Thomas Graf, profile picture
Uploaded byThomas Graf
PDF, PPTX1,866 views

eBPF - Rethinking the Linux Kernel

The document discusses the evolution of the Linux kernel architecture, particularly focusing on enhancing it with programmability through technologies like eBPF. It highlights the advantages of eBPF, including native execution, continuous delivery, and the ability to run untrusted code safely within the kernel. Additionally, it covers community contributions and various eBPF projects aimed at improving networking, security, and performance in modern environments, such as Kubernetes.

Embed presentation

Download as PDF, PPTX
Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder & CTO, Isovalent
2Cameron Askin: Cameron’s World Remember GeoCities?
3 Markup Only (HTML) What enabled this evolution? Programmable Platform
Programmability Essentials 4 Untrusted code runs in the browser of the user. → Sandboxing Allow evolution of logic without requiring to constantly ship new browser versions. → Deploy anytime with seamless upgrades Programmability must be provided with minimal overhead. → Native Execution (JIT compiler) Safety Continuous Delivery Performance
Kernel Architecture 5 TCP/IPVFS Linux Kernel Network DeviceBlock Device AdminProcess Process Network Hardware Storage Hardware Configuration (sysfs,netlink,procfs,...) Sockets recvmsg()sendmsg() Syscall read() File Descriptor write() Syscall User Space HW
Cons: ● You likely need to ship a different module for each kernel version ● Might crash your kernel ● Change kernel source code ● Expose configuration API ● Wait 5 years for your users to upgrade 6 Kernel Development 101 ● Write kernel module ● Every kernel release will break it Cons: Option 1 Native Support Option 2 Kernel Module
How about we add JavaScript-like capabilities to the Linux Kernel? 7
8
9 Process Scheduler execve() Linux Kernel Syscall
eBPF Runtime 10 Controller Sockets bpf() Linux Kernel TCP/IP Network Device recvmsg()sendmsg() Process Syscall Verifier JIT Compiler BPF Program BPF Program BPF Program approved x86_64 Syscall Safety & Security The verifier will reject any unsafe program and provides a sandbox. Continuous Delivery Programs can be exchanged without disrupting workloads. Performance The JIT compiler ensures native execution performance. bytecode
eBPF Hooks 11 Process Storage Hardware Sockets TCP/IP Network Device read() File Descriptor VFS Block Device write() Linux Kernel Network Hardware Process SyscallSyscall Where can you hook? kernel functions (kprobes), userspace functions (uprobes), system calls, fentry/fexit, tracepoints, network devices (tc/xdp), network routes, TCP congestion algorithms, sockets (data level) recvmsg()sendmsg()
eBPF Maps 12 Controller Sockets Linux Kernel TCP/IP Network Device Process Syscall Syscall Admin BPF Map Syscall Map Types: - Hash tables, Arrays - LRU (Least Recently Used) - Ring Buffer - Stack Trace - LPM (Longest Prefix match) What are Maps used for? ● Program state ● Program configuration ● Share data between programs ● Share state, metrics, and statistics with user space recvmsg()sendmsg()
eBPF Helpers 13 Sockets Linux Kernel TCP/IP Network Device Process Syscall What helpers exist? ● Random numbers ● Get current time ● Map access ● Get process/cgroup context ● Manipulate network packets and forwarding ● Access socket data ● Perform tail call ● Access process stack ● Access syscall arguments ● ... [...] num = bpf_get_prandom_u32(); [...] recvmsg()sendmsg()
eBPF Tail and Function Calls 14 Linux Kernel What are Tail Calls used for? ● Chain programs together ● Split programs into independent logical components ● Make BPF programs composable What are Functions Calls used for? ● Reuse functionality inside of a program ● Reduce program size (avoid inlining)
15 Community 287 contributors: (Jan 2016 to Jan 2020) ● 466 Daniel Borkmann (Cilium; maintainer) ● 290 Andrii Nakryiko (Facebook) ● 279 Alexei Starovoitov (Facebook; maintainer) ● 217 Jakub Kicinski (Facebook) ● 173 Yonghong Song (Facebook) ● 168 Martin KaFai Lau (Facebook) ● 159 Stanislav Fomichev (Google) ● 148 Quentin Monnet (Cilium) ● 148 John Fastabend (Cilium) ● 118 Jesper Dangaard Brouer (Red Hat) ● [...]
