通过Golang + eBPF实现无侵入应用可观测 张海彬 阿里云 应用可观测技术专家 目 录 eBPF简介 01 eBPF在云原生场景下的应用 02 微服务可观测的挑战 03 Golang + eBPF实现数据采集 04 构建完整的应用可观测系统 05 eBPF简介 第一部分 eBPF简介 01. eBPF简介 eBPF = extended Berkeley Packet 夯机宕机，资源异 常… 应用组件异常：线程池满，数据库连接无法获取， OOM，文件读取错误… 无法自顶向下端到端 串联导致棘手问题频 发。 Kubernetes下的可观测 Golang + eBPF实现数据采 集 第四部分 eBPF在可观测领域的优势 无侵入 多语言/多协议/多框架 全栈覆盖 无侵入性 • 无需修改代码 • 无需重启应用 • Verifier保证运行安全 程序跟其他的用户空间的程序没有太大区别  编译成二进制文件，可以适应不同运行环境  libbpf 扮演bpf程序装载机角色  开发人员只需要关注bpf程序的正确性和性能，不 需要关注其他依赖关系 通过Golang加载eBPF程序 01. 副标题 func loadSync() error { // Allow the current process to lock memory for eBPF

(OS-specific) glibc-devel (32-bit) latest N/A (OS-specific) go [h�ps://golang.org/dl/] 1.12.17 N/A (OS-specific) dep [h�ps://github.com/golang/dep/] >= v0.4.1 curl https://raw.g go-bindata [h�ps://github.com/cilium/go- space viola�ons Run make to build your changes. This will also run go fmt and error out on any golang forma�ng errors. See Unit Tes�ng on how to run unit tests. See End-To-End Tes�ng Framework for how to run the end to end integra�on tests Unit Testing Cilium uses the standard go test [h�ps://golang.org/pkg/tes�ng/] framework in combina�on with gocheck [h�p://labix.org/gocheck] for richer tes�ng

Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Debugging Building Container Images Developer images Official release images Update posts Books Talks Further Documents API Reference Introduction How to access the API CLI Client Golang Package Compatibility Guarantees API Reference Reference Command Cheatsheet Command utilities: / where is a value that can be parsed with ParseDuration() [https://golang.org/pkg/time/#ParseDuration]. The supported units are: ns, us, ms, s, m, h. Examples: rate-limit:10/2m

Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Optional: Docker and IPv6 Debugging Building Container Images Developer images Official posts Books Talks Further Documents API Reference Introduction How to access the API CLI Client Golang Package Compatibility Guarantees API Reference Hubble internals Hubble Architecture Hubble server / where is a value that can be parsed with ParseDuration() [https://golang.org/pkg/time/#ParseDuration]. The supported units are: ns, us, ms, s, m, h. Examples: rate-limit:10/2m

(OS-specific) go 1.12.17 N/A (OS-specific) dep >= v0.4.1 curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh go-bindata a0ff2567cfb go get -u github.com/cilium/go-bindata/... ginkgo space violations 6. Run make to build your changes. This will also run go fmt and error out on any golang formatting errors. 7. See Unit Testing on how to run unit tests. 8. See End-To-End Testing Framework to run the end to end integration tests Unit Testing Cilium uses the standard go test [https://golang.org/pkg/testing/] framework in combination with gocheck [http://labix.org/gocheck] for richer testing

Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version Optional: Docker and IPv6 Debugging Building Container posts Books Talks Further Documents API Reference Introduction How to access the API CLI Client Golang Package Compatibility Guarantees API Reference Internals Hubble internals Hubble Architecture / where is a value that can be parsed with ParseDuration() [https://golang.org/pkg/time/#ParseDuration]. The supported units are: ns, us, ms, s, m, h. Examples: rate-limit:10/2m

Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version Optional: Docker and IPv6 Debugging Building Container posts Books Talks Further Documents API Reference Introduction How to access the API CLI Client Golang Package Compatibility Guarantees API Reference Hubble internals Hubble Architecture Hubble server / where is a value that can be parsed with ParseDuration() [https://golang.org/pkg/time/#ParseDuration]. The supported units are: ns, us, ms, s, m, h. Examples: rate-limit:10/2m

Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version Optional: Docker and IPv6 Debugging Building Container posts Books Talks Further Documents API Reference Introduction How to access the API CLI Client Golang Package Compatibility Guarantees API Reference Internals Hubble internals Hubble Architecture / where is a value that can be parsed with ParseDuration() [https://golang.org/pkg/time/#ParseDuration]. The supported units are: ns, us, ms, s, m, h. Examples: rate-limit:10/2m

With bees under the hood, making them go full steam. eBPF now has a variety of libraries written in Golang, Rust, C++, and others that help loading, compiling, and debugging eBPF programs across both user

同用户态程序交互， 最终实现内核数据进行修改，或者影响内核处 理请求的结果，或者改变内核处理请求的流程。 极大提升了内核处理事件的效率。 截止 linux 5.14 版本，eBPF 有32种类型程序。而 cilium 主要使用了如下类型程序： • sched_cls 。cilium在内核 TC 处实现数据包转发、负载均衡、过滤 • xdp 。cilium在内核 XDP 处实现数据包的转发、负载均衡、过滤 处实现数据包的转发、负载均衡、过滤 • cgroup_sock_addr 。cilium在 cgroup 中实现对service解析 • sock_ops + sk_msg。记录本地应用之间通信的socket，实现本地数据包的加速转发 加速同节点pod间通信 cilium 使用 eBPF 程序，借助 bpf_redirect() 或 bpf_redirect_peer() 等 helper 函数，快速帮助同宿主机间 的流量转发，节省了大量的内核协议栈 bind cilium的Host-Reachable 技术，利 用eBPF程序，拦截应用在内核connect 、 sendmsg、 recvmsg 、getpeername 、 bind等系统调用，实现 service 的地址解 析，并且伪装通信目的地址，让上层应用 无感知 DNAT 的发生 效果： • 集群内访问nodePort、LoadBalancer 的service时，能够减少数据包转发跳