Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bringing the Power of eBPF to Open vSwitch

Published byJack Miles Modified over 5 years ago

Similar presentations

Presentation on theme: "Bringing the Power of eBPF to Open vSwitch"— Presentation transcript:

1 Bringing the Power of eBPF to Open vSwitch
Linux Plumber 2018 William Tu, Joe Stringer, Yifeng Sun, Yi-Hung Wei VMware Inc. and Cilium.io

2 Outline Introduction and Motivation OVS-eBPF Project
OVS-AF_XDP Project Conclusion

3 What is OVS? ovs-vswitchd Slow Path Fast Path Datapath
SDN Controller OpenFlow ovs-vswitchd Slow Path This is how the existing kernel work, then next slide this is how the bpf program work Ovs dp consists of three components, parse, lookup and actions previous approach Potential Benefits Extend new OVS features quickly Reduce the maintenance and compatibility issue Fast Path Datapath

4 OVS Linux Kernel Datapath
ovs-vswitchd socket Slow path in userspace Fast Path in Kernel IP/routing OVS Kernel module Device RX Hook This is how the existing kernel work, then next slide this is how the bpf program work Ovs dp consists of three components, parse, lookup and actions previous approach Potential Benefits Extend new OVS features quickly Reduce the maintenance and compatibility issue driver Hardware

5 OVS-eBPF

6 OVS-eBPF Motivation Maintenance cost when adding a new datapath feature: Time to upstream and time to backport Maintain ABI compatibility between different kernel and OVS versions. Different backported kernel, ex: RHEL, grsecurity patch Bugs in compat code are easy to introduce and often non-obvious to fix Implement datapath functionalities in eBPF Reduce dependencies on different kernel versions More opportunities for experiements With eBPF, both userspace version and eBPF programs to be loaded into kernel. --- How can we leverage eBPF in OVS? Match the kernel version with features with OVS versions Add application specific functions without worrying kernel ABI Extend OVS features more quickly Reduce maintenance and compatibility issue

7 What is eBPF? A way to write a restricted C program and runs in Linux kernel A virtual machine running in Linux kernel Safety guaranteed by BPF verifier Maps Efficient key/value store resides in kernel space Can be shared between eBPF prorgam and user space applications Helper Functions A core kernel defined set of functions for eBPF program to retrieve/push data from/to the kernel Helper functions are a concept that lets eBPF programs con- sult a core kernel defined set of function calls in order to re- trieve/push data from/to the kernel. Available helper func- tions may differ for each eBPF program type,

8 OVS-eBPF Project Goal Re-write OVS kernel datapath entirely with eBPF
ovs-vswitchd Goal Re-write OVS kernel datapath entirely with eBPF ovs-vswitchd controls and manages the eBPF DP eBPF map as channels in between eBPF DP will be specific to ovs-vswitchd Slow path in userspace eBPF maps Fast Path in Kernel IP/routing eBPF Datapath TC hook Previous approach introducing BPF_ACTION Tc is a Kernel packet queuing subsystem, provide QoS …. Ovs-vswitch creates map, load ebpf programs, etc Parse Lookup Actions driver Hardware

9 Headers/Metadata Parsing
Define a flow key similar to struct sw_flow_key in kernel Parse protocols on packet data Parse metadata on struct __sk_buff Save flow key in per-cpu eBPF map Difficulties Stack is heavily used Program is very branchy No longer stick to kernel ABI Start by writing our own parser but it’s pretty standard and should reuse existing code Pretty standard and can be reused Extra md: linux skb specific, not defined in P4

10 Review: Flow Lookup in Kernel Datapath
Slow Path Ingress: lookup miss and upcall ovs-vswitchd receives, does flow translation, and programs flow entry into flow table in OVS kernel module OVS kernel DP installs the flow entry OVS kernel DP receives and executes actions on the packet Fast Path Subsequent packets hit the flow cache ovs-vswitchd 2. miss upcall (netlink) 3. flow installation (netlink) Flow Table (emc + megaflow) When a packet arrives on a vport, the kernel module processes it by extracting its flow key and looking it up in the flow table. If there is a matching flow, it executes the associated actions. If there is no match, it queues the packet to userspace for processing (as part of its processing, userspace will likely set up a flow to handle further packets of the same type entirely in-kernel). Parser will walk through the protocol headers, create hash, and lookup eBPF hash map eBPF comes with a fast and efficient way of messaing using perf ring buffer Parser 4. actions 1. Ingress

