From c178fe095c0aa2f2a7f02a501f434e4d55e502b5 Mon Sep 17 00:00:00 2001 From: Nicolai Ort Date: Fri, 22 Mar 2024 12:24:27 +0100 Subject: [PATCH] day4 part1 --- content/_template/01_opening.md | 3 -- content/day4/01_container_images.md | 16 ++++++++ content/day4/02_ebpf.md | 54 +++++++++++++++++++++++++++ content/{_template => day4}/_index.md | 0 4 files changed, 70 insertions(+), 3 deletions(-) delete mode 100644 content/_template/01_opening.md create mode 100644 content/day4/01_container_images.md create mode 100644 content/day4/02_ebpf.md rename content/{_template => day4}/_index.md (100%) diff --git a/content/_template/01_opening.md b/content/_template/01_opening.md deleted file mode 100644 index 2fc0230..0000000 --- a/content/_template/01_opening.md +++ /dev/null @@ -1,3 +0,0 @@ ---- -title: Opening Keynotes ---- \ No newline at end of file diff --git a/content/day4/01_container_images.md b/content/day4/01_container_images.md new file mode 100644 index 0000000..f3fb2b2 --- /dev/null +++ b/content/day4/01_container_images.md @@ -0,0 +1,16 @@ +--- +title: "TODO:" +weight: 1 +--- + +## Problems + +* Dockerfiles are hard and not 100% reproducible +* Buildpoacks are reproducible but result in large single-arch images +* Nix has multiple ways of doing things + +## Solutions + +* Degger as a CI solution +* Multistage docker images with distroless -> Small image, small attack surcface +* Language specific solutions (ki, jib) \ No newline at end of file diff --git a/content/day4/02_ebpf.md b/content/day4/02_ebpf.md new file mode 100644 index 0000000..45ccbe4 --- /dev/null +++ b/content/day4/02_ebpf.md 
@@ -0,0 +1,54 @@ +--- +title: "eBPF’s Abilities and Limitations: The Truth" +weight: 2 +--- + +A talk by isovalent with a full room (one of the large ones). + +## Baseline + +* eBPF lets you run custom code in the kernel -> close to hardware +* Typical usecases: Networking, Observability, Tracing/Profiling, security +* Question: Is eBPF truing complete and can it be used for more complex scenarios (TLS, LK7)? + +## eBPF verifier + +* The verifier analyzes the program to verify safety +* Principles + * Read memory only with correct permissions + * All writes to valid and safe memory + * Valid in-bounds and well formed control flow + * Execution on-cpu time is bounded: sleep, scheduled callbacks, interations, program acutally compketes + * Aquire/release and reference count semantics + +## Demo: Game of life + +* A random game of life map +* Implemented as a tetragon plugin +* Layout: Main control loop that loads the map, generates the next generation, and returns a next run function +* The timer callback pattern is used for infinite run + +## eBPF Limits & workarounds + +* Instruction limit to let the verifier actually verify the program in reasonable time + * Limit is based on: Instruction limit and verifier step limit + * nowadays the limit it 4096 unprivileged calls and 1 million privileged istructions +* Only jump forward -> No loops + * Is a basic limitation to ensure no infinite loops can ruin the day + * Limitation: Only finite iterations can be performed + * Loops: Newer versions support loops with upper bounds (`for x=0;: x<100`) +* Is the instruction limit hard? 
+ * Solution: subprogram (aka function) and the limit is only for each function -> `x*subprogramms = x*limit` + * Limit: Needs real skill +* Programs have to terminate + * Well eBPF really only wants to release the cpu, the program doesn't have to end per se + * Iterator: walk abitrary lists of objects + * Sleep on pagefault or other memory operations + * Timer callbacks (including the timer 0 for run me asap) +* Memory allocation + * Maps are used as the memory management system + +## Result + +* You can execure abitrary tasks via eBPF +* It can be used for HTTP or TLS - it's just not implemented yet™ diff --git a/content/_template/_index.md b/content/day4/_index.md similarity index 100% rename from content/_template/_index.md rename to content/day4/_index.md
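Review bot: The deletion of content/_template/01_opening.md, together with the rename of content/_template/_index.md to content/day4/_index.md (100% similarity) later in this patch, leaves the _template directory with nothing in it, so there is no scaffold left to copy for the next day's notes. If the intent is to keep a reusable template, copy the two files into content/day4/ instead of deleting and renaming them, or restore the template files in a follow-up.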
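Review bot: The new content/day4/01_container_images.md still carries the placeholder front matter `title: "TODO:"`, which will render as the page title; fill in the talk title before merging. The same hunk has several typos in the bullets: "Buildpoacks" (Buildpacks), "Degger" (Dagger), "surcface" (surface), and "ki" in `* Language specific solutions (ki, jib)` looks like a mistyped tool name that should be checked against the talk. The file also ends without a trailing newline (`\ No newline at end of file`); add one for consistency with the other page files.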
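Review bot: In content/day4/02_ebpf.md the two verifier limits are stated with different nouns, `4096 unprivileged calls and 1 million privileged istructions`; both are instruction-count limits for unprivileged and privileged programs respectively, so use "instructions" for both and fix "limit it" to "limit is". The loop example `for x=0;: x<100` is not valid syntax and should read `for (x = 0; x < 100; x++)` or be dropped. Spelling to fix in the same hunk: "truing complete" (Turing complete), "LK7" (check against the talk, likely L7), "interations", "acutally compketes", "Aquire", "abitrary" (twice), "execure", "subprogramms", and "usecases". Consider also stating the first time the subprogram workaround is mentioned that the per-function limit still applies to each subprogram, as the `x*subprogramms = x*limit` line implies.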