Cilium - Container Networking with BPF & XDP

15

Transcript of Cilium - Container Networking with BPF & XDP

Page 1: Cilium - Container Networking with BPF & XDP
Page 2: Cilium - Container Networking with BPF & XDP
Page 3: Cilium - Container Networking with BPF & XDP

●○○

Page 4: Cilium - Container Networking with BPF & XDP

●○

●○○

Page 5: Cilium - Container Networking with BPF & XDP
Page 6: Cilium - Container Networking with BPF & XDP

●○○○

●○○

Page 7: Cilium - Container Networking with BPF & XDP

●●

○○

Frontend BackendLB

FE BELB

LBFE

FE BE

LB

Page 8: Cilium - Container Networking with BPF & XDP

●●

○○

Frontend BackendLB

FE BELB

LBFE

FE BE

LB

Prod

Frontend BackendLB

FE BELBQA

Prod

QA

Prodrequires

requires QA

QA

Page 9: Cilium - Container Networking with BPF & XDP

●○

FE

BE

LB Prod

QA

Prod

Prod

FE

BE

LB

QA

QA

10111213141516

Cluster Wide Label ID Table: This ID is carried in the network packet and used to reconstruct the label context at the receiving host.

Policy enforcement cost is reduced to a single hashtable lookup regardless of complexity.

Page 10: Cilium - Container Networking with BPF & XDP

●●●

FE

BE

LB

LBECMP

FE

FE

BE

BE

BE

Small HTTP GET

Ultra HD Cat Pictures/Videos

Page 11: Cilium - Container Networking with BPF & XDP
Page 12: Cilium - Container Networking with BPF & XDP

Intel Xeon 3.5Ghz Sandy Bridge, 24 cores, 1 TCP flow per core, netperf -t TCP_SENDFILE, 10’000 policies

Page 13: Cilium - Container Networking with BPF & XDP
Page 14: Cilium - Container Networking with BPF & XDP
https://github.com/cilium/cilium
https://github.com/cilium/cilium
Page 15: Cilium - Container Networking with BPF & XDP

●●●

●●●

●●●●●●●


XDP – eXpress Data Path - Netfilterpeople.netfilter.org/hawk/presentations/xdp2016/xdp...1/23 XDP – eXpress Data Path XDP – eXpress Data Path Intro and future use-cases Linux

XDP – eXpress Data Path - Netfilterpeople.netfilter.org/hawk/presentations/xdp2016/xdp...1/23 XDP – eXpress Data Path XDP – eXpress Data Path Intro and future use-cases Linux

Multiqueue BPF support and other BPF feature

Multiqueue BPF support and other BPF feature

Cilium Documentation

Cilium Documentation

eBPF Hardware Offload to SmartNICs: cls bpf and XDP · cls bpf has two distinct modes of operation that need to be supported, the traditional mode of calling the TC actions, and

eBPF Hardware Offload to SmartNICs: cls bpf and XDP · cls bpf has two distinct modes of operation that need to be supported, the traditional mode of calling the TC actions, and

ISA XDP (EXPERIENTIAL DESIGN PROGRAM) XDP 2019... · ISA ‘s XDP understands that the community of “influencers,” such as experiential graphic designers, architects, brand managers,

ISA XDP (EXPERIENTIAL DESIGN PROGRAM) XDP 2019... · ISA ‘s XDP understands that the community of “influencers,” such as experiential graphic designers, architects, brand managers,

XDP INTEGRATED FEED CLIENT SPECIFICATION - … · XDP INTEGRATED FEED CLIENT SPECIFICATION ... Global OTC is an Alternative Trading System ... ICE/NYSE XDP INTEGRATED FEED CLIENT

XDP INTEGRATED FEED CLIENT SPECIFICATION - … · XDP INTEGRATED FEED CLIENT SPECIFICATION ... Global OTC is an Alternative Trading System ... ICE/NYSE XDP INTEGRATED FEED CLIENT

XDP – eXpress Data Path - iptablespeople.netfilter.org/hawk/presentations/LLC2017/XDP_DDoS... · 3/37 XDP – eXpress Data Path Overview What is XDP – eXpress Data Path Using

