eBPF in Ubuntu Core

snowsky · August 24, 2021, 2:52pm

Hi there,

Just bring up a topic here to see if there is any plan to support eBPF in Ubuntu Core or has someone run eBPF codes in UC20?

Thanks,

snowsky · August 24, 2021, 2:59pm

pc-kernel got CONFIG_BPF_JIT=y so the kernel supports eBPF.

ijohnson · August 24, 2021, 3:23pm

Can you be more specific about how you want to use eBPF on Ubuntu Core? Do you want to ship an eBPF program from your snap and load it into the kernel to be executed?

snowsky · August 24, 2021, 4:19pm

Yeah, exactly, and also tried to run bpftrace codes but it failed at missing python libraries, https://github.com/iovisor/bpftrace. Also thinking if there is a way to install python libraries with pip commands more conveniently.

ogra · August 24, 2021, 5:04pm

just use the snapcraft python plugin, it wraps pip when building your snap …

ijohnson · August 25, 2021, 1:39am

Well in terms of allowing snaps to load eBPF programs into the kernel that would require an audit of the capabilities of eBPF programs, and I’m going to go out on a limb and guess that most useful eBPF programs are difficult to confine from a userspace perspective like we do for snap services/apps. If there was a very specific use-case, perhaps we could add a bpf-control interface, but it would have to be super-privileged like the kernel-module-control interface and only granted when there was absolutely no other choice than to grant it for a time sensitive snap.

snowsky · August 25, 2021, 12:59pm

seems eBPF programs will be different than the kernel-module-control interface (LKM). Just threw out some ideas since it seems to me that eBPF codes may work around the snapd security audit directly hits the kernel with the default kernel parameter CONFIG_BPF_JIT=y enabled.

snowsky · August 25, 2021, 1:42pm

I think I was wrong, kernel-module-control interface seems to be required:

# bcc.opensnoop
sh: 1: modprobe: Permission denied
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) or installing the kernel development package for your running kernel version.
chdir(/lib/modules/5.4.0-81-generic/build): No such file or directory
Traceback (most recent call last):
  File "/snap/bcc/153/usr/share/bcc/tools/opensnoop", line 258, in <module>
    b = BPF(text='')
  File "/snap/bcc/153/usr/lib/python3/dist-packages/bcc/__init__.py", line 364, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>

snowsky · August 25, 2021, 1:44pm

# snap connect bcc:kernel-module-control
error: snap "bcc" has no plug named "kernel-module-control"

snowsky · August 25, 2021, 2:13pm

The docker command works from https://github.com/iovisor/bcc/issues/3018. Will test bcc commands.