16 eBPF Projects Katran High-performance L4 Loadbalancer facebookincubator/katran Android & Security kernel runtime security instrumentation (KRSI), Android BPF loader, eBPF traffic monitor bcc, bpftrace Performance troubleshooting & profiling iovisor/bcc Traffic Optimization DDoS mitigation, QoS, traffic optimization, load balancer cloudflare/bpftools Falco Container runtime security, behavior analysis falcosecurity/falco Cilium Networking, security and load-balancing for k8s cilium/cilium et al.
Tracing & Profiling with 17 Sockets Linux Kernel TCP/IP Process Syscall Verifier JIT Compiler Syscall BPF Program Python BCC BPF Maps BCC: github.com/iovisor/bcc recvmsg()sendmsg() # tcptop Tracing... Output every 1 secs. Hit Ctrl-C to end <screen clears> 19:46:24 loadavg: 1.86 2.67 2.91 3/362 16681 PID COMM LADDR RADDR RX_KB TX_KB 16648 16648 100.66.3.172:22 100.127.69.165:6684 1 0 16647 sshd 100.66.3.172:22 100.127.69.165:6684 0 2149 14374 sshd 100.66.3.172:22 100.127.69.165:25219 0 0 14458 sshd 100.66.3.172:22 100.127.69.165:7165 0 0
bpftrace bpftrace - DTrace for Linux 18 File Descriptors Linux Kernel VFS Process Syscall Verifier JIT Compiler Syscall bpftrace Program BPF Maps bpftrace: github.com/iovisor/bpftrace # bpftrace -e 'kprobe:do_sys_open { printf("%s: %sn", comm, str(arg1)) }' Attaching 1 probe... git: .git/objects/da git: .git/objects/pack git: /etc/localtime systemd-journal: /var/log/journal/72d0774c88dc4943ae3d34ac356125dd DNS Res~ver #15: /etc/hosts ^C open()
Networking, load-balancing and security for Kubernetes 19 Sockets Linux Kernel TCP/IP Container Syscall Verifier JIT Compiler Syscall Clium BPF Maps Network Device Sockets Container Syscall Network Device Network Hardware TCP/IP Kubernetes
20 Container Networking ● Highly efficient and flexible networking ● Routing, Overlay, Cloud-provider native ● IPv4, IPv6, NAT46 ● Multi cluster routing Service Load balancing: ● Highly scalable L3-L4 load balancing ● Kubernetes services (replaces kube-proxy) ● Multi-cluster ● Service affinity (prefer zones) Container Security ● Identity-based network security ● API-aware security (HTTP, gRPC, Kafka, Cassandra, memcached, ..) ● DNS-aware policies ● Encryption ● SSL data visibility via kTLS Visibility ● Service topology map & live visualization ● Advanced network metrics & alerting Servicemesh: ● Minimize overhead when injecting servicemesh sidecar proxies ● Istio integration
21 Hubble: eBPF Visibility for Kubernetes # hubble observe --since=1m -t l7 -j | jq 'select(.l7.dns.rcode==3) | .destination.namespace + "/" + .destination.pod_name' | sort | uniq -c | sort -r 42 "starwars/jar-jar-binks-6f5847c97c-qmggv"
Development Program Maps Runtime Go Development Toolchain 22 clang -target bpf Sockets Linux Kernel TCP/IP recvmsg()sendmsg() Process Verifier JIT Compiler Syscall BPF Program C source BPF Program bytecode BPF Map Syscall Go Library Go Library: https://github.com/cilium/ebpf
23 Outlook: Future of is turning the Linux kernel into a microkernel. ● An increasing amount of new kernel functionality is implemented with eBPF. ● 100% modular and composable. ● New additions can evolve at a rapid pace. Much quicker than normal kernel development. Example: The linux kernel is not aware of containers and microservices (it only knows about namespaces). Cilium is making the Linux kernel container and Kubernetes aware. could enable the Linux kernel hotpatching we always dreamed about. Problem: ● Linux kernel vulnerability requires to patch kernel. ● Rebooting 20’000 servers takes a very long time without risking extensive downtime. Function Function Function Hotfix Linux Kernel
Thank You eBPF Maintainers Daniel Borkmann, Alexei Starovoitov Cilium Team André Martins, Jarno Rajahalme, Joe Stringer, John Fastabend, Maciej Kwiek, Martynas Pumputis, Paul Chaignon, Quentin Monnet, Ray Bejjani, Tobias Klauser Facebook Team Andrii Nakryiko, Andrey Ignatov, Jakub Kicinski, Martin KaFai Lau, Roman Gushchin, Song Liu, Yonghong Song Google Team Chenbo Feng, KP Singh, Lorenzo Colitti, Maciej Żenczykowski, Stanislav Fomichev, BCC & bpftrace Alastair Robertson, Brendan Gregg, Brenden Blanco Kernel Team Björn Töpel, David S. Miller, Edward Cree, Jesper Brouer, Toke Høiland-Jørgensen 24 ● BPF Getting Started Guide BPF and XDP Reference Guide ● Cilium github.com/cilium/cilium ● Twitter @ciliumproject ● Contact the speaker @tgraf__ All images: Pixabay

