Understanding Ruby with BPF Javier Honduvilla Coto October 28th-29th, 2020 Why BPF? Why BPF? - Flexibility Why BPF? - Flexibility - Low overhead Why BPF? - Flexibility - Low Low overhead - Continuous profiling Why BPF? - Flexibility - Low overhead - Continuous profiling - No modifications of the tracee rbperf rbperf - Profile Ruby programs rbperf - Profile Ruby programs syscall, etc) BPF code (bpf/rbperf.c) Read frame Driver (rbperf.py) 1. Adds info (pid to profile, thread address) 3. Receives stacktrace 4. Serialisation and persistence BPF tail-calls Bounded

Containers and BPF: twagent story Andrey Ignatov, Facebook October 28, 2020 1 ● a daemon ● runs on every Facebook server ● manages all Facebook containers ● a part of the bigger TW system, see the ● cgroup v2 ● ... other usual building blocks ... ● cgroup-bpf programs 2 Vast majority of twagent tasks have one or more cgroup-bpf features enabled: ● mostly networking: ○ IP assignment (when sysctl access control Let’s look at some of them .. Example of cgroup-bpf programs (bpftool cgroup tree ): cgroup-bpf 3 Task IP assignment (aka IP-per-task) ● Facebook DC network is IPv6

Debugging the BPF Virtual Machine Lorenzo Fontana October 28, 2020 ● Debugging is useful to understand how things work ● Sometimes, eBPF programs can’t even load ● I couldn’t find good resources on this this, so, here I am ● I break lots of eBPF programs ● The BPF Virtual machine is not easy to understand Why ? The BPF subsystem lives in the kernel AND The kernel can be debugged using gdb The build/vmlinux (gdb) target remote localhost:1234 (gdb) bpf/syscall.c:4180 (gdb) bpf/syscall.c:796 (gdb) b bpf/syscall.c:121 (gdb) b kernel/bpf/ringbuf.c:159 Debug! Remember to: - Load the eBPF program

North-South Load Balancing of Kubernetes Services with eBPF/XDP Martynas Pumputis (Isovalent) October 28, 2020 10.0.0.1 10.0.0.2 10.0.0.3 httpd httpd “httpd” service 10.0.0.1:30000 10.0.0.2:30000 -j REJECT --reject-with icmp-port-unreachable COMMIT httpd httpd void loadbalance(skb) { svc = bpf_map_lookup_elem(..); if (svc) { b = select_backend(svc); dnat(skb, b); snat(skb); FORWARD filter FORWARD mangle POSTROUTING nat POSTROUTING TC egress host httpd pod lxc0 eth0 XDP httpd httpd 1010101010111 1010101010111 1010101010111 DSR httpd httpd 1010101010111 1010101010111

How to ship BPF with your Go project Lorenz Bauer October 28, 2020 Goal ● Count the number of packets on lo ● Print the count to the console ● From a single Go binary Use the source, Luke github github.com/lmb/ship-bpf-with-go github.com/cilium/ebpf

Steering connections to sockets with BPF socket lookup hook Jakub Sitnicki, Cloudflare @jkbs0 @cloudflare October 28-29, 2020 Who am I? ● Software Engineer at Cloudflare Spectrum TCP/UDP reverse proxy proxy, Linux kernel, ... ● Contributor to Linux kernel networking & BPF subsystems Goal Run a TCP echo service on ports 7, 77, and 777 … using one TCP listening socket. Fun? We will need… ❏ VM Network Driver XDP TC ingress alloc_skb Ring Buffer forward Wikipedia - Packet flow in Netfilter and General Networking Receive path for local delivery Service dispatch with BPF socket lookup packet