11 Flow Lookup in eBPF Datapath
Slow Path Ingress: lookup miss and upcall Perf ring buffer carries packet and its metadata to ovs-vswitchd ovs-vswitchd receives, does flow translation, and programs flow entry into eBPF map ovs-vswitchd sends the packet down to trigger lookup again Fast Path Subsequent packets hit the flow cache ovs-vswitchd 2. miss upcall (perf ring buf) 3. flow installation (TLV -> fixed array -> eBPF map) Flow Table (eBPF hash map) Avoid forward and backward flow key compatibility issue Parser will walk through the protocol headers, create hash, and lookup eBPF hash map eBPF comes with a fast and efficient way of messaing using perf ring buffer Network protocols evolve over time. New protocols become important and existing protocols it must be possible for newer versions to parse additional protocols as part of the flow key. It might even be desirable, someday, to drop support for parsing protocols that have become obsolete.  Probably framing it more like "existing datapath uses TLVs for matches and TLVs for actions. In eBPF, we can get rid of the TLV-formatted matches and use fixed binary views of the flow since we don't need to handle different versions of kernel vs. userspace.. But for actions they are logically a list so we need something list-like or array-like. The challenge is that eBPF makes it difficult to validate/verify TLVs. The solution we're using is just to expand the actions out to a fixed length array. This works for now, but may be an area for improvement in future.". Parser 4. actions 1. Ingress Limitation on flow installation: TLV format currently not supported in BPF verifier Solution: Convert TLV into fixed length array

12 Review: OVS Kernel Datapath Actions
A list of actions to execute on the packet Example cases of DP actions Flooding: Datapath actions= output:9,output:5,output:10,… Mirror and push vlan: Datapath actions= output:3,push_vlan(vid=17,pcp=0),output:2 Tunnel: Datapath actions: set(tunnel(tun_id=0x5,src= ,dst= ,ttl=64,flags(df|key))),output:1 FlowTable Act1 Act2 Act3 Datapath actions: 9,55,10,55,66,11,77,88,9,1 Datapath actions: set(ipv4(ttl=1)),2,4 [Datapath actions: 3,push_vlan(vid=17,pcp=0),2 set(tunnel(tun_id=0x5,src= ,dst= ,ttl=64,flags(df|key))),1 Datapath actions: 10,set(ipv4(src= )),11,set(ipv4(src= )),13 Datapath actions: set(ipv4(src= )),10,set(ipv4(src= )),11 Datapath actions: trunc(100),3,push_vlan(vid=17,pcp=0),2

13 eBPF Datapath Actions A list of actions to execute on the packet
Challenges Limited eBPF program size (maximum 4K instructions) Variable number of actions: BPF disallows loops to ensure program termination Solution: Make each action type an eBPF program, and tail call the next action Side effects: tail call has limited context and does not return Solution: keep action metadata and action list in a map FlowTable Map lookup eBPF Act1 Tail Call Map lookup eBPF Act2 Tail Call The verifier also disallows any program containing loops, thus ensuring that all programs will terminate.

