eBPF Summit October 28, 2020 Debugging Go in production using eBPF ABOUT ME ? i’m Zain @zainasgar Co-Founder/CEO Pixie (@pixie_run) & Adjunct Professor of CS @ Stanford DEVELOPER PROBLEM You’re Argument Tracer ● Utilizing tracepoints for dynamic logging allows for easy instrumentation of production binaries ● The complexities of the Go ABI make it difficult to do. Especially when you consider:

How to create a SIG For Developers Development Guide How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous HTTP). As a result, Cilium not only makes it simple to apply security policies in a highly dynamic environment by decoupling security from addressing, but can also provide stronger security isolation by operating

documentation. A hands-on tutorial [https://play.instruqt.com/isovalent/invite/j4maqox5r1h5] in a live environment is also available for users looking for a way to quickly get started and experiment with Cilium How to create a SIG For Developers Development Guide How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous

Slack Slack channels For Developers Getting Started How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Development Setup Requirements Vagrant Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous HTTP). As a result, Cilium not only makes it simple to apply security policies in a highly dynamic environment by decoupling security from addressing, but can also provide stronger security isolation by operating

Slack Slack channels For Developers Developer / Contributor Guide Setting up the development environment Development process End-To-End Testing Framework How to contribute Pull request review process HTTP). As a result, Cilium not only makes it simple to apply security policies in a highly dynamic environment by decoupling security from addressing, but can also provide stronger security isolation by operating section first to learn about the basic concepts and motivation. Installation Creating a Sandbox environment Self-Managed Kubernetes Managed Kubernetes Installer Integrations CNI Chaining Security Tutorials

documentation. A hands-on tutorial [https://play.instruqt.com/isovalent/invite/j4maqox5r1h5] in a live environment is also available for users looking for a way to quickly get started and experiment with Cilium Revocation for Detrimental Behavior Development Guide How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous

documentation. A hands-on tutorial [https://play.instruqt.com/isovalent/invite/j4maqox5r1h5] in a live environment is also available for users looking for a way to quickly get started and experiment with Cilium Revocation for Detrimental Behavior Development Guide How To Contribute Clone and Provision Environment Submitting a pull request Getting a pull request merged Pull requests review process for committers Maps Object Pinning Tail Calls BPF to BPF Calls JIT Hardening Offloads Toolchain Development Environment LLVM iproute2 bpftool BPF sysctls Kernel Testing JIT Debugging Introspection Tracing pipe Miscellaneous

state (kprobes, uprobes, etc.) with policy enforcement (LSM probes) ▶ Rapid prototyping ▶ Safe production deployment of new security solutions We have an opportunity to rethink process confinement from 2000 source lines of kernelspace code ▶ Thanks to eBPF, bpfbox is light-weight, flexible, and production-safe ▶ Works out of the box on any vanilla Linux kernel ≥ 5.8 4 / 7 Our Policy Language Rules

updates to the kernel can take years to reach end users running stable long-term releases (LTS) in production. It is possible to extend the kernel’s functionalities by writing and loading kernel modules, their skills were for hire. And the united bees formed the Hive Alliance. After years of proven production experience, eBPF has been adopted for Windows and other privileged execution contexts. The eBPF

exposes total run_time_ns and run_cnt – Use cases: – Benchmarking + CI/CD – Sampling profiler in production How does it work? – Adds ~20ns of overhead per run Two ways to enable kernel eBPF stats sysctl