Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Enable userspace verifier by default #329

Open
yunwei37 opened this issue Aug 14, 2024 · 5 comments
Open

[FEATURE] Enable userspace verifier by default #329

yunwei37 opened this issue Aug 14, 2024 · 5 comments
Labels
enhancement New feature or request

Comments

@yunwei37
Copy link
Member

Is your feature request related to a problem? Please describe.

The PREVAIL should be enable by default, and:

  • Add runtime option to bypass the userspace verifier
  • Add prompt to let user using kernel verifier when the userspace verifer is not pass

Describe the solution you'd like
@yunwei37 yunwei37 added the enhancement New feature or request label Aug 14, 2024
@Officeyutong
Copy link
Contributor

Officeyutong commented Aug 14, 2024
edited
Loading

Note that ebpf-verifier lacks a lot of features, enabling it may cause a lot of confusion

@yunwei37
Copy link
Member Author

Yes. So when there is error occur in userspace verifier, we should treat it as a warning.

If the error is due to unsupport features, there should be a warning and default operation is just continue, and tell user how to use kernel verifier if they want.
If the error sounds like a realy bug, it should block it but also tell user how to bypass it or use the kernel verifier.

We maybe can have 3 mode:

  • BPFTIME_VERIFY_STRICT: all verifier wanring are errors, you should pass either kernel or userspace verifier.
  • BPFTIME_VERIFY_WARNING: userspace verifier are warning, kernel verifier are error.
  • BPFTIME_NO_VERIFY: no verify.

@Officeyutong
Copy link
Contributor

Yes. So when there is error occur in userspace verifier, we should treat it as a warning.

If the error is due to unsupport features, there should be a warning and default operation is just continue, and tell user how to use kernel verifier if they want. If the error sounds like a realy bug, it should block it but also tell user how to bypass it or use the kernel verifier.

We maybe can have 3 mode:

  • BPFTIME_VERIFY_STRICT: all verifier wanring are errors, you should pass either kernel or userspace verifier.
  • BPFTIME_VERIFY_WARNING: userspace verifier are warning, kernel verifier are error.
  • BPFTIME_NO_VERIFY: no verify.

But we even don't know which features are supported by ebpf-verifier, making it hard to distinguish whether it's a lack of feature or bug

@yunwei37
Copy link
Member Author

Ok, so maybe just 3 levels? The default level is verify warning

@Officeyutong
Copy link
Contributor

Ok, so maybe just 3 levels? The default level is verify warning

Agree

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Officeyutong @yunwei37