day4 part1

content/_template/01_opening.md

@@ -1,3 +0,0 @@
----
-title: Opening Keynotes
----

content/day4/01_container_images.md

@@ -0,0 +1,16 @@
+---
+title: "TODO:"
+weight: 1
+---
+
+## Problems
+
+* Dockerfiles are hard and not 100% reproducible
+* Buildpoacks are reproducible but result in large single-arch images
+* Nix has multiple ways of doing things
+
+## Solutions
+
+* Degger as a CI solution
+* Multistage docker images with distroless -> Small image, small attack surcface
+* Language specific solutions (ki, jib)

content/day4/02_ebpf.md

@@ -0,0 +1,54 @@
+---
+title: "eBPF’s Abilities and Limitations: The Truth"
+weight: 2
+---
+
+A talk by isovalent with a full room (one of the large ones).
+
+## Baseline
+
+* eBPF lets you run custom code in the kernel -> close to hardware
+* Typical usecases: Networking, Observability, Tracing/Profiling, security
+* Question: Is eBPF truing complete and can it be used for more complex scenarios (TLS, LK7)?
+
+## eBPF verifier
+
+* The verifier analyzes the program to verify safety
+* Principles
+  * Read memory only with correct permissions
+  * All writes to valid and safe memory
+  * Valid in-bounds and well formed control flow
+  * Execution on-cpu time is bounded: sleep, scheduled callbacks, interations, program acutally compketes
+  * Aquire/release and reference count semantics
+
+## Demo: Game of life
+
+* A random game of life map
+* Implemented as a tetragon plugin
+* Layout: Main control loop that loads the map, generates the next generation, and returns a next run function
+* The timer callback pattern is used for infinite run
+
+## eBPF Limits & workarounds
+
+* Instruction limit to let the verifier actually verify the program in reasonable time
+  * Limit is based on: Instruction limit and verifier step limit
+  * nowadays the limit it 4096 unprivileged calls and 1 million privileged istructions
+* Only jump forward -> No loops
+  * Is a basic limitation to ensure no infinite loops can ruin the day
+  * Limitation: Only finite iterations can be performed
+  * Loops: Newer versions support loops with upper bounds (`for x=0;: x<100`)
+* Is the instruction limit hard?
+  * Solution: subprogram (aka function) and the limit is only for each function -> `x*subprogramms = x*limit`
+  * Limit: Needs real skill
+* Programs have to terminate
+  * Well eBPF really only wants to release the cpu, the program doesn't have to end per se
+  * Iterator: walk abitrary lists of objects
+  * Sleep on pagefault or other memory operations
+  * Timer callbacks (including the timer 0 for run me asap)
+* Memory allocation
+  * Maps are used as the memory management system
+
+## Result
+
+* You can execure abitrary tasks via eBPF
+* It can be used for HTTP or TLS - it's just not implemented yet™