Révolution eBPF - un noyau dynamique
Download as PPTX, PDF0 likes220 views
The document discusses eBPF (extended Berkeley Packet Filter), highlighting its role in making the Linux kernel programmable for functionalities like observability, networking, and security. It covers various use cases and existing projects such as Cilium for enhanced performance and security in cloud-native environments. The future of eBPF is also explored, indicating potential advancements in interoperability across platforms and improved device performance.
![Networking: NAT46/NAT64
#KCDFrance 2023
DNS64
NAT64
[64:ff9b::<z>] -> [<z>]
IPv6 Single Stack
K8s cluster
bar.com
A 4.3.2.1
DNS
bar.com
AAAA 64:ff9b::4.3.2.1
SYN 64:ff9b::4.3.2.1
IPv4 / Internet
SYN 4.3.2.1
ext. node
(Dual Stack)
@raphink | @raphink@hachyderm.io https://www.youtube.com/watch?v=Kvdh78TURck](https://image.slidesharecdn.com/kcdparis2023ebpf-230308080258-60bfef34/85/Revolution-eBPF-un-noyau-dynamique-57-320.jpg)
Révolution eBPF - un noyau dynamique
- 1. Révolution eBPF Un noyau Linux dynamique Speaker : Raphaël Pinson, @raphink | @raphink@hachyderm.io #KCDFrance 2023
- 2. ⬢ What is eBPF? #KCDFrance 2023 Agenda @raphink | @raphink@hachyderm.io
- 3. ⬢ What is eBPF? ⬢ Principles #KCDFrance 2023 Agenda @raphink | @raphink@hachyderm.io
- 4. ⬢ What is eBPF? ⬢ Principles ⬢ Observability #KCDFrance 2023 Agenda @raphink | @raphink@hachyderm.io
- 5. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking #KCDFrance 2023 Agenda @raphink | @raphink@hachyderm.io
- 6. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security #KCDFrance 2023 Agenda @raphink | @raphink@hachyderm.io
- 7. ⬢ What is eBPF? ⬢ Principles ⬢ Observability ⬢ Networking ⬢ Security ⬢ The Future #KCDFrance 2023 Agenda @raphink | @raphink@hachyderm.io
- 8. The Linux Kernel #KCDFrance 2023 The Power Behind Modern Technology - From cars to servers to fridges - Foundation of the GNU/Linux operating system - Most widely used operating system in the world - Powers the vast majority of: - embedded systems / IoT - Cloud Server - Super Computers @raphink | @raphink@hachyderm.io
- 9. Before #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 10. With #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 11. Have you used eBPF? #KCDFrance 2023 eBPF is already used in many places - Load balancing - DDOS protection on large Internet platforms - Kernel live-patching (5.7+ with LSM/eBPF) - Android (e.g. app data stats) @raphink | @raphink@hachyderm.io
- 12. Who am I #KCDFrance 2023 Raphaël Pinson Solutions Architect @ Isovalent @raphink | @raphink@hachyderm.io
- 13. #KCDFrance 2023 What is eBPF? @raphink | @raphink@hachyderm.io
- 14. #KCDFrance 2023 Makes the Linux kernel programmable in a secure and efficient way. “What JavaScript is to the browser, eBPF is to the Linux Kernel” @raphink | @raphink@hachyderm.io
- 15. #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 16. #KCDFrance 2023 Principles @raphink | @raphink@hachyderm.io
- 17. How does it work? #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 18. How does it work? #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 19. How does it work? #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 20. How does it work? #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 21. How does it work? #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 22. How does it work? #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 23. How does it work? #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 24. How does it work? #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 25. eBPF Helpers #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 26. Stacks & hooks #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 27. BPF / user-space communication #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 28. SDK (cilium/ebpf) #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 29. SDK (cilium/ebpf) #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 30. SDK (cilium/ebpf) #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 31. SDK (cilium/ebpf) #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 32. Safety #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 33. Performance #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 34. Cloud Native Identities #KCDFrance 2023 eBPF “understands” Cloud Native identities: - in kernel observability - in network traffic - in kernel security @raphink | @raphink@hachyderm.io
- 35. eBPF Projects and SDKs #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 36. Cilium & Friends #KCDFrance 2023 - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium @raphink | @raphink@hachyderm.io
- 37. Cilium & Friends #KCDFrance 2023 - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium Hubble - fine-grained network observability - exports to SIEM - support for OpenTelemetry @raphink | @raphink@hachyderm.io
- 38. Cilium & Friends #KCDFrance 2023 - performance gains (no need for iptables, bypass TCP/IP) - simpler architecture (e.g. no sidecar proxy for Service Mesh) Cilium Hubble - fine-grained network observability - exports to SIEM - support for OpenTelemetry Tetragon - observe & export kernel events - act on events (e.g. SIGKILL) @raphink | @raphink@hachyderm.io
- 39. #KCDFrance 2023 Observability @raphink | @raphink@hachyderm.io
- 40. Observability #KCDFrance 2023 Observe directly in the kernel - Low-overhead tracing/observability - Example: network performance / SRTT / micro-bursts - HTTP / TLS in-kernel visibility - Troubleshooting prod on the fly (see bpftrace) @raphink | @raphink@hachyderm.io
- 41. Observability #KCDFrance 2023 Observe directly in the kernel - Low-overhead tracing/observability - Example: network performance / SRTT / micro-bursts - HTTP / TLS in-kernel visibility - Troubleshooting prod on the fly (see bpftrace) Example software - BCC - bpftrace - Cilium (network) - Cilium Tetragon (system) @raphink | @raphink@hachyderm.io
- 42. Observability: bpftrace #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 43. $ kubectl get pods NAME READY STATUS RESTARTS AGE tiefighter 1/1 Running 0 2m34s xwing 1/1 Running 0 2m34s deathstar-5b7489bc84-crlxh 1/1 Running 0 2m34s deathstar-5b7489bc84-j7qwq 1/1 Running 0 2m34s Observability: Hubble (CLI) #KCDFrance 2023 @raphink | @raphink@hachyderm.io $ hubble observe --follow -l class=xwing # ... # Successful HTTPS request to www.disney.com default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: SYN) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: SYN, ACK) www.disney.com:443 (world) -> default/xwing:37836 (ID:16092) to-endpoint FORWARDED (TCP Flags: ACK, FIN) default/xwing:37836 (ID:16092) -> www.disney.com:443 (world) to-stack FORWARDED (TCP Flags: RST) # DNS lookup to coredns default/xwing:41391 (ID:16092) -> kube-system/coredns-66bff467f8-28dgp:53 (ID:453) to-proxy FORWARDED (UDP) kube-system/coredns-66bff467f8-28dgp:53 (ID:453) -> default/xwing:41391 (ID:16092) to-endpoint FORWARDED (UDP) # ... # Blocked HTTP request to deathstar backend default/xwing:49610 (ID:16092) -> default/deathstar:80 (ID:16081) Policy denied DROPPED (TCP Flags: SYN)
- 44. Observability: Hubble (UI) #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 45. Observability: Cilium + Grafana ❤️ #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 46. Observability: Network Metrics (Hubble) #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 47. Observability: HTTP Metrics (Hubble) #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 48. Observability: Network Policy Verdicts #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 49. Observability: TLS (Tetragon) #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 50. Observability: Combined Network & Runtime #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 51. #KCDFrance 2023 Networking @raphink | @raphink@hachyderm.io
- 52. Networking #KCDFrance 2023 Bypass native kernel network stack: - eXpress Data Path (XDP) - TCP improvements (bandwidth manager, BBR, Big TCP) - NAT64/NAT46 - Performant load-balancing algorithms (Maglev) - Network Policies - Cluster Mesh - Egress Gateway - Sidecar-free service mesh - etc. @raphink | @raphink@hachyderm.io
- 53. Networking: XDP #KCDFrance 2023 Drop packets before they reach the kernel - E.g. packet of death, DDOS - XDP allows to drop packets before - they reach the kernel routing stack @raphink | @raphink@hachyderm.io
- 54. Networking: XDP #KCDFrance 2023 Drop packets before they reach the kernel - E.g. packet of death, DDOS - XDP allows to drop packets before - they reach the kernel routing stack Efficient Cloud Native LB - E.g. Socket Load Balancer @raphink | @raphink@hachyderm.io
- 55. Networking: IPtables vs eBPF #KCDFrance 2023 kube-proxy / iptables - Linear list / sieve - All rules have to be replaced as a whole eBPF based - Per-CPU hash table ⇒ more performant - Native metadata (e.g. Pod labels) ⇒ Cloud Native routing 🏆 @raphink | @raphink@hachyderm.io
- 56. Networking: BBR (TCP Congestion) #KCDFrance 2023 @raphink | @raphink@hachyderm.io https://isovalent.com/blog/post/accelerate-network-performance-with-cilium-bbr/
- 57. Networking: NAT46/NAT64 #KCDFrance 2023 DNS64 NAT64 [64:ff9b::<z>] -> [<z>] IPv6 Single Stack K8s cluster bar.com A 4.3.2.1 DNS bar.com AAAA 64:ff9b::4.3.2.1 SYN 64:ff9b::4.3.2.1 IPv4 / Internet SYN 4.3.2.1 ext. node (Dual Stack) @raphink | @raphink@hachyderm.io https://www.youtube.com/watch?v=Kvdh78TURck
- 58. Networking: Big TCP #KCDFrance 2023 2.2x lower p99 latency @raphink | @raphink@hachyderm.io https://www.youtube.com/watch?v=Kvdh78TURck
- 59. Networking: Sidecar-free Service Mesh #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 60. #KCDFrance 2023 Security @raphink | @raphink@hachyderm.io
- 61. Security #KCDFrance 2023 Observe and manipulate kernel events in real time - Performant and transparent process visibility - Metadata - Fix kernel bugs on the fly - Catch & kill @raphink | @raphink@hachyderm.io
- 62. Security Visibility & Enforcement #KCDFrance 2023 Traditional approaches - App instrumentation / LD_PRELOAD ⇒ bypassed by statically linked executables - ptrace(2) ⇒ TOCTTOU with syscalls - Existing Kernel Runtime Enforcement ⇒ can benefit from BPF (BPF LSM with kernel 5.7+) - Kernel module ⇒ stability & maintenance @raphink | @raphink@hachyderm.io
- 63. Security Visibility & Enforcement with eBPF #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 64. Security: Catch & Kill #KCDFrance 2023 @raphink | @raphink@hachyderm.io
- 65. #KCDFrance 2023 The Future @raphink | @raphink@hachyderm.io
- 66. To Infinity… and beyond 🚀 #KCDFrance 2023 - Improved device I/O perf with eBPF (XRP) - Support for 100% of C (in a safe way) - Cross-platform: - archs - compilers (LLVM/gcc) - platforms (Linux, Windows, etc.) - Towards a micro-kernel approach? @raphink | @raphink@hachyderm.io
- 67. #KCDFrance 2023 @raphink | @raphink@hachyderm.io All major cloud providers have picked -based Networking & Security for their Kubernetes platforms How about you?
- 68. eBPF resources #KCDFrance 2023 @raphink | @raphink@hachyderm.io eCHO eBPF YouTube podcast: https://www.youtube.com/channel/UCJFUxkVQTBJh3LD1w YBWvuQ eBPF & Cilium Slack http://slack.cilium.io/ eCHO News Bi-weekly eBPF newsletter: https://cilium.io/newsletter/
- 69. Workshops #KCDFrance 2023 @raphink | @raphink@hachyderm.io Paris 23 mai 2023 🌐 isovalent.com/workshop-tour