为了方便表述, 这里简化了很多细节, 比如 CNI 命令行接口的详细参数和 Kubernetes 网络模型的准确翻译等, 主要是为了让大家能把握脉络.
CNI, 本质上就是一个命令行工具, 要实现这样的命令行接口:
zc-cni [add|del] $CONTAINER_ID $NETNS_PATH
我在大部分时候都不喜欢 xargs, 因为不能比较方便地执行稍微复杂一点点的脚本, 比如经常干的一件事是遍历容器找 veth:
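# Walk every process whose command line matches "init" (one per container),
# expose its network namespace to `ip netns` through a temporary symlink,
# and print the interface line whose index matches $IDX (set beforehand).
# `/[i]nit/` stops awk from matching its own command line in the ps output;
# the plain `/init/` pattern yields awk's PID, which has already exited by
# the time the loop body runs, so `ip netns exec` would fail on it.
for p in $(ps -ef | awk '/[i]nit/ {print $2}'); do
    # Only proceed if we created the link, so a pre-existing netns entry
    # with the same name is never removed by the cleanup below.
    ln -s "/proc/$p/ns/net" "/var/run/netns/$p" || continue
    echo "$p"
    ip netns exec "$p" ip l | grep "^$IDX"
    rm "/var/run/netns/$p"
done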
这种循环如果用 xargs 来写, 只能写成:
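# xargs form of the same loop. `/[i]nit/` keeps awk from matching its own
# command line in the ps output (see the for-loop version). Note that the
# body runs in a child `bash -c`, so $IDX is expanded there, not by the
# calling shell: IDX must be exported (`export IDX`) for the grep to work.
# The `|| exit` mirrors the loop's `continue`: never rm a link we did not create.
ps -ef | awk '/[i]nit/ {print $2}' | xargs -I{} bash -c 'ln -s "/proc/$0/ns/net" "/var/run/netns/$0" || exit; echo "$0"; ip netns exec "$0" ip l | grep "^$IDX"; rm "/var/run/netns/$0"' {}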
| execve("/usr/bin/bpftrace", ["bpftrace", "--unsafe", "-e", "u:/home/gray/Documents/src/tmp/hello/hello:0x0000000000498e00 {printf(\"called\\n\")}"], 0x7ffcdd66af00 /* 28 vars */) = 0 <0.000208> | |
| brk(NULL) = 0x561199fb4000 <0.000043> | |
| arch_prctl(0x3001 /* ARCH_??? */, 0x7ffcdd3c7be0) = -1 EINVAL (Invalid argument) <0.000048> | |
| access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) <0.000050> | |
| openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3 <0.000051> | |
| fstat(3, {st_mode=S_IFREG|0644, st_size=78472, ...}) = 0 <0.000007> | |
| mmap(NULL, 78472, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f5802356000 <0.000009> | |
| close(3) = 0 <0.000007> | |
| openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3 <0.000010> | |
| read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\300\363\0\0\0\0\0\0@\0\0\0\0\0\0\0\310\334\24\0\0\0\0\0\0\0\0\0@\08\0\v\0@\0!\0 \0\1\0\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0x\344\0\0\0\0\0\0x\ |
demo of scapy blocking on parsing BGP pcap
| // +build OMIT | |
| package main | |
| import ( | |
| "crypto/md5" | |
| "errors" | |
| "fmt" | |
| "io/ioutil" | |
| "os" |
my defense materials
#!/bin/bpftrace
// Kernel headers providing struct skbuff / struct iphdr definitions.
// Nothing in the BEGIN block below references them; presumably probes
// later in the full script dereference skb/iphdr fields -- confirm
// against the complete file before removing them.
#include <linux/skbuff.h>
#include <linux/ip.h>

// Runs once when bpftrace starts, before any other probe fires.
BEGIN
{
    printf("follow the white rabbit\n");
}
| import os | |
| import sys | |
| import copy | |
| import time | |
| import syscall | |
| import subprocess | |
| def inject_syscall( | |
| pid: int, |