<button id=search-close title="Cancel search" type=reset aria-label="Cancel search"><svg class="icon menu-close"><use xlink:href="/v1.13/img/icons.svg#menu-close"/></svg></button></form></nav></header><div class=banner-container></div><article class=post itemscope itemtype=http://schema.org/BlogPosting><div class=header-content><h1>Merbridge - Accelerate your mesh with eBPF</h1><p>Replacing iptables rules with eBPF allows transporting data directly from inbound sockets to outbound sockets, shortening the datapath between sidecars and services.</p></div><p class=post-author>Mar 7, 2022 <span>|</span> By Kebe Liu - DaoCloud, Xiaopeng Han - DaoCloud, Hui Li - DaoCloud</p><div><p>The secret of Istio&rsquo;s abilities in traffic management, security, observability and policy is all in the Envoy proxy. Istio uses Envoy as the &ldquo;sidecar&rdquo; to intercept service traffic, with the kernel&rsquo;s <code>netfilter</code> packet filter functionality configured by iptables.</p><p>There are shortcomings in using iptables to perform this interception. Since netfilter is a highly versatile tool for filtering packets, several routing rules and data filtering processes are applied before a packet reaches the destination socket. For example, between the network layer and the transport layer, netfilter evaluates the packet several times against its predefined hooks, such as <code>PREROUTING</code> and <code>POSTROUTING</code>. Once the packet is handed to the TCP or UDP layer and delivered to user space, additional steps such as packet validation, protocol policy processing and destination-socket lookup are performed. When a sidecar is configured to intercept traffic, the original data path can become very long, because these steps are repeated for every hop through the sidecar.</p><p>Over the past two years, <a href=https://ebpf.io/>eBPF</a> has become a trending technology, and many projects based on eBPF have been released to the community. 
Tools like <a href=https://cilium.io/>Cilium</a> and <a href=https://px.dev>Pixie</a> show great use cases for eBPF in observability and network packet processing. With eBPF&rsquo;s <code>sockops</code> and <code>redir</code> capabilities, data can be processed efficiently by being transported directly from an inbound socket to an outbound socket. In an Istio mesh, it is possible to use eBPF to replace iptables rules, and accelerate the data plane by shortening the data path.</p><p>We have created an open source project called Merbridge, and by applying the following manifest to your Istio-managed cluster, you can use eBPF to achieve such network acceleration. Note that the manifest is fetched from the mutable <code>main</code> branch and deploys a DaemonSet that loads eBPF programs into the kernel of every node (loading eBPF programs is a privileged operation): review its contents and pin it to a release tag or commit hash before applying it to anything other than a test cluster.</p><pre><code class=language-bash data-expandlinks=true data-repo=istio>$ kubectl apply -f https://raw.githubusercontent.com/merbridge/merbridge/main/deploy/all-in-one.yaml
</code></pre><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.13/img/icons.svg#callout-warning"/></svg></div><div class=content>Attention: Merbridge uses eBPF functions which require a Linux kernel version ≥ 5.7.</div></aside></div><p>With Merbridge, the packet datapath can be shortened directly from one socket to another destination socket, and here&rsquo;s how it works.</p><h2 id=using-ebpf-sockops-for-performance-optimization>Using eBPF <code>sockops</code> for performance optimization</h2><p>A network connection is essentially communication between sockets. eBPF provides the helper <code>bpf_msg_redirect_hash</code>, which forwards data that an application writes to one socket directly to another socket. In the eBPF program that calls this helper, developers can implement any logic to decide where the data goes. Because of this, the datapath of packets can be noticeably shortened inside the kernel.</p><p>The <code>sock_map</code> is the crucial piece in recording the information needed for forwarding. When data arrives, an existing socket is selected from the <code>sock_map</code> to forward it to. As a result, we need to record every relevant socket in the map for the transport to work properly. When there is a new socket operation — for example a new socket being created — the <code>sock_ops</code> program is executed; it obtains the socket metadata and stores it in the <code>sock_map</code> for use when data is processed. The common key type in the <code>sock_map</code> is a &ldquo;quadruple&rdquo; of source and destination addresses and ports. 
