Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Unleashing the kernel with eBPF

Liz Rice
April 10, 2024
0
13

Unleashing the kernel with eBPF

For QCon London in the Efficient Programming Languages track

Liz Rice

April 10, 2024
Tweet

More Decks by Liz Rice

See All by Liz Rice
eBPF's Abilities and Limitations: The Truth
lizrice
0
36
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
16
When is a Secure Connection not encrypted? And other stories
lizrice
1
17
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
460
How Many Proxies Do You Need
lizrice
1
100
eBPF for Security Observability
lizrice
0
1k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2k
Contributing to Open Source - what's in it for my business?
lizrice
0
35
Cloud Native eBPF Superpowers
lizrice
0
220

Featured

See All Featured
The Cost Of JavaScript in 2023
addyosmani
18
3.9k
The Cult of Friendly URLs
andyhume
74
5.7k
Happy Clients
brianwarren
92
6.4k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k
Testing 201, or: Great Expectations
jmmastey
29
6.4k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.7k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k
Faster Mobile Websites
deanohume
300
30k
Automating Front-end Workflow
addyosmani
1357
200k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.6k
YesSQL, Process and Tooling at Scale
rocio
165
13k
The Mythical Team-Month
searls
216
42k

Transcript

  1. Unleashing the kernel with eBPF Liz Rice | @lizrice Chief

    Open Source Officer, Isovalent Emeritus Chair, CNCF Technical Oversight Committee | CNCF & OpenUK boards

  2. @lizrice What is ? extended Berkeley Packet Filter

  3. @lizrice What is ? eBPF is a kernel technology enabling

    high-performance, low overhead tools for networking, security and observability

  4. @lizrice What is ? Makes the kernel programmable

  5. @lizrice userspace kernel app event system calls eBPF program Run

    custom code in the kernel

  6. @lizrice SEC("kprobe/sys_execve") int hello(void *ctx) { bpf_printk("Hello!"); return 0; }

    $ sudo ./hello bash-20241 [004] d... 84210.752785: 0: I'm alive! bash-20242 [004] d... 84216.321993: 0: I'm alive! bash-20243 [004] d... 84225.858880: 0: I'm alive! Info about process that called execve syscall + userspace code to load eBPF program eBPF Hello World

  7. @lizrice Packet of Death mitigation

  8. @lizrice host eth0 Packet of Death

  9. @lizrice host eth0 Packet of Death Discard?

  10. @lizrice SEC("xdp/bye") int goodbye_ping(struct xdp_md *ctx) { ... if (iph->protocol

    == IPPROTO_ICMP) return XDP_DROP; return XDP_PASS; } eBPF Packet Drop

  11. @lizrice Dynamically change kernel behaviour

  12. @lizrice

  13. @lizrice

  14. @lizrice eBPF code has to be safe userspace kernel app

    event system calls eBPF program 🔍 verifier

  15. @lizrice eBPF code runs as native instructions userspace kernel app

    event system calls eBPF program ✍ JIT compiler

  16. @lizrice Custom behaviour without transitions

  17. @lizrice userspace kernel app XDP event system calls eBPF program

    eXpress Data path - ingress, before network stack network packet XDP_DROP network stack XDP_TX XDP_PASS

  18. @lizrice userspace kernel app event system calls eBPF program Run

    custom code on network packets network packet Program triggered by packet No polling from user space Packet in kernel memory Per CPU eBPF maps

  19. @lizrice Improved network performance (eBPF) (eBPF) (eBPF) (not eBPF) Miano

    et al: A Framework for eBPF-Based Network Functions in an Era of Microservices

  20. @lizrice cilium.io/blog/2022/04/12/cilium-standalone-L4LB-XDP/ - Seznam case study Improved network performance

  21. @lizrice Improved performance for container networking

  22. @lizrice host pod app socket veth veth eth0 iptables conntrack

    iptables INPUT Linux routing iptables PREROUTING mangle iptables conntrack iptables FORWARD Linux routing iptables PREROUTING nat iptables POSTROUTING mangle iptables PREROUTING mangle iptables POSTROUTING nat

  23. @lizrice host pod app socket veth veth eth0 iptables conntrack

    iptables INPUT Linux routing iptables PREROUTING mangle Linux routing

  24. @lizrice cilium.io/blog/2021/05/11/cni-benchmark TCP RR (higher is better) legacy host-routing

