Cilium v1.10 Documentation
Considerations Linux Kernel Required Kernel Versions for Advanced Features Key-Value store clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types path /public/.*. Deny all other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be
0 credits | 1307 pages | 19.26 MB | 1 year ago

Cilium v1.11 Documentation
Considerations Linux Kernel Required Kernel Versions for Advanced Features Key-Value store clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types path /public/.*. Deny all other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be
0 credits | 1373 pages | 19.37 MB | 1 year ago

Cilium v1.6 Documentation
Matrix Linux Kernel Advanced Features and Required Kernel Version Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Micro Versions path /public/.*. Deny all other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be 0 as described in the Kubernetes Docs [https://kubernetes.io/docs/tasks/tools/install-kubectl/]. 2. Install minikube >= v1.3.1 as per minikube documentation: Install Minikube [https://kubernetes.io
0 credits | 734 pages | 11.45 MB | 1 year ago

Cilium v1.7 Documentation
Matrix Linux Kernel Advanced Features and Required Kernel Version Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running pre-flight check (Required) Upgrading Cilium Step Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types path /public/.*. Deny all other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be
0 credits | 885 pages | 12.41 MB | 1 year ago

Cilium v1.8 Documentation
Matrix Linux Kernel Required Kernel Versions for Advanced Features Key-Value store clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program Types path /public/.*. Deny all other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be
0 credits | 1124 pages | 21.33 MB | 1 year ago

Cilium v1.9 Documentation
Matrix Linux Kernel Required Kernel Versions for Advanced Features Key-Value store clang+LLVM iproute2 Firewall Rules Mounted eBPF filesystem Privileges Upgrade Guide Running pre-flight check (Required) Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous Program path /public/.*. Deny all other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to be
0 credits | 1263 pages | 18.62 MB | 1 year ago

Cilium v1.5 Documentation
Requirements Summary Linux Distribution Compatibility Matrix Linux Kernel Key-Value store clang+LLVM iproute2 Firewall Rules Privileges Upgrade Guide Running a pre-flight DaemonSet Upgrading Micro Versions Upgrading /public/.*. Deny all other requests. Allow service1 to produce on Kafka topic topic1 and service2 to consume on topic1. Reject all other Kafka messages. Require the HTTP header X-Token: [0-9]+ to coredns-86c58d9df4-4g7dd 0/1 ContainerCreating 0 coredns-86c58d9df4-4l6b2 0/1 ContainerCreating 0 It may take a couple of minutes for the etcd-operator
0 credits | 740 pages | 12.52 MB | 1 year ago

Cilium's Network Acceleration Secrets
FORWARD mangle POSTROUTING nat POSTROUTING tc egress veth pod 2 veth process kernel < 5.10 tailCall-> to-container: redirect kernel >= 5.10 redirect_peer Fast forwarding between network interfaces, which can completely bypass processing by the kernel protocol stack. In one test scenario, the TCP performance of cross-node pod communication was even slightly higher than the TCP performance of application communication between nodes. worker node2 worker node1 pod1 process kernel network stack tc ingress kernel network stack netfilter eth0 tc ingress tc egress redirect_peer redirect_neigh kernel network stack netfilter pod2 process kernel network stack tc ingress kernel network stack netfilter tc egress veth veth
0 credits | 14 pages | 11.97 MB | 1 year ago

Containers and BPF: twagent story
cgroup, mount, pid and optionally: ipc, net, user, uts ● cgroup v2 ● ... other usual building blocks ... ● cgroup-bpf programs 2 Vast majority of twagent tasks have one or more cgroup-bpf features Convenient to have a unique IPv6 per twagent task (e.g. for QoS tagging) ● Many services don’t need full L2 isolation like that of netns and don’t want to pay for it ● TCP and UDP is enough Solution: ● Make Move TCP/UDP servers to task IP: ● bind(2): ctx.user_ip6 = task_ip Make TCP/UDP clients use task IP as source IP: ● connect(2): bpf_bind(task_ip) ● sendmsg(2): bpf_bind(task_ip) Handle TCP client A
0 credits | 9 pages | 427.42 KB | 1 year ago

Debugging Go in production using eBPF
iterations. func computeE(iterations int64) float64 { res := 2.0 fact := 1.0 for i := int64(2); i < iterations; i++ { fact *= float64(i) res += 1 / fact } return res } Let’s iterations. func computeE(iterations int64) float64 { res := 2.0 fact := 1.0 for i := int64(2); i < iterations; i++ { fact *= float64(i) res += 1 / fact } return res } What re-deploy. ○ This can be simple log statements, or ○ More comprehensive like Open tracing. Option 2: Debugger ○ GDB ○ Delve Option 3: Linux tracing utility ○ strace/ftrace ○ LTTng/USDT Option 4:
0 credits | 14 pages | 746.99 KB | 1 year ago
24 results in total