bpfbox: Simple Precise Process Confinement with eBPF and KRSI William Findlay October 28, 2020 bpfbox at a Glance ▶ bpfbox is a novel process confinement mechanism for Linux using eBPF ▶ Users write Motivation ▶ Existing process confinement mechanisms are complex seccomp-bpf Unix DAC Namespaces Cgroups Capabilities Namespaces Unix DAC seccomp-bpf ▶ Existing process confinement mechanisms are prototyping ▶ Safe production deployment of new security solutions We have an opportunity to rethink process confinement from the ground up. 3 / 7 bpfbox Implementation ▶ Userspace daemon using the Python3

Developer / Contributor Guide Setting up the development environment Development process End-To-End Testing Framework How to contribute Pull request review process Building Container Images Documentation Developer’s Release Cadence Stable releases LTS Generic Release Process GitHub template process Reference steps for the template Minor Release Process Backporting process CI / Jenkins Jobs Overview Triggering Pull-Request updated without any changes to the application code or container configuration. Why Cilium? The development of modern datacenter applications has shifted to a service-oriented architecture often referred

Developer / Contributor Guide Se�ng up the development environment Development process End-To-End Tes�ng Framework How to contribute Pull request review process Building Container Images Documenta�on CI updated without any changes to the applica�on code or container configura�on. Why Cilium? The development of modern datacenter applica�ons has shi�ed to a service- oriented architecture o�en referred to dropped or a request rejected. The policy tracing framework allows to trace the policy decision process for both, running workloads and based on arbitrary label defini�ons. Metrics export via Prometheus:

developers. API Reference : Details the Cilium agent API for interacting with a local Cilium instance. Development Guide : Gives background to those looking to develop and contribute modifications to the Cilium a SIG For Developers Development Guide How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Weekly duties duties Developer’s Certificate of Origin Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update a new Kubernetes version

Environment Submitting a pull request Getting a pull request merged Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Debugging Release tracking Release Cadence Backporting process Backport Criteria Backporting guide Generic Release Process Release Candidate Process Feature Release Process On Freeze date For the final release Testing Helper Functions Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing

developers. API Reference : Details the Cilium agent API for interacting with a local Cilium instance. Development Guide : Gives background to those looking to develop and contribute modifications to the Cilium a SIG For Developers Development Guide How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Weekly duties duties Developer’s Certificate of Origin Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Optional: Docker and IPv6 Debugging

developers. API Reference : Details the Cilium agent API for interacting with a local Cilium instance. Development Guide : Gives background to those looking to develop and contribute modifications to the Cilium for Detrimental Behavior Development Guide How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Weekly duties duties Developer’s Certificate of Origin Development Setup Verifying Your Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update

developers. API Reference : Details the Cilium agent API for interacting with a local Cilium instance. Development Guide : Gives background to those looking to develop and contribute modifications to the Cilium for Detrimental Behavior Development Guide How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Weekly duties duties Developer’s Certificate of Origin Development Setup Verifying Your Development Setup Requirements Vagrant Setup Local Development in Vagrant Box Making Changes Add/update a golang dependency Add/update

PMTUD support for our load balancer (jp) • https://engineering.linecorp.com/ja/blog/network- development-in-verda/ Thank you for listening! Twitter/Slack: @YutaroHayakawa

程序，借助 bpf_redirect() 或 bpf_redirect_peer() 等 helper 函数，快速帮助同宿主机间 的流量转发，节省了大量的内核协议栈 处理流程 pod 1 process kernel network stack raw PREROUTING mangle PREROUTING nat PREROUTING tc ingress conntrack POSTROUING nat POSTROUING tc egress veth pod 2 veth process kernel < 5.10 tailCall-> to-container: redirect kernel >= 5.10 redirect_peer routing veth 在某测试场景下， 跨节点间的 pod 通 信的 tcp 性能，比 node间应用通信的 tcp 性能还稍高 woker node2 woker node1 pod1 process kernel network stack tc ingress kernel network stack netfilter tc egress veth veth