Aladdin & the eBPF lamp: Travel in the kernel

Transcript

1. Aladdin & the eBPF lamp Travel in the kernel Donia

   Chaiehloudj, Software Engineer & Community Isovalent @Cisco

2. Living from hand to mouth without any visibility, security... (and

   money)

3. Living from hand to mouth without any visibility, security... (and

   money)

4. The Mysterious Cave The Kernel of Wonders...

5. The Mysterious Cave The Kernel of Wonders... Syscalls Sockets Packets

   Hooks Maps

6. The Mysterious Cave The Kernel of Wonders... with Rules To

   change the Kernel: Rebuild the kernel Load modules Risky for adventurers...

7. The Summons Aladdin is sent to the Cave....

8. The Summons Aladdin is sent to the Cave....

9. The Magic eBPF Lamp

10. The Magic eBPF Lamp And the eGenie...

11. Program App The Magic eBPF Lamp And Events Userspace Syscalls

    Linux Kernel

12. Program App The Magic eBPF Lamp And Events Userspace Syscalls

    Linux Kernel event

13. Program App The Magic eBPF Lamp And Events Events tracepoints

    kprobes (kernel) uprobes (user) TC (Traffic Control) XDP (Express Datapath) Userspace Syscalls Linux Kernel event

14. App Program Verifier The Magic eBPF Lamp is Safe eBPF

    programs are: verified sandboxed You can’t crash your kernel. Userspace Syscalls Linux Kernel load eBPF programs

15. App Program Verifier JIT Compiler approved The Magic eBPF Lamp

    is Safe eBPF programs are: verified sandboxed You can’t crash your kernel. Userspace Syscalls Linux Kernel load eBPF programs

16. The Magic eBPF Lamp has Maps for what’s is hidden

    in the cave Userspace Syscalls Linux Kernel App eBPF maps Program BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_PERCPU_HASH ...

17. The Magic eBPF Lamp has Maps for what’s is hidden

    in the cave Userspace Syscalls Linux Kernel App eBPF maps read Use Cases: kernel → userspace write Program BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_PERCPU_HASH ...

18. The Magic eBPF Lamp has Maps to load configuration in

    the cave... Use Cases: kernel → userspace userspace → kernel Userspace Syscalls Linux Kernel App eBPF maps read write Program BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_PERCPU_HASH ...

19. The Magic eBPF Lamp has Maps to transport information within

    the cave... Use Cases: kernel → userspace userspace → kernel kernel → kernel Userspace Syscalls Linux Kernel App eBPF maps write Program Program read BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_PERCPU_HASH ...

20. The Flying Carpet

21. → SDKs like cilium/ebpf let you write networking/security tooling +

    = Go the companion to travel easy The Flying Carpet

22. Go the companion to travel easy The Flying Carpet Userspace

    Syscalls Linux Kernel App ELF Object load

23. Go the companion to travel easy The Flying Carpet Userspace

    Syscalls Linux Kernel App C Program ELF Object load clang

24. Go the companion to travel easy The Flying Carpet Userspace

    Syscalls Linux Kernel eBPF maps BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_PERCPU_HASH ... App C Program ELF Object load clang

25. Go the companion to travel easy The Flying Carpet Userspace

    Syscalls Linux Kernel eBPF maps BPF_MAP_TYPE_HASH BPF_MAP_TYPE_ARRAY BPF_MAP_TYPE_PERCPU_HASH ... App C Program ELF Object load clang write read

26. Wish #1: Becoming a Prince

27. Wish #1: Becoming a Prince

28. Wish #1: Becoming a Prince Tracing Capability Step 1: Write

    C program

29. Wish #1: Becoming a Prince Tracing Capability / Open file

    example Step 1: Write C program

30. Wish #1: Becoming a Prince Tracing Capability / Open file

    example Step 1: Write C program ✅

31. Wish #1: Becoming a Prince Tracing Capability / Open file

    example //go:generate go run github.com/cilium/ebpf/cmd/bpf2go tracing tracing.c Step 1: Write C program ✅ Step 2: Use friendly APIs to load programs cilium/ebpf library

32. Wish #1: Becoming a Prince Tracing Capability / Open file

    example //go:generate go run github.com/cilium/ebpf/cmd/bpf2go tracing tracing.c Step 1: Write C program ✅ Step 2: Use friendly APIs to load programs cilium/ebpf library type openfileObjects struct { openfilePrograms openfileMaps openfileVariables } eBPF Objects to manipulate

