How eBPF will revolutionize container monitoring

Since the advent of Docker and Kubernetes almost a decade ago, one of the biggest drawbacks of containers has been that they are difficult to monitor. The ephemeral nature of containers, combined with their abstraction from the servers that host them, has made it difficult to collect monitoring data from containers efficiently and effectively.

Fortunately, there is a promising new technology that offers a solution to the container monitoring puzzle. It's called eBPF, and there is a good chance that it will change traditional approaches to monitoring Docker and Kubernetes workloads.

Container monitoring: the traditional approach

Traditionally, developers and IT engineers who wanted to monitor containers faced a number of challenges:

  • A single application can consist of dozens – perhaps hundreds – of individual containers. Each container must be monitored individually, which increases the work required to deploy monitoring agents and collect the necessary data from each container.
  • Data stored inside containers disappears when containers shut down, and it is often impossible to predict exactly when a container will shut down. For this reason, you cannot pull monitoring data periodically. You need a way to collect it from each container in real time.
  • Because containers are abstracted from the operating system of the servers that host them, and because they may move between servers, host-based monitoring methods do not work well. You can't easily run an agent on every server and use it to monitor all of your containers.

There are different ways to solve these challenges, but the most common is to use what has come to be known as the sidecar pattern to deploy container monitoring agents. Under the sidecar pattern, monitoring agents run inside dedicated containers, which run alongside the containers they monitor. This approach is more efficient than trying to deploy monitoring agents on the host. It also eliminates the need to expose monitoring data directly from within the application logic, which would require complex changes to the source code.

However, the sidecar pattern comes with a huge downside: it doesn't use resources very efficiently. Having to deploy a sidecar container alongside each container hosting the actual workload means that you end up running many containers. Because all of these additional containers require CPU and memory resources, they leave fewer resources available for your primary workloads.

A better approach to container monitoring: eBPF

eBPF provides a way to square this circle by monitoring each container without consuming significant resources.

Introduced in 2015, eBPF is a Linux feature that makes it possible to run programs directly in the Linux kernel, rather than running them in "userland", where they don't have direct access to kernel resources.

Since they run in the kernel, eBPF programs consume minimal resources. They also have access to data generated by any process running on the server where they run.

If you want to monitor containers, you can write an eBPF program that hooks into the processes associated with each container and uses them to collect monitoring data. You will end up with a monitoring solution that is less resource hungry than traditional sidecar containers.

At the same time, you won’t have to compromise on the amount of data you can collect for monitoring purposes. Almost every piece of information you want about the state and performance of each container is available through the kernel.

Even deployment and management are simpler with an eBPF-based approach to monitoring. Instead of having to deploy and orchestrate a set of sidecar containers, you can simply run an eBPF program on each node in your cluster.
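As an added illustration (not code from the original article), the sketch below shows the node-level approach described above: a single kernel probe reports every process start on the host, and a userland helper attributes each one to a container by reading its cgroup path. It assumes the BCC toolkit and root privileges on the node; the helper names `container_id_from_cgroup` and `attribute` are hypothetical.

```python
import re
# Kernel side (BCC C dialect): one probe on the node sees every exec in every container.
BPF_PROGRAM = r"""
#include <linux/sched.h>
struct event_t { u32 pid; u64 cgroup_id; char comm[TASK_COMM_LEN]; };
BPF_PERF_OUTPUT(events);
TRACEPOINT_PROBE(sched, sched_process_exec) {
    struct event_t e = {};
    e.pid = bpf_get_current_pid_tgid() >> 32;
    e.cgroup_id = bpf_get_current_cgroup_id();  // captured in-kernel, so it cannot go stale
    bpf_get_current_comm(&e.comm, sizeof(e.comm));
    events.perf_submit(args, &e, sizeof(e));
    return 0;
}
"""

# Container runtimes embed the 64-hex container ID in the cgroup path.
_CONTAINER_ID = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])")

def container_id_from_cgroup(cgroup_text):
    """Return the container ID found in /proc/<pid>/cgroup text, or None for host processes."""
    for line in cgroup_text.splitlines():
        path = line.split(":", 2)[-1]  # line format is hierarchy-ID:controllers:path
        ids = _CONTAINER_ID.findall(path)
        if ids:
            return ids[-1]  # innermost ID when cgroups are nested
    return None

def attribute(pid):
    """Map a PID seen by the probe to a container ID; None if it is a host process or has exited."""
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            return container_id_from_cgroup(f.read())
    except OSError:  # short-lived process exited before we could read /proc
        return None

def main():
    from bcc import BPF  # assumption: bcc is installed and this runs as root on the node
    b = BPF(text=BPF_PROGRAM)

    def on_event(cpu, data, size):
        e = b["events"].event(data)
        print(e.pid, e.cgroup_id, e.comm.decode(errors="replace"), attribute(e.pid) or "host")

    b["events"].open_perf_buffer(on_event)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    main()
```

The `/proc` lookup is racy for short-lived processes, which is why the probe also records the cgroup ID in the kernel at the moment of the event.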

The state of eBPF for container monitoring

If eBPF is such a great container monitoring solution, why isn't everyone already using it?

The likely reason is that eBPF is still relatively new, and was not mature at the time containers came into widespread use about five years ago. For this reason, most existing container monitoring tools are designed to use the sidecar pattern, rather than taking advantage of eBPF.

But this is already changing. Tools like Cilium are already using eBPF to improve efficiency and increase visibility. Plenty of observability vendors – like VMware, Splunk and New Relic, just to name a few – are also talking about the potential of eBPF.

So, if you are tired of settling for container monitoring methods that starve your applications of resources and are difficult to manage, a better world is coming. eBPF is poised to revolutionize (among other things) the way we monitor containers.

About the author

Christopher Tozzi is a technical analyst with substantive expertise in cloud computing, application development, open source software, virtualization, containers, and more. He also lectures at a major university in the Albany, New York area. His book, For Fun and for Profit: A History of the Free and Open Source Software Revolution, is published by MIT Press.
