bpf
play

BPF Turning Linux into a Microservices-aware Operating System - PowerPoint PPT Presentation

Jan 08, 2023 •237 likes •520 views

BPF Turning Linux into a Microservices-aware Operating System About the Speaker Thomas Graf Linux kernel developer for ~15 years working on networking and security Helped write one of the biggest monoliths ever Worked on many

  1. BPF Turning Linux into a Microservices-aware Operating System

  2. About the Speaker Thomas Graf ● Linux kernel developer for ~15 years working on networking and security Helped write one of the biggest monoliths ever ● Worked on many Linux components over the years (IP, ● TCP, routing, netfilter/iptables, tc, Open vSwitch, …) ● Creator of Cilium to leverage BPF in a cloud native and microservices context Co-Founder & CTO of the company building Cilium ● 2

  3. Agenda Evolution of running applications ● ○ From single task processes to microservices Problems of the Linux kernel ● ○ The kernel What is BPF? ● ○ Turning Linux into a modern, microservices-aware operating system Cilium - BPF-based networking security for microservices ● ○ What is Cilium? Use Cases & Deep Dive ○ ● Q&A 3

  4. Evolution: Running applications Dark Age: Microservices Multi tasking Virtualization Single tasking Containers Ship the OS together Back to a shared Split the CPU and The simple age. with application and run memory. Shared operating system. it in a VM for better libraries, package Applications directly resource isolation. interact with the host management, Linux Virtualized hardware operating system again. distributions. and software defined infrastructure. 4

  5. Problems of the Linux Kernel in the age of microservices 5

  6. Problem #1: Abstractions Process Process The Linux kernel is split into layers to provide strong abstractions. System Call Interface Sockets Pros: TCP UDP Raw Strong userspace API compatibility ● guarantee. A 20 years old binary still Netfilter works. IPv4 IPv6 Majority of Linux source code is not ● hardware specific. Ethernet Traffic Shaping Cons: Netdevice / Drivers Every layer pays the cost of the ● HW Bridge OVS .. layers above and below. ● Very hard to bypass layers. 6

  7. Problem #2: Per subsystem APIs brctl / Process Process seccomp iptables tc tcpdump ethtool ip ovsctl System Call Interface Sockets TCP UDP Raw Netfilter IPv4 IPv6 Ethernet Traffic Shaping Netdevice / Drivers HW Bridge OVS .. 7

  8. Problem #3: Development Process The Good: The Bad: ● Open and transparent process ● Hard to change ● Excellent code quality ● Shouting is involved (getting better) Stability Large and complicated codebase ● ● Available everywhere Upstreaming code is hard, consensus has to ● ● ● Almost entirely vendor neutral be found. ● Upstreaming is time consuming Depending on the Linux distribution, ● merged code can take years to become generally available ● Everybody maintains forks with 100-1000s backports 8

  9. Problem #4: What is a container? What the kernel knows about: What the kernel does not know: ● Processes & thread groups ● Containers or Kubernetes pods ● Cgroups ○ There is no container ID in the kernel Limits and accounting of CPU, Exposure requirements ○ ● memory, network, … Configured by The kernel no longer knows whether ○ container runtime. an application should be exposed ● Namespaces outside of the host or not. Isolation of process, CPU, mount, API calls made between containers/pods ○ ● user, network, IPC, cgroup, UTS Awareness stops at layer 4 (ports). ○ (hostname). Configured by container While SELinux can control IPC, it can’t ○ runtime control service to service API calls. IP addresses & port numbers Servicemesh, huh? ● ● Configured by container networking ○ ● System calls made & SELinux context ○ Optionally configured by container runtime 9

  10. What now? Alternatives? Give user Rewrite Move OS to space access Unikernel Everything? Userspace to hardware Expose the hardware We don’t need kernel Total Estimated Cost Linus was wrong. The mode for most of the directly to user space. app should provide its to Develop Linux It will be fine. logic. Build on top of a own OS. (average salary = minimal Linux. $75,662.08 /year, overhead = 2.40). Examples: ClickOS, Examples : User mode Examples: DPDK, $1,372,340,206 Linux, gVisor, ... MirageOS, Rumprun, ... UDMA, .. 10

  11. What is BPF? Highly efficient sandboxed virtual machine in the Linux kernel making the Linux kernel programmable at native execution speed. $ clang -target bpf -emit-llvm -S \ 32-bit-example.c $ llc -march=bpf 32-bit-example.ll Jointly maintained by Cilium $ cat 32-bit-example.s cal: and Facebook with r1 = *(u32 *)(r1 + 0) r2 = *(u32 *)(r2 + 0) collaborations from Google, r2 += r1 Red Hat, Netflix, Netronome, *(u32 *)(r3 + 0) = r2 exit and many others. 11

