BPF probe compile once run everywhere with BTF #186
Comments
|
/assign @fntlnz #dibs |
|
/assign @leodido |
|
For porting falco on ppc64le ,we are facing issues while using containers of docker files having older OS kernel version and gcc-6/5 dependent packages. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
Fundamentally, to offer an eBPF agent to a system/kernel you do not yourself control, I would imagine you inevitably have to solve this problem to drive eBPF adoption. I started down this path as well after an analysis of BCC optimizations, bravo and consider this an upvote. |
|
Thanks @jnach - I'd also love some help here in case you are up to! |
|
Interested... |
|
Also doing containerized builds to minimize the host dependencies - doesn't matter with eBPF, you can try an init container to make sure kernel-devel packages are there (which tends to break on update) or you can crack the code on CORE. The second one is particularly scalable. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. Issues labeled "cncf", "roadmap" and "help wanted" will not be automatically closed. Please refer to a maintainer to get such label added if you think this should be kept open. |
|
I'm working on it. |
|
Someday I might have enough free time to help lift, unfortunately the invisible hand says otherwise at the moment. |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh with Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle rotten |
|
Rotten issues close after 30d of inactivity. Reopen the issue with Mark the issue as fresh with Provide feedback via https://github.com/falcosecurity/community. |
|
@poiana: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen We still want this :) |
|
@leogr: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
If i understand correctly, we "only" need to port libscap to libbpf; libbpf right now supports CO-RE, but it mandates a kernel with BTF type information and clang/llvm 10+ (build only dep). Here is a nice demo app that uses libbpf and CO-RE: https://github.com/libbpf/libbpf-bootstrap#bootstrap |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale @fntlnz Would we like to move this proposal to libs? |
|
The business need is and I think always will be a moving target here, libs or not. You can: |
|
Hi all 🖖 I wrote down some ideas about a new BPF probe. If you are interested, you can take a look here 👀 |
|
We are using the software in depth.We believe that using kernel modules to adapt to lower versions of the kernel is still just needed, but libbpf is a trend. Do you have any plans to replace libbpf. |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
/remove-lifecycle stale |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
|
@FedeDP @Andreagit97 do we have another issue for tracking this? |
|
We had this one #513 to track the syscall support of the modern BPF probe, and now we have this PR falcosecurity/falco#2282 in Falco, that I will enrich with some info when we will be ready to release modern bpf packages |
|
Closing in favor of #513 /close |
|
@leogr: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
This will likely become a proposal if it receives a good feedback here (like doing a 👍 counts as feedback )
What would you like to be added:
Adapt and compile our eBPF probe loader code to the BPF type format (BTF) - links below.
Why is this needed:
Some considerations first
One of the main barriers that new and old users encounter when trying to adopt falco is building either the kernel module or the BPF probe. To mitigate this we’ve been working on two main efforts over time:
Despite this, many users still struggle and in my opinion the experience in that area has a lot of room of improvement.
Moreover, in new-ish environments (recent kernel 4 and 5) using eBPF is becoming more and more common and honestly I expect that to become the default for Falco at some point. This also makes sense from a privileges point of view where we will only need capabilities for the
bpfsyscall .Summary of Problems with our current approach
/lib/modules)The actual idea
After all these considerations I think that we need to adapt our current programs to take advantage of BTF (links below) in order to be able to compile once and run everywhere.
Read more about BTF here: https://www.kernel.org/doc/html/latest/bpf/btf.html and here https://facebookmicrosites.github.io/bpf/blog/2018/11/14/btf-enhancement.html
Next steps
After gathering some initial feedback here with this message I’ll open a formal proposal with an action plan
The text was updated successfully, but these errors were encountered: