Linux kernel holds key for advanced container networking


Networking has always been  when working with containers. Even Kubernetes—fast becoming the technology of choice for container orchestration—has limitations in how it implements networking. Tricky stuff like network security is, well, even trickier.

Now an named , which is , is attempting to provide a new networking methodology for containers based on technology used in the Linux kernel. Its goal is to give containers better network security and a simpler model for networking.

Networking the BPF way

Network security mechanisms in Linux, such as iptables, typically only work at the network, packet, and address level—level 3 of the . Those mechanisms have no visibility into application-layer protocols like HTTP, so they cannot express a rule such as “allow GET but not POST on this path.”

Cilium uses Linux’s  (BPF) technology to enforce network security policies at both the network and HTTP layer for Docker containers or Kubernetes .


According to Cilium’s GitHub repo documentation, Cilium works by generating kernel-level BPF programs that work directly with containers. Rather than create overlay networks for containers, Cilium allows each container to be assigned an IPv6 address (or an IPv4 one on top of that) and uses container labels rather than network routing rules to enforce isolation between containers. It also includes integrations for orchestration systems to handle creating and enforcing Cilium policies.
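The label-based, HTTP-aware isolation described above looks like this in practice. The manifest below is an added example written for this article, not code taken from Cilium’s own documentation; it uses the `cilium.io/v2` CiliumNetworkPolicy resource (the current API, which postdates the version the article discusses), and the label values `app=api` and `role=frontend` and the path `/api/v1/` are assumed, not taken from the page. Note that the policy selects workloads by label only; no IP addresses or routes appear anywhere in it.

```yaml
# Added example (not from the article or the Cilium project).
# Selects pods carrying the label app=api and restricts who may reach them.
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: api-allow-frontend-readonly   # assumed name
spec:
  # Which containers this policy protects: chosen by label, not by address.
  endpointSelector:
    matchLabels:
      app: api                        # assumed label
  ingress:
    # Rule 1: L3/L4 plus L7. Only pods labelled role=frontend may talk to
    # TCP/80, and even then only HTTP GET requests under /api/v1/ are passed.
    - fromEndpoints:
        - matchLabels:
            role: frontend            # assumed label
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
          rules:
            http:
              - method: "GET"
                path: "^/api/v1/.*$"  # assumed path prefix
    # Rule 2: L3/L4 only, for comparison. This is the limit of what an
    # iptables-style rule can express: source identity and a port, but
    # nothing about what is sent over the connection.
    - fromEndpoints:
        - matchLabels:
            role: monitoring          # assumed label
      toPorts:
        - ports:
            - port: "9090"
              protocol: TCP
```

Once applied, a POST from a `role=frontend` pod to `/api/v1/users`, or any request from a pod without that label, is rejected even though both would pass a port-80 firewall rule. Because enforcement is by label, the policy keeps working when pods are rescheduled and receive new addresses, which is the operational point of dropping routing rules in favour of labels.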

Two big reasons Cilium uses BPF are speed and convenience. BPF programs are compiled to native machine code, so they run as fast as any other kernel code. Changes to BPF programs used by Cilium don’t require a reboot or even a container restart. Cilium’s creators also claim BPF programs are optimized on a per-container basis, so “a feature that a particular container does not need can just be compiled out.”

Experimental and maybe eventually essential

A potential issue with Cilium is that it requires a very recent Linux kernel—4.8.0 or later, with 4.9.17 recommended—as well as LLVM 3.7.1 or later. That said, Cilium’s feature set isn’t bound to any specific Linux version— for example, “the addition of additional statistics not provided by the Linux kernel” or “additional forwarding logic.”

 and added its OpenDaylight-like network fabric . That solution comes by default with Docker, but in theory it can be swapped out for other networking products that play nicely with the Docker APIs.

Cilium’s strength is that it’s built along the same lines as containers, using existing Linux kernel technologies; Docker-style containers are essentially a repackaging of capabilities that have long existed in the Linux kernel. Likewise, Cilium works with an existing technology that’s been in the wild for some time, has a well-understood set of use cases, and is as close to the container level in the kernel as the containers themselves.