[PATCH v3 bpf-next 00/11] bpf, cgroup: Add BPF support for cgroup1 hierarchy

[Yafang Shao <laoar.shao@gmail.com>]

Currently, BPF is primarily confined to cgroup2, with the exception of
cgroup_iter, which supports cgroup1 fds. Unfortunately, this limitation
prevents us from harnessing the full potential of BPF within cgroup1
environments.

In our endeavor to seamlessly integrate BPF within our Kubernetes
environment, which relies on cgroup1, we have been exploring the
possibility of transitioning to cgroup2. While this transition is
forward-looking, it poses challenges due to the necessity for numerous
applications to adapt.

While we acknowledge that cgroup2 represents the future, we also recognize
that such transitions demand time and effort. As a result, we are
considering an alternative approach. Instead of migrating to cgroup2, we
are contemplating modifications to the BPF kernel code to ensure
compatibility with cgroup1. These adjustments appear to be relatively
minor, making this option more feasible.

As discussed with Tejun[0], it has been determined that tying the interface
directly to the cgroup1 hierarchies is acceptable. As a result, this
patchset introduces cgroup1-only interfaces that operate with both
hierarchy ID and cgroup ID as parameters.

Within this patchset, a new cgroup1-only interface have been introduced,
which is also suggested by Tejun.

- [bpf_]task_get_cgroup1
  Acquires the associated cgroup of a task within a specific cgroup1
  hierarchy. The cgroup1 hierarchy is identified by its hierarchy ID.

This new kfunc enables the tracing of tasks within a designated container
or its ancestor cgroup directory in BPF programs. Additionally, it is
capable of operating on named cgroups, providing valuable utility for
hybrid cgroup mode scenarios.

To enable the use of this new kfunc in non-sleepable contexts, we need to
eliminate the reliance on the cgroup_mutex. Consequently, the cgroup
root_list is made RCU-safe, allowing us to replace the cgroup_mutex with
RCU read lock in specific paths. This enhancement can also bring
benefits to common operations in a production environment, such as
`cat /proc/self/cgroup`. As pointed out by Michal, we can further
replace cgroup_mutex with the RCU read lock in other paths like
cgroup_path_ns(), but it necessitates some refactoring, so I prefer to
address it in a separate patchset.

[0]. https://lwn.net/ml/cgroups/ZRHU6MfwqRxjBFUH@slm.duckdns.org/

Changes:
- RFC v2 -> v3:
  - Use [bpf_]task_get_cgroup1 instead (Tejun)
  - Skip the unmounted cgroup in /proc/self/cgroup (Tejun)
  - Fix lockdep_is_held() in list_for_each_entry_rcu()
    (Tejun, oliver.sang@intel.com)
  - Drop the warning in __cset_cgroup_from_root()(Tejun) 
  - Fix mismatched comments (Tejun, lkp@intel.com)
  - Add a explicit warning in current_cgns_cgroup_from_root (Michal)
- RFC v1 -> RFC v2:
  - Introduce a new kunc to get cgroup kptr instead of getting the cgrp ID
    (Tejun)
  - Eliminate the cgroup_mutex by making cgroup root_list RCU-safe, as
    disccussed with Michal 
- RFC v1: bpf, cgroup: Add BPF support for cgroup1 hierarchy
  https://lwn.net/Articles/947130/
- bpf, cgroup: Add bpf support for cgroup controller
  https://lwn.net/Articles/945318/
- bpf, cgroup: Enable cgroup_array map on cgroup1
  https://lore.kernel.org/bpf/20230903142800.3870-1-laoar.shao@gmail.com

Yafang Shao (11):
  cgroup: Remove unnecessary list_empty()
  cgroup: Make operations on the cgroup root_list RCU safe
  cgroup: Eliminate the need for cgroup_mutex in proc_cgroup_show()
  cgroup: Add annotation for holding namespace_sem in
    current_cgns_cgroup_from_root()
  cgroup: Add a new helper for cgroup1 hierarchy
  bpf: Add a new kfunc for cgroup1 hierarchy
  selftests/bpf: Fix issues in setup_classid_environment()
  selftests/bpf: Add parallel support for classid
  selftests/bpf: Add a new cgroup helper get_classid_cgroup_id()
  selftests/bpf: Add a new cgroup helper get_cgroup_hierarchy_id()
  selftests/bpf: Add selftests for cgroup1 hierarchy

 include/linux/cgroup-defs.h                        |   1 +
 include/linux/cgroup.h                             |   4 +-
 kernel/bpf/helpers.c                               |  20 +++
 kernel/cgroup/cgroup-internal.h                    |   4 +-
 kernel/cgroup/cgroup-v1.c                          |  33 +++++
 kernel/cgroup/cgroup.c                             |  45 ++++--
 tools/testing/selftests/bpf/cgroup_helpers.c       | 113 ++++++++++++---
 tools/testing/selftests/bpf/cgroup_helpers.h       |   4 +-
 .../selftests/bpf/prog_tests/cgroup1_hierarchy.c   | 159 +++++++++++++++++++++
 .../testing/selftests/bpf/prog_tests/cgroup_v1v2.c |   2 +-
 .../selftests/bpf/progs/test_cgroup1_hierarchy.c   |  72 ++++++++++
 11 files changed, 420 insertions(+), 37 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/cgroup1_hierarchy.c
 create mode 100644 tools/testing/selftests/bpf/progs/test_cgroup1_hierarchy.c

-- 
1.8.3.1