kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0
1.34k stars 333 forks

BTF and CORE Support #789

Open daemon1024 opened 2 years ago

daemon1024 commented 2 years ago

Feature Request

We migrated away from BCC and now we are leveraging libbpf for our eBPF programs. But we depend on kernel headers to leverage various kernel structures in our programs. Our BPF System monitor is not portable and we leverage an init container to compile our BPF Monitor at runtime.

Kernels where BTF (BPF Type Format) is available allow us to Compile Once and Run Anywhere (CO-RE). More about it at https://nakryiko.com/posts/bpf-portability-and-co-re/

But the restriction here is that BTF information needs to be available, which is in general added after 5.2 Kernel Version.

We have CO-RE programs as part of the BPF LSM enforcer, but those programs anyway run only on kernels >5.8 and BTF information is a prerequisite for BPF LSM, so it's fine there. But our eBPF Monitor needs to be supported on older kernel versions.

Is your feature request related to a problem? Please describe the use case.

With the introduction of CORE Support, we can remove the dependency on Kernel Headers and the requirement to compile at runtime.

Describe the solution you'd like

Describe alternatives you've considered

Support both the approaches like Tracee does.
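The dual-path selection this request describes (CO-RE where kernel BTF exists, runtime compilation otherwise), as an added example that is not part of the original issue or KubeArmor's code. The function names, mode labels and release strings are assumptions made for illustration; `/sys/kernel/btf/vmlinux` is where a BTF-enabled kernel exposes its type information.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Mode labels are hypothetical names for this example, not KubeArmor identifiers.
const (
	ModeCORE    = "co-re"           // load the prebuilt, relocatable object
	ModeCompile = "runtime-compile" // build against kernel headers (init container)
)

// hasKernelBTF reports whether the kernel exposes its own BTF under sysfs.
// root is "/" on a real host; it is a parameter so the check can be tested.
func hasKernelBTF(root string) bool {
	st, err := os.Stat(filepath.Join(root, "sys/kernel/btf/vmlinux"))
	return err == nil && !st.IsDir()
}

// parseRelease extracts major.minor from a `uname -r` style string such as
// "5.15.0-1031-aws" or "4.18.0-372.el8.x86_64" (constructed samples).
func parseRelease(rel string) (major, minor int, err error) {
	if _, err = fmt.Sscanf(rel, "%d.%d", &major, &minor); err != nil {
		return 0, 0, fmt.Errorf("unrecognized kernel release %q: %w", rel, err)
	}
	return major, minor, nil
}

// chooseMonitorMode keys the decision on BTF presence; the release string only
// explains a fallback. 5.2 is the version the issue names for BTF.
func chooseMonitorMode(root, release string) (mode, reason string, err error) {
	if hasKernelBTF(root) {
		return ModeCORE, "kernel BTF present", nil
	}
	major, minor, err := parseRelease(release)
	if err != nil {
		return "", "", err
	}
	if major < 5 || (major == 5 && minor < 2) {
		return ModeCompile, "release older than 5.2", nil
	}
	return ModeCompile, "kernel built without BTF", nil
}

func main() {
	mode, reason, err := chooseMonitorMode("/", "5.15.0-1031-aws") // constructed release
	fmt.Println(mode, reason, err)
}
```

Checking the sysfs file rather than the version number alone keeps the CO-RE path available on kernels that ship BTF under an older release number, and keeps the fallback for newer kernels built without it.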

sahilsarawagi commented 2 years ago

Hey @daemon1024, came to know about this project from the CNCF repository. I am really interested in working on this project. Would you please guide me on how I can start contributing to this project?

daemon1024 commented 2 years ago

Hey @sahilsarawagi, Thanks for the interest.

I would suggest going through CONTRIBUTING.md for ways to get involved and experiment with KubeArmor meanwhile. If you have any specific queries, feel free to shoot 'em on the KubeArmor Slack.

anonymousr007 commented 2 years ago

Hello Sir,

I am Rishabh, an undergraduate computer engineering student at Delhi Technological University. I am interested in this project of Mentorship of LFX. Can you please share further information? How can we be selected for mentorship and also contribute to this project?

Skills: C, C++, Python, Golang (Intermediate) DevOps: Linux, Computer Networks, Yaml, Kubernetes (Basics), Docker (Basics).

Thanks & Regards Rishabh

MayankMittal1 commented 2 years ago

Hey, I'm Mayank, CSE undergrad from IIT Roorkee, India. I came across this project and would love to work on it as a mentee in the LFX fall term. Please help me get started by pointing out some good issue I could take up before this. Thanks!

daemon1024 commented 2 years ago

Hey @anonymousr007 and @MayankMittal1, Glad to see y'all interested in working on this. As I mentioned in the earlier comment, I would suggest going through CONTRIBUTING.md for ways to get involved.

Please make sure to apply for this project on the LFX Mentorship portal with your application. We will make our decisions based on your applications.

AllMight2099 commented 1 year ago

/assign