With the key and the rules stored in the map, the destination socket will be found when a new packet arrives.</p><h2 id=the-merbridge-approach>The Merbridge approach</h2><p>Let&rsquo;s introduce the detailed design and implementation principles of Merbridge step by step, with a real scenario.</p><h3 id=istio-sidecar-traffic-interception-based-on-iptables>Istio sidecar traffic interception based on iptables</h3><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:59.21469284357188%><a data-skipendnotes=true href=/v1.13/blog/2022/merbridge/1.png title="Istio Sidecar Traffic Interception Based on iptables"><img class=element-to-stretch src=/v1.13/blog/2022/merbridge/1.png alt="Istio Sidecar Traffic Interception Based on iptables"></a></div><figcaption>Istio Sidecar Traffic Interception Based on iptables</figcaption></figure><p>When external traffic hits your application&rsquo;s ports, it will be intercepted by a <code>PREROUTING</code> rule in iptables, forwarded to port 15006 of the sidecar container, and handed over to Envoy for processing. This is shown as steps 1-4 in the red path in the above diagram.</p><p>Envoy processes the traffic using the policies issued by the Istio control plane. If allowed, the traffic will be sent to the actual container port of the application container.</p><p>When the application tries to access other services, it will be intercepted by an <code>OUTPUT</code> rule in iptables, and then be forwarded to port 15001 of the sidecar container, where Envoy is listening. This is steps 9-12 on the red path, similar to inbound traffic processing.</p><p>Traffic to the application port needs to be forwarded to the sidecar, then sent to the container port from the sidecar port, which is overhead. Moreover, iptables&rsquo; generality means its performance is not always ideal: every packet is evaluated against the configured filtering rules, which inevitably adds delay to the whole datapath. 
Although iptables is the common way to do packet filtering, in the Envoy proxy case, the longer datapath amplifies the bottleneck of packet filtering in the kernel.</p><p>If we use <code>sockops</code> to directly connect the sidecar&rsquo;s socket to the application&rsquo;s socket, the traffic will not need to go through iptables rules, and thus performance can be improved.</p><p>The flip side of bypassing iptables is that the redirected traffic is no longer visible to anything that inspects it in netfilter — iptables-based logging or policy on the node, or packet capture on the pod&rsquo;s interface for that hop. Every connection is still terminated by Envoy, however, so the policies Istio pushes to the sidecar continue to apply.</p><h3 id=processing-outbound-traffic>Processing outbound traffic</h3><p>As mentioned above, we would like to use eBPF&rsquo;s <code>sockops</code> to bypass iptables and accelerate network requests. At the same time, we do not want to modify any part of Istio, so that Merbridge works with the unmodified community version. As a result, we need to simulate in eBPF what iptables does.</p><p>Traffic redirection in iptables relies on its <code>DNAT</code> function. When simulating this capability with eBPF, there are two main things we need to do:</p><ol><li>Modify the destination address when the connection is initiated, so that traffic is sent to the new endpoint.</li><li>Enable Envoy to identify the original destination address, so that it can classify the traffic.</li></ol><p>For the first part, we can use an eBPF <code>connect</code> program, which rewrites <code>user_ip</code> and <code>user_port</code>.</p><p>For the second part, we need to understand the concept of <code>ORIGINAL_DST</code>, which belongs to the <code>netfilter</code> module in the kernel.</p><p>When an application (including Envoy) accepts a connection, it calls <code>getsockopt</code> with <code>SO_ORIGINAL_DST</code>. If the connection went through the iptables <code>DNAT</code> process, netfilter returns the &ldquo;original IP + port&rdquo; recorded for that connection, so the application can learn the original destination address.</p><p>We have to intercept this call with an eBPF <code>get_sockopt</code> program. 
(<code>bpf_setsockopt</code> is not used here because it does not currently support the <code>SO_ORIGINAL_DST</code> optname).</p><p>Referring to the figure below, when an application initiates a request, it will go through the following steps:</p><ol><li>When the application initiates a connection, the <code>connect</code> program will modify the destination address to <code>127.x.y.z:15001</code>, and use <code>cookie_original_dst</code> to save the original destination address.</li><li>In the <code>sockops</code> program, the current socket information and the quadruple are saved in <code>sock_pair_map</code>. At the same time, the same quadruple and its corresponding original destination address will be written to <code>pair_original_dst</code>. (The socket cookie is not used as the key here because it is not available to the <code>get_sockopt</code> program.)</li><li>After Envoy receives the connection, it will call the <code>get_sockopt</code> function to read the destination address of the current connection. <code>get_sockopt</code> will extract and return the original destination address from <code>pair_original_dst</code>, according to the quadruple information. Thus, the connection is completely established.</li><li>In the data transport step, the <code>redir</code> program will read the sock information from <code>sock_pair_map</code> according to the quadruple information, and then forward it directly through <code>bpf_msg_redirect_hash</code> to speed up the request.</li></ol><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:70%><a data-skipendnotes=true href=/v1.13/blog/2022/merbridge/2.png title="Processing Outbound Traffic"><img class=element-to-stretch src=/v1.13/blog/2022/merbridge/2.png alt="Processing Outbound Traffic"></a></div><figcaption>Processing Outbound Traffic</figcaption></figure><p>Why do we set the destination address to <code>127.x.y.z</code> instead of <code>127.0.0.1</code>? 
