This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking-website.git


The following commit(s) were added to refs/heads/master by this push:
     new 2c5dd4c0f51 blog: Monitoring kubernetes network traffic by using eBPF 
(#693)
2c5dd4c0f51 is described below

commit 2c5dd4c0f5162b7ff559d248919ebdcc7a319de2
Author: mrproliu <741550...@qq.com>
AuthorDate: Thu Mar 21 09:14:35 2024 +0000

    blog: Monitoring kubernetes network traffic by using eBPF (#693)
---
 .../index.md                                       | 193 +++++++++++++++++++++
 .../kubernetes-service-enpoint.png                 | Bin 0 -> 27871 bytes
 .../kubernetes-service-http.png                    | Bin 0 -> 70954 bytes
 .../kubernetes-service-list.png                    | Bin 0 -> 69935 bytes
 .../kubernetes-service-tcp-1.png                   | Bin 0 -> 102362 bytes
 .../kubernetes-service-tcp.png                     | Bin 0 -> 184945 bytes
 .../kubernetes-service-topology.png                | Bin 0 -> 76597 bytes
 7 files changed, 193 insertions(+)

diff --git 
a/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/index.md 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/index.md
new file mode 100644
index 00000000000..0922a41222d
--- /dev/null
+++ b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/index.md
@@ -0,0 +1,193 @@
+---
+title: "Monitoring Kubernetes network traffic by using eBPF"
+date: 2024-03-18
+author: Han Liu
+description: This article demonstrates how SkyWalking uses eBPF technology to 
monitor network traffic on Kubernetes.
+---
+
+## Background
+
+
+[Apache SkyWalking](https://skywalking.apache.org/) is an open-source 
Application Performance Management system that helps users gather logs, traces, 
metrics, and events from various platforms and display them on the UI.
+With version 9.7.0, SkyWalking can collect access logs from probes in multiple 
languages and from Kubernetes, generating corresponding topologies, links, and 
other data. However, it could not initially collect and map access logs from 
applications in Kubernetes environments. This article explores how the 10.0.0 
version of Apache SkyWalking employs eBPF technology to collect and store 
application access logs, addressing this limitation.
+
+## Why eBPF?
+
+To monitor the network traffic in Kubernetes, the following features support 
be support:
+
+1. **Cross Language**: Applications deployed in Kubernetes may be written in 
any programming language, making support for diverse languages important.
+2. **Non-Intrusiveness**: It's imperative to monitor network traffic without 
making any modifications to the applications, as direct intervention with 
applications in Kubernetes is not feasible.
+3. **Kernel Metrics Monitoring**: Often, diagnosing network issues by 
analyzing traffic performance at the user-space level is insufficient. A deeper 
analysis incorporating kernel-space network traffic metrics is frequently 
necessary.
+4. **Support for Various Network Protocols**: Applications may communicate 
using different transport protocols, necessitating support for a range of 
protocols.
+
+Given these requirements, eBPF emerges as a capable solution. In the next 
section, we will delve into detailed explanations of how Apache SkyWalking 
Rover resolves these aspects.
+
+## Kernel Monitoring and Protocol Analysis
+
+In previous articles, we've discussed how to monitor network traffic from 
programs written in various languages.
+This technique remains essential for network traffic monitoring, allowing for 
the collection of traffic data without language limitations.
+However, due to the unique aspects of our monitoring trigger mechanism and the 
specific features of kernel monitoring, these two areas warrant separate 
explanations.
+
+### Kernel Monitoring
+
+Kernel monitoring allows users to gain insights into network traffic 
performance based on the execution at the kernel level,
+specifically from Layer 2 (Data Link) to Layer 4 (Transport) of the OSI model.
+
+Network monitoring at the kernel layer is deference from the syscall 
(user-space) layer in terms of the metrics and identifiers used.
+While the syscalls layer can utilize file descriptors to correlate various 
operations, kernel layer network operations primarily use packets as unique 
identifiers.