14 Performance Evaluation
14.88Mpps br0 sender 16-core Intel Xeon E GHz 32GB memory DPDK packet generator BPF eth0 eth1 Intel X3540-AT2 Dual port 10G NIC + eBPF Datapath Ingress Egress Sender sends 64Byte, 14.88Mpps to one port, measure the receiving packet rate at the other port OVS receives packets from one port, forwards to the other port Compare OVS kernel datapath and eBPF datapath Measure single flow, single core performance with Linux kernel 4.9-rc3 on OVS server Compare Linux kernel 4.9-rc3

15 OVS Kernel and eBPF Datapath Performance
OVS Kernel DP Actions Mpps Output 1.34 Set dst_mac 1.23 Set GRE tunnel 0.57 eBPF DP Actions Mpps Redirect(no parser, lookup, actions) 1.90 Output 1.12 Set dst_mac 1.14 Set GRE tunnel 0.48 The goal is not the absolute number This is single flow core and single core We could scale At this stage Not comparable with other people’s other how the bpf architecture the way that af Distribute over multiple cores Get an how the bpf arch fits the way we design This is not mean to show the raw performance of OVS, but to show relative performance of eBPF compare current OVS Relative speaking the overhead involved All measurements are based on single flow, single core.

16 Conclusion and Future Work
Features Megaflow support and basic conntrack in progress Packet (de)fragmentation and ALG under discussion Lesson Learned Writing large eBPF code is still hard for experienced C programmers Lack of debugging tools OVS datapath logic is difficult Not clear whether there is performance head

17 OVS-AF_XDP

18 OVS-AF_XDP Motivation
Pushing all OVS datapath features into eBPF is hard A large flow key on stack Variety of protocols and actions Dynamic number of actions applied for each flow Idea Retrieve packets from kernel as fast as possible Reuse the userspace datapath for flow processing Less kernel compatibility than OVS kernel module ushing the complete OVS datapath logic into the kernel is difficult due to how generic the OVS kernel module is (with respect to a flow-based model that supports a wide variety of protocols and actions to perform on a packet), so perhaps a better path is to instead attempt to retrieve packets from the kernel even earlier than today, then reuse the userspace datapath to implement forwarding. The use

19 OVS Userspace Datapath (dpif-netdev)
SDN Controller ovs-vswitchd Both slow and fast path in userspace This is how the existing kernel work, then next slide this is how the bpf program work Ovs dp consists of three components, parse, lookup and actions previous approach Potential Benefits Extend new OVS features quickly Reduce the maintenance and compatibility issue Userspace Datapath DPDK library Hardware

20 XDP and AF_XDP XDP: eXpress Data path AF_XDP:
An eBPF hook point at the network device driver level AF_XDP: A new socket type that receives/sends raw frames with high speed Use XDP program to trigger receive Userspace program manages Rx/Tx ring and Fill/Completion ring. Zero Copy from DMA buffer to user space memory, umem From “DPDK PMD for AF_XDP”

21 OVS-AF_XDP Project Goal
ovs-vswitchd Goal Use AF_XDP socket as a fast channel to usersapce OVS datapath Flow processing happens in userspace User space Userspace Datapath AF_XDP socket Network Stacks Previous approach introducing BPF_ACTION Tc is a Kernel packet queuing subsystem, provide QoS …. Ovs-vswitch creates map, load ebpf programs, etc Kernel Driver + XDP Hardware

22 AF_XDP umem and rings Introduction
umem memory region: multiple 2KB chunk elements 2KB Descriptors pointing to umem elements Receive Users receives packets For kernel to receive packets Rx Ring desc Fill Ring Transmit Users sends packets For kernel to signal send complete Tx Ring Completion Ring One Rx/Tx pair per AF_XDP socket One Fill/Comp. pair per umem region

23 OVS-AF_XDP: Packet Reception (0)
umem consisting of 8 elements Umem mempool = {1, 2, 3, 4, 5, 6, 7, 8} addr: Fill Ring Rx Ring

24 OVS-AF_XDP: Packet Reception (1)
umem consisting of 8 elements Umem mempool = {5, 6, 7, 8} X addr: X: elem in use GET four elements, program to Fill ring Fill Ring 1 2 3 4 Rx Ring

25 OVS-AFXDP: Packet Reception (2)
umem consisting of 8 elements Umem mempool = {5, 6, 7, 8} X addr: X: elem in use Kernel receives four packets Put them into the four umem chunks Transition to Rx ring for users Fill Ring Rx Ring 1 2 3 4

