On Thu, 26 Mar 2020 10:04:53 +0000 Lorenz Bauer wrote: > On Thu, 26 Mar 2020 at 00:16, Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> wrote: > > Those same folks have similar concern with XDP. In the world where > > container management installs "root" XDP program which other user > > applications can plug into (libxdp use case, right?), it's crucial to > > ensure that this root XDP program is not accidentally overwritten by > > some well-meaning, but not overly cautious developer experimenting in > > his own container with XDP programs. This is where bpf_link ownership > > plays a huge role. Tupperware agent (FB's container management agent) > > would install root XDP program and will hold onto this bpf_link > > without sharing it with other applications. That will guarantee that > > the system will be stable and can't be compromised. > > Thanks for the extensive explanation Andrii. > > This is what I imagine you're referring to: Tupperware creates a new network > namespace ns1 and a veth0<>veth1 pair, moves one of the veth devices > (let's says veth1) into ns1 and runs an application in ns1. On which veth > would the XDP program go? > > The way I understand it, veth1 would have XDP, and the application in ns1 would > be prevented from attaching a new program? Maybe you can elaborate on this > a little. Nope, there is no veths involved. Tupperware mediates the requests from containers to install programs on the physical interface for heavy-duty network processing like DDoS protection for the entire machine.