+This discrepancy necessitates a mapping relationship that SkyWalking Rover can 
use to bind these two layers together for comprehensive monitoring.
+
+Let's dive into the details of how data is monitored in both sending and 
receiving modes.
+
+#### Observe Sending
+
+When sending data, tracking the status and timing of each packet is crucial 
for understanding the state of each transmission.
+Within the kernel, operations progress from Layer 4 (L4) down to Layer 2 (L2), 
maintaining the same thread ID as during the syscalls layer, which simplifies 
data correlation.
+
+SkyWalking Rover monitors several key kernel functions to observe packet 
transmission dynamics, listed from L4 to L2:
+
+1. **kprobe/tcp_sendmsg**: Captures the time when a packet enters the L4 
protocol stack for sending and the time it finishes processing.
+   This function is essential for tracking the initial handling of packets at 
the transport layer.
+2. **kprobe/tcp_transmit_skb**: Records the total number of packet 
transmissions and the size of each packet sent.
+   This function helps identify how many times a packet or a batch of packets 
is attempted to be sent, which is critical for understanding network throughput 
and congestion.
+3. **tracepoint/tcp/tcp_retransmit_skb**: Notes whether packet retransmission 
occurs, providing insights into network reliability and connection quality.
+   Retransmissions can significantly impact application performance and user 
experience.
+4. **tracepoint/skb/kfree_skb**: Records packet loss during transmission and 
logs the reason for such occurrences.
+   Understanding packet loss is crucial for diagnosing network issues and 
ensuring data integrity.
+5. **kprobe/__ip_queue_xmit**: Records the start and end times of processing 
by the L3 protocol. This function is vital for understanding the time taken for 
IP-level operations, including routing decisions.
+6. **kprobe/nf_hook_slow**: Records the total time and number of occurrences 
spent in Netfilter hooks, such as iptables rule evaluations.
+   This monitoring point is important for assessing the impact of firewall 
rules and other filtering mechanisms on packet flow.
+7. **kprobe/neigh_resolve_output**: If resolving an unknown MAC address is 
necessary before sending a network request,
+   this function records the occurrences and total time spent on this 
resolution. MAC address resolution times can affect the initial packet 
transmission delay.
+8. **kprobe/__dev_queue_xmit**: Records the start and end times of entering 
the L2 protocol stack, providing insights into the data link layer's processing 
times.
+9. **tracepoint/net/net_dev_start_xmit** and **tracepoint/net/net_dev_xmit**: 
Records the actual time taken to transmit each packet at the network interface 
card (NIC).
+   These functions are crucial for understanding the hardware-level 
performance and potential bottlenecks at the point of sending data to the 
physical network.
+
+According to the interception of the above method, Apache SkyWalking Rover can 
provide key execution time and metrics for each level when sending network data,
+from the application layer (Layer 7) to the transport layer (Layer 4), and 
finally to the data link layer (Layer 2).
+
+#### Observe Receiving
+
+When receiving data, the focus is often on the time it takes for packets to 
travel from the network interface card (NIC) to the user space.
+Unlike the process of sending data, data receiving in the kernel proceeds from 
the data link layer (Layer 2) up to the transport layer (Layer 4), until the 
application layer (Layer 7) retrieves the packet's content.
+In SkyWalking Rover, monitors the following key system functions to observe 
this process, listed from L2 to L4:
+1. **tracepoint/net/netif_receive_skb**: Records the time when a packet is 
received by the network interface card.
+   This tracepoint is crucial for understanding the initial point of entry for 
incoming data into the system.
+2. **kprobe/ip_rcv**: Records the start and end times of packet processing at 
the network layer (Layer 3).
+   This probe provides insights into how long it takes for the IP layer to 
handle routing, forwarding, and delivering packets to the correct application.
+3. **kprobe/nf_hook_slow**: Records the total time and occurrences spent in 
Netfilter hooks, same with the sending traffic flow.