26 OVS-AFXDP: Packet Reception (3)
umem consisting of 8 elements Umem mempool = {} X addr: X: elem in use GET four elements Program Fill ring Fill Ring 5 6 7 8 (so kernel can keeps receiving packets) Rx Ring 1 2 3 4

27 OVS-AFXDP: Packet Reception (4)
umem consisting of 8 elements Umem mempool = {} X addr: X: elem in use OVS userspace processes packets on Rx ring Fill Ring 5 6 7 8 Rx Ring 1 2 3 4

28 OVS-AFXDP: Packet Reception (5)
umem consisting of 8 elements Umem mempool = {1, 2, 3, 4} X addr: X: elem in use OVS userspace finishes packet processing and recycle to umempool Back to state (1) Fill Ring 5 6 7 8 Rx Ring

29 OVS-AFXDP: Packet Transmission (0)
umem consisting of 8 elements Umem mempool = {1, 2, 3, 4, 5, 6, 7, 8} addr: X: elem in use OVS userspace has four packets to send Tx Ring Completion Ring

30 OVS-AFXDP: Packet Transmission (1)
umem consisting of 8 elements Umem mempool = {5, 6, 7, 8} X addr: X: elem in use GET fours element from umem Copy packets content Place in Tx ring Tx Ring 1 2 3 4 Completion Ring

31 OVS-AFXDP: Packet Transmission (2)
umem consisting of 8 elements Umem mempool = {5, 6, 7, 8} X addr: X: elem in use Issue sendmsg() syscall Kernel tries to send packets on Tx ring Tx Ring 1 2 3 4 Completion Ring

32 OVS-AFXDP: Packet Transmission (3)
umem consisting of 8 elements Umem mempool = {5, 6, 7, 8} X addr: X: elem in use Kernel finishes sending Transition the four elements to Completion Ring for users Tx Ring Completion Ring 1 2 3 4

33 OVS-AFXDP: Packet Transmission (4)
umem consisting of 8 elements Umem mempool = {1, 2, 3, 4, 5, 6, 7, 8} addr: X: elem in use OVS knows send operation is done Recycle/PUT the four elements back to umempool Tx Ring Completion Ring

34 Optimizations OVS pmd (Poll-Mode Driver) netdev for rx/tx
Before: call poll() syscall and wait for new I/O After: dedicated thread to busy polling the Rx ring UMEM memory pool Fast data structure to GET and PUT umem elements Packet metadata allocation Before: allocate md when receives packets After: pre-allocate md and initialize it Batching sendmsg system call

35 Umempool Design umempool keeps track of available umem elements
GET: take out N umem elements PUT: put back N umem elements Every ring access need to call umem element GET/PUT Three designs: LILO-List_head: embed in umem buffer, linked by a list_head, push/pop style FIFO-ptr_ring: a pointer ring with head and tail pointer LIFO-ptr_array: a pointer array and push/pop style access

36 LIFO-ptr_array Design
top ptr_array X X X X X X X X X X X X X Multiple 2K umem chunk memory region Idea: Each ptr_array element contains a umem address Producer: PUT elements on top and top++ Consumer: GET elements from top and top--

37 Packet Metadata Allocation
Every packets in OVS needs metadata: struct dp_packet Initialize the packet data independent fields Two designs: Embedding in umem packet buffer: Reserve first 256-byte for struct dp_packet Similar to DPDK mbuf design Separate from umem packet buffer: Allocate an array of struct dp_packet Similar to skb_array design Packet metadata Packet data

38 Packet Metadata Allocation Embedding in umem packet buffer
Each 2K has: Multiple 2K umem chunk memory region Packet metadata umem buffer

39 Packet Metadata Allocation Separate from umem packet buffer
Packet metadata in another memory region One-to-one maps to umem Multiple 2K umem chunk memory region

40 Performance Evaluation
19Mpps br0 sender 16-core Intel Xeon E GHz 32GB memory DPDK packet generator eth0 Netronome NFP-4000 Intel XL710 40GbE + AFXDP Userspace Datapath ingress Egress Sender sends 64Byte, 19Mpps to one port, measure the receiving packet rate at the other port Measure single flow, single core performance with Linux kernel 4.19-rc3 and OVS 2.9 Enable AF_XDP Zero Copy mode Compare Linux kernel 4.9-rc3

