RFC: Revamp identification of TCP/UDP port bind and unbind events

[balajiv113]

Problem
Major problems with current approach are,

• Polling to find the open or closed ports using /proc/net/{tcp / udp / tcp6 / udp6}
• This model doesn't work for containers (As they might have iptable rules to bind things differently)

Possible Solution
1. Using eBPF program (Recommended)
In this approach we make use of eBPF program https://github.com/balajiv113/trackport written in go for identifying tcp and udp opening and closing.

Pros

• Easy to integrate and maintain as only minimal code is maintained in c and also has go interoperability
• Support all events tcp, udp, tcp6, udp6 open and close of ports

Cons

• Events are published still as asyn (eBPF write to a map and go prog reads from that map). But this will be lot faster compared to 2 sec polling
• Events used by us is not supported in all flavours of linux. Based on latest testing Alpine and Archlinux doesn't support the required events (https://github.com/balajiv113/lima/pull/3/checks)

2. Using go-libaudit
In this approach we make use of go-libaudit that we already use in guest agent to identify port opening and closing.

Pros

• Supported in all linux flavours

Cons

• Unable to identify port closing using syscalls (When program is force terminated).
• As we are reading from logs and based on syscall events, at times it can be slower

Creating this RFC mainly to brainstorm ideas as we don't have a single drop in replacement with either approach. But it nearly solves the problem

Some further ideas to explore are

• Trying with combination of eBPF and go-libaudit
• Analyse further why alpine doesn't support eBPF events
• Custom kernel extension (Mostly will try to avoid, as worst case we can explore it)

[Nino-K]

@balajiv113, we are using this component in Rancher Desktop. Why couldn't Lima adopt a similar approach since it doesn't require polling? As I mentioned, I’m prepared to make the necessary adjustments to the project to make it compatible with Lima.

[balajiv113]

@Nino-K The problem with that is, for each container system we need to implement it using their respective API.

This has lots of drawbacks like,

• Too many unwanted dependencies
• Maintainability
• If a newer system comes in, need to do implementation again

The proposal is to derive a generic solution across the board. This way we will never need to worry about any new container system.

doesn't require polling?

Here with polling what i menat is, bpf program polls the kerner ring buffer from userspace program. This is not done with some intervals its almost instantaneous

[AkihiroSuda]

Trying with combination of eBPF and go-libaudit

👍 I think this is the most realistic approach

Analyse further why alpine doesn't support eBPF events

👍

Custom kernel extension (Mostly will try to avoid, as worst case we can explore it)

👎
It is quite hard to maintain kernel modules for multiple distros.
This is also likely to affect stability.

[balajiv113]

Analyse further why alpine doesn't support eBPF events

Required option CONFIG_FUNCTION_TRACER not set
Required option CONFIG_DYNAMIC_FTRACE not set

These 2 options are missing in alpine due to which events are not published

[balajiv113]

Archlinux is missing the following

Required option CONFIG_BPF_EVENTS not set
Required option CONFIG_FTRACE_SYSCALLS not set
Required option CONFIG_FUNCTION_TRACER not set
Required option CONFIG_DYNAMIC_FTRACE not set
Required option CONFIG_KPROBE_EVENTS not set
Required option CONFIG_UPROBES not set
Required option CONFIG_UPROBE_EVENTS not set