More Related Content

PPTX
eBPF Basics
byMichael Kehoe
 
PPTX
Understanding eBPF in a Hurry!
byRay Jenkins
 
PDF
Introduction to eBPF and XDP
bylcplcp1
 
PDF
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
PDF
Introduction to eBPF
byRogerColl2
 
PDF
Kubernetes Networking with Cilium - Deep Dive
byMichal Rostecki
 
PDF
Meet cute-between-ebpf-and-tracing
byViller Hsiao
 
ODP
eBPF maps 101
bySUSE Labs Taipei
 
eBPF Basics
byMichael Kehoe
 
Understanding eBPF in a Hurry!
byRay Jenkins
 
Introduction to eBPF and XDP
bylcplcp1
 
Replacing iptables with eBPF in Kubernetes with Cilium
byMichal Rostecki
 
Introduction to eBPF
byRogerColl2
 
Kubernetes Networking with Cilium - Deep Dive
byMichal Rostecki
 
Meet cute-between-ebpf-and-tracing
byViller Hsiao
 
eBPF maps 101
bySUSE Labs Taipei
 

What's hot

PDF
DPDK: Multi Architecture High Performance Packet Processing
byMichelle Holley
 
PDF
eBPF/XDP
byNetronome
 
PDF
Accelerating Envoy and Istio with Cilium and the Linux Kernel
byThomas Graf
 
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
PDF
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
PDF
LinuxCon 2015 Linux Kernel Networking Walkthrough
byThomas Graf
 
PDF
BPF: Tracing and more
byBrendan Gregg
 
PDF
High-Performance Networking Using eBPF, XDP, and io_uring
byScyllaDB
 
PDF
Cilium - Fast IPv6 Container Networking with BPF and XDP
byThomas Graf
 
PDF
Performance Wins with eBPF: Getting Started (2021)
byBrendan Gregg
 
PDF
EBPF and Linux Networking
byPLUMgrid
 
PDF
BPF Internals (eBPF)
byBrendan Gregg
 
PDF
Building Network Functions with eBPF & BCC
byKernel TLV
 
PDF
The linux networking architecture
byhugo lu
 
PDF
Xdp and ebpf_maps
bylcplcp1
 
PDF
Cilium - Container Networking with BPF & XDP
byThomas Graf
 
PDF
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
PDF
Linux Networking Explained
byThomas Graf
 
PPTX
Understanding DPDK
byDenys Haryachyy
 
PDF
Fun with Network Interfaces
byKernel TLV
 
DPDK: Multi Architecture High Performance Packet Processing
byMichelle Holley
 
eBPF/XDP
byNetronome
 
Accelerating Envoy and Istio with Cilium and the Linux Kernel
byThomas Graf
 
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
byThomas Graf
 
eBPF Trace from Kernel to Userspace
bySUSE Labs Taipei
 
LinuxCon 2015 Linux Kernel Networking Walkthrough
byThomas Graf
 
BPF: Tracing and more
byBrendan Gregg
 
High-Performance Networking Using eBPF, XDP, and io_uring
byScyllaDB
 
Cilium - Fast IPv6 Container Networking with BPF and XDP
byThomas Graf
 
Performance Wins with eBPF: Getting Started (2021)
byBrendan Gregg
 
EBPF and Linux Networking
byPLUMgrid
 
BPF Internals (eBPF)
byBrendan Gregg
 
Building Network Functions with eBPF & BCC
byKernel TLV
 
The linux networking architecture
byhugo lu
 
Xdp and ebpf_maps
bylcplcp1
 
Cilium - Container Networking with BPF & XDP
byThomas Graf
 
DoS and DDoS mitigations with eBPF, XDP and DPDK
byMarian Marinov
 
Linux Networking Explained
byThomas Graf
 
Understanding DPDK
byDenys Haryachyy
 
Fun with Network Interfaces
byKernel TLV
 

Similar to eBPF - Rethinking the Linux Kernel

PDF
Security Monitoring with eBPF
byAlex Maestretti
 
PDF
Cloud Native Networking & Security with Cilium & eBPF
byRaphaël PINSON
 
PPTX
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
PDF
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
PDF
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
byRaphaël PINSON
 
