feat: add kernel basics blog #771
Is there a reason you are updating this in the PR? Should it be separate?
Signed-off-by: Paul Arah <[email protected]>
I think you pulled this in by mistake?
Yes, that was a mistake, but I think it's fine. It's the same as the main branch.
The main branch doesn't have it anymore
we removed it in #753
Signed-off-by: Paul Arah <[email protected]>
**_Author: Paul Arah, Isovalent@Cisco_**
I find it difficult starting to read a blog post with a diagram; I'm not sure what I should focus on and whether I should come back later after reading. Maybe add a bit of context that we will come back to it, or move it later in the article.
When you write Tetragon tracing policies, you're not writing arbitrary sets of rules; you're programming against the kernel execution path itself. Every policy you create hooks directly into kernel functions, intercepts system calls, and examines kernel data structures. This power comes with responsibility. Without an understanding of how the Linux kernel works, you'll find yourself writing policies that are ineffective, overly broad, or worse, missing the exact events you are trying to find.
This blog is meant to be a pointer guide; it won't make you a kernel hacker overnight, but it aims to cover some core Linux knowledge essential for crafting effective Tetragon tracing policies. We'll connect kernel fundamentals such as user vs. kernel space, system calls, process structures, namespaces, and more to practical tracing policy examples. A basic familiarity with Linux and a base-level understanding of what Tetragon is will be enough to follow along.
"This blog post"? I am not the best at writing English, so if it's not correct do not consider my comment 😇
One of the most fundamental concepts in Linux system programming is the distinction between kernel space and user space.
**User space** is where apps like Bash, Nginx, and VS Code run. User-space programs run with restricted privileges and cannot do things like access arbitrary memory locations, execute privileged instructions, directly control hardware, or access kernel data structures.
I would start with the foundation, the kernel space, as in the section title.
Most programming languages offer some sort of standard library that provides a high-level abstraction over the system call interface; this way, application developers typically never have to access the system call interface directly. When you write tracing policies, you're working from the kernel's perspective, where syscalls are the actual events being invoked.
Kernel space should be in a box too?
- **Kprobes** provide dynamic probes on almost any kernel function. They let you intercept functions like `fd_install()` whenever they're called. Kprobes are powerful, but are tightly coupled with your kernel version since kernel functions can change across versions.
- **Tracepoints** are essentially built-in static markers inside the kernel. For example, `sched_process_exec` fires every time a process runs a new program. Tracepoints are more stable than kprobes and work across kernel versions.
- **Uprobes** are like kprobes, but for user-space programs. For example, you can hook into the `readline()` function in Bash to see when someone types a command.
- **BPF LSM** essentially allows instrumenting Linux Security Module (LSM) hooks at runtime. A good way to think of LSM hooks is as some kind of built-in checkpoint that asks, "Is this action allowed?" before letting a process do something sensitive. Security systems like SELinux or AppArmor use LSM hooks. Tetragon can also use LSM hooks for access control and observability. LSM hooks are reliable, less prone to race conditions like TOCTOU, and always represent real enforcement points.
TOCTOU is also mentioned later, where the full name is displayed; maybe switch it here and mention only TOCTOU afterwards.
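As an added example (not part of the blog post under review and not taken from the Tetragon project's own documentation), here is a TracingPolicy that uses two of the hook types listed in the excerpt above: a kprobe on `fd_install()` and a tracepoint on `sched_process_exec`. The policy name and the `/etc/` path filter are constructed for this illustration.

```yaml
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  # Constructed name for this example.
  name: "kernel-basics-example"
spec:
  kprobes:
  # Dynamic probe on the kernel function fd_install(), which runs whenever
  # a file descriptor is installed into a process's fd table. This is the
  # version-coupled kind of hook: the argument list below mirrors the kernel
  # prototype fd_install(unsigned int fd, struct file *file), so it must be
  # revisited if that prototype changes.
  - call: "fd_install"
    syscall: false          # kernel function, not a syscall entry point
    args:
    - index: 0
      type: "int"           # the new file descriptor number
    - index: 1
      type: "file"          # struct file *, lets selectors match on the path
    selectors:
    # Observe only files under /etc/ (constructed filter for this example);
    # without a selector every fd_install() in the system would be reported.
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/"
  tracepoints:
  # Static tracepoint sched:sched_process_exec, fired each time a process
  # successfully runs a new program. Unlike the kprobe above it is a stable
  # kernel ABI, so no argument layout has to be tracked per kernel version.
  - subsystem: "sched"
    event: "sched_process_exec"
```

After applying the policy, `tetra getevents` shows the kprobe events only for opens under `/etc/`, while every exec on the node is reported through the tracepoint.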
Co-authored-by: doniacld <[email protected]> Signed-off-by: Paul Arah <[email protected]>