Network communication of containers (currently Docker only) is controlled using eBPF.
This system has several known problems and is not recommended for use in a production environment.
- Since this system uses kprobes, even a small difference in the kernel may cause it to stop working.
- The BPF program is attached to every interface whose name starts with veth, so it may also control the communication of non-Docker containers that use veth pairs.
- The tc command is invoked with exec.Command, which takes the veth name as an argument. I'm assuming it's not a problem since shell pipes can't be used with exec.Command, but I'm not sure.
- Since a BPF map is used to store process information, control may no longer be possible once the capacity of the map is exceeded.
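The two veth-related caveats above (interfaces matched only by the `veth` prefix, and the interface name handed to tc through exec.Command) can be checked with a small Go program. The following is an added example, not code from the furui project: it parses the one-line output of `ip -o link show` to list veth interfaces together with the bridge they are enslaved to (Docker's default bridge is `docker0`; the LXC line in the constructed sample shows a veth that is not Docker's), validates the name against a strict allow-list before it reaches tc, and builds the tc invocation without running it so that the argument vector can be inspected. The regexp, the `VethLink` type and the function names are assumptions of this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// VethLink is one veth interface found in `ip -o link show` output.
type VethLink struct {
	Name   string // interface name, e.g. veth3a2b1c
	Master string // bridge the interface is enslaved to, "" if none
}

// Linux interface names are at most 15 bytes (IFNAMSIZ-1). The stricter
// allow-list used here (veth prefix plus alphanumerics, '-' and '_') is an
// assumption of this example, not a rule enforced by the kernel.
var vethNameRe = regexp.MustCompile(`^veth[A-Za-z0-9_-]{1,11}$`)

// IsSafeVethName reports whether name is a plausible veth interface name
// that may be passed to an external command as an argument.
func IsSafeVethName(name string) bool {
	return vethNameRe.MatchString(name)
}

// VethLinksFromOutput extracts veth interfaces from `ip -o link show`
// output. Each line looks like:
//   "7: veth3a2b1c@if6: <BROADCAST,...> mtu 1500 ... master docker0 state UP"
func VethLinksFromOutput(out string) []VethLink {
	var links []VethLink
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		// Second field is "name@peer:" or "name:"; drop "@peer" and ":".
		name := strings.TrimSuffix(fields[1], ":")
		if at := strings.Index(name, "@"); at >= 0 {
			name = name[:at]
		}
		if !strings.HasPrefix(name, "veth") {
			continue
		}
		link := VethLink{Name: name}
		for i, f := range fields {
			if f == "master" && i+1 < len(fields) {
				link.Master = fields[i+1]
			}
		}
		links = append(links, link)
	}
	return links
}

// TcAttachCommand builds, but does not run, the tc invocation that would
// attach a clsact qdisc to iface. exec.Command passes each argument
// directly to execve, so no shell ever interprets the name; validating it
// first is still defence in depth against unexpected interface names.
func TcAttachCommand(iface string) (*exec.Cmd, error) {
	if !IsSafeVethName(iface) {
		return nil, fmt.Errorf("refusing to use interface name %q", iface)
	}
	return exec.Command("tc", "qdisc", "add", "dev", iface, "clsact"), nil
}

func main() {
	// Constructed sample output; not captured from a real host.
	sample := `1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
7: veth3a2b1c@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP
9: vethlxc0@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master lxcbr0 state UP
`
	for _, l := range VethLinksFromOutput(sample) {
		cmd, err := TcAttachCommand(l.Name)
		if err != nil {
			fmt.Println(err)
			continue
		}
		fmt.Printf("%s (master %q): %s\n", l.Name, l.Master, strings.Join(cmd.Args, " "))
	}
	if _, err := TcAttachCommand("veth0; rm -rf /"); err != nil {
		fmt.Println(err) // rejected before any command is built
	}
}
```

On a real host, replace the constructed sample with the output of `ip -o link show type veth`; the `Master` field lets a deployment restrict attachment to interfaces enslaved to Docker's bridges instead of every `veth*` name.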
Tested environment
- OS: VERSION="20.04.3 LTS (Focal Fossa)"
- kernel version: 5.10.0-051000-generic
- bcc (commit hash: 220c6dc6bb62c79d5eff49efa5c98e786bf62d4a)
- Docker: Docker version 20.10.9, build c2ea9bc
How to use
To start it, you need to place a policy.yml, which describes which communication is allowed, in the directory where the command is executed.
For the format of policy.yml, please refer to the examples.
How to run
You can get the binary from Releases or compile it from the source code.
Then run the command below.
sudo -E ./furui
If you also want to display debug information:
sudo -E ENV=debug ./furui