Cfgmgmtcamp 2023 — eBPF Superpowers
Download as PPTX, PDF0 likes163 views
The document discusses eBPF (Extended Berkeley Packet Filter), highlighting its capabilities to enhance the Linux kernel for observability, networking, and security. It emphasizes eBPF's dynamic programmability, making it a powerful tool for performance improvements and real-time event handling. The document also mentions various projects and resources related to eBPF, such as Cilium and Hubble, showcasing practical applications and future developments.
![Networking: NAT46/NAT64
IPv6 / IPv4 bridge
DNS64
NAT64
[64:ff9b::<z>] -> [<z>]
IPv6 Single Stack
K8s cluster
bar.com
A 4.3.2.1
DNS
bar.com
AAAA 64:ff9b::4.3.2.1
SYN 64:ff9b::4.3.2.1
IPv4 / Internet
SYN 4.3.2.1
ext. node
(Dual Stack)
https://www.youtube.com/watch?v=Kvdh78TURck
@raphink | @raphink@mastodon.social](https://image.slidesharecdn.com/cfgmgmtcamp2023ebpf-230207134243-65eb0532/85/Cfgmgmtcamp-2023-eBPF-Superpowers-58-320.jpg)
Cfgmgmtcamp 2023 — eBPF Superpowers
- 1. eBPF Superpowers Raphaël Pinson | @raphink | @[email protected] A dynamic Kernel Solutions Architect, Isovalent
- 2. ⬢ What is eBPF? eBPF Superpowers A dynamic Kernel
- 3. ⬢ What is eBPF? ⬢ Principles eBPF Superpowers A dynamic Kernel
- 4. ⬢ What is eBPF? ⬢ Principles ⬢ Observability eBPF Superpowers A dynamic Kernel
- 5. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking eBPF Superpowers A dynamic Kernel
- 6. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security eBPF Superpowers A dynamic Kernel
- 7. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future eBPF Superpowers A dynamic Kernel
- 8. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs eBPF Superpowers A dynamic Kernel
- 9. The Linux Kernel The Power Behind Modern Technology - From cars to servers to fridges - Foundation of the GNU/Linux operating system - Most widely used operating system in the world - Powers the vast majority of: - embedded systems / IoT - Cloud Server - Super Computers @raphink | @[email protected]
- 12. Have you used eBPF? eBPF is already used in many places - Load balancing - DDOS protection on large Internet platforms - Kernel live-patching (5.7+ with LSM/eBPF) - Android (e.g. app data stats) @raphink | @[email protected]
- 13. Who am I Raphaël Pinson Solutions Architect @ Isovalent
- 14. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs eBPF Superpowers A dynamic Kernel
- 15. Makes the Linux kernel programmable in a secure and efficient way. “What JavaScript is to the browser, eBPF is to the Linux Kernel” @raphink | @[email protected]
- 17. eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
- 18. How does it work? @raphink | @[email protected]
- 19. How does it work? @raphink | @[email protected]
- 20. How does it work? @raphink | @[email protected]
- 21. How does it work? @raphink | @[email protected]
- 22. How does it work? @raphink | @[email protected]
- 23. How does it work? @raphink | @[email protected]
- 24. How does it work? @raphink | @[email protected]
- 25. How does it work? @raphink | @[email protected]
- 28. BPF / user-space communication @raphink | @[email protected]
- 35. @raphink | @[email protected] Cloud Native Identities
- 36. eBPF Projects & SDKs @raphink | @[email protected]
- 37. Cilium & Friends - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium @raphink | @[email protected]
- 38. Cilium & Friends Hubble - fine-grained network observability - exports to SIEM - support for OpenTelemetry - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium @raphink | @[email protected]
- 39. Cilium & Friends Tetragon - observe & export kernel events - act on events (e.g. SIGKILL) - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium Hubble - fine-grained network observability - exports to SIEM - support for OpenTelemetry @raphink | @[email protected]
- 40. eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
- 41. Observability Observe directly in the kernel - Low-overhead tracing/observability - Example: network performance / SRTT / micro-bursts - HTTP / TLS in-kernel visibility - Troubleshooting prod on the fly (see bpftrace) @raphink | @[email protected]
- 42. Observability Example software - BCC - bpftrace - Pixie - Cilium (network) - Cilium Tetragon (system) @raphink | @[email protected] Observe directly in the kernel - Low-overhead tracing/observability - Example: network performance / SRTT / micro-bursts - HTTP / TLS in-kernel visibility - Troubleshooting prod on the fly (see bpftrace)
- 44. Observability: Hubble (CLI) @raphink | @[email protected] $ kubectl get pods NAME READY STATUS RESTARTS AGE tiefighter 1/1 Running 0 2m34s xwing 1/1 Running 0 2m34s deathstar-5b7489bc84-crlxh 1/1 Running 0 2m34s deathstar-5b7489bc84-j7qwq 1/1 Running 0 2m34s $ hubble observe --follow -l class=xwing # DNS lookup to coredns default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP) kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP) # ... # Successful HTTPS request to www.disney.com default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: ACK, FIN) default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: RST) # ... # Blocked HTTP request to deathstar backend default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN)
