On Thu, Mar 26, 2020 at 3:05 AM Lorenz Bauer <lmb@xxxxxxxxxxxxxx> wrote: > > On Thu, 26 Mar 2020 at 00:16, Andrii Nakryiko <andrii.nakryiko@xxxxxxxxx> wrote: > > > [...] > > > > Those same folks have similar concern with XDP. In the world where > > container management installs "root" XDP program which other user > > applications can plug into (libxdp use case, right?), it's crucial to > > ensure that this root XDP program is not accidentally overwritten by > > some well-meaning, but not overly cautious developer experimenting in > > his own container with XDP programs. This is where bpf_link ownership > > plays a huge role. Tupperware agent (FB's container management agent) > > would install root XDP program and will hold onto this bpf_link > > without sharing it with other applications. That will guarantee that > > the system will be stable and can't be compromised. > > Thanks for the extensive explanation Andrii. > > This is what I imagine you're referring to: Tupperware creates a new network > namespace ns1 and a veth0<>veth1 pair, moves one of the veth devices > (let's says veth1) into ns1 and runs an application in ns1. On which veth > would the XDP program go? > > The way I understand it, veth1 would have XDP, and the application in ns1 would > be prevented from attaching a new program? Maybe you can elaborate on this > a little. > I'll people with first hand knowledge elaborate, if they are willing to share. > Lorenz > > -- > Lorenz Bauer | Systems Engineer > 6th Floor, County Hall/The Riverside Building, SE1 7PB, UK > > www.cloudflare.com
