Awesome paper about Linux offensive/defensive eBPF internals. Make no mistake, the future of advanced Linux attacks, container escapes and rootkits is eBPF. Importantly, all Linux EDRs are also based on eBPF ^^ double-edged sword as I mentioned in the past usenix.org/system/files/u…

vger.kernel.org/bpfconf2023_ma… from Daniel Borkmann.

The BPF-programmable network device

🌐 Containers and virtual machines on Linux use virtual network devices to communicate, which involves the full power and overhead of the Linux networking stack.
📡 When data is sent over the…

Explaining 8 Popular Network Protocols in 1 Diagram. The method to download the high-resolution PDF is available at the end.

Network protocols are standard methods of transferring data between two computers in a network.

1. HTTP (HyperText Transfer Protocol)
HTTP is a protocol…

Last week I had an opportunity to give an online lecture about containers to students at Kyoto University.

medium.com/nttlabs/the-in…

Thank you to Daisuke Kotani sensei for inviting me.

An excellent diagram showing what a low-level (OCI) container runtime actually does under the hood.

Long story short, it

- configures namespaces, cgroups, capabilities
- changes root mount
- execs the container entrypoint

(credit goes to github.com/containers/you… authors)

Awesome Andrew Kutz 👍

To post-pandemic engineering managers: be hands on, understand the tech, be with engineers for important conversations and moments, support and praise them at moment, don't simply ask for status all the time.

Got CKS before CKA expiration

Last year, we implemented many changes to Tanzu Kubernetes Grid Integrated edition to help our customers keep up with evolving Kubernetes advancements.

Check out the updates here: bit.ly/34sSxo8

Since Kubernetes just removed dockershim, here is a kind reminder of why it shouldn't be a big deal for most of us.

Kubernetes Container Runtime Interface abstracts the container runtime from kubelet via a runtime-agnostic gRPC API, while dockershim was, well, Docker-aware 🙃

Kubernetes CPU resource requests at runtime

More john-tucker.medium.com/kubernetes-cpu…

[New blog post] There is plenty of room at the bottom
muratbuffalo.blogspot.com/2021/08/there-…
Be mindful of what is swept under the rug: don't abstract away the features that are important to the implementation. What is not a concern at high level can be a feature that makes or breaks the system

Clarification as this is gotten wrong so often (thread):

1. APIs go away in 1.22, existing objects created with old APIs are not, but can only be accessed (read, listed, modified!, deleted) with the v1 API.

A great overview why autoscaling alone is not sufficient for maintaining SLOs and responsive UX

Cilium 1.10 has been released! 🎉🎉🎉

Wireguard Support, ServiceIP BGP Announcements, Static Egress IP Gateway, New Cilium CLI, XDP Load Balancer with PCAP recorder, Alibaba Cloud Integration, Performance improvements, and much more...

cilium.io/blog/2021/05/2…

I needed a little refresher on X.509 for TLS because I keep forgetting what all these technical terms mean, e.g. CNs, issuer, subject, self-signed certs, key, pem, DER, to name a few 😀

This is the best read IMHO 👇 darutk.medium.com/illustrated-x-…

My summary of the BMC paper: a transparent, first-level cache for Memcached built with #eBPF and XDP, by Yoann Ghigoff et al.

Blog post: pchaigno.github.io/ebpf/2021/04/1…
Paper: usenix.org/system/files/n…

GDB got basic support for #eBPF , try it with:

$ git clone git://sourceware.org/git/binutils-gdb.git
$ cd binutils-gdb
$ ./configure bpf
$ make
$ ./gdb/gdb <sample_ret0.o>
(gdb) target sim
(gdb) sim memory-size 4Mb
(gdb) load
(gdb) run

W/ a WIP verifier? sourceware.org/git/?p=binutil…

Today, the awesome Liz Rice 🐝 is joining us at Isovalent. What a day for the Cilium community and eBPF.

thenewstack.io/liz-rice-follo…