GitHub Engineering describes how it uses eBPF to detect and prevent circular dependencies in its deployment tooling. The core problem: deployment scripts running on stateful hosts could inadvertently call back to github.com during an outage, preventing recovery. Using the BPF_PROG_TYPE_CGROUP_SKB and BPF_PROG_TYPE_CGROUP_SOCK_ADDR program types with the cilium/ebpf Go library, they built a per-process network filter that places deployment scripts in a cgroup, intercepts DNS queries via a userspace proxy, and blocks domains on a deny list. The system also correlates blocked DNS requests to specific PIDs and command lines using eBPF maps and DNS transaction IDs, enabling teams to identify and fix problematic dependencies. The solution is now live after a six-month rollout, improving incident mean time to recovery.

9m read time. From github.blog
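
The proxy-side decision summarized above, as an added Go example (not code from the GitHub post): it parses a DNS query, matches the name against a deny list, and uses the DNS transaction ID to look up the originating PID. The function names, the transaction-ID-to-PID map layout (a plain Go map standing in for the eBPF map), the subdomain matching rule, and the sample query and PID are assumptions constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// sample is a constructed query: ID 0x1a2b, one question, api.github.com, type A.
var sample = []byte("\x1a\x2b\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03api\x06github\x03com\x00\x00\x01\x00\x01")

// parseQuery returns the transaction ID and first question name of a DNS query.
func parseQuery(msg []byte) (uint16, string, error) {
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[4:6]) == 0 {
		return 0, "", fmt.Errorf("short message or no question")
	}
	var labels []string
	for i := 12; ; {
		if i >= len(msg) || msg[i] > 63 || i+1+int(msg[i]) > len(msg) {
			return 0, "", fmt.Errorf("truncated or compressed name") // length > 63 marks a pointer
		}
		if msg[i] == 0 { // root label ends the name
			return binary.BigEndian.Uint16(msg), strings.Join(labels, "."), nil
		}
		labels = append(labels, strings.ToLower(string(msg[i+1:i+1+int(msg[i])])))
		i += 1 + int(msg[i])
	}
}

// denied reports whether name is a deny-list entry or a subdomain of one.
func denied(name string, deny []string) bool {
	for _, d := range deny {
		if name == d || strings.HasSuffix(name, "."+d) {
			return true
		}
	}
	return false
}

// evaluate returns the queried name, the PID recorded for its transaction ID
// (0 if unknown) and the deny verdict; txToPID stands in for the eBPF map.
func evaluate(msg []byte, deny []string, txToPID map[uint16]uint32) (string, uint32, bool, error) {
	id, name, err := parseQuery(msg)
	if err != nil {
		return "", 0, false, err
	}
	return name, txToPID[id], denied(name, deny), nil
}

func main() { fmt.Println(evaluate(sample, []string{"github.com"}, map[uint16]uint32{0x1a2b: 4242})) }
```

Matching on a leading dot keeps a name such as notgithub.com from being treated as a subdomain of github.com, and a query whose transaction ID has no map entry is still evaluated but reported with PID 0.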