How GitHub uses eBPF to improve deployment safety

21 points by eduard

nemith

Can figure out eBPF but still can't figure out how to support IPv6.

zipy124

Or be reliable or performant. The fact that it takes multiple seconds to navigate between the comments seciont or file diff in a PR is still insane to me.

safinaskar

I think all these can be done easier. Just run your deployment script in a new mount namespace (unshare --mount) and bind-mount new /etc/hosts inside that namespace. That /etc/hosts should map github.com to some other IP. Done :)

JulianWgs

Clever, but you wouldn‘t get the command which contacted the domain
- eduard
  
  Yes, I guess the auditing wouldn’t be as good as with the eBPF implementation.

atgreen

If you have an appetite for lisp, you can implement their example in about a 3rd of the code, in one language using whistler (https://github.com/atgreen/whistler). Just load it into sbcl and you are done:

(require :asdf)
(asdf:load-system "whistler/loader")
(use-package  :whistler/loader)

(with-bpf-session ()
  ;; -- kernel side ----
  (bpf:map pkt-count :type :array :key-size 4 :value-size 8 :max-entries 1)
  (bpf:prog count-egress
      (:type :cgroup-skb :section "cgroup_skb/egress" :license "GPL")
    (incf (getmap pkt-count 0))
    1)
  ;; -- userspace side ----
  (bpf:attach count-egress "/sys/fs/cgroup")
  (format t "Counting egress packets on /syste/fs/cgroup...~%")
  (loop repeat 10
        do (sleep 1)
           (format t "  packets: ~d~%" (or (bpf:map-ref pkt-count 0) 0))))