+4. **kprobe/tcp_v4_rcv**: Records the start and end times of packet processing 
at the transport layer (Layer 4).
+   This probe is key to understanding the efficiency of TCP operations, 
including connection management, congestion control, and data flow.
+5. **tracepoint/skb/skb_copy_datagram_iovec**: When application layer 
protocols use the data, this tracepoint binds the packet to the syscall layer 
data at Layer 7.
+   This connection is essential for correlating the kernel's handling of 
packets with their consumption by user-space applications.
+
+Based on the above methods, network monitoring can help you understand the 
complete execution process and execution time from when data is received by the 
network card to when it is used by the program.
+
+#### Metrics
+
+By intercepting the methods mentioned above, we can gather key metrics that 
provide insights into network performance and behavior. These metrics include:
+
+1. **Packets**: The size of the packets and the frequency of their 
transmission or reception.
+   These metric offers a fundamental understanding of the network load and the 
efficiency of data movement between the sender and receiver.
+2. **Connections**: The number of connections established or accepted between 
services and the time taken for these connections to be set up.
+   This metric is crucial for analyzing the efficiency of communication and 
connection management between different services within the network.
+3. **L2-L4 Events**: The time spent on key events within the Layer 2 to Layer 
4 protocols.
+   This metric sheds light on the processing efficiency and potential 
bottlenecks within the lower layers of the network stack, which are essential 
for data transmission and reception.
+
+### Protocol Analyzing
+
+In previous articles, we have discussed parsing HTTP/1.x protocols. However, 
with HTTP/2.x, the protocol's stateful nature and the pre-established 
connections between services complicate network profiling.
+This complexity makes it challenging for Apache SkyWalking Rover to fully 
perceive the connection context, hindering protocol parsing operations.
+
+Transitioning network monitoring to Daemon mode offers a solution to this 
challenge. By continuously observing service operations around the clock,
+SkyWalking Rover can begin monitoring as soon as a service starts. This 
immediate initiation allows for the tracking of the complete execution context,
+making the observation of stateful protocols like HTTP/2.x feasible.
+
+#### Probes
+
+To detect when a process is started, monitoring a specific trace point 
(**tracepoint/sched/sched_process_fork**) is essential.
+This approach enables the system to be aware of process initiation events.
+Given the necessity to filter process traffic based on certain criteria such 
as the process's namespace,
+Apache SkyWalking Rover follows a series of steps to ensure accurate and 
efficient monitoring. These steps include:
+
+1. **Monitoring Activation**: The process is immediately added to a monitoring 
whitelist upon detection.
+   This step ensures that the process is considered for monitoring from the 
moment it starts, without delay.
+2. **Push to Queue**: The process's PID (Process ID) is pushed into a 
monitoring confirmation queue.
+   This queue holds the PIDs of newly detected processes that are pending 
further confirmation from a user-space program.
+   This asynchronous approach allows for the separation of immediate detection 
and subsequent processing, optimizing the monitoring workflow.
+3. **User-Space Program Confirmation**: The user-space program retrieves 
process PIDs from the queue and assesses whether
+   each process should continue to be monitored. If a process is deemed 
unnecessary for monitoring, it is removed from the whitelist.
+
+This process ensures that SkyWalking Rover can dynamically adapt its 
monitoring scope based on real-time conditions and configurations, allowing for 
both comprehensive coverage and efficient resource use.
+
+#### Limitations
+
+The monitoring of stateful protocols like HTTP/2.x currently faces certain 
limitations:
+
+1. **Inability to Observe Pre-existing Connections**: Monitoring the complete 
request and response cycle requires that monitoring be initiated before any 
connections are established.
+   This requirement means that connections set up before the start of 
monitoring cannot be observed.
+2. **Challenges with TLS Requests**: Observing TLS encrypted traffic is 
complex because it relies on **asynchronously attaching uprobes** (user-space 
attaching) for observation.