Because the quadruple is the map key, two pods on the same node that both connected to <code>127.0.0.1:15001</code> could collide on the same quadruple; using a loopback address that differs per pod avoids this gracefully. (Pods&rsquo; IPs are distinct, so the resulting quadruples can never collide.)</p><h3 id=inbound-traffic-processing>Inbound traffic processing</h3><p>The processing of inbound traffic is basically similar to outbound traffic, with the only difference being that the destination port is rewritten to 15006.</p><p>It should be noted that, unlike iptables rules, these eBPF programs cannot be scoped to a single network namespace: the change is node-wide. If a Pod that is not managed by Istio, or an external IP address, were handled the same way, serious problems would be encountered — such as the connection not being established at all.</p><p>As a result, we designed a tiny control plane (deployed as a DaemonSet), which watches all pods — similar to the kubelet watching pods on the node — and writes the IP addresses of pods that have had the sidecar injected to the <code>local_pod_ips</code> map.</p><p>When processing inbound traffic, if the destination address is not in the map, we will not do anything to the traffic.</p><p>This map is therefore the only thing that decides whether a destination is treated as mesh-managed: the DaemonSet needs permission to watch pods, and its view of the cluster must keep up with pod churn, otherwise traffic to a pod may be redirected to a sidecar port that nothing is listening on, or not redirected at all.</p><p>Otherwise, the steps are the same as for outbound traffic.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:70.817843866171%><a data-skipendnotes=true href=/v1.13/blog/2022/merbridge/3.png title="Processing Inbound Traffic"><img class=element-to-stretch src=/v1.13/blog/2022/merbridge/3.png alt="Processing Inbound Traffic"></a></div><figcaption>Processing Inbound Traffic</figcaption></figure><h3 id=same-node-acceleration>Same-node acceleration</h3><p>Theoretically, acceleration between Envoy sidecars on the same node can be achieved directly through inbound traffic processing. However, Envoy will raise an error when accessing the application of the current pod in this scenario.</p><p>In Istio, Envoy accesses the application by using the current pod IP and port number. 
In this scenario, the pod IP is present in the <code>local_pod_ips</code> map as well, so the traffic would be redirected to the pod IP on port 15006 again — the very address the inbound traffic came from. Redirecting back to the same inbound address causes an infinite loop.</p><p>The question then becomes: is there a way for eBPF to learn the IP address of the current network namespace? There is.</p><p>We designed a feedback mechanism: when Envoy tries to establish the connection, we redirect it to port 15006 as usual. In the <code>sockops</code> step, however, we check whether the source IP and the destination IP are the same. If they are, this connection was redirected by mistake, and we discard it in the <code>sockops</code> program. At the same time, the current <code>ProcessID</code> and <code>IP</code> are written into the <code>process_ip</code> map, which gives the eBPF programs a mapping from processes to IPs.</p><p>When the next request is sent, this detour is not needed again. 