  12. The Linux kernel is event driven Process Process Process Process System calls System Call Interface 12M lines of source code Drivers Interrupts CPU RAM MMU NIC Disk Disk USB 12

  13. Run BPF program on event Attachment points Process Process ● Kernel functions (kprobes) connect() read() BPF ● Userspace functions (uprobe) BPF System calls ● Tracepoints ● TCP File Descriptor Sockets ● Network devices (packet level) retrans ● Sockets (data level) VFS TCP/IP Network device (DMA level) [XDP] ● Block Device Network Device ... ● BPF Send network IO Read packet BPF BPF NIC Disk 13

  14. BPF Maps BPF map use cases: ● Hold program state Process ● Share state between programs Share state with user space ● Export metrics & statistics ● ● Configure programs BPF Map types: Hash tables ● Maps BPF ● Arrays ● LRU (Least recently used) Ring buffer ● Stack trace ● ● LPM (Longest prefix match) 14

  15. BPF Helpers BPF helpers: bpf_get_prandom_u32() ● Stable kernel API exposed to BPF BPF programs to interact with the kernel bpf_skb_store_bytes() Includes ability to: ● bpf_redirect() Get process/cgroup context ○ ○ Manipulate network packets bpf_get_current_pid_tgid() and forwarding Access BPF maps bpf_perf_event_output() ○ Access socket data ○ ○ Send metrics to user space ○ ... 15

  16. BPF Tail Calls BPF tail calls: ● Chain logical programs together BPF BPF ● Implement function calls Must be within same program type ● BPF BPF BPF 16

  17. BPF JIT Compiler generic JIT Compiler Byte code ● Ensures native execution performance without requiring to understand CPU Compiles BPF bytecode to CPU ● architecture specific instruction set x86_64 generic Byte Byte code code JIT Supported architectures: ● X86_64, arm64, ppc64, s390x, mips64, sparc64, arm 17

  18. BPF Contributors 380 Daniel Borkmann (Cilium, Maintainer) Top contributors of 161 Alexei Starovoitov (Facebook, Maintainer) the total 186 160 Jakub Kicinski Netronome contributors to BPF 110 John Fastabend (Cilium) from January 2016 to 96 Yonghong Song (Facebook) November 2018. 95 Martin KaFai Lau (Facebook) 94 Jesper Dangaard Brouer (Red Hat) 74 Quentin Monnet (Netronome) 45 Roman Gushchin (Facebook) 45 Andrey Ignatov (Facebook) 18

  19. BPF Use Cases L3-L4 Load balancing Replacing iptables with BPF ● ● ● Network security (bpfilter) Traffic optimization NFV & Load balancing (XDP) ● ● ● Profiling ● Profiling & Tracing https://code.fb.com/open-s ource/linux/ ● Performance ● QoS & Traffic optimization Troubleshooting Network Security ● ● Tracing & Systems Monitoring ● Profiling Networking ● 19

  20. Simple Kprobe Example Example: BPF program using gobpf/bcc: 20

  21. What is Cilium? Cilium is open source software for transparently providing and securing the network and API connectivity between application services deployed using Linux container management platforms like Kubernetes, Docker, and Mesos. At the foundation of Cilium is the new Linux kernel technology BPF, which enables the dynamic insertion of powerful security, visibility, and networking control logic within Linux itself. Besides providing traditional network level security, the flexibility of BPF enables security on API and process level to secure communication within a container or pod. Read More 21

  22. Project Goals Approachable BPF Security ● Make the efficiency and flexibility of BPF ● Use the additional visibility of BPF to available in an approachable way provide security for microservices Automate program creation and including: ● management ○ API awareness ● Provide an extendable platform ○ Identity based enforcement Process level context enforcement ○ Microservices-aware Linux Performance ● Use the flexibility of BPF to make the Linux ● Leverage the execution performance and kernel aware of cloud native concepts JIT compiler to provide a highly efficient such as containers and APIs. implementation. 22

  23. Cilium Use Cases Container Networking Microservices Security ● Highly efficient and flexible ● Identity-based L3-L4 network security networking Accelerated API-aware security via ● CNI and CMM plugins Envoy (HTTP, gRPC, Kafka, Cassandra, ● ● IPv4, IPv6, NAT46, direct routing, memcached, ..) encapsulation ● DNS aware policies Multi cluster routing SSL data visibility via kTLS ● ● Servicemesh acceleration: Service Load balancing: ● Minimize overhead when injecting ● Highly scalable L3-L4 load balancing servicemesh sidecar proxies implementation Kubernetes service implementation or ● API driven. 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

