with eBPF
  • 57. Introduction to XDP • XDP program runs as soon as the packet gets to the network driver • XDP program needs to exit with an action: • XDP_TX • XDP_DROP • XDP_PASS
  • 59. Introduction to DPDK • DPDK – Data Plane Development Kit • Created in 2010 by Intel • Collection of data plane libraries & NIC drivers for fast packet processing • Open-Source under Linux Foundation • Support for multiple CPU architectures
  • 62. XDP & DPDK BENEFITS OF XDP • No 3rd party code • Option of busy polling or interrupt driven networking • Removes the need to: • Allocate large pages • Dedicate CPUs • Inject packets into the kernel from 3rd party user space • Define a new security model https://www.iovisor.org/technology/xdp
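
The cBPF machine from slide 9 (register based, few instructions, switch-dispatch interpreter), as an added example in C that is not from the slides or the kernel source: a userspace interpreter for four opcodes that runs a hand-assembled "IPv4 and TCP" filter over constructed frames. The names `cbpf_run`, `filter_frame` and `ip_tcp_filter` are assumptions of this example; the opcode values are the classic BPF encodings, and an out-of-range load or unknown opcode drops the packet instead of reading past the buffer.

```c
#include <stdint.h>
#include <stdio.h>

/* Same field layout as struct sock_filter in <linux/filter.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

enum {                 /* classic BPF opcode encodings */
    LDH_ABS = 0x28,    /* A = 16-bit big-endian value at pkt[k] */
    LDB_ABS = 0x30,    /* A = byte at pkt[k] */
    JEQ_K   = 0x15,    /* pc += (A == k) ? jt : jf */
    RET_K   = 0x06     /* return k: bytes to keep, 0 = drop */
};

/* Hand-assembled filter (written for this example): IPv4 carrying TCP. */
static const struct insn ip_tcp_filter[] = {
    { LDH_ABS, 0, 0, 12 },       /* EtherType */
    { JEQ_K,   0, 3, 0x0800 },   /* not IPv4 -> drop */
    { LDB_ABS, 0, 0, 23 },       /* IPv4 protocol field */
    { JEQ_K,   0, 1, 6 },        /* not TCP -> drop */
    { RET_K,   0, 0, 0x40000 },  /* accept */
    { RET_K,   0, 0, 0 },        /* drop */
};

/* One accumulator, forward-only jumps (so it always terminates), checked loads. */
uint32_t cbpf_run(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *i = &prog[pc++];
        switch (i->code) {
        case LDH_ABS:
            if (len < 2 || i->k > len - 2) return 0;   /* load past end: drop */
            A = (uint32_t)pkt[i->k] << 8 | pkt[i->k + 1];
            break;
        case LDB_ABS:
            if (i->k >= len) return 0;                 /* load past end: drop */
            A = pkt[i->k];
            break;
        case JEQ_K: pc += (A == i->k) ? i->jt : i->jf; break;
        case RET_K: return i->k;
        default:    return 0;                          /* unknown opcode: drop */
        }
    }
    return 0;                                          /* no RET reached: drop */
}

/* Builds a constructed 34-byte Ethernet+IPv4 frame, filters its first caplen bytes. */
uint32_t filter_frame(uint16_t ethertype, uint8_t proto, size_t caplen)
{
    uint8_t f[34] = {0};
    f[12] = (uint8_t)(ethertype >> 8);
    f[13] = (uint8_t)(ethertype & 0xff);
    f[23] = proto;
    if (caplen > sizeof f) caplen = sizeof f;
    return cbpf_run(ip_tcp_filter, sizeof ip_tcp_filter / sizeof ip_tcp_filter[0], f, caplen);
}

int main(void)
{
    printf("tcp=%u udp=%u truncated=%u\n", (unsigned)filter_frame(0x0800, 6, 34),
           (unsigned)filter_frame(0x0800, 17, 34), (unsigned)filter_frame(0x0800, 6, 20));
    return 0;
}
```

In the LSF flow on slides 15-17, an array with this instruction layout is what gets attached to the socket with setsockopt(2).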

Editor's Notes

  1. Gaurav Gupta – SAP Labs