We will check directly from the <code>process_ip</code> map if the destination address is the same as the current IP address.</p><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.13/img/icons.svg#callout-warning"/></svg></div><div class=content>The first connection from Envoy to its own application is deliberately dropped so that the process-to-IP mapping can be learned. Envoy retries the failed request, and because the mapping is then cached in <code>process_ip</code>, this happens only once per Envoy process: subsequent requests are accelerated.</div></aside></div><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:70.11884550084889%><a data-skipendnotes=true href=/v1.13/blog/2022/merbridge/4.png title="Same-node acceleration"><img class=element-to-stretch src=/v1.13/blog/2022/merbridge/4.png alt="Same-node acceleration"></a></div><figcaption>Same-node acceleration</figcaption></figure><h3 id=connection-relationship>Connection relationship</h3><p>Before applying eBPF using Merbridge, the data path between pods is like:</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:60.411311053984576%><a data-skipendnotes=true href=/v1.13/blog/2022/merbridge/5.png title="iptables's data path"><img class=element-to-stretch src=/v1.13/blog/2022/merbridge/5.png alt="iptables's data path"></a></div><figcaption>iptables's data path</figcaption></figure><p>After applying Merbridge, the outbound traffic will skip many filter steps to improve the performance:</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:61.20358514724712%><a data-skipendnotes=true href=/v1.13/blog/2022/merbridge/6.png title="eBPF's data path"><img class=element-to-stretch src=/v1.13/blog/2022/merbridge/6.png alt="eBPF's data path"></a></div><figcaption>eBPF's data path</figcaption></figure><p>If two pods are on the same machine, the connection can even be faster:</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:55.346650998824906%><a data-skipendnotes=true 
href=/v1.13/blog/2022/merbridge/7.png title="eBPF's data path on the same machine"><img class=element-to-stretch src=/v1.13/blog/2022/merbridge/7.png alt="eBPF's data path on the same machine"></a></div><figcaption>eBPF's data path on the same machine</figcaption></figure><h2 id=performance-results>Performance results</h2><div><aside class="callout warning"><div class=type><svg class="large-icon"><use xlink:href="/v1.13/img/icons.svg#callout-warning"/></svg></div><div class=content>The below tests are from our development, and not yet validated in production use cases.</div></aside></div><p>Let&rsquo;s see the effect on overall latency using eBPF instead of iptables (lower is better):</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:56.84007707129094%><a data-skipendnotes=true href=/v1.13/blog/2022/merbridge/8.png title="Latency vs Client Connections Graph"><img class=element-to-stretch src=/v1.13/blog/2022/merbridge/8.png alt="Latency vs Client Connections Graph"></a></div><figcaption>Latency vs Client Connections Graph</figcaption></figure><p>We can also see overall QPS after using eBPF (higher is better). Test results are generated with <code>wrk</code>.</p><figure style=width:100%><div class=wrapper-with-intrinsic-ratio style=padding-bottom:59.25233644859813%><a data-skipendnotes=true href=/v1.13/blog/2022/merbridge/9.png title="QPS vs Client Connections Graph"><img class=element-to-stretch src=/v1.13/blog/2022/merbridge/9.png alt="QPS vs Client Connections Graph"></a></div><figcaption>QPS vs Client Connections Graph</figcaption></figure><h2 id=summary>Summary</h2><p>We have introduced the core ideas of Merbridge in this post. By replacing iptables with eBPF, the data transportation process can be accelerated in a mesh scenario. At the same time, Istio will not be changed at all. 
This means that if you no longer want to use eBPF, you can simply delete the DaemonSet and the datapath reverts to the traditional iptables-based routing: Istio&rsquo;s own iptables rules were never removed, only bypassed.</p><p>Merbridge is a completely independent open source project. It is still at an early stage, and we are looking forward to having more users and developers get engaged. It would be greatly appreciated if you would try this new technology to accelerate your mesh, and provide us with some feedback!</p><h2 id=see-also>See also</h2><ul><li><a href=https://github.com/merbridge/merbridge>Merbridge on GitHub</a></li><li><a href=https://developpaper.com/kubecon-2021-%EF%BD%9C-using-ebpf-instead-of-iptables-to-optimize-the-performance-of-service-grid-data-plane/>Using eBPF instead of iptables to optimize the performance of service grid data plane</a> by Liu Xu, Tencent</li><li><a href=https://jimmysong.io/en/blog/sidecar-injection-iptables-and-traffic-routing/>Sidecar injection and transparent traffic hijacking process in Istio explained in detail</a> by Jimmy Song, Tetrate</li><li><a href=https://01.org/blogs/xuyizhou/2021/accelerate-istio-dataplane-ebpf-part-1>Accelerate the Istio data plane with eBPF</a> by Yizhou Xu, Intel</li><li><a href=https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/original_dst_filter>Envoy&rsquo;s Original Destination filter</a></li></ul></div><nav class=pagenav><div class=left><a title="The conference will take place at the end of April, and the first 400 participants will receive a conference t-shirt." href=/v1.13/blog/2022/istiocon-register/ class=next-link><svg class="icon left-arrow"><use xlink:href="/v1.13/img/icons.svg#left-arrow"/></svg>Register now for IstioCon 2022!</a></div><div class=right><a title="The second annual conference for Istio will take place at the end of April." 
