From: John Fastabend <john.fastabend@gmail.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
davem@davemloft.net, netdev@vger.kernel.org
Subject: Re: [PATCH net-next] bpf: add show_fdinfo handler for maps
Date: Mon, 23 Nov 2015 11:18:29 -0800 [thread overview]
Message-ID: <56536685.8000001@gmail.com> (raw)
In-Reply-To: <1448305939.1624527.447961889.5D80B022@webmail.messagingengine.com>
On 15-11-23 11:12 AM, Hannes Frederic Sowa wrote:
> On Mon, Nov 23, 2015, at 20:09, John Fastabend wrote:
>> On 15-11-23 10:03 AM, Alexei Starovoitov wrote:
>>> On Mon, Nov 23, 2015 at 05:11:58PM +0100, Hannes Frederic Sowa wrote:
>>>>
>>>> Actually, that is the reason why I mentioned it, so *the admin* can see
>>>> something is going on. Do you want to protect ebpf from root? Skynet? ;)
>>>
>>> correct. To me both root and non-root are users in the first place and
>>> they both shouldn't be allowed to misuse it.
>>>
>>>> In my opinion the kernel never should hide any information of the admin
>>>> if they are accessible easily. Sampling the number of failed updates to
>>>> a map or printing it via procfs/ebpffs seems to be just a matter of how
>>>> difficult it should be done. The map has a lock, so the number is fairly
>>>
>>> map_lookup is actually lockless. It's a critical path and should be
>>> as fast as possible. No extra stats just for debugging.
>>>
>>>> accurate. Sampling and plotting size of hash maps without having kprobes
>>>> installed would be a nice thing, because it reduces complexity and this
>>>> is nice to have.
>>>
>>> doing 'cat' from procfs is, of course, easier to use, but it's an extra
>>> code that permenanetly lives in memory, whereas kprobe+bpf is a run-time
>>> debugging.
>>
>> Hopefully not jumping in off-base here (I've read most the thread), but
>> what I've been doing is loading programs with debug ebpf code in them
>> to keep a statistics map(s) and then I read that from userspace for
>> stats. It works pretty well and lets me compile out the debug code when
>> I want and also doesn't need kprobe at all. Also I can implement
>> sampling so that the debug code only runs every .01% or something like
>> that so it can be used in "real" systems. My "real" systems are just a
>> couple node test setup but it seems to be ok ;)
>
> Ok, I am fine to wait until there is user demand.
>
> Anyway, all you refer to is code you have under your control. I am
> worried about bpf code that is not under my control.
>
Right, I've not gotten this far. To date everything I've been looking at
is owned by the admin. So probably some more use cases there I haven't
looked at.
> Thanks,
> Hannes
>
next prev parent reply other threads:[~2015-11-23 19:18 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-19 10:56 [PATCH net-next] bpf: add show_fdinfo handler for maps Daniel Borkmann
2015-11-19 17:42 ` Alexei Starovoitov
2015-11-19 18:19 ` Hannes Frederic Sowa
2015-11-19 18:32 ` Alexei Starovoitov
2015-11-19 20:12 ` Hannes Frederic Sowa
2015-11-20 3:30 ` Alexei Starovoitov
2015-11-20 10:30 ` Hannes Frederic Sowa
2015-11-21 23:18 ` Alexei Starovoitov
2015-11-23 16:11 ` Hannes Frederic Sowa
2015-11-23 18:03 ` Alexei Starovoitov
2015-11-23 19:09 ` John Fastabend
2015-11-23 19:12 ` Hannes Frederic Sowa
2015-11-23 19:18 ` John Fastabend [this message]
2015-11-19 18:36 ` Daniel Borkmann
2015-11-19 18:45 ` Alexei Starovoitov
2015-11-20 16:04 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56536685.8000001@gmail.com \
--to=john.fastabend@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=hannes@stressinduktion.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.