12/13/2010

12/13/2010

12/13/2010

290 views • 3 slides
Divya Venkataraman February 2013 Universit` a degli Studi di Genova Dipartimento di Ingegneria

Divya Venkataraman February 2013 Universit` a degli Studi di Genova Dipartimento di Ingegneria

Department of Civil, Chemical and Environmental Engineering University of Genova, Italy Flow control using a porous, compliant coating of feather-like actuators A thesis submitted to the University of Genova for the degree of DOCTOR OF

1.65k views • 150 slides
Optics of the Human Eye Optics of the Human Eye Optics of the Human Eye Optics of the Human Eye

Optics of the Human Eye Optics of the Human Eye Optics of the Human Eye Optics of the Human Eye

Optics of the Human Eye Optics of the Human Eye Optics of the Human Eye Optics of the Human Eye David Atchison David Atchison School of Optometry & Institute of Health and Biomedical School of Optometry & Institute of Health and

419 views • 19 slides
Perception of Risks in the Chinese People: Research on risk perception in Hong Kong A Hong

Perception of Risks in the Chinese People: Research on risk perception in Hong Kong A Hong

Outline Perception of Risks in the Chinese People: Research on risk perception in Hong Kong A Hong Kong Chinese Perspective Lai et al. (2003); Lai & Tao (2003) Cognitive representation of environmental hazards in Hong Kong

178 views • 5 slides
eBPF Based Container Networking A Network Performance Comparison Nick de Bruijn July 4, 2017

eBPF Based Container Networking A Network Performance Comparison Nick de Bruijn July 4, 2017

eBPF Based Container Networking A Network Performance Comparison Nick de Bruijn July 4, 2017 University of Amsterdam Introduction Figure 1: Microservices and Containers 1 1

309 views • 30 slides
Evaluation of virtualization and traffic filtering methods for container networks ukasz

Evaluation of virtualization and traffic filtering methods for container networks ukasz

Evaluation of virtualization and traffic filtering methods for container networks ukasz Makowski Cees de Laat Paola Grosso makowski@uva.nl delaat@uva.nl pgrosso@uva.nl Our goal: Improving on scientific workloads Digital data sharing

251 views • 21 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

612 views • 45 slides
SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54 What are Containers? A package/image that can be deployed anywhere (thats running a Linux Kernel) Developers create a layered image of their

996 views • 53 slides
Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder & CTO, Isovalent

Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder & CTO, Isovalent

Rethinking the Linux kernel Thomas Graf Cilium Project, Co-Founder & CTO, Isovalent Remember GeoCities? 2 Cameron Askin: Camerons World What enabled this evolution? Programmable Platform Markup Only (HTML) 3 Programmability

467 views • 24 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

429 views • 39 slides
Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh,

Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh,

Kubernetes networking with Calico Hemanth Nakkina, Solution Architect, Ericsson Abhijeet Singh, Director, AT&T Uday T Kumar, Solution Architect, Ericsson There is no such thing as Container Networking Kelsey Hightower,

928 views • 9 slides
Low-Overhead System Tracing With eBPF Akshay Kapoor DevOps Engineer @ SAP Labs May 2018

Low-Overhead System Tracing With eBPF Akshay Kapoor DevOps Engineer @ SAP Labs May 2018

Low-Overhead System Tracing With eBPF Akshay Kapoor DevOps Engineer @ SAP Labs May 2018 Low-Overhead System Tracing With eBPF Low-Overhead System Tracing With eBPF Low-Overhead System Tracing With eBPF You don't need to know how to operate

632 views • 26 slides
Life on Earth FROM CHEMISTRY TO BIOLOGY You re all atoms, in Earthly proportions. By number

Life on Earth FROM CHEMISTRY TO BIOLOGY You re all atoms, in Earthly proportions. By number

Life on Earth FROM CHEMISTRY TO BIOLOGY You re all atoms, in Earthly proportions. By number of atoms: H 55% O 28% C 10% N 5% Water is Special Three-quarters of the Earth s surface is submerged in water The abundance of

453 views • 29 slides
KO UNIVERSITY the perfect partner for R&D http://www.ku.edu.tr ABOUT KO UNIVERSITY

KO UNIVERSITY the perfect partner for R&D http://www.ku.edu.tr ABOUT KO UNIVERSITY

KO UNIVERSITY the perfect partner for R&D http://www.ku.edu.tr ABOUT KO UNIVERSITY Established by Vehbi Ko Foundation in 1993 as a non- profit private university in stanbul, Ko University continually strives to: Be a center of

