![[Unfinished Draft] Fast Prototyping with DPDK &
eBPF in Containernet
July 18, 2018](https://image.slidesharecdn.com/draftfastprototypingwithdpdkandebpfincontainernet-180720185101/85/Draft-Fast-Prototyping-with-DPDK-and-eBPF-in-Containernet-1-320.jpg)
![Containernet
• Containernet is a fork of the mininet project, which supports using Docker containers as hosts in
emulated networks.
- https://containernet.github.io/
• How does it work?
- Uses network namespaces to simulate multiple networking stacks (i.e., hosts) in a single machine
- Uses veth to connect hosts
- Written mostly in Python that wraps all the network namespace and veth setup and configuration
- Exports an API that can be used to create a network on the fly
- Supports executing commands in the individual hosts
• In a nutshell:
- Containernet creates a virtual network on which we can deploy our applications
- Easily scalable (think how many containers can run in a host, as opposed to how many same
spec’ed VMs can coexist in a host)
- Access to all hosts in the virtual network
- Ability to change network conditions to trigger failures/testing scenarios
[Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet2](https://image.slidesharecdn.com/draftfastprototypingwithdpdkandebpfincontainernet-180720185101/85/Draft-Fast-Prototyping-with-DPDK-and-eBPF-in-Containernet-2-320.jpg)
![eBPF in Containernet
• eBPF stands for extended Berkely Packet Filter. It allows a user defined program to process
packets inside the kernel without having to stop or recompile the kernel.
• How does it work?
- Linux kernel since 3.15, more features added to later kernel versions
- Small VM inside the kernel that can load and execute compiled code from user space
- Verifier and loop free requirements to guarantee program will finish
- Has multiple helper functions that can actually modify the packets in kernel
- Programs can be attached to multiple points. We will examine 2 points:
- Ingress at a node at XDP (Express Data Path)
- Egress at tc (traffic controller in kernel)
- iovisor/bcc project https://github.com/iovisor/bcc facilitates loading and setup of programs. We will
show how it can be setup to load filters at the 2 points mentioned above
• In a nutshell
- Supports in-kernel packet filtering at a running server without having to modify the kernel
(assuming certain conditions are met)
- Transparent to applications, have access to packets before and after applications have processed
them, so one ideal place where we can apply network function
[Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet3](https://image.slidesharecdn.com/draftfastprototypingwithdpdkandebpfincontainernet-180720185101/85/Draft-Fast-Prototyping-with-DPDK-and-eBPF-in-Containernet-3-320.jpg)
![DPDK & eBPF in Containernet
• DPDK stands for Data Plane Development Kit. It is an open source project managed by the Linux
Foundation and supports fast packet processing via a set of libraries and drivers for NICs.
• How does it work?
- DPDK provides an Environmental Abstraction Layer (EAL) that lets DPDK work in different
hardware and operating systems.
- Devices in the host are released from the kernel and bound directly to the DPDK application via
EAL’s drivers and libraries (there is a kernel module just to initialize the device and assign the PCI
interface only).
- Techniques to improve speed:
- Packets arriving are processed directly by the DPDK app, without going through kernel
processing
- Use of Poll Mode Driver (instead of interrupts)
- …
• In a nutshell:
- Fast packet processing achieves high throughput so we can use commodity hardware to perform
specialized network functions
[Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet4](https://image.slidesharecdn.com/draftfastprototypingwithdpdkandebpfincontainernet-180720185101/85/Draft-Fast-Prototyping-with-DPDK-and-eBPF-in-Containernet-4-320.jpg)
![Fast Prototyping with DPDK & eBPF in Containernet
• DPDK and eBPF are great tools for developing network functions
- DPDK can be used where we want to use commodity hardware to perform specialized network
functions
- eBPF can be used to support functionality needed on application server without disrupting the
host
• Prototyping with the 2 of them require a testbed where to run the functions written
- Multiple VMs on a single server can quickly exhaust the resources in the server
- Lab environment can be slow and/or hard to scale for testing purposes
- Production networks are (understandably) fiercely guarded by network operators to prevent
disruptions
• Containernet is the ideal environment to prototype network functions
- Scales much better than the VM scenario
- DPDK has PMD that supports running applications in Containernet (so we can verify correct
functionality of the functions we write)
- eBPF filters can be deployed in Containernet
- Access to all hosts in the network and most tools needed for debugging (wireshark, tcpdump,
dropwatch on the host, etc)
- Easily verify outcome of the functions written, rewrite fast and re-verify fast
[Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet5](https://image.slidesharecdn.com/draftfastprototypingwithdpdkandebpfincontainernet-180720185101/85/Draft-Fast-Prototyping-with-DPDK-and-eBPF-in-Containernet-5-320.jpg)
![Demo Proposed
• Create a network in Containernet, go through steps of the python script and show how the network
is setup and configured
• Run GoBGP containers and show how routes can be altered (truly emulate a real network)
• Run client DPDK application generating traffic
• Run network function developed in DPDK to forward traffic to application server
