ebpf based container networking
play

eBPF Based Container Networking A Network Performance Comparison - PowerPoint PPT Presentation

Feb 13, 2023 •9 likes •309 views

eBPF Based Container Networking A Network Performance Comparison Nick de Bruijn July 4, 2017 University of Amsterdam Introduction Figure 1: Microservices and Containers 1 1

  1. eBPF Based Container Networking A Network Performance Comparison Nick de Bruijn July 4, 2017 University of Amsterdam

  2. Introduction Figure 1: Microservices and Containers 1 1 https://www.slideshare.net/Docker/cilium-network-and-application-security-with- bpf-and-xdp-thomas-graf-covalent-io 1/28

  3. Introduction - Iptables Iptables: • $ iptables -A INPUT -p tcp -s 10.0.0.23 –dport 80 -m conntrack –ctstate NEW -j ACCEPT 2/28

  4. Research Goal Research goal: • Evaluate the usability of Cilium as a packet filtering system in a container (Microservices) infrastructure. 3/28

  5. Research Questions • What throughput and latency we get in the case of using Cilium’s eBPF program and Linux’s Iptables as packet filter? • What effect does the number of security policies have on the throughput and latency in both cases? • Is there a turn point in performance when increasing the number of security policies? 4/28

  6. Background 5/28

  7. Docker Networking • Endpoints (Container eth0) • Virtual Ethernet devices (veth) • Bridge on the host (docker0) 1 Figure: https://success.docker.com/Architecture/Docker R eference A rchitecture 6/28

  8. Docker Networking - Communication • Endpoints (Container eth0) • Virtual Ethernet devices (veth) • Bridge on the host (docker0) Packet filtering: • On container 7/28

  9. Docker Networking - Communication Components: • Endpoints (Container eth0) • Virtual Ethernet devices (veth) • Bridge on the host (docker0) Packet filtering: • On container • On the bridge 8/28

  10. Iptables - Performance penalty? 2 • Uses chains with rules • Each chain contains 0 or more rules • Top down approach • Checks until match is found • So placement is important 2 Figure: http://www.iptables.info/en/structure-of-iptables.html 9/28

  11. What is Cilium? • Opensource project • Adds a layer on top of the existing container environment (Docker) • To improve container networking and policy enforcement • No Iptables / bridges • Relies on eBPF programs 10/28

  12. What is eBPF (extended Berkeley Packet Filter)? eBPF is used to extend the functionality of the kernel at runtime. • It’s effectively a small kernel based machine • 10 64bit registers • 512 byte stack • Data structures are known as maps • Has a verifier to ensure the program is safe • No loops, max 4k instructions, no more then 64 maps. 11/28

  13. eBPF Figure 2: eBPF Overview 3 3 https://www.slideshare.net/Docker/cilium-bpf-xdp-for-containers-66969823 12/28

  14. extended Berkley Packet Filter - Functionality 1. Rewrite packet content 2. Extend/trim packet size 3. Redirect to other netdevices 4. Enforce policies 5. On the fly program generation 13/28

  15. Cilium - Network with eBPF Figure 3: eBPF with Cilium 4 14/28 4 https://www.slideshare.net/Docker/cilium-bpf-xdp-for-containers-66969823

  16. Cilium - Policies Figure 4: Cilium Policy Using Json 15/28

  17. Approach 16/28

  18. Approach - Docker environment 17/28

  19. Approach - Cilium environment 18/28

  20. Approach - Scenario Performed tests on two scenarios: • Localhost • And Multi-host For each scenario we are interested in: • The throughput and latency with no additional policies/rules. • The change in performance whenever we start to increase the number of policies/rules. 19/28

  21. Approach - Experiments • Using Iperf3 to send a TCP STREAM • Using Netperf to send a TCP RR (Request Response) • Every test runs 1 minute. Every test is performed 10 times to determine the variation • Every test runs with 0, 1, 5, 10, 25, 50, 100, and 200 policies 20/28

  22. Results 21/28

  23. Results - Throughput Localhost Figure 5: Throughput - localhost (Higher is better) • Cilium’s eBPF approach outperforms the IPtable approach. • Number of Cilium policies does not affect the throughput • Number of no matching Iptables rules greatly affect the throughput 22/28

  24. Results - Latency Localhost Figure 6: TCP Latency - localhost (Lower is better) • Same observation as the throughput • Cilium’s eBPF approach has a lower latency 23/28

  25. Results - Throughput Remote Containers Figure 7: TCP Throughput - Remote Host (Higher is better) • Different observation than on Localhost • Cilium’s eBPF seems to perform less • Iptables show no performs penalty until 1000 policies 24/28

