Sidecar eBPF flow exporter
Deploy a per-host sidecar (or host-level daemon set) that uses eBPF attached to TCP tracepoints to observe socket state changes. On socket close (and/or other transitions), emit a flow record with the pre-resolved local workload identity, remote IP + port, timestamps, and socket statistics.
Why a sidecar (not a kernel module)
- Safety. The eBPF verifier guarantees bounded runtime + memory.
- Cross-kernel portability. With CO-RE, the same bytecode runs on multiple kernel versions.
- Independent deploy. Updates ship via the sidecar image, not via kernel rebuilds.
- Observational scope. Tracepoints expose a stable ABI that survives kernel upgrades, unlike kprobes.
Why local identity resolution belongs in the sidecar
The host knows its own identity cheaply — from a boot-time cert (EC2) or from a per-container eBPF map populated at container launch (patterns/ebpf-map-for-local-attribution). Resolving the local side in the sidecar means every flow record arrives at the backend pre-tagged, reducing the backend's attribution problem to the remote side only.
This is the architectural split that unlocks heartbeat-derived IP ownership maps in the backend: because every flow from the sidecar is already a statement "this local IP was owned by this workload during [t_start, t_end]," the backend can accumulate heartbeats without a separate control-plane event stream.
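The following added example (not code from the source or from Netflix) shows how a backend can build time-ranged IP ownership purely from pre-tagged flow records and then resolve only the remote side. The `Flow` field names, the `OwnershipMap` class and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from typing import NamedTuple, Optional

class Flow(NamedTuple):          # hypothetical record shape, fields as listed in the pattern
    local_ip: str
    local_workload: str          # already resolved by the sidecar on the host
    remote_ip: str
    remote_port: int
    t_start: int                 # epoch seconds
    t_end: int

class OwnershipMap:
    """ip -> [(t_start, t_end, workload)], built only from flow-record heartbeats."""
    def __init__(self):
        self._ranges = defaultdict(list)

    def heartbeat(self, ip, workload, t_start, t_end):
        merged, kept = (t_start, t_end, workload), []
        for s, e, w in self._ranges[ip]:
            if w == workload and s <= merged[1] and merged[0] <= e:
                merged = (min(s, merged[0]), max(e, merged[1]), w)  # extend same owner
            else:
                kept.append((s, e, w))
        self._ranges[ip] = sorted(kept + [merged])

    def owner_during(self, ip, t_start, t_end) -> Optional[str]:
        owners = {w for s, e, w in self._ranges.get(ip, ())
                  if s <= t_end and t_start <= e}
        return owners.pop() if len(owners) == 1 else None  # unknown or ambiguous: no guess

def attribute(flows):
    omap = OwnershipMap()
    for f in flows:              # pass 1: each record asserts ownership of its local IP
        omap.heartbeat(f.local_ip, f.local_workload, f.t_start, f.t_end)
    return [(f.local_workload, omap.owner_during(f.remote_ip, f.t_start, f.t_end))
            for f in flows]      # pass 2: only the remote side still needs resolving

# Constructed sample: 10.0.0.2 is owned by "db", released, then reused by "cache".
SAMPLE = [
    Flow("10.0.0.1", "api",   "10.0.0.2", 5432,  100, 160),
    Flow("10.0.0.2", "db",    "10.0.0.1", 41000, 100, 160),
    Flow("10.0.0.2", "cache", "10.0.0.1", 42000, 500, 560),
    Flow("10.0.0.1", "api",   "10.0.0.2", 6379,  500, 560),
    Flow("10.0.0.1", "api",   "10.0.0.9", 80,    200, 210),  # no sidecar reports 10.0.0.9
    Flow("10.0.0.1", "api",   "10.0.0.2", 5432,  300, 310),  # falls in the reuse gap
]

if __name__ == "__main__":
    for pair in attribute(SAMPLE):
        print(pair)
```

The last two sample flows stay unattributed: the first targets an IP no sidecar has reported, and the second falls between the two owners of a reused IP, where a static IP-to-workload lookup would have misattributed it.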
Canonical instance
- systems/netflix-flowexporter — per-host sidecar on the Netflix AWS fleet; ~5M records/sec; 1-minute batch reporting; EC2 + Titus both supported; IPv6→IPv4 translation disambiguation via a second (IP, port) → workload eBPF map.
Related variants
- Scheduler tracepoint sibling: the same Netflix shop uses the same pattern shape (eBPF + kernel tracepoints + eBPF map + userspace agent) for run-queue-latency observation (sources/2024-09-11-netflix-noisy-neighbor-detection-with-ebpf).
- Pure-observability vs. attribution-first: many eBPF flow loggers (Hubble, Pixie) stop at emitting raw flow tuples; the attribution-first pattern bakes local identity resolution into the sidecar so downstream attribution is tractable.
Seen in
- sources/2025-04-08-netflix-how-netflix-accurately-attributes-ebpf-flow-logs — canonical wiki instance.