How GitHub uses eBPF to improve deployment safety
21 points by eduard
Can figure out eBPF but still can't figure out how to support IPv6.
Or be reliable or performant. The fact that it takes multiple seconds to navigate between the comments section or file diff in a PR is still insane to me.
I think all these can be done easier. Just run your deployment script in a new mount namespace (unshare --mount) and bind-mount new /etc/hosts inside that namespace. That /etc/hosts should map github.com to some other IP. Done :)
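The approach in the comment above, written out as an added example that is not part of the original thread or of GitHub's tooling: it builds an override hosts file and runs a command in a private mount namespace with that file bind-mounted over /etc/hosts. The function names, the `--run` switch, and the `BLOCKED_HOST` and `SINK_IP` variables are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): private /etc/hosts for one command.
# Function names, --run, BLOCKED_HOST and SINK_IP are illustrative assumptions.
set -u

BLOCKED_HOST="${BLOCKED_HOST:-github.com}"
SINK_IP="${SINK_IP:-192.0.2.1}"   # TEST-NET-1 (RFC 5737), not routable

# Copy hosts file $1 to $2, dropping every entry that names host $3
# (given in lowercase), then append a single "$4 $3" mapping.
make_hosts_override() {
    src=$1; dst=$2; host=$3; ip=$4
    awk -v h="$host" '
        /^[ \t]*#/ || NF == 0 { print; next }   # keep comments and blank lines
        { for (i = 2; i <= NF; i++) if (tolower($i) == h) next; print }
    ' "$src" > "$dst"
    printf '%s %s\n' "$ip" "$host" >> "$dst"
}

# Run "$@" in a new mount namespace where /etc/hosts is the override file.
# The bind mount is private to that namespace; the host file is untouched.
# Needs root (or unshare --map-root-user where user namespaces are allowed).
run_with_hosts() {
    override=$1; shift
    unshare --mount sh -c 'mount --bind "$0" /etc/hosts && exec "$@"' \
        "$override" "$@"
}

# Usage (as root): ./isolate.sh --run ./deploy.sh   (both names are placeholders)
if [ "${1:-}" = "--run" ]; then
    shift
    override_file=$(mktemp)
    make_hosts_override /etc/hosts "$override_file" "$BLOCKED_HOST" "$SINK_IP"
    chmod 644 "$override_file"    # readable by non-root processes in the namespace
    run_with_hosts "$override_file" "$@"
fi
```

This only affects name lookups that consult /etc/hosts; a process that connects by IP address or queries DNS itself is not redirected, and a process holding CAP_SYS_ADMIN inside the namespace can unmount the override.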
If you have an appetite for Lisp, you can implement their example in about a third of the code, in one language using whistler (https://github.com/atgreen/whistler). Just load it into SBCL and you are done:
    (require :asdf)
    (asdf:load-system "whistler/loader")
    (use-package :whistler/loader)

    (with-bpf-session ()
      ;; -- kernel side ----
      (bpf:map pkt-count :type :array :key-size 4 :value-size 8 :max-entries 1)
      (bpf:prog count-egress
          (:type :cgroup-skb :section "cgroup_skb/egress" :license "GPL")
        (incf (getmap pkt-count 0))
        1)
      ;; -- userspace side ----
      (bpf:attach count-egress "/sys/fs/cgroup")
      (format t "Counting egress packets on /sys/fs/cgroup...~%")
      (loop repeat 10
            do (sleep 1)
               (format t " packets: ~d~%" (or (bpf:map-ref pkt-count 0) 0))))