eBPF: Connecting with Container Runtimes

60 pointsposted 19 hours ago
by forxtrot
(h0x0er.github.io)

9 Comments

tanelpoder

7 hours ago

I found this article interesting (in fact, posted it earlier, but it didn't get traction then). I think some context is needed: When you operate at eBPF/kernel level you don't get easy direct access to the higher level goodies, like various container metadata (other than perhaps the cgroup id/name). So with eBPF you extract various numbers and IDs and then use userspace code+services to retrieve the meaningful (human-readable) context and strings using these IDs.

A plain Linux example would be that eBPF will only give you user/group IDs (uid/gid), not usernames, so you need to use post-processing in userspace code to convert these IDs into something meaningful.

forxtrot

4 hours ago

Thanks for giving the context.

debatem1

11 hours ago

None of these snippets appear to involve eBPF at all?

forxtrot

9 hours ago

Correct no eBPF-code is directly involved. As post explores eBPF-based tools for understanding user-space connection with container-runtime and enrichment of event once received from kernel-space.

desiderantes

9 hours ago

Hi, this is a nonsensical reply, as the sentence is lacking a few words to be complete. Are you using some kind of AI to answer? If so, which one?

forxtrot

8 hours ago

No A.I, just H.I (Human Intelligence) :).

yjftsjthsd-h

8 hours ago

> As post explores eBPF-based tool

What ebpf-based tool(s)? It looks like it's just sample code to open a socket to a CRI.

forxtrot

7 hours ago

The snippets are taken from cilium/tetragon, aquasecurity/tracee and crictl as mentioned in the post.

The post doesn't covers these projects in depth, instead act as a quick reference to the parts, where connection with CRI is being made and used for enrichment.

I understand there are more better ways to do the thing.

P.S: Post is a collection of my memories, when I was implementing the functionality. So just wanted to share, in hope that, maybe it will help others as well. Thanks !

user

19 hours ago

[deleted]