PDF
Explore the World of Cilium, Tetragon & eBPF
byRaphaël PINSON
 
PDF
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
PDF
CNTUG x SDN Meetup #33 Talk 1: 從 Cilium 認識 cgroup ebpf - Ruian
byHanLing Shen
 
PDF
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
PDF
Kernel bug hunting
byAndrea Righi
 
PDF
DCSF 19 eBPF Superpowers
byDocker, Inc.
 
PDF
SRE NL MeetUp - eBPF.pdf
bySiteReliabilityEngin
 
PDF
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
PDF
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
PDF
Spying on the Linux kernel for fun and profit
byAndrea Righi
 
PDF
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
PDF
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
PPTX
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 
PDF
eBPF — Divulging The Hidden Super Power.pdf
byseo18
 
PDF
Linux Native, HTTP Aware Network Security
byThomas Graf
 
Security Monitoring with eBPF
byAlex Maestretti
 
Cloud Native Networking & Security with Cilium & eBPF
byRaphaël PINSON
 
Dataplane programming with eBPF: architecture and tools
byStefano Salsano
 
ebpf and IO Visor: The What, how, and what next!
byAffan Syed
 
ContainerDays Hamburg 2023 — Cilium Workshop.pdf
byRaphaël PINSON
 
Explore the World of Cilium, Tetragon & eBPF
byRaphaël PINSON
 
Cilium - Network and Application Security with BPF and XDP Thomas Graf, Cova...
byDocker, Inc.
 
CNTUG x SDN Meetup #33 Talk 1: 從 Cilium 認識 cgroup ebpf - Ruian
byHanLing Shen
 
Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF
byDocker, Inc.
 
Kernel bug hunting
byAndrea Righi
 
DCSF 19 eBPF Superpowers
byDocker, Inc.
 
SRE NL MeetUp - eBPF.pdf
bySiteReliabilityEngin
 
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
byCynthia Thomas
 
BPF & Cilium - Turning Linux into a Microservices-aware Operating System
byThomas Graf
 
Spying on the Linux kernel for fun and profit
byAndrea Righi
 
Efficient System Monitoring in Cloud Native Environments
byGergely Szabó
 
eBPF — Divulging The Hidden Super Power.pdf
bySGBSeo
 
Cfgmgmtcamp 2023 — eBPF Superpowers
byRaphaël PINSON
 
eBPF — Divulging The Hidden Super Power.pdf
byseo18
 
Linux Native, HTTP Aware Network Security
byThomas Graf
 

More from Thomas Graf

PDF
Cilium - API-aware Networking and Security for Containers based on BPF
byThomas Graf
 
PDF
DevConf 2014 Kernel Networking Walkthrough
byThomas Graf
 
PDF
Cilium - Network security for microservices
byThomas Graf
 
PDF
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
byThomas Graf
 
PDF
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
PDF
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
byThomas Graf
 
PDF
Open vSwitch - Stateful Connection Tracking & Stateful NAT
byThomas Graf
 
PDF
SDN & NFV Introduction - Open Source Data Center Networking
byThomas Graf
 
PDF
LinuxCon 2015 Stateful NAT with OVS
byThomas Graf
 
PDF
2015 FOSDEM - OVS Stateful Services
byThomas Graf
 
PDF
BPF: Next Generation of Programmable Datapath
byThomas Graf
 
PDF
Cilium - BPF & XDP for containers
byThomas Graf
 
Cilium - API-aware Networking and Security for Containers based on BPF
byThomas Graf
 
DevConf 2014 Kernel Networking Walkthrough
byThomas Graf
 
Cilium - Network security for microservices
byThomas Graf
 
Cilium - Bringing the BPF Revolution to Kubernetes Networking and Security
byThomas Graf
 
Taking Security Groups to Ludicrous Speed with OVS (OpenStack Summit 2015)
byThomas Graf
 