832 views • 13 slides
10 th Annual General Meeting 15 July 2020 IMPORTANT NOTICE This presentation shall be read in

10 th Annual General Meeting 15 July 2020 IMPORTANT NOTICE This presentation shall be read in

10 th Annual General Meeting 15 July 2020 IMPORTANT NOTICE This presentation shall be read in conjunction with Mapletree Industrial Trusts (MIT) financial statements for the financial year ended 31 March 2020. This presentation is for

436 views • 33 slides
Construction of a Mathematical Model of a Cell as a Challenge for Science in the 21 Century and

Construction of a Mathematical Model of a Cell as a Challenge for Science in the 21 Century and

Enabling Grids for E-sciencE Construction of a Mathematical Model of a Cell as a Challenge for Science in the 21 Century and EGEE Project Victor Lakhno Institute of Mathematical Problems of Biology RAS EGEE User Forum CERN, 01-03.03.2006

440 views • 12 slides
PRESENTATION An ISO 9001-2015 Certified Company DSIR Recognized R&D Facility D&B D-U-N-S

PRESENTATION An ISO 9001-2015 Certified Company DSIR Recognized R&D Facility D&B D-U-N-S

CORPORATE PRESENTATION An ISO 9001-2015 Certified Company DSIR Recognized R&D Facility D&B D-U-N-S Number 65-061-8049 Symphony Pharma Life Sciences July 2019 Page 2 ABOUT US Established in 2008 Technology driven organization

671 views • 20 slides
availability, affordability and price structure in Malaysia Zaheer-Ud-din Babar Mohamed Izham

availability, affordability and price structure in Malaysia Zaheer-Ud-din Babar Mohamed Izham

Evaluation of medicine prices, availability, affordability and price structure in Malaysia Zaheer-Ud-din Babar Mohamed Izham Mohamed Ibrahim Harpal Singh Nadeem Irfan Bukhari June 2006 Sampling Public Facilities (20, 5 in each region)

500 views • 11 slides
Lab 11: Morning Lark or Night Owl? Circadian Clock Internal timekeeper that regulates the

Lab 11: Morning Lark or Night Owl? Circadian Clock Internal timekeeper that regulates the

NOTEBOOK Lab 11: Morning Lark or Night Owl? Circadian Clock Internal timekeeper that regulates the bodys physiology and behavior on a cycle that repeats each day Other animals, plants, fungi and unicellular organisms have circadian

279 views • 14 slides
Continuous attractors as unreliable estimators Arvind Murugan Dept. of Physics Regression using

Continuous attractors as unreliable estimators Arvind Murugan Dept. of Physics Regression using

Continuous attractors as unreliable estimators Arvind Murugan Dept. of Physics Regression using attractors High dim config space Regression Attractor dynamics Circadian clocks as phase estimators External signal (Day-night cycle of light)

392 views • 17 slides
TECHNOLOGY OVERVIEW May 2015 COMPANY SNAPSHOT 2 Mission: - To be the

TECHNOLOGY OVERVIEW May 2015 COMPANY SNAPSHOT 2 Mission: - To be the

1 TECHNOLOGY OVERVIEW May 2015 COMPANY SNAPSHOT 2 Mission: - To be the first FDA approved diagnos7c for depression/anxiety and evalua7on of treatment response -

758 views • 48 slides
LED lighting solutions dedicated to equine sector Improve its welfare Guarantee its security

LED lighting solutions dedicated to equine sector Improve its welfare Guarantee its security

LED lighting solutions dedicated to equine sector Improve its welfare Guarantee its security Optimise its performances FUNDAMENTAL ROLE OF PROXIMAL LIGHTING WELFARE, RECOVERY COMFORT, CONCENTRATION SCIENTIFIC AND TECHNICAL APPROACH SECURITY,

280 views • 5 slides
Circadian-friendly controls and power management for outdoor luminaires Controlling the light

Circadian-friendly controls and power management for outdoor luminaires Controlling the light

Circadian-friendly controls and power management for outdoor luminaires Controlling the light for better living There is often less need to have fully lit streets and other outdoor environments late in the evening and during the night. But

511 views • 11 slides
Modifications To School Start Times School Board Information Sharing September 10, 2018 Agenda

Modifications To School Start Times School Board Information Sharing September 10, 2018 Agenda

Modifications To School Start Times School Board Information Sharing September 10, 2018 Agenda Current Process Review of Research Ancillary Services Athletics Next Steps Process National movement within districts to

635 views • 41 slides

More recommend