Merge pull request kubernetes-retired#292 from astoycos/kpng-ebpf

Kpng ebpf backend POC

.github/workflows/backend-build.yml

@@ -55,3 +55,15 @@ jobs:
 
     - name: build backends/nft
       run: ./hack/test_backend_build.sh nft
+
+  ebpf: 
+    name: build backend package ebpf
+    needs: setup
+    runs-on: ubuntu-latest
+    steps:
+    - name: checkout
+      uses: actions/checkout@v2
+
+    - name: build backends/ebpf
+      run: ./hack/test_backend_build.sh ebpf
+

.github/workflows/docker-action.yml

@@ -12,4 +12,3 @@ jobs:
         with:
           context: .
           push: false
-

backends/ebpf/Makefile

@@ -0,0 +1,89 @@
+# The development version of clang is distributed as the 'clang' binary,
+# while stable/released versions have a version number attached.
+# Pin the default clang to a stable version.
+CLANG ?= clang-14
+STRIP ?= llvm-strip-14
+CFLAGS := -O2 -g -Wall -Werror $(CFLAGS)
+
+# Obtain an absolute path to the directory of the Makefile.
+# Assume the Makefile is in the root of the repository.
+REPODIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+UIDGID := $(shell stat -c '%u:%g' ${REPODIR})
+
+# Prefer podman if installed, otherwise use docker.
+# Note: Setting the var at runtime will always override.
+CONTAINER_ENGINE ?= $(if $(shell command -v podman), podman, docker)
+CONTAINER_RUN_ARGS ?= $(if $(filter ${CONTAINER_ENGINE}, podman),, --user "${UIDGID}")
+
+IMAGE := quay.io/cilium/ebpf-builder
+VERSION := 1648566014
+
+# clang <8 doesn't tag relocs properly (STT_NOTYPE)
+# clang 9 is the first version emitting BTF
+# TARGETS := \
+# 	testdata/loader-clang-7 \
+# 	testdata/loader-clang-9 \
+# 	testdata/loader-$(CLANG) \
+# 	testdata/btf_map_init \
+# 	testdata/invalid_map \
+# 	testdata/raw_tracepoint \
+# 	testdata/invalid_map_static \
+# 	testdata/invalid_btf_map_init \
+# 	testdata/strings \
+# 	testdata/freplace \
+# 	testdata/iproute2_map_compat \
+# 	testdata/map_spin_lock \
+# 	testdata/subprog_reloc \
+# 	testdata/fwd_decl \
+# 	internal/btf/testdata/relocs \
+# 	internal/btf/testdata/relocs_read \
+# 	internal/btf/testdata/relocs_read_tgt
+
+.PHONY: all clean container-all container-shell generate
+
+.DEFAULT_TARGET = container-all
+
+# Build all ELF binaries using a containerized LLVM toolchain.
+container-all:
+	${CONTAINER_ENGINE} run --rm ${CONTAINER_RUN_ARGS} \
+		-v "${REPODIR}":/ebpf -w /ebpf --env MAKEFLAGS \
+		--env CFLAGS="-fdebug-prefix-map=/ebpf=." \
+		--env HOME="/tmp" \
+		"${IMAGE}:${VERSION}" \
+		$(MAKE) all
+
+# (debug) Drop the user into a shell inside the container as root.
+container-shell:
+	${CONTAINER_ENGINE} run --rm -ti \
+		-v "${REPODIR}":/ebpf -w /ebpf \
+		"${IMAGE}:${VERSION}"
+
+clean:
+	-$(RM) testdata/*.elf
+	-$(RM) internal/btf/testdata/*.elf
+
+format:
+	find . -type f -name "*.c" | xargs clang-format -i
+
+all: format $(addsuffix -el.elf,$(TARGETS)) $(addsuffix -eb.elf,$(TARGETS)) generate
+	ln -srf testdata/loader-$(CLANG)-el.elf testdata/loader-el.elf
+	ln -srf testdata/loader-$(CLANG)-eb.elf testdata/loader-eb.elf
+
+# $BPF_CLANG is used in go:generate invocations.
+generate: export BPF_CLANG := $(CLANG)
+generate: export BPF_CFLAGS := $(CFLAGS)
+generate:
+	go generate ./
+
+%-el.elf: %.c
+	$(CLANG) $(CFLAGS) -target bpfel -c $< -o $@
+	$(STRIP) -g $@
+
+%-eb.elf : %.c
+	$(CLANG) $(CFLAGS) -target bpfeb -c $< -o $@
+	$(STRIP) -g $@
+
+run: 
+	go generate ./
+	go build 
+	sudo ./ebpf

backends/ebpf/README.md

@@ -0,0 +1,60 @@
+# KPNG EBPF Backend Implementation
+
+## OS pre-requisites
+
+* Linux Kernel > 5.15 (hasn't be tested on earlier versions)
+* LLVM 
+    - Fedora: `sudo dnf install -y llvm-devel`
+    - Ubuntu: `apt-get install -y llvm-dev` 
+* Glibc
+    - Fedora: `sudo dnf install glibc-devel.i686` 
+    - Ubuntu: `apt-get install -y linux-libc-dev` 
+* [cilium/ebpf requirements](https://github.com/cilium/ebpf#requirements)
+* Bpf2go 
+    - `go install github.com/cilium/ebpf/cmd/bpf2go@master`
+
+## Intro
+
+NOTE: This KPNG ebpf based backend is currently a POC and is limited in functionality
+exclusively to proxying internal ClusterIP based TCP + UDP services.  Functionality 
+will be expanded moving forward to include support for the remainder of the defined 
+service features.
+
+## Compile ebpf program
+
+This will automatically use `cilium/ebpf` to compile the go program into bytecode
+using clang, and build go bindings
+
+`cd /backends/ebpf && go generate`
+
+## Start a local kpng ebpf backend kind cluster
+
+Starting a local KIND cluster with the ebpf backend will automatically install 
+bpf2go if needed, and recompile the BPF program. 
+
+`./hack/test_e2e.sh -i ipv4 -b ebpf -d`
+
+## Testing Local Changes quickly
+
+1. `docker build -t kpng:test -f Dockerfile .` 
+NOTE: If any changes was made to the c source code `go generate` must be manually run 
+prior to image building.
+
+2. `kind load docker-image kpng:test --name=kpng-e2e-ipv4-ebpf`
+
+3. `kubectl delete pods -n kube-system -l app=kpng`
+
+## See ebpf program logs
+
+`kubectl logs -f <KPNG_POD_NAME> -n kube-system -c kpng-ebpf-tools cat /tracing/trace_pipe`
+
+
+## Licensing
+
+The user space components of this example are licensed under the [Apache License, Version 2.0](/LICENSE) as is the
+rest of the code defined in KPNG.
+
+The bpf code template (defined in [`cgroup_connect3.c`](/backends/ebpf/bpf/cgroup_connect4.c)) was adapted from
+the bpf templates defined in the [Cilium Project](https://github.com/cilium/cilium) and
+continues to use the same licenses defined there, i.e the [2-Clause BSD License](/backends/ebpf/bpf/LICENSE.BSD-2-Clause)
+and [General Public License, Version 2.0 (only)](/backends/ebpf/bpf/LICENSE.GPL-2.0)

backends/ebpf/bpf/LICENSE.BSD-2-Clause

@@ -0,0 +1,25 @@
+BSD 2-Clause License
+
+Copyright (c) 2022, Andrew Stoycos
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.