openservicemesh / osm

Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.
https://openservicemesh.io/
Apache License 2.0

feat: eBPF based traffic interception method #5314

Closed reaver-flomesh closed 1 year ago

reaver-flomesh commented 1 year ago

Description:

Add an eBPF-based traffic interception method. We have added eBPF interception functionality to the OSM fork osm-edge and are contributing those changes upstream. This PR comes with complete code changes along with the eBPF code, and provides an installation flag that lets the end user enable this functionality. The traffic interception mode can be set during installation by setting osm.trafficInterceptionMode to any of:

  1. iptables - default settings
  2. ebpf - Use eBPF as an interception method
  3. none - Disable interception

Testing done:

This PR comes with unit tests, but for a complete working E2E demo, one can follow the steps below to install and test this functionality.

Prerequisites:

This assumes you are testing on a Debian-based system; if you are on a different OS, make sure to set the arch variable accordingly.

# Detect OS and CPU architecture to pick the matching release tarball
system=$(uname -s | tr '[:upper:]' '[:lower:]')
arch=$(dpkg --print-architecture)
release=v1.0.0-ebpf-rc.1
curl -L "https://github.com/flomesh-io/osm/releases/download/${release}/osm-${release}-${system}-${arch}.tar.gz" | tar -vxzf -
"./${system}-${arch}/osm" version
sudo cp "./${system}-${arch}/osm" /usr/local/bin/

# Install the mesh with eBPF traffic interception enabled
export osm_namespace=osm-system
export osm_mesh_name=osm
osm install \
    --mesh-name "$osm_mesh_name" \
    --osm-namespace "$osm_namespace" \
    --set=osm.image.registry=flomesh \
    --set=osm.image.tag=1.0.0-ebpf-rc.1 \
    --set=osm.image.pullPolicy=Always \
    --set=osm.enablePermissiveTrafficPolicy=true \
    --set=osm.envoyLogLevel=debug \
    --set=osm.controllerLogLevel=debug \
    --set=osm.trafficInterceptionMode=ebpf \
    --set=osm.osmInterceptor.kernelTracing=true \
    --set=osm.osmInterceptor.cniMode=true \
    --timeout=900s --verbose

Affected area:

Functional Area
New Functionality [x]
CI System [ ]
CLI Tool [ ]
Certificate Management [ ]
Control Plane [ ]
Demo [ ]
Documentation [ ]
Egress [ ]
Ingress [ ]
Install [ ]
Networking [x]
Observability [ ]
Performance [ ]
SMI Policy [ ]
Security [ ]
Sidecar Injection [ ]
Tests [ ]
Upgrade [ ]
Other [ ]

Please answer the following questions with yes/no.

  1. Does this change contain code from or inspired by another project? Yes

    • Did you notify the maintainers and provide attribution? Yes
  2. Is this a breaking change? No

  3. Has documentation corresponding to this change been updated in the osm-docs repo (if applicable)? N/A

github-actions[bot] commented 1 year ago

This PR will be closed due to a long period of inactivity. If you would like this PR to remain open then please comment or update.

github-actions[bot] commented 1 year ago

PR closed due to inactivity.