Linux kernel holds key for advanced container networking

The experimental open source Cilium project uses an existing Linux kernel feature to provide containers with fast, powerful networking


Networking has always been one of the most persistent headaches when working with containers. Even Kubernetes—fast becoming the technology of choice for container orchestration—has limitations in how it implements networking. Tricky stuff like network security is, well, even trickier.

Now an open source project named Cilium, which is partly sponsored by Google, is attempting to provide a new networking methodology for containers based on technology used in the Linux kernel. Its goal is to give containers better network security and a simpler model for networking.

Networking the BPF way

Traditional Linux network security mechanisms such as iptables make their decisions on addresses, protocols, and ports, that is, at layers 3 and 4 of the OSI model. They have no notion of application protocols such as HTTP: an iptables rule can allow or block a connection to TCP port 80, but it cannot tell a GET on one path from a DELETE on another.

Cilium uses the Linux kernel's Berkeley Packet Filter (BPF) technology to enforce network security policies for Docker containers or Kubernetes pods at both the network layer and the HTTP layer. The layer 3 and 4 decisions are made in the kernel by BPF programs; HTTP-level rules are enforced by having those BPF programs transparently redirect the matching flows to a user-space proxy that Cilium manages.

Classic BPF has been in the Linux kernel since the 2.x series as a packet filter attached to sockets. The extended BPF (eBPF) that Cilium builds on arrived in Linux 3.18 and lets small programs be loaded into the kernel and attached to hooks for network filtering, performance analysis, and tracing. Before a program is loaded, the kernel's verifier checks that it terminates and cannot read or write memory outside what the hook permits, which is what makes running this kind of user-supplied code in the kernel tolerable from a security standpoint.

According to the documentation in Cilium's GitHub repo, Cilium works by generating kernel-level BPF programs for each container. Rather than create overlay networks for containers, Cilium assigns each container an IPv6 address (and optionally an IPv4 address as well) and enforces isolation from the container's labels, which it maps to a security identity, rather than from IP-based routing or firewall rules. It also includes integrations for orchestration systems so that Cilium policies are created and enforced as workloads come and go.
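As an added illustration, not taken from the article or from the Cilium repository, the policy below shows what label-based isolation combined with an HTTP-level rule looks like. It uses the CiliumNetworkPolicy custom resource format (cilium.io/v2) that Cilium later standardized on for Kubernetes; the version of Cilium discussed here used an earlier JSON policy format, so the exact syntax is a later assumption. The label names app=backend and app=frontend and the path prefix /api/v1/ are made up for the example. The policy selects backend pods by label, admits ingress only from pods labelled as frontend, and further restricts that traffic to HTTP GET requests under /api/v1/, a distinction no iptables rule on port 80 can express.

```yaml
# Added example policy (assumed names and paths), not Cilium project code.
# Selects pods labelled app=backend and allows them to be reached only by
# pods labelled app=frontend, on TCP/80, and only for GET /api/v1/... requests.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: backend-allow-frontend-get   # assumed name
  namespace: default
spec:
  # Which endpoints this policy applies to (by label, not by IP).
  endpointSelector:
    matchLabels:
      app: backend
  ingress:
  # Layer 3: the source identity is derived from labels, not addresses.
  - fromEndpoints:
    - matchLabels:
        app: frontend
    # Layer 4: only TCP port 80 of the selected endpoints is reachable.
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      # Layer 7: of the traffic allowed above, permit only GET on /api/v1/...
      # Any other method or path is rejected by the proxy, not merely dropped.
      rules:
        http:
        - method: "GET"
          path: "/api/v1/.*"
```

Apply it with `kubectl apply -f` in a cluster running Cilium. Two practical caveats: once any policy selects an endpoint for ingress, that endpoint is default-deny for everything the policy does not allow, so the backend pods above become unreachable on every other port and from every other source; and the `http` block causes Cilium to route the selected flows through its user-space proxy, which costs more per request than a pure layer 3/4 rule, so keep HTTP rules to the endpoints that actually need them.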

Two big reasons Cilium uses BPF are speed and convenience. When the kernel's BPF JIT is enabled (the net.core.bpf_jit_enable sysctl), BPF programs are compiled to native machine code, so they run as fast as any other kernel code; without the JIT they run in the kernel's BPF interpreter. Changing the BPF programs Cilium uses does not require a reboot or even a container restart, because a new program can be loaded and swapped in for the old one while traffic flows. Cilium's creators also claim the programs are specialized on a per-container basis, so "a feature that a particular container does not need can just be compiled out."

Experimental and maybe eventually essential

A potential issue with Cilium is that it requires a very recent Linux kernel (4.8.0 or later, with 4.9.17 recommended) as well as LLVM 3.7.1 or later to compile the BPF programs. That said, because Cilium's data path consists of BPF programs it generates itself rather than fixed kernel code, its feature set is not tied to what a given kernel version ships. The project's documentation gives as examples "the addition of additional statistics not provided by the Linux kernel" and "additional forwarding logic."

Cilium is an experimental approach to container networking, but there is still plenty of room for multiple approaches, even at this point in Docker's evolution. Docker's original networking model was clunky and hard to manage, so the company acquired SocketPlane and used its software-defined networking work as the basis of the multi-host networking that shipped in Docker 1.9. That networking comes with Docker by default, but it sits behind Docker's network driver plugin interface, so in principle it can be swapped out for other networking products that implement the same API.

Cilium's strength is that it is built along the same lines as containers themselves, out of existing Linux kernel technologies; Docker-style containers are essentially a repackaging of namespace and cgroup capabilities that have long existed in the kernel. Likewise, Cilium works with a kernel technology that has been in the wild for some time, has a well-understood set of use cases, and operates at the same level of the kernel as the containers it secures.