
Rust at CloudFlare - steveklabnik
https://docs.google.com/presentation/d/1ERVTXZbYBMZf-9Zk3YsWw2oV14C5j0i1PsVgGywSsAI/mobilepresent?slide=id.g244c4c34_09
======
steven_pack
Here are the videos and slides... (from the May 2018 Bay Area Rust Meetup,
which was hosted at Cloudflare)

Rust at Cloudflare Video:
[https://watch.cloudflarestream.com/4d5d6da3c6217c24f4e44564e...](https://watch.cloudflarestream.com/4d5d6da3c6217c24f4e44564e041f772)
Slides:
[https://docs.google.com/presentation/d/1ERVTXZbYBMZf-9Zk3YsW...](https://docs.google.com/presentation/d/1ERVTXZbYBMZf-9Zk3YsWw2oV14C5j0i1PsVgGywSsAI/edit?usp=sharing)

TrustDNS Video:
[https://watch.cloudflarestream.com/e14e0d2335ffb94ae505289f5...](https://watch.cloudflarestream.com/e14e0d2335ffb94ae505289f55552142)
Slides:
[https://drive.google.com/drive/folders/1gQn9Uuj34TxS4cfUoW1N...](https://drive.google.com/drive/folders/1gQn9Uuj34TxS4cfUoW1Ng4o8axI9r8kq?usp=sharing)

Rust Perf with lolbench Video:
[https://watch.cloudflarestream.com/5774ee39218ed516521adb74c...](https://watch.cloudflarestream.com/5774ee39218ed516521adb74c3acddb5)
Slides:
[https://docs.google.com/presentation/d/1BEI7zXhEiCwEd93-UUpW...](https://docs.google.com/presentation/d/1BEI7zXhEiCwEd93-UUpWv-Yv5azRmBa5caPH0rCAh_Q/edit?usp=sharing)

edit: context about the event edit2: formatting

~~~
manigandham
Thanks for the info. 1 thing: I know you guys have your own Stream video
service but Youtube is still much nicer for viewing...

~~~
dikaiosune
The official (I think?) youtube channel has them:
[https://www.youtube.com/channel/UCaYhcUwRBNscFNUKTjgPFiA](https://www.youtube.com/channel/UCaYhcUwRBNscFNUKTjgPFiA).

~~~
steveklabnik
It is.

------
kornish
I like the quote from Slide 10:

> Why Rust (for CloudFlare)

> ...

> \- Safe (we had a bug once...)

> ...

Funny because according to Algolia, the bug in question is the 7th-most-upvoted
HN post of all time, clocking in at about 1k comments.

Great to see Rust gaining industry adoption.

edit: to clarify, I like that Cloudflare can look back at a bug in their C
code, chuckle about it, and then start to move on to something safer. This is
the bug in question:
[https://news.ycombinator.com/item?id=13718752](https://news.ycombinator.com/item?id=13718752)

~~~
hellofunk
Could you provide a link to it?

~~~
lobster_johnson
I suspect it's this bug:
[https://blog.cloudflare.com/incident-report-on-memory-leak-c...](https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/)

HN:
[https://news.ycombinator.com/item?id=13718752](https://news.ycombinator.com/item?id=13718752)

~~~
hellofunk
I can't tell if the OP is suggesting the bug they had was due to Rust, or if
they adopted Rust for a safe language they once had a bug?

~~~
lobster_johnson
The latter. I think it's a sheepish admission that the bug (caused by unsafe C
code) is a reason to prefer Rust's safety, which should help them prevent
another one like it.

~~~
StavrosK
It is, the person presenting says so in the video.

------
buro9
I'm the Engineering Manager @ Cloudflare for the "Wireshark but at the Edge"
thing. Happy to answer any questions, though I'll be clear... this isn't
something you can play with yet and we're in early days with this feature.

The goal is "customers should be able to create filters that target traffic
passing through our system and then do things" so this is definitely a thing
we wish to give to customers rather than an internal toy.

~~~
Rapzid
I wouldn't mind hearing some details on perf. I would imagine a lot of
filtering can happen at the true edge via BPF, kernel mods, or otherwise
zerocopy mechanisms.

Looks like Linux added in kernel tls termination; sounds like even layer 7
inspection could all happen in kernel space as well...