The Next Generation Firewall for Red Hat Enterprise Linux 7 RC
byThomas Graf
 
Open vSwitch - Stateful Connection Tracking & Stateful NAT
byThomas Graf
 
SDN & NFV Introduction - Open Source Data Center Networking
byThomas Graf
 
LinuxCon 2015 Stateful NAT with OVS
byThomas Graf
 
2015 FOSDEM - OVS Stateful Services
byThomas Graf
 
BPF: Next Generation of Programmable Datapath
byThomas Graf
 
Cilium - BPF & XDP for containers
byThomas Graf
 

Recently uploaded

PPTX
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
PDF
One Agent to Rule Them All - The Fellowship of AI Agents
byIvo Andreev
 
PDF
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
PDF
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
PDF
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
PPTX
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
PDF
What Is A Woman (WIAW) Token – Smart Contract Security Audit Report by EtherA...
byEtherAuthority
 
PPTX
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
PPTX
GDS Integration Solution | GDS Integration Service
byyugababu033
 
PDF
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
PDF
IT Estate Modernization: Transform Your Infrastructure for the Future .pdf
byAstuteBusiness
 
PDF
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
PDF
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
PDF
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
PDF
Here’s the case study that shows how companies lose ₹2–6 Cr annually due to m...
bysiddhantdazzlo
 
PDF
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
PPTX
SAP FICO Training Agenda for new learners
bysasidhar unnagiri
 
PDF
Intelligent CRM for Insurance Brokers: Managing Clients with Precision
byInsurance Tech Services
 
PPTX
1_MIL_Introduction_Influence-of-Media-and-Information-on-Communication (1).pptx
byDeltaDomsMamas1
 
PDF
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 
Fast-tracking quality for hundreds applications with automated testing layers
byBogdan Plieshka
 
One Agent to Rule Them All - The Fellowship of AI Agents
byIvo Andreev
 
TNG_Architecting Green Software - An Introduction_Nils-Oliver Linden&Alexande...
byQAware GmbH
 
Revolutionising-SQL-Data-Modelling-with-SqlDBM.pdf
bySQL DBM
 
Constraints First - Why Our On-Prem Ticketing System Starts With Limits, Not ...
bySpirit Face
 
SNG460-CNG489_Week6_3-7Nov25_Chp6-Part1.pptx
byberayseray382
 
What Is A Woman (WIAW) Token – Smart Contract Security Audit Report by EtherA...
byEtherAuthority
 
Why Your Business Needs Snowflake Consulting_ From Data Silos to AI-Ready Cloud
byChetu
 
GDS Integration Solution | GDS Integration Service
byyugababu033
 
Cloud-Based Underwriting Software for Insurance
byInsurance Tech Services
 
IT Estate Modernization: Transform Your Infrastructure for the Future .pdf
byAstuteBusiness
 
Cybersecurity Alert- What Organisations Must Watch Out For This Christmas Fes...
byCybernetic Global Intelligence
 
Jeremy Millul - An NYU Computer Science Graduate
byJeremy Millul
 
How Modern Custom Software is Revolutionizing Mortgage Lending Processes -Ma...
byMatellio
 
Here’s the case study that shows how companies lose ₹2–6 Cr annually due to m...
bysiddhantdazzlo
 
Design and Analysis of Algorithms(DAA): Unit-II Asymptotic Notations and Basi...
byKuvempu University
 
SAP FICO Training Agenda for new learners
bysasidhar unnagiri
 
Intelligent CRM for Insurance Brokers: Managing Clients with Precision
byInsurance Tech Services
 
1_MIL_Introduction_Influence-of-Media-and-Information-on-Communication (1).pptx
byDeltaDomsMamas1
 
Database Management Systems(DBMS):UNIT-II Relational Data Model BCA SEP SEM ...
byKuvempu University
 