用，这是极其困难的事情。此时，eBPF 出现，它以较小的子系统改动，保障了系统 内核的稳定，还具备实时动态加载的特性，能将业务逻辑加载到内核，实现热更新的 动态执行。 eBPF 由 BPF 发 展 而 来，BPF 全 称 Berkeley Packet Filter，1992 年 由 Steven McCanne 和 Van Jacobson 提出，1997 年引入 Linux Kernel Storage、Network 等与内核交互之间； 2. 也可以在内核中的功能模块交互之间； 3. 又可以在内核态与用户态交互之间； 4. 更可以在用户态进程空间。 eBPF 的功能覆盖 XDP、TC、Probe、Socket 等，每个功能点都能实现内核态的 篡改行为，从而使得用户态完全致盲，哪怕是基于内核模块的 HIDS，一样无法感知 到这些行为。 基于 eBPF 的功能函数，从业 技术上，会如何实现呢？ XDP/TC 层修改 TCP 包 为了让后门隐藏的更好，最好是不开进程，不监听端口（当前部分我们只讨论网络层 隐藏）。而 eBPF 技术在 XDP、TC、Socket 等内核层的功能，能够实现流量信息修 改，这些功能常被应用在 L3、L4 的网络负载均衡上。比如 Cilium 的网络策略都是 基于 eBPF XDP 实现。eBPF hook 了 XDP 点后，更改了 TCP

处实现数据包转发、负载均衡、过滤 • xdp 。cilium在内核 XDP 处实现数据包的转发、负载均衡、过滤 • cgroup_sock_addr 。cilium在 cgroup 中实现对service解析 • sock_ops + sk_msg。记录本地应用之间通信的socket，实现本地数据包的加速转发 加速同节点pod间通信 cilium 使用 eBPF 程序，借助 bpf_redirect() 或 bpf_redirect_peer() iptables 等 技术，降低了访 问延时。例如在相同环境下，service 数量达到3K，kube-proxy iptables下 的的延时为0.6ms，而cilium的延时为 0.3ms XDP 加速南北向 nodePort 访问 cilium 借助 eBPF 程序 ，能快速完 成 nodePort 、 LoadBalancer service 的解析和转发，其转发性能能比肩 DPDK 压力下，节省了30%的CPU利用率 2. XDP的性能上限极高，可能是 TC 的 10 倍左右 raw PREROUTING mangle PREROUTING nat PREROUTING tc ingress conntrack filter FORWARD mangle POSTROUING nat POSTROUING tc egress routing XDP kernel

? ? In This Talk… • Different “types” of BPF programs • Write BPF programs in Rust • Add new feature in RedBPF • Use BPF maps to make stateful decisions • Load the program and protect the Rabbit(MQ) Engineer @ CCP Games • @aquarhead on GitHub, Twitter… • Rust (and Elixir) • Disclaimer: new to BPF & kernel networking, pardon my mistake and welcome corrections! Sad Rabbit Has No Memory • A faulty consumers • But adding such a feature in RabbitMQ could be a long process… Build a Limiter in BPF • Let’s use BPF to get a quick win! • Track how many “AMQP consumers” have been declared for each connection

openEuler 24.03 LTS 技术白皮书 • XDP multi-buffer 支持：允许 Jumbo frame 场景下使用 XDP 提升性能。 • Thread-based NAPI polling 支持：允许网卡 NAPI polling 移到内核线程处理，使 CPU 调度器可以合理调度提升性能。 • bpf新增kfunc特性：允许bpf通过符号方式直接调用内核和ko提供的函数，ko可 以通过注册kfunc的方式来动态提供bpf接口。 • bpf 新增 dynamic pointer 特性：在 bpf 中引用动态分配的内存，此前 bpf 使用的内存必须在 verifier 检查时已静态指定。 • perf 新增特性支持：新增支持 ARM SPE 事件的获取；支持用户态直接读取 pmu counter；显示锁的竞争情况；减少生成的 pmu 数据，提升平均处理时间。 openEuler 防止文件系统损坏。 • riscv bpf 新特性支持：支持 trampoline 特性、Zbb 扩展特性、kfunc 支持特性、cpu-v4 指令特性和原子操作指令特性等，扩 展了 bpf 的能力。 • arm64 bpf 新特性支持：新增 bpf 栈变量 ldr/str 优化、pac 支持、trampoline 支持与 cpuv4 指令支持等特性，扩展了 bpf 的能力。 • 内存可靠性分级