41 Performance Evaluation
Experiments OVS-AFXDP rxdrop: parse, lookup, and action = drop L2fwd: parse, lookup, and action = set_mac, output to the received port XDPSOCK: AF_XDP benchmark tool rxdrop/l2fwd: simply drop/fwd without touching packets LIFO-ptr_array + separate md allocation shows the best Results Not clear whether there is performance head XDPSOCK OVS-AFXDP rxdrop 19Mpps l2fwd 17Mpps 14Mpps

42 Conclusion and Discussion
Future Work Follow up new kernel AF_XDP’s optimizations Try virtual devices vhost/virtio with VM-to-VM traffic Bring feature parity between userspace and kernel datapath Discussion Usage model: # of XSK, # of queue, # of pmd/non-pmd Comparison with DPDK in terms of deployment difficulty Not clear whether there is performance head

43 Dislike? Like? Question? Thank You

44 Batching sendmsg syscall
Place a batch of 32 packets on TX ring, issue send syscall Design 1 Check this 32 packets on completion ring, then recycle If not, keep issuing send Design 2 Check any 32 packets on completion ring, then recycle Design 3 Issue sendmsg syscall

Download ppt "Bringing the Power of eBPF to Open vSwitch"

Similar presentations

Part IV: Memory Management

Part IV: Memory Management
ECE 526 – Network Processing Systems Design Software-based Protocol Processing Chapter 7: D. E. Comer.

ECE 526 – Network Processing Systems Design Software-based Protocol Processing Chapter 7: D. E. Comer.
Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.

Contiki A Lightweight and Flexible Operating System for Tiny Networked Sensors Presented by: Jeremy Schiff.
Memory Management (II)

Memory Management (II)
Chapter 13: I/O Systems I/O Hardware Application I/O Interface

Chapter 13: I/O Systems I/O Hardware Application I/O Interface
FreeBSD Network Stack Performance Srinivas Krishnan University of North Carolina at Chapel Hill.

FreeBSD Network Stack Performance Srinivas Krishnan University of North Carolina at Chapel Hill.
Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.

Hash, Don’t Cache: Fast Packet Forwarding for Enterprise Edge Routers Minlan Yu Princeton University Joint work with Jennifer.
MIDeA :A Multi-Parallel Instrusion Detection Architecture Author: Giorgos Vasiliadis, Michalis Polychronakis,Sotiris Ioannidis Publisher: CCS’11, October.

MIDeA :A Multi-Parallel Instrusion Detection Architecture Author: Giorgos Vasiliadis, Michalis Polychronakis,Sotiris Ioannidis Publisher: CCS’11, October.
1-1 Embedded Network Interface (ENI) API Concepts Shared RAM vs. FIFO modes ENI API’s.

1-1 Embedded Network Interface (ENI) API Concepts Shared RAM vs. FIFO modes ENI API’s.
Chapter 8 – Main Memory (Pgs 315 - 350). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.

Chapter 8 – Main Memory (Pgs ). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.
Srihari Makineni & Ravi Iyer Communications Technology Lab

Srihari Makineni & Ravi Iyer Communications Technology Lab
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Virtual Memory Hardware.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto Virtual Memory Hardware.
LRPC Firefly RPC, Lightweight RPC, Winsock Direct and VIA.

LRPC Firefly RPC, Lightweight RPC, Winsock Direct and VIA.
Introduction to Operating Systems Concepts

Introduction to Operating Systems Concepts
Chapter 13: I/O Systems.

Chapter 13: I/O Systems.
ODP-VPP Integration updates

ODP-VPP Integration updates
New Approach to OVS Datapath Performance

New Approach to OVS Datapath Performance
Introduction to Kernel

Introduction to Kernel
Kernel Design & Implementation

Kernel Design & Implementation
Non Contiguous Memory Allocation

Non Contiguous Memory Allocation

Similar presentations

Ads by Google