stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill Mulligan

NETWAYS | 72 slides | Jul 02, 2024

About This Presentation

The buzz around the Linux kernel technology eBPF is growing quickly and it can be hard to know where to start or how to keep up with this technology that is reshaping our infrastructure stack. In this talk, Bill will trace how he got into eBPF, explore some of the applications leveraging eBPF today,...


Slide Content

Buzzing Across the eBPF
Landscape and Into the
Hive
Bill Mulligan | @breakawaybilly
Community Pollinator, Isovalent at Cisco

A Vision for eBPF Inside

eBPF
Buzz or Byte?

Kernel Space/User Space “Paradox”
●Kernel: System awareness, but lacks flexibility
●User space: Programmable, but no direct access to kernel structures, resources
●Kernel modules: Difficult, unsafe, not stable
Flexibility
Performance
Visibility

Kernel Space/User Space “Paradox”
Can we have programmability in
the kernel?


Flexibility
Performance
Visibility

What is ?

What is ?
eBPF makes the Linux kernel programmable

Makes the Linux kernel
programmable in a secure
and efficient way.
“What JavaScript is to the
browser, eBPF is to the
Linux Kernel”

"BPF has actually been really useful, and the real power of it
is how it allows people to do specialized code that isn't
enabled until asked for"
- Linus Torvalds

Dynamically Change Kernel
Behavior

“Superpowers for Linux”
- Brendan Gregg

Vision

eBPF is the Cloud Native App Store
https://commons.wikimedia.org/wiki/File:Steve_Jobs_presents_iPhone.jpg

Safe and Performant
Changes to Kernel Behavior

Run eBPF programs on events
Attachment points
●Kernel functions (kprobes)
●Userspace functions (uprobes)
●System calls
●Tracepoints
●Sockets (data level)
●Network devices (packet level)
●Network device (DMA level) [XDP]
●...

Safety: eBPF Verifier
●Programs will run to completion (the verifier rejects unbounded loops and over-long programs before they are loaded)
●Does not crash or otherwise harm the system (every memory access and helper call is checked at load time, not at run time)
●Only privileged users are allowed to load (CAP_BPF plus CAP_PERFMON or CAP_NET_ADMIN on recent kernels, CAP_SYS_ADMIN on older ones)

Performance: In Kernel & JIT Compiler
●Translates program bytecode into the machine-specific instruction set to optimize execution speed of the program
●Runs as efficiently as natively compiled kernel code

Performance

Shared Memory: BPF maps
Between eBPF programs and between kernel and user space
●No data loss
●More performant

eBPF
Today

[Diagram: pods and containers in userspace; network call, read file, run process all go through the kernel. One kernel per host]
[Diagram: apps and pods in userspace; networking, access files, create containers all go through the kernel. Kernel aware of everything on the host]

[Diagram: apps and pods in userspace make network calls, read files, run processes; eBPF programs in the kernel can see everything]

[Diagram: same picture; eBPF programs can see everything, with no changes to code or config]

Flexibility
Performance
Visibility
eBPF in Kernel Space
In the kernel but flexible

Safety, performance, observability,
and programmability

Available by default

Real world
Use Cases

Networking

-Networking
-Security
-Observability
-Service Mesh & Ingress
-based:
Foundation Technology
Over 120 USERS.md entries

Vision
Intent & identity-based, high performance
container networking platform built using eBPF
The Beginning

Network Security 1.0

Cluster Mesh
Adding reach to end-to-end network security and observability

Load Balancer
Adding reach to end-to-end network security and observability

Observability

Hubble

eBPF networking +
observability
$ hubble observe --namespace demo-app --label "app=frontend" --protocol tcp

Oct 12 06:06:05.907: demo-app/frontend-5f47758b4c-ltk46:55028 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) policy-verdict:L3-L4 ALLOWED (TCP Flags: SYN)
Oct 12 06:06:05.907: demo-app/frontend-5f47758b4c-ltk46:55028 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) policy-verdict:L3-L4 ALLOWED (TCP Flags: SYN)
Oct 12 06:06:05.907: demo-app/frontend-5f47758b4c-ltk46:55028 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) to-endpoint FORWARDED (TCP Flags: SYN)
Oct 12 06:06:06.920: demo-app/frontend-5f47758b4c-ltk46:55028 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) to-endpoint FORWARDED (TCP Flags: SYN)
Oct 12 06:06:08.934: demo-app/frontend-5f47758b4c-ltk46:55028 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) to-endpoint FORWARDED (TCP Flags: SYN)

eBPF networking +
observability
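The Hubble output above is worth reading closely: the policy verdict is ALLOWED, yet the same SYN from port 55028 is forwarded three times at 1 s and 2 s intervals and no SYN/ACK ever comes back, which is what a TCP client retransmitting against a non-responding backend looks like. The script below is an added example, not part of the talk or of the Hubble project: it parses `hubble observe` text lines, separates policy drops from allowed-but-unanswered handshakes, and reports both. The first four flow lines are taken from the slide; the remaining four (a denied flow to a db pod and a handshake that does complete) are constructed for the example, and the pod names and identities in them are assumptions.

```python
import re

# Flow records in the text format printed by `hubble observe`. The first four
# lines are from the slide; the last four are constructed for this example
# (a policy denial and a handshake that does complete) and are not from the talk.
SAMPLE_FLOWS = """\
Oct 12 06:06:05.907: demo-app/frontend-5f47758b4c-ltk46:55028 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) policy-verdict:L3-L4 ALLOWED (TCP Flags: SYN)
Oct 12 06:06:05.907: demo-app/frontend-5f47758b4c-ltk46:55028 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) to-endpoint FORWARDED (TCP Flags: SYN)
Oct 12 06:06:06.920: demo-app/frontend-5f47758b4c-ltk46:55028 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) to-endpoint FORWARDED (TCP Flags: SYN)
Oct 12 06:06:08.934: demo-app/frontend-5f47758b4c-ltk46:55028 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) to-endpoint FORWARDED (TCP Flags: SYN)
Oct 12 06:06:09.101: demo-app/frontend-5f47758b4c-ltk46:55031 (ID:14943) -> demo-app/db-7c9f6d5b8-q2xzp:5432 (ID:15501) policy-verdict:none DENIED (TCP Flags: SYN)
Oct 12 06:06:09.101: demo-app/frontend-5f47758b4c-ltk46:55031 (ID:14943) -> demo-app/db-7c9f6d5b8-q2xzp:5432 (ID:15501) Policy denied DROPPED (TCP Flags: SYN)
Oct 12 06:06:09.150: demo-app/frontend-5f47758b4c-ltk46:55032 (ID:14943) -> demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) to-endpoint FORWARDED (TCP Flags: SYN)
Oct 12 06:06:09.151: demo-app/worker-dcdc797d9-n9fj2:8000 (ID:15426) -> demo-app/frontend-5f47758b4c-ltk46:55032 (ID:14943) to-endpoint FORWARDED (TCP Flags: SYN, ACK)
"""

# One hubble flow line: timestamp, src pod:port (identity) -> dst pod:port (identity),
# an event description, a verdict word, and the TCP flags.
FLOW_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<src>[^:\s]+):\s*(?P<sport>\d+) \(ID:(?P<sid>\d+)\) -> "
    r"(?P<dst>[^:\s]+):\s*(?P<dport>\d+) \(ID:(?P<did>\d+)\) "
    r"(?P<event>.+?) (?P<verdict>[A-Z]+) \(TCP Flags: (?P<flags>[^)]+)\)$"
)


def parse_flows(text):
    """Parse hubble text output into dicts; raise on a line we do not understand."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hubble line: {line}")
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        d["flags"] = {f.strip() for f in d["flags"].split(",")}
        flows.append(d)
    return flows


def find_policy_drops(flows):
    """Flows the datapath refused: these are the ones network policy explains."""
    return [
        (f["src"], f["dst"], f["dport"], f["event"])
        for f in flows
        if f["verdict"] in ("DROPPED", "DENIED")
    ]


def find_unanswered_syns(flows, min_retries=2):
    """Forwarded SYNs repeated more than min_retries times with no SYN/ACK seen
    in the reverse direction: policy allowed the flow but the peer never answered."""
    syn_count = {}
    synack_seen = set()
    for f in flows:
        if f["verdict"] != "FORWARDED":
            continue
        key = (f["src"], f["sport"], f["dst"], f["dport"])
        if f["flags"] == {"SYN"}:
            syn_count[key] = syn_count.get(key, 0) + 1
        elif {"SYN", "ACK"} <= f["flags"]:
            # Reverse the tuple so it matches the key of the original SYN.
            synack_seen.add((f["dst"], f["dport"], f["src"], f["sport"]))
    return sorted(
        (key, n) for key, n in syn_count.items()
        if n > min_retries and key not in synack_seen
    )


def report(text):
    flows = parse_flows(text)
    return {
        "policy_drops": find_policy_drops(flows),
        "unanswered_syns": find_unanswered_syns(flows),
    }


if __name__ == "__main__":
    for kind, items in report(SAMPLE_FLOWS).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The distinction matters in practice: a DROPPED flow is a policy problem and the fix is a CiliumNetworkPolicy change, while an allowed SYN that is retransmitted with no reply points at the destination pod (nothing listening on 8000, a readiness gap, or a host firewall), which no amount of policy editing will solve.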

Security

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "etc-files"
spec:
  kprobes:
  # fd_install runs when a file descriptor is installed, i.e. after a
  # successful open; hooking it sees every file the process gets a handle on.
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    # Only report files whose path starts with /etc/ (argument 1 is the struct file).
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/"


$ kubectl logs ds/tetragon -c export-stdout -f | tetragon observe
🚀 process default/xwing /usr/bin/vi /etc/passwd
📬 open    default/xwing /usr/bin/vi /etc/passwd
📪 close   default/xwing /usr/bin/vi
📬 open    default/xwing /usr/bin/vi /etc/passwd
📝 write   default/xwing /usr/bin/vi /etc/passwd 1275 bytes
📪 close   default/xwing /usr/bin/vi
💥 exit    default/xwing /usr/bin/vi /etc/passwd 0
Security observability
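The event stream above is raw: one `open` on /etc/passwd by a read-only tool looks the same as the first `open` of an editor that is about to rewrite the file. What makes it security observability is correlating the process, open and write events per pod and binary. The script below is an added example, not part of the talk or of the Tetragon project: it parses the compact event lines, flags writes under /etc/, and summarises which binaries only read and which modified something. The first seven lines are the slide's; the `cat /etc/hostname` sequence and the write to /tmp are constructed for the example and are assumptions.

```python
import re

# Events in the compact text format of the Tetragon CLI. The first seven lines
# are the slide's output; the remaining five are constructed for this example
# (a read-only look at /etc/hostname, and a write outside /etc) and are not
# from the talk.
SAMPLE_EVENTS = """\
🚀 process default/xwing /usr/bin/vi /etc/passwd
📬 open    default/xwing /usr/bin/vi /etc/passwd
📪 close   default/xwing /usr/bin/vi
📬 open    default/xwing /usr/bin/vi /etc/passwd
📝 write   default/xwing /usr/bin/vi /etc/passwd 1275 bytes
📪 close   default/xwing /usr/bin/vi
💥 exit    default/xwing /usr/bin/vi /etc/passwd 0
🚀 process default/xwing /usr/bin/cat /etc/hostname
📬 open    default/xwing /usr/bin/cat /etc/hostname
📪 close   default/xwing /usr/bin/cat
💥 exit    default/xwing /usr/bin/cat /etc/hostname 0
📝 write   default/xwing /usr/bin/vi /tmp/scratch.txt 12 bytes
"""

# Compact line: optional emoji marker, event kind, namespace/pod, binary, then
# event-specific trailing fields (path, byte count, exit code).
EVENT_RE = re.compile(
    r"^(?:[^\w\s]+\s+)?"
    r"(?P<kind>process|open|close|read|write|exit)\s+"
    r"(?P<pod>\S+)\s+(?P<binary>\S+)(?:\s+(?P<rest>.*))?$"
)


def parse_events(text):
    """Turn compact Tetragon lines into dicts; raise on an unrecognised line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised tetragon line: {line}")
        kind, pod, binary, rest = m.group("kind", "pod", "binary", "rest")
        rest = (rest or "").split()
        ev = {"kind": kind, "pod": pod, "binary": binary,
              "path": None, "bytes": None, "exit_code": None}
        if rest:
            # First trailing field is the file path (or argv[1] for process/exit).
            ev["path"] = rest[0]
        if kind in ("read", "write") and len(rest) >= 3 and rest[-1] == "bytes":
            ev["bytes"] = int(rest[-2])
        if kind == "exit" and len(rest) >= 2:
            ev["exit_code"] = int(rest[-1])
        events.append(ev)
    return events


def detect_etc_writes(events, prefixes=("/etc/",)):
    """Alert on every write whose path starts with one of the watched prefixes."""
    return [
        {"pod": ev["pod"], "binary": ev["binary"],
         "path": ev["path"], "bytes": ev["bytes"]}
        for ev in events
        if ev["kind"] == "write" and ev["path"] and ev["path"].startswith(prefixes)
    ]


def summarize_etc_access(events, prefix="/etc/"):
    """Per (pod, binary): which /etc paths were opened and which were written,
    so a read-only consumer can be told apart from a process that changed a file."""
    summary = {}
    for ev in events:
        if ev["kind"] not in ("open", "write"):
            continue
        if not ev["path"] or not ev["path"].startswith(prefix):
            continue
        entry = summary.setdefault((ev["pod"], ev["binary"]),
                                   {"opened": set(), "written": set()})
        entry["opened"].add(ev["path"])
        if ev["kind"] == "write":
            entry["written"].add(ev["path"])
    return summary


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for alert in detect_etc_writes(evs):
        print("ALERT write under /etc:", alert)
    for (pod, binary), acc in summarize_etc_access(evs).items():
        print(pod, binary, "opened", sorted(acc["opened"]), "wrote", sorted(acc["written"]))
```

Filtering on the write, not the open, is the point: the policy above emits an event for every file under /etc/ a process touches, and most of those are reads of resolv.conf, hosts and the like; the 1275-byte write to /etc/passwd by an editor is the one line worth paging on.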

Runtime Enforcement

Security Observability &
Runtime Enforcement
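The slide only names runtime enforcement. As an added example, not taken from the talk or copied from the Tetragon documentation, the policy below turns the observe-only /etc/ policy shown earlier into an enforcing one: the same fd_install kprobe and Prefix match, narrowed with matchBinaries to the editor seen in the output, plus a matchActions entry that sends SIGKILL. The policy name and the binary list are assumptions.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: "etc-files-enforce"        # assumed name, not from the talk
spec:
  kprobes:
  - call: "fd_install"
    syscall: false
    args:
    - index: 0
      type: "int"
    - index: 1
      type: "file"
    selectors:
    # Scope the action to the binary seen in the observe output; without this,
    # a Prefix match on /etc/ would kill every process that opens anything under /etc.
    - matchBinaries:
      - operator: "In"
        values:
        - "/usr/bin/vi"              # assumed: the editor from the observe output
      matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/"
      matchActions:
      - action: Sigkill
```

Two caveats before using this. fd_install fires after the open has already succeeded, so Sigkill is a post-hoc kill, not prevention: the descriptor existed for a moment and a fast process may already have written. To actually block the access, hook a security/LSM function and use Tetragon's Override action, which makes the call return an error instead of completing; that depends on kernel support for error injection on the hooked function. And run any enforcing policy in observe-only form first (as the slide does) and read the event volume, because a too-broad selector here kills workloads rather than just logging them.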

Tracing and Profiling

eBPF tools provide rich,
context-aware event streams

eBPF everything???
Or not?

Still not a magic bullet

[Diagram: the application sees “Add product X to cart”, “query service A”, “write to database”; the kernel sees open file 345, forward packet to 6.7.8.9, read file 111, create a socket]


query service A
write to database

●eBPF doesn’t have business context!
●Requires kernel knowledge
●The data volume can be absurd
eBPF is challenging

Buzzing
Community

Kernel Community
Happy 10th Birthday

eBPF Landscape

eBPF Acquisitions
•Flowmill ➡ Splunk (November 2020) Security
•Kinvolk ➡ Microsoft (April 2021) Observability
•Pixie ➡ New Relic (July 2021) Observability
•Cmd ➡ Elastic (October 2021) Security
•Optimyze ➡ Elastic (August 2021) Profiling
•Seekret ➡ Datadog (August 2022) Observability
•Pyroscope ➡ Grafana (March 2023) Profiling
•Akita ➡ Postman (July 2023) Observability
•Isovalent ➡ Cisco (April 2024) Networking, Observability, Security
•StackState ➡ SUSE (June 2024) Observability

eBPF for Windows

eBPF Research Funding

Where to go
Next

eBPF Wikipedia

ebpf.io

ebpf.io
en Français
Italiano
Português
Swahili
Español
繁體中文
简体中文

ebpf.io
Looking for help translating

ebpf.io Labs

eBPF Summit
September 11th

eBPF Newsletter

eBPF Documentary - ebpfdocumentary.com

The Illustrated Children’s Guide to eBPF

State of eBPF

A Vision for eBPF Inside

Thank you
ebpf.io | @breakawaybilly
Download from isovalent.com