Containers and BPF: twagent story Andrey Ignatov, Facebook October 28, 2020 1 ● a daemon ● runs on every Facebook server ● manages all Facebook containers ● a part of the bigger TW system, see the the TW paper in OSDI'20 [0] [0] https://sites.google.com/site/tangchq/papers/Twine-OSDI20.pdf twagent Container (aka “task”): ● namespaces: cgroup, mount, pid and optionally: ipc, net, user, uts ● cgroup v2 ● ... other usual building blocks ... ● cgroup-bpf programs 2 Vast majority of twagent tasks have one or more cgroup-bpf features enabled: ● mostly networking: ○ IP assignment (when