eBPF - Rethinking the Linux Kernel

  • 1.
    Rethinking the Linux kernel ThomasGraf Cilium Project, Co-Founder & CTO, Isovalent
  • 2.
    2Cameron Askin: Cameron’sWorld Remember GeoCities?
  • 3.
    3 Markup Only (HTML) Whatenabled this evolution? Programmable Platform
  • 4.
    Programmability Essentials 4 Untrusted coderuns in the browser of the user. → Sandboxing Allow evolution of logic without requiring to constantly ship new browser versions. → Deploy anytime with seamless upgrades Programmability must be provided with minimal overhead. → Native Execution (JIT compiler) Safety Continuous Delivery Performance
  • 5.
    Kernel Architecture 5 TCP/IPVFS Linux Kernel Network DeviceBlockDevice AdminProcess Process Network Hardware Storage Hardware Configuration (sysfs,netlink,procfs,...) Sockets recvmsg()sendmsg() Syscall read() File Descriptor write() Syscall User Space HW
  • 6.
    Cons: ● You likelyneed to ship a different module for each kernel version ● Might crash your kernel ● Change kernel source code ● Expose configuration API ● Wait 5 years for your users to upgrade 6 Kernel Development 101 ● Write kernel module ● Every kernel release will break it Cons: Option 1 Native Support Option 2 Kernel Module
  • 7.
    How about weadd JavaScript-like capabilities to the Linux Kernel? 7
  • 8.
  • 9.
  • 10.
    eBPF Runtime 10 Controller Sockets bpf() Linux Kernel TCP/IP Network Device recvmsg()sendmsg() Process Syscall Verifier JITCompiler BPF Program BPF Program BPF Program approved x86_64 Syscall Safety & Security The verifier will reject any unsafe program and provides a sandbox. Continuous Delivery Programs can be exchanged without disrupting workloads. Performance The JIT compiler ensures native execution performance. bytecode
  • 11.
    eBPF Hooks 11 Process Storage Hardware Sockets TCP/IP Network Device read() FileDescriptor VFS Block Device write() Linux Kernel Network Hardware Process SyscallSyscall Where can you hook? kernel functions (kprobes), userspace functions (uprobes), system calls, fentry/fexit, tracepoints, network devices (tc/xdp), network routes, TCP congestion algorithms, sockets (data level) recvmsg()sendmsg()
  • 12.
    eBPF Maps 12 Controller Sockets Linux Kernel TCP/IP Network Device Process SyscallSyscall Admin BPF Map Syscall Map Types: - Hash tables, Arrays - LRU (Least Recently Used) - Ring Buffer - Stack Trace - LPM (Longest Prefix match) What are Maps used for? ● Program state ● Program configuration ● Share data between programs ● Share state, metrics, and statistics with user space recvmsg()sendmsg()
  • 13.
    eBPF Helpers 13 Sockets Linux Kernel TCP/IP Network Device Process Syscall Whathelpers exist? ● Random numbers ● Get current time ● Map access ● Get process/cgroup context ● Manipulate network packets and forwarding ● Access socket data ● Perform tail call ● Access process stack ● Access syscall arguments ● ... [...] num = bpf_get_prandom_u32(); [...] recvmsg()sendmsg()
  • 14.
    eBPF Tail andFunction Calls 14 Linux Kernel What are Tail Calls used for? ● Chain programs together ● Split programs into independent logical components ● Make BPF programs composable What are Functions Calls used for? ● Reuse functionality inside of a program ● Reduce program size (avoid inlining)
  • 15.
    15 Community 287 contributors: (Jan 2016to Jan 2020) ● 466 Daniel Borkmann (Cilium; maintainer) ● 290 Andrii Nakryiko (Facebook) ● 279 Alexei Starovoitov (Facebook; maintainer) ● 217 Jakub Kicinski (Facebook) ● 173 Yonghong Song (Facebook) ● 168 Martin KaFai Lau (Facebook) ● 159 Stanislav Fomichev (Google) ● 148 Quentin Monnet (Cilium) ● 148 John Fastabend (Cilium) ● 118 Jesper Dangaard Brouer (Red Hat) ● [...]
  • 16.
    16 eBPF Projects Katran High-performance L4 Loadbalancer facebookincubator/katran Android& Security kernel runtime security instrumentation (KRSI), Android BPF loader, eBPF traffic monitor bcc, bpftrace Performance troubleshooting & profiling iovisor/bcc Traffic Optimization DDoS mitigation, QoS, traffic optimization, load balancer cloudflare/bpftools Falco Container runtime security, behavior analysis falcosecurity/falco Cilium Networking, security and load-balancing for k8s cilium/cilium et al.
  • 17.
    Tracing & Profilingwith 17 Sockets Linux Kernel TCP/IP Process Syscall Verifier JIT Compiler Syscall BPF Program Python BCC BPF Maps BCC: github.com/iovisor/bcc recvmsg()sendmsg() # tcptop Tracing... Output every 1 secs. Hit Ctrl-C to end <screen clears> 19:46:24 loadavg: 1.86 2.67 2.91 3/362 16681 PID COMM LADDR RADDR RX_KB TX_KB 16648 16648 100.66.3.172:22 100.127.69.165:6684 1 0 16647 sshd 100.66.3.172:22 100.127.69.165:6684 0 2149 14374 sshd 100.66.3.172:22 100.127.69.165:25219 0 0 14458 sshd 100.66.3.172:22 100.127.69.165:7165 0 0
  • 18.
    bpftrace bpftrace - DTracefor Linux 18 File Descriptors Linux Kernel VFS Process Syscall Verifier JIT Compiler Syscall bpftrace Program BPF Maps bpftrace: github.com/iovisor/bpftrace # bpftrace -e 'kprobe:do_sys_open { printf("%s: %sn", comm, str(arg1)) }' Attaching 1 probe... git: .git/objects/da git: .git/objects/pack git: /etc/localtime systemd-journal: /var/log/journal/72d0774c88dc4943ae3d34ac356125dd DNS Res~ver #15: /etc/hosts ^C open()
  • 19.
    Networking, load-balancing and securityfor Kubernetes 19 Sockets Linux Kernel TCP/IP Container Syscall Verifier JIT Compiler Syscall Clium BPF Maps Network Device Sockets Container Syscall Network Device Network Hardware TCP/IP Kubernetes
  • 20.
    20 Container Networking ● Highlyefficient and flexible networking ● Routing, Overlay, Cloud-provider native ● IPv4, IPv6, NAT46 ● Multi cluster routing Service Load balancing: ● Highly scalable L3-L4 load balancing ● Kubernetes services (replaces kube-proxy) ● Multi-cluster ● Service affinity (prefer zones) Container Security ● Identity-based network security ● API-aware security (HTTP, gRPC, Kafka, Cassandra, memcached, ..) ● DNS-aware policies ● Encryption ● SSL data visibility via kTLS Visibility ● Service topology map & live visualization ● Advanced network metrics & alerting Servicemesh: ● Minimize overhead when injecting servicemesh sidecar proxies ● Istio integration
  • 21.
    21 Hubble: eBPF Visibilityfor Kubernetes # hubble observe --since=1m -t l7 -j | jq 'select(.l7.dns.rcode==3) | .destination.namespace + "/" + .destination.pod_name' | sort | uniq -c | sort -r 42 "starwars/jar-jar-binks-6f5847c97c-qmggv"
  • 22.
    Development Program Maps Runtime Go DevelopmentToolchain 22 clang -target bpf Sockets Linux Kernel TCP/IP recvmsg()sendmsg() Process Verifier JIT Compiler Syscall BPF Program C source BPF Program bytecode BPF Map Syscall Go Library Go Library: https://github.com/cilium/ebpf
  • 23.
    23 Outlook: Future of isturning the Linux kernel into a microkernel. ● An increasing amount of new kernel functionality is implemented with eBPF. ● 100% modular and composable. ● New additions can evolve at a rapid pace. Much quicker than normal kernel development. Example: The linux kernel is not aware of containers and microservices (it only knows about namespaces). Cilium is making the Linux kernel container and Kubernetes aware. could enable the Linux kernel hotpatching we always dreamed about. Problem: ● Linux kernel vulnerability requires to patch kernel. ● Rebooting 20’000 servers takes a very long time without risking extensive downtime. Function Function Function Hotfix Linux Kernel
  • 24.
    Thank You eBPF Maintainers DanielBorkmann, Alexei Starovoitov Cilium Team André Martins, Jarno Rajahalme, Joe Stringer, John Fastabend, Maciej Kwiek, Martynas Pumputis, Paul Chaignon, Quentin Monnet, Ray Bejjani, Tobias Klauser Facebook Team Andrii Nakryiko, Andrey Ignatov, Jakub Kicinski, Martin KaFai Lau, Roman Gushchin, Song Liu, Yonghong Song Google Team Chenbo Feng, KP Singh, Lorenzo Colitti, Maciej Żenczykowski, Stanislav Fomichev, BCC & bpftrace Alastair Robertson, Brendan Gregg, Brenden Blanco Kernel Team Björn Töpel, David S. Miller, Edward Cree, Jesper Brouer, Toke Høiland-Jørgensen 24 ● BPF Getting Started Guide BPF and XDP Reference Guide ● Cilium github.com/cilium/cilium ● Twitter @ciliumproject ● Contact the speaker @tgraf__ All images: Pixabay