eBPF at LINE’s Private Cloud Yutaro Hayakawa October 28, 2020 • Messaging & many family services • 185 million global MAU • 3Tbps+ network traffic in total LINE Verda: LINE’s Private Cloud Service com/watch?v=UE6rPA1Js2s&fe ature=emb_title • https://speakerdeck.com/line_devday2019/software- engineering-that-supports-line-original-lbaas ipftrace // Trace the TCP packets with destination 10.0 Contributed to find the bug in SRv6 GSO handling • Upstream change • https://github.com/torvalds/linux/ commit/62ebaeaedee7591c257543 d040677a60e35c7aec eth VM1 VM2 VM3 SRv6 + iptables Security Policy

Training Enterprise support Security Bugs Operations System Requirements Summary Linux Distribution Compatibility Matrix Linux Kernel Required Kernel Versions for Advanced Features Key-Value store clang+LLVM Hubble Architecture Hubble server Hubble Relay Reference Command Cheatsheet Command utilities: Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the

Security Bugs Operations System Requirements Summary Architecture Support Linux Distribution Compatibility & Considerations Linux Kernel Required Kernel Versions for Advanced Features Key-Value store clang+LLVM network policy creation Security Identities Reference Command Cheatsheet Command utilities: Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the

Mesos/Marathon Envoy Envoy Go Extensions Administration System Requirements Summary Linux Distribution Compatibility Matrix Linux Kernel Advanced Features and Required Kernel Version Key-Value store clang+LLVM the API Compatibility Guarantees API Reference Reference Command Cheatsheet Command utilities: Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called BPF, which enables the

Enterprise support Security Bugs Operations System Requirements Summary Linux Distribution Compatibility & Considerations Linux Kernel Required Kernel Versions for Advanced Features Key-Value store clang+LLVM collection Derivative network policy creation Reference Command Cheatsheet Command utilities: Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called eBPF, which enables the

Mesos/Marathon Envoy Envoy Go Extensions Administra�on System Requirements Summary Linux Distribu�on Compa�bility Matrix Linux Kernel Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide access the API Compa�bility Guarantees API Reference Reference Command Cheatsheet Command u�li�es: Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health Key-Value Store connec�vity between applica�on services deployed using Linux container management pla�orms like Docker and Kubernetes. At the founda�on of Cilium is a new Linux kernel technology called BPF, which enables the

Help FAQ Slack GitHub Security Bugs Operations System Requirements Summary Linux Distribution Compatibility Matrix Linux Kernel Required Kernel Versions for Advanced Features Key-Value store clang+LLVM Hubble Architecture Hubble server Hubble Relay Reference Command Cheatsheet Command utilities: Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called BPF, which enables the

Mesos/Marathon Envoy Envoy Go Extensions Administration System Requirements Summary Linux Distribution Compatibility Matrix Linux Kernel Advanced Features and Required Kernel Version Key-Value store clang+LLVM Package Compatibility Guarantees API Reference Reference Command Cheatsheet Command utilities: Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes. At the foundation of Cilium is a new Linux kernel technology called BPF, which enables the

Who am I? ● Software Engineer at Cloudflare Spectrum TCP/UDP reverse proxy, Linux kernel, ... ● Contributor to Linux kernel networking & BPF subsystems Goal Run a TCP echo service on ports 7, 77 77, and 777 … using one TCP listening socket. Fun? We will need… ❏ VM running Linux kernel 5.9+ ❏ bpftool 5.9+ ❏ libbpf headers ❏ kernel headers vm $ uname -r 5.9.1-36.vanilla.1.fc32.x86_64 vm __u32 remote_port; __u32 local_ip4; __u32 local_port; /* ... */ }; /usr/include/linux/bpf.h 7 77 777 echo_ports BPF HASH map Ncat socket echo_socket BPF SOCKMAP (2) is local port

to all was the cramped engine room, Its critical systems of metal and fire. eBPF originates from Linux, an operating system that runs on billions of devices around the world and is divided into user space needed a fast way to replace items, Adapt quickly to meet demand and make business boom. Because Linux is such a large and important project, updates to the kernel can take years to reach end users running Tux, “I will come to your aid”: He trained them and made sure they could see through the smog. The Linux kernel expects eBPF programs to be loaded in the form of bytecode. Typically, eBPF developers write