CN115543531A - eBPF-based container network implementation method, device, equipment and medium - Google Patents


Info

Publication number
CN115543531A
CN115543531A
Authority
CN
China
Prior art keywords
ebpf
program
network
target
data packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211142782.3A
Other languages
Chinese (zh)
Inventor
姚夏冰
吴典秋
朱浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Qianhai Huanrong Lianyi Information Technology Service Co Ltd
Original Assignee
Shenzhen Qianhai Huanrong Lianyi Information Technology Service Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Qianhai Huanrong Lianyi Information Technology Service Co Ltd
Priority to CN202211142782.3A
Publication of CN115543531A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/4557 Distribution of virtual machine instances; Migration and load balancing
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • G06F8/00 Arrangements for software engineering
    • G06F8/30 Creation or generation of source code
    • G06F8/37 Compiler construction; Parser generation
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, a device, equipment and a medium for realizing a container network based on eBPF, wherein the method comprises the following steps: converting the prestored eBPF program into an executable target eBPF program according to the input conversion instruction; if the network data packet is detected to reach the network equipment, triggering a network hook of the fast network path XDP to call a corresponding target eBPF program; running the target eBPF program to process the network data packet and return a corresponding processing result; and when the returned processing result is pass, sending the network data packet to a target network stack. By this method, the processing speed and efficiency of network data packets in network communication can be improved, and high latency is reduced.

Description

eBPF-based container network implementation method, device, equipment and medium
Technical Field
The invention relates to the technical field of computers, in particular to a container network implementation method, device, equipment and medium based on eBPF.
Background
There are many container network schemes in the industry. Different network plug-ins have their own advantages and provide a large number of optimizations for network performance, network latency and layer-4 load balancing, and business requirements can be met further by combining multiple network plug-ins and optimizations. However, problems remain: the supported scenarios are not general enough, performance bottlenecks appear in high-I/O scenarios, and security capabilities are not provided.
At present, most security policy technologies of existing container networks are implemented on top of iptables, so the poor performance of iptables cannot be avoided; in particular, a large number of iptables rules and routes are configured on each node, which makes operation and maintenance very difficult. The BGP scheme adopted to improve container network performance creates as many routes as there are containers, and this number of routes very easily exceeds the processing capacity of the router, the layer-3 switch and the host, which limits the expansion of the whole network; at the same time, the BGP mode lacks the encapsulation/decapsulation process of the overlay mode and requires all devices participating in network communication to support BGP.
Disclosure of Invention
The embodiment of the invention provides a container network implementation method, a device, equipment and a medium based on eBPF, and aims to solve the problems of low processing speed, low efficiency and high delay performance of network data packets in network communication in the prior art.
In a first aspect, an embodiment of the present invention provides an eBPF-based container network implementation method, where the method includes:
converting the prestored eBPF program into an executable target eBPF program according to the input conversion instruction;
if the network data packet is detected to reach the network equipment, triggering a network hook of the fast network path XDP to call a corresponding target eBPF program;
the target eBPF program is operated to process the network data packet and return a corresponding processing result;
and when the returned processing result is that the network data packet passes, sending the network data packet to a target network stack.
In a second aspect, an embodiment of the present invention provides an eBPF-based container network implementation apparatus, which includes:
the program conversion unit is used for converting the prestored eBPF program into an operable target eBPF program according to the input conversion instruction;
the trigger unit is used for triggering a network hook of the XDP to call a corresponding target eBPF program if the network data packet is detected to reach the network equipment;
the operation unit is used for operating the target eBPF program so as to process the network data packet and return a corresponding processing result;
and the first processing unit is used for sending the network data packet to a target network stack when the returned processing result is pass.
In a third aspect, an embodiment of the present invention further provides a computer device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, and when the processor executes the computer program, the processor implements the eBPF-based container network implementation method described in the first aspect.
In a fourth aspect, the present invention further provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program, and the computer program, when executed by a processor, causes the processor to execute the eBPF-based container network implementation method according to the first aspect.
The embodiment of the invention provides a container network implementation method, a device, equipment and a medium based on eBPF, wherein the method comprises the steps of converting a prestored eBPF program into an executable target eBPF program according to an input conversion instruction; if the network data packet is detected to reach the network equipment, triggering a network hook of the fast network path XDP to call a corresponding target eBPF program; running the target eBPF program to process the network data packet and return a corresponding processing result; and when the returned processing result is pass, sending the network data packet to a target network stack. By this method, the embodiment of the invention addresses the problems of low processing speed, low efficiency and high latency of network data packets in network communication.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for implementing an eBPF-based container network according to an embodiment of the present invention;
FIG. 2 is a schematic sub-flow chart of a method for implementing an eBPF-based container network according to an embodiment of the present invention;
FIG. 3 is a schematic block diagram of an eBPF-based container network implementing apparatus according to an embodiment of the present invention;
FIG. 4 is a schematic block diagram of a program conversion unit of an eBPF-based container network implementation apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic block diagram of a computer device provided by an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It will be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It is also to be understood that the terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should be further understood that the term "and/or" as used in this specification and the appended claims refers to and includes any and all possible combinations of one or more of the associated listed items.
Referring to fig. 1, fig. 1 is a schematic flow chart illustrating a method for implementing an eBPF-based container network according to an embodiment of the present invention. The eBPF-based container network implementation method can be applied to a management server: after converting a preset eBPF program into an executable target eBPF program, the management server can call the target eBPF program to process a network data packet, and then handle the network data packet according to the processing result it receives. The present embodiment is described below from the perspective of the management server. As shown in fig. 1, the method includes steps S110 to S160.
And S110, converting the prestored eBPF program into an operable target eBPF program according to the input conversion instruction.
eBPF is a packet filtering technique extended from BPF (Berkeley Packet Filter). BPF provides a mechanism for safely injecting code when kernel events and user-program events occur; eBPF gradually extended the original single packet-filtering event to kernel-mode functions, user-mode functions, tracepoints, performance events (perf_events), security control and so on, and at the same time eBPF not only increased the number of registers but also introduced a brand-new BPF map storage. With eBPF the processing path of a network data packet is greatly shortened: eBPF is supported to run in the network card driver, the network traffic packet does not need to be sent to the protocol stack for processing, and the processing speed and efficiency of the network data packet are improved.
The server is pre-stored with at least one eBPF program, and when the server detects a conversion instruction input by a user, a preset eBPF program corresponding to the conversion instruction can be obtained and converted into an executable target eBPF program. The eBPF program pre-stored in the server may be an eBPF program generated in response to a user control command, and the eBPF program may be a program developed through C language.
For example, the development process of the eBPF program specifically includes:
1. kube-apiserver, the component in Kubernetes that interacts directly with Etcd and controls changes to core Kubernetes resources, receives a request to create a workload.
2. After the request passes through the Kube-scheduler and the Kubelet, the Kubelet watches the Pod event for the change, creates a corresponding sandbox environment, adds a network interface including a network namespace, and loads a CNI plug-in.
Among the responsibilities of the CNI plug-in are:
a) Creating a Veth pair connecting a container name space and a host name space;
b) Allocating IP to the container;
c) Configuring an internal routing table of a container name space;
d) Setting a Sysctl parameter;
e) Generating an eBPF rule;
f) The Agent compiles the eBPF rule generated by the CNI plug-in into a corresponding eBPF program.
Specifically, in one embodiment, as shown in FIG. 2, step S110 includes sub-steps S111-S114.
And S111, determining a corresponding preset eBPF program according to the input conversion instruction.
If the management server receives the input conversion instruction, the management server can match a corresponding preset eBPF program according to information such as a program name, a program version number, a hash value and the like of the program in the conversion instruction, namely according to detailed information of the program in the conversion instruction.
And S112, compiling the determined eBPF program into an object file by using the LLVM.
In the present embodiment, the LLVM is a set of modular and reusable compiler and tool chain technologies, which can compile the determined eBPF program into an object file, where the object file may refer to BPF byte code (e.g., foo.
S113, loading the object file to a kernel.
Wherein, the kernel may refer to Linux kernel. The management server may load the object file to the kernel. Alternatively, the management server may load the object file into the kernel via the eBPF Loader.
S114, instantly compiling the object file into a corresponding local code, and determining the local code as an executable target eBPF program.
The management server can compile the object file just in time into corresponding native code through a just-in-time compiler; the native code can run directly on the underlying platform (such as X86), which reduces performance overhead and improves the processing efficiency of subsequent network data packets. The target eBPF program obtained in this way is executable, so that the corresponding network data packet can be processed when it runs.
In an embodiment, after the step S113, the method includes:
S113', controlling the verifier to verify the object file;
if a verification passing instruction sent by the verifier is received, the object file is immediately compiled into a corresponding local code, and the local code is determined to be an executable target eBPF program.
Specifically, the management server may further control the verifier to verify the object file, to determine that the object file cannot contain infinite loops and cannot cause a kernel crash, and that the object file must terminate within bounded time; only the eBPF bytecode (object file) that passes the verification can be submitted to the just-in-time compiler for just-in-time compilation.
In an embodiment, the method further comprises the steps of:
and S115, the control kernel runs the target eBPF program and saves the corresponding running state into the BPF mapping.
eBPF is divided into a user-space program and a kernel program. The user-space program is responsible for loading BPF bytecode into the kernel and, if necessary, for reading the statistics or event details returned by the kernel; the BPF bytecode in the kernel is responsible for executing on specific kernel events and, if necessary, sending the execution result to user space through Maps or perf events. The user-space program and the kernel BPF bytecode program can communicate in both directions using the Maps structure, which provides more flexible control over the BPF bytecode program running in the kernel.
The management server can control the kernel to run the target eBPF program, and the corresponding running state can be obtained by running the target eBPF program, and the running state can be saved in the BPF mapping. In particular, BPF mapping may be used to implement functionality where native code running on a kernel and user space programs that load the native code may communicate with each other using message passing at runtime.
In an embodiment, the method further comprises the steps of:
and S116, if a query instruction sent by the user program is received, querying the running state of the corresponding target eBPF program through BPF mapping.
Wherein, the BPF program can be stored by using BPF mapping (Maps), and the user program usually needs to interact with the BPF program running in the kernel through the BPF mapping; the BPF program collects kernel operating states for storage in the map, from which the user program reads the states.
Specifically, the kernel verifies the security of the object file (BPF bytecode), and ensures that a correct eBPF program is called when a corresponding event occurs, and if a state needs to be saved, the state is written into a corresponding BPF map; the user program can acquire the running state of the bytecode by inquiring the BPF mapping content.
Therefore, the management server converts the written eBPF program into an object file (BPF byte code) by means of the LLVM, and then calls and submits the object file to the kernel for execution, and the kernel checks the byte code by the verifier before executing the BPF byte code, so that the usability of the eBPF program is improved.
S120, if the network data packet is detected to reach the network equipment, triggering the network hook of the fast network path XDP to call the corresponding target eBPF program.
Specifically, a user compiles the eBPF program into eBPF instructions and then loads them at a specific mount point of the kernel through the BPF system call; execution of the eBPF bytecode (object file) is triggered by a specific event, and here the arrival of a network packet at the network device is that specific event. When the eBPF instructions are mounted, the kernel fully verifies them, so that the eBPF bytecode (object file) cannot affect the security and stability of the kernel. In addition, the kernel can translate the eBPF bytecode (object file) into native instructions or native code through a just-in-time compiler, which reduces the performance overhead.
Therefore, the fast network path XDP includes a network hook used for hooking the target eBPF program in the LINUX network processing flow, and when the management server detects that the network data packet reaches the network device, the network hook of the fast network path XDP is triggered to call the corresponding target eBPF program, so as to implement the operation of the target eBPF program.
And S130, operating the target eBPF program to process the network data packet and return a corresponding processing result.
The management server processes the network data packet by running the target eBPF program and returns a corresponding processing result. By examining the processing result, the corresponding handling of the data packet can be carried out.
And S140, when the returned processing result is that the network data packet passes, sending the network data packet to a target network stack.
In an embodiment, the eBPF-based container network implementation method further includes:
and step S150, when the returned processing result is redirection, sending the network data packet to other hosts.
In a further embodiment, the eBPF-based container network implementation method further includes:
and step S160, when the returned processing result is discarding, discarding the network data packet.
Here eBPF is based on a group of interfaces provided by the kernel: the management server runs the just-in-time compiler to compile the object file (BPF bytecode) and returns the result to the kernel, and the kernel is concerned only with whether the XDP program returns pass, drop or redirect. If the returned processing result is pass, the network data packet is sent to the target network stack and then processed by the upper layers; when the returned processing result is redirect, the network data packet is sent to another host; and when the returned processing result is drop, the network data packet is discarded, thereby completing the processing of the network data packet.
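The following C program is an added example, not code from the patent or its assignee. It models in user space the three verdicts of steps S120 to S160 (pass to the network stack, redirect to another host, drop) and the map-backed running state of steps S115 and S116 (a counter per verdict that the "user program" queries). It is not a loadable BPF object: the verdict names and values match the kernel's xdp_action enum, but the context struct, the policy (drop ICMP, redirect the 10.1.0.0/16 range, pass everything else), the stand-in map and the frames are all constructed for this example. The explicit checks against data_end before every packet access are the pattern the verifier of step S113' insists on.

```c
/* Added example (not from the patent): user-space model of an XDP
 * verdict program plus a stand-in for the BPF map that records its state. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Same names and values as the kernel's enum xdp_action. */
enum xdp_action { XDP_ABORTED = 0, XDP_DROP = 1, XDP_PASS = 2, XDP_TX = 3, XDP_REDIRECT = 4 };

/* Mirrors struct xdp_md: the program may only touch bytes in [data, data_end). */
struct xdp_md_model { const uint8_t *data; const uint8_t *data_end; };

/* Stand-in for a BPF array map keyed by verdict (the "running state" of S115). */
static uint64_t verdict_map[5];

#define ETH_HLEN 14
#define ETH_P_IP 0x0800
#define IPPROTO_ICMP 1

/* Hypothetical policy values for the example: pods in 10.1.0.0/16 live on another host. */
static const uint32_t REMOTE_POD_PREFIX = 0x0A010000u;
static const uint32_t REMOTE_POD_MASK   = 0xFFFF0000u;

static uint32_t load_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t load_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* The XDP program body: every access is preceded by a bounds check against
 * data_end, which is what lets the verifier prove the program is memory safe. */
int xdp_policy(struct xdp_md_model *ctx) {
    const uint8_t *data = ctx->data, *end = ctx->data_end;
    if (data + ETH_HLEN > end) return XDP_DROP;            /* truncated Ethernet frame */
    if (load_be16(data + 12) != ETH_P_IP) return XDP_PASS;  /* not IPv4: let the stack decide */
    const uint8_t *ip = data + ETH_HLEN;
    if (ip + 20 > end) return XDP_DROP;                     /* truncated IPv4 header */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || ip + ihl > end) return XDP_DROP;        /* malformed IHL */
    uint8_t proto = ip[9];
    uint32_t dst = load_be32(ip + 16);
    if (proto == IPPROTO_ICMP) return XDP_DROP;
    if ((dst & REMOTE_POD_MASK) == REMOTE_POD_PREFIX) return XDP_REDIRECT;
    return XDP_PASS;
}

/* Kernel side of S140-S160: run the program, record the verdict in the map. */
int dispatch(const uint8_t *pkt, size_t len) {
    struct xdp_md_model ctx = { pkt, pkt + len };
    int v = xdp_policy(&ctx);
    if (v < 0 || v > XDP_REDIRECT) v = XDP_ABORTED;         /* unknown codes are treated as aborted */
    verdict_map[v]++;
    return v;
}

/* Where the kernel sends the packet for each verdict. */
const char *verdict_target(int v) {
    switch (v) {
    case XDP_PASS:     return "network stack";
    case XDP_REDIRECT: return "other host";
    case XDP_DROP:     return "dropped";
    default:           return "aborted";
    }
}

/* User-program side of S116: read the running state back out of the map. */
uint64_t query_verdict_count(int action) {
    return (action >= 0 && action <= XDP_REDIRECT) ? verdict_map[action] : 0;
}

/* Build a constructed Ethernet+IPv4 frame (no payload) into buf; returns its length. */
size_t build_ipv4_frame(uint8_t *buf, uint8_t proto, uint32_t dst) {
    memset(buf, 0, ETH_HLEN + 20);
    buf[12] = 0x08; buf[13] = 0x00;                         /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                                           /* version 4, IHL 5 */
    ip[3] = 20;                                             /* total length */
    ip[8] = 64;                                             /* TTL */
    ip[9] = proto;
    ip[16] = (uint8_t)(dst >> 24); ip[17] = (uint8_t)(dst >> 16);
    ip[18] = (uint8_t)(dst >> 8);  ip[19] = (uint8_t)dst;
    return ETH_HLEN + 20;
}

/* Convenience wrappers: verdict for a well-formed frame, and for one cut short. */
int verdict_for_ipv4(uint8_t proto, uint32_t dst) {
    uint8_t f[64];
    return dispatch(f, build_ipv4_frame(f, proto, dst));
}
int verdict_for_truncated(void) {
    uint8_t f[64];
    build_ipv4_frame(f, 6, 0x0A000005u);
    return dispatch(f, 20);                                 /* IPv4 header cut off */
}

int main(void) {
    printf("TCP to 10.0.0.5 -> %s\n", verdict_target(verdict_for_ipv4(6, 0x0A000005u)));
    printf("TCP to 10.1.0.7 -> %s\n", verdict_target(verdict_for_ipv4(6, 0x0A010007u)));
    printf("ICMP to 10.0.0.5 -> %s\n", verdict_target(verdict_for_ipv4(IPPROTO_ICMP, 0x0A000005u)));
    printf("truncated frame -> %s\n", verdict_target(verdict_for_truncated()));
    printf("drops recorded in map: %llu\n", (unsigned long long)query_verdict_count(XDP_DROP));
    return 0;
}
```

In a real deployment the policy would be compiled with clang for the BPF target, loaded at the XDP hook of the network device, and the counters would live in a BPF map read from user space; the order of checks here (bounds check, then protocol, then destination) is the same one a loadable program must follow to pass the verifier.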
In the eBPF-based container network implementation method provided by the embodiment of the invention, the method comprises the steps of converting a prestored eBPF program into a target eBPF program according to an input conversion instruction; if the network data packet is detected to reach the network equipment, triggering a network hook of the fast network path XDP to call a corresponding target eBPF program; running the target eBPF program to process the network data packet and return a corresponding processing result; and when the returned processing result is pass, sending the network data packet to a target network stack. By this method, the embodiment of the invention addresses the problems of low processing speed, low efficiency and high latency of network data packets in network communication.
The embodiment of the present invention further provides an eBPF-based container network implementation apparatus, where the eBPF-based container network implementation apparatus may be configured in a user terminal or a management server, and the eBPF-based container network implementation apparatus is configured to implement any embodiment of the eBPF-based container network implementation method. Specifically, referring to fig. 3, fig. 3 is a schematic block diagram of an eBPF-based container network implementation apparatus according to an embodiment of the present invention.
As shown in fig. 3, the eBPF-based container network implementing device 100 includes a program converting unit 110, a triggering unit 120, an executing unit 130, and a first processing unit 140. Wherein:
the program conversion unit 110 is used for converting the pre-stored eBPF program into an executable target eBPF program according to the input conversion instruction.
eBPF is a packet filtering technique extended from BPF (Berkeley Packet Filter). BPF provides a mechanism for safely injecting code when kernel events and user-program events occur; eBPF gradually extended the original single packet-filtering event to kernel-mode functions, user-mode functions, tracepoints, performance events (perf_events), security control and so on, and at the same time eBPF not only increased the number of registers but also introduced a brand-new BPF map storage. With eBPF the processing path of a network data packet is greatly shortened: eBPF is supported to run in the network card driver, the network traffic packet does not need to be sent to the protocol stack for processing, and the processing speed and efficiency of the network data packet are improved.
The server is pre-stored with at least one eBPF program, and when the server detects a conversion instruction input by a user, a preset eBPF program corresponding to the conversion instruction can be obtained and converted into an executable target eBPF program. The eBPF program pre-stored in the server may be an eBPF program correspondingly generated according to a user control instruction, and the eBPF program may be a program developed through C language.
For example, the development process of the eBPF program specifically includes:
1. kube-apiserver, the component in Kubernetes that interacts directly with Etcd and controls changes to core Kubernetes resources, receives a request to create a workload.
2. After the request passes through the Kube-scheduler and the Kubelet, the Kubelet watches the Pod event for the change, creates a corresponding sandbox environment, adds a network interface containing a network namespace, and loads a CNI plug-in.
Among the responsibilities of the CNI plug-in are:
a) Creating a Veth pair connecting a container name space and a host name space;
b) Allocating IP to the container;
c) Configuring an internal routing table of a container name space;
d) Setting a Sysctl parameter;
e) Generating an eBPF rule;
f) The Agent compiles the eBPF rule generated by the CNI plug-in into a corresponding eBPF program.
In one embodiment, as shown in fig. 4, the program conversion unit 110 includes a program generation unit 111, a program compiling unit 112, a file loading unit 113, and a just-in-time compiling unit 114.
And a program generating unit 111, configured to determine a corresponding preset eBPF program according to the input conversion instruction.
If the management server receives the input conversion instruction, the management server can match a corresponding preset eBPF program according to information such as a program name, a program version number, a hash value and the like of the program in the conversion instruction, namely according to detailed information of the program in the conversion instruction.
A program compiling unit 112, configured to compile the determined eBPF program into an object file using LLVM.
In the present embodiment, the LLVM is a set of modular and reusable compiler and tool chain technologies, which can compile the determined eBPF program into an object file, where the object file may refer to BPF byte code (e.g., foo.
A file loading unit 113, configured to load the object file into the kernel.
Wherein, the kernel may refer to Linux kernel. The management server may load the object file into the kernel. Alternatively, the management server may load the object file into the kernel via the eBPF Loader.
And the just-in-time compiling unit 114 is used for compiling the object file into a corresponding local code in a just-in-time mode and determining the local code as an executable target eBPF program.
The management server can compile the object file just in time into corresponding native code through a just-in-time compiler; the native code can run directly on the underlying platform (such as X86), which reduces performance overhead and improves the processing efficiency of subsequent network data packets. The target eBPF program obtained in this way is executable, so that the corresponding network data packet can be processed when it runs.
In an embodiment, the program conversion unit 110 of the eBPF-based container network implementing device 100 further includes:
a verification unit 113' for controlling a verifier to verify the object file;
if a verification passing instruction sent by the verifier is received, the object file is immediately compiled into a corresponding local code, and the local code is determined to be an executable target eBPF program.
Specifically, the management server may further control the verifier to verify the object file, to determine that the object file cannot contain infinite loops and cannot cause a kernel crash, and that the object file must terminate within bounded time; only the eBPF bytecode (object file) that passes the verification can be submitted to the just-in-time compiler for just-in-time compilation.
In an embodiment, the program conversion unit 110 of the eBPF-based container network implementing apparatus 100 further includes:
a saving unit 115, used for controlling the kernel to run the target eBPF program and saving the corresponding running state into a BPF map.
eBPF is divided into a user-space program and a kernel program. The user-space program is responsible for loading the BPF bytecode into the kernel and, if necessary, for reading the statistics or event details returned by the kernel. The BPF bytecode in the kernel is responsible for executing on specific kernel events and, if necessary, sending the execution result to user space through maps or perf events. The user-space program and the kernel BPF bytecode program can communicate bidirectionally through the map structure, which gives more flexible control over the BPF bytecode program running in the kernel.
The management server can control the kernel to run the target eBPF program; running it yields the corresponding running state, which can be saved in a BPF map. In particular, BPF maps allow the native code running in the kernel and the user-space program that loaded it to communicate with each other by message passing at runtime.
In an embodiment, the program conversion unit 110 of the eBPF-based container network implementing device 100 further includes:
a query unit 116, configured to query the running state of the corresponding target eBPF program through the BPF map if a query instruction sent by the user program is received.
BPF programs store state using BPF maps, and the user program normally interacts with the BPF program running in the kernel through the map: the BPF program collects kernel running state into the map, and the user program reads the state from the map.
Specifically, the kernel verifies the security of the object file (BPF bytecode) and ensures that the correct eBPF program is invoked when the corresponding event occurs; if state needs to be saved, it is written into the corresponding BPF map, and the user program obtains the running state of the bytecode by querying the map contents.
Thus, the management server converts the written eBPF program into an object file (BPF bytecode) with LLVM, then submits the object file to the kernel through a system call for execution; the kernel checks the BPF bytecode with the verifier before executing it, which improves the usability of the eBPF program.
The triggering unit 120 is configured to trigger the network hook of the fast network path XDP to call the corresponding target eBPF program if it is detected that a network data packet has reached the network device.
Specifically, the user compiles the eBPF program into eBPF instructions and loads them to a specific mount point in the kernel through the BPF system call; execution of the eBPF bytecode (object file) is triggered by a specific event, here the detected arrival of a network data packet at the network device. When the eBPF instructions are mounted, the kernel verifies them fully, so that the eBPF bytecode (object file) cannot compromise the security or stability of the kernel. In addition, the kernel can translate the eBPF bytecode (object file) into native instructions or native code through the just-in-time compiler, reducing performance overhead.
Thus, the fast network path XDP provides a network hook in the Linux network processing flow on which the target eBPF program is hooked; when the management server detects that a network data packet has reached the network device, the XDP network hook is triggered to call the corresponding target eBPF program, so that the target eBPF program runs.
The running unit 130 is configured to run the target eBPF program to process the network data packet and return the corresponding processing result.
The management server processes the network data packet by running the target eBPF program and returns the corresponding processing result; by analysing the processing result, the corresponding handling of the data packet can be carried out.
The first processing unit 140 is configured to send the network data packet to the target network stack when the returned processing result is pass.
In one embodiment, the eBPF-based container network implementing device 100 further includes:
a second processing unit 105, configured to send the network data packet to another host when the returned processing result is redirect.
In a further embodiment, the eBPF-based container network implementing apparatus 100 further comprises:
a third processing unit 106, configured to discard the network data packet when the returned processing result is drop.
eBPF relies on a set of interfaces provided by the kernel: the management server runs the just-in-time compiler to compile the object file (BPF bytecode) and returns the computed result to the kernel, and the kernel only cares whether the XDP program returned pass, drop or redirect. If the returned processing result is pass, the network data packet is sent to the target network stack and then handed to the upper layers; if it is redirect, the network data packet is sent to another host; if it is drop, the network data packet is discarded. The network data packet is thereby processed.
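The decision flow described above (verified bounds-checked parsing, running state kept in a BPF map that user space queries, and an action of pass, drop or redirect returned to the kernel) is illustrated by the following added example. It is not code from the patent; it is the packet-processing core of an XDP-style filter written so that it compiles and runs in user space. The action codes are the kernel's `enum xdp_action` values; the kernel-only parts (`SEC("xdp")`, `struct xdp_md`, `bpf_map_lookup_elem`) are noted in comments rather than used. The Ethernet/IPv4 frames, the `proto_stats` "map", and the drop/redirect policy are all constructed for the example. It goes slightly beyond the text by also feeding a truncated frame through the filter, to show why the verifier insists on a bounds check before every header access.

```c
/* Added example (not the patent's code): XDP-style packet filter core,
 * compiled and run in user space. Frames, policy and the stats "map" are
 * constructed for the example; kernel-only parts are noted in comments. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>          /* htons / ntohs */

/* Return codes from enum xdp_action in <linux/bpf.h>. */
#define XDP_ABORTED  0
#define XDP_DROP     1
#define XDP_PASS     2
#define XDP_REDIRECT 4

#define ETH_P_IP     0x0800
#define IPPROTO_ICMP 1
#define IPPROTO_TCP  6
#define IPPROTO_UDP  17

/* Minimal wire-format header layouts so no kernel headers are needed. */
struct ethhdr { uint8_t h_dest[6]; uint8_t h_source[6]; uint16_t h_proto; } __attribute__((packed));
struct iphdr  { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off;
                uint8_t ttl, protocol; uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));

/* Stand-in for a BPF_MAP_TYPE_ARRAY of 256 u64 counters keyed by IP protocol.
 * In the kernel program this is a declared map; the user program reads it
 * with bpf_map_lookup_elem() on the map's file descriptor. */
#define NPROTO 256
struct proto_stats { uint64_t pkts[NPROTO]; };
static struct proto_stats g_stats;      /* the "map" shared by both sides here */

void reset_stats(void) { memset(&g_stats, 0, sizeof g_stats); }

/* Constructed policy: which IP protocols are dropped or redirected. In a
 * deployment this would also live in a map so user space can change it. */
static int policy_for(uint8_t proto) {
    switch (proto) {
    case IPPROTO_ICMP: return XDP_DROP;
    case IPPROTO_UDP:  return XDP_REDIRECT;
    default:           return XDP_PASS;
    }
}

/* Decision function. data/data_end mirror ctx->data and ctx->data_end of
 * struct xdp_md. Every header dereference is preceded by a bounds check
 * against data_end: the verifier refuses to load the program without it,
 * and here the same check stops a truncated frame from being read past its end. */
int xdp_decide(const void *data, const void *data_end, struct proto_stats *stats) {
    const struct ethhdr *eth = data;
    if ((const void *)(eth + 1) > data_end)
        return XDP_ABORTED;             /* shorter than an Ethernet header */
    if (ntohs(eth->h_proto) != ETH_P_IP)
        return XDP_PASS;                /* not IPv4: leave it to the stack */

    const struct iphdr *ip = (const struct iphdr *)(eth + 1);
    if ((const void *)(ip + 1) > data_end)
        return XDP_ABORTED;             /* truncated IPv4 header */

    uint8_t proto = ip->protocol;
    /* Kernel equivalent: __u32 key = proto;
     *   __u64 *cnt = bpf_map_lookup_elem(&stats_map, &key);
     *   if (cnt) __sync_fetch_and_add(cnt, 1); */
    stats->pkts[proto]++;
    return policy_for(proto);
}

/* User-space side: read a counter back out of the "map". */
uint64_t query_proto_count(uint8_t proto) { return g_stats.pkts[proto]; }

/* Build a constructed Ethernet+IPv4 frame (no payload); returns its length. */
size_t build_ipv4_frame(uint8_t *buf, size_t cap, uint8_t proto) {
    if (cap < sizeof(struct ethhdr) + sizeof(struct iphdr)) return 0;
    memset(buf, 0, cap);
    struct ethhdr *eth = (struct ethhdr *)buf;
    eth->h_proto = htons(ETH_P_IP);
    struct iphdr *ip = (struct iphdr *)(buf + sizeof *eth);
    ip->ihl_version = 0x45;             /* IPv4, 20-byte header */
    ip->ttl = 64;
    ip->protocol = proto;
    ip->tot_len = htons(sizeof *ip);
    return sizeof *eth + sizeof *ip;
}

/* Run one constructed frame through the filter; truncate_to > 0 cuts the
 * frame short to exercise the bounds checks. Returns the XDP action. */
int classify_frame(uint8_t proto, size_t truncate_to) {
    uint8_t buf[64];
    size_t len = build_ipv4_frame(buf, sizeof buf, proto);
    if (truncate_to && truncate_to < len) len = truncate_to;
    return xdp_decide(buf, buf + len, &g_stats);
}

int main(void) {
    reset_stats();
    printf("tcp -> %d, icmp -> %d, udp -> %d, truncated udp -> %d\n",
           classify_frame(IPPROTO_TCP, 0), classify_frame(IPPROTO_ICMP, 0),
           classify_frame(IPPROTO_UDP, 0), classify_frame(IPPROTO_UDP, 20));
    printf("udp packets counted: %llu\n", (unsigned long long)query_proto_count(IPPROTO_UDP));
    return 0;
}
```

The truncated frame returns `XDP_ABORTED` without touching the counter, which is the behaviour the verifier's bounds-check requirement buys: a malformed packet can never make the program read outside the buffer the kernel handed it. In a real program the `xdp_decide` body sits inside `SEC("xdp") int prog(struct xdp_md *ctx)` with `data = (void *)(long)ctx->data` and `data_end = (void *)(long)ctx->data_end`, and the counter update goes through `bpf_map_lookup_elem` as the comment shows.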
The device for implementing the eBPF-based container network provided by the embodiment of the invention applies the method for implementing the eBPF-based container network: after a preset eBPF program is converted into a target eBPF program, the target eBPF program is called to process a network data packet, and after the processing result is received, the network data packet is handled accordingly. By this method, the problems of low processing speed, low efficiency and high delay of network data packets in network communication are addressed.
The above-described eBPF-based container network implementation means may be implemented in the form of a computer program which may be run on a computer device as shown in fig. 5.
Referring to fig. 5, fig. 5 is a schematic block diagram of a computer device according to an embodiment of the present invention. The computer device may be a user terminal or a management server for executing an eBPF-based container network implementation method to extract document information corresponding to an information extraction task from a document image to be processed of the information extraction task.
Referring to fig. 5, the computer device 500 includes a processor 502, memory, and a network interface 505 connected by a system bus 501, where the memory may include a storage medium 503 and an internal memory 504.
The storage medium 503 may store an operating system 5031 and a computer program 5032. The computer program 5032, when executed, causes the processor 502 to perform the eBPF-based container network implementation method; the storage medium 503 may be a volatile or a non-volatile storage medium.
The processor 502 is used to provide computing and control capabilities that support the operation of the overall computer device 500.
The internal memory 504 provides an environment for the execution of the computer program 5032 in the storage medium 503, and when the computer program 5032 is executed by the processor 502, the processor 502 can be enabled to execute the eBPF-based container network implementation method.
The network interface 505 is used for network communication, such as providing transmission of data information. Those skilled in the art will appreciate that the configuration shown in fig. 5 is a block diagram of only a portion of the configuration associated with aspects of the present invention and is not intended to limit the computing device 500 to which aspects of the present invention may be applied, and that a particular computing device 500 may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
The processor 502 is configured to run a computer program 5032 stored in the memory to implement the corresponding functions in the eBPF-based container network implementation method.
Those skilled in the art will appreciate that the embodiment of a computer device illustrated in fig. 5 does not constitute a limitation on the specific construction of the computer device, and that in other embodiments a computer device may include more or fewer components than those illustrated, or some components may be combined, or a different arrangement of components. For example, in some embodiments, the computer device may only include a memory and a processor, and in such embodiments, the structures and functions of the memory and the processor are consistent with those of the embodiment shown in fig. 5, which are not described herein again.
It should be understood that, in the embodiment of the present invention, the processor 502 may be a Central Processing Unit (CPU), and the processor 502 may also be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
In another embodiment of the invention, a computer-readable storage medium is provided. The computer readable storage medium may be a volatile or non-volatile computer readable storage medium. The computer readable storage medium stores a computer program, wherein the computer program, when executed by a processor, implements the steps included in the above-described eBPF-based container network implementation method.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described apparatuses, devices and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in a functional general in the foregoing description for the purpose of illustrating clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed apparatus, device and method can be implemented in other ways. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only a logical division, and there may be other divisions when the actual implementation is performed, or units having the same function may be grouped into one unit, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may also be an electric, mechanical or other form of connection.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one position, or may be distributed on multiple network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiments of the present invention.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention essentially contributes to the prior art, or all or part of the technical solution can be embodied in the form of a software product stored in a computer-readable storage medium, which includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned computer-readable storage media comprise: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a magnetic disk, or an optical disk.
While the invention has been described with reference to specific embodiments, the invention is not limited thereto, and various equivalent modifications and substitutions can be easily made by those skilled in the art within the technical scope of the invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for implementing an eBPF-based container network, the method comprising:
converting the prestored eBPF program into an executable target eBPF program according to the input conversion instruction;
if the network data packet is detected to reach the network equipment, triggering a network hook of the fast network path XDP to call a corresponding target eBPF program;
running the target eBPF program to process the network data packet and return a corresponding processing result;
and when the returned processing result is pass, sending the network data packet to a target network stack.
2. The method of claim 1, further comprising:
and when the returned processing result is redirection, sending the network data packet to other hosts.
3. The eBPF-based container network implementation method of claim 1, further comprising:
and when the returned processing result is discarding, discarding the network data packet.
4. The method of claim 1, wherein the converting a pre-stored eBPF program into an executable target eBPF program according to the inputted conversion instruction comprises:
determining a corresponding preset eBPF program according to the input conversion instruction;
compiling the determined eBPF program into an object file by adopting an LLVM (file Linked management platform);
loading the object file to a kernel;
and compiling the object file into a corresponding native code in real time, and determining the native code as an executable target eBPF program.
5. The method as claimed in claim 4, wherein the step of loading the object file into the kernel is followed by the steps of:
controlling a verifier to verify the object file;
if a verification passing instruction sent by the verifier is received, the object file is immediately compiled into a corresponding local code, and the local code is determined to be an executable target eBPF program.
6. The eBPF-based container network implementation method of claim 5, further comprising:
and the control kernel runs the determined target eBPF program and saves the corresponding running state into the BPF mapping.
7. The eBPF-based container network implementation method of claim 6, further comprising:
and if a query instruction sent by the user program is received, inquiring the running state of the target eBPF program corresponding to the query instruction through BPF mapping.
8. An eBPF-based container network implementing apparatus, the apparatus comprising:
the program conversion unit is used for converting the prestored eBPF program into an executable target eBPF program according to the input conversion instruction;
the trigger unit is used for triggering a network hook of the XDP to call a corresponding target eBPF program if the network data packet is detected to reach the network equipment;
the operation unit is used for operating the target eBPF program so as to process the network data packet and return a corresponding processing result;
and the first processing unit is used for sending the network data packet to a target network stack when the returned processing result is pass.
9. A computer device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the computer program, implements the eBPF-based container network implementation method of any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the eBPF-based container network implementation method of any one of claims 1 to 7.
CN202211142782.3A 2022-09-20 2022-09-20 eBPF-based container network implementation method, device, equipment and medium Pending CN115543531A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211142782.3A CN115543531A (en) 2022-09-20 2022-09-20 eBPF-based container network implementation method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN115543531A true CN115543531A (en) 2022-12-30
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116419291A (en) * 2023-06-09 2023-07-11 阿里巴巴(中国)有限公司 Method, equipment and system for extracting runtime parameters
CN116800605A (en) * 2023-08-25 2023-09-22 苏州思萃工业互联网技术研究所有限公司 Network implementation method, system, equipment and medium for running virtual machine in container

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination