day4 part1
This commit is contained in:
parent
c7797a0891
commit
c178fe095c
@ -1,3 +0,0 @@
---
title: Opening Keynotes
---
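Review bot: the deletion of the `Opening Keynotes` front matter (`title: Opening Keynotes`) leaves no replacement and no explanation anywhere in this commit; the message `day4 part1` does not say whether the keynote notes were intentionally dropped or moved elsewhere, so either restore the file or state the intent in the commit message.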
@ -0,0 +1,16 @@
---
title: "TODO:"
weight: 1
---
## Problems
* Dockerfiles are hard and not 100% reproducible
* Buildpoacks are reproducible but result in large single-arch images
* Nix has multiple ways of doing things
## Solutions
* Degger as a CI solution
* Multistage docker images with distroless -> Small image, small attack surcface
* Language specific solutions (ki, jib)
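Review bot: the front matter still carries the placeholder `title: "TODO:"`, so this page would be published under that name; give it the talk's real title before merging. The list items also have typos worth fixing (`Buildpoacks` should be `Buildpacks`, `surcface` should be `surface`, and `Degger as a CI solution` presumably means `Dagger`), and `ki` in `Language specific solutions (ki, jib)` is probably meant to be `ko`.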
@ -0,0 +1,54 @@
---
title: "eBPF’s Abilities and Limitations: The Truth"
weight: 2
---
A talk by isovalent with a full room (one of the large ones).
## Baseline
* eBPF lets you run custom code in the kernel -> close to hardware
* Typical usecases: Networking, Observability, Tracing/Profiling, security
* Question: Is eBPF truing complete and can it be used for more complex scenarios (TLS, LK7)?
## eBPF verifier
* The verifier analyzes the program to verify safety
* Principles
* Read memory only with correct permissions
* All writes to valid and safe memory
* Valid in-bounds and well formed control flow
* Execution on-cpu time is bounded: sleep, scheduled callbacks, interations, program acutally compketes
* Aquire/release and reference count semantics
## Demo: Game of life
* A random game of life map
* Implemented as a tetragon plugin
* Layout: Main control loop that loads the map, generates the next generation, and returns a next run function
* The timer callback pattern is used for infinite run
## eBPF Limits & workarounds
* Instruction limit to let the verifier actually verify the program in reasonable time
* Limit is based on: Instruction limit and verifier step limit
* nowadays the limit it 4096 unprivileged calls and 1 million privileged istructions
* Only jump forward -> No loops
* Is a basic limitation to ensure no infinite loops can ruin the day
* Limitation: Only finite iterations can be performed
* Loops: Newer versions support loops with upper bounds (`for x=0;: x<100`)
* Is the instruction limit hard?
* Solution: subprogram (aka function) and the limit is only for each function -> `x*subprogramms = x*limit`
* Limit: Needs real skill
* Programs have to terminate
* Well eBPF really only wants to release the cpu, the program doesn't have to end per se
* Iterator: walk abitrary lists of objects
* Sleep on pagefault or other memory operations
* Timer callbacks (including the timer 0 for run me asap)
* Memory allocation
* Maps are used as the memory management system
## Result
* You can execure abitrary tasks via eBPF
* It can be used for HTTP or TLS - it's just not implemented yet™
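Review bot: the line `* nowadays the limit it 4096 unprivileged calls and 1 million privileged istructions` mixes units; both figures are instruction counts (the verifier's limit for unprivileged versus privileged programs), so `calls` should read `instructions`, and `it` should read `is`. Smaller fixes in the same hunk: `truing complete` should be `Turing complete`, `LK7` is presumably `L7`, `interations` should be `iterations`, `acutally compketes` should be `actually completes`, `abitrary` should be `arbitrary` (twice), `execure` should be `execute`, `subprogramms` should be `subprograms`, and the bounded-loop example `for x=0;: x<100` has a stray colon.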