Is there anything stopping the ebpf agent from running outside of k8s?

[ewollesen]

I've been reading through the docs here and I'm wondering if the ebpf agent can be deployed without k8s?

I have a small edge router that I'd like to gather IPFIX data from. Is there any architectural reason I couldn't compile and run the agent locally, without k8s or the the k8s operator? Would this be an uphill battle at every step? Any gotchas to look out for?

PS- Apologies if there's a better place to ask this kind of question. I didn't see any information about an IRC channel / discord / mailing list, etc.

[jotak]

Hi @ewollesen

Yeah there should be nothing stopping from using it outside of k8s. A while ago, a contributor created a systemd unit example. It's not something we officially support (ie. we won't test actively), but I don't see a technical blocker for that. The agent itself is kube-agnostic. The Makefile has targets to build not containerized.

PS- Apologies if there's a better place to ask this kind of question. I didn't see any information about an IRC channel / discord / mailing list, etc.

No worries, this is fine (currently our public board is there: https://github.com/netobserv/network-observability-operator/discussions , despite being in the operator repo - we might create a more general one at some point)

[jotak]

(please let us know if you find issues while building - the dev team tends to use all a similar environment, so you might hit some)

[ewollesen]

Thanks @jotak !

Thanks for confirming, and for the systemd example, that will be useful.

I was able to build it no problem, but I haven't had any time to get much further yet. It seems to run, but I don't have a collector connected up to it yet to really know.

[jotak]

@ewollesen if you don't want to write your own collector you may use our flowlogs-pipeline and even start the agent with the "direct-FLP" mode (it's the same as running the agent + flowlogs-pipeline, except that flowlogs-pipeline doesn't run as a separate process but is directly run within the agent process)
flowlogs-pipeline can be useful as it has more exporting options, allows to define custom filtering/mapping rules, allows to generate prometheus or opentelemtry metrics out of flow logs, etc.

For a simple quick start with this, you can run:

export EXPORT="direct-flp"
export FLP_CONFIG='{"pipeline":[{"name": "writer","follows": "preset-ingester"}],"parameters":[{"name": "writer","write": {"type": "stdout","stdout": {"format":"json"}}}]}'
sudo -E bin/netobserv-ebpf-agent 

Your terminal should output logs like that:

{"AgentIP":"192.168.1.18","Bytes":568,"DnsErrno":0,"Dscp":0,"DstAddr":"192.168.1.18","DstMac":"...","DstPort":40596,"Duplicate":false,"Etype":2048,"Flags":16,"FlowDirection":0,"Interface":"enp0s20f0u2u1u2","Packets":1,"Proto":6,"SrcAddr":"...","SrcMac":"...","SrcPort":443,"TimeFlowEndMs":1709539879400,"TimeFlowStartMs":1709539879400,"TimeReceived":1709539884}
{"AgentIP":"192.168.1.18","Bytes":113,"DnsErrno":0,"Dscp":0,"DstAddr":"...","DstMac":"...","DstPort":51412,"Duplicate":false,"Etype":34525,"Flags":16,"FlowDirection":0,"Interface":"enp0s20f0u2u1u2","Packets":1,"Proto":6,"SrcAddr":"...","SrcMac":"...","SrcPort":443,"TimeFlowEndMs":1709539880887,"TimeFlowStartMs":1709539880887,"TimeReceived":1709539884}
etc.

[ewollesen]

@jotak thanks the additional resources, I appreciate it.

I have a collector that I've written myself now. It's up and running, and working well.

I'm curious to have a look through the flowlogs-pipeline code though, to see how it does a few things, I bet I can learn a trick or two.

Thanks again. :)