《What Is eBPF? 》 图解
2022-05-13 16:18:14 23 举报登录查看完整内容
《What Is eBPF?》是一篇图解文章,它详细介绍了eBPF(Extended Berkeley Packet Filter)的概念、原理和应用场景。eBPF是一种在内核中运行的轻量级虚拟机,它可以对内核事件进行跟踪和过滤,从而实现对系统性能的监控和优化。文章中通过生动的图示和实例,帮助读者更好地理解eBPF的工作原理和使用方法。总之,这篇文章为读者提供了一个全面而深入的了解eBPF的机会。
作者其他创作
大纲/内容
原作地址:https://isovalent.com/data/liz-rice-what-is-ebpf.pdf
在过去的几年里,扩展的伯克利包过滤器 (#eBPF#) 已经从相对默默无闻变成了现代基础设施计算中最热门的技术领域之一。 在这份报告中,Liz Rice 深入探讨了 eBPF,并解释了该框架如何为现代计算环境启用网络、安全和可观察性工具。 SRE、运维工程师和工程团队负责人将了解 eBPF 是什么以及它为何如此强大。
more than “Extended Berkeley Packet Filter”
Linux based but an implementation for Windows is under developing
can change kernel behavior
a framework that allows users to load and run custom programs within the kernel
verify before loaded
attached to an event
powerful but complex
简介
kernel is complex
must be accepted by the community (and more specifically by Linus Torvalds) and be for the greater good of all
it takes literally years to get new functionality from the idea stage into a production environment Linux kernel
Kernel Modules is a possible choice but unsafe: may cause crashing or include vulnerabilities that an attacker could exploit
The verifier ensure that it will always terminate safely and within a bounded number of instructions.
eBPF programs can only access memory they are supposed to access.
safety:
eBPF programs can be loaded into and removed from the kernel dynamically
efficiency
what does eBPF do to make it easier
Changing the Kernel Is Hard
The kernel accepts eBPF programs in bytecode form.
The user space part of an eBPF tool needs to load the program into the kernel and attach it to the right event.
libbpf has become a popular option for making eBPF programs portable across different versions of the kernel.
A user space application uses the bpf() system call to load eBPF programs from an ELF file into the kernel
Tracepoints: list under /sys/kernel/debug/tracing/events
Perf Events: check `perf list` for detail
Linux Security Module Interface: AppArmor or SELinux make use of LSM.
Other Networking Hooks: called traffic control or tc within the kernel’s network stack where eBPF programs can run after initial packet processing.
attach points:
data structures that are defined alongside eBPF programs
eBPF Maps
a utility that shows you what files any process opens.
check BCC Project
Opensnoop Example
how to write
compilation toolchain and kernel header files needed on destination machine
compile before start to run
BBC Aproach: compiling at runtime
Modern Linux kernels support BTF.
can generate a header file containing all the data structure information about akernel that a BPF program might need
BTF (BPF Type Format)
Compiler support
Portability Across Kernels
time-of-check to time-of-use (TOCTTOU). presentation
Linux Kernel Knowledge
things get more complicated when coordinate interactions between different types of events
better for learning exercise and experience in this area could be highly valuable since it’s bound to continue to be a sought-after specialist skill for years to come.
Coordinating Multiple eBPF Programs
Complexity
all the containers running on that machine share the same kernel
sidecar vs eBPF
The security controls that exist on a Linux system assume that the kernel itself can be trusted
do not running sensitive applications on a shared machine alongside untrusted applications
nonroot users don’t have permission to load eBPF programs
do have to be careful about the provenance of the code you run. ( signature checking of eBPF)
eBPF and Process Isolation and security
eBPF in Cloud Native
Katran Unimog Cilium calico
Bypassing the host networking stack with eBPF
Networking
Solo.io Cilium Service Mesh
Service Mesh
BCC project Pixie Parca Hubble component of Cilium
A Pixie flamegraph of everything running on a small Kubernetes cluster
Cilium’s Hubble UI shows network flows in a Kubernetes cluster
Observability
app.networkpolicy.io The network policy editor shows a visual representation of the effects of a policy
Falco tracee tetragon
security
eBPF based tools and projects
ebpf.io
ebpf-beginners repository on GitHub.
eBPF Summit
Cloud Native eBPF Day
ebpf.io/slack
resources
What Is eBPF? 读书笔记
收藏
0 条评论
回复 删除
下一页
