niggl/kubecon24
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
kubecon24/content/day4/02_ebpf.md
Nicolai Ort bafbb46f52
added tags
2024-03-25 13:45:10 +01:00

57 lines
2.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: "eBPFs Abilities and Limitations: The Truth"
weight: 2
tags:
- ebpf
---
A talk by isovalent with a full room (one of the large ones).
## Baseline
* eBPF lets you run custom code in the kernel -> close to hardware
* Typical usecases: Networking, Observability, Tracing/Profiling, security
* Question: Is eBPF truing complete and can it be used for more complex scenarios (TLS, LK7)?
## eBPF verifier
* The verifier analyzes the program to verify safety
* Principles
* Read memory only with correct permissions
* All writes to valid and safe memory
* Valid in-bounds and well formed control flow
* Execution on-cpu time is bounded: sleep, scheduled callbacks, interations, program acutally compketes
* Aquire/release and reference count semantics
## Demo: Game of life
* A random game of life map
* Implemented as a tetragon plugin
* Layout: Main control loop that loads the map, generates the next generation, and returns a next run function
* The timer callback pattern is used for infinite run
## eBPF Limits & workarounds
* Instruction limit to let the verifier actually verify the program in reasonable time
* Limit is based on: Instruction limit and verifier step limit
* nowadays the limit it 4096 unprivileged calls and 1 million privileged istructions
* Only jump forward -> No loops
* Is a basic limitation to ensure no infinite loops can ruin the day
* Limitation: Only finite iterations can be performed
* Loops: Newer versions support loops with upper bounds (`for x=0;: x<100`)
* Is the instruction limit hard?
* Solution: subprogram (aka function) and the limit is only for each function -> `x*subprogramms = x*limit`
* Limit: Needs real skill
* Programs have to terminate
* Well eBPF really only wants to release the cpu, the program doesn't have to end per se
* Iterator: walk abitrary lists of objects
* Sleep on pagefault or other memory operations
* Timer callbacks (including the timer 0 for run me asap)
* Memory allocation
* Maps are used as the memory management system
## Result
* You can execure abitrary tasks via eBPF
* It can be used for HTTP or TLS - it's just not implemented yet™
Reference in New Issue View Git Blame Copy Permalink