  25. @lizrice cilium.io/blog/2020/06/22/cilium-18/#kubeproxy-removal

  26. @lizrice Unleashing the Power of Cilium CNI to Propel Trendyol’s

    Performance Up to 40%! 20 July 2023

  27. @lizrice eBPF for performance tracing

  28. @lizrice Measure anything (?) with eBPF

  29. @lizrice Brendan Gregg on performance improvements

  30. @lizrice Brendan Gregg on performance improvements

  31. @lizrice Brendan Gregg on performance improvements “eBPF is essential for

    such fast in-situ production analysis”

  32. @lizrice Programmable kernel in Kubernetes

  33. @lizrice userspace kernel networking access files create containers One kernel

    per host pod container pod container container

  34. @lizrice userspace kernel app app pods networking access files create

    containers Kernel aware of everything on the host

  35. @lizrice userspace app kernel app pods networking access files create

    containers eBPF programs can be aware of everything

  36. @lizrice eBPF tools work without any app or config changes

  37. @lizrice - Nathan LeClaire @dotpem

  38. @lizrice A sidecar has a view across one pod userspace

    pod container sidecar container

  39. @lizrice Sidecars need YAML userspace pod container sidecar container userspace

    pod container sidecar container my-app.yaml containers: - name: my-app ... - name: my-app-init … - name: my-sidecar ...

  40. @lizrice eBPF does not need any app changes userspace pod

    container container my-app.yaml containers: - name: my-app ... - name: my-app-init … kernel

  41. @lizrice eBPF can see ALL activity on the node userspace

    pod container container my-app.yaml containers: - name: my-app ... - name: my-app-init … kernel 👿

  42. @lizrice Reduce resource usage of per-pod sidecar Avoid sidecar config

    in every pod Avoid updating sidecar config in every pod

  43. @lizrice eBPF enables efficient sidecarless Service Mesh

  44. @lizrice Network path with sidecar

  45. @lizrice Network path for L3/4 traffic

  46. @lizrice Envoy for Layer 7 terminations when needed

  47. @lizrice “[Moving to a proxy-per-node model can] reduce costs up

    to 90% while simplifying operations and improving performance for applications” - Tetrate Sidecarless service mesh improves performance

  48. @lizrice eBPF enables high performance security tools

  49. @lizrice userspace kernel app event eBPF program Run custom code

    in the kernel Interesting for security system calls

  50. @lizrice Security observability

  51. @lizrice Security observability - Falco Event filtering in user space

  52. @lizrice kernel userspace Security observability - Falco

  53. @lizrice Security observability - Cilium Tetragon kernel userspace Tetragon

  54. @lizrice 🚀 process default/xwing /usr/bin/vi /etc/passwd 📬 open default/xwing /usr/bin/vi

    /etc/passwd 📪 close default/xwing /usr/bin/vi 📬 open default/xwing /usr/bin/vi /etc/passwd 📝 write default/xwing /usr/bin/vi /etc/passwd 1275 bytes 📪 close default/xwing /usr/bin/vi 💥 exit default/xwing /usr/bin/vi /etc/passwd 0 Cilium Tetragon observe security events Policy events Kubernetes info

  55. @lizrice “Traditional solution” = eBPF event collection, filtered in user

    space In-kernel event filtering Tetragon

  56. @lizrice Runtime security enforcement in eBPF

  57. @lizrice Traditional preventative actions from user space

  58. @lizrice Tetragon runtime security - synchronous Tetragon

  59. @lizrice 🚀 process default/xwing /usr/bin/vi /etc/passwd 📬 open default/xwing /usr/bin/vi

    /etc/passwd 📪 close default/xwing /usr/bin/vi 📬 open default/xwing /usr/bin/vi /etc/passwd 📝 write default/xwing /usr/bin/vi /etc/passwd 1269 bytes 💥 exit default/xwing /usr/bin/vi /etc/passwd SIGKILL Cilium Tetragon enforce sensitive file access Killed before write

  60. @lizrice 🚀 process default/xwing /usr/bin/curl deathstar/v1 💥 exit default/xwing /usr/bin/curl

    deathstar/v1 0 🚀 process default/xwing /usr/bin/curl example.com 🔌 connect default/xwing /usr/bin/curl tcp 10.244.1.124:49874 -> 93.184.216.34:80 💥 exit default/xwing /usr/bin/curl example.com SIGKILL Cilium Tetragon enforce network access Killed before write Policy allows in-cluster traffic

  61. @lizrice eBPF makes the kernel programmable enabling a new generation

    of powerful & efficient Cloud Native tools

  62. @lizrice Thank you ebpf.io cilium.io @lizrice Download from isovalent.com isovalent.com/labs

  63. Remember to vote and share feedback on the InfoQ App

    or online. Please vote and leave feedback! Any questions?