From: Alexei Starovoitov <ast@plumgrid.com>
To: Thomas Graf <tgraf@suug.ch>, Daniel Borkmann <daniel@iogearbox.net>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
davem@davemloft.net, viro@ZenIV.linux.org.uk,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Alexei Starovoitov <ast@kernel.org>
Subject: Re: [PATCH net-next 3/4] bpf: add support for persistent maps/progs
Date: Wed, 21 Oct 2015 15:44:37 -0700 [thread overview]
Message-ID: <56281555.3030504@plumgrid.com> (raw)
In-Reply-To: <20151021183447.GC23554@pox.localdomain>
On 10/21/15 11:34 AM, Thomas Graf wrote:
>> So far, during this discussion, it was proposed to modify the file system
>> >to a single-mount one and to stick this under/sys/kernel/bpf/. This
>> >will not have "real" namespace support either, but it was proposed to
>> >have a following structure:
>> >
>> > /sys/kernel/bpf/username/<optional_dirs_mkdir_by_user>/progX
> This would probably work as you would typically map the ebpf map
> using -v like this to give a stable path:
>
> docker run -v /sys/kernel/bpf/foo/maps/progX:/map proX
yep
tracefs works inside docker the same way.
May be we should let users pick names similar to this fs patch to make
the above easier to use.
Also from bpf syscall point of the user shouldn't see
/sys/kernel/bpf/user/ prefix. Only 'optional_dirs_mkdir_by_user/name'
when doing pin/new_fd.
May be prog type should be a fixed part of the path as well.
>> >Together with device cgroups for containers, it would allow scenarios where
>> >you can have:
>> >
>> > * eBPF (map/prog) device pass-through so a map/prog could even be shared out
>> > from the initial namespace into individual ones/all (one could possibly
>> > extend such maps as read-only for these consumers).
>> > * eBPF device creation for unprivileged users with permissions being set
>> > accordingly (as in fs case).
>> > * Since cgroup controller can also do wildcards on major/minors, we could
>> > make that further fine-grained.
>> > * eBPF device creation can also be enforced by the cgroup controller to be
>> > entirely disallowed for a specific container.
none of the above is practical. It can be demoed in a canned
environment, but it's a complete mismatch of apis. cgroup/dev is a
static config, whereas bpf-cdev is dynamic (with minors out of idr for
all users) When you have to hack drivers/base/core.c to get there it
should have been a warning sign that something is wrong with
this cdev approach.
> I've read the discussion passively and my take away is that, frankly,
> I think the differences are somewhat minor. Both architectures can
> scale to what we need. Both will do the job. I'm slightly worried about
> exposing uAPI as a FS, I think that didn't work too well for sysfs. It's
> pretty much a define the format once and never touch it again kind of
> deal.
It's even worse in cdev style since it piggy backs on sysfs.
next prev parent reply other threads:[~2015-10-21 22:44 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-16 1:09 [PATCH net-next 0/4] BPF updates Daniel Borkmann
2015-10-16 1:09 ` [PATCH net-next 1/4] bpf: abstract anon_inode_getfd invocations Daniel Borkmann
2015-10-16 1:09 ` [PATCH net-next 2/4] bpf: align and clean bpf_{map,prog}_get helpers Daniel Borkmann
2015-10-16 1:09 ` [PATCH net-next 3/4] bpf: add support for persistent maps/progs Daniel Borkmann
2015-10-16 10:25 ` Hannes Frederic Sowa
2015-10-16 13:36 ` Daniel Borkmann
2015-10-16 16:36 ` Hannes Frederic Sowa
2015-10-16 17:27 ` Daniel Borkmann
2015-10-16 17:37 ` Alexei Starovoitov
2015-10-16 16:18 ` Alexei Starovoitov
2015-10-16 16:43 ` Hannes Frederic Sowa
2015-10-16 17:32 ` Alexei Starovoitov
2015-10-16 17:37 ` Thomas Graf
2015-10-16 17:21 ` Hannes Frederic Sowa
2015-10-16 17:42 ` Alexei Starovoitov
2015-10-16 17:56 ` Daniel Borkmann
2015-10-16 18:41 ` Eric W. Biederman
2015-10-16 19:27 ` Alexei Starovoitov
2015-10-16 19:53 ` Eric W. Biederman
2015-10-16 20:56 ` Alexei Starovoitov
2015-10-16 23:44 ` Eric W. Biederman
2015-10-17 2:43 ` Alexei Starovoitov
2015-10-17 12:28 ` Daniel Borkmann
2015-10-18 2:20 ` Alexei Starovoitov
2015-10-18 15:03 ` Daniel Borkmann
2015-10-18 16:49 ` Daniel Borkmann
2015-10-18 20:59 ` Alexei Starovoitov
2015-10-19 7:36 ` Hannes Frederic Sowa
2015-10-19 9:51 ` Daniel Borkmann
2015-10-19 14:23 ` Daniel Borkmann
2015-10-19 16:22 ` Alexei Starovoitov
2015-10-19 17:37 ` Daniel Borkmann
2015-10-19 18:15 ` Alexei Starovoitov
2015-10-19 18:46 ` Hannes Frederic Sowa
2015-10-19 19:34 ` Alexei Starovoitov
2015-10-19 20:03 ` Hannes Frederic Sowa
2015-10-19 20:48 ` Alexei Starovoitov
2015-10-19 22:17 ` Daniel Borkmann
2015-10-20 0:30 ` Alexei Starovoitov
2015-10-20 8:46 ` Daniel Borkmann
2015-10-20 17:53 ` Alexei Starovoitov
2015-10-20 18:56 ` Eric W. Biederman
2015-10-21 15:17 ` Daniel Borkmann
2015-10-21 18:34 ` Thomas Graf
2015-10-21 22:44 ` Alexei Starovoitov [this message]
2015-10-22 13:22 ` Daniel Borkmann
2015-10-22 19:35 ` Eric W. Biederman
2015-10-23 13:47 ` Daniel Borkmann
2015-10-20 9:43 ` Hannes Frederic Sowa
2015-10-19 23:02 ` Hannes Frederic Sowa
2015-10-20 1:09 ` Alexei Starovoitov
2015-10-20 10:07 ` Hannes Frederic Sowa
2015-10-20 18:44 ` Alexei Starovoitov
2015-10-16 19:54 ` Daniel Borkmann
2015-10-16 1:09 ` [PATCH net-next 4/4] bpf: add sample usages " Daniel Borkmann
2015-10-19 2:53 ` [PATCH net-next 0/4] BPF updates David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56281555.3030504@plumgrid.com \
--to=ast@plumgrid.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=hannes@stressinduktion.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=tgraf@suug.ch \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).