Henry Du Blog

think digital, act analog

Reading Notes: Netfilter and iptables (1)

reading notes of Understanding Linux Network Internals

Reading Notes: Netfilter and iptables

Netfilter is the firewalling subsystem in the Linux kernel and is built as a modular component[1]. For example, some fields are included in the sk_buff data structure only if the kernel is compiled with support for the Netfilter feature. struct sk_buff is defined in linux/include/skbuff.h, and there is a well-written document at the top of that file. It includes the Netfilter common header file:

#if IS_ENABLED(CONFIG_NF_CONNTRACK)
#include <linux/netfilter/nf_conntrack_common.h>
#endif

Firewalling, essentially, hooks into certain places in the network stack code that packets always pass through, and acts when the packets or the kernel meet certain conditions.

Cross-host Container Networks

VXLAN Mode

Cross-host Container Networks - VXLAN mode

VXLAN

We have reviewed the UDP mode of cross-host container networks. We realized that it has a performance issue because the IP packets have to be processed by a user space application. VXLAN allows us to handle the encapsulation/decapsulation in Linux kernel space. Virtual Extensible LAN, a.k.a. VXLAN (RFC 7348), is supported by the Linux kernel. It is able to encapsulate IP packets in another layer and construct overlay networks, as the UDP tunnel does.

Cross-host Container Networks

UDP Mode

Cross-host Container Networks - UDP mode

In the previous article, we walked through container networking on one Linux host. However, with the default Docker configuration, a container is unable to communicate with a container on a different host. There are many solutions to the cross-host container communication problem, and we will go through some of them one by one. The first and most famous one is the Flannel CNI.

Flannel CNI

The Flannel CNI project is one of the projects developed by CoreOS.

K8S Runtime: With or Without Docker

K8S Container Runtime Evolution

With Docker

In the Kubernetes v1.20 release notes, the major change is the deprecation of dockershim, which means K8S will never use Docker as the container runtime. The Kubernetes community has written a blog post about this in detail. The Docker runtime is just one component of the Docker suite. Developers still use Docker to build a Docker image, and use Docker Hub, a Docker image repository, to store Docker images.

Cilium: K8S Service Load Balancing - Part 2

Cilium's service LB based on eBPF/XDP

The first part introduced the K8S service. Now we can focus on Cilium's service LB based on eBPF/XDP.

Cilium agent

Cilium service LB implements the data path for all K8S service types via BPF. cilium-agent on each node watches kube-apiserver, observes changes in K8S services, and dynamically updates the BPF configuration according to those changes. As the diagram above shows, there are two components that realize the service