  26. Results - Latency Remote Containers Figure 8: TCP Latency - Remote Host (Lower is better) • Same observation as the remote throughput • Cilium’s eBPF approach has a higher latency 25/28

  27. Conclusion 26/28

  28. Conclusion Overal: 1. Cilium seems like a promising project. 2. We can define L3, L4, and L7 policies Performance wise: 1. The performance is not influenced by number of policies. 2. Cilium shows to perform better in the situation of local containers. 3. Room for improvements for multi-host enviornments 27/28

  29. Open issues & Future work • Test the VXLAN overlay overhead used by Docker and Cilium • Do Kernel traces to get a better understanding of which path packets take in the kernel. • Optimize both approaches to see what the best possible throughput and latency can be reached for each approach. • Test Cilium using XDP to offload the system. 28/28

  30. Thank you for your attention, Questions? 28/28

Recommend

Simplify Container Networking With iCAN Huawei Cloud Network Lab Container Network Defined By

Simplify Container Networking With iCAN Huawei Cloud Network Lab Container Network Defined By

Simplify Container Networking With iCAN Huawei Cloud Network Lab Container Network Defined By Application 2 What we face today Automation Deployment and Orchestration: Automate deploy resource for application based on Application SLA

561 views • 18 slides
eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why

eBPF Offload to Hardware: cls_bpf and XDP Motivation - Avoiding Whack-a-mole Motivation - Why eBPF? Target architecture (NFP based NIC) RX Path Flow of eBPF Packet The Flow Processing Core (Fully Programmable) Mapping eBPF -> NFP

668 views • 24 slides
eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium

eBPF and XDP walkthrough and recent updates Daniel Borkmann <daniel@iogearbox.net> cilium project fosdem17, February 4, 2017 Daniel Borkmann eBPF in tcs cls bpf and XDP February 4, 2017 1 / 11 Big Picture: eBPF and Networking eBPF:

476 views • 11 slides
Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge,

Calico Networking with eBPF Shaun Crampton, Core Developer for Project Calico Chris Hoge, Developer Advocate for Project Calico What prompted the team to add another dataplane to Calico? Calicos Pluggable Dataplane What is eBPF?

312 views • 20 slides
Up Cloud Native Networking with eBPF Next Technical Track Presentation Raymond Maika

Up Cloud Native Networking with eBPF Next Technical Track Presentation Raymond Maika

Up Cloud Native Networking with eBPF Next Technical Track Presentation Raymond Maika Engineering Team Lead Agenda Cloud Native networking CNI Plugin landscape Cilium Overview Policy Overview Policy Enforcement in Cilium

532 views • 12 slides
Networking approaches in a Container World Who we are Flavio Castelli Neil Jerram Antoni

Networking approaches in a Container World Who we are Flavio Castelli Neil Jerram Antoni

Networking approaches in a Container World Who we are Flavio Castelli Neil Jerram Antoni Segura Puimedon Engineering Manager Senior Sw. Engineer Principal Sw. Engineer Disclaimer There a many container engines, well focus on Docker

489 views • 36 slides
Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q.

FOSDEM20 Brussels, 2020-02-01 Endless Network Programming An Update from eBPF Land Quentin Monnet @qeole Outline Q. Monnet eBPF Update 2/18 eBPF Basics New Features eBPF Universe eBPF Basics Q. Monnet

531 views • 18 slides
gobpf utilizing eBPF from Go FOSDEM 2017-02-05 michael@kinvolk.io

gobpf utilizing eBPF from Go FOSDEM 2017-02-05 michael@kinvolk.io

gobpf utilizing eBPF from Go FOSDEM 2017-02-05 michael@kinvolk.io bpf_trace_printk("hello"); Michael, Software Engineer at Kinvolk We mostly work on Linux core system software (kernel, container, etc.) and like it!

924 views • 32 slides
Scalable VM and Container Networking using /32bit subnets and BGP routing Andrew Yongjoon Kong 2

Scalable VM and Container Networking using /32bit subnets and BGP routing Andrew Yongjoon Kong 2

L.T.H. Scalable VM and Container Networking using /32bit subnets and BGP routing Andrew Yongjoon Kong 2 nd largest search and portal The Peaceful operation When were running out of resources ( cpu, memory, disk ), Just add new( or

628 views • 33 slides
The NSX Terraform Provider The NSX Terraform provider gives the NSX administrator a way to

The NSX Terraform Provider The NSX Terraform provider gives the NSX administrator a way to

