SYSTEM Cited by 1 source
Netflix IPMan¶
IPMan is Netflix's container IP address assignment service for the Titus container platform. It assigns and unassigns IPs for container workloads as they start and stop.
IPManAgent daemon¶
A daemon named IPManAgent runs on every Titus container host. Responsibilities:
- Assign an IP to each container at launch; release it at termination.
- Write the IP-address → workload-ID mapping into an eBPF map that FlowExporter's BPF programs can read at TCP-tracepoint time to attribute the socket's local IP to the owning workload identity.
Role in local attribution¶
A container host runs many workloads with different identities, so the socket-to-workload mapping must be queried per socket. IPMan's eBPF map is the load-bearing primitive that enables in-kernel local identity resolution without userspace round-trips on the hot path.
This is the canonical patterns/ebpf-map-for-local-attribution instance: a userspace control plane (IPManAgent) writes identity state; an in-kernel data plane (FlowExporter BPF) reads it on every socket event.
Interaction with NAT64-free IPv6→IPv4 translation¶
Netflix also runs a connect syscall hook that replaces IPv6-only container sockets with sockets using a shared host IPv4. Because multiple containers on a host share this IPv4, a second map, written by Titus at the connect interception, keys on (local IPv4, local port) → workload-ID to disambiguate. This map is distinct from IPMan's IP-only map but serves the same broader goal: keeping workload identity resolvable per-socket from in-kernel BPF.
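The two-map scheme above (IPMan's IP-keyed map plus the port-keyed map Titus writes on NAT'd connects) is easy to get wrong in the lookup order and in the handling of entries that were never written or have been released. The following is an added, userspace-only model of that resolution logic; it is not Netflix, IPMan or FlowExporter code, and the map key/value shapes, the method names and the sample addresses are assumptions constructed for illustration. Python dicts stand in for the eBPF maps.

```python
"""Toy model of per-socket local attribution with two maps.

Added example, not Netflix code. Key/value layouts, names and sample
addresses are assumptions; only the pattern (control plane writes,
data plane reads, port-keyed map disambiguates a shared IPv4) comes
from the page.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

UNATTRIBUTED = "unattributed"


@dataclass
class AttributionMaps:
    """Stand-ins for the two BPF maps read at TCP-tracepoint time."""

    # IPMan-style map: container local IP -> workload ID.
    ip_map: Dict[str, str] = field(default_factory=dict)
    # Titus-style map for NAT'd connects: (shared host IPv4, local port) -> workload ID.
    ip_port_map: Dict[Tuple[str, int], str] = field(default_factory=dict)

    # ---- control plane (what IPManAgent / Titus would write from userspace) ----
    def assign_ip(self, ip: str, workload_id: str) -> None:
        """Container launch: record the container's own IP."""
        self.ip_map[ip] = workload_id

    def release_ip(self, ip: str) -> None:
        """Container termination: drop the entry so a reused IP is not misattributed."""
        self.ip_map.pop(ip, None)

    def record_nat_connect(self, shared_ipv4: str, local_port: int, workload_id: str) -> None:
        """connect() interception: the port is the only thing unique to this workload."""
        self.ip_port_map[(shared_ipv4, local_port)] = workload_id

    def forget_nat_connect(self, shared_ipv4: str, local_port: int) -> None:
        """Socket close: remove the port entry before the port can be reused."""
        self.ip_port_map.pop((shared_ipv4, local_port), None)

    # ---- data plane (what the in-kernel BPF hook would do per socket event) ----
    def resolve(self, local_ip: str, local_port: int) -> str:
        """Resolve a socket's local endpoint to a workload ID.

        The port-keyed map is consulted first: a shared host IPv4 may belong
        to many workloads, so an IP-only hit on it would be ambiguous. The
        IP-only map is the fallback for containers that own their address.
        """
        workload = self.ip_port_map.get((local_ip, local_port))
        if workload is not None:
            return workload
        return self.ip_map.get(local_ip, UNATTRIBUTED)


def demo() -> Dict[str, str]:
    """Drive the maps through launch, NAT'd connects, release and close."""
    maps = AttributionMaps()
    host_v4 = "192.0.2.1"  # constructed shared host IPv4 (documentation range)

    # Control plane: per-container IPs assigned at launch.
    maps.assign_ip("2001:db8::10", "workload-A")   # IPv6-only container
    maps.assign_ip("10.0.0.11", "workload-B")      # container with its own IPv4

    # Control plane: NAT'd connects from two containers sharing host_v4.
    maps.record_nat_connect(host_v4, 40001, "workload-A")
    maps.record_nat_connect(host_v4, 40002, "workload-C")

    # Data plane: constructed socket events as (local IP, local port).
    events = {
        "own_v6": ("2001:db8::10", 5555),
        "own_v4": ("10.0.0.11", 6666),
        "nat_a": (host_v4, 40001),
        "nat_c": (host_v4, 40002),
        "nat_unknown": (host_v4, 40003),  # no connect was recorded for this port
    }
    results = {name: maps.resolve(ip, port) for name, (ip, port) in events.items()}

    # Lifecycle: released IPs and closed NAT'd sockets must stop resolving.
    maps.release_ip("10.0.0.11")
    results["own_v4_after_release"] = maps.resolve("10.0.0.11", 6666)
    maps.forget_nat_connect(host_v4, 40001)
    results["nat_a_after_close"] = maps.resolve(host_v4, 40001)
    return results


if __name__ == "__main__":
    for event, workload in demo().items():
        print(f"{event:>22}: {workload}")
```

The ordering in `resolve` is the point worth keeping in mind when reviewing such a design: if the shared host IPv4 ever appears in the IP-only map (for example, attributed to a host-level agent), an IP-first lookup would silently credit every NAT'd container flow to that agent. Lifecycle hygiene matters for the same reason: a stale entry for a reused IP or port attributes a new workload's traffic to the old one.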
Seen in¶
- sources/2025-04-08-netflix-how-netflix-accurately-attributes-ebpf-flow-logs — IPMan named as container-host IP assignment service; IPManAgent named as the daemon writing to the eBPF map; clear separation from the second, port-keyed map that Titus writes on NAT'd connects.