+   If new requests are made before these uprobes are successfully attached, it 
becomes impossible to access the data before encryption or after decryption.
+
+## Demo
+
+Next, let’s quickly demonstrate the Kubernetes monitoring feature, so you can 
understand more specifically what it accomplishes.
+
+### Deploy SkyWalking Showcase
+
+SkyWalking Showcase contains a complete set of example services and can be 
monitored using SkyWalking. For more information, please check the [official 
documentation](https://skywalking.apache.org/docs/skywalking-showcase/next/readme/).
+
+In this demo, we only deploy service, the latest released SkyWalking OAP, and 
UI.
+
+```shell
+export FEATURE_FLAGS=java-agent-injector,single-node,elasticsearch, rover
+make deploy.kubernetes
+```
+
+After deployment is complete, please run the following script to open 
SkyWalking UI: http://localhost:8080/.
+
+```shell
+kubectl port-forward svc/ui 8080:8080 --namespace default
+```
+
+### Done
+
+Once deployed, Apache SkyWalking Rover automatically begins monitoring traffic 
within the system upon startup.
+Then, reports this traffic data to SkyWalking OAP, where it is ultimately 
stored in a database.
+
+In the Service Dashboard within Kubernetes, you can view a list of monitored 
Kubernetes services.
+If any of these services have HTTP traffic, this information would be 
displayed alongside them in the dashboard.
+
+[Kubernetes Service List](kubernetes-service-list.png)
+
+*Figure 1: Kubernetes Service List*
+
+Additionally, within the Topology Tab, you can observe the topology among 
related services. In each service or call relationship, there would display 
relevant TCP and HTTP metrics.
+
+![Kubernetes Service Topology](kubernetes-service-topology.png)
+
+*Figure 2: Kubernetes Service Topology*
+
+When you select a specific service from the Service list, you can view service 
metrics at both the TCP and HTTP levels for the chosen service.
+
+![Kubernetes Service TCP Metrics](kubernetes-service-tcp.png)
+
+*Figure 3: Kubernetes Service TCP Metrics*
+
+![Kubernetes Service HTTP Metrics](kubernetes-service-http.png)
+
+*Figure 4: Kubernetes Service HTTP Metrics*
+
+Furthermore, by using the Endpoint Tab, you can see which URIs have been 
accessed for the current service.
+
+![Kubernetes Service Endpoint](kubernetes-service-enpoint.png)
+
+*Figure 5: Kubernetes Service Endpoint List*
+
+## Conclusion
+
+In this article, I've detailed how to utilize eBPF technology for network 
monitoring of services within a Kubernetes cluster,
+a capability that has been implemented in Apache SkyWalking Rover.
+This approach leverages the power of eBPF to provide deep insights into 
network traffic and service interactions,
+enhancing visibility and observability across the cluster.
+
diff --git 
a/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-enpoint.png
 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-enpoint.png
new file mode 100644
index 00000000000..29b484ed051
Binary files /dev/null and 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-enpoint.png
 differ
diff --git 
a/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-http.png
 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-http.png
new file mode 100644
index 00000000000..745c41e609c
Binary files /dev/null and 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-http.png
 differ
diff --git 
a/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-list.png
 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-list.png
new file mode 100644
index 00000000000..dcc7de50825
Binary files /dev/null and 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-list.png
 differ
diff --git 
a/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-tcp-1.png
 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-tcp-1.png
new file mode 100644
index 00000000000..196d1275d08
Binary files /dev/null and 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-tcp-1.png
 differ
diff --git 
a/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-tcp.png
 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-tcp.png
new file mode 100644
index 00000000000..875dcd0bdda
Binary files /dev/null and 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-tcp.png
 differ
diff --git 
a/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-topology.png
 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-topology.png
new file mode 100644
index 00000000000..b01a0da7e41
Binary files /dev/null and 
b/content/blog/2023-03-18-monitor-kubernetes-network-by-ebpf/kubernetes-service-topology.png
 differ

Reply via email to