Zero-overhead Container Networking with eBPF and Netkit by Liz Rice
ScyllaDB
1,109 views
24 slides
Oct 16, 2024
Slide 1 of 24
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
About This Presentation
Introducing Netkit: a new eBPF enhancement replacing veth connections in container networking. Say goodbye to the overhead slowing down container apps. With Netkit, container networking now matches the speed of host networking. Fast, efficient, and ready to deploy. #DevOps #eBPF
Slide Content
A ScyllaDB Community
Zero-overhead Container Networking
with eBPF and Netkit
Liz Rice
Chief Open Source Officer, Isovalent @ Cisco
Zero-overhead Container Networking
with eBPF and Netkit
Liz Rice
Chief Open Source Officer, Isovalent @ Cisco
?????? Hi, I’m Liz (she/her)
Chief Open Source Officer, Isovalent @ Cisco
■Previously chair of CNCF’s Technical
Oversight Committee
■Early career: writing networking code
■Containers / security / eBPF / cloud
native
■Often found on a bike or playing music
Chief Open Source Officer, Isovalent @ Cisco
■Previously chair of CNCF’s Technical
Oversight Committee
■Early career: writing networking code
■Containers / security / eBPF / cloud
native
■Often found on a bike or playing music
Container networking overhead
Traditional host networking
Host
app
eth0
network stack
(IP, netfilter,
routing, …)
Network interface card
socket
Host
app
eth0
network stack
(IP, netfilter,
routing, …)
Network interface card
socket
Container networking
Host
Container app
eth0
network stack
(IP, netfilter,
routing, …)
network interface card
veth
veth
virtual
Ethernet
connection
Host’s network
namespace
Container’s network
namespace
network
stack
socket
Host
Container app
eth0
network stack
(IP, netfilter,
routing, …)
network interface card
veth
veth
virtual
Ethernet
connection
Host’s network
namespace
Container’s network
namespace
network
stack
socket
Container networking
Host
Container app
eth0
network stack
(IP, netfilter,
routing, …)
network interface card
veth
veth
virtual
Ethernet
connection
Host’s network
namespace
Container’s network
namespace
network
stack
socket
Traffic passes
through network
stack twice ??????
TCP back
pressure
breakages ??????
Host
Container app
eth0
network stack
(IP, netfilter,
routing, …)
network interface card
veth
veth
virtual
Ethernet
connection
Host’s network
namespace
Container’s network
namespace
network
stack
socket
Traffic passes
through network
stack twice ??????
TCP back
pressure
breakages ??????
Use eBPF programs to do
host routing
New eBPF helper functions in 5.10
host routing
New eBPF helper functions in 5.10
Host routing with eBPF - ingress
Host
Container app
eth0
network stack
(IP, netfilter,
routing, …)
veth
veth
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
Ingress: bpf_redirect_peer()
Switch packet’s netns✕
Host
Container app
eth0
network stack
(IP, netfilter,
routing, …)
veth
veth
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
Ingress: bpf_redirect_peer()
Switch packet’s netns✕
Host routing with eBPF - egress
Host
Container app
eth0
veth
veth
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
Egress: bpf_redirect_neigh()
FIB lookup + fill in L2 info
network stack
(IP, netfilter,
routing, …)✕
Host
Container app
eth0
veth
veth
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
Egress: bpf_redirect_neigh()
FIB lookup + fill in L2 info
network stack
(IP, netfilter,
routing, …)✕
Host routing with eBPF
Host
Container app
eth0
veth
veth
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
network stack
(IP, netfilter,
routing, …)✕
eBPF
programs
Host
Container app
eth0
veth
veth
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
network stack
(IP, netfilter,
routing, …)✕
eBPF
programs
So far so good, but still some overhead
veth backlog queue
12
Deferral to
ksoftirqd
12
Deferral to
ksoftirqd
Host routing with eBPF
Host
Container app
eth0
veth
veth
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
network stack
(IP, netfilter,
routing, …)✕
eBPF
programs
Egress packets
can go on per-CPU
backlog queue ??????
Ingress packets
skip per-CPU
backlog queue
Host
Container app
eth0
veth
veth
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
network stack
(IP, netfilter,
routing, …)✕
eBPF
programs
Egress packets
can go on per-CPU
backlog queue ??????
Ingress packets
skip per-CPU
backlog queue
tcx - TC express
TC = traffic control subsystem
in kernel network stack
TC = traffic control subsystem
in kernel network stack
eBPF program attachment in TC
Before kernel 6.6
Before kernel 6.6
eBPF program attachment in TC
Before kernel 6.6 New style: tcx
59 cycles -> 33 cycles to
BPF program entry
Before kernel 6.6 New style: tcx
59 cycles -> 33 cycles to
BPF program entry
Replace veth devices
with netkit devices
Minimal eBPF-programmable devices
with netkit devices
Minimal eBPF-programmable devices
Netkit devices
Host
Container
netkit
primary
netkit
peer
Host’s network
namespace
Container’s network
namespace
eBPF
programs
eBPF
programs
Only primary can manage eBPF
programs
Host
Container
netkit
primary
netkit
peer
Host’s network
namespace
Container’s network
namespace
eBPF
programs
eBPF
programs
Only primary can manage eBPF
programs
Netkit devices
Host
Container app
eth0
netkit
netkit
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
eBPF
programs
Fast netns
switching and no
queuing for both
ingress and
egress
network stack
(IP, netfilter,
routing, …)✕
Host
Container app
eth0
netkit
netkit
Host’s network
namespace
Container’s network
namespace
network
stack
socket
eBPF
programs
eBPF
programs
Fast netns
switching and no
queuing for both
ingress and
egress
network stack
(IP, netfilter,
routing, …)✕
veth vs netkit: backlog queue
20
Pod with veth:
Pod with
netkit:
Remains in process
context all the way,
leading to better process
scheduler decisions.
Deferral to
ksoftirqd
20
Pod with veth:
Pod with
netkit:
Remains in process
context all the way,
leading to better process
scheduler decisions.
Deferral to
ksoftirqd
Container networking overhead eliminated!
Throughput as
high as host
baseline
Throughput as
high as host
baseline
Container networking overhead eliminated!
Latency as
low as host
baseline
Latency as
low as host
baseline
Netkit support now in Cilium
Thank you!
Liz Rice
@lizrice
isovalent.com/blog
Liz Rice
@lizrice
isovalent.com/blog
Tags
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 1,109
- Slides 24
- Age 412 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
46 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
46 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
34 views
21
Know for Certain
DaveSinNM
21 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views