Since the advent of Docker and Kubernetes about 10 years ago, one of the biggest drawbacks of containers has been that they are difficult to monitor. Collecting monitoring data from containers in an efficient and effective manner is difficult due to the ephemeral nature of containers and the abstraction of the servers hosting them.
Fortunately, there are promising new technologies that offer solutions to container monitoring conundrums. is called eBPFIt is likely to overturn traditional approaches to monitoring Docker and Kubernetes workloads.
Container Monitoring: The Traditional Approach
Traditionally, developers and IT engineers who want to monitor containers face a number of challenges:
- An application can consist of dozens or hundreds of individual containers. Each container must be monitored individually, increasing the work required to deploy monitoring agents and collect the required data from each container.
- Data stored inside a container disappears when the container exits, and it is often impossible to predict exactly when a container will exit. Therefore, monitoring data cannot be obtained periodically. I need a way to collect from all containers in real time.
- Host-based monitoring approaches don’t work well because containers are abstracted from the operating system of the server hosting them, and servers can be moved. You can’t easily run an agent on each server and use it to monitor all containers.
There are several ways to address these issues, but the most popular is to use what is known as the sidecar pattern for deploying container monitoring agents. In the sidecar pattern, the monitoring agent runs inside a special container that runs alongside the container it monitors. This approach is more effective than deploying monitoring agents on hosts. It also eliminates the need to expose monitoring data directly within the application’s logic, which would require complex changes to the source code.
However, the sidecar pattern has major drawbacks. It’s just that it’s not a very efficient use of resources. Having to deploy a sidecar container with each container hosting real workloads means you end up running more containers. Every additional container requires CPU and memory resources, leaving fewer resources available for the main workload.
A Better Approach to Container Monitoring: eBPF
eBPF provides a way to square this circle by monitoring each container without high resource consumption.
Introduced in 2015eBPF is a Linux feature that allows programs to run directly in the Linux kernel, as opposed to running programs in “userland”, which does not have direct access to kernel resources.
Because they run in the kernel, eBPF programs use minimal resources. They can also access data generated by any process running on the servers they operate.
To monitor containers, you can write an eBPF program that intercepts the processes associated with each container and uses it to collect monitoring data. You end up with a monitoring solution that uses far fewer resources than a traditional sidecar container.
At the same time, there is no need to compromise on the amount of data you can collect for monitoring purposes. Almost all the information you want about the health and performance of each container is available through the kernel.
An eBPF-based approach to monitoring also simplifies deployment and management. Instead of deploying and orchestrating many sidecar containers, you can simply run your eBPF program on each node in the cluster.
Status of eBPF for container monitoring
If eBPF is a great solution for container monitoring, why isn’t everyone already using it?
A possible reason is that eBPF is relatively new and immature when containers started becoming widely used about 5 years ago. That’s why most existing container monitoring tools are designed to use the sidecar pattern instead of leveraging eBPF.
But this is already changing. tools such as cilia We are already using eBPF to improve efficiency and increase visibility. Many observability vendors — e.g. vmware, Splunk, and New RelicI’m also talking about the potential of eBPF to give a few examples.
So, if you’re tired of being content with under-applied or resource-hungry, unmanageable container monitoring approaches, a better world is ahead. eBPF is poised to revolutionize the way we monitor containers, among other things.
About the authorChristopher Tozzi is a technology analyst with expertise in cloud computing, application development, open source software, virtualization, containers, and more. He also teaches at leading universities in the Albany, New York area. His book “For Fun and Profit: A History of the Free and Open Source Software Revolution” was published by MIT Press.