bpfbox: Simple Precise Process Confinement with eBPF and KRSI
William Findlay, October 28, 2020. bpfbox at a Glance ▶ bpfbox is a novel process confinement mechanism for Linux using eBPF ▶ Users write … Motivation ▶ Existing process confinement mechanisms are complex (seccomp-bpf, Unix DAC, Namespaces, Cgroups, Capabilities) ▶ Existing process confinement mechanisms are … prototyping ▶ Safe production deployment of new security solutions. We have an opportunity to rethink process confinement from the ground up. bpfbox Implementation ▶ Userspace daemon using the Python …
8 pages | 528.12 KB | 1 year ago
Cilium v1.9 Documentation
Provision Environment; Submitting a pull request; Getting a pull request merged; Pull requests review process for committers; Weekly duties; Developer's Certificate of Origin; Development Setup; Requirements; Vagrant … Release Cadence; Backporting process; Backport Criteria; Backporting guide for the backporter; Backporting guide for others; Generic Release Process; GitHub template process; Reference steps for the template … Release Candidate Process; Feature Release Process; On Freeze date; For the final release; Testing; CI / Jenkins Jobs Overview; Triggering Pull-Request Builds With Jenkins; Testing with race condition …
1263 pages | 18.62 MB | 1 year ago
Cilium v1.6 Documentation
Contributor Guide; Setting up the development environment; Development process; End-To-End Testing Framework; How to contribute; Pull request review process; Building Container Images; Documentation; Developer's Certificate … Release Cadence; Stable releases; LTS; Generic Release Process; GitHub template process; Reference steps for the template; Minor Release Process; Backporting process; CI / Jenkins Jobs Overview; Triggering Pull-Request … dropped or a request rejected. The policy tracing framework allows tracing the policy decision process both for running workloads and based on arbitrary label definitions. Metrics export via Prometheus: …
734 pages | 11.45 MB | 1 year ago
Cilium v1.7 Documentation
Release tracking; Release Cadence; Backporting process; Backport Criteria; Backporting guide; Generic Release Process; Release Candidate Process; Feature Release Process; On Freeze date; For the final release; Testing … dropped or a request rejected. The policy tracing framework allows tracing the policy decision process both for running workloads and based on arbitrary label definitions. Metrics export via Prometheus: … internals.Fetcher) [2017-12-07 03:08:54,517] ERROR Error processing message, terminating consumer process: (kafka.tools.ConsoleConsumer$) org.apache.kafka.common.errors.TopicAuthorizationException: Not …
885 pages | 12.41 MB | 1 year ago
Cilium v1.5 Documentation
Contributor Guide; Setting up the development environment; Development process; End-To-End Testing Framework; How to contribute; Pull request review process; Building Container Images; Documentation; CI / Jenkins; Release … dropped or a request rejected. The policy tracing framework allows tracing the policy decision process both for running workloads and based on arbitrary label definitions. Metrics export via Prometheus: … model for how external networking platforms integrate. In the case of Docker, each Linux node runs a process (cilium-docker) that handles each Docker libnetwork call and passes data / requests on to the main …
740 pages | 12.52 MB | 1 year ago
Cilium v1.10 Documentation
Provision Environment; Submitting a pull request; Getting a pull request merged; Pull requests review process for committers; Weekly duties; Developer's Certificate of Origin; Development Setup; Verifying Your … Release Cadence; Backporting process; Backport Criteria; Backporting Guide for the Backporter; Backporting Guide for Others; Generic Release Process; GitHub template process; Reference steps for the template … Release Candidate Process; Feature Release Process; On Freeze date; For the final release; Testing; CI / Jenkins Jobs Overview; Triggering Pull-Request Builds With Jenkins; Testing with race condition …
1307 pages | 19.26 MB | 1 year ago
Cilium v1.11 Documentation
Provision Environment; Submitting a pull request; Getting a pull request merged; Pull requests review process for committers; Weekly duties; Developer's Certificate of Origin; Development Setup; Verifying Your … repositories; Update cilium-builder and cilium-runtime images; Nightly Docker image; Image Building Process; Code Overview; High-level; Cilium; Hubble; Important common packages; Debugging toFQDNs and DNS; Debugging … Release Cadence; Backporting process; Backport Criteria; Backporting Guide for the Backporter; Backporting Guide for Others; Generic Release Process; GitHub template process; Reference steps for the template …
1373 pages | 19.37 MB | 1 year ago
Cilium v1.8 Documentation
Provision Environment; Submitting a pull request; Getting a pull request merged; Pull requests review process for committers; Weekly duties; Developer's Certificate of Origin; Development Setup; Requirements; Vagrant … Release Cadence; Backporting process; Backport Criteria; Backporting guide for the backporter; Backporting guide for others; Generic Release Process; GitHub template process; Reference steps for the template … Release Candidate Process; Feature Release Process; On Freeze date; For the final release; Testing; CI / Jenkins Jobs Overview; Triggering Pull-Request Builds With Jenkins; Using Jenkins for testing …
1124 pages | 21.33 MB | 1 year ago
Cilium's Network Acceleration Secrets
… programs, which use helper functions such as bpf_redirect() or bpf_redirect_peer() to quickly forward traffic between pods on the same host, skipping a large part of the kernel network stack processing path. [Figure: same-host pod-to-pod datapath: pod 1 process, kernel network stack, raw/mangle/nat PREROUTING, tc ingress, conntrack, nat POSTROUTING, tc egress, veth; pod 2; kernel < 5.10: tail call to to-container then redirect; kernel >= 5.10: redirect_peer.] … In one test scenario, the TCP performance of pod-to-pod communication across nodes was even slightly higher than that of application-to-application communication between the nodes. [Figure: cross-node datapath: worker node 1 and worker node 2, pod1 process, kernel network stack, tc ingress, netfilter, tc egress, veth.] …
14 pages | 11.97 MB | 1 year ago
Buzzing Across Space
… flexibility of user space programming. [Figure: Applications, User space, Kernel, System calls, Files, Networking, Process, Memory.] Flying for years across the galaxy and back, the crew learned to modify their ship and adjust to the evolution of the kernel. [Figure: Applications, User space, Kernel, System calls, Files, Networking, Process, Module, Memory.] One day, a concerned Captain Tux reviewed the crew and remembered that bees had long … that eBPF programs are safe for the kernel, or sometimes the hardware, to run. It checks that the process loading the eBPF program holds the required capabilities (privileges), the program does not crash …
32 pages | 32.98 MB | 1 year ago