- 46. Observability: Cilium + Grafana ❤️ @raphink | @[email protected]
- 47. Observability: Network Metrics (Hubble) @raphink | @[email protected]
- 48. Observability: HTTP Metrics (Hubble) @raphink | @[email protected]
- 49. Observability: Network Policy Verdicts @raphink | @[email protected]
- 51. Observability: Combined Network & Runtime @raphink | @[email protected]
- 52. eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
- 53. Networking Bypass native kernel network stack: - eXpress Data Path (XDP) - TCP improvements (bandwidth manager, BBR, Big TCP) - NAT64/NAT46 - Performant load-balancing algorithms (Maglev) - Network Policies - Cluster Mesh - Egress Gateway - Sidecar-free service mesh - etc. @raphink | @[email protected]
- 54. Networking: XDP Drop packets before they reach the kernel - E.g. packet of death, DDOS - XDP allows to drop packets before they reach the kernel routing stack @raphink | @[email protected]
- 55. Networking: XDP Efficient Cloud Native LB - E.g. Socket Load Balancer @raphink | @[email protected] Drop packets before they reach the kernel - E.g. packet of death, DDOS - XDP allows to drop packets before they reach the kernel routing stack
- 56. Networking: IPtables vs eBPF kube-proxy / iptables - Linear list / sieve - All rules have to be replaced as a whole eBPF based - Per-CPU hash table ⇒ more performant - Native metadata (e.g. Pod labels) ⇒ Cloud Native routing 🏆 @raphink | @[email protected]
- 57. Networking: BBR (TCP Congestion) @raphink | @[email protected] https://isovalent.com/blog/post/accelerate-network-performance-with-cilium-bbr/
- 58. Networking: NAT46/NAT64 IPv6 / IPv4 bridge DNS64 NAT64 [64:ff9b::<z>] -> [<z>] IPv6 Single Stack K8s cluster bar.com A 4.3.2.1 DNS bar.com AAAA 64:ff9b::4.3.2.1 SYN 64:ff9b::4.3.2.1 IPv4 / Internet SYN 4.3.2.1 ext. node (Dual Stack) https://www.youtube.com/watch?v=Kvdh78TURck @raphink | @[email protected]
- 59. Networking: BIG TCP https://www.youtube.com/watch?v=Kvdh78TURck Back to back: AMD Ryzen 9 3950X @ 3.5 GHz, 128G RAM @ 3.2 GHz, PCIe 4.0, ConnectX-6 Dx, mlx5 driver netperf -t TCP_RR -H <remote pod> -- -r 80000,80000 -O MIN_LATENCY,P90_LATENCY,P99_LATENCY,THROUGHPUT 2.2x lower p99 latency @raphink | @[email protected]
- 60. Networking: Sidecar-free Service Mesh @raphink | @[email protected]
- 61. eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
- 62. Security Observe and manipulate kernel events in real time - Performant and transparent process visibility - Metadata - Fix kernel bugs on the fly - Catch & kill @raphink | @[email protected]
- 63. Security Visibility & Enforcement Traditional approaches - App instrumentation / LD_PRELOAD ⇒ bypassed by statically linked executables - ptrace(2) ⇒ TOCTTOU with syscalls - Existing Kernel Runtime Enforcement ⇒ can benefit from BPF (BPF LSM with kernel 5.7+) - Kernel module ⇒ stability & maintenance @raphink | @[email protected]
- 64. Security Visibility & Enforcement with eBPF @raphink | @[email protected]
- 65. Security: Catch & Kill @raphink | @[email protected]
- 66. eBPF Superpowers A dynamic Kernel ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs
- 67. To Infinity… … and beyond 🚀 - Improved device I/O perf with eBPF (XRP) - Support for 100% of C (in a safe way) - Cross-platform: - archs - compilers (LLVM/gcc) - platforms (Linux, Windows, etc.) - Towards a micro-kernel approach? @raphink | @[email protected]
- 68. All major cloud providers have picked -based Networking & Security for their Kubernetes platforms @raphink | @[email protected] How about you?
- 69. eBPF resources eCHO eBPF YouTube podcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1wYB WvuQ eBPF & Cilium Slack http://slack.cilium.io/ eCHO News Bi-weekly eBPF newsletter: https://cilium.io/newsletter/ @raphink | @[email protected]
- 70. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future ⬢ Practical Labs eBPF Superpowers A dynamic Kernel
- 71. Practical Labs … to become a Cilium & eBPF Jedi 📅 Come tomorrow 2023-02-08, 09:00–13:00 🏛️ In room B.2.015 💻 Bring your laptop (web-based labs) Get badges 🏅 and goodies 👕! @raphink | @[email protected]
- 72. Thank you!
Editor's Notes
- #10: Linux is used on tons of devices, with a very wide range of device types and sizes, and usages
- #11: It’s not uncommon to require adding new features to Linux (esp in Cloud Native: security, networking, etc.). However, sending patches is a very long process, and it might take years before the patches end up in a stable distribution.
- #53: Cloud Native Identities in eBPF
- #61: BBR = Bottleneck Bandwidth and Round-trip propagation time vs Cubic algo Google saw up to a staggering 2,700x improvement in throughput in their tests
- #62: Stateful or stateless e.g. k8s on IPv6 on IPv4 network, or the opposite
- #63: Overcoming the current 64KB TSO/GRO packet limit size for IPv6 traffic using IPv6 jumbogram extension header Not supported in most Linux kernels
- #68: TOCTTOU = Time-of-check to time-of-use