lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Sep 2016 11:03:49 +0200 From: Thomas Graf <tgraf@...g.ch> To: Alexei Starovoitov <alexei.starovoitov@...il.com> Cc: Pablo Neira Ayuso <pablo@...filter.org>, Daniel Mack <daniel@...que.org>, htejun@...com, daniel@...earbox.net, ast@...com, davem@...emloft.net, kafai@...com, fw@...len.de, harald@...hat.com, netdev@...r.kernel.org, sargun@...gun.me, cgroups@...r.kernel.org Subject: Re: [PATCH v5 0/6] Add eBPF hooks for cgroups [Sorry for the repost, gmail decided to start sending HTML crap along overnight for some reason] On 09/13/16 at 09:42pm, Alexei Starovoitov wrote: > On Tue, Sep 13, 2016 at 07:24:08PM +0200, Pablo Neira Ayuso wrote: > > Then you have to explain me how can anyone else than systemd use this > > infrastructure? > > Jokes aside. I'm puzzled why systemd is even being mentioned here. > Here we use tupperware (our internal container management system) that > is heavily using cgroups and has nothing to do with systemd. Just confirming that we are planning to use this decoupled from systemd as well. I fail to see how this is at all systemd specific. > For us this cgroup+bpf is _not_ for filterting and _not_ for security. > We run a ton of tasks in cgroups that launch all sorts of > things on their own. We need to monitor what they do from networking > point of view. Therefore bpf programs need to monitor the traffic in > particular part of cgroup hierarchy. Not globally and no pass/drop decisions. +10, although filtering/drop is a valid use case, the really strong use case is definitely introspection at networking level. Statistics, monitoring, verification of application correctness, etc. I don't see why this is at all an either or discussion. If nft wants cgroups integration similar to this effort, I see no reason why that should stop this effort.
Powered by blists - more mailing lists