Re: [RFC PATCH v2 bpf-next 0/3] bpf: cgroup: support writing and freezing cgroups from BPF

cgroups.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Michal Koutný" <mkoutny@suse.com>
To: Djalal Harouni <tixxdz@gmail.com>
Cc: tj@kernel.org, hannes@cmpxchg.org, ast@kernel.org,
	 daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev,
	eddyz87@gmail.com,  song@kernel.org, yonghong.song@linux.dev,
	john.fastabend@gmail.com,  kpsingh@kernel.org, sdf@fomichev.me,
	haoluo@google.com, jolsa@kernel.org,  mykolal@fb.com,
	shuah@kernel.org, cgroups@vger.kernel.org, bpf@vger.kernel.org,
	 linux-kselftest@vger.kernel.org, tixxdz@opendz.org
Subject: Re: [RFC PATCH v2 bpf-next 0/3] bpf: cgroup: support writing and freezing cgroups from BPF
Date: Tue, 26 Aug 2025 16:18:38 +0200	[thread overview]
Message-ID: <356xekrj6vqsmtcvbd3rnh7vg6ey7l6sd6f4v3dv4jxidxfd6m@cepwozvwucda> (raw)
In-Reply-To: <20250818090424.90458-1-tixxdz@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 1247 bytes --]

Hi Djalal.

On Mon, Aug 18, 2025 at 10:04:21AM +0100, Djalal Harouni <tixxdz@gmail.com> wrote:
> This patch series add support to write cgroup interfaces from BPF.
> 
> It is useful to freeze a cgroup hierarchy on suspicious activity for
> a more thorough analysis before killing it. Planned users of this
> feature are: systemd and BPF tools where the cgroup hierarchy could
> be a system service, user session, k8s pod or a container.

Could you please give more specific example of the "suspicious
activity"? The last time (v1) it was referring to LSM hooks where such
asynchronous approach wasn't ideal.
Also why couldn't all these tools execute the cgroup actions themselves
through traditional userspace API?

One more point (for possible interference with lifecycles) -- what is
the relation between cgroup in which the BPF code "runs" and cgroup
that's target of the operation? (I hope this isn't supposed to run from
BPF without process context.)

> Todo:
> * Limit size of data to be written.
> * Further tests.
> * Add cgroup kill support.

I'm missing the retrieval of freeze result in this plan :) cgroup kill
would be simpler for PoC (and maybe even sufficient for your use case?).

Regards,
Michal

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 265 bytes --]

next prev parent reply	other threads:[~2025-08-26 14:18 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-08-18  9:04 [RFC PATCH v2 bpf-next 0/3] bpf: cgroup: support writing and freezing cgroups from BPF Djalal Harouni
2025-08-18  9:04 ` [RFC PATCH v2 bpf-next 1/3] kernfs: cgroup: support writing cgroup interfaces from a kernfs node Djalal Harouni
2025-08-18  9:04 ` [RFC PATCH v2 bpf-next 2/3] bpf: cgroup: Add BPF Kfunc to write and freeze a cgroup Djalal Harouni
2025-08-18  9:04 ` [RFC PATCH v2 bpf-next 3/3] selftests/bpf: add selftest for bpf_cgroup_write_interface Djalal Harouni
2025-08-18 17:32 ` [RFC PATCH v2 bpf-next 0/3] bpf: cgroup: support writing and freezing cgroups from BPF Tejun Heo
2025-08-19 23:31   ` Djalal Harouni
2025-08-19 23:36     ` Djalal Harouni
2025-08-20  1:14     ` Tejun Heo
2025-08-22 18:16       ` Djalal Harouni
2025-08-25 18:48         ` Tejun Heo
2025-08-26  3:45           ` Alexei Starovoitov
2025-08-26 10:23           ` Djalal Harouni
2025-08-26 14:18 ` Michal Koutný [this message]
2025-08-26 23:27   ` Djalal Harouni
2025-08-28 14:38     ` Michal Koutný
2025-09-01 19:53       ` Djalal Harouni

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=356xekrj6vqsmtcvbd3rnh7vg6ey7l6sd6f4v3dv4jxidxfd6m@cepwozvwucda \
    --to=mkoutny@suse.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=cgroups@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=hannes@cmpxchg.org \
    --cc=haoluo@google.com \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=kpsingh@kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=mykolal@fb.com \
    --cc=sdf@fomichev.me \
    --cc=shuah@kernel.org \
    --cc=song@kernel.org \
    --cc=tixxdz@gmail.com \
    --cc=tixxdz@opendz.org \
    --cc=tj@kernel.org \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).