## Containers and BPF: twagent story Andrey Ignatov, Facebook eBPF Summit ## twagent • a daemon - runs on every Facebook server • manages all Facebook containers - a part of the bigger TW system v2 • ... other usual building blocks ... • cgroup-bpf programs ## cgroup-bpf Vast majority of twagent tasks have one or more cgroup-bpf features enabled: • mostly networking: ☐ IP assignment (when network is IPv6 only • Every server has /64 IPv6 prefix - Convenient to have a unique IPv6 per twagent task (e.g. for QoS tagging) - Many services don’t need full L2 isolation like that of netns and