Cilium - BPF & XDP for containers
Cilium: Networking & Security for Containers with BPF & XDP
Docker Distributed Systems Summit
Thomas Graf
The Network becomes the Application bus
We have to deal with networks that ...
○ contain millions of endpoints
○ are noisy (nMpps)
○ are insecure with multiple tenants
○ operate unreliably
○ are constantly evolving WRT protocols
Cilium Architecture
What is BPF?
BPF Code Generation at Container Startup
● Generate networking code at container startup
○ Tailored to each individual container
○ Leads to minimal code required
⇒ faster
⇒ smaller attack surface (unikernel like)
● Majority of configuration (IP, MAC, ports, ... ) becomes
constant, the compiler can optimize heavily
● Regeneration at runtime without breaking connections
Make all tasks globally addressable on the Internet
● Global IPv6 addresses
○ No NAT!
○ Native IPv4/NAT46 + NAT for compat
● Host scope address allocator
○ Lockless allocation
● Task mobility
○ ILA
Scaling Policy Specification
● How to specify policy for millions of endpoints?
● Decouple policy specification from addressing
○ IP+port ACLs are unsuitable for containers
○ Policy specification based on container labels
[Diagram: frontend (FE), backend (BE) and load balancer (LB) endpoints connected to each other]
[Diagram, continued: the same FE/BE/LB endpoints, now additionally labelled Prod or QA, with "requires" edges expressing policy in terms of labels rather than addresses]
Scaling Policy Enforcement
● Distributed fixed cost policy enforcement
○ Per-CPU BPF-map hashtable
[Diagram: cluster-wide label ID table mapping the label combinations of the FE, BE and LB endpoints in Prod and QA to numeric IDs 10 through 16]
Cluster Wide Label ID Table: This ID is carried in the network packet and used to reconstruct the label context at the receiving host.
Policy enforcement cost is reduced to a single hashtable lookup regardless of complexity.
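The three policy slides above describe a model rather than code: container labels are resolved to a cluster-wide numeric identity, that identity travels in the packet, and the receiving host decides with one hash lookup instead of walking a rule list. The following user-space C program is an added example written for this page, not Cilium's own datapath or policy code. It assumes a constructed identity table (IDs 10 to 15, each standing for a label set such as FE+Prod), two constructed label rules, and reads the slide's "requires" edges as a same-environment constraint (Prod talks to Prod, QA to QA); the open-addressing table stands in for the per-CPU BPF hash map.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Labels as bits, so an identity (a set of labels) is a bitmask. */
enum { L_FE = 1 << 0, L_BE = 1 << 1, L_LB = 1 << 2, L_PROD = 1 << 3, L_QA = 1 << 4 };

/* Constructed cluster-wide identity table: numeric ID -> label set.
 * The ID is what rides in the packet; the receiver uses it to recover the labels. */
static const struct { uint16_t id; uint32_t labels; } identity_table[] = {
    {10, L_FE | L_PROD}, {11, L_BE | L_PROD}, {12, L_LB | L_PROD},
    {13, L_FE | L_QA},   {14, L_BE | L_QA},   {15, L_LB | L_QA},
};
#define N_IDENTITIES (sizeof identity_table / sizeof identity_table[0])

/* Receiver side: reconstruct the label context from the ID carried in the packet. */
uint32_t labels_of(uint16_t id) {
    for (size_t i = 0; i < N_IDENTITIES; i++)
        if (identity_table[i].id == id) return identity_table[i].labels;
    return 0; /* unknown identity: no labels, so no rule can match it */
}

/* Constructed label rules (hypothetical, not a Cilium policy): a destination carrying
 * label `to` accepts sources carrying label `from`; if env_required is set, both must
 * share an environment label (the assumed reading of the slide's "requires" edges). */
struct rule { uint32_t to, from; int env_required; };
static const struct rule rules[] = {
    {L_BE, L_FE, 1}, /* backends accept frontends of the same environment */
    {L_FE, L_LB, 1}, /* frontends accept the load balancer of the same environment */
};
#define N_RULES (sizeof rules / sizeof rules[0])

/* Flat policy map keyed by (src identity, dst identity): a small open-addressing
 * hash table standing in for the per-CPU BPF hash map. */
#define MAP_SIZE 256
static uint32_t policy_keys[MAP_SIZE];
static uint8_t  policy_used[MAP_SIZE];

static uint32_t pair_key(uint16_t src, uint16_t dst) { return ((uint32_t)src << 16) | dst; }
static uint32_t slot_of(uint32_t key) { return (key * 2654435761u) >> 24; } /* 0..255 */

static void map_insert(uint32_t key) {
    uint32_t s = slot_of(key);
    while (policy_used[s] && policy_keys[s] != key) s = (s + 1) % MAP_SIZE;
    policy_keys[s] = key;
    policy_used[s] = 1;
}

static int map_lookup(uint32_t key) {
    uint32_t s = slot_of(key);
    for (int probes = 0; probes < MAP_SIZE && policy_used[s]; probes++, s = (s + 1) % MAP_SIZE)
        if (policy_keys[s] == key) return 1;
    return 0;
}

/* Control plane: resolve the label rules into allowed identity pairs once, up front.
 * Rule complexity is paid here, not per packet. */
void build_policy(void) {
    memset(policy_used, 0, sizeof policy_used);
    for (size_t s = 0; s < N_IDENTITIES; s++)
        for (size_t d = 0; d < N_IDENTITIES; d++) {
            uint32_t sl = identity_table[s].labels, dl = identity_table[d].labels;
            for (size_t r = 0; r < N_RULES; r++) {
                if (!(dl & rules[r].to) || !(sl & rules[r].from)) continue;
                if (rules[r].env_required && !((sl & dl) & (L_PROD | L_QA))) continue;
                map_insert(pair_key(identity_table[s].id, identity_table[d].id));
            }
        }
}

/* Datapath: one hash lookup per packet, regardless of how many rules exist. */
int policy_allows(uint16_t src_identity, uint16_t dst_identity) {
    return map_lookup(pair_key(src_identity, dst_identity));
}

/* Minimal packet: the source identity is carried in the header; the destination
 * identity is the receiving container's own. */
struct packet { uint16_t src_identity; uint16_t dst_identity; uint16_t dport; };

int packet_allowed(const struct packet *p) {
    return policy_allows(p->src_identity, p->dst_identity);
}

int main(void) {
    build_policy();
    struct packet prod_fe_to_prod_be = {10, 11, 8080}; /* constructed sample packets */
    struct packet qa_fe_to_prod_be   = {13, 11, 8080};
    printf("Prod FE -> Prod BE: %s\n", packet_allowed(&prod_fe_to_prod_be) ? "ALLOW" : "DROP");
    printf("QA FE -> Prod BE:   %s\n", packet_allowed(&qa_fe_to_prod_be) ? "ALLOW" : "DROP");
    return 0;
}
```

The split between build_policy and policy_allows is the point of the slide: adding rules or labels grows the work done once at policy load, while the per-packet cost stays at a single lookup keyed by two small integers.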
Extensibility & Safety in the Kernel
● Decouple datapath functionality from kernel version
○ Support new protocols
○ Add arbitrary statistics
○ Safety guaranteed by Verifier
● All at runtime for already running containers
Scaling the Delivery of Cat Pictures
● Distributed L3/L4 LB w/ DSR
● Like IPVS but completely programmable
● LB for N-S, E-W & Intra-node
[Diagram: ECMP spreads traffic across LB instances; a small HTTP GET from the FE passes through the LB to a BE, while the large cat pictures/videos return directly from the BE to the FE (direct server return)]
Performance
Demo
Q&A
Start hacking on BPF for containers:
https://github.com/cilium/cilium
Slack: cilium.slack.com
Twitter: @tgraf__
Thank You
Building Blocks
● L3 forwarding (IPv6 & IPv4)
● Host connectivity
● Encapsulation (VXLAN/Geneve/GRE)
● ICMPv6 & ICMP generation
● NDisc & ARP responder
● Access Control
● Port mapping
● Connection tracking
● L3/L4 Load balancer w/ DSR
● Statistics
● Events (perf ring buffer)
● Debugging framework
● NAT46