eBPF in Ubuntu Core

Hi there,

Just bringing up a topic here to see if there is any plan to support eBPF in Ubuntu Core, or whether someone has run eBPF code in UC20?


pc-kernel has CONFIG_BPF_JIT=y, so the kernel supports eBPF.

Can you be more specific about how you want to use eBPF on Ubuntu Core? Do you want to ship an eBPF program from your snap and load it into the kernel to be executed?

Yeah, exactly. I also tried to run bpftrace code, but it failed on missing Python libraries: https://github.com/iovisor/bpftrace. I'm also wondering if there is a way to install Python libraries with pip commands more conveniently.

Just use the snapcraft python plugin; it wraps pip when building your snap…


Well, in terms of allowing snaps to load eBPF programs into the kernel, that would require an audit of the capabilities of eBPF programs, and I'm going to go out on a limb and guess that most useful eBPF programs are difficult to confine from a userspace perspective like we do for snap services/apps. If there was a very specific use-case, perhaps we could add a bpf-control interface, but it would have to be super-privileged like the kernel-module-control interface and only granted when there was absolutely no other choice than to grant it for a time sensitive snap.

It seems eBPF programs will be different from the kernel-module-control interface (LKM). I just threw out some ideas, since it seems to me that eBPF code may work around the snapd security audit and hit the kernel directly, with the default kernel parameter CONFIG_BPF_JIT=y enabled.

I think I was wrong; the kernel-module-control interface seems to be required:

# bcc.opensnoop
sh: 1: modprobe: Permission denied
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) or installing the kernel development package for your running kernel version.
chdir(/lib/modules/5.4.0-81-generic/build): No such file or directory
Traceback (most recent call last):
  File "/snap/bcc/153/usr/share/bcc/tools/opensnoop", line 258, in <module>
    b = BPF(text='')
  File "/snap/bcc/153/usr/lib/python3/dist-packages/bcc/__init__.py", line 364, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>
# snap connect bcc:kernel-module-control
error: snap "bcc" has no plug named "kernel-module-control"

The docker command from https://github.com/iovisor/bcc/issues/3018 works. I will test the bcc commands. :)