33. Wish #1: Becoming a Prince Tracing Capability / Open file

    example //go:generate go run github.com/cilium/ebpf/cmd/bpf2go tracing tracing.c Step 1: Write C program ✅ Step 2: Use friendly APIs to load programs cilium/ebpf library type openfileObjects struct { openfilePrograms openfileMaps openfileVariables } eBPF Objects to manipulate eBPF program bytecodes type openfilePrograms struct { TraceOpenat *ebpf.Program `ebpf:"trace_openat"` }

34. Wish #1: Becoming a Prince Tracing Capability / Open file

    example Step 1: Write C program ✅ Step 2: Use friendly APIs to load programs cilium/ebpf library ✅

35. Wish #1: Becoming a Prince Tracing Capability / Open file

    example Step 1: Write C program ✅ Step 2: Use friendly APIs to load programs cilium/ebpf library ✅ Step 3: Write Go program to load eBPF program

36. Wish #1: Becoming a Prince Tracing Capability / Open file

    example

37. Wish #1: Becoming a Prince Tracing Capability / Open file

    example Step 1: Write C program ✅ Step 2: Use friendly APIs to load programs cilium/ebpf library ✅ Step 3: Write Go program to load eBPF program ✅

38. Wish #1: Becoming a Prince Tracing Capability / Open file

    example

39. Wish #1: Becoming a Prince Observability Capability / Count packet

    numbers

40. Wish #1: Becoming a Prince Observability Capability / Count packet

    numbers

41. Moral #1 “We didn’t recompile the application. We didn’t stop

    the kingdom. We simply saw. Like Aladdin dressed in fine silk, we gain legitimacy, we can observe from the inside… with grace.”

42. 🥷 The Threat: “Jafar Strikes” A noisy neighbor A suspicious

    IP A storm of a packets at the gate

43. Wish #2: Save me eGenie from the Deep

44. Wish #2: Save me eGenie from the Deep XDP Capability

45. Wish #2: Save me eGenie from the Deep XDP Capability

    - C Code

46. Wish #2: Save me eGenie from the Deep XDP Capability

    - Demo

47. Moral #2 When the sea turns rough, eBPF can pull

    you to the surface—not with blunt force, but with elegant control at the kernel’s edge.”

48. The Prince in the Kubernetes Palace

49. pods The Magic eBPF Lamp And Events One kernel for

    all the containers Userspace Syscalls Linux Kernel

50. pods The Magic eBPF Lamp And Events One kernel for

    all the containers Userspace Syscalls Linux Kernel event

51. Program pods The Magic eBPF Lamp And Events One kernel

    for all the containers Userspace Syscalls Linux Kernel event

52. The Prince in the Kubernetes Palace And the Power of

    eBPF

53. Wish #3: Freeing the eGenie From Tools to Ecosystem

54. Wish #3: Freeing the eGenie From Tools to Ecosystem in

    Networking

55. Wish #3: Freeing the eGenie Cilium as the default Cloud

    Networking Interface (CNI) Amazon EKS Anywhere Anthos GKE Dataplane v2 Azure Kubernetes Service Azure Kubernetes Service source: https://cilium.io/use-cases/cni/ Managed Kubernetes Service MetaKube

56. Wish #3: Freeing the eGenie From Tools to Ecosystem in

    Security - Tetragon

57. Moral #3 When the eGenie is free, standardized, open source,

    integrated, everyone benefits: platform teams, developers, security, and ultimately… users.”

58. Key Takeways Write tiny, safe eBPF Program without rebooting

59. Key Takeways Write tiny, safe eBPF Program without rebooting Abstract

    syscalls, make programs practical, maintainable.

60. Key Takeways Write tiny, safe eBPF Program without rebooting Abstract

    syscalls, make programs practical, maintainable. Wish #1: Tracing Wish #2: Security XDP Wish #3: Networking k8s Palace

61. It’s not about power, it’s about wisdom. Use the genie

    well. Free it into the ecosystem. Build tools that help everyone. Key Takeways Write tiny, safe eBPF Program without rebooting Abstract syscalls, make programs practical, maintainable. Wish #1: Tracing Wish #2: Security XDP Wish #3: Networking k8s Palace

62. The End...

63. @doniacld ebpf.io @ciliumproject @isovalent 🧪 isovalent.com/labs/ebpf-getting-started/ 👩🏾‍💻 github.com/doniacld/ebpf-4-gophers/ Resources &

    Credits

64. @doniacld ebpf.io @ciliumproject @isovalent 🧪 isovalent.com/labs/ebpf-getting-started/ 👩🏾‍💻 github.com/doniacld/ebpf-4-gophers/ Resources &

    Credits Feedback is a gift 🎁