title | weight | tags
---|---|---
eBPF’s Abilities and Limitations: The Truth | 2 |
A talk by Isovalent to a full room (one of the large ones).
Baseline
- eBPF lets you run custom code in the kernel -> close to hardware
- Typical use cases: networking, observability, tracing/profiling, security
- Question: Is eBPF Turing complete, and can it be used for more complex scenarios (TLS, L7)?
eBPF verifier
- The verifier analyzes the program to verify safety
- Principles
  - Read memory only with correct permissions
  - All writes go to valid and safe memory
  - Valid, in-bounds and well-formed control flow
  - Execution on-CPU time is bounded: sleep, scheduled callbacks, iterations, program actually completes
  - Acquire/release and reference count semantics
Demo: Game of life
- A random game of life map
- Implemented as a Tetragon plugin
- Layout: Main control loop that loads the map, generates the next generation, and returns a next run function
- The timer callback pattern is used for infinite run
eBPF Limits & workarounds
- Instruction limit, so that the verifier can actually verify the program in reasonable time
  - The limit is based on: instruction limit and verifier step limit
  - Nowadays the limit is 4096 unprivileged calls and 1 million privileged instructions
- Only jump forward -> no loops
  - A basic limitation to ensure no infinite loop can ruin the day
  - Limitation: only finite iterations can be performed
  - Loops: newer versions support loops with an upper bound (`for (x = 0; x < 100; x++)`)
- Is the instruction limit hard?
  - Solution: subprograms (aka functions); the limit applies per function -> x subprograms = x * limit
  - Limitation: needs real skill
- Programs have to terminate
  - Well, eBPF really only wants the program to release the CPU; the program doesn't have to end per se
  - Iterator: walk arbitrary lists of objects
  - Sleep on page fault or other memory operations
  - Timer callbacks (including timer 0 for "run me ASAP")
- Memory allocation
  - Maps are used as the memory management system
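As an added example (not from the talk or from Isovalent), a toy Python model of the verifier rules noted above: forward-only jumps, an instruction limit, and the per-subprogram workaround. The instruction encoding is invented for illustration, and the model ignores the real verifier's state exploration and step limit.

```python
# Added example (not from the talk): a toy model of the verifier rules above.
# "jmp" offsets are relative to the next instruction, as in real eBPF bytecode.
INSN_LIMIT_UNPRIV = 4096      # unprivileged limit quoted in the talk
INSN_LIMIT_PRIV = 1_000_000   # privileged limit quoted in the talk


class VerifierError(Exception):
    """Raised when the toy verifier rejects a program."""


def check_control_flow(insns):
    """Only forward, in-bounds jumps are allowed: no back edges, hence no loops."""
    for pc, insn in enumerate(insns):
        if insn[0] == "jmp":
            target = pc + 1 + insn[1]
            if target <= pc:
                raise VerifierError(f"back edge at pc={pc} -> pc={target}")
            if target >= len(insns):
                raise VerifierError(f"jump out of bounds at pc={pc}")
    if not insns or insns[-1] != ("exit",):
        raise VerifierError("program must end in exit")


def verify(subprograms, limit):
    """Per-subprogram limit: the whole program may reach len(subprograms) * limit."""
    for name, insns in subprograms.items():
        check_control_flow(insns)
        if len(insns) > limit:
            raise VerifierError(f"{name}: {len(insns)} insns > limit {limit}")
    return sum(len(i) for i in subprograms.values())


def rejects(subprograms, limit):
    """True if the toy verifier rejects the program."""
    try:
        verify(subprograms, limit)
    except VerifierError:
        return True
    return False


def unrolled_loop(body, iterations):
    """'for (x = 0; x < N; x++) body' as the verifier sees it: N unrolled copies."""
    return list(body) * iterations + [("exit",)]


def split_into_subprograms(body, iterations, chunk):
    """Talk's workaround: spread the work over subprograms, each under the limit."""
    subs = {f"chunk{i // chunk}": unrolled_loop(body, min(chunk, iterations - i))
            for i in range(0, iterations, chunk)}
    subs["main"] = [("call", name) for name in subs] + [("exit",)]
    return subs
```

With a four-instruction body, 100 iterations unroll to 401 instructions and pass the unprivileged limit, 2000 iterations (8001 instructions) fail it unless split into chunks that each fit.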
Result
- You can execute arbitrary tasks via eBPF
- It can be used for HTTP or TLS - it's just not implemented yet™