Hacker News

forxtrot
eBPF: Connecting with Container Runtimes h0x0er.github.io

tanelpoder 4 hours ago

I found this article interesting (in fact, posted it earlier, but it didn't get traction then). I think some context is needed: When you operate at eBPF/kernel level you don't get easy direct access to the higher level goodies, like various container metadata (other than perhaps the cgroup id/name). So with eBPF you extract various numbers and IDs and then use userspace code+services to retrieve the meaningful (human-readable) context and strings using these IDs.

A plain Linux example would be that eBPF will only give you user/group IDs (uid/gid), not usernames, so you need to use post-processing in userspace code to convert these IDs into something meaningful.
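The post-processing step described in the comment above, as an added example that is not part of the thread or of any project mentioned in it. The `Event` struct, `samplePasswd` data and function names are hypothetical. The lookup falls back to the raw ID because a uid reported for a container process may have no entry in the host's passwd file.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type Event struct { // hypothetical kernel-side record: numeric IDs only, no names
	PID, UID uint32
	Comm     string
}

// Constructed sample in /etc/passwd format (name:passwd:uid:gid:gecos:home:shell).
const samplePasswd = `root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
broken-line-without-fields
alice:x:1000:1000:Alice:/home/alice:/bin/bash`

// ParsePasswd builds the uid -> username map that userspace uses for enrichment.
func ParsePasswd(data string) map[uint32]string {
	names := make(map[uint32]string)
	for _, line := range strings.Split(data, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 3 {
			continue // blank, comment or malformed line
		}
		uid, err := strconv.ParseUint(f[2], 10, 32)
		if _, seen := names[uint32(uid)]; err == nil && !seen { // first entry wins
			names[uint32(uid)] = f[0]
		}
	}
	return names
}

// Enrich renders an event with a username, keeping the raw uid when no name is known.
func Enrich(ev Event, names map[uint32]string) string {
	user, ok := names[ev.UID]
	if !ok {
		user = "uid:" + strconv.FormatUint(uint64(ev.UID), 10)
	}
	return fmt.Sprintf("pid=%d comm=%s user=%s", ev.PID, ev.Comm, user)
}

func main() {
	names := ParsePasswd(samplePasswd)
	for _, ev := range []Event{{101, 0, "sshd"}, {202, 33, "nginx"}, {303, 4242, "app"}} {
		fmt.Println(Enrich(ev, names))
	}
}
```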

forxtrot op 8 minutes ago

Thanks for giving the context.

debatem1 8 hours ago

None of these snippets appear to involve eBPF at all?

forxtrot op 5 hours ago

Correct no eBPF-code is directly involved. As post explores eBPF-based tools for understanding user-space connection with container-runtime and enrichment of event once received from kernel-space.

desiderantes 5 hours ago

Hi, this is a nonsensical reply, as the sentence is lacking a few words to be complete. Are you using some kind of AI to answer? If so, which one?

forxtrot op 5 hours ago

No A.I, just H.I (Human Intelligence) :).

yjftsjthsd-h 4 hours ago

> As post explores eBPF-based tool

What ebpf-based tool(s)? It looks like it's just sample code to open a socket to a CRI.

forxtrot op 4 hours ago

The snippets are taken from cilium/tetragon, aquasecurity/tracee and crictl as mentioned in the post.

The post doesn't cover these projects in depth; instead it acts as a quick reference to the parts where the connection with the CRI is being made and used for enrichment.

I understand there are better ways to do the thing.

P.S.: The post is a collection of my memories from when I was implementing the functionality. So I just wanted to share, in the hope that maybe it will help others as well. Thanks!

[deleted] 15 hours ago
