In the container world, there is a need to build observability around apps and backing services running in containers. That observability should allow low-level metrics to be captured on demand at low overhead. The proposal is to use eBPF as the tracing technology to capture details at kernel and user level, and to generate on-demand flame graphs and heat maps for applications and backing services. The Linux kernel has a built-in BPF JIT compiler and an in-kernel verifier that validates eBPF programs before they are loaded. This allows user-defined instrumentation on a live kernel image that cannot crash, hang or otherwise interfere with the kernel. eBPF provides in-kernel storage maps such as histograms and hash maps, which allow summarized monitoring data to be copied efficiently from kernel to user space at low overhead.
These features make eBPF programs safe to run in production and allow admins and engineers to collect crucial data from systems for performance analysis and monitoring.
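To make the map mechanism concrete, here is a short bpftrace script added as an example (it is not part of the deck): a hash map keyed by thread id stores the entry timestamp of each read() call, and a log2 histogram map keyed by process name is updated inside the kernel, so only the summarized histograms cross to user space when the script exits. It assumes bpftrace is installed and run as root on a Linux kernel with syscall tracepoints enabled.

```bpftrace
#!/usr/bin/env bpftrace
// Added example (not from the deck): read() latency histogram built from
// in-kernel eBPF maps. Assumes bpftrace and root on a Linux host with
// syscall tracepoints enabled. Run: sudo bpftrace read_latency.bt

BEGIN
{
	printf("Tracing read() latency per process... Hit Ctrl-C to end.\n");
}

// Hash map: remember the entry timestamp per thread id.
tracepoint:syscalls:sys_enter_read
{
	@start[tid] = nsecs;
}

// Only threads that were seen entering are timed. The log2 histogram map
// is updated in the kernel, so no per-event data is copied to user space.
tracepoint:syscalls:sys_exit_read
/@start[tid]/
{
	@usecs[comm] = hist((nsecs - @start[tid]) / 1000);
	delete(@start[tid]);
}

// On exit, bpftrace prints the remaining maps: only the summarized
// @usecs histograms are copied out of the kernel; the scratch map is cleared.
END
{
	clear(@start);
}
```

The per-thread scratch entry is deleted on every exit so the hash map does not grow with the number of calls, which is the low-overhead property the text describes.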
5. You don't need to know how to operate an X-ray machine,
but you do need to know that if you swallow a penny, an X-ray is an option!
~ www.brendangregg.com
6. EVOLUTION OF BPF
- Before 1992: Classic packet filtering
• Stack based; kernel -> user space copies
- 1993: BPF virtual machine
• Register based (2 registers); fewer copies
- 2013: Extended BPF
• Improved ISA and eBPF maps; more registers (10)
- 2014: BPF system call
• Exposed to user space; kernel filters
- Today: Additional probes
• uprobes, kprobes, USDT, tracepoints
24. BPF Implementations…
- Seccomp
• Controls the system calls a process is allowed to make
- Cilium
• Controls networking, security and load balancing for containers
- Weave Scope
• Observability into containerized application stacks such as Docker and Kubernetes
- Iptables
• bpfilter implementation to optimize ingress/egress security rules
- SystemTap
• BPF backend for optimizations