kubecon24/content/day4/02_ebpf.md


| title | weight | tags |
|---|---|---|
| eBPF's Abilities and Limitations: The Truth | 2 | ebpf |

A talk by Isovalent with a full room (one of the large ones).

Baseline

  • eBPF lets you run custom, verified code inside the kernel -> close to the hardware
  • Typical use cases: networking, observability, tracing/profiling, security
  • Question: Is eBPF Turing complete, and can it be used for more complex scenarios (TLS, L7 protocols)?

eBPF verifier

  • The verifier statically analyzes the program at load time and rejects anything it cannot prove safe
  • Principles
    • Memory is read only with the correct permissions
    • All writes go to valid, safe memory
    • Control flow is in-bounds and well formed
    • On-CPU execution time is bounded: sleeps, scheduled callbacks and iterations are all accounted for, and the program actually completes
    • Acquire/release and reference-count semantics are enforced: every lock or reference taken must be released on every path

Demo: Game of life

  • A randomly seeded Game of Life map
  • Implemented as a Tetragon plugin
  • Layout: a main control loop that loads the map, computes the next generation, and returns a "next run" function
  • The timer callback pattern is used to keep it running indefinitely: each callback computes one generation and re-arms the timer

eBPF Limits & workarounds

  • Instruction limit, so that the verifier can actually verify the program in reasonable time
    • Two limits apply: the size of the program and the number of instructions the verifier may process (its step budget)
    • Nowadays the limit is 4096 instructions for unprivileged programs and 1 million verified instructions for privileged ones (since kernel 5.2; before that it was 4096 for everyone)
  • Only forward jumps -> no loops
    • A basic limitation to ensure no infinite loop can ruin the day
    • Consequence: only a finite number of iterations can be performed
    • Loops: newer kernels (5.3+) accept loops whose upper bound the verifier can prove, e.g. for (x = 0; x < 100; x++)
  • Is the instruction limit hard?
    • Workaround: split the program into subprograms (BPF-to-BPF function calls); global, i.e. non-static, functions are verified independently (kernel 5.10+), so each one gets its own budget -> x subprograms give roughly x times the limit
    • Caveat: structuring a program that way needs real skill
  • Programs have to terminate
    • Well, eBPF really only wants the CPU back; the overall task doesn't have to end, each individual run does
    • Iterators: walk arbitrary lists of kernel objects
    • Sleepable programs: may sleep on a page fault or other memory operation
    • Timer callbacks (including a timer of 0 ns for "run me ASAP"); every callback is a fresh, separately bounded run
  • Memory allocation
    • There is no malloc; maps are the memory management system and the only state that survives from one run to the next

Result

  • You can execute arbitrary tasks via eBPF, as long as they are cut into bounded runs with their state kept in maps
  • It can be used for HTTP or TLS parsing - it's just not implemented yet™