• Run eBPF filters in the application server responsible for processing incoming traffic and return
traffic directly to client
[Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet6](https://image.slidesharecdn.com/draftfastprototypingwithdpdkandebpfincontainernet-180720185101/85/Draft-Fast-Prototyping-with-DPDK-and-eBPF-in-Containernet-6-320.jpg)
![[Draft] Fast Prototyping with DPDK and eBPF in Containernet](https://image.slidesharecdn.com/draftfastprototypingwithdpdkandebpfincontainernet-180720185101/85/Draft-Fast-Prototyping-with-DPDK-and-eBPF-in-Containernet-7-320.jpg)
[Draft] Fast Prototyping with DPDK and eBPF in Containernet
- 1. [Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet July 18, 2018
- 2. Containernet • Containernet is a fork of the mininet project, which supports using Docker containers as hosts in emulated networks. - https://containernet.github.io/ • How does it work? - Uses network namespaces to simulate multiple networking stacks (i.e., hosts) in a single machine - Uses veth to connect hosts - Written mostly in Python that wraps all the network namespace and veth setup and configuration - Exports an API that can be used to create a network on the fly - Supports executing commands in the individual hosts • In a nutshell: - Containernet creates a virtual network on which we can deploy our applications - Easily scalable (think how many containers can run in a host, as opposed to how many same spec’ed VMs can coexist in a host) - Access to all hosts in the virtual network - Ability to change network conditions to trigger failures/testing scenarios [Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet2
- 3. eBPF in Containernet • eBPF stands for extended Berkely Packet Filter. It allows a user defined program to process packets inside the kernel without having to stop or recompile the kernel. • How does it work? - Linux kernel since 3.15, more features added to later kernel versions - Small VM inside the kernel that can load and execute compiled code from user space - Verifier and loop free requirements to guarantee program will finish - Has multiple helper functions that can actually modify the packets in kernel - Programs can be attached to multiple points. We will examine 2 points: - Ingress at a node at XDP (Express Data Path) - Egress at tc (traffic controller in kernel) - iovisor/bcc project https://github.com/iovisor/bcc facilitates loading and setup of programs. We will show how it can be setup to load filters at the 2 points mentioned above • In a nutshell - Supports in-kernel packet filtering at a running server without having to modify the kernel (assuming certain conditions are met) - Transparent to applications, have access to packets before and after applications have processed them, so one ideal place where we can apply network function [Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet3
- 4. DPDK & eBPF in Containernet • DPDK stands for Data Plane Development Kit. It is an open source project managed by the Linux Foundation and supports fast packet processing via a set of libraries and drivers for NICs. • How does it work? - DPDK provides an Environmental Abstraction Layer (EAL) that lets DPDK work in different hardware and operating systems. - Devices in the host are released from the kernel and bound directly to the DPDK application via EAL’s drivers and libraries (there is a kernel module just to initialize the device and assign the PCI interface only). - Techniques to improve speed: - Packets arriving are processed directly by the DPDK app, without going through kernel processing - Use of Poll Mode Driver (instead of interrupts) - … • In a nutshell: - Fast packet processing achieves high throughput so we can use commodity hardware to perform specialized network functions [Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet4
- 5. Fast Prototyping with DPDK & eBPF in Containernet • DPDK and eBPF are great tools for developing network functions - DPDK can be used where we want to use commodity hardware to perform specialized network functions - eBPF can be used to support functionality needed on application server without disrupting the host • Prototyping with the 2 of them require a testbed where to run the functions written - Multiple VMs on a single server can quickly exhaust the resources in the server - Lab environment can be slow and/or hard to scale for testing purposes - Production networks are (understandably) fiercely guarded by network operators to prevent disruptions • Containernet is the ideal environment to prototype network functions - Scales much better than the VM scenario - DPDK has PMD that supports running applications in Containernet (so we can verify correct functionality of the functions we write) - eBPF filters can be deployed in Containernet - Access to all hosts in the network and most tools needed for debugging (wireshark, tcpdump, dropwatch on the host, etc) - Easily verify outcome of the functions written, rewrite fast and re-verify fast [Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet5
- 6. Demo Proposed • Create a network in Containernet, go through steps of the python script and show how the network is setup and configured • Run GoBGP containers and show how routes can be altered (truly emulate a real network) • Run client DPDK application generating traffic • Run network function developed in DPDK to forward traffic to application server • Run eBPF filters in the application server responsible for processing incoming traffic and return traffic directly to client [Unfinished Draft] Fast Prototyping with DPDK & eBPF in Containernet6