XDP – eXpress Data Path - iptablespeople.netfilter.org/hawk/presentations/LLC2017/XDP_DDoS... · 3/37 XDP – eXpress Data Path Overview What is XDP – eXpress Data Path Using

10分でわかる Cilium と XDP / BPF

10分でわかる Cilium と XDP / BPF

XDP-Programmable Data Path in the ff˝ ˙ˆˆˇ˘˝ Linux Kernel · XDP-Programmable Data Path in the Linux Kernel Extended BPF Linux 3.18 had the first implementation of extended

XDP-Programmable Data Path in the ff˝ ˙ˆˆˇ˘˝ Linux Kernel · XDP-Programmable Data Path in the Linux Kernel Extended BPF Linux 3.18 had the first implementation of extended

The cilium 1 microscopic structure

The cilium 1 microscopic structure

Cilium: Seattle Kubernetes MeetUp Dec 2017

Cilium: Seattle Kubernetes MeetUp Dec 2017

Replacing iptables with eBPF in Kubernetes with Cilium · 2020-01-30 · TC BPF XDP CILIUM AGENT DAEMON CILIUM CLI CILIUM MONITOR CILIUM HEALTH CILIUM HEALTH NAMESPACE PLUGIN Build

Replacing iptables with eBPF in Kubernetes with Cilium · 2020-01-30 · TC BPF XDP CILIUM AGENT DAEMON CILIUM CLI CILIUM MONITOR CILIUM HEALTH CILIUM HEALTH NAMESPACE PLUGIN Build

BPF infrastructure in kernel · 2019. 8. 8. · 2) bpf to bpf call 3. Loading BPF Controller (User App) BPF library: libbpf prog/map load, attach, control. . . BPF LOAD 과정: 1.

BPF infrastructure in kernel · 2019. 8. 8. · 2) bpf to bpf call 3. Loading BPF Controller (User App) BPF library: libbpf prog/map load, attach, control. . . BPF LOAD 과정: 1.

Trace Aggregation and Collection with eBPFsuchakra/eBPF-5May2017.pdf · 2017-05-05 · BPF Code Traffic Control/XDP - TC with cls_bpf [Borkmann, 2016] act_bpf and XDP BPF Code eth0

Trace Aggregation and Collection with eBPFsuchakra/eBPF-5May2017.pdf · 2017-05-05 · BPF Code Traffic Control/XDP - TC with cls_bpf [Borkmann, 2016] act_bpf and XDP BPF Code eth0

Flagellum (Cilium)

Flagellum (Cilium)

Cilium - Fast IPv6 Container Networking with BPF and XDP

Cilium - Fast IPv6 Container Networking with BPF and XDP

eBPF/XDP - SIGCOMM€¦ · • C is LLVM compiled to BPF bytecode • Verifier checked • JIT converts to assembly Hooks into the kernel in many places • Final packet handling

eBPF/XDP - SIGCOMM€¦ · • C is LLVM compiled to BPF bytecode • Verifier checked • JIT converts to assembly Hooks into the kernel in many places • Final packet handling

TAQ XDP PRODUCTS CLIENT SPECIFICATION INTEGRATED, BBO ...€¦ · ICE/NYSE TAQ XDP PRODUCTS CLIENT SPECIFICATION V2.1G TAQ XDP Products Client Specification v2.1g 6 1. TAQ XDP Integrated,

TAQ XDP PRODUCTS CLIENT SPECIFICATION INTEGRATED, BBO ...€¦ · ICE/NYSE TAQ XDP PRODUCTS CLIENT SPECIFICATION V2.1G TAQ XDP Products Client Specification v2.1g 6 1. TAQ XDP Integrated,

eBPF Hardware Offload to SmartNICs: cls bpf and XDPeBPF Hardware Offload to SmartNICs: cls bpf and XDP Jakub Kicinski, Nicolaas Viljoen Netronome Systems Cambridge, United Kingdom

eBPF Hardware Offload to SmartNICs: cls bpf and XDPeBPF Hardware Offload to SmartNICs: cls bpf and XDP Jakub Kicinski, Nicolaas Viljoen Netronome Systems Cambridge, United Kingdom

Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF

Cilium: Kernel Native Security & DDOS Mitigation for Microservices with BPF