Business · GitHub Blog
GitHub found that, using eBPF, they could selectively monitor and block those calls
Compiled by KHAO Editorial — aggregated from 1 outlet.
Let’s start by looking at the types of circular dependencies through a hypothetical scenario.
Key facts
- In a simplified example, they rewrite any connect4 syscall targeting DNS (port 53) to localhost:53
- The team used this to intercept DNS queries from the cgroup and forward them to a userspace DNS proxy they run
- Now, any DNS queries initiated by the deployment script are routed through their DNS proxy
- Inside the BPF_PROG_TYPE_CGROUP_SKB program type, they have the skb_buff from which they can pull the DNS transaction ID and also capture the Process ID (PID) that initiated the request
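
The transaction-ID-to-PID correlation from the last item, as an added example that is not GitHub's code or code from the original post: a plain userspace C model of the parsing step rather than a loadable BPF program. It assumes the buffer starts at the IPv4 header; the function names, the fixed-size table standing in for a BPF map, the PID passed in as a parameter, and the sample packet are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Userspace model of the parse a BPF_PROG_TYPE_CGROUP_SKB egress program does.
 * Assumption: data starts at the IPv4 header. All names are hypothetical. */
#define MAP_SLOTS 64
struct txid_entry { uint16_t txid; uint32_t pid; int used; };
static struct txid_entry txid_map[MAP_SLOTS]; /* stands in for a BPF hash map */

/* Constructed sample: 10.0.0.2:50000 -> 10.0.0.53:53, txid 0xbeef, A example.com */
static const uint8_t sample_query[] = {
    0x45,0x00,0x00,0x39, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x02, 0x0a,0x00,0x00,0x35,                      /* IPv4 */
    0xc3,0x50,0x00,0x35, 0x00,0x25,0x00,0x00,                      /* UDP  */
    0xbe,0xef,0x01,0x00, 0x00,0x01,0x00,0x00, 0x00,0x00,0x00,0x00, /* DNS  */
    7,'e','x','a','m','p','l','e', 3,'c','o','m',0, 0,1, 0,1       /* question */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 1 and sets *txid for an unfragmented IPv4/UDP datagram to port 53
 * that holds a full DNS header. Each read is bounds-checked first, which is
 * also what the BPF verifier requires of the in-kernel version. */
int dns_txid_from_ipv4(const uint8_t *pkt, size_t len, uint16_t *txid)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;     /* IP options vary this */
    if (ihl < 20 || pkt[9] != 17) return 0;       /* protocol 17 = UDP */
    if (be16(pkt + 6) & 0x1fff) return 0;         /* later fragment: no UDP header */
    if (len < ihl + 8 + 12) return 0;             /* UDP header + DNS header */
    if (be16(pkt + ihl + 2) != 53) return 0;      /* destination port */
    *txid = be16(pkt + ihl + 8);
    return 1;
}

/* Kernel side: remember which PID sent the query with this transaction ID. */
int record_query(const uint8_t *pkt, size_t len, uint32_t pid)
{
    uint16_t txid;
    if (!dns_txid_from_ipv4(pkt, len, &txid)) return 0;
    txid_map[txid % MAP_SLOTS] = (struct txid_entry){ txid, pid, 1 };
    return 1;
}

/* Proxy side: map a query's transaction ID back to a PID (0 if unknown). */
uint32_t pid_for_txid(uint16_t txid)
{
    const struct txid_entry *e = &txid_map[txid % MAP_SLOTS];
    return (e->used && e->txid == txid) ? e->pid : 0;
}
```

Because the table is indexed by a 16-bit transaction ID, two processes that pick the same ID overwrite each other's entry; a proxy relying on this lookup for attribution should treat a miss or a stale PID as "unknown" rather than as permission.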
Summary
Did you know that, at GitHub, they host all of their own source code on github.com? This is what you’d call a simple circular dependency: to deploy GitHub, they needed GitHub. So they're done, right? When they started to design their new host-based deployment system, they evaluated some new approaches to prevent deployment code from creating circular dependencies.