Cilium: API-aware Networking and Security
https://cilium.readthedocs.io/en/stable/
"Cilium is open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes."
"At the foundation of Cilium is a new Linux kernel technology called BPF, which enables the dynamic insertion of powerful security visibility and control logic within Linux itself. Because BPF runs inside the Linux kernel, Cilium security policies can be applied and updated without any changes to the application code or container configuration."https://cilium.readthedocs.io/en/stable/concepts/overview/#cilium-agent
"The Cilium agent (cilium-agent) runs on each Linux container host. At a high-level, the agent accepts configuration that describes service-level network security and visibility policies. It then listens to events in the container runtime to learn when containers are started or stopped, and it creates custom BPF programs which the Linux kernel uses to control all network access in / out of those containers."https://cilium.readthedocs.io/en/stable/concepts/overview/#cilium-cli-client
"Berkeley Packet Filter (BPF) is a Linux kernel bytecode interpreter originally introduced to filter network packets, e.g. tcpdump and socket filters. It has since been extended with additional data structures such as hashtable and arrays as well as additional actions to support packet mangling, forwarding, encapsulation, etc. An in-kernel verifier ensures that BPF programs are safe to run and a JIT compiler converts the bytecode to CPU architecture specific instructions for native execution efficiency. "
"Cilium leverages BPF to perform core datapath filtering, mangling, monitoring and redirection, and requires BPF capabilities that are in any Linux kernel version 4.8.0 or newer."http://docs.cilium.io/en/stable/architecture/#arch-guide
"This document describes the Cilium architecture. It focuses on documenting the BPF datapath hooks to implement the Cilium datapath, how the Cilium datapath integrates with the container orchestration layer, and the objects shared between the layers e.g. the BPF datapath and Cilium agent."
http://docs.cilium.io/en/stable/bpf/
"BPF is a highly flexible and efficient virtual machine-like construct in the Linux kernel allowing to execute bytecode at various hook points in a safe manner. It is used in a number of Linux kernel subsystems, most prominently networking, tracing and security (e.g. sandboxing)."
Additional BPF Background Reading:
- https://en.wikipedia.org/wiki/Berkeley_Packet_Filter
- https://www.kernel.org/doc/Documentation/networking/filter.txt
- https://opensource.com/article/17/9/intro-ebpf
- http://www.brendangregg.com/blog/2016-03-05/linux-bpf-superpowers.html
- "We've stopped calling it eBPF (extended Berkeley Packet Filter), and are now just calling it BPF"
- "BPF is the in-kernel bytecode machine that can be used for tracing, virtual networks, and more"
- " bcc tools, which is a Python front end for BPF"
- https://www.slideshare.net/brendangregg/linux-bpf-superpowers
- http://www.brendangregg.com/blog/2019-01-01/learn-ebpf-tracing.html
- http://www.brendangregg.com/bpf-performance-tools-book.html
- "This is the official site for the book BPF Performance Tools: Linux System and Application Observability, published by Addison Wesley (2019)"
- https://www.amazon.com/Performance-Tools-Addison-Wesley-Professional-Computing-dp-0136554822/dp/0136554822/
- https://twitter.com/ubuntu/status/1200066583021965312
- https://www.youtube.com/watch?v=7pmXdG8-7WU&feature=emb_logo
- "Extended BPF is a new software type and makes a fundamental change to the 50-year old kernel model" ~ Brendan Gregg
- https://kernel-recipes.org/en/2019/talks/bpf-at-facebook/
- https://prototype-kernel.readthedocs.io/en/latest/bpf/
- http://www.infosecwriters.com/text_resources/pdf/JStebelton_BPF.pdf
- https://docs.extrahop.com/7.8/bpf-syntax/
- https://biot.com/capstats/bpf.html
- https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.2/com.ibm.qradar.doc/c_forensics_bpf.html
- https://www.sciencedirect.com/topics/computer-science/berkeley-packet-filter
- https://www.netronome.com/blog/bpf-ebpf-xdp-and-bpfilter-what-are-these-things-and-what-do-they-mean-enterprise/
- https://github.com/iovisor/bcc
- BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
- https://sysdig.com/blog/the-art-of-writing-ebpf-programs-a-primer/
- https://github.com/draios/sysdig/tree/0.23.1/driver/bpf
- https://sysdig.com/
- Free O'Reilly Book: Linux Observability with BPF Advanced Programming for PerformanceAnalysis and Networking
