Introduction of eBPF
The Hottest Linux Technology Right Now
梁維恩
Jace Liang
SW / Infra. engineer at ITRI
Facebook: jace.liang
github: mJace
TOC Votes to Move Falco into CNCF Incubator
By Jessie January 8, 2020 in Blog
Today, the Cloud Native Computing Foundation (CNCF) Technical Oversight Committee (TOC) voted to accept
Falco as an incubation-level hosted project.
Falco, which entered the CNCF Sandbox in October 2018, is an open source Kubernetes runtime security
project. It provides intrusion and abnormality detection for cloud native platforms such as Kubernetes,
Mesosphere, and Cloud Foundry.
BPF security capabilities
• Which processes are being executed? By which processes?
• What network connections are being made? By which processes?
• What permission denied errors are happening on the system?
• Is this kernel/user function being executed with these arguments?
Take away
• What’s eBPF
• Use eBPF based tools to debug
• New design idea
You don't need to know how to operate an X-ray machine,
but you do need to know that if you swallow a penny, an X-ray is an option!
www.bredangregg.com
What’s BPF?
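• BPF stands for Berkeley Packet Filter, introduced by Lawrence Berkeley National Laboratory in 1992.
• It was introduced to make packet filtering in BSD-based kernels more efficient. The packet filter program is compiled and then executed in a virtual-machine-like environment inside the kernel.
• It performs better than the earlier approach of filtering packets in userspace. Because the filter is compiled and runs in an in-kernel sandbox, users cannot break the kernel with it.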
Example of BPF – Tcpdump
Example of BPF – Tcpdump cont.
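# Check whether the packet is IPv6; if not (jf), treat it as IPv4 (go to line 006)
# Check whether it is TCP
# Check whether the dst port is 7070 (0x1b9e); if so (jt), go to L014
# Check whether it is an IPv4 packet
# Check whether it is a TCP packet
# Check whether it is an IP fragment
# Locate the dest port within the TCP packet
# Check whether the dst port is 7070; if true (jt), go to L014
# Packet match!
# Packet mismatch!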
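The annotations above follow the instruction listing that `tcpdump -d` prints for a filter such as `tcp dst port 7070`. The following added example, which is not part of the original slides, encodes that program and runs it through a small classic-BPF interpreter over constructed packets, including the load-time checks that keep a filter from looping or reading outside the packet. The instruction listing is reconstructed from the annotations and is an assumption, as are all function names.

```python
import struct

# Classic BPF program for "tcp dst port 7070", laid out as in `tcpdump -d` output.
# Reconstructed from the slide annotations (assumption; the slide's listing was an image).
# Entry: (op, k, jt, jf); jt/jf are absolute instruction indexes, as tcpdump prints them.
PROGRAM = [
    ("ldh", 12, None, None),       # 000 A = EtherType
    ("jeq", 0x86DD, 2, 6),         # 001 IPv6? if not, go to 006
    ("ldb", 20, None, None),       # 002 A = IPv6 next header
    ("jeq", 6, 4, 15),             # 003 TCP?
    ("ldh", 56, None, None),       # 004 A = TCP dst port (14 + 40 + 2)
    ("jeq", 0x1B9E, 14, 15),       # 005 dst port 7070?
    ("jeq", 0x0800, 7, 15),        # 006 IPv4?
    ("ldb", 23, None, None),       # 007 A = IPv4 protocol
    ("jeq", 6, 9, 15),             # 008 TCP?
    ("ldh", 20, None, None),       # 009 A = flags + fragment offset
    ("jset", 0x1FFF, 15, 11),      # 010 a later fragment carries no TCP header
    ("ldxb_msh", 14, None, None),  # 011 X = 4 * (pkt[14] & 0xf), the IPv4 header length
    ("ldh_ind", 16, None, None),   # 012 A = halfword at X + 16 (TCP dst port)
    ("jeq", 0x1B9E, 14, 15),       # 013 dst port 7070?
    ("ret", 262144, None, None),   # 014 packet match: accept up to 262144 bytes
    ("ret", 0, None, None),        # 015 packet mismatch: drop
]
JUMPS = {"jeq", "jset"}
OPS = JUMPS | {"ldh", "ldb", "ldh_ind", "ldxb_msh", "ret"}


def validate(program):
    """Load-time checks: known opcodes, jumps that only go forward and stay in
    range, and a final ret. Together they guarantee the filter terminates."""
    if not program or program[-1][0] != "ret":
        raise ValueError("program must end with ret")
    for pc, (op, _k, jt, jf) in enumerate(program):
        if op not in OPS:
            raise ValueError(f"instruction {pc}: unknown opcode {op!r}")
        if op in JUMPS and not all(pc < t < len(program) for t in (jt, jf)):
            raise ValueError(f"instruction {pc}: jump is not forward and in range")


def load(pkt, off, size):
    """Big-endian load that raises instead of reading past the packet."""
    if off < 0 or off + size > len(pkt):
        raise IndexError(off)
    return int.from_bytes(pkt[off:off + size], "big")


def run_filter(program, pkt):
    """Return how many bytes of pkt to accept (0 means drop)."""
    validate(program)
    a = x = pc = 0
    while True:
        op, k, jt, jf = program[pc]
        pc += 1
        try:
            if op == "ldh":
                a = load(pkt, k, 2)
            elif op == "ldb":
                a = load(pkt, k, 1)
            elif op == "ldh_ind":
                a = load(pkt, x + k, 2)
            elif op == "ldxb_msh":
                x = 4 * (load(pkt, k, 1) & 0x0F)
            elif op == "jeq":
                pc = jt if a == k else jf
            elif op == "jset":
                pc = jt if a & k else jf
            else:  # ret
                return k
        except IndexError:
            return 0  # a load outside the packet rejects it


def eth_ipv4(dport, proto=6, ihl=5, frag=0):
    """Constructed Ethernet + IPv4 + L4 frame; ihl > 5 adds zeroed IP options."""
    ip = bytearray(ihl * 4)
    ip[0] = 0x40 | ihl
    struct.pack_into("!H", ip, 6, frag)
    ip[9] = proto
    l4 = struct.pack("!HH", 40000, dport) + bytes(16)
    return bytes(12) + struct.pack("!H", 0x0800) + bytes(ip) + l4


def eth_ipv6(dport, next_header=6):
    """Constructed Ethernet + IPv6 + L4 frame with a fixed 40-byte IPv6 header."""
    ip6 = bytearray(40)
    ip6[0] = 0x60
    ip6[6] = next_header
    l4 = struct.pack("!HH", 40000, dport) + bytes(16)
    return bytes(12) + struct.pack("!H", 0x86DD) + bytes(ip6) + l4


if __name__ == "__main__":
    for name, pkt in [("IPv4 TCP :7070", eth_ipv4(7070)), ("IPv4 TCP :80", eth_ipv4(80)),
                      ("IPv6 TCP :7070", eth_ipv6(7070)),
                      ("later fragment", eth_ipv4(7070, frag=185))]:
        print(f"{name:16} -> {run_filter(PROGRAM, pkt)}")
```

The IP-options and later-fragment cases show why instructions 010 to 012 exist: the TCP header offset depends on the IPv4 header length, and only the first fragment carries a TCP header.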
How about eBPF (enhanced BPF)?
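• The original in-kernel BPF virtual machine design was outdated and did not support newer hardware CPU architectures.
• Compared with BPF, eBPF has better hardware compatibility and supports larger registers.
• Compared with BPF, eBPF compiles faster and also performs better when filtering network packets.
• Since the 2014 release, eBPF can be operated directly from userspace.
"Super powers have finally come to Linux" – Brendan Gregg, Linux Conf. 2017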
eBPF Architecture.
What can you do with eBPF?
• Filter traffic at the lowest entry point of the Linux network stack.
• Programs can be attached to tracepoints, kprobes, system calls, perf events, etc.
Velocity 2017: Performance Analysis Superpowers with Linux eBPF - Brendan Gregg
https://www.youtube.com/watch?v=bj3qdEDbCD4
Use case of eBPF – Userspace tracing
https://github.com/iovisor/kubectl-trace
Relationship between userspace threads
[Figure: functions (fnc) and the enqueue/dequeue calls, each traced with tid/pid/arg/ret, as packets (pkt) pass between threads]
Get the relationship from the enqueue/dequeue arguments and return values.
https://github.com/mJace/ebpfKit/blob/master/Examples/cpp/README.md
eBPF related projects – XDP (express data path)
• Since Kernel v4.8
• Based on eBPF
• DDoS protection
• Network security
• Network acceleration
eBPF related projects – sysdig
• Embed Security, Compliance and Performance Into Your DevOps Workflows
eBPF related projects – Falco
• Cloud-Native Runtime Security
Falco efficiently leverages Extended Berkeley Packet Filter (eBPF), a secure
mechanism, to capture system calls and gain deep visibility. By adding
Kubernetes application context and Kubernetes API audit events, teams can
understand who did what.
Other eBPF related implementations…
• Cilium – XDP based CNI
• Weavescope – eBPF-based monitoring tool
• iptables – bpfilter implementation to optimize ingress/egress security rules
• Calico – just released an alpha version that leverages eBPF
• SystemTap – supports eBPF now.
eBPF related projects – BCC
• BPF Compiler Collection (BCC)
BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples.
https://github.com/iovisor/bcc
BCC tools example – tcpconnlat (TCP latency)
BCC tools example – execsnoop (trace the exec syscall)
bpftrace tool example – cpuwalk.
Demo 1 – containerized ebpf tool
• BCC tools run inside a container and trace another container's processes.
[Figure: host machine with a target container and an eBPF container; kernel with the eBPF program and eBPF map]
https://github.com/mJace/ebpfKit/blob/master/Examples/bcc-demo/demo-01.md
Demo 2.
• Namespace-based tracing.
[Figure: an eBPF container and a target container running processes P1, P2 and P3]
How to trace all processes, even a process that was just created?
https://github.com/mJace/ebpfKit/blob/master/Examples/bcc-demo/demo-02.md
Software stack for ebpf related project
• bpf, eBPF – main framework
• XDP – Express data plane powered by eBPF
• BCC lib – library for higher-level applications to communicate with BPF
• go-bpf – Golang library for BPF
• BCC tools – userspace tools such as tcptracer, which traces all TCP status
• bpftrace – high-level userspace BPF-based tracing tool
[Figure: software stack diagram with the labels Kernel Space, User Space, bpf/eBPF, XDP, BCC lib, go-bpf, BCC tools, bpftrace tools]
The future of eBPF
Kernel operations structures in BPF
"what has been merged for 5.6 is not just a mechanism for hooking in TCP congestion-control algorithms… this new infrastructure can be used to allow a BPF program to replace any "operations structure"" (in kernel)
https://lwn.net/Articles/811631/?fbclid=IwAR3otEAmjW4GS5i3hcWHzsy6hfmTIJwb_nUGHcT-sS2aCOX1xcn9DuTfcwA
➢ Update the kernel without building it, or even rebooting
➢ Dynamic driver? Runtime-configurable kernel driver, without rebuilding
➢ Kernel-layer cloud native application?
Q n’ A / Take away
• What’s eBPF
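  • A technology in Linux that lets you dynamically observe behaviour inside the system
• Use eBPF based tools to debug
  • The overhead of eBPF tools is far lower than that of traditional userspace monitoring tools
  • Almost all behaviour in the system can be observed, from kernel to userspace
• New design idea
  • eBPF overcomes the very poor portability that kernel-layer applications used to have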
You don't need to know how to operate an X-ray machine,
but you do need to know that if you swallow a penny, an X-ray is an option!
www.bredangregg.com