The NSX Terraform Provider The NSX Terraform provider gives the NSX administrator a way to automate NSX to provide virtualized networking and security services using both ESXi and KVM based hypervisor hosts as well as container networking and

1.68k views • 150 slides
Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers

Scaling container policy management with kernel features Joe Stringer Cilium.io Linux Plumbers 2019, Lisbon, Portugal Joe Stringer Scaling container policy with eBPF Sep 11, 2019 1 / 29 Overview 1 Background 2 Deploying fast datapaths fast

831 views • 53 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena

Secure Kubernetes Container Workloads with Production-Grade Networking Cynthia Thomas Irena Berezovsky Tim Hockin CIA IT operations have top secret apps for their agents, most of which require isolation Antoni is in Ops and wants to help CIA

458 views • 31 slides
Container Networking Gaetano Borgione Gaetano Borgione Sr. Staff Engineer @ VMware Sr. Staff

Container Networking Gaetano Borgione Gaetano Borgione Sr. Staff Engineer @ VMware Sr. Staff

Container Networking Gaetano Borgione Gaetano Borgione Sr. Staff Engineer @ VMware Sr. Staff Engineer Gaetano Borgione Senior Staff Engineer Cloud Native Applications VMWare SDN Technologies @ PLUMgrid Data Center Networking @ Cisco

680 views • 57 slides
A Gentle Introduction to Container-based CI for Coq projects rik Martin-Dorel ACADIE team /

A Gentle Introduction to Container-based CI for Coq projects rik Martin-Dorel ACADIE team /

Introduction to Container-based CI/CD Presentation of docker-coq About docker-keeper and concluding remarks A Gentle Introduction to Container-based CI for Coq projects rik Martin-Dorel ACADIE team / IRIT lab. / Univ. Toulouse III - Paul

524 views • 25 slides
Beyond per-CPU atomics and rseq syscall: subset of eBPF bytecode for the do_on_cpu syscall

Beyond per-CPU atomics and rseq syscall: subset of eBPF bytecode for the do_on_cpu syscall

Linux Plumbers Conference 2019 eBPF conf Beyond per-CPU atomics and rseq syscall: subset of eBPF bytecode for the do_on_cpu syscall mathieu.desnoyers@efcios.com Restartable Sequences (RSEQ) in a nutshell System call registering

457 views • 9 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

612 views • 45 slides
Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018

Bri Bring nging ng the the Power r of eB eBPF to to Open vSwitch ch Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io 1 Outline Introduction and Motivation OVS-eBPF Project

429 views • 39 slides
Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal

Replacing iptables with eBPF in Kubernetes with Cilium Cilium, eBPF, Envoy, Istio, Hubble Michal Rostecki Swaminathan Vasudevan Software Engineer Software Engineer mrostecki@suse.com svasudevan@suse.com mrostecki@opensuse.org Whats

2.06k views • 52 slides
Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene

Introduction Container Library Container Tools FUSE Container File System Evaluation Container Library and FUSE Container File System Softwarepraktikum f ur Fortgeschrittene Michael Kuhn Parallele und Verteilte Systeme Institut f ur

353 views • 22 slides
Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of Internet Speaking to a host end-to-end channel Communication security container-based authenticity: X.509, Certificate

678 views • 57 slides
Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT,

Security Monitoring with eBPF ALEX MAESTRETTI - MANAGER, SIRT BRENDAN GREGG - Sr ARCHITECT, PERFORMANCE The Brief. Extended Berkley Packet Filter (eBPF) is a new Linux feature which allows safe and efficient monitoring of kernel functions.

593 views • 27 slides
New (and Exciting!) Developments in Linux Tracing Elena Zannoni (elena.zannoni@oracle.com) Linux

New (and Exciting!) Developments in Linux Tracing Elena Zannoni (elena.zannoni@oracle.com) Linux

<Insert Picture Here> New (and Exciting!) Developments in Linux Tracing Elena Zannoni (elena.zannoni@oracle.com) Linux Engineering, Oracle America Linuxcon Japan 2015 Overview BPF eBPF eBPF main concepts and elements eBPF

601 views • 42 slides
Troubleshooting for Intent-based Networking Joon-Myung Kang and Mario A. Snchez Hewlett

Troubleshooting for Intent-based Networking Joon-Myung Kang and Mario A. Snchez Hewlett

Open Networking Summit 2017 Troubleshooting for Intent-based Networking Joon-Myung Kang and Mario A. Snchez Hewlett Packard Labs Intent-based Networking Policy Graph Abstraction and Demo Troubleshooting and Demo QnA 2 Software-Defined

613 views • 37 slides

More recommend