~~~
buro9
Ah, for this I'll defer until we have more data.

At the moment we have a simple(ish) implementation running at the edge purely
within Nginx and a project underway to see how it behaves, gather metrics.
That environment gives us a good place in which to control testing, and we can
easily compare it to other parts of our code where we already do more trivial
request matching (our Page Rules feature).

It'll be a couple of months before we're satisfied we know enough to say
whether we'll keep it simple or will seek to make it more specialised to our
environment. We haven't yet determined how far we're going to go with this...
could it replace our WAF? Is it cheap enough for the DDoS layer? If we do go
down those paths then it's obvious that yes we'd move the filtering to other
places.

------
squiguy7
It's cool to see CloudFlare using Rust but I wish they went into a little more
detail on the slides. I hope to see follow up blog posts or some of the code
open sourced soon.

~~~
steven_pack
That's what happens when Product Managers present the things the engineering
team is doing. :) The bigger projects are in London. I'm going to try to get the
engineers out to SF next time we host and go a bit deeper. The EM is on this
thread answering questions also.

~~~
squiguy7
Ok, great. Thanks for sharing the information as it is! :)

------
Already__Taken
2 videos up on the rust channel from this and hopefully more in future -
[https://www.youtube.com/channel/UCaYhcUwRBNscFNUKTjgPFiA/vid...](https://www.youtube.com/channel/UCaYhcUwRBNscFNUKTjgPFiA/videos)

------
jiveturkey
just me, or anyone else find it odd that this is a google docs deck? don't see
those published much (usu. pdf and of course ppt).

anyway, another example of soft recruiting done right by cloudflare!

------
tormeh
Can anyone offer some context? Redox is great, but why is it a pro for
cloudflare?

~~~
jontro
It's listed under the Why rust (for me) slide. I.e. it's the author's own
reasons/pros.

~~~
weavie
Does that mean it is actually being used in production, or is it just a
potential? If so, I hadn't realised it had come on that far!

~~~
steven_pack
Rust is being used in production at Cloudflare. Redox is not used here in any
capacity.

------
brian_herman
TrustDNS awesome for 1.1.1.1

~~~
bluejekyll
We're putting the 0.9 release of the Resolver together now, hopefully for
release in the next few days. Lots of good things, including DNS-over-TLS
with cloudflare and quad9 configs available.

------
cortesoft
Hmmm, they say only 10Tbps capacity, but they serve 10% of the internet's HTTP
traffic? That doesn't seem right.

~~~
lossolo
Only? 10 Tbps is HUGE capacity. The biggest IX (Internet Exchange), which is
AMS-IX, has 5 Tbps at peak. Whole internet traffic in 2016 was around 160 Tbps.
So it seems right.

~~~
cortesoft
disclaimer: I work for a CDN, but am not representing them with this comment

Right, but this is talking about GLOBAL capacity, not at a single datacenter.
The CDN I work for has over 49tbps, and we wouldn't claim to be doing 10% of
all HTTP traffic:

[https://images.verizondigitalmedia.com/2015/12/VDMS_NetworkM...](https://images.verizondigitalmedia.com/2015/12/VDMS_NetworkMap_May2018.png)

Plus, capacity is always going to be greater than actual throughput, both for
reliability reasons and traffic patterns (i.e. you need enough capacity for
your peak traffic in a datacenter, not the average)

I really doubt the 10% claim.

~~~
lossolo
Of course capacity is always greater, average twice greater as that kind of
deals you are taking from T1 providers. But depends how much commitment you
have, what kind of deals and traffic patterns you are using. CF has 10 Tbps
capacity but probably a lot less throughput, they need high capacity because
they are DDOSed a lot.

I wasn't taking those numbers from nowhere. Read this:

[https://www.cisco.com/c/en/us/solutions/collateral/service-p...](https://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html)

I think people are misinterpreting what they claim. It's not about 10% of
internet throughput of HTTP traffic, it's about 10% of all HTTP requests.

------
theweb1
http traffic from cloudflare is cutting edges.

------
qiqing
Also, Cloudflare is hiring.

