container being moved with other containers

How eBPF will revolutionize container monitoring

Since the advent of Docker and Kubernetes nearly a decade ago, one of the main drawbacks of containers has been the difficulty of monitoring them. The ephemeral nature of containers, combined with their abstraction from the servers hosting them, has made it difficult to effectively and efficiently collect container monitoring data.

Fortunately, there is a promising new technology that offers a solution to the container monitoring conundrum. It’s called eGMPand there’s a good chance it will upend conventional approaches to monitoring Docker and Kubernetes workloads.

Container Monitoring: The Traditional Approach

Traditionally, developers and IT engineers who wanted to monitor containers faced a number of challenges:

  • A single application may consist of dozens or even hundreds of individual containers. Each container must be monitored separately, which increases the work required to deploy monitoring agents and collect the necessary data from each container.
  • Data stored inside containers disappears when containers shut down, and it’s often impossible to predict exactly when a container might shut down. For this reason, you cannot periodically retrieve monitoring data. You need a way to collect it from each container in real time.
  • Because containers are abstracted from the operating system of the servers hosting them, and they can move between servers, host-based monitoring approaches don’t work well. You can’t easily run an agent on every server and use it to monitor all of your containers.

There are different ways to solve these problems, but the most popular is to use what has come to be known as the sidecar pattern to deploy container monitoring agents. As part of the sidecar model, monitoring agents run in special containers, which run alongside the containers they are monitoring. This approach is more efficient than trying to deploy monitoring agents on the host. It also eliminates the need to expose monitoring data directly in an application’s logic, which would require complex source code changes.

However, the sidecar model has a major drawback: it does not use resources very efficiently. Having to deploy a sidecar container next to every container that hosts your actual workload means you end up running a lot more containers. Since all of these additional containers require CPU and memory resources, they leave fewer resources available for your core workloads.

A better approach to container monitoring: eBPF

eBPF offers a way to square the circle by monitoring every container without high resource consumption.

Introduced in 2015eBPF is a Linux feature that allows programs to be run directly in the Linux kernel, instead of running them in “user space”, where they don’t have direct access to kernel resources.

Because they run in the kernel, eBPF programs consume minimal resources. They also have access to data produced by any process running on the server on which they operate.

If you want to monitor containers, then you can write an eBPF program that intercepts the processes associated with each container and uses it to collect monitoring data. You would end up with a much less resource-intensive surveillance solution than traditional sidecar containers.

At the same time, you wouldn’t have to compromise on the amount of data you could collect for monitoring purposes. Virtually all the information you want about the status and performance of each container is available through the kernel.

Even deployment and management are easier with an eBPF-based monitoring approach. Instead of having to deploy and orchestrate a bunch of sidecar containers, you can simply run an eBPF program on each node in your cluster.

eBPF status for container monitoring

If eBPF is such a great solution for container monitoring, why isn’t everyone already using it?

The likely reason is that eBPF is still relatively new and was not mature when containers became widely used about five years ago. For this reason, most existing container monitoring tools were designed to use a sidecar model, instead of leveraging eBPF.

But that is already changing. tools like the eyelash are already using eBPF to gain efficiency and visibility. Many observability providers – like vmware, Splunk, and New relicto name a few – also talk about the potential of eBPF.

So if you’re tired of settling for container monitoring approaches that starve your applications or resources and are difficult to manage, a better world is coming. eBPF is about to revolutionize (among other things) the way we monitor containers.

About the Author

Portrait of Christopher TozziChristopher Tozzi is a technology analyst specializing in cloud computing, application development, open source software, virtualization, containers, and more. He also teaches at a major university in the Albany, New York area. His book, “For Fun and Profit: A History of the Free and Open Source Software Revolution”, was published by MIT Press.

#eBPF #revolutionize #container #monitoring

Leave a Comment

